| Summary: | libtiff possible new security issues CVE-2016-5319 CVE-2017-17942 CVE-2017-17973 CVE-2018-10779 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libtiff-4.0.9-1.5.mga6.src.rpm | CVE: | CVE-2016-5319, CVE-2017-17942, CVE-2018-10779 |
| Status comment: | |||
Description
David Walser
2018-06-07 23:14:02 CEST
SUSE has issued an advisory on September 10:
http://lists.suse.com/pipermail/sle-security-updates/2018-September/004543.html

It fixes three issues we don't have in bugzilla. I see the last one has a fix in Cauldron, but we haven't updated Mageia 6 yet. Mageia 5 is obviously also affected.

Whiteboard: (none) => MGA6TOO

openSUSE has issued an advisory for this on September 26:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00151.html

According to https://bugzilla.novell.com/show_bug.cgi?id=1074318#c5, fix for CVE-2017-9935 also fixes CVE-2017-17973.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file. (CVE-2016-5319)

In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. (CVE-2017-17942)

TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.6.mga6
lib(64)tiff5-4.0.9-1.6.mga6
lib(64)tiff-devel-4.0.9-1.6.mga6
lib(64)tiff-static-devel-4.0.9-1.6.mga6

from SRPMS:
libtiff-4.0.9-1.6.mga6.src.rpm

CVE: (none) => CVE-2016-5319, CVE-2017-17942, CVE-2018-10779

Testing this after tonight's meeting.

CC: (none) => tarazed25

bmp2tiff and thumbnail are required to exercise the PoCs for CVE-2016-5319. Neither are packaged with libtiff-progs. Are they available anywhere else?

$ rpm -qil libtiff-progs
/usr/bin/fax2ps
/usr/bin/fax2tiff
/usr/bin/pal2rgb
/usr/bin/ppm2tiff
/usr/bin/raw2tiff
/usr/bin/tiff2bw
/usr/bin/tiff2pdf
/usr/bin/tiff2ps
/usr/bin/tiff2rgba
/usr/bin/tiffcmp
/usr/bin/tiffcp
/usr/bin/tiffcrop
/usr/bin/tiffdither
/usr/bin/tiffdump
/usr/bin/tiffgt
/usr/bin/tiffinfo
/usr/bin/tiffmedian
/usr/bin/tiffset
/usr/bin/tiffsplit

Keywords: (none) => feedback

It's an old CVE and I believe some of the tools were removed previously because they themselves had security vulnerabilities.

Keywords: feedback => (none)

OK, thanks David. Those utilities were mentioned but I suppose anything that tries to read the PoC files would do. Ah, but nothing else in the collection is able so those PoCs are a nogo.

Mageia6, x86_64
Updated the libtiff packages.
Tried out some of the utilities.
$ tiffinfo Ikapati.tif
TIFF Directory at offset 0x100008 (1048584)
Image Width: 1024 Image Length: 1024
Bits/Sample: 8
Compression Scheme: None
Photometric Interpretation: min-is-black
FillOrder: msb-to-lsb
Samples/Pixel: 1
Rows/Strip: 8
Planar Configuration: single image plane
DocumentName: Standard Input
ImageDescription: converted PNM file
$ tiff2pdf -o lena.pdf lena_color.tiff
$ okular lena.pdf
That displays fine.
$ tiff2ps -O harbour.ps harbour.tif
$ gs harbour.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
>>showpage, press <return> to continue<<
$ tiff2rgba macbethcolourscan.tif rgba.tif
$ display rgba.tif
That too.
$ tifftopnm GlenShiel.tif > GlenShiel.pnm
tifftopnm: writing PPM file
$ tiffgt macbethcolourscan.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
This may be a regression - tiffgt no longer displays TIFF images.
Switched to display.
$ tiff2bw JessicaAlba.tif jessica_grey.tif
Perfect greyscale rendering.
$ tiffcmp macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tiffcmp -z 20 macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tifftopnm JessicaAlba.tif > jessica.pnm
tifftopnm: writing PPM file
$ tiff2bw GlenShiel.tif GlenShiel_greyscale.tif
$ tiffdump SantaMaria.tif > dumpfile
$ less dumpfile
SantaMaria.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 1971016 (0x1e1348) next 0 (0)
ImageWidth (256) SHORT (3) 1<1638>
ImageLength (257) SHORT (3) 1<1410>
BitsPerSample (258) SHORT (3) 3<8 8 8>
Compression (259) SHORT (3) 1<5>
Photometric (262) SHORT (3) 1<2>
FillOrder (266) SHORT (3) 1<1>
ImageDescription (270) ASCII (2) 14<IDL TIFF file\0>
StripOffsets (273) LONG (4) 1410<8 1199 2491 3695 4958 6211 7472 8750 9972 11260 12484 13781 15014 16267 17486 18683 19928 21122 22405 23629 24889 26177 27436 28726 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<3>
RowsPerStrip (278) SHORT (3) 1<1>
StripByteCounts (279) LONG (4) 1410<1191 1292 1204 1263 1253 1261 1278 1222 1288 1224 1297 1233 1253 1219 1197 1245 1194 1283 1224 1260 1288 1259 1290 1211 ...>
XResolution (282) RATIONAL (5) 1<495.063>
YResolution (283) RATIONAL (5) 1<495.063>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
PageNumber (297) SHORT (3) 2<0 1>
Predictor (317) SHORT (3) 1<2>
Whitepoint (318) RATIONAL (5) 2<0.3127 0.329>
PrimaryChromaticities (319) RATIONAL (5) 6<0.64 0.33 0.3 0.6 0.15 0.06>
BadFaxLines (326) LONG (4) 1<2707030018>
dumpfile (END)
$ ppm2tiff glenshiel.pnm glenshiel_1.tif
Displays OK.
$ tiffcp glenshiel.tiff scottishglen.tif
_TIFFVGetField: scottishglen.tif: Invalid tag "Predictor" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "Predictor" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "BadFaxLines" (not supported by codec).
$ display scottishglen.tif
It looks OK.
That "Invalid tag" message has appeared many times in past tests so should not be considered a regression.
$ tiffdither -r 4 -c packbits -t 64 Ikapati.tif ikapati4.tif
Produced a dithered grey view of the surface of Mars. It needs a greyscale image to start with.
$ tiffgt smandril.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
This sort of failure has always been the case - maybe time for a bug report.
$ tiffmedian -r 8 -C 128 -f TatianaMaslany.tif Tatiana.tif
Going by rows of 8 creates an image with 128 colours using Floyd-Steinberg dithering. Without the dithering the image would be considered unacceptable.
Enough tests. OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Len Lawrence
2018-10-20 02:11:18 CEST
Keywords: (none) => validated_update

Thomas Backlund
2018-10-20 15:32:12 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0409.html

Resolution: (none) => FIXED