| Summary: | libtiff new security issues CVE-2018-1710[01] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libtiff-4.0.9-1.6.mga6.src.rpm | CVE: | CVE-2018-17100, CVE-2018-17101 |
| Status comment: | |||
Description
David Walser
2018-10-24 18:04:25 CEST
CVE-2018-16335: according to https://security-tracker.debian.org/tracker/CVE-2018-16335, the fix is the same as for CVE-2017-11613, which was in bug 22799.

CVE-2018-17795: according to https://security-tracker.debian.org/tracker/CVE-2018-17795, the fix is the same as for CVE-2017-9935, which was in bug 22120.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100)

An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101
https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00150.html
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.7.mga6
lib(64)tiff5-4.0.9-1.7.mga6
lib(64)tiff-devel-4.0.9-1.7.mga6
lib(64)tiff-static-devel-4.0.9-1.7.mga6

from SRPMS:
libtiff-4.0.9-1.7.mga6.src.rpm

CVE:
(none) =>
CVE-2018-17100, CVE-2018-17101
David Walser
2018-10-25 16:30:25 CEST
Summary:
libtiff possible new security issues CVE-2018-16335 CVE-2018-1710[01] CVE-2018-17795 =>
libtiff possible new security issues CVE-2018-1710[01]
David Walser
2018-10-25 16:30:34 CEST
Summary:
libtiff possible new security issues CVE-2018-1710[01] =>
libtiff new security issues CVE-2018-1710[01]

Mageia 6, x86_64

Reviewed the CVEs listed by Suse.

CVE-2018-10779 - not in current list.
PoC file from an old bug.
http://bugzilla.maptools.org/show_bug.cgi?id=2790
$ bmp2tiff POC out.tiff
Mageia does not have bmp2tiff. The security issue affects tif_write.c specifically so using this PoC file in alternative conversions would miss the point.

CVE-2018-16335 (in QA list?)
https://bugzilla.suse.com/show_bug.cgi?id=1106853
$ tiff2pdf poc2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
[...]
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
tiff2pdf: No support for poc2 with 254 samples per pixel.
tiff2pdf: An error occurred creating output PDF file.

CVE-2018-17100
Could not find a PoC for this. The issue likely could be demonstrated by ppm2tiff with a suitable test file.

CVE-2018-17101
Out of bounds writes in tools: tiff2bw and pal2rgb. No PoC.

CVE-2018-17795
https://bugzilla.suse.com/show_bug.cgi?id=1046077
$ unrar e POC.rar
Extracting POC1 OK
Extracting POC2 OK
Extracting POC3 OK
Extracting POC4 OK
Extracting POC5 OK
$ tiff2pdf POC1 | cat > poc1.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
[...]
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
$ xpdf poc1.pdf
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Similar copious error logs from all five files.

Packages updated cleanly.

CVE-2018-16335
The PoC test failed in the same way and since it seems to have been dropped from the list it can be ignored.

CVE-2018-17795
$ tiff2pdf POC1 | cat > poc1.pdf
TIFFFetchDirectory: Sanity check on directory count failed, zero tag directories not supported.
TIFFReadDirectory: Failed to read directory at offset 5356.
tiff2pdf: Can't open input file POC1 for reading.
$ tiff2pdf POC2 | cat > poc2.pdf
TIFFOpen: POC2: No such file or directory.
tiff2pdf: Can't open input file POC2 for reading.
Similar output for the other PoC files, so we can assume that this issue is fixed.

A few utility tests later.

CC:
(none) =>
tarazed25

Utility tests.
Just repeating those from earlier libtiff tests, on similar images.
There is a problem with tiffgt.
$ tiffgt SantaMaria.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ tiffgt greyscale.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
This is probably the same issue which affects celestia. Performing a local build on celestia cured the problem in the past but that is not possible in QA. Anyway, it looks like a graphics system error and it is something which turns up every now and again with various graphics packages. It comes and goes.
$ tiffcp SantaMaria.tif new.tif
_TIFFVGetField: new.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: new.tif: Invalid tag "BadFaxLines" (not supported by codec).
This is another chestnut. Not significant because the new image is a perfect copy.
Most conversion functions work. Output checked with ImageMagick display, gs or xpdf.
$ tifftopnm lena_color.tiff > lena.pnm
tifftopnm: writing PPM file
$ pnmtotiff Ikapati.pgm -output test.pnm
$ tiff2bw macbeth_rgb.tif macbeth_bw.tif
$ tiff2pdf boats.tif > boats.pdf
$ tiff2ps lena.tif > lena.ps
$ tiffcrop -E top -U px -m 100,100,100,100 SantaMaria.tif cropped.tif
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).
The cropped image displayed OK.
$ tiffdump SantaMaria.tif > dumpfile
$ cat dumpfile
SantaMaria.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 1971016 (0x1e1348) next 0 (0)
[...]
PrimaryChromaticities (319) RATIONAL (5) 6<0.64 0.33 0.3 0.6 0.15 0.06>
BadFaxLines (326) LONG (4) 1<2707030018>
$ tiffmedian example2.tiff median.tif
tiffdump craters.tif shows
........
XResolution (282) RATIONAL (5) 1<300>
YResolution (283) RATIONAL (5) 1<300>
$ tiffset -s 282 320.0 craters.tif
$ tiffset -s 283 320.0 craters.tif
tiffdump shows:
XResolution (282) RATIONAL (5) 1<320>
YResolution (283) RATIONAL (5) 1<320>
$ tiffsplit greycombo.tif
Generates {xaaa,xaab,xaac,xaad}.tif from the stacked frames in the original image.
Despite the repeated complaints above this looks good to go.

Whiteboard:
(none) =>
MGA6-64-OK

Taking your word for it, Len. Validating. Advisory in Comment 2.

Keywords:
(none) =>
validated_update
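
The before-and-after PoC runs earlier in this thread compare how a tool ends on a malformed file: a clean refusal versus a crash. The harness below automates that check; it is an added example, not part of the bug report or of libtiff, and `fake_tool` and its file names are constructed stand-ins for a real tool such as `tiff2pdf` and real PoC files.

```shell
#!/bin/sh
# Added example: PoC regression harness. Not part of the bug report or of libtiff.

# classify_run CMD [ARGS...]
# Runs CMD with its output discarded and prints how it ended:
#   ok               exit status 0
#   rejected:exit-N  non-zero exit, i.e. the tool refused the input
#   crash:signal-N   the shell reports 128+N when the child died from signal N
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        echo "crash:signal-$((status - 128))"
    else
        echo "rejected:exit-$status"
    fi
}

# triage_pocs TOOL FILE...
# Prints one tab-separated line per file and returns 1 if any run crashed.
triage_pocs() {
    tool=$1
    shift
    crashed=0
    for f in "$@"; do
        result=$(classify_run "$tool" "$f")
        printf '%s\t%s\t%s\n' "$tool" "$f" "$result"
        case $result in
            crash:*) crashed=1 ;;
        esac
    done
    return "$crashed"
}

# Constructed stand-in for a libtiff tool so the harness runs offline.
# On a test machine, call e.g.: triage_pocs tiff2pdf POC1 POC2 POC3 POC4 POC5
fake_tool() {
    case $1 in
        good.tif)  return 0 ;;
        bad.tif)   return 1 ;;
        crash.tif) sh -c 'kill -s KILL $$' ;;
    esac
}

triage_pocs fake_tool good.tif bad.tif crash.tif || echo "at least one crash"
```

Run it once against the installed packages and once after updating; a file that moves from `crash:` to `rejected:` is the result the tester was looking for.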
Thomas Backlund
2018-10-30 18:07:44 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0426.html

Status:
ASSIGNED =>
RESOLVED