Bug 24343

Summary:	libtiff new security issues CVE-2018-17000 and CVE-2019-6128
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25
Version:	6	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA6-64-OK
Source RPM:	libtiff-4.0.9-1.9.mga6.src.rpm	CVE:	CVE-2019-6128
Status comment:

Description David Walser 2019-02-11 01:22:42 CET

Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CXMZF6QHRSV4QSTQXM5RAXOWNJHAGFIW/

It may not be a serious issue though.  Perhaps there are more interesting fixes in what's already been updated in Cauldron.

Comment 1 Nicolas Salguero 2019-02-11 10:23:30 CET

Suggested advisory:
========================

The updated packages fix at least one security vulnerability:

The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. (CVE-2019-6128)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.10-1.git20190202.1.mga6
lib(64)tiff5-4.0.10-1.git20190202.1.mga6
lib(64)tiff-devel-4.0.10-1.git20190202.1.mga6
lib(64)tiff-static-devel-4.0.10-1.git20190202.1.mga6

from SRPMS:
libtiff-4.0.10-1.git20190202.1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-6128
Assignee: nicolas.salguero => qa-bugs

Comment 2 Len Lawrence 2019-02-11 12:59:04 CET

mga6, x86_64

CVE-2019-6128
http://bugzilla.maptools.org/show_bug.cgi?id=2836
$ pal2rgb libtiff-pal2rgb-memory-leak /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
libtiff-pal2rgb-memory-leak: Expecting a palette image.

Agrees with the upstream valgrind output both before and afterwards.

$ rpm -qa | grep lib64tiff
lib64tiff-static-devel-4.0.9-1.9.mga6
lib64tiff-devel-4.0.9-1.9.mga6
lib64tiff5-4.0.9-1.9.mga6

The four packages updated cleanly.
No change expected in the POC output.
$ pal2rgb libtiff-pal2rgb-memory-leak /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
libtiff-pal2rgb-memory-leak: Expecting a palette image.

In particular, when run with valgrind we see
==10894== All heap blocks were freed -- no leaks are possible
Good enough.

Could not find any examples of palette tiff files on the web, only jpeg and png representations.  Tried to create one using a local file
$ tiffmedian macbeth_rgba.tif macbethpalette.tif
but the result was not very impressive and running pal2rgb on it returned virtually the same image so  we shall simply accept the packages as is.  Since the fix is so specific there is not much point in running the usual libtiff- progs tests.

Giving this an OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2019-02-12 02:49:17 CET

Sounds reasonable to me, Len. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:53:27 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2019-02-13 12:10:48 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0075.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2019-03-13 20:03:04 CET

This update also fixed CVE-2018-17000:
https://usn.ubuntu.com/3906-1/

David Walser 2019-03-28 21:40:37 CET

Summary: libtiff new security issue CVE-2019-6128 => libtiff new security issues CVE-2018-17000 and CVE-2019-6128