| Summary: | libtiff new security issue CVE-2022-22844 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | libtiff-4.2.0-1.mga8.src.rpm | CVE: | CVE-2022-22844 |
| Status comment: | | | |
Description
David Walser
2022-01-31 14:49:35 CET
David Walser
2022-01-31 14:49:52 CET
Status comment:
(none) =>
Patch available from Fedora

Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. (CVE-2022-22844)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22844
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BKCT37QZMPMOV5FFWOTHMMQRUQ2AIX6C/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.1.mga8
lib(64)tiff-devel-4.2.0-1.1.mga8
lib(64)tiff-static-devel-4.2.0-1.1.mga8
libtiff-progs-4.2.0-1.1.mga8

from SRPM:
libtiff-4.2.0-1.1.mga8.src.rpm

CVE:
(none) =>
CVE-2022-22844

CVE-2022-22844
https://gitlab.com/libtiff/libtiff/-/issues/355

PoC fails in a similar way here and leads to a segfault, before the update.

$ tiffset -s 93 helloworld tiffset_poc
.....
TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
Segmentation fault (core dumped)

After updating the packages the PoC made a clean exit.

$ tiffset -s 93 helloworld tiffset_poc
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
......
TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFWriteDirectoryTagLongLong8Array: Attempt to write value larger than 0xFFFFFFFF in LONG array..
TIFFWriteDirectoryTagLongLong8Array: Attempt to write value larger than 0xFFFFFFFF in LONG array..
$

Tested some of the tools as in bug 28455:

$ tiffgt MartianCrater.tif
$ tiffgt PIA20966.tif
Both images were displayed properly.

$ tiffdump PIA20966.tif > tiffdump
$ cat tiffdump
PIA20966.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 1048584 (0x100008) next 0 (0)
..........

$ tiffsplit greycombo.tif z
$ ls z*
zaaa.tif zaab.tif zaac.tif zaad.tif
tiffgt displayed the component images OK.

$ tifftopnm lena_color.tiff > lena.pnm
tifftopnm: writing PPM file
tiffmedian -C 128 -f example2.tiff median.tif

$ tiffcrop -E top -U px -m 100,100,100,100 SantaMaria.tif cropped.tif
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).
However, cropped.tif displayed OK.

$ tifftopnm Ikapati.tif > ikapati.pgm
tifftopnm: writing PGM file
$ pnmtotiff ikapati.pgm -output ikapati_test.tif
$ tiffgt Ikapati.tif
$ tiffgt ikapati_test.tif
$ display ikapati.pgm
Faithful copies.

$ tiff2bw macbeth_rgb.tif macbeth_bw.tif
$ tiffgt macbeth_bw.tif
$ tiff2pdf boats.tif > boats.pdf
$ okular boats.pdf
No Gtk messages this time. Might be due to improvements in okular.

$ tiff2ps lena.tif > lena.ps
$ gs lena.ps
No problems. Clean bill of health.

Lots of things require lib64tiff5, including okular, darktable, nomacs and various other image handling applications. Tried out a few. geeqie was the only one which failed. A window opened momentarily then geeqie froze. geeqie has been misbehaving for some time, like two years, so maybe we should forget about it. darktable looks OK though I did not push it. Accepted the configuration update.

Giving this an OK for 64-bits.

Whiteboard:
(none) =>
MGA8-64-OK

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 28455 for tests

$ tiffgt zwawi0007-1.tiff
display OK

$ tiffdump zwawi0007-2.tiff > tifdump
$ more tifdump
zwawi0007-2.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 15304088 (0xe98598) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<3410>
ImageLength (257) SHORT (3) 1<2244>
BitsPerSample (258) SHORT (3) 2<8 8>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<1>
DocumentName (269) ASCII (2) 68</home/herman/HV/fotos/zw ...>
ImageDescription (270) ASCII (2) 18<Created with GIMP\0>
StripOffsets (273) LONG (4) 36<8 436488 872968 1309448 1745928 2182408 2618888 3055368 3491848 3928328 4364808 4801288 5237768 5674248 6110728 6547208 6983688 7420168 7856648 8293128 8729608 9166088 9602568 10039048 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<2>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 36<436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 436480 ...>
XResolution (282) RATIONAL (5) 1<2400>
YResolution (283) RATIONAL (5) 1<2400>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
ExtraSamples (338) SHORT (3) 1<1>

$ tiffsplit IMG_1251.tif z
[tester8@mach5 20140119NieuwjaarViaene]$ ls z*
zaaa.tif
This is OK as I don't have a multipage tif available

$ tiffmedian -C 128 -f IMG_1251.tif median.tif
resulting file looks OK

$ tifftopnm IMG_1251.tif > image.pnm
tifftopnm: writing PPM file
$ display image.pnm
$ tiffcrop -E top -U px -m 100,100,100,100 IMG_1251.tif cropped.tif
$ tiff2bw IMG_1251.tif imagebw.tif
$ tiff2pdf IMG_1251.tif > image.pdf
$ tiff2ps IMG_1251.tif > image.ps
$ gs image.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
>>showpage, press <return> to continue<<

All resulting files are OK.

CC:
(none) =>
herman.viaene

Validating. Advisory in Comment 1.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-02-02 20:30:39 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0046.html

Status:
ASSIGNED =>
RESOLVED
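
An added example, not part of this bug report and not libtiff code: a minimal Python reader for the 12-byte directory entries (DE) that the advisory refers to and that the testers' tiffdump output lists. It reports the out-of-order tags libtiff warns about above and value offsets that point outside the file. The sample file, the tag number 65000 and the function names are constructed for illustration; reading the advisory's 0x0200 as the on-disk bytes 02 00 (type 2, ASCII, in a little-endian file) is an assumption.

```python
import struct

# Field type sizes in bytes, from the TIFF 6.0 specification (subset).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL

def read_ifd0(data):
    """Parse directory 0 of a ClassicTIFF; return (entries, findings)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF file")
    bo = "<" if data[:2] == b"II" else ">"
    version, ifd_off = struct.unpack_from(bo + "HI", data, 2)
    if version != 42 or ifd_off + 2 > len(data):
        raise ValueError("not a ClassicTIFF or directory offset outside file")
    (n,) = struct.unpack_from(bo + "H", data, ifd_off)
    entries, findings, prev_tag = [], [], -1
    for i in range(n):
        pos = ifd_off + 2 + 12 * i
        if pos + 12 > len(data):
            findings.append(f"entry {i}: directory truncated")
            break
        # One DE is four fields: tag, type, count, value-or-offset.
        tag, typ, count, value = struct.unpack_from(bo + "HHII", data, pos)
        raw_type = data[pos + 2:pos + 4].hex()  # second word as stored on disk
        entries.append((tag, raw_type, typ, count, value))
        if tag <= prev_tag:
            findings.append(f"tag {tag}: not in ascending order")
        prev_tag = tag
        size = TYPE_SIZES.get(typ)
        if size is None:
            findings.append(f"tag {tag}: unknown type {typ}")
        elif size * count > 4 and value + size * count > len(data):
            # Values longer than 4 bytes live at an offset; it must be in the file.
            findings.append(f"tag {tag}: data runs past end of file")
    return entries, findings

def build_sample():
    """Constructed 50-byte sample (not the PoC from the upstream issue)."""
    des = [(256, 3, 1, 16),        # ImageWidth, SHORT
           (65000, 2, 64, 1000),   # hypothetical custom tag, ASCII, bad offset
           (257, 3, 1, 16)]        # ImageLength, out of order
    ifd = struct.pack("<H", len(des))
    ifd += b"".join(struct.pack("<HHII", *d) for d in des)
    return struct.pack("<2sHI", b"II", 42, 8) + ifd + struct.pack("<I", 0)

if __name__ == "__main__":
    entries, findings = read_ifd0(build_sample())
    for e in entries:
        print(e)
    for f in findings:
        print("finding:", f)
```
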