| Summary: | libtiff new security issues CVE-2022-0561 and CVE-2022-0562 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libtiff-4.2.0-1.1.mga8.src.rpm | CVE: | CVE-2022-0561, CVE-2022-0562 |
| Status comment: | |||
Description
David Walser
2022-03-02 20:52:06 CET
David Walser
2022-03-02 20:52:25 CET
Status comment:
(none) =>
Patches available from Fedora
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. (CVE-2022-0561)

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. (CVE-2022-0562)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZEHZ35XVO2VBZ4HHCMM6J6TQIDSBQOM/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.2.mga8
lib(64)tiff-devel-4.2.0-1.2.mga8
lib(64)tiff-static-devel-4.2.0-1.2.mga8
libtiff-progs-4.2.0-1.2.mga8

from SRPM:
libtiff-4.2.0-1.2.mga8.src.rpm
Assignee:
bugsquad =>
qa-bugs
mga8, x64
Before updating:
Same PoC for both CVEs.
CVE-2022-056{1,2}
https://gitlab.com/libtiff/libtiff/-/issues/362
$ tiffinfo -f lsb2msb -Dcdjrsz crash.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 18770 (0x4952) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect value for "DateTime"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
EstimateStripByteCounts: Cannot determine size of unknown tag type 10825.
Ran the test after updating the four packages and saw the same result. Cannot read much into that though because the PoC is meant to be run within a particular ASAN framework. This confirms an earlier thought that there is little point in QA running pocs, which so often these days need to be tested in a similar environment to the one which exposed the vulnerabilities.
Ran the usual image tests, with tiffgt to display TIFF images and ImageMagick otherwise. See bugs 22799, .... 29976. No regressions noted but the tifftopnm command has disappeared; likewise pnmtotiff.
$ tiff2pdf boats.tif > boats.pdf
$ strace -o boats.trace okular boats.pdf
$ grep libtiff boats.trace
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 20
This looks fine but it is bound to come back again.
Whiteboard:
(none) =>
Len Lawrence
2022-03-03 12:41:16 CET
Whiteboard:
=>
MGA8-64-OK
Validating. Advisory in Comment 1.
CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-03-06 01:58:19 CET
CC:
(none) =>
davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0087.html
Resolution:
(none) =>
FIXED
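
Added example (not part of the bug report and not libtiff code): the bug class named in the advisory, a null source pointer handed to memcpy(), and the guard that avoids it. The helper resize_counts() and its parameters are hypothetical; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a newly allocated array of `want` entries
 * holding the first `have` entries of `src`, zero-padded at the end.
 * `src` may be NULL when `have` is 0 (for example an empty tag). */
uint64_t *resize_counts(const uint64_t *src, size_t have, size_t want)
{
    if (want == 0 || want > SIZE_MAX / sizeof(uint64_t))
        return NULL;                 /* refuse empty or overflowing sizes */
    if (src == NULL && have != 0)
        return NULL;                 /* count claims data that is not there */

    uint64_t *dst = calloc(want, sizeof(uint64_t));  /* already zero-padded */
    if (dst == NULL)
        return NULL;

    size_t n = have < want ? have : want;
    /* The guard. The C library's string functions require valid pointers
     * even for a length of 0, so an unguarded memcpy(dst, NULL, 0) is
     * undefined behaviour. A normal build usually shows nothing visible,
     * which matches the identical tiffinfo output before and after the
     * update; a sanitizer build reports the call. */
    if (n != 0)
        memcpy(dst, src, n * sizeof(uint64_t));
    return dst;
}

int main(void)
{
    uint64_t sample[2] = {7, 9};     /* constructed sample values */
    uint64_t *empty = resize_counts(NULL, 0, 3);
    uint64_t *grown = resize_counts(sample, 2, 4);
    if (empty == NULL || grown == NULL)
        return 1;
    printf("empty[0]=%llu grown[1]=%llu grown[3]=%llu\n",
           (unsigned long long)empty[0],
           (unsigned long long)grown[1],
           (unsigned long long)grown[3]);
    free(empty);
    free(grown);
    return 0;
}
```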