Security issues in libtiff have been announced:
http://openwall.com/lists/oss-security/2015/01/24/15
http://openwall.com/lists/oss-security/2015/01/24/16

Some have fixes, some do not yet. Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
FYI. ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz
Fixes CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130
CC: (none) => oe
Do we know if the unfixed things listed in both of those oss-security messages are now fixed? Anyway, I guess we'll probably want to just upgrade everything to the final 4.0.4 release once it's available, rather than backporting patches.
CVEs have been assigned for the issues from the second message: http://openwall.com/lists/oss-security/2015/02/07/5
Summary: libtiff new security issues CVE-2014-812[7-9], CVE-2014-8130, and possibly others => libtiff new security issues CVE-2014-812[7-9], CVE-2014-8130, CVE-2014-9655, and CVE-2015-1547
OpenSuSE has issued an advisory for this today (March 9):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html

Now we can borrow patches from them:
https://build.opensuse.org/package/show/openSUSE:13.2:Update/tiff?rev=1
URL: (none) => http://lwn.net/Vulnerabilities/635993/
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerabilities:

The libtiff image decoder library contains several issues that could cause the decoder to crash when reading crafted TIFF images (CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655, CVE-2015-1547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547
http://openwall.com/lists/oss-security/2015/01/24/15
http://openwall.com/lists/oss-security/2015/02/07/5
http://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.3-8.1.mga4
libtiff5-4.0.3-8.1.mga4
libtiff-devel-4.0.3-8.1.mga4
libtiff-static-devel-4.0.3-8.1.mga4

from libtiff-4.0.3-8.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)
Created attachment 6038 [details]
PoCs for libtiff

Testing on Mageia 4 x64, real hardware.

Using PoCs found at: http://openwall.com/lists/oss-security/2015/01/24/15

From current packages:
---------------------
libtiff-progs-4.0.3-8.mga4
lib64tiff-devel-4.0.3-8.mga4
lib64tiff-static-devel-4.0.3-8.mga4
lib64tiff5-4.0.3-8.mga4

CVE-2014-8127: 7 PoCs gave segmentation faults
CVE-2014-8128: 4 PoCs gave segmentation faults
CVE-2014-8129: 2 PoCs gave memory corruption
CVE-2014-8130: this PoC gave a floating point exception

To updated testing packages:
---------------------------
libtiff-progs-4.0.3-8.1.mga4
lib64tiff-devel-4.0.3-8.1.mga4
lib64tiff-static-devel-4.0.3-8.1.mga4
lib64tiff5-4.0.3-8.1.mga4

CVE-2014-8127: 3 PoCs still gave segmentation faults:
  CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools
  CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
which are
  $ tiff2ps 08_tiff2ps.tiff
  $ tiffdither 12_tiffdither.tiff out.tiff
  $ tiffset 19_tiffset.tiff
(in attached tarball)
CVE-2014-8128: all OK
CVE-2014-8129: both OK
CVE-2014-8130: no floating point exception anymore.

Conclusion: most of the security bugs are solved by this update but 3 remain unsolved.
CC: (none) => olchal
Created attachment 6041 [details]
Command line for libtiff PoCs

Sorry, for those who would like to test the PoCs, I forgot to put the various commands to trigger the bugs in my previous attachment. So here they are.
Created attachment 6057 [details]
tif file from xsane
CC: (none) => herman.viaene
MGA4-32 on Acer D620 Xfce

Tried according to https://wiki.mageia.org/en/QA_procedure:Libtiff with own tif file (appendix 3) at CLI:

]$ tiffinfo 0002.tif
TIFF Directory at offset 0x7c2d2 (508626)
  Image Width: 3152 Image Length: 2174
  Resolution: 2400, 2400 pixels/inch
  Bits/Sample: 8
  Compression Scheme: JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 16
  Planar Configuration: single image plane
  Reference Black/White:
     0:     0   255
     1:   128   255
     2:   128   255
  Software: xsane
  DateTime: 2007:01:16 13:29:35
  JPEG Tables: (574 bytes)

The tif file opens OK in gimp, but tiff2pdf 0002.tif > 0002.pdf generates a pdf file of the same size as the tif file, which opens in the pdf viewer as a white sheet.
Thanks Olivier. I confirmed that the first 2 of the 3 PoCs still segfaulted on i586. Removing all patches and updating to 4.0.4beta fixed those, but the CVE-2014-8128 "tiffcmp 00_basefile.tiff 18_tiffcmp.tiff" segfaulted. Then I noticed that the last three patches I had added from OpenSuSE had different filenames and may not have been from upstream commits, and indeed they still applied. Re-applying those three patches, all PoCs are now OK. I've asked for a freeze push in Cauldron and committed it in Mageia 4 SVN. I'll add the feedback marker until it's pushed in Cauldron and then submit it in Mageia 4 and remove the marker.
Whiteboard: (none) => feedback
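The per-tool PoC runs in the two test comments above (the 4.0.3-8.1 run and the tiffcmp retest) are easy to get wrong by eye, since a clean error exit and a crash both print to the terminal. The harness below is an added example, not part of Mageia's QA procedure or this bug; it assumes the PoC files from the linked oss-security post (file names as quoted in the comments) are in the current directory and that libtiff-progs is on PATH, and it tells apart a clean exit, a tool rejecting the file, death by signal (segfault, FPE) and a hang.

```python
import signal
import subprocess
from collections import defaultdict

# (CVE, command) pairs quoted in the test comments above. The PoC files are
# assumed to sit in the current directory and libtiff-progs to be on PATH.
CASES = [
    ("CVE-2014-8127", ["tiff2ps", "08_tiff2ps.tiff"]),
    ("CVE-2014-8127", ["tiffdither", "12_tiffdither.tiff", "out.tiff"]),
    ("CVE-2014-8127", ["tiffset", "19_tiffset.tiff"]),
    ("CVE-2014-8128", ["tiffcmp", "00_basefile.tiff", "18_tiffcmp.tiff"]),
]

def classify(returncode):
    """subprocess reports death by signal as a negative code: -11 is SIGSEGV
    (the 'segmentation fault' above), -8 is SIGFPE (the 'floating point
    exception'). A plain non-zero exit is 'error': a tool rejecting a
    malformed file cleanly is the fixed behaviour we want to see."""
    if returncode is None:
        return "timeout"
    if returncode == 0:
        return "ok"
    if returncode < 0:
        return signal.Signals(-returncode).name
    return "error"

def run_case(argv, timeout=10):
    """Run one tool invocation; a hang on a crafted file is a finding too."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return "missing-tool"
    except subprocess.TimeoutExpired:
        return classify(None)
    return classify(proc.returncode)

def summarize(results):
    """Per CVE: 'OK' when no run crashed or hung, else the crash verdicts."""
    per_cve = defaultdict(list)
    for cve, verdict in results:
        per_cve[cve].append(verdict)
    return {cve: [v for v in vs if v.startswith("SIG") or v == "timeout"] or "OK"
            for cve, vs in per_cve.items()}

if __name__ == "__main__":
    for cve, outcome in summarize([(c, run_case(a)) for c, a in CASES]).items():
        print(cve, outcome)
```

A CVE only counts as fixed when every one of its PoCs comes back "ok" or "error"; "missing-tool" means the package under test is not actually installed, which is worth noticing before declaring a package OK.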
OK, please test x86_64 again with the updated packages.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.4-0.1.mga4
libtiff5-4.0.4-0.1.mga4
libtiff-devel-4.0.4-0.1.mga4
libtiff-static-devel-4.0.4-0.1.mga4

from libtiff-4.0.4-0.1.mga4.src.rpm
Whiteboard: feedback => has_procedure MGA4-32-OK
Testing on Mageia 4 x64, real hardware.

With latest updated testing packages:
------------------------------------
lib64tiff-devel-4.0.4-0.1.mga4
lib64tiff-static-devel-4.0.4-0.1.mga4
lib64tiff5-4.0.4-0.1.mga4
libtiff-progs-4.0.4-0.1.mga4

All OK
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
So a bump from 4.0.3-8 to a 4.0.4 beta and the bump is only tested on x86_64 before validation... :/ and advisory is wrong...
Keywords: validated_update => (none)
CC: (none) => tmb
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK advisory => has_procedure MGA4-32-OK MGA4-64-OK
Excuse me? It was tested on i586, rather extensively I might add. The advisory I posted in this bug is correct. I don't know what's in SVN.
i586 test was in comment 9 with 4.0.3-8.1
4.0.4 beta was announced in comment 11
x86_64 test of 4.0.4 was in comment 12
advisory in svn still refers to 4.0.3-8.1
I tested on i586 with the previous build which wasn't quite good enough and the new beta build, and I didn't mention it until Comment 10. Comment 11 has the correct package list.
Ah, my bad... I missed that part of the tests in comment 10 :/ pushing then
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0112.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2014-9330: http://lwn.net/Vulnerabilities/638727/

Ubuntu has issued an advisory for this on March 31: http://www.ubuntu.com/usn/usn-2553-1/

The CVE page has a link to a github mirror of libtiff (this would have been useful earlier :o):
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9330.html