In this CVE assignment for libtiff:
http://openwall.com/lists/oss-security/2015/02/07/5

The last image linked there (libtiff5.tif) crashes ImageMagick's identify command if run as follows:
identify -verbose libtiff5.tif

Note that this is what lesspipe will do with this file if you view it with less.

The issue in libtiff was fixed in Bug 15132.

On Cauldron, none of the libtiff PoC files crash identify.

The issue can be demonstrated with tiffinfo from libtiff-progs, so this is actually another issue in libtiff itself. The OpenSuSE packager was nice enough to report this upstream:
http://bugzilla.maptools.org/show_bug.cgi?id=2508

He also informed me of some issues in the non-upstream patches in the OpenSuSE update, which we also used in our update:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c11

Hi David,

(In reply to David Walser from comment #1)
> The issue can be demonstrated with tiffinfo from libtiff-progs, so this is
> actually another issue in libtiff itself. The OpenSuSE packager was nice
> enough to report this upstream:
> http://bugzilla.maptools.org/show_bug.cgi?id=2508
>
> He also informed me of some issues in the non-upstream patches in the
> OpenSuSE update, which we also used in our update:
> http://bugzilla.maptools.org/show_bug.cgi?id=2499#c11

so is this a problem with imagemagick or is it another problem with libtiff? Is there a patch for it?

Regards,

-- Shlomi Fish
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #2)
> so is this a problem with imagemagick or is it another problem with libtiff?

Both.

> Is there a patch for it?

For ImageMagick, it's fixed in the version we have in Mageia 5, so yes. I don't know which commit (of the thousands between it and the Mageia 4 version) fixed it.

For libtiff, it has been reported upstream but there has been no response.

(In reply to David Walser from comment #0)
> In this CVE assignment for libtiff:
> http://openwall.com/lists/oss-security/2015/02/07/5
>
> The last image linked there (libtiff5.tif) crashes ImageMagick's identify
> command if run as follows:
> identify -verbose libtiff5.tif
>

I cannot reproduce it on a Mageia 4 x86-64 VBox VM. I'll try it on i586 soon.

Regards,

-- Shlomi Fish

(In reply to Shlomi Fish from comment #4)
> (In reply to David Walser from comment #0)
> > In this CVE assignment for libtiff:
> > http://openwall.com/lists/oss-security/2015/02/07/5
> >
> > The last image linked there (libtiff5.tif) crashes ImageMagick's identify
> > command if run as follows:
> > identify -verbose libtiff5.tif
> >
>
> I cannot reproduce it on a Mageia 4 x86-64 VBox VM. I'll try it on i586 soon.
>

OK, I cannot reproduce it on Mageia 4 i686 either.

Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
CC: (none) => marja11
Assignee: bugsquad => shlomif
(In reply to Marja van Waes from comment #6)
> Assigned to the package maintainer.
>
> (Please set the status to 'assigned' if you are working on it)

Well, I don't understand how to reproduce the offending behaviour. Marking as NEEDINFO.
Keywords: (none) => NEEDINFO
Strange, imagemagick and libtiff are up to date on the VM where I found this, but I can still reproduce it there and not on my workstation at home, with identify from imagemagick. Maybe the fix for imagemagick was in some other package that my VM doesn't have up to date. Not sure.

I can however still reproduce it with tiffinfo from libtiff-progs, as shown in the upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2508

Reassigning this bug to libtiff.
Keywords: NEEDINFO => (none)
Summary: imagemagick new security issue CVE-2015-1547 => libtiff new security issue (second issue from PoC for CVE-2015-1547)
Source RPM: imagemagick-6.8.7.0-2.3.mga4.src.rpm => libtiff-4.0.4-0.1.mga4.src.rpm
CC: (none) => mageia
Assignee: shlomif => bugsquad
Testing using the tiffinfo command, Mageia 5 is also affected (as would be expected considering it's the same libtiff version).
Version: 4 => Cauldron
Whiteboard: (none) => MGA5TOO, MGA4TOO
OpenSuSE has issued a new advisory today (July 9):
http://lists.opensuse.org/opensuse-updates/2015-07/msg00019.html

Please test the issue in this bug as well as repeating the tests from Bug 15132.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.4-1.mga4
libtiff5-4.0.4-1.mga4
libtiff-devel-4.0.4-1.mga4
libtiff-static-devel-4.0.4-1.mga4
libtiff-progs-4.0.4-1.mga5
libtiff5-4.0.4-1.mga5
libtiff-devel-4.0.4-1.mga5
libtiff-static-devel-4.0.4-1.mga5

from libtiff-4.0.4-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
(In reply to Dave Hodgins from comment #11)
> Advisory committed to svn.

What advisory? I haven't posted one for this yet. I need the testing results to know what exactly I need to write in it.

$ cat 15519.adv
type: security
subject: Updated libtiff5 package fixes security vulnerability
CVE:
 - CVE-2014-8127
 - CVE-2014-8128
 - CVE-2014-8129
 - CVE-2014-8130
 - CVE-2014-9655
 - CVE-2015-1547
src:
  5:
   core:
     - libtiff-4.0.4-1.mga5
description: |
  tiff was updated to version 4.0.4 to fix six security issues found by
  fuzzing initiatives.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=15519
 - http://lists.opensuse.org/opensuse-updates/2015-07/msg00019.html

Ahh I see. That'll work for now. I'll post an updated one later once it's tested if need be. If all the tests check out OK, that should suffice. The other thing I can tell you right now is it fixes regressions caused by the previous update as well. Thanks Dave.
Whiteboard: MGA4TOO advisory => MGA4TOO has_procedure advisory
I am having a go at this MGA4 x64, but am plagued by such things as
"TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order"
and worse for *all* the images from:
https://bugs.mageia.org/attachment.cgi?id=6038
and :
http://openwall.com/lists/oss-security/2015/02/07/5

I can only get Herman's image to display:
https://bugs.mageia.org/attachment.cgi?id=6057
using pre-update
lib64tiff5-4.0.4-0.1.mga4
libtiff-progs-4.0.4-0.1.mga4

Any ideas?
CC: (none) => lewyssmith
Most of the PoCs are not valid TIFF images, so you should get errors rather than getting them to display. You should not get stack traces or segfaults.
Tested MGA4 x64

Using:
http://openwall.com/lists/oss-security/2015/02/07/5 (3 TIF files)
https://bugs.mageia.org/attachment.cgi?id=6038 (19 TIF files; plus...)
https://bugs.mageia.org/attachment.cgi?id=6041 (a list of tiff* commands to use with the 19 files above)
$ identify -verbose ... [used with the 3 sample TIF files]
$ tiffinfo ... [used with the 3 sample TIF files]

BEFORE the update: all these commands/files yielded error outputs, but no sign of any crash.

AFTER the update to:
libtiff-progs-4.0.4-1.mga4
lib64tiff5-4.0.4-1.mga4
Same results as before (not necessarily identical): error outputs, but no evidence of a crash.

This is inconclusive, but if David agrees to MGA4-64-OK this - please do.

Thanks Lewis. As long as there's nothing that looks like a stack trace, it should be good. I'm hoping to test i586 when I get back to work next week.
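
The pass criterion discussed in the comments above (error output on a malformed PoC file is fine, a segfault or glibc abort is not) can be read from the exit status instead of from the terminal output. This is an added example, not part of the original thread or of the Mageia QA procedure; the function names, TOOL and MEM_LIMIT_KB are assumptions, and the default command is the tiffinfo -d invocation used in this bug.

```shell
#!/bin/sh
# Added example: crash triage for PoC regression runs. Function names, TOOL and
# MEM_LIMIT_KB are hypothetical; nothing here comes from the Mageia QA procedure.
#
# A process killed by signal N is reported by the shell as status 128+N, so a
# segfault (139) or glibc abort (134) is distinguishable from a parser that
# rejected a malformed file and exited non-zero.

TOOL=${TOOL:-"tiffinfo -d"}              # command run on each file
MEM_LIMIT_KB=${MEM_LIMIT_KB:-1048576}    # address-space cap per run (1 GiB)

# classify_status STATUS -> ok | error | notrun | crash:<SIGNAL>
classify_status() {
    st=$1
    case $st in
        0)       echo ok; return 0 ;;
        126|127) echo notrun; return 0 ;;   # not executable / not found
    esac
    if [ "$st" -gt 128 ]; then
        # Map 128+N back to a signal name; fails for values that are no signal
        name=$(kill -l "$((st - 128))" 2>/dev/null) || name=
        if [ -n "$name" ]; then
            echo "crash:$name"
            return 0
        fi
    fi
    echo error
}

# run_case CMD [ARGS...] -> prints the verdict for one invocation
run_case() {
    st=0
    (
        ulimit -c 0 2>/dev/null || true                 # no core files
        ulimit -v "$MEM_LIMIT_KB" 2>/dev/null || true   # bound allocations
        "$@" >/dev/null 2>&1
    ) 2>/dev/null || st=$?
    classify_status "$st"
}

# scan_pocs FILE... -> one "verdict file" line per file; returns non-zero if
# any run crashed or the tool could not be started
scan_pocs() {
    failures=0
    for f in "$@"; do
        # $TOOL is deliberately unquoted so "tiffinfo -d" splits into words
        verdict=$(run_case $TOOL "$f")
        printf '%-12s %s\n' "$verdict" "$f"
        case $verdict in
            crash:*|notrun) failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Stand-alone use: sh triage.sh poc1.tif poc2.tif ...
[ "$#" -eq 0 ] || scan_pocs "$@"
```
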
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
libtiff5 libtiff-progs

Tested using:
https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-0.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga4.i586 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install libtiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga4.i586 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libtiff5 libtiff-progs

Tested using:
https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-0.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.i586 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install libtiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga5.i586 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lib64tiff5 libtiff-progs

Tested using:
https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi lib64tiff5
Package lib64tiff5-4.0.4-0.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.x86_64 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install lib64tiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi lib64tiff5
Package lib64tiff5-4.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga5.x86_64 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA4 & 5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Unvalidating for the moment, the issue I reported in Comment 0 is not fixed.
Keywords: Triaged, validated_update => (none)
Furthermore, there's a regression in one of the test cases from Bug 15132.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure
(In reply to David Walser from comment #24)
> Furthermore, there's a regression in one of the test cases from Bug 15132.

$ tiffcmp 00_basefile.tiff 18_tiffcmp.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
Segmentation fault

(In reply to David Walser from comment #25)
> (In reply to David Walser from comment #24)
> > Furthermore, there's a regression in one of the test cases from Bug 15132.
>
> $ tiffcmp 00_basefile.tiff 18_tiffcmp.tiff
> TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
> sorted in ascending order.
> TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
> Segmentation fault

With the previous package it says:
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, Incompatible type for "Predictor"; tag ignored.
XResolution: 1 0

(In reply to David Walser from comment #23)
> Unvalidating for the moment, the issue I reported in Comment 0 is not fixed.

$ identify -verbose libtiff5.tif
*** Error in `identify': free(): invalid next size (fast): 0x08c43248 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b053)[0xb71fb053]
/lib/i686/libc.so.6(+0x72954)[0xb7202954]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb66679eb]
/lib/libtiff.so.5(+0x24c2e)[0xb6647c2e]
/lib/libtiff.so.5(TIFFRGBAImageGet+0x3f)[0xb664a23f]
/lib/libtiff.so.5(TIFFReadRGBATile+0x1da)[0xb664a7da]
/usr/lib/ImageMagick-6.8.7//modules-Q16/coders/tiff.so(+0x848c)[0xb773848c]
/lib/libMagickCore-6.Q16.so.1(ReadImage+0x10ab)[0xb74ef71b]
/lib/libMagickCore-6.Q16.so.1(ReadImages+0x1a8)[0xb74efd58]
/lib/libMagickWand-6.Q16.so.1(IdentifyImageCommand+0x1d86)[0xb73e05e6]
/lib/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6f5)[0xb74126e5]
identify[0x80486e3]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb71a9b33]
identify[0x8048744]
Aborted

$ tiffinfo -d libtiff5.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
libtiff5.tif: Warning, Nonstandard tile width 61, convert file.
TIFF Directory at offset 0xa0 (160)
  Image Width: 32 Image Length: 32
  Tile Width: 61 Tile Length: 3
  Bits/Sample: 2
  Compression Scheme: NeXT
  FillOrder: lsb-to-msb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 1
  Rows/Strip: 3
  Planar Configuration: single image plane
  DocumentName: foo.tif
TIFFFillTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 8.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
Tile (12,0):
 05 00 00 00 01 fc 07 0a 00 00 00 00 00 00 00 00 aa aa aa aa 55 55 55 55 57 00 00 00 00 00 00 00 55 55 55 55 aa aa aa aa 00 00 00 00 55 55 55 55
TIFFFillTile: Read error at row 0, col 244, tile 5; got 0 bytes, expected 1.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid next size (fast): 0x08ee33a0 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b053)[0xb7574053]
/lib/i686/libc.so.6(+0x72954)[0xb757b954]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb77069eb]
tiffinfo[0x8049836]
tiffinfo[0x8049a9d]
tiffinfo[0x8049e55]
tiffinfo[0x8048fc8]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb7522b33]
tiffinfo[0x8049091]
Aborted

I've left comments on upstream's Bugzilla about both issues. Unassigning from QA for now.
CC: (none) => qa-bugs
Version: 5 => Cauldron
Assignee: qa-bugs => bugsquad
Whiteboard: MGA4TOO has_procedure => MGA5TOO, MGA4TOO has_procedure
(In reply to David Walser from comment #28)
> I've left comments on upstream's Bugzilla about both issues. Unassigning
> from QA for now.

For the reference, David's comment is in this bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2508#c3
Still no reaction upstream, at least on the BR.

(In reply to Rémi Verschelde from comment #29)
> (In reply to David Walser from comment #28)
> > I've left comments on upstream's Bugzilla about both issues. Unassigning
> > from QA for now.
>
> For the reference, David's comment is in this bug report:
> http://bugzilla.maptools.org/show_bug.cgi?id=2508#c3
> Still no reaction upstream, at least on the BR.

And my other comment is here:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c14

Let's try libtiff 4.0.5.

Please make sure that you repeat the tests mentioned in Comments 23 through 27 if you're going to help test this. Thanks.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.5-1.mga4
libtiff5-4.0.5-1.mga4
libtiff-devel-4.0.5-1.mga4
libtiff-static-devel-4.0.5-1.mga4
libtiff-progs-4.0.5-1.mga5
libtiff5-4.0.5-1.mga5
libtiff-devel-4.0.5-1.mga5
libtiff-static-devel-4.0.5-1.mga5

from SRPMS:
libtiff-4.0.5-1.mga4.src.rpm
libtiff-4.0.5-1.mga5.src.rpm
CC: qa-bugs => (none)
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO has_procedure => MGA4TOO has_procedure
TLDR : Update NOT OK, thumbnail 17_thumbnail.tiff segfault.

mga5 x86_64 :
=============
Installed packages :
lib64tiff5-4.0.5-1.mga5
libtiff-progs-4.0.5-1.mga5

identify -verbose libtiff5.tif : no segfault
tiffinfo -d libtiff5.tif : no segfault
Bug 15132 test cases : no segfault EXCEPT for thumbnail 17_thumbnail.tiff

$ thumbnail 17_thumbnail.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 328 (0x148) encountered.
rastersize=1
TIFFFillStrip: Read error on strip 0; got 18446744073709551603 bytes, expected 1.
bpr=1, sy=0, bpr*sy=0
...
bpr=1, sy=0, bpr*sy=0
Erreur de segmentation

mga4 x86_64 (VM) : Same thing
==================
Installed packages :
libtiff-progs-4.0.5-1.mga4
lib64tiff5-4.0.5-1.mga4

identify -verbose libtiff5.tif : no segfault
tiffinfo -d libtiff5.tif : no segfault
Bug 15132 test cases : no segfault EXCEPT for thumbnail 17_thumbnail.tiff

$ thumbnail 17_thumbnail.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 328 (0x148) encountered.
rastersize=1
TIFFFillStrip: Read error on strip 0; got 18446744073709551603 bytes, expected 1.
bpr=1, sy=0, bpr*sy=0
...
bpr=1, sy=0, bpr*sy=0
Erreur de segmentation
CC: (none) => yann.cantin
thumbnail 17_thumbnail.tiff out.tiff works fine for me on Mageia 4 i586, but I get the same results on the two tests I reported in Comment 25 and Comment 27. Sigh. This is now WONTFIX for Mageia 4. Thanks for testing Yann.
CC: (none) => qa-bugs
Version: 5 => Cauldron
Assignee: qa-bugs => bugsquad
Whiteboard: MGA4TOO has_procedure => MGA5TOO has_procedure
Another issue in libtiff with no fix was noted here on oss-security: http://seclists.org/oss-sec/2015/q3/601
(In reply to David Walser from comment #34) > Another issue in libtiff with no fix was noted here on oss-security: > http://seclists.org/oss-sec/2015/q3/601 CVE-2015-7313 assigned: http://openwall.com/lists/oss-security/2015/09/22/11
About CVE-2015-7313 : According to http://seclists.org/oss-sec/2015/q3/631 and https://bugzilla.redhat.com/show_bug.cgi?id=1265998 this may not be a libtiff bug, but an memory overcommit problem : disabling overcommit with echo 2 > /proc/sys/vm/overcommit_memory seems to fix it.
Let's try libtiff 4.0.6. Please make sure that you repeat the tests mentioned in Comments 23 through 27 if you're going to help test this. Thanks. Note that even 4.0.6 has an issue (CVE-2015-8665): http://openwall.com/lists/oss-security/2015/12/24/4 Updated packages in core/updates_testing: ======================== libtiff-progs-4.0.6-1.mga5 libtiff5-4.0.6-1.mga5 libtiff-devel-4.0.6-1.mga5 libtiff-static-devel-4.0.6-1.mga5 from libtiff-4.0.6-1.mga5.src.rpm
CC: qa-bugs => (none)Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO has_procedure => has_procedureVersion: Cauldron => 5
(In reply to David Walser from comment #37) > Note that even 4.0.6 has an issue (CVE-2015-8665): > http://openwall.com/lists/oss-security/2015/12/24/4 and CVE-2015-8683: http://openwall.com/lists/oss-security/2015/12/26/1
(In reply to David Walser from comment #38) > (In reply to David Walser from comment #37) > > Note that even 4.0.6 has an issue (CVE-2015-8665): > > http://openwall.com/lists/oss-security/2015/12/24/4 > > and CVE-2015-8683: > http://openwall.com/lists/oss-security/2015/12/26/1 and CVE-2015-7554: http://openwall.com/lists/oss-security/2015/12/26/7
A fix for the original issue in this bug (Comment 0, libtiff5.tif issue) has been committed in upstream CVS on December 27: 2015-12-27 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #2508 I've patched the package to bring it up to date with current CVS (20151227) and built it locally and confirmed that it fixes this bug. It also includes fixes for two of the three recent CVEs that I mentioned: 2015-12-26 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of Alibaba. Unfortunately, the regression mentioned in Comments 24 through 26 still exists. I've posted another comment on upstream's Bugzilla about that. Updated packages in core/updates_testing: ======================== libtiff-progs-4.0.6-1.1.mga5 libtiff5-4.0.6-1.1.mga5 libtiff-devel-4.0.6-1.1.mga5 libtiff-static-devel-4.0.6-1.1.mga5 from libtiff-4.0.6-1.1.mga5.src.rpm
In Whiteboard: MGA5-32-OK

In VirtualBox and KDE

Packages under test:
libtiff libtiff-progs

[root@localhost wilcal]# urpmi libtiff
Package libtiff5-4.0.4-0.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.i586 is already installed

bmp2tiff pic1.bmp pic1.tif works
tiff2pdf pic1.tif > pic1.pdf works

[wilcal@localhost libtiff_test]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane

pic1.tif opens successfully with Gimp
tiffinfo -d pic1.tif > testinfo1.txt ( generates a mountain of info )

Install updates from core updates_testing

[root@localhost libtiff_test]# urpmi libtiff
Package libtiff5-4.0.6-1.1.mga5.i586 is already installed
[root@localhost libtiff_test]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.1.mga5.i586 is already installed

bmp2tiff pic2.bmp pic2.tif works
tiff2pdf pic2.tif > pic2.pdf works

[wilcal@localhost libtiff_test]$ tiffinfo pic2.tif
TIFF Directory at offset 0xaffe (45054)
  Image Width: 124 Image Length: 124
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 22
  Planar Configuration: single image plane

tiffinfo -d pic2.tif > testinfo2.txt ( generates a mountain of info )
In Whiteboard: MGA5-64-OK

In VirtualBox and KDE

Packages under test:
libtiff libtiff-progs

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.4-0.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.x86_64 is already installed

bmp2tiff pic1.bmp pic1.tif works
tiff2pdf pic1.tif > pic1.pdf works

[wilcal@localhost Pictures]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane

pic1.tif opens successfully with Gimp
tiffinfo -d pic1.tif > testinfo1.txt ( generates a mountain of info )

Install libtiff & libtiff-progs from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.1.mga5.x86_64 is already installed

bmp2tiff pic2.bmp pic2.tif works
tiff2pdf pic2.tif > pic2.pdf works

[wilcal@localhost Pictures]$ tiffinfo pic2.tif
TIFF Directory at offset 0x1f80f0 (2064624)
  Image Width: 640 Image Length: 1067
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane

pic2.tif opens successfully with Gimp
tiffinfo -d pic2.tif > testinfo2.txt ( generates a mountain of info )
Are we good here now?
(In reply to William Kenney from comment #43)
> Are we good here now?

No, we still have the regression I mentioned. You could run through the rest of the tests from Bug 15132 to make sure there aren't any other regressions (not that I expect any).

We *could* release this since it fixes the original bug in this report and two additional CVEs. I'm not sure how "bad" the regression is, just that there is one. I guess we can wait a little longer to see what happens with the third unfixed CVE and the regression.
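One way to automate the crash check that testers in this thread run by hand (tiffinfo or identify against each test file), as an added example that is not part of the thread or of the Mageia QA procedure. The helper names `classify_run` and `check_corpus` and the `./poc` directory are assumptions.

```shell
#!/bin/sh
# Added example: crash-regression check over a directory of test images.
# classify_run and check_corpus are hypothetical helper names.

# classify_run FILE CMD [ARGS...]
# Runs "CMD ARGS... FILE" with output discarded and prints one verdict:
#   ok               exit status 0
#   error(exit N)    the tool rejected the file cleanly
#   crash(signal N)  the shell reported 128+N, i.e. the tool died on signal N
# A tool that itself exits with a status above 128 would be misread as a crash.
classify_run() {
    file=$1; shift
    status=0
    "$@" "$file" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crash(signal $((status - 128)))"
    else
        echo "error(exit $status)"
    fi
}

# check_corpus DIR CMD [ARGS...]
# Classifies every regular file in DIR and returns non-zero if any run crashed,
# so the same directory can be checked before and after installing the update.
check_corpus() {
    dir=$1; shift
    crashes=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        verdict=$(classify_run "$f" "$@")
        printf '%-18s %s\n' "$verdict" "$f"
        case $verdict in
            crash*) crashes=$((crashes + 1)) ;;
        esac
    done
    [ "$crashes" -eq 0 ]
}

# Example: sh check.sh ./poc tiffinfo     (./poc is an assumed directory)
if [ "$#" -ge 2 ]; then
    check_corpus "$@"
fi
```

A clean rejection of a malformed file counts as a pass here; only a signal death (for example 11, SIGSEGV) fails the run.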
I ran through the following on MGA32 - i586

[root@localhost Pictures]# urpmi libtiff
Package libtiff5-4.0.6-1.1.mga5.i586 is already installed
Marking libtiff5 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list

brian@localhost Pictures]$ tiffinfo M_2016.tif
TIFF Directory at offset 0x75308 (480008)
  Image Width: 400 Image Length: 300
  Resolution: 96, 96 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane

[brian@localhost Pictures]$ convert M_2016.tif M_2017.tif
[brian@localhost Pictures]$ ls
M_2016.tif* M_2017.tif
[brian@localhost Pictures]$ convert M_2016.tif M_2016.png
[brian@localhost Pictures]$ ls
M_2016.png M_2016.tif* M_2017.tif
[brian@localhost Pictures]$ ls -a
./ ../ .directory M_2016.png M_2016.tif* M_2017.tif
[brian@localhost Pictures]$ ls -l
total 712
-rw-r--r-- 1 brian brian 2183 Jan 9 08:39 M_2016.png
-rwxrwx--- 1 brian brian 480182 Jan 9 08:17 M_2016.tif*
-rw-r--r-- 1 brian brian 240562 Jan 9 08:38 M_2017.tif

[root@localhost Pictures]# tiff2ps M_2016.tif > M_2016.ps
[root@localhost Pictures]# ls -ltr
total 1428
-rwxrwx--- 1 brian brian 480182 Jan 9 08:17 M_2016.tif*
-rw-r--r-- 1 brian brian 240562 Jan 9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian 2183 Jan 9 08:39 M_2016.png
-rw-r--r-- 1 root root 731758 Jan 9 08:43 M_2016.ps

[root@localhost Pictures]# tiffdither M_2016.tif dither.tif
tiffdither: Not a b&w image.

[root@localhost Pictures]# tiffset M_2016.tif
[root@localhost Pictures]# ls -ltr
total 1428
-rw-r--r-- 1 brian brian 240562 Jan 9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian 2183 Jan 9 08:39 M_2016.png
-rw-r--r-- 1 root root 731758 Jan 9 08:43 M_2016.ps
-rwxrwx--- 1 brian brian 480848 Jan 9 08:44 M_2016.tif*

[root@localhost Pictures]# convert M_2016.tif -colorspace Gray M_gray.tif
[root@localhost Pictures]# ls -ltr
total 1664
-rw-r--r-- 1 brian brian 240562 Jan 9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian 2183 Jan 9 08:39 M_2016.png
-rw-r--r-- 1 root root 731758 Jan 9 08:43 M_2016.ps
-rwxrwx--- 1 brian brian 480848 Jan 9 08:44 M_2016.tif*
-rw-r--r-- 1 root root 240474 Jan 9 08:49 M_gray.tif

[root@localhost Pictures]# tiffset M_gray.tif
[root@localhost Pictures]# tiffinfo M_gray.tif
TIFF Directory at offset 0x3ab5a (240474)
  Image Width: 400 Image Length: 300
  Resolution: 96, 96 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: min-is-black
  Extra Samples: 1<unassoc-alpha>
  FillOrder: msb-to-lsb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 2
  Rows/Strip: 10
  Planar Configuration: single image plane
  Page Number: 0-1
[root@localhost Pictures]#

Seems good to me.
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA_32_OK
Whiteboard: has_procedure MGA_32_OK => has_procedure MGA5-32-OK
It's not clear to me from the above which CVEs are now fixed by this update. David, can you sort out a complete list and new advisory?
(In reply to David Walser from comment #39)
> and CVE-2015-7554:
> http://openwall.com/lists/oss-security/2015/12/26/7

I moved this one to Bug 17480 as there is still no fix available.

(In reply to David Walser from comment #40)
> Unfortunately, the regression mentioned in Comments 24 through 26 still
> exists. I've posted another comment on upstream's Bugzilla about that.

Another suggested patch to fix that has been posted on the upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c16

I have confirmed that it fixes the issue. The original issue in this bug also remains fixed. There are no more regressions in the testcases from Bug 15132. CVE-2015-8665 and CVE-2015-8683 are fixed as well.

Advisory to come next. Let's test and release this one.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.6-1.2.mga5
libtiff5-4.0.6-1.2.mga5
libtiff-devel-4.0.6-1.2.mga5
libtiff-static-devel-4.0.6-1.2.mga5

from libtiff-4.0.6-1.2.mga5.src.rpm
Whiteboard: has_procedure MGA5-32-OK => has_procedure
Advisory:
========================

Updated libtiff packages fix security issues:

In libtiff, in tif_next.c, a potential out-of-bound write in NeXTDecode() triggered by the test case for CVE-2015-1547 (maptools bugzilla #2508).

In libtiff, in tif_getimage.c, out-of-bound reads in the TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV / CIELab (CVE-2015-8665, CVE-2015-8683).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683
http://bugzilla.maptools.org/show_bug.cgi?id=2508
http://openwall.com/lists/oss-security/2015/12/24/4
http://openwall.com/lists/oss-security/2015/12/26/1
Whiteboard: has_procedure => has_procedure advisory
In VirtualBox and KDE

Install updates from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package libtiff5-4.0.6-1.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.2.mga5.i586 is already installed

bmp2tiff pic2.bmp pic2.tif works
tiff2pdf pic2.tif > pic2.pdf works

[wilcal@localhost libtiff_test]$ tiffinfo pic2.tif
TIFF Directory at offset 0x1f80f0 (2064624)
  Image Width: 640 Image Length: 1067
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane

tiffinfo -d pic2.tif > testinfo2.txt ( generates a mountain of info )
In VirtualBox and KDE

Install updates from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.6-1.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.2.mga5.x86_64 is already installed

bmp2tiff pic1.bmp pic1.tif works
tiff2pdf pic1.tif > pic1.pdf works

[wilcal@localhost libtiff_test]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane

tiffinfo -d pic1.tif > testinfo1.txt ( generates a mountain of info )
Can we finally push this devil along?
(In reply to William Kenney from comment #51)
> Can we finally push this devil along?

Yes, our long international nightmare is over!
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0017.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/671915/
The original issue in this bug has been assigned CVE-2015-8784: http://openwall.com/lists/oss-security/2016/01/24/8 The prior upstream commit to the fix for that one received three CVEs: http://openwall.com/lists/oss-security/2016/01/24/7 Those are CVE-2015-8781, CVE-2015-8782, and CVE-2015-8783.
(In reply to David Walser from comment #54)
> The original issue in this bug has been assigned CVE-2015-8784:
> http://openwall.com/lists/oss-security/2016/01/24/8
>
> The prior upstream commit to the fix for that one received three CVEs:
> http://openwall.com/lists/oss-security/2016/01/24/7
>
> Those are CVE-2015-8781, CVE-2015-8782, and CVE-2015-8783.

LWN reference for all of those:
http://lwn.net/Vulnerabilities/674260/
It looks like CVE-2015-8870 was also fixed in either this update or the previous one: https://lwn.net/Vulnerabilities/713268/