Bug 19813 - libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue (CVE-2016-9453)
Summary: libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) an...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://lwn.net/Vulnerabilities/707488/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-18 14:33 CET by Nicolas Salguero
Modified: 2016-11-28 20:24 CET

See Also:
Source RPM: libtiff-4.0.6-1.6.mga5.src.rpm
CVE:
Status comment:


Description Nicolas Salguero 2016-11-18 14:33:46 CET
The fix for CVE-2016-9297 introduced this regression: http://bugzilla.maptools.org/show_bug.cgi?id=2593 (Invalid read of size 1 in TIFFFetchNormalTag)

Comment 1 Nicolas Salguero 2016-11-18 14:38:41 CET
Suggested advisory:
========================

The updated packages fix a regression introduced by the fix for CVE-2016-9297.
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.7.mga5.i586.rpm
libtiff5-4.0.6-1.7.mga5.i586.rpm
libtiff-devel-4.0.6-1.7.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.7.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.7.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.7.mga5.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.6-1.6.mga5.src.rpm

Comment 2 David Walser 2016-11-18 15:01:47 CET
FYI:
http://openwall.com/lists/oss-security/2016/11/18/4

Comment 3 David Walser 2016-11-18 17:20:56 CET
Reference for this update:
http://openwall.com/lists/oss-security/2016/11/18/11

CC: (none) => luigiwalser

Comment 4 Nicolas Salguero 2016-11-19 00:00:56 CET
Suggested advisory:
========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297.

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE number not assigned yet).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.8.mga5.i586.rpm
libtiff5-4.0.6-1.8.mga5.i586.rpm
libtiff-devel-4.0.6-1.8.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.8.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.8.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.8.mga5.src.rpm

Component: RPM Packages => Security

Nicolas Salguero 2016-11-19 00:01:55 CET

Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 => New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE

Comment 5 David Walser 2016-11-20 17:19:58 CET
Apparently this regression had security implications, because the regression fix has been assigned CVE-2016-9448:
http://openwall.com/lists/oss-security/2016/11/18/15

Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue

Comment 6 David Walser 2016-11-20 17:26:30 CET
(In reply to David Walser from comment #2)
> FYI:
> http://openwall.com/lists/oss-security/2016/11/18/4

CVE-2016-9453:
http://openwall.com/lists/oss-security/2016/11/19/1

Summary: libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue (CVE-2016-9453)

Comment 7 Nicolas Salguero 2016-11-21 10:54:12 CET
Suggested advisory:
========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453

Comment 8 David Walser 2016-11-21 14:15:46 CET
FYI there's a 4.0.7 release upstream now.

Comment 9 Nicolas Salguero 2016-11-21 14:31:38 CET
Suggested advisory:
========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.7-1.mga5.i586.rpm
libtiff5-4.0.7-1.mga5.i586.rpm
libtiff-devel-4.0.7-1.mga5.i586.rpm
libtiff-static-devel-4.0.7-1.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.7-1.mga5.x86_64.rpm
lib64tiff5-4.0.7-1.mga5.x86_64.rpm
lib64tiff-devel-4.0.7-1.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.7-1.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.7-1.mga5.src.rpm

Dave Hodgins 2016-11-21 22:44:03 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 10 Herman Viaene 2016-11-25 15:57:26 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Followed poc file from http://bugzilla.maptools.org/show_bug.cgi?id=2579, found via http://openwall.com/lists/oss-security/2016/11/18/4
at CLI
$ tiff2pdf -o 1test.pdf 1.tiff 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
So no out-of-bounds
Tried also one of my own tif files and converted successfully to pdf.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 11 youpburden 2016-11-26 23:21:25 CET
MGA5-64 on HP Pavilion dv7 KDE
No installation issues

Followed instructions from comment#10.

Here is the CLI information:

tiff2pdf -o 1test.pdf 1.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.

CC: (none) => youpburden

Comment 12 Lewis Smith 2016-11-27 20:33:42 CET
Additional test M5 x64

Thanks to Herman for the link to the alleged PoC.
Neither of the two tests above seemed to show the result before & after this update; so I re-tried just to see.

BEFORE: libtiff-progs-4.0.6-1.6.mga5, lib64tiff5-4.0.6-1.6.mga5
 $ tiff2pdf -o 1test.pdf Downloads/1.tif
 TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not  sorted in ascending order.
 TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
 TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
 TIFFReadDirectory: IO error during reading of "BitsPerSample".
 tiff2pdf: Can't open input file Downloads/1.tiff for reading.
which is the same result as the previous 2 tests! Never mind.

AFTER: libtiff-progs-4.0.7-1.mga5, lib64tiff5-4.0.7-1.mga5
 $ tiff2pdf -o 1test.pdf Downloads/1.tiff
gave the same output as before. Another PoC which does not show...
 $ tiff2pdf -o 1test.pdf /mnt/common/docs/ElderChmpgn.tiff
produced a large but impeccable PDF file. OK'ing the update.

Then validating. Advisory already uploaded.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 13 Mageia Robot 2016-11-28 01:14:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0405.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 14 David Walser 2016-11-28 20:24:54 CET
There are a whole bunch of other CVEs in the LWN reference (see the URL), but I'm guessing that we have fixed those as well with this update.

URL: (none) => https://lwn.net/Vulnerabilities/707488/
