The fix for CVE-2016-9297 introduced this regression: http://bugzilla.maptools.org/show_bug.cgi?id=2593 (Invalid read of size 1 in TIFFFetchNormalTag)
Suggested advisory:
========================

The updated packages fix a regression introduced by the fix for CVE-2016-9297.
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.7.mga5.i586.rpm
libtiff5-4.0.6-1.7.mga5.i586.rpm
libtiff-devel-4.0.6-1.7.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.7.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.7.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.7.mga5.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.6-1.6.mga5.src.rpm
FYI: http://openwall.com/lists/oss-security/2016/11/18/4
Reference for this update: http://openwall.com/lists/oss-security/2016/11/18/11
CC: (none) => luigiwalser
Suggested advisory:
========================

The updated packages fix:
A regression introduced by the fix for CVE-2016-9297.
An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE number not assigned yet).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.8.mga5.i586.rpm
libtiff5-4.0.6-1.8.mga5.i586.rpm
libtiff-devel-4.0.6-1.8.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.8.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.8.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.8.mga5.src.rpm
Component: RPM Packages => Security
Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 => New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE
Apparently this regression had security implications, because the regression fix has been assigned CVE-2016-9448: http://openwall.com/lists/oss-security/2016/11/18/15
Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue
(In reply to David Walser from comment #2)
> FYI:
> http://openwall.com/lists/oss-security/2016/11/18/4

CVE-2016-9453:
http://openwall.com/lists/oss-security/2016/11/19/1
Summary: libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue (CVE-2016-9453)
Suggested advisory:
========================

The updated packages fix:
A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).
An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453
FYI there's a 4.0.7 release upstream now.
Suggested advisory:
========================

The updated packages fix:
A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).
An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.7-1.mga5.i586.rpm
libtiff5-4.0.7-1.mga5.i586.rpm
libtiff-devel-4.0.7-1.mga5.i586.rpm
libtiff-static-devel-4.0.7-1.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.7-1.mga5.x86_64.rpm
lib64tiff5-4.0.7-1.mga5.x86_64.rpm
lib64tiff-devel-4.0.7-1.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.7-1.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.7-1.mga5.src.rpm

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

MGA5-32 on AcerD620 Xfce
No installation issues.
Followed poc file from http://bugzilla.maptools.org/show_bug.cgi?id=2579, found via http://openwall.com/lists/oss-security/2016/11/18/4
At CLI:
$ tiff2pdf -o 1test.pdf 1.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
So no out-of-bounds.
Tried also one of my own tif files and converted successfully to pdf.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

MGA5-64 on HP Pavilion dv7 KDE
No installation issues.
Followed instructions from comment #10.
Here is the CLI information:
tiff2pdf -o 1test.pdf 1.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
CC: (none) => youpburden
Additional test M5 x64
Thanks to Herman for the link to the alleged PoC. Neither of the two tests above seemed to show the result before & after this update; so I re-tried just to see.

BEFORE: libtiff-progs-4.0.6-1.6.mga5, lib64tiff5-4.0.6-1.6.mga5
$ tiff2pdf -o 1test.pdf Downloads/1.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file Downloads/1.tiff for reading.
which is the same result as the previous 2 tests! Never mind.

AFTER: libtiff-progs-4.0.7-1.mga5, lib64tiff5-4.0.7-1.mga5
$ tiff2pdf -o 1test.pdf Downloads/1.tiff
gave the same output as before. Another PoC which does not show...
$ tiff2pdf -o 1test.pdf /mnt/common/docs/ElderChmpgn.tiff
produced a large but impeccable PDF file.

OK'ing the update. Then validating. Advisory already uploaded.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0405.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
There are a whole bunch of other CVEs in the LWN reference (see the URL), but I'm guessing that we have fixed those as well with this update.
URL: (none) => https://lwn.net/Vulnerabilities/707488/