Hi,

There is an upstream patch for CVE-2018-7456.

Best regards,

Nico.
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2018-7456
Whiteboard: (none) => MGA5TOO
Source RPM: (none) => libtiff-4.0.9-1.2.mga6.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.). (CVE-2018-7456)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7456
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.3.mga5
lib(64)tiff5-4.0.9-1.3.mga5
lib(64)tiff-devel-4.0.9-1.3.mga5
lib(64)tiff-static-devel-4.0.9-1.3.mga5

from SRPMS:
libtiff-4.0.9-1.3.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.3.mga6
lib(64)tiff5-4.0.9-1.3.mga6
lib(64)tiff-devel-4.0.9-1.3.mga6
lib(64)tiff-static-devel-4.0.9-1.3.mga6

from SRPMS:
libtiff-4.0.9-1.3.mga6.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Mageia 6, x86_64

PoC file at https://github.com/xiaoqx/pocs/tree/master/libtiff

$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFF Directory at offset 0x767fe (485374)
Image Width: 1024 Image Length: 768
Resolution: 2, 0 (unitless)
Bits/Sample: 8
Compression Scheme: LZW
Photometric Interpretation: RGB color
Samples/Pixel: 4
Planar Configuration: single image plane
Transfer Function:
Segmentation fault (core dumped)

ImageMagick displays a black window without an image.

$ display 1-tiffinfo-c-null
display: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 314 (0x13a) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 54034 (0xd312) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Incorrect count for "YResolution"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/915.
display: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Wrong length of decoded string: data probably corrupted at scanline 0. `LZWDecode' @ error/tiff.c/TIFFErrors/567.

$ tiffgt 1-tiffinfo-c-null
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow

Updated the libtiff packages.
Ran the test again:

$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFF Directory at offset 0x767fe (485374)
Image Width: 1024 Image Length: 768
Resolution: 2, 0 (unitless)
Bits/Sample: 8
Compression Scheme: LZW
......................................
254: 65150 65150 65150
255: 33279 33279 33279
Tag 314: Composer� Untitled, frame �
Tag 54034: 1
Software: Composer
DateTime: Tue May 7 21:48:30 2002
Artist: maya
HostComputer: thor
$

Looks like libtiff coped with the corrupt file.

Checked the behaviour of some of the tools.
tiffgt does not display tiff images, as in the past. Not a regression but an unfixed bug.

$ tiff2pdf -o test1.pdf SantaMaria.tif
$ xpdf test1.pdf
Worked perfectly.

$ tiffinfo SantaMaria.tif
TIFF Directory at offset 0x1e1348 (1971016)
Image Width: 1638 Image Length: 1410
Resolution: 495.062, 495.062 pixels/inch
.....................

$ tiff2ps -O test3.ps bridge.tif
$ gs test3.ps
GPL Ghostscript 9.22 (2017-10-04)
..........................
This displayed a copy of the original image as a postscript page.

$ tiff2rgba macbethcolourscan.tif rgba.tif
The resulting file looked the same under display but the files differed.
$ diff rgba.tif macbethcolourscan.tif
Binary files rgba.tif and macbethcolourscan.tif differ
$ ll macbethcolourscan.tif rgba.tif
-rw-r--r-- 1 lcl lcl 2955850 Nov 16 2016 macbethcolourscan.tif
-rw-r--r-- 1 lcl lcl 3975572 Apr 17 19:24 rgba.tif
The main difference seems to be the addition of the Alpha channel to rgba.tif.
tiffcmp fails to work as expected but it is not known if this is a regression. Needs further investigation.

$ tiffcmp macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tiffcmp -z 20 macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tiffcmp -l macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4

$ tifftopnm JessicaAlba.tif > jessica.pnm
tifftopnm: writing PPM file
$ display jessica.pnm
Perfect copy.

$ tiff2bw GlenShiel.tif GlenShiel_greyscale.tif
Produces a greyscale copy of original colour image.

The latest patch works and the libraries work in most cases but there are one or two possible bugs or regressions which make the status of libtiff uncertain.
CC: (none) => tarazed25
Mageia 5, x86_64

PoC test:

$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
................................................
Segmentation fault

tiffgt works with TIFF format files.

Upgraded the packages.

$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
..........................
255: 33279 33279 33279
Tag 314: Composer� Untitled, frame �
Tag 54034: 1
Software: Composer
DateTime: Tue May 7 21:48:30 2002
Artist: maya
HostComputer: thor
$

That looks positive and it agrees with the Mageia 6 test. And tiffgt continues to work.

$ tiffinfo SantaMaria.tif
TIFF Directory at offset 0x1e1348 (1971016)
Image Width: 1638 Image Length: 1410
Resolution: 495.062, 495.062 pixels/inch
Bits/Sample: 8
Compression Scheme: LZW
Photometric Interpretation: RGB color
....................

$ tiff2pdf -o lena.pdf lena_color.tiff
$ xpdf lena.pdf
Displays a one page document containing the original image.

$ tiff2ps -O harbour.ps harbour.tif
[lcl@difda images]$ gs harbour.ps
GPL Ghostscript 9.22 (2017-10-04)
Original greyscale image displayed as an encapsulated Postscript document.
$ head -7 harbour.ps
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: harbour.tif
%%CreationDate: Wed Apr 18 14:45:34 2018
%%DocumentData: Clean7Bit
%%Origin: 0 0
%%BoundingBox: 0 0 512 512

$ tiff2rgba macbethcolourscan.tif rgba.tif
$ tiffgt rgba.tif
Displays original colour chart. Comparing the two side by side does not reveal any differences.
$ ll macbethcolourscan.tif rgba.tif
-rw-r--r-- 1 lcl lcl 2955850 Nov 16 2016 macbethcolourscan.tif
-rw-r--r-- 1 lcl lcl 3975572 Apr 18 14:48 rgba.tif

This conversion worked perfectly:
$ tifftopnm GlenShiel.tif > GlenShiel.pnm

$ tiff2bw JessicaAlba.tif jessica_grey.tif
produced a greyscale copy of the original colour image.

This is fine for 64 bits in Mageia 5.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
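
The before/after comparison made by eye in the two test reports above can be scripted. The following is an added example, not part of the bug report or of libtiff; the function names run_check and crash_count are hypothetical, and the commands in the usage comment are the ones quoted in the reports.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a command ended.

# run_check CMD [ARGS...]
#   prints "ok", "error <status>" or "crash SIG<NAME>"
#   returns 0 (clean exit), 1 (non-zero exit), 2 (killed by a signal)
run_check() {
    # Only the way the process ended matters, so discard its output and
    # keep it away from our stdin (crash_count reads its list from there).
    status=0
    "$@" </dev/null >/dev/null 2>&1 || status=$?
    [ "$status" -ne 0 ] || { echo "ok"; return 0; }
    if [ "$status" -gt 128 ]; then
        # The shell reports death by signal N as status 128+N (139 = SIGSEGV).
        name=$(kill -l $((status - 128)) 2>/dev/null) || name=""
        [ -z "$name" ] || { echo "crash SIG$name"; return 2; }
    fi
    echo "error $status"
    return 1
}

# crash_count: read one command line per input line, run each through
# run_check, print a verdict per command, return the number of crashes.
crash_count() {
    crashes=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(run_check sh -c "$line") || [ $? -ne 2 ] || crashes=$((crashes + 1))
        printf '%-16s %s\n' "$verdict" "$line"
    done
    return "$crashes"
}

# Usage with the file names from this report (run before and after updating):
#   run_check tiffinfo -c 1-tiffinfo-c-null
#   printf '%s\n' 'tiffinfo -c 1-tiffinfo-c-null' \
#       'tiff2pdf -o test1.pdf SantaMaria.tif' | crash_count
```

A tool that deliberately exits with a status between 129 and 192 is reported as a crash, so a "crash" verdict should be confirmed against the tool's own output.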
Adding the OK for Mageia 6 because the failure of tiffgt does not look like a regression but an original bug. Need to raise one on that.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0208.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED