Hi,

There is an upstream patch for CVE-2018-10963.

Best regards,
Nico.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.4.mga5
lib(64)tiff5-4.0.9-1.4.mga5
lib(64)tiff-devel-4.0.9-1.4.mga5
lib(64)tiff-static-devel-4.0.9-1.4.mga5

from SRPMS:
libtiff-4.0.9-1.4.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.4.mga6
lib(64)tiff5-4.0.9-1.4.mga6
lib(64)tiff-devel-4.0.9-1.4.mga6
lib(64)tiff-static-devel-4.0.9-1.4.mga6

from SRPMS:
libtiff-4.0.9-1.4.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.9-1.3.mga6.src.rpm
CVE: (none) => CVE-2018-10963
Version: Cauldron => 6

Summary: libtiff new security issue CVE-2018-10963 => libtiff new security issues CVE-2018-10963 and CVE-2018-8905
CVE: CVE-2018-10963 => CVE-2018-10963, CVE-2018-8905
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.5.mga5
lib(64)tiff5-4.0.9-1.5.mga5
lib(64)tiff-devel-4.0.9-1.5.mga5
lib(64)tiff-static-devel-4.0.9-1.5.mga5

from SRPMS:
libtiff-4.0.9-1.5.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.5.mga6
lib(64)tiff5-4.0.9-1.5.mga6
lib(64)tiff-devel-4.0.9-1.5.mga6
lib(64)tiff-static-devel-4.0.9-1.5.mga6

from SRPMS:
libtiff-4.0.9-1.5.mga6.src.rpm
Here we go again.

Mageia 6, x86_64

Before update:

CVE-2018-10963
http://bugzilla.maptools.org/show_bug.cgi?id=2795
$ tiffset POC
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.
Aborted (core dumped)

CVE-2018-8905
http://bugzilla.maptools.org/show_bug.cgi?id=2780
$ tiffcp -i poc4 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1805 (0x70d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4882 (0x1312) encountered.
............................
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 1805"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4882"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3600" value failed; ta
......................................
poc4: LZWDecode: Corrupted LZW table at scanline 221.
poc4: LZWDecode: Corrupted LZW table at scanline 222.
CC: (none) => tarazed25
After the update:

CVE-2018-10963
$ tiffset POC
$

CVE-2018-8905
$ tiffcp -i poc4 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
................................

For this test the output was as before. Not possible to compare with the upstream test because it was linked with asan.

Moved to the QA image testing directory - these files have taken quite a battering over the years.
Checked some of the conversions like tiff2pdf, tiff2ps, tifftopnm, tiff2bw and tiff2rgba and they worked perfectly. tiffinfo continues to work.

However tiffgt fails to display TIFF images - ImageMagick had no problem. This does look like a regression but it as noted in a previous test

$ tiffgt SantaMaria.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
comment 4: s/it as/it is/

Inclined to give this an OK on the basis that the tiffgt problem is an old one and the current PoC tests do not end with abort or segfault. Adding it, but feel free to disagree.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Mageia 5, x86_64

Installed missing 4.0.9-1.3 packages.

Before update:

$ tiffset POC
$
Note, no abort.

$ tiffcp -i poc4 /tmp/foo
This produced the same output as noted in comment 3 so these two tests are not going to provide any information. Confirmed that by running the tests after updating the packages.

$ tiffgt SantaMaria.tif
Displays fine, so tiffgt is OK in mga5.

Performed various conversions from TIFF files to other formats or TIFF images. Viewed resulting TIFF images with tiffgt, PDF with xpdf and PostScript with gs. Performed comparisons and used tiffinfo to extract file information. All good.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
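
The before/after comparison used in the two test reports above (abort before the update and clean exit after it on Mageia 6, no abort either way on Mageia 5) can be scripted as below. This is an added example and not part of the original bug thread; classify_run and verdict are hypothetical helper names, and the commands in the demo are constructed stand-ins for the PoC runs.

```shell
#!/bin/sh
# Added example: classify how a PoC run ended and compare before/after an update.
# classify_run and verdict are hypothetical helpers, not libtiff or Mageia tools.

# Run a command quietly and report: clean, exit:N, or crash:SIGNAME.
classify_run() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "clean"
    elif [ "$rc" -gt 128 ]; then
        # The shell reports 128 + signal number for a child killed by a signal:
        # 134 = SIGABRT (failed assert()), 139 = SIGSEGV.
        echo "crash:SIG$(kill -l "$((rc - 128))")"
    else
        echo "exit:$rc"
    fi
}

# $1 = classification before the update, $2 = classification after it.
verdict() {
    case "$1" in
        crash:*)
            case "$2" in
                crash:*) echo "still-crashing" ;;
                *)       echo "fixed" ;;
            esac ;;
        *)
            case "$2" in
                crash:*) echo "regression" ;;
                # No crash before the update: the test says nothing about the fix.
                *)       echo "not-reproduced" ;;
            esac ;;
    esac
}

# Constructed stand-ins: a process that aborts, and one that exits cleanly.
before=$(classify_run sh -c 'kill -s ABRT $$')
after=$(classify_run true)
echo "abort before, clean after: $(verdict "$before" "$after")"
echo "clean before, clean after: $(verdict clean clean)"
```

A "not-reproduced" verdict matches the Mageia 5 result, where the PoC did not abort before the update and so could not confirm the fix.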
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0246.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED