Bug 23021 - libtiff new security issues CVE-2018-10963 and CVE-2018-8905
Summary: libtiff new security issues CVE-2018-10963 and CVE-2018-8905
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-12 15:03 CEST by Nicolas Salguero
Modified: 2018-05-16 10:26 CEST

See Also:
Source RPM: libtiff-4.0.9-1.3.mga6.src.rpm
CVE: CVE-2018-10963, CVE-2018-8905
Status comment:



Description Nicolas Salguero 2018-05-12 15:03:19 CEST
Hi,

There is an upstream patch for CVE-2018-10963.

Best regards,

Nico.
Comment 1 Nicolas Salguero 2018-05-12 15:17:58 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.4.mga5
lib(64)tiff5-4.0.9-1.4.mga5
lib(64)tiff-devel-4.0.9-1.4.mga5
lib(64)tiff-static-devel-4.0.9-1.4.mga5

from SRPMS:
libtiff-4.0.9-1.4.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.4.mga6
lib(64)tiff5-4.0.9-1.4.mga6
lib(64)tiff-devel-4.0.9-1.4.mga6
lib(64)tiff-static-devel-4.0.9-1.4.mga6

from SRPMS:
libtiff-4.0.9-1.4.mga6.src.rpm

Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.9-1.3.mga6.src.rpm
CVE: (none) => CVE-2018-10963
Version: Cauldron => 6

Nicolas Salguero 2018-05-12 20:40:18 CEST

Summary: libtiff new security issue CVE-2018-10963 => libtiff new security issues CVE-2018-10963 and CVE-2018-8905
CVE: CVE-2018-10963 => CVE-2018-10963, CVE-2018-8905

Comment 2 Nicolas Salguero 2018-05-12 20:44:39 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.5.mga5
lib(64)tiff5-4.0.9-1.5.mga5
lib(64)tiff-devel-4.0.9-1.5.mga5
lib(64)tiff-static-devel-4.0.9-1.5.mga5

from SRPMS:
libtiff-4.0.9-1.5.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.5.mga6
lib(64)tiff5-4.0.9-1.5.mga6
lib(64)tiff-devel-4.0.9-1.5.mga6
lib(64)tiff-static-devel-4.0.9-1.5.mga6

from SRPMS:
libtiff-4.0.9-1.5.mga6.src.rpm
Comment 3 Len Lawrence 2018-05-14 21:23:18 CEST
Here we go again.  Mageia 6, x86_64

Before update:

CVE-2018-10963
http://bugzilla.maptools.org/show_bug.cgi?id=2795
$ tiffset POC
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.
Aborted (core dumped)

CVE-2018-8905
http://bugzilla.maptools.org/show_bug.cgi?id=2780
$ tiffcp -i poc4 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1805 (0x70d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4882 (0x1312) encountered.
............................
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 1805"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4882"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3600" value failed; ta
......................................
poc4: LZWDecode: Corrupted LZW table at scanline 221.
poc4: LZWDecode: Corrupted LZW table at scanline 222.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-05-14 21:55:17 CEST
After the update:

CVE-2018-10963
$ tiffset POC
$

CVE-2018-8905
$ tiffcp -i poc4 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
................................

For this test the output was as before.  Not possible to compare with the upstream test because it was linked with asan.

Moved to the QA image testing directory - these files have taken quite a battering over the years.

Checked some of the conversions like tiff2pdf, tiff2ps, tifftopnm, tiff2bw and tiff2rgba and they worked perfectly.  tiffinfo continues to work.

However tiffgt fails to display TIFF images - ImageMagick had no problem.  This does look like a regression but it as noted in a previous test
$ tiffgt SantaMaria.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt):  ERROR:  Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
Comment 5 Len Lawrence 2018-05-15 12:38:02 CEST
comment 4: s/it as/it is/

Inclined to give this an OK on the basis that the tiffgt problem is an old one and the current PoC tests do not end with abort or segfault.

Adding it, but feel free to disagree.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 6 Len Lawrence 2018-05-15 13:22:48 CEST
Mageia 5, x86_64

Installed missing 4.0.9-1.3 packages.

Before update:
$ tiffset POC
$

Note, no abort.

$ tiffcp -i poc4 /tmp/foo

This produced the same output as noted in comment 3 so these two tests are not going to provide any information.  Confirmed that by running the tests after updating the packages.

$ tiffgt SantaMaria.tif
Displays fine, so tiffgt is OK in mga5.

Performed various conversions from TIFF files to other formats or TIFF images.  Viewed resulting TIFF images with tiffgt, PDF with xpdf and PostScript with gs.

Performed comparisons and used tiffinfo to extract file information.

All good.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Lewis Smith 2018-05-15 19:55:14 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-05-16 10:26:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0246.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
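
The pass criterion used in comments 3 to 6 (a PoC run must not end in an abort or segfault, and a PoC that never crashed on a given build says nothing about the fix) can be scripted. The following is an added example, not part of the bug thread or of Mageia's QA tooling; the function names are hypothetical, the stand-in commands are constructed, and the 134/139 status values assume Linux signal numbering.

```shell
#!/bin/sh
# Added example; classify_run, is_crash and judge are hypothetical names.

# classify_run CMD [ARGS...]: run CMD and print one verdict word.
classify_run() {
    err=$(mktemp) || return 2
    status=0
    "$@" >/dev/null 2>"$err" || status=$?
    if grep -q 'ERROR: AddressSanitizer' "$err"; then
        verdict=asan                      # memory error reported by an ASan build
    elif [ "$status" -eq 0 ]; then
        verdict=clean
    elif [ "$status" -eq 134 ]; then
        verdict=abort                     # 128 + SIGABRT(6): failed assert()
    elif [ "$status" -eq 139 ]; then
        verdict=segfault                  # 128 + SIGSEGV(11)
    elif [ "$status" -gt 128 ]; then
        verdict="signal:$((status - 128))"
    else
        verdict=error                     # ordinary non-zero exit
    fi
    rm -f "$err"
    printf '%s\n' "$verdict"
}

# is_crash VERDICT: succeed if the verdict is a crash or a sanitizer report.
is_crash() {
    case "$1" in
        abort|segfault|asan|signal:*) return 0 ;;
        *) return 1 ;;
    esac
}

# judge BEFORE AFTER: what the pair of verdicts tells the tester.
judge() {
    if is_crash "$2"; then
        echo still-crashes
    elif is_crash "$1"; then
        echo fixed
    else
        echo uninformative                # PoC never crashed on this build
    fi
}

# Constructed stand-ins for a PoC run before and after the update.
before=$(classify_run sh -c 'kill -s ABRT $$')
after=$(classify_run true)
echo "before=$before after=$after verdict=$(judge "$before" "$after")"
```

With the real files the call would be `classify_run tiffset POC`. The `asan` verdict can only appear when the tools are built with AddressSanitizer, so a run with ordinary packages, like the tiffcp test in comment 4, can come out as `uninformative`.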

