openSUSE has issued advisories today (October 24):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00150.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html

They fix a few CVEs we haven't previously mentioned.

CVE-2018-16335: according to https://security-tracker.debian.org/tracker/CVE-2018-16335, the fix is the same as for CVE-2017-11613, which was in bug 22799.

CVE-2018-17795: according to https://security-tracker.debian.org/tracker/CVE-2018-17795, the fix is the same as for CVE-2017-9935, which was in bug 22120.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100)

An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101
https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00150.html
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.7.mga6
lib(64)tiff5-4.0.9-1.7.mga6
lib(64)tiff-devel-4.0.9-1.7.mga6
lib(64)tiff-static-devel-4.0.9-1.7.mga6

from SRPMS:
libtiff-4.0.9-1.7.mga6.src.rpm

CVE: (none) => CVE-2018-17100, CVE-2018-17101
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Summary: libtiff possible new security issues CVE-2018-16335 CVE-2018-1710[01] CVE-2018-17795 => libtiff possible new security issues CVE-2018-1710[01]
Summary: libtiff possible new security issues CVE-2018-1710[01] => libtiff new security issues CVE-2018-1710[01]
Mageia 6, x86_64

Reviewed the CVEs listed by Suse.

CVE-2018-10779 - not in current list.
PoC file from an old bug.
http://bugzilla.maptools.org/show_bug.cgi?id=2790
$ bmp2tiff POC out.tiff
Mageia does not have bmp2tiff. The security issue affects tif_write.c specifically so using this PoC file in alternative conversions would miss the point.

CVE-2018-16335 (in QA list?)
https://bugzilla.suse.com/show_bug.cgi?id=1106853
$ tiff2pdf poc2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
[...]
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
tiff2pdf: No support for poc2 with 254 samples per pixel.
tiff2pdf: An error occurred creating output PDF file.

CVE-2018-17100
Could not find a PoC for this. The issue likely could be demonstrated by ppm2tiff with a suitable test file.

CVE-2018-17101
Out of bounds writes in tools: tiff2bw and pal2rgb. No PoC.

CVE-2018-17795
https://bugzilla.suse.com/show_bug.cgi?id=1046077
$ unrar e POC.rar
Extracting POC1 OK
Extracting POC2 OK
Extracting POC3 OK
Extracting POC4 OK
Extracting POC5 OK
$ tiff2pdf POC1 | cat > poc1.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
[...]
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
$ xpdf poc1.pdf
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...

Similar copious error logs from all five files.

Packages updated cleanly.

CVE-2018-16335
The PoC test failed in the same way and since it seems to have been dropped from the list it can be ignored.

CVE-2018-17795
$ tiff2pdf POC1 | cat > poc1.pdf
TIFFFetchDirectory: Sanity check on directory count failed, zero tag directories not supported.
TIFFReadDirectory: Failed to read directory at offset 5356.
tiff2pdf: Can't open input file POC1 for reading.
$ tiff2pdf POC2 | cat > poc2.pdf
TIFFOpen: POC2: No such file or directory.
tiff2pdf: Can't open input file POC2 for reading.

Similar output for the other PoC files, so we can assume that this issue is fixed.

A few utility tests later.
CC: (none) => tarazed25
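A small shell harness for the before/after PoC runs shown in the comments above, added here as an example (it is not part of the bug report or of Mageia's QA tooling). It classifies each run by exit status, relying on the shell convention that a status above 128 means the process was killed by a signal; the function names and the `./pocs` directory in the usage note are assumptions.

```shell
#!/bin/sh
# Classify how a command-line tool handles one input file.
# Usage: triage_one FILE CMD [ARGS...]   (FILE is appended as the last argument)
# Prints one of: missing | ok | rejected | crash:<signal-number>
triage_one() {
    input=$1; shift
    # A missing input is reported separately so it is not mistaken
    # for the tool rejecting a malformed file.
    [ -f "$input" ] || { echo missing; return 0; }
    status=0
    "$@" "$input" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        # 128 + N: the child died from signal N (11 = SIGSEGV, 6 = SIGABRT)
        echo "crash:$((status - 128))"
    else
        # Non-zero exit without a signal: the tool detected the bad
        # input and stopped by itself.
        echo rejected
    fi
}

# Run the tool over every file in a directory and print "verdict<TAB>file".
# Returns 1 if any input crashed the tool, so the call can gate a QA script.
triage_dir() {
    dir=$1; shift
    rc=0
    for f in "$dir"/*; do
        verdict=$(triage_one "$f" "$@")
        printf '%s\t%s\n' "$verdict" "$f"
        case $verdict in
            crash:*) rc=1 ;;
        esac
    done
    return "$rc"
}
```

With the PoC files unpacked into a directory, `triage_dir ./pocs tiff2pdf` can be run before and after installing the update and the two listings compared.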
Utility tests.

Just repeating those from earlier libtiff tests, on similar images.

There is a problem with tiffgt.
$ tiffgt SantaMaria.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ tiffgt greyscale.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow

This is probably the same issue which affects celestia. Performing a local build on celestia cured the problem in the past but that is not possible in QA. Anyway, it looks like a graphics system error and it is something which turns up every now and again with various graphics packages. It comes and goes.

$ tiffcp SantaMaria.tif new.tif
_TIFFVGetField: new.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: new.tif: Invalid tag "BadFaxLines" (not supported by codec).

This is another chestnut. Not significant because the new image is a perfect copy.

Most conversion functions work. Output checked with ImageMagick display, gs or xpdf.

$ tifftopnm lena_color.tiff > lena.pnm
tifftopnm: writing PPM file
$ pnmtotiff Ikapati.pgm -output test.pnm
$ tiff2bw macbeth_rgb.tif macbeth_bw.tif
$ tiff2pdf boats.tif > boats.pdf
$ tiff2ps lena.tif > lena.ps
$ tiffcrop -E top -U px -m 100,100,100,100 SantaMaria.tif cropped.tif
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec).

The cropped image displayed OK.

$ tiffdump SantaMaria.tif > dumpfile
$ cat dumpfile
SantaMaria.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 1971016 (0x1e1348) next 0 (0)
[...]
PrimaryChromaticities (319) RATIONAL (5) 6<0.64 0.33 0.3 0.6 0.15 0.06>
BadFaxLines (326) LONG (4) 1<2707030018>

$ tiffmedian example2.tiff median.tif

tiffdump craters.tif shows
........
XResolution (282) RATIONAL (5) 1<300>
YResolution (283) RATIONAL (5) 1<300>
$ tiffset -s 282 320.0 craters.tif
$ tiffset -s 283 320.0 craters.tif
tiffdump shows:
XResolution (282) RATIONAL (5) 1<320>
YResolution (283) RATIONAL (5) 1<320>

$ tiffsplit greycombo.tif
Generates {xaaa,xaab,xaac,xaad}.tif from the stacked frames in the original image.

Despite the repeated complaints above this looks good to go.
Whiteboard: (none) => MGA6-64-OK
Taking your word for it, Len. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0426.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED