Hi, There is an upstream patch for CVE-2018-18661. Best regards, Nico.
Whiteboard: (none) => MGA6TOOSource RPM: (none) => libtiff-4.0.9-1.7.mga6.src.rpmAssignee: bugsquad => nicolas.salgueroCVE: (none) => CVE-2018-18661
Suggested advisory: ======================== The updated packages fix a security vulnerability: An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18661 ======================== Updated package in core/updates_testing: ======================== libtiff-progs-4.0.9-1.8.mga6 lib(64)tiff5-4.0.9-1.8.mga6 lib(64)tiff-devel-4.0.9-1.8.mga6 lib(64)tiff-static-devel-4.0.9-1.8.mga6 from SRPMS: libtiff-4.0.9-1.8.mga6.src.rpm
Whiteboard: MGA6TOO => (none)Status: NEW => ASSIGNEDVersion: Cauldron => 6Assignee: nicolas.salguero => qa-bugs
Mageia 6, x86_64 CVE-2018-18661 http://bugzilla.maptools.org/show_bug.cgi?id=2819 Renamed Null-pointer-derefence__LZWDecode@tif_lzw.c_462 to poc6. $ tiff2bw poc6 /dev/null TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered. LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes). TIFFWriteDirectoryTagData: IO error writing tag data. Note that the upstream test segfaulted after reporting the same error. Updated the four packages. CVE-2018-18661 $ tiff2bw poc6 /dev/null TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered. LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes). TIFFWriteDirectoryTagData: IO error writing tag data. This result, and the absence of a prior segfault, would indicate that this particular issue had already been fixed. Ran several image tests using the tools provided, as in previous bugs on libtiff. Tested tiffdump, ppm2tiff, tiffcp, tiff2bw, tifftopnm, pnmtotiffcmyk, pnmtotiff. All worked. tiffgt fails to display TIFF images but it has worked in the past. There is a suspicion that this has more to do with the graphical environment than libtiff. $ tiffgt SantaMaria.tif libGL error: No matching fbConfigs or visuals found libGL error: failed to load driver: swrast freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow Giving this the 64-bit OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
It looks like the problem with tiffgt is unrelated to libtiff to me too, Len. Validating. Advisory in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Advisory done from comment 1.
CC: (none) => lewyssmithKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0444.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED