Bug 23788 - libtiff new security issue CVE-2018-18661
Summary: libtiff new security issue CVE-2018-18661
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-31 10:49 CET by Nicolas Salguero
Modified: 2018-11-11 22:11 CET

See Also:
Source RPM: libtiff-4.0.9-1.7.mga6.src.rpm
CVE: CVE-2018-18661
Status comment:



Description Nicolas Salguero 2018-10-31 10:49:21 CET
Hi,

There is an upstream patch for CVE-2018-18661.

Best regards,

Nico.
Nicolas Salguero 2018-10-31 10:50:55 CET

Whiteboard: (none) => MGA6TOO
Source RPM: (none) => libtiff-4.0.9-1.7.mga6.src.rpm
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2018-18661

Comment 1 Nicolas Salguero 2018-10-31 11:15:15 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18661
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.8.mga6
lib(64)tiff5-4.0.9-1.8.mga6
lib(64)tiff-devel-4.0.9-1.8.mga6
lib(64)tiff-static-devel-4.0.9-1.8.mga6

from SRPMS:
libtiff-4.0.9-1.8.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: nicolas.salguero => qa-bugs

Comment 2 Len Lawrence 2018-11-06 13:13:14 CET
Mageia 6, x86_64

CVE-2018-18661
http://bugzilla.maptools.org/show_bug.cgi?id=2819
Renamed Null-pointer-derefence__LZWDecode@tif_lzw.c_462 to poc6.
$ tiff2bw poc6 /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.

Note that the upstream test segfaulted after reporting the same error.

Updated the four packages.

CVE-2018-18661
$ tiff2bw poc6 /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.

This result, and the absence of a prior segfault, would indicate that this particular issue had already been fixed.

Ran several image tests using the tools provided, as in previous bugs on libtiff.

Tested tiffdump, ppm2tiff, tiffcp, tiff2bw, tifftopnm, pnmtotiffcmyk, pnmtotiff.  All worked.  

tiffgt fails to display TIFF images but it has worked in the past.  There is a suspicion that this has more to do with the graphical environment than libtiff.
$ tiffgt SantaMaria.tif
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt):  ERROR:  Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow

Giving this the 64-bit OK.

CC: (none) => tarazed25

Len Lawrence 2018-11-06 13:13:29 CET

Whiteboard: (none) => MGA6-64-OK

Comment 3 Thomas Andrews 2018-11-09 22:33:45 CET
It looks like the problem with tiffgt is unrelated to libtiff to me too, Len.

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Lewis Smith 2018-11-11 21:19:42 CET
Advisory done from comment 1.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-11-11 22:11:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0444.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

