Fedora has issued an advisory on February 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CXMZF6QHRSV4QSTQXM5RAXOWNJHAGFIW/ It may not be a serious issue though. Perhaps there are more interesting fixes in what's already been updated in Cauldron.
Suggested advisory: ======================== The updated packages fix at least one security vulnerability: The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. (CVE-2019-6128) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128 ======================== Updated packages in core/updates_testing: ======================== libtiff-progs-4.0.10-1.git20190202.1.mga6 lib(64)tiff5-4.0.10-1.git20190202.1.mga6 lib(64)tiff-devel-4.0.10-1.git20190202.1.mga6 lib(64)tiff-static-devel-4.0.10-1.git20190202.1.mga6 from SRPMS: libtiff-4.0.10-1.git20190202.1.mga6.src.rpm
Status: NEW => ASSIGNEDCVE: (none) => CVE-2019-6128Assignee: nicolas.salguero => qa-bugs
mga6, x86_64 CVE-2019-6128 http://bugzilla.maptools.org/show_bug.cgi?id=2836 $ pal2rgb libtiff-pal2rgb-memory-leak /dev/null TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered. libtiff-pal2rgb-memory-leak: Expecting a palette image. Agrees with the upstream valgrind output both before and afterwards. $ rpm -qa | grep lib64tiff lib64tiff-static-devel-4.0.9-1.9.mga6 lib64tiff-devel-4.0.9-1.9.mga6 lib64tiff5-4.0.9-1.9.mga6 The four packages updated cleanly. No change expected in the POC output. $ pal2rgb libtiff-pal2rgb-memory-leak /dev/null TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered. libtiff-pal2rgb-memory-leak: Expecting a palette image. In particular, when run with valgrind we see ==10894== All heap blocks were freed -- no leaks are possible Good enough. Could not find any examples of palette tiff files on the web, only jpeg and png representations. Tried to create one using a local file $ tiffmedian macbeth_rgba.tif macbethpalette.tif but the result was not very impressive and running pal2rgb on it returned virtually the same image so we shall simply accept the packages as is. Since the fix is so specific there is not much point in running the usual libtiff- progs tests. Giving this an OK for 64-bits.
Whiteboard: (none) => MGA6-64-OKCC: (none) => tarazed25
Sounds reasonable to me, Len. Validating. Advisory in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0075.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
This update also fixed CVE-2018-17000: https://usn.ubuntu.com/3906-1/
Summary: libtiff new security issue CVE-2019-6128 => libtiff new security issues CVE-2018-17000 and CVE-2019-6128