Bug 24343 - libtiff new security issues CVE-2018-17000 and CVE-2019-6128
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-11 01:22 CET by David Walser
Modified: 2019-03-28 21:40 CET

See Also:
Source RPM: libtiff-4.0.9-1.9.mga6.src.rpm
CVE: CVE-2019-6128
Status comment:


Description David Walser 2019-02-11 01:22:42 CET
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CXMZF6QHRSV4QSTQXM5RAXOWNJHAGFIW/

It may not be a serious issue though.  Perhaps there are more interesting fixes in what's already been updated in Cauldron.
Comment 1 Nicolas Salguero 2019-02-11 10:23:30 CET
Suggested advisory:
========================

The updated packages fix at least one security vulnerability:

The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. (CVE-2019-6128)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.10-1.git20190202.1.mga6
lib(64)tiff5-4.0.10-1.git20190202.1.mga6
lib(64)tiff-devel-4.0.10-1.git20190202.1.mga6
lib(64)tiff-static-devel-4.0.10-1.git20190202.1.mga6

from SRPMS:
libtiff-4.0.10-1.git20190202.1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-6128
Assignee: nicolas.salguero => qa-bugs

Comment 2 Len Lawrence 2019-02-11 12:59:04 CET
mga6, x86_64

CVE-2019-6128
http://bugzilla.maptools.org/show_bug.cgi?id=2836
$ pal2rgb libtiff-pal2rgb-memory-leak /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
libtiff-pal2rgb-memory-leak: Expecting a palette image.

Agrees with the upstream valgrind output both before and afterwards.

$ rpm -qa | grep lib64tiff
lib64tiff-static-devel-4.0.9-1.9.mga6
lib64tiff-devel-4.0.9-1.9.mga6
lib64tiff5-4.0.9-1.9.mga6

The four packages updated cleanly.
No change expected in the POC output.
$ pal2rgb libtiff-pal2rgb-memory-leak /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
libtiff-pal2rgb-memory-leak: Expecting a palette image.

In particular, when run with valgrind we see
==10894== All heap blocks were freed -- no leaks are possible
Good enough.

Could not find any examples of palette tiff files on the web, only jpeg and png representations.  Tried to create one using a local file
$ tiffmedian macbeth_rgba.tif macbethpalette.tif
but the result was not very impressive and running pal2rgb on it returned virtually the same image, so we shall simply accept the packages as is.  Since the fix is so specific there is not much point in running the usual libtiff-progs tests.

Giving this an OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2019-02-12 02:49:17 CET
Sounds reasonable to me, Len. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:53:27 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2019-02-13 12:10:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0075.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2019-03-13 20:03:04 CET
This update also fixed CVE-2018-17000:
https://usn.ubuntu.com/3906-1/
David Walser 2019-03-28 21:40:37 CET

Summary: libtiff new security issue CVE-2019-6128 => libtiff new security issues CVE-2018-17000 and CVE-2019-6128

