Bug 25777 - libtiff security update CVE-2019-17546
Summary: libtiff security update CVE-2019-17546
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-28 13:48 CET by Zombie Ryushu
Modified: 2019-12-06 15:17 CET (History)
5 users (show)

See Also:
Source RPM: libtiff-4.0.10-6.git20190508.1.mga7.src.rpm
CVE: CVE-2019-17546
Status comment:


Attachments

Jani Välimaa 2019-11-28 15:38:32 CET

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 Nicolas Salguero 2019-11-28 16:03:46 CET
Hi,

CVE-2017-17095 was fixed in bug 22120.
CVE-2018-12900 was fixed in bug 24053.
CVE-2018-18661 was fixed in bug 23788.
CVE-2019-6128 was fixed in bug 24343.

CVE-2019-17546 is not fixed already.

Best regards,

Nico.

Source RPM: libtiff => libtiff-4.0.10-6.git20190508.1.mga7.src.rpm
CC: (none) => nicolas.salguero
Summary: libtiff security update CVE-2017-17095 CVE-2018-12900 CVE-2018-18661 CVE-2019-6128 CVE-2019-17546 => libtiff security update CVE-2019-17546
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2019-17546

Comment 2 Nicolas Salguero 2019-11-28 16:16:19 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition. (CVE-2019-17546)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17546
https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2009-1-tiff-security-update-17-24-54
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.1.0-2.git20191120.1.mga7
lib(64)tiff5-4.1.0-2.git20191120.1.mga7
lib(64)tiff-devel-4.1.0-2.git20191120.1.mga7
lib(64)tiff-static-devel-4.1.0-2.git20191120.1.mga7

from SRPMS:
libtiff-4.1.0-2.git20191120.1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 3 David Walser 2019-11-28 16:19:59 CET
Just changing to the actual advisory link in the references.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and
other products, has an integer overflow that potentially causes a heap-based
buffer overflow via a crafted RGBA image, related to a "Negative-size-param"
condition (CVE-2019-17546).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17546
https://www.debian.org/lts/security/2019/dla-2009
Comment 4 Len Lawrence 2019-12-04 21:38:02 CET
Mageia7, x86_64

CVE-2019-17456
The clusterfuzz testcase referred to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443 cannot be used because it requires a testing framework to be set up locally.  Outside QA's remit.

List of tools, excluding fax:
pal2rgb
ppm2tiff
raw2tiff
rgb2cbcr
thumbnail
tiff2bw
tiff2pdf
tiff2ps
tiff2rgba
tiffcmp
tiffcp
tiffcrop
tiffdither
tiffdump
tiffinfo
tiffmedian
tiffset
tiffsplit

$ ppm2tiff ikapati.ppm ikapati.tif
$ tiffgt ikapati.tif
Displays the converted image.
$ tiff2bw anna.tiff AnnaPopplewell_grey.tif
$ tiffdither -r 4 -c packbits -t 64 jessica_grey.tif jessica_dither.tif
$ tiffmedian -r 4 -C 128 -f TatianaMaslany.tif Tatiana.tif
$ tiffgt Tatiana.tif
Leads to a few patches of grey on a coloured image.
8 rows with 256 colours gives slightly better results.
$ tiffcp glenshiel.tiff scottishglen.tif
$ tiffcp glenshiel.tiff scottishglen.tif
_TIFFVGetField: scottishglen.tif: Invalid tag "Predictor" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "BadFaxLines" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "Predictor" (not supported by codec).
_TIFFVGetField: scottishglen.tif: Invalid tag "BadFaxLines" (not supported by codec).
$ tiffcmp glenshiel.tif scottishglen.tif
Compression: 8 7
$ ppm2tiff jessica.ppm jess.tif
$ tiffgt jess.tif
$ tiffdump SantaMaria.tif > dump.txt
$ less dump.txt
SantaMaria.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 1971016 (0x1e1348) next 0 (0)
ImageWidth (256) SHORT (3) 1<1638>
ImageLength (257) SHORT (3) 1<1410>
BitsPerSample (258) SHORT (3) 3<8 8 8>
[...]
YResolution (283) RATIONAL (5) 1<495.063>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
PageNumber (297) SHORT (3) 2<0 1>
Predictor (317) SHORT (3) 1<2>
Whitepoint (318) RATIONAL (5) 2<0.3127 0.329>
PrimaryChromaticities (319) RATIONAL (5) 6<0.64 0.33 0.3 0.6 0.15 0.06>
BadFaxLines (326) LONG (4) 1<2707030018>

$ tiff2ps -O macbeth.ps macbethcolourscan.tif 
lcl@difda:images $ gs macbeth.ps
GPL Ghostscript 9.27 (2019-04-04)
.....
<displayed colour chart OK>

$ tiff2pdf -o crater.pdf SantaMaria.tif
That showed fine in okular.
This should be enough to show that everything is working.  The success of tiffgt is to be noted in comparison with earlier bug tests.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2019-12-04 22:36:30 CET
Thanks, Len. Validating. Corrected advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 14:24:20 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-12-06 15:17:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0366.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.