Fedora has issued an advisory today (March 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZEHZ35XVO2VBZ4HHCMM6J6TQIDSBQOM/

Mageia 8 is also affected.
Status comment: (none) => Patches available from Fedora
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. (CVE-2022-0561)

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. (CVE-2022-0562)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZEHZ35XVO2VBZ4HHCMM6J6TQIDSBQOM/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.2.mga8
lib(64)tiff-devel-4.2.0-1.2.mga8
lib(64)tiff-static-devel-4.2.0-1.2.mga8
libtiff-progs-4.2.0-1.2.mga8

from SRPM:
libtiff-4.2.0-1.2.mga8.src.rpm
Assignee: bugsquad => qa-bugs
Status comment: Patches available from Fedora => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: libtiff-4.3.0-2.mga9.src.rpm => libtiff-4.2.0-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-0561, CVE-2022-0562
mga8, x64

Before updating:
Same PoC for both CVEs.
CVE-2022-056{1,2}
https://gitlab.com/libtiff/libtiff/-/issues/362
$ tiffinfo -f lsb2msb -Dcdjrsz crash.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 18770 (0x4952) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect value for "DateTime"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
EstimateStripByteCounts: Cannot determine size of unknown tag type 10825.

Ran the test after updating the four packages and saw the same result. Cannot read much into that though because the PoC is meant to be run within a particular ASAN framework. This confirms an earlier thought that there is little point in QA running PoCs, which so often these days need to be tested in a similar environment to the one which exposed the vulnerabilities.

Ran the usual image tests, with tiffgt to display TIFF images and ImageMagick otherwise. See bugs 22799, .... 29976.
No regressions noted but the tifftopnm command has disappeared; likewise pnmtotiff.

$ tiff2pdf boats.tif > boats.pdf
$ strace -o boats.trace okular boats.pdf
$ grep libtiff boats.trace
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 20

This looks fine but it is bound to come back again.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
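
Added illustration, not part of the bug report and not libtiff's code: the advisory describes a NULL source pointer reaching memcpy(), and the pair of hypothetical helpers below shows that pattern beside a guarded form. It also shows why an uninstrumented build can print the same output before and after a fix: the undefined call typically does nothing visible unless a sanitizer is watching. The function names and the strip-array resize scenario are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative helpers, not libtiff code. Both resize a per-strip array
 * (count entries read from the file) to exactly nstrips entries and
 * zero-fill whatever the file did not supply. */

/* "Before" pattern: when count == 0 the caller may hold data == NULL, and
 * memcpy(out, NULL, 0) is undefined behaviour even with a zero length.
 * A plain build usually returns normally here; UBSan reports the call. */
uint64_t *resize_unchecked(const uint64_t *data, uint32_t count, uint32_t nstrips)
{
    uint64_t *out = calloc(nstrips ? nstrips : 1, sizeof *out);
    if (out == NULL)
        return NULL;
    uint32_t n = count < nstrips ? count : nstrips;
    memcpy(out, data, (size_t)n * sizeof *out);   /* data may be NULL */
    return out;
}

/* Hardened pattern: never hand memcpy a NULL source or a zero length. */
uint64_t *resize_checked(const uint64_t *data, uint32_t count, uint32_t nstrips)
{
    if (nstrips == 0)
        return NULL;
    uint64_t *out = calloc(nstrips, sizeof *out);
    if (out == NULL)
        return NULL;
    uint32_t n = count < nstrips ? count : nstrips;
    if (n != 0 && data != NULL)
        memcpy(out, data, (size_t)n * sizeof *out);
    return out;
}
```
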
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0087.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED