Debian has issued an advisory on March 24: https://www.debian.org/security/2022/dsa-5108 Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-0865)

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact. (CVE-2022-0891)

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file. (CVE-2022-0908)

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-0909)

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-0924)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0924
https://www.debian.org/security/2022/dsa-5108
========================

Updated packages in core/updates_testing:
========================

lib(64)tiff5-4.2.0-1.3.mga8
lib(64)tiff-devel-4.2.0-1.3.mga8
lib(64)tiff-static-devel-4.2.0-1.3.mga8
libtiff-progs-4.2.0-1.3.mga8

from SRPM:
libtiff-4.2.0-1.3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and Debian => (none)
Status: NEW => ASSIGNED
Source RPM: libtiff-4.3.0-3.mga9.src.rpm => libtiff-4.2.0-1.2.mga8.src.rpm
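A check a Mageia 8 admin would want after reading the package list above: is the installed lib64tiff5 at or past the fixed release? This is an added example, not code from Mageia or from rpm; it re-implements rpm's segment-by-segment version ordering in Python (tilde and caret handling left out) and compares an installed name-version-release string against the fixed one named in this bug.

```python
FIXED_NVR = "lib64tiff5-4.2.0-1.3.mga8"   # fixed package named in this bug

def _take(s, i, pred):
    """Run of characters in s, starting at i, that satisfy pred."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]

def rpmvercmp(a, b):
    """rpm's version ordering (tilde/caret handling omitted): -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Separators (dots, dashes, ...) only delimit segments; skip them.
        i += len(_take(a, i, lambda c: not c.isalnum()))
        j += len(_take(b, j, lambda c: not c.isalnum()))
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        seg_a, seg_b = _take(a, i, pred), _take(b, j, pred)
        if not seg_b:              # digit run vs letter run: the number is newer
            return 1 if isnum else -1
        ka, kb = (int(seg_a), int(seg_b)) if isnum else (seg_a, seg_b)
        if ka != kb:
            return 1 if ka > kb else -1
        i, j = i + len(seg_a), j + len(seg_b)
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # whichever still has segments is newer

def split_nvr(nvr):
    """'lib64tiff5-4.2.0-1.3.mga8' -> ('lib64tiff5', '4.2.0', '1.3.mga8')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_fixed(installed_nvr, fixed_nvr=FIXED_NVR):
    """True if installed_nvr is the fixed release or later on the same branch.
    A higher upstream version alone proves nothing: the CVEs in this bug are
    in upstream 4.3.0, while the Mageia 8 fix is a backport on top of 4.2.0,
    so compare only against the fixed release for your own branch."""
    name_i, ver_i, rel_i = split_nvr(installed_nvr)
    name_f, ver_f, rel_f = split_nvr(fixed_nvr)
    if name_i != name_f:
        raise ValueError(f"package mismatch: {name_i} vs {name_f}")
    return (rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)) >= 0
```

Feed it the output of `rpm -q lib64tiff5` (the installed name-version-release string); the pre-update 4.2.0-1.2.mga8 build from this bug compares as not fixed.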
i5-2500, Intel graphics, MGA8-64 Plasma system. No installation issues. It just so happens that I just finished testing a graphicsmagick update, and urpmq indicates that it uses lib64tiff5, so I used some of the commands found on https://wiki.mageia.org/en/QA_procedure:GraphicsMagick to test this. I was able to convert a jpg image to tiff, though it complained about a "tag" being illegal for the codec. (Normal; that happened with another image when testing graphicsmagick with the old lib64tiff5.) I was able to display the image, flip it, and convert it to a png. All looks OK. Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0119.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
This update also fixed CVE-2022-1056, according to: https://bugs.mageia.org/show_bug.cgi?id=30440#c1
*** Bug 30440 has been marked as a duplicate of this bug. ***