Bug 30228 - libtiff new security issue CVE-2022-0907
Summary: libtiff new security issue CVE-2022-0907
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-31 22:05 CEST by David Walser
Modified: 2022-04-03 00:23 CEST

See Also:
Source RPM: libtiff-4.2.0-1.3.mga8.src.rpm
CVE: CVE-2022-0907
Status comment:



Description David Walser 2022-03-31 22:05:40 CEST
Fedora has issued an advisory today (March 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/

We fixed the other issues in Bug 30210.

Mageia 8 is also affected.
David Walser 2022-03-31 22:05:51 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Nicolas Salguero 2022-04-01 09:29:25 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-0907)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0907
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.4.mga8
lib(64)tiff-devel-4.2.0-1.4.mga8
lib(64)tiff-static-devel-4.2.0-1.4.mga8
libtiff-progs-4.2.0-1.4.mga8

from SRPM:
libtiff-4.2.0-1.4.mga8.src.rpm

Source RPM: libtiff-4.3.0-4.mga9.src.rpm => libtiff-4.2.0-1.3.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-0907
Assignee: nicolas.salguero => qa-bugs
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2022-04-01 14:39:27 CEST
MGA8-64 Plasma on Lenovo B50
Ref bug 29976 for testing.
$ tiffgt zwawi0008-2.tiff 
display OK

$ tiffdump zwawi0008-2.tiff  > tifdump

$ more tifdump
zwawi0008-2.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 15433228 (0xeb7e0c) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<3422>
ImageLength (257) SHORT (3) 1<2255>
BitsPerSample (258) SHORT (3) 2<8 8>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<1>
DocumentName (269) ASCII (2) 68</home/herman/HV/fotos/zw ...>
ImageDescription (270) ASCII (2) 18<Created with GIMP\0>
StripOffsets (273) LONG (4) 36<8 438024 876040 1314056 1752072 2190088 2628104 3066120 3504136 3942152 4380168 4818184 5256200 5694216 6132232 6570248 7008264 7446280 7884296 8322312 8760328 9198344 9636360 10074376 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<2>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 36<438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 ...>
XResolution (282) RATIONAL (5) 1<2400>
YResolution (283) RATIONAL (5) 1<2400>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
ExtraSamples (338) SHORT (3) 1<1>

$ tiffsplit IMG_1272.tif z
$ ls z*
zaaa.tif
This is OK as I don't have a multipage tif available

$ tiffmedian -C 128 -f IMG_1272.tif median.tif

$ tifftopnm IMG_1272.tif > image.pnm
tifftopnm: writing PPM file

$ display image.pnm 

$ tiffcrop -E top -U px -m 200,200,200,200  IMG_1272.tif cropped.tif

$ tiff2bw IMG_1272.tif imagebw.tif

$ tiff2pdf IMG_1272.tif > image.pdf

$ tiff2ps IMG_1272.tif > image.ps

$ gs image.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
>>showpage, press <return> to continue<<

All resulting files are OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Len Lawrence 2022-04-01 16:05:11 CEST
Been working on this since breakfast so shall add it to Herman's tests.
mga8, x64

Before update:
CVE-2022-0907
https://gitlab.com/libtiff/libtiff/-/issues/392
Without ASAN:
$ tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
[...]
Fax4Decode: Warning, Premature EOL at line 2 of strip 0 (got 20, expected 132).
MemoryLimitError: allocation of 271321920 bytes is forbidden. Limit is 268435456.
                  use -k option to change limit.
Segmentation fault (core dumped)

Updated the four packages.
No segfault with the PoC.
$ tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
[...]
Fax4Decode: Warning, Premature EOL at line 2 of strip 0 (got 20, expected 132).
MemoryLimitError: allocation of 271321920 bytes is forbidden. Limit is 268435456.
                  use -k option to change limit.
createImageSection: Unable to allocate/reallocate section buffer.
writeImageSections: Unable to allocate section buffer.

Ran strace on a local TIFF image.
$ strace -o darktable.trace  darktable glenshiel.tiff
<Manipulated the image - softened it and adjusted the RGB curve>
$ grep tiff darktable.trace
execve("/usr/bin/darktable", ["darktable", "glenshiel.tiff"], 0x7ffc1c43d1e8 /* 75 vars */) = 0
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

$ raw2tiff RAW_FUJI_X-T10.raw raw.tif
Image width and height are not specified.
Width is guessed as 10144, height is guessed as 3328.
$ tiffgt raw.tif
Something displayed but not sure if it was correct.
Tried converting the image through rawtherapee.  That crashed on exit, probably because I don't know what I am doing.
$ rawtherapee RAW_FUJI_X-T10.raw
Segmentation fault (core dumped)

However the TIFF file generated displayed fine.
$ tiffgt RAW_FUJI_X-T10.tif
Note that rawtherapee is in the list of whatrequires lib64tiff5.
Tried tiffdump on that file to print out a description of it - it recorded that RawTherapee 5.8 had been used to generate it.

Tried out some of the utilities such as tiffsplit, tiffmedian, tifftopnm, tiff2bw, tiffcrop and saw no regressions.  All worked.

This is OK to go taking comment 2 into account.

CC: (none) => tarazed25
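
The bug class named in Comment 1 (an unchecked return value leading to a NULL pointer dereference) and the before/after output in Comment 3, modelled as an added C example that is not libtiff's code. The function names are hypothetical; only the limit (268435456) and the request size (271321920) come from this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not libtiff source; both sizes are from Comment 3. */
#define MEM_LIMIT   268435456UL
#define POC_REQUEST 271321920UL

/* Allocator that refuses oversized requests by returning NULL. */
void *limit_malloc(size_t n) {
    if (n > MEM_LIMIT) {
        fprintf(stderr, "allocation of %zu bytes is forbidden\n", n);
        return NULL;
    }
    return malloc(n);
}

/* Unchecked form: fine for ordinary images, but with n > MEM_LIMIT the
   memset() writes through NULL and the process dies with SIGSEGV. */
int create_section_unchecked(unsigned char **buf, size_t n) {
    *buf = limit_malloc(n);
    memset(*buf, 0, n);
    return 0;
}

/* Checked form: report the failure and never touch the NULL pointer. */
int create_section(unsigned char **buf, size_t n) {
    *buf = limit_malloc(n);
    if (*buf == NULL)
        return -1;
    memset(*buf, 0, n);
    return 0;
}

/* Caller propagates the error instead of using the buffer. */
int write_sections(size_t n) {
    unsigned char *buf = NULL;
    if (create_section(&buf, n) != 0) {
        fprintf(stderr, "unable to allocate section buffer\n");
        return -1;
    }
    free(buf);
    return 0;
}

int main(void) {
    return write_sections(POC_REQUEST) == -1 ? 0 : 1;
}
```

The unchecked form passes every test that uses an ordinary image, which is why a regression run like the one in Comment 2 needs the PoC check from Comment 3 alongside it.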

Comment 4 Thomas Andrews 2022-04-02 19:12:14 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-02 21:27:34 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-04-03 00:23:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0128.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
