Fedora has issued an advisory today (March 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/

We fixed the other issues in Bug 30210. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-0907)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0907
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.4.mga8
lib(64)tiff-devel-4.2.0-1.4.mga8
lib(64)tiff-static-devel-4.2.0-1.4.mga8
libtiff-progs-4.2.0-1.4.mga8

from SRPM:
libtiff-4.2.0-1.4.mga8.src.rpm
Source RPM: libtiff-4.3.0-4.mga9.src.rpm => libtiff-4.2.0-1.3.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-0907
Assignee: nicolas.salguero => qa-bugs
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
MGA8-64 Plasma on Lenovo B50
Ref bug 29976 for testing.

$ tiffgt zwawi0008-2.tiff
display OK
$ tiffdump zwawi0008-2.tiff > tifdump
$ more tifdump
zwawi0008-2.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 15433228 (0xeb7e0c) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<3422>
ImageLength (257) SHORT (3) 1<2255>
BitsPerSample (258) SHORT (3) 2<8 8>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<1>
DocumentName (269) ASCII (2) 68</home/herman/HV/fotos/zw ...>
ImageDescription (270) ASCII (2) 18<Created with GIMP\0>
StripOffsets (273) LONG (4) 36<8 438024 876040 1314056 1752072 2190088 2628104 3066120 3504136 3942152 4380168 4818184 5256200 5694216 6132232 6570248 7008264 7446280 7884296 8322312 8760328 9198344 9636360 10074376 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<2>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 36<438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 438016 ...>
XResolution (282) RATIONAL (5) 1<2400>
YResolution (283) RATIONAL (5) 1<2400>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
ExtraSamples (338) SHORT (3) 1<1>

$ tiffsplit IMG_1272.tif z
$ ls z*
zaaa.tif
This is OK as I don't have a multipage tif available

$ tiffmedian -C 128 -f IMG_1272.tif median.tif
$ tifftopnm IMG_1272.tif > image.pnm
tifftopnm: writing PPM file
$ display image.pnm
$ tiffcrop -E top -U px -m 200,200,200,200 IMG_1272.tif cropped.tif
$ tiff2bw IMG_1272.tif imagebw.tif
$ tiff2pdf IMG_1272.tif > image.pdf
$ tiff2ps IMG_1272.tif > image.ps
$ gs image.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
>>showpage, press <return> to continue<<

All resulting files are OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Been working on this since breakfast so shall add it to Herman's tests.

mga8, x64

Before update:
CVE-2022-0907
https://gitlab.com/libtiff/libtiff/-/issues/392
Without ASAN:
$ tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
[...]
Fax4Decode: Warning, Premature EOL at line 2 of strip 0 (got 20, expected 132).
MemoryLimitError: allocation of 271321920 bytes is forbidden. Limit is 268435456.
use -k option to change limit.
Segmentation fault (core dumped)

Updated the four packages.
No segfault with the PoC.
$ tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
[...]
Fax4Decode: Warning, Premature EOL at line 2 of strip 0 (got 20, expected 132).
MemoryLimitError: allocation of 271321920 bytes is forbidden. Limit is 268435456.
use -k option to change limit.
createImageSection: Unable to allocate/reallocate section buffer.
writeImageSections: Unable to allocate section buffer.

Ran strace on a local TIFF image.
$ strace -o darktable.trace darktable glenshiel.tiff
<Manipulated the image - softened it and adjusted the RGB curve>
$ grep tiff darktable.trace
execve("/usr/bin/darktable", ["darktable", "glenshiel.tiff"], 0x7ffc1c43d1e8 /* 75 vars */) = 0
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

$ raw2tiff RAW_FUJI_X-T10.raw raw.tif
Image width and height are not specified.
Width is guessed as 10144, height is guessed as 3328.
$ tiffgt raw.tif
Something displayed but not sure if it was correct.

Tried converting the image through rawtherapee. That crashed on exit, probably because I don't know what I am doing.
$ rawtherapee RAW_FUJI_X-T10.raw
Segmentation fault (core dumped)
However the TIFF file generated displayed fine.
$ tiffgt RAW_FUJI_X-T10.tif
Note that rawtherapee is in the list of whatrequires lib64tiff5.

Tried tiffdump on that file to print out a description of it - it recorded that RawTherapee 5.8 had been used to generate it.

Tried out some of the utilities such as tiffsplit, tiffmedian, tifftopnm, tiff2bw, tiffcrop and saw no regressions. All worked.

This is OK to go taking comment 2 into account.
CC: (none) => tarazed25
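
The before/after tiffcrop runs in the comment above show the bug class named in the advisory: an allocation is refused, the failure is not checked, and the next write goes through NULL. The C example below is added here for illustration; it is not libtiff's code and not part of the bug report. The function names are hypothetical, and only the limit and the request size are taken from the log.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limit and request size quoted in the MemoryLimitError line above. */
#define ALLOC_LIMIT 268435456UL
#define POC_REQUEST 271321920UL

/* Hypothetical allocator that refuses requests above the limit. */
static void *limit_malloc(size_t n)
{
    if (n > ALLOC_LIMIT) {
        fprintf(stderr, "MemoryLimitError: allocation of %zu bytes is forbidden.\n", n);
        return NULL;
    }
    return malloc(n);
}

/* Hypothetical helper: 0 on success, -1 on failure (*buf stays NULL). */
static int create_section(size_t n, unsigned char **buf)
{
    *buf = limit_malloc(n);
    return *buf ? 0 : -1;
}

/* Unfixed pattern: result discarded, so a refused allocation ends in a NULL write. */
int write_section_unchecked(size_t n)
{
    unsigned char *buf = NULL;
    create_section(n, &buf);   /* return value ignored */
    memset(buf, 0, n);         /* NULL dereference when the allocation was refused */
    free(buf);
    return 0;
}

/* Fixed pattern: the failure is reported and propagated to the caller. */
int write_section_checked(size_t n)
{
    unsigned char *buf = NULL;
    if (create_section(n, &buf) != 0) {
        fprintf(stderr, "write_section: Unable to allocate section buffer.\n");
        return -1;
    }
    memset(buf, 0, n);
    free(buf);
    return 0;
}
/* Only the checked path is run; the unchecked one would crash on POC_REQUEST. */
int main(void) { return write_section_checked(POC_REQUEST) == -1 ? 0 : 1; }
```
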
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0128.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED