Bug 30836 - libtiff new security issues CVE-2022-286[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-09 19:16 CEST by David Walser
Modified: 2022-09-16 21:41 CEST

See Also:
Source RPM: libtiff-4.2.0-1.7.mga8.src.rpm

Description David Walser 2022-09-09 19:16:49 CEST
Ubuntu has issued an advisory on September 8:
https://ubuntu.com/security/notices/USN-5604-1

The issues are fixed upstream in 4.4.0rc1.
David Walser 2022-09-09 19:16:57 CEST

Status comment: (none) => Fixed upstream in 4.4.0rc1

Comment 1 Nicolas Salguero 2022-09-10 15:12:51 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation. (CVE-2022-2867)

libtiff's tiffcrop utility has an improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. (CVE-2022-2868)

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation. (CVE-2022-2869)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2869
https://ubuntu.com/security/notices/USN-5604-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.8.mga8
lib(64)tiff-devel-4.2.0-1.8.mga8
lib(64)tiff-static-devel-4.2.0-1.8.mga8
libtiff-progs-4.2.0-1.8.mga8

from SRPM:
libtiff-4.2.0-1.8.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status comment: Fixed upstream in 4.4.0rc1 => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
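
Added example (not libtiff's or tiffcrop's code, and not part of the comment above): a sketch of the bug class the advisory names, a uint32_t subtraction that wraps when crop margins exceed the image, next to a checked form that rejects the request. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical crop margins in pixels (not libtiff's own structure). */
struct margins { uint32_t top, left, bottom, right; };

/* Constructed input: 200 px margins on every side. */
static const struct margins MARGINS_200 = { 200, 200, 200, 200 };

/* Unchecked form: the subtraction is done modulo 2^32, so margins larger
 * than the row yield a huge "width" instead of an error. */
uint32_t crop_width_unchecked(uint32_t width, const struct margins *m)
{
    return width - m->left - m->right;
}

/* Checked form: succeeds only if at least one pixel remains. Each
 * comparison is arranged so that no subtraction can wrap. */
bool crop_width_checked(uint32_t width, const struct margins *m, uint32_t *out)
{
    if (m->left >= width || m->right >= width - m->left)
        return false;
    *out = width - m->left - m->right;
    return true;
}

/* Copy one cropped row of 8-bit samples; returns bytes copied, 0 if the
 * request is rejected or the destination is too small. */
size_t copy_cropped_row(const uint8_t *src, uint32_t width,
                        const struct margins *m, uint8_t *dst, size_t dst_len)
{
    uint32_t w;
    if (!crop_width_checked(width, m, &w) || w > dst_len)
        return 0;
    memcpy(dst, src + m->left, w);
    return w;
}

int main(void)
{
    uint32_t w = 0;
    printf("unchecked, 100 px row: %u\n", (unsigned)crop_width_unchecked(100, &MARGINS_200));
    printf("checked,   100 px row: %s\n", crop_width_checked(100, &MARGINS_200, &w) ? "ok" : "rejected");
    printf("checked,  3398 px row: %s\n", crop_width_checked(3398, &MARGINS_200, &w) ? "ok" : "rejected");
    return 0;
}
```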

Comment 2 Herman Viaene 2022-09-15 11:10:20 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref wiki and bug 30228 for testing
$ tiffgt zwawi0001-2.tiff 
displays OK
$ tiffdump zwawi0001-2.tiff > tifdump
$ more tifdump
zwawi0001-2.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 15440520 (0xeb9a88) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<3398>
ImageLength (257) SHORT (3) 1<2272>
BitsPerSample (258) SHORT (3) 2<8 8>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<1>
DocumentName (269) ASCII (2) 68</home/herman/HV/fotos/zw ...>
ImageDescription (270) ASCII (2) 18<Created with GIMP\0>
StripOffsets (273) LONG (4) 36<8 434952 869896 1304840 1739784 2174728 2609672 3044616 3479560 3914504 4349448 4784392 5219336 5654280 6089224 6524168 6959112 7394056 7829000 8263944 8698888 9133832 9568776 10003720 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<2>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 36<434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 434944 ...>
XResolution (282) RATIONAL (5) 1<2400>
YResolution (283) RATIONAL (5) 1<2400>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
ExtraSamples (338) SHORT (3) 1<1>


$ tiffsplit rietkleur002.tif z
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
$ ls z*
zaaa.tif
This is OK as I don't have a multipage tif available

$ tiffmedian -C 128 -f rietkleur002.tif median.tif
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
$ tifftopnm  rietkleur002.tif > image.pnm
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
tifftopnm: writing PPM file
$ display image.pnm 
display is OK

$ tiffcrop -E top -U px -m 200,200,200,200   rietkleur001.tif cropped.tif
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..

$ tiff2bw bertanciaux.tif imagebw.tif

$ tiff2pdf 1973-024.tif > image.pdf
$ tiff2ps 1973-024.tif > image.ps
$ gs image.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
>>showpage, press <return> to continue<<

All generated files display OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-09-16 02:51:27 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-16 20:08:00 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-09-16 21:41:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0337.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

