openSUSE has issued an advisory today (October 21): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7SXFRT2D5U4KU46YFMYHBVPQ56UKZ3V/ Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and openSUSE
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
This SRPM is NicolasS's baby, so assigning to you.
Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)
Ubuntu has issued an advisory on October 27: https://ubuntu.com/security/notices/USN-5705-1 It fixes two new issues. Mageia 8 is also affected.
Summary: libtiff new security issues CVE-2022-2519 and CVE-2022-252[01] => libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-3570, and CVE-2022-3598
For Cauldron, the issues are fixed.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.4.0-3.mga9.src.rpm => libtiff-4.2.0-1.8.mga8.src.rpm
For Mageia 8, I added the patch from openSUSE for CVE-2022-2519, CVE-2022-252[01].
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1. (CVE-2022-2519)

A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input. (CVE-2022-2520)

It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input. (CVE-2022-2521)

Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact. (CVE-2022-3570)

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3598)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3598
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7SXFRT2D5U4KU46YFMYHBVPQ56UKZ3V/
https://ubuntu.com/security/notices/USN-5705-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.9.mga8
lib(64)tiff-devel-4.2.0-1.9.mga8
lib(64)tiff-static-devel-4.2.0-1.9.mga8
libtiff-progs-4.2.0-1.9.mga8

from SRPM:
libtiff-4.2.0-1.9.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream and openSUSE => (none)
CC: (none) => nicolas.salguero
mga8, x64 - Looking into this.
CC: (none) => tarazed25
Tried some of the tools then updated via qarepo.
Skipped the PoC because they required the use of gdb and libtiff-debuginfo...
Checked the operation of the tools as in bug 29976 and noticed no regressions.

Ran a trace on atril. It could import a TIFF image and manipulate it and save it but used a backend for that without mentioning libtiff.
There is a long list of whatrequires...
Chose nomacs to invert the image (like a negative) and double the size in both coordinates. Saved it as a TIFF image with LZW compression.

$ strace -o nomacs.trace nomacs MartianCrater.tif
$ grep lib nomacs.trace | grep tiff
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
.....
read(49, "lib64tiff5-4.2.0-1.9.mga8\nlib64t"..., 16384) = 124
read(49, "lib64tiff5\nlib64tiff-devel\nlib64"..., 16384) = 64

$ tiffgt SantaMaria_doubled.tif
Displayed properly in negative colours.

Giving this an OK on the basis of these tests and no regressions.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Blocks: (none) => 31091
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0410.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CVE-2022-2953 was also fixed by the patch for CVE-2022-2519, CVE-2022-252[01].
Summary: libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-3570, and CVE-2022-3598 => libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-2953, CVE-2022-3570, and CVE-2022-3598
CVE-2023-30775 was fixed by the patch for CVE-2022-3570 and CVE-2022-3598, says Nicolas.