Bug 30999 - libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-2953, CVE-2022-3570, and CVE-2022-3598
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31091
Reported: 2022-10-21 19:49 CEST by David Walser
Modified: 2023-05-14 01:44 CEST (History)

See Also:
Source RPM: libtiff-4.2.0-1.8.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-10-21 19:49:55 CEST
openSUSE has issued an advisory today (October 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7SXFRT2D5U4KU46YFMYHBVPQ56UKZ3V/

Mageia 8 is also affected.
David Walser 2022-10-21 19:50:13 CEST

Status comment: (none) => Patches available from upstream and openSUSE
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-21 20:25:23 CEST
This SRPM is NicolasS's baby, so assigning to you.

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)

Comment 2 David Walser 2022-10-31 15:27:09 CET
Ubuntu has issued an advisory on October 27:
https://ubuntu.com/security/notices/USN-5705-1

It fixes two new issues.

Mageia 8 is also affected.

Summary: libtiff new security issues CVE-2022-2519 and CVE-2022-252[01] => libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-3570, and CVE-2022-3598

Comment 3 Nicolas Salguero 2022-11-02 13:41:29 CET
For Cauldron, the issues are fixed.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.4.0-3.mga9.src.rpm => libtiff-4.2.0-1.8.mga8.src.rpm

Comment 4 Nicolas Salguero 2022-11-02 13:43:06 CET
For Mageia 8, I added the patch from openSUSE for CVE-2022-2519, CVE-2022-252[01].

Comment 5 Nicolas Salguero 2022-11-03 11:29:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1. (CVE-2022-2519)

A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input. (CVE-2022-2520)

It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input. (CVE-2022-2521)

Multiple heap buffer overflows in the tiffcrop.c utility in libtiff library version 4.4.0 allow an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which could result in an application crash, potential information disclosure or any other context-dependent impact. (CVE-2022-3570)

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3598)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3598
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7SXFRT2D5U4KU46YFMYHBVPQ56UKZ3V/
https://ubuntu.com/security/notices/USN-5705-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.9.mga8
lib(64)tiff-devel-4.2.0-1.9.mga8
lib(64)tiff-static-devel-4.2.0-1.9.mga8
libtiff-progs-4.2.0-1.9.mga8

from SRPM:
libtiff-4.2.0-1.9.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream and openSUSE => (none)
CC: (none) => nicolas.salguero

Comment 6 Len Lawrence 2022-11-04 16:31:02 CET
mga8, x64 - Looking into this.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2022-11-04 17:19:50 CET
Tried some of the tools then updated via qarepo.
Skipped the PoC because they required the use of gdb and libtiff-debuginfo...

Checked the operation of the tools as in bug 29976 and noticed no regressions.
Ran a trace on atril.  It could import a TIFF image and manipulate it and save it but used a backend for that without mentioning libtiff.

There is a long list of whatrequires...
Chose nomacs to invert the image (like a negative) and double the size in both coordinates.  Saved it as a TIFF image with LZW compression.
$ strace -o nomacs.trace nomacs MartianCrater.tif
$ grep lib nomacs.trace | grep tiff
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
.....
read(49, "lib64tiff5-4.2.0-1.9.mga8\nlib64t"..., 16384) = 124
read(49, "lib64tiff5\nlib64tiff-devel\nlib64"..., 16384) = 64

$ tiffgt SantaMaria_doubled.tif
Displayed properly in negative colours.
Giving this an OK on the basis of these tests and no regressions.

Whiteboard: (none) => MGA8-64-OK
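The check Len describes in Comment 7 (strace a consumer of the library, grep the trace for the libtiff shared object, and confirm the loaded package is the updated build) can be scripted so it is repeatable across the other packages in the whatrequires list. The block below is an added example, not code from this bug, from Mageia or from libtiff. The trace lines are constructed to mirror the output quoted above (the names nomacs.trace and MartianCrater.tif are taken from the comment), and the version comparison is a simplified rpmvercmp that ignores epoch, tilde and caret handling; on a real Mageia box, feed it the output of rpm -q --qf '%{VERSION}-%{RELEASE}' lib64tiff5 and prefer rpmdev-vercmp from rpmdevtools when in doubt.

```python
"""Verify, from an strace log, which libtiff shared object a program really
loaded, and whether the installed libtiff build is at or past the fixed one.
Added example for the Mageia QA procedure; not part of libtiff or the bug."""
import re
import sys

# Constructed sample trace, modelled on the lines quoted in the bug
# (strace -o nomacs.trace -f nomacs MartianCrater.tif). Not real captured data.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/usr/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
1234 openat(AT_FDCWD, "/usr/local/lib/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "MartianCrater.tif", O_RDONLY) = 5
"""

# A shared object opened *successfully*: the syscall returned a file descriptor
# (non-negative integer), not -1 with an errno. Failed probes of other
# directories on the search path are ignored on purpose.
_OPENAT = re.compile(
    r'openat\([^,]+, "([^"]+\.so(?:\.[0-9]+)*)", [^)]*\) = (\d+)\s*$')


def loaded_libs(trace_text):
    """Return the .so paths that were opened successfully, in trace order."""
    libs = []
    for line in trace_text.splitlines():
        m = _OPENAT.search(line)
        if m:
            libs.append(m.group(1))
    return libs


def libtiff_paths(trace_text):
    """Only the libtiff objects, so a consumer that never touched the library
    (like atril in the comment above) shows up as an empty list."""
    return [p for p in loaded_libs(trace_text) if "/libtiff.so" in p]


# Simplified rpmvercmp: split into runs of digits and runs of letters, compare
# digit runs numerically and letter runs lexically, and let a numeric segment
# sort after an alphabetic one. No epoch, tilde or caret handling (assumption:
# the versions compared here never use them).
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def _cmp_segments(a, b):
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(installed, fixed):
    """Compare two VERSION-RELEASE strings; returns -1, 0 or 1 like rpmvercmp."""
    v1, r1 = installed.rsplit("-", 1)
    v2, r2 = fixed.rsplit("-", 1)
    return _cmp_segments(v1, v2) or _cmp_segments(r1, r2)


def is_fixed(installed_vr, fixed_vr="4.2.0-1.9.mga8"):
    """True when the installed build is the update from this bug or newer."""
    return evr_cmp(installed_vr, fixed_vr) >= 0


if __name__ == "__main__":
    # Usage: python check_libtiff.py [nomacs.trace] [installed VERSION-RELEASE]
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    installed = sys.argv[2] if len(sys.argv) > 2 else "4.2.0-1.8.mga8"
    for path in libtiff_paths(trace):
        print("loaded:", path)
    print("installed %s is %s" % (installed,
                                   "fixed" if is_fixed(installed) else "NOT fixed"))
```

Two things the comment's manual check leaves implicit and the script makes explicit: a failed openat of a libtiff copy somewhere else on the search path is not evidence that the library was used, and an application that goes through a backend (the atril case) produces no libtiff line at all, which is a reason to pick another consumer for the regression test rather than a pass.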

Comment 8 Thomas Andrews 2022-11-04 22:50:56 CET
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

David Walser 2022-11-08 14:00:34 CET

Blocks: (none) => 31091

Dave Hodgins 2022-11-08 15:31:18 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-11-08 20:45:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0410.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 10 Nicolas Salguero 2022-11-09 09:58:18 CET
CVE-2022-2953 was also fixed by the patch for CVE-2022-2519, CVE-2022-252[01].

Summary: libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-3570, and CVE-2022-3598 => libtiff new security issues CVE-2022-2519, CVE-2022-252[01], CVE-2022-2953, CVE-2022-3570, and CVE-2022-3598

Comment 11 David Walser 2023-05-14 01:44:43 CEST
CVE-2023-30775 was fixed by the patch for CVE-2022-3570 and CVE-2022-3598, says Nicolas.
