Bug 31091 - libtiff new security issues CVE-2022-3599, CVE-2022-362[67]
Summary: libtiff new security issues CVE-2022-3599, CVE-2022-362[67]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Duplicates: 31199 31899
Depends on: 30999
Blocks:
Reported: 2022-11-08 14:00 CET by David Walser
Modified: 2023-05-14 01:45 CEST
CC List: 5 users

See Also:
Source RPM: libtiff-4.2.0-1.9.mga8.src.rpm
CVE: CVE-2022-3599, CVE-2022-3626, CVE-2022-3627
Status comment:


Description David Walser 2022-11-08 14:00:13 CET
Ubuntu has issued an advisory today (November 8):
https://ubuntu.com/security/notices/USN-5714-1

Mageia 8 is also affected.

We can wait for Bug 30999 to be pushed (already validated) or collapse this into it.

David Walser 2022-11-08 14:00:34 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and Ubuntu
Depends on: (none) => 30999

Comment 1 Nicolas Salguero 2022-11-09 09:58:50 CET
CVE-2022-2953 was already fixed in bug 30999.

Summary: libtiff new security issues CVE-2022-2953, CVE-2022-3599, CVE-2022-362[67] => libtiff new security issues CVE-2022-3599, CVE-2022-362[67]

Comment 2 Nicolas Salguero 2022-11-09 10:10:45 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3599)

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3626)

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3627)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3627
https://ubuntu.com/security/notices/USN-5714-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.10.mga8
lib(64)tiff-devel-4.2.0-1.10.mga8
lib(64)tiff-static-devel-4.2.0-1.10.mga8
libtiff-progs-4.2.0-1.10.mga8

from SRPM:
libtiff-4.2.0-1.10.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-3599, CVE-2022-3626, CVE-2022-3627
Version: Cauldron => 8
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2022-11-12 12:01:50 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed wiki:
remark as in previous versions that bmp2tiff command does not exist anymore
Then:
$ tiff2pdf 1973-024.tif > 1973.pdf
pdf file looks OK in atril
$ tiffinfo 1973-024.tif 
TIFF Directory at offset 0x2e9da08 (48880136)
  Subfile Type: (0 = 0x0)
  Image Width: 2904 Image Length: 4208
  Resolution: 3200, 3200 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Extra Samples: 1<assoc-alpha>
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 4
  Rows/Strip: 64
  Planar Configuration: single image plane
  DocumentName: /home/herman/HV/fotos/kleurnegatieven/1973/1973-024.tif
  ImageDescription: Created with GIMP
$ gimp 1973-024.tif 
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
bps: 8
Image dimensions: 2904 x 4208.
load_contiguous
bytes_per_pixel: 4, format: 4
file looks OK.
As in previous versions the raw2tiff command does not produce any valid output with raw files from Olympus and Canon cameras. On a Nikon one it hangs.
But these are not regressions, so OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-11-12 15:49:19 CET
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-13 00:25:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-11-13 03:27:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0424.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2022-11-29 13:43:39 CET
CVE-2022-3597 was also fixed in this update.

Comment 7 David Walser 2022-11-29 13:43:55 CET
*** Bug 31199 has been marked as a duplicate of this bug. ***

Comment 8 David Walser 2023-05-14 01:44:26 CEST
CVE-2023-30774 was fixed by the patch for CVE-2022-3599, says Nicolas.

Comment 9 David Walser 2023-05-14 01:45:32 CEST
*** Bug 31899 has been marked as a duplicate of this bug. ***