Bug 31188 - libtiff new security issue CVE-2022-3970
Summary: libtiff new security issue CVE-2022-3970
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 31189
Blocks:
  Show dependency treegraph
 
Reported: 2022-11-25 17:08 CET by David Walser
Modified: 2022-12-07 00:34 CET (History)
5 users (show)

See Also:
Source RPM: libtiff-4.2.0-1.10.mga8.src.rpm
CVE: CVE-2022-3970
Status comment:


Attachments

Description David Walser 2022-11-25 17:08:13 CET
Ubuntu has issued an advisory on November 24:
https://ubuntu.com/security/notices/USN-5743-1

Mageia 8 is also affected.
David Walser 2022-11-25 17:08:20 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-11-25 17:26:52 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. (CVE-2022-3970)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3970
https://ubuntu.com/security/notices/USN-5743-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.11.mga8
lib(64)tiff-devel-4.2.0-1.11.mga8
lib(64)tiff-static-devel-4.2.0-1.11.mga8
libtiff-progs-4.2.0-1.11.mga8

from SRPM:
libtiff-4.2.0-1.11.mga8.src.rpm

Version: Cauldron => 8
CVE: (none) => CVE-2022-3970
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: libtiff-4.4.0-5.mga9.src.rpm => libtiff-4.2.0-1.10.mga8.src.rpm

Comment 2 Len Lawrence 2022-11-27 10:21:58 CET
mageia8, x64
Clean update.
Repeated tests from earlier report, bug 30228.
Opened an image of mountain valley and used darktable to generate a copy with a misty appearance and lightened the scene a little.
$ strace -o darktable.trace darktable glenshiel.tiff
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

Using an earlier raw to tiff conversion.
$ tiffgt RAW_FUJI_X-T10.tif
That displayed perfectly.

Manipulated a TIFF image in nomacs, generating an inverted image and a magnified image as PNG and JPEG.
$ strace -o nomacs.trace nomacs anna.tif
$ grep libtiff nomacs.trace
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

$ tiffsplit greycombo.tif m
Dumped the image stack as files maaa.tif, maab.tif .....

$ tifftopnm lena_color.tiff > lena.pnm
tifftopnm: writing PPM file

$ tiffcrop -E top -U px -m 100,100,100,100 SantaMaria.tif cropped.tif
$ tiffgt cropped.tif
showed a copy of the original with a border removed.

No regressions in any of this.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-11-28 03:21:29 CET
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Nicolas Salguero 2022-11-30 16:12:40 CET
Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.12.mga8
lib(64)tiff-devel-4.2.0-1.12.mga8
lib(64)tiff-static-devel-4.2.0-1.12.mga8
libtiff-progs-4.2.0-1.12.mga8

from SRPM:
libtiff-4.2.0-1.12.mga8.src.rpm

Whiteboard: MGA8-64-OK => (none)
Keywords: validated_update => (none)
Depends on: (none) => 31189

Comment 5 Thomas Andrews 2022-12-01 20:13:45 CET
This additional update was necessary because of the update to jbigkit in bug 31189. 

After updating jbigkit I used qarepo to update to the packages in Comment 4. There were no installation issues. 

urpmq --whatrequires lib64tiff5 produces a long list, including imagemagick and gwenview. Using an updated imagemagick (bug 29054) to convert a jpg image to tif, and in addition to convert the tif image to pbg. The imagemagick display function displayed all three images correctly. Gwenview displays the jpg and tif images, but cannot handle the jbg image, as is normal behavior.

Restoring the OK, and the validation. Advisory information in Comment 1, with additional information at the beginning of this comment.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-12-04 00:17:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-12-07 00:34:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0448.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.