Ubuntu has issued an advisory on November 24: https://ubuntu.com/security/notices/USN-5743-1 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. (CVE-2022-3970)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3970
https://ubuntu.com/security/notices/USN-5743-1
========================

Updated packages in core/updates_testing:
========================

lib(64)tiff5-4.2.0-1.11.mga8
lib(64)tiff-devel-4.2.0-1.11.mga8
lib(64)tiff-static-devel-4.2.0-1.11.mga8
libtiff-progs-4.2.0-1.11.mga8

from SRPM:
libtiff-4.2.0-1.11.mga8.src.rpm
Version: Cauldron => 8
CVE: (none) => CVE-2022-3970
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: libtiff-4.4.0-5.mga9.src.rpm => libtiff-4.2.0-1.10.mga8.src.rpm
mageia8, x64

Clean update.

Repeated tests from earlier report, bug 30228.

Opened an image of mountain valley and used darktable to generate a copy with a misty appearance and lightened the scene a little.

$ strace -o darktable.trace darktable glenshiel.tiff
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

Using an earlier raw to tiff conversion.

$ tiffgt RAW_FUJI_X-T10.tif

That displayed perfectly.

Manipulated a TIFF image in nomacs, generating an inverted image and a magnified image as PNG and JPEG.

$ strace -o nomacs.trace nomacs anna.tif
$ grep libtiff nomacs.trace
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3

$ tiffsplit greycombo.tif m

Dumped the image stack as files maaa.tif, maab.tif .....

$ tifftopnm lena_color.tiff > lena.pnm
tifftopnm: writing PPM file

$ tiffcrop -E top -U px -m 100,100,100,100 SantaMaria.tif cropped.tif
$ tiffgt cropped.tif

showed a copy of the original with a border removed.

No regressions in any of this.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Updated packages in core/updates_testing:
========================

lib(64)tiff5-4.2.0-1.12.mga8
lib(64)tiff-devel-4.2.0-1.12.mga8
lib(64)tiff-static-devel-4.2.0-1.12.mga8
libtiff-progs-4.2.0-1.12.mga8

from SRPM:
libtiff-4.2.0-1.12.mga8.src.rpm
Whiteboard: MGA8-64-OK => (none)
Keywords: validated_update => (none)
Depends on: (none) => 31189
This additional update was necessary because of the update to jbigkit in bug 31189.

After updating jbigkit I used qarepo to update to the packages in Comment 4. There were no installation issues.

urpmq --whatrequires lib64tiff5 produces a long list, including imagemagick and gwenview.

Using an updated imagemagick (bug 29054) to convert a jpg image to tif, and in addition to convert the tif image to jbg. The imagemagick display function displayed all three images correctly. Gwenview displays the jpg and tif images, but cannot handle the jbg image, as is normal behavior.

Restoring the OK, and the validation. Advisory information in Comment 1, with additional information at the beginning of this comment.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
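As an added example (not part of this bug report and not Mageia's own QA tooling), the script below is a small POSIX shell check an administrator could run on a Mageia 8 host to confirm that the libtiff runtime package actually installed is at or above the release listed in Comment 4, i.e. that the CVE-2022-3970 fix is present. The package names (lib64tiff5 / libtiff5) and the fixed version-release 4.2.0-1.12.mga8 come from this page; the `version_ge` comparator and the `--check` entry point are my own and assume an rpm-based system only for the query step.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report: confirm that the installed
# libtiff runtime package is at or above the release carrying the
# CVE-2022-3970 fix (lib(64)tiff5-4.2.0-1.12.mga8 per Comment 4).
# Assumes an rpm-based host for the query; the comparison is POSIX sh + awk.

# Fixed version-release, taken from the package list in Comment 4.
FIXED_LIBTIFF_VERSION="4.2.0-1.12.mga8"

# version_ge A B: return 0 if version-release string A is >= B, else 1.
# Fields are split on "." and "-" and compared left to right: numerically
# when both fields are digits (so 1.12 > 1.9), as strings otherwise
# ("mga8" vs "mga8"). A missing field ranks below a present one (4.2.0 < 4.2.0-1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/)
        m = split(b, y, /[.-]/)
        lim = (n > m) ? n : m
        for (i = 1; i <= lim; i++) {
            xa = (i <= n) ? x[i] : ""
            yb = (i <= m) ? y[i] : ""
            if (xa ~ /^[0-9]+$/ && yb ~ /^[0-9]+$/) {
                if (xa + 0 > yb + 0) exit 0
                if (xa + 0 < yb + 0) exit 1
            } else {
                if (xa > yb) exit 0
                if (xa < yb) exit 1
            }
        }
        exit 0
    }'
}

# installed_libtiff_version: print VERSION-RELEASE of the installed libtiff
# runtime package (lib64tiff5 on x86_64, libtiff5 on i586). Return 1 when
# rpm is unavailable or neither package is installed.
installed_libtiff_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    for pkg in lib64tiff5 libtiff5; do
        if ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null); then
            printf '%s\n' "$ver"
            return 0
        fi
    done
    return 1
}

# check_libtiff_fix: report whether the installed package carries the fix.
# Returns 0 when fixed, 1 when older than the fixed release, 2 when the
# installed version cannot be determined.
check_libtiff_fix() {
    ver=$(installed_libtiff_version) || {
        echo "libtiff: cannot query installed version (no rpm, or package not installed)"
        return 2
    }
    if version_ge "$ver" "$FIXED_LIBTIFF_VERSION"; then
        echo "libtiff $ver: at or above $FIXED_LIBTIFF_VERSION, CVE-2022-3970 fix present"
        return 0
    fi
    echo "libtiff $ver: older than $FIXED_LIBTIFF_VERSION, update needed"
    return 1
}

# Run the check only when invoked with --check, so the file can also be
# sourced for its functions without side effects.
case "${1:-}" in
    --check) check_libtiff_fix ;;
esac
```

Run it as `sh libtiff-check.sh --check`; the exit status (0 fixed, 1 vulnerable, 2 unknown) makes it usable from a fleet-wide inventory job. The comparator is deliberately numeric per field because a plain string comparison would rank release 1.9 above 1.12, which is exactly the kind of mistake that leaves a host reported as patched when it is not.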
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0448.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED