Bug 31668 - libtiff, tkimg new security issue CVE-2022-4645
Summary: libtiff, tkimg new security issue CVE-2022-4645
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-14 02:53 CET by David Walser
Modified: 2023-09-06 18:16 CEST

See Also:
Source RPM: libtiff-4.2.0-1.14.mga8.src.rpm
CVE: CVE-2022-4645
Status comment:


Attachments
ruby/tk script to test tkimg (298 bytes, application/x-ruby)
2023-03-19 10:08 CET, Len Lawrence
Ruby test file to exercise the tkimg TIFF image display function. (340 bytes, application/x-ruby)
2023-09-06 18:16 CEST, Len Lawrence

Description David Walser 2023-03-14 02:53:57 CET
Fedora has issued an advisory on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/

Apparently tkimg bundles libtiff (which should be fixed if possible).

Mageia 8 is also affected.
David Walser 2023-03-14 02:54:48 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-03-14 20:41:42 CET
https://bugzilla.redhat.com/show_bug.cgi?id=2176220
"A flaw was found in tiffcp, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the tiffcp function in tools/tiffcp.c, resulting in a denial of service and limited information disclosure."

I think this is the upstream patch:
https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
which may have already been applied in Cauldron:
Mar 7: tkimg, daviddavid: apply upstream libtiff fix for CVE-2022-4645

tkimg has no maintainer, libtiff is with NicolasS. Assigning to the latter, CC'ing DavidG.

CC: (none) => geiger.david68210
Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2023-03-16 17:09:55 CET
For Cauldron, libtiff 4.5.0 already solved that CVE and, as Lewis said in comment 1, tkimg was already patched.

For Mga8, tkimg uses libtiff from the system, contrary to the version of tkimg that is in Cauldron.
Comment 3 Nicolas Salguero 2023-03-16 17:10:28 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-4645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.15.mga8
lib(64)tiff-devel-4.2.0-1.15.mga8
lib(64)tiff-static-devel-4.2.0-1.15.mga8
libtiff-progs-4.2.0-1.15.mga8

from SRPM:
libtiff-4.2.0-1.15.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-4645
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.5.0-5.mga9.src.rpm, tkimg-1.4.14-2.mga9.src.rpm => libtiff-4.2.0-1.14.mga8.src.rpm

Comment 4 Len Lawrence 2023-03-19 10:06:07 CET
Mageia8, x86_64

tkimg-1.4-10.mga8 already installed, used every day for homespun guis but never for TIFF images.  Attached is a tiny ruby script which uses the tkimg library to display a TIFF image.  That worked before updates.

Referred to bug 29976 for some utility tests.  All passed.

CVE-2022-4645
https://gitlab.com/libtiff/libtiff/-/issues/277
$ tiffcp pocfile /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
[...]
TIFFFillStrip: Read error on strip 0; got 530 bytes, expected 4127134585.
poc_tiffcp_948: Error, can't read scanline 0.

The original test involved an ASAN framework which caused an ABORT. The backtrace matches the published result in the first couple of lines.

Updated the packages.
The PoC test returned exactly the same result as before so not much use really.

Used a few of the tools as in earlier tests; tiffgt, tiffsplit, tifftopnm, pnmtotiff, tiffmedian, tiffcrop, tiff2pdf, tiffdump.  No regressions noted.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
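
A defender-side sanity check for the kind of malformed TIFF directory the tiffcp run above complains about (tags not in ascending order, a strip byte count far larger than the file itself). This is an added example written for this page, not code from libtiff, tkimg or the bug's PoC; the two sample TIFFs it builds are constructed inline and the 4127134585 figure is taken from the tiffcp output quoted above.

```python
import struct

STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279   # TIFF tag numbers
INT_TYPES = {3: "H", 4: "I"}                  # SHORT, LONG field types

def _values(data, e, typ, count, field, findings):  # SHORT/LONG entry values, inline or at an offset
    fmt, size = INT_TYPES[typ], struct.calcsize(INT_TYPES[typ]) * count
    if size <= 4:
        return list(struct.unpack(e + fmt * count, field[:size]))
    off = struct.unpack(e + "I", field)[0]
    if off + size > len(data):
        findings.append(f"value array at {off}+{size} lies outside the {len(data)}-byte file")
        return []
    return list(struct.unpack(e + fmt * count, data[off:off + size]))

def check_tiff(data):
    """Sanity-check the first IFD; returns a list of findings (empty = strip table is consistent)."""
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if e is None or len(data) < 8:
        return ["not a TIFF header"]
    magic, ifd = struct.unpack(e + "HI", data[2:8])
    if magic != 42 or ifd + 2 > len(data):
        return ["bad magic or IFD offset outside the file"]
    (n,) = struct.unpack(e + "H", data[ifd:ifd + 2])
    if ifd + 2 + 12 * n > len(data):
        return [f"IFD claims {n} entries but runs past end of file"]
    findings, tags, strips = [], [], {}
    for i in range(n):
        ent = data[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, count = struct.unpack(e + "HHI", ent[:8])
        tags.append(tag)
        if tag in (STRIP_OFFSETS, STRIP_BYTE_COUNTS) and typ in INT_TYPES:
            strips[tag] = _values(data, e, typ, count, ent[8:], findings)
    if tags != sorted(tags):
        findings.append("tags are not sorted in ascending order")
    for i, (o, c) in enumerate(zip(strips.get(STRIP_OFFSETS, []), strips.get(STRIP_BYTE_COUNTS, []))):
        if o + c > len(data):
            findings.append(f"strip {i}: offset {o} + {c} bytes exceeds file size {len(data)}")
    return findings

def make_tiff(entries, pixels=b"\x00" * 16):
    # Constructed little-endian TIFF: header, one IFD of single-value SHORT/LONG entries, pixel data.
    ifd = struct.pack("<H", len(entries))
    for tag, typ, val in entries:
        ifd += struct.pack("<HHI", tag, typ, 1) + struct.pack("<" + INT_TYPES[typ], val).ljust(4, b"\0")
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + pixels

# Constructed samples: a sane 4x4 1-bit image (pixels at offset 86), and one with unsorted tags and a huge StripByteCounts
GOOD = make_tiff([(256, 3, 4), (257, 3, 4), (259, 3, 1), (273, 4, 86), (278, 3, 4), (279, 4, 16)])
BAD = make_tiff([(257, 3, 4), (256, 3, 4), (259, 3, 1), (273, 4, 86), (278, 3, 4), (279, 4, 4127134585)])
```

Running check_tiff over a file before handing it to an image pipeline gives an early, library-independent signal that the strip table cannot be trusted.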

Comment 5 Len Lawrence 2023-03-19 10:08:43 CET
Created attachment 13741 [details]
ruby/tk script to test tkimg

$ ruby tktest.rb
Only of use if ruby and ruby-tk are installed.
Comment 6 Len Lawrence 2023-03-19 10:14:24 CET
Neglected to try any of the numerous applications listed as requiring libtiff apart from tkimg.
e.g. atril, blender, darktable, rawtherapee, gthumb, okular....
Comment 7 Len Lawrence 2023-03-19 13:29:36 CET
Manipulated TIFF images using gthumb under strace.
$ grep lib gthumb.trace | grep tif
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27

Good enough.
Comment 8 Thomas Andrews 2023-03-19 19:51:38 CET
Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-23 23:56:19 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-03-24 06:57:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0113.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 10 Len Lawrence 2023-09-06 18:16:38 CEST
Created attachment 13975 [details]
Ruby test file to exercise the tkimg TIFF image display function.

If ruby and ruby-tk are installed, run this thus:
$ ruby tktest.rb <image file name>
Include the path if the image is not in the current directory.
Large images may be shrunk to some default size - do not know how this is decided.

Attachment 13741 is obsolete: 0 => 1

