Fedora has issued an advisory on March 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/ Apparently tkimg bundles libtiff (which should be fixed if possible). Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
https://bugzilla.redhat.com/show_bug.cgi?id=2176220
"A flaw was found in tiffcp, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the tiffcp function in tools/tiffcp.c, resulting in a denial of service and limited information disclosure."
I think this is the upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
which may have already been applied in Cauldron:
Mar 7: tkimg, daviddavid: apply upstream libtiff fix for CVE-2022-4645
tkimg has no maintainer, libtiff is with NicolasS. Assigning to the latter, CC'ing DavidG.
CC: (none) => geiger.david68210
Assignee: bugsquad => nicolas.salguero
For Cauldron, libtiff 4.5.0 already solved that CVE and, as Lewis said in comment 1, tkimg was already patched. For Mga8, tkimg uses libtiff from the system, contrary to the version of tkimg that is in Cauldron.
Suggested advisory:
========================
The updated packages fix a security vulnerability:

LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-4645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/
========================
Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.15.mga8
lib(64)tiff-devel-4.2.0-1.15.mga8
lib(64)tiff-static-devel-4.2.0-1.15.mga8
libtiff-progs-4.2.0-1.15.mga8

from SRPM:
libtiff-4.2.0-1.15.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-4645
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.5.0-5.mga9.src.rpm, tkimg-1.4.14-2.mga9.src.rpm => libtiff-4.2.0-1.14.mga8.src.rpm
Mageia8, x86_64

tkimg-1.4-10.mga8 already installed, used every day for homespun GUIs but never for TIFF images. Attached is a tiny ruby script which uses the tkimg library to display a TIFF image. That worked before updates.

Referred to bug 29976 for some utility tests. All passed.

CVE-2022-4645
https://gitlab.com/libtiff/libtiff/-/issues/277

$ tiffcp pocfile /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
[...]
TIFFFillStrip: Read error on strip 0; got 530 bytes, expected 4127134585.
poc_tiffcp_948: Error, can't read scanline 0.

The original test involved an ASAN framework which caused an ABORT. The backtrace matches the published result in the first couple of lines.

Updated the packages. The PoC test returned exactly the same result as before so not much use really.

Used a few of the tools as in earlier tests: tiffgt, tiffsplit, tifftopnm, pnmtotiff, tiffmedian, tiffcrop, tiff2pdf, tiffdump. No regressions noted.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Created attachment 13741 [details]
ruby/tk script to test tkimg

$ ruby tktest.rb

Only of use if ruby and ruby-tk are installed.
Neglected to try any of the numerous applications listed as requiring libtiff apart from tkimg. e.g. atril, blender, darktable, rawtherapee, gthumb, okular....
Manipulated TIFF images using gthumb under strace.

$ grep lib gthumb.trace | grep tif
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27

Good enough.
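The strace check above relies on reading the return values by eye: the first openat line is a failed probe (ENOENT), only the second is the library the application really loaded. The script below is an added example, not part of the bug report or of any Mageia package; it parses an strace log from stdin and prints only the matching shared objects whose openat succeeded, using a constructed sample modelled on the gthumb lines.

```shell
#!/bin/sh
# Added example: report which shared objects matching a name an strace log
# shows as actually opened, skipping failed probe paths (return value -1).
# Typical use:  strace -f -e trace=openat -o app.trace app
#               loaded_libs tiff < app.trace

# loaded_libs NAME  -- read strace openat lines on stdin, print the paths of
# "lib<NAME>*" files whose open returned a file descriptor (>= 0).
loaded_libs() {
    awk -v pat="$1" '
        /openat\(/ && $0 ~ ("lib" pat) {
            # line layout: openat(AT_FDCWD, "<path>", <flags>) = <ret> [errno text]
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (split($0, parts, /\) = /) < 2) next
            ret = parts[2]; sub(/ .*/, "", ret)   # keep just the numeric result
            if (ret + 0 >= 0) print path
        }'
}

# Constructed sample trace (same shape as the gthumb lines in the report):
# the extension directory probe fails, the system libtiff is the real load.
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27'

# Run on the sample: prints /lib64/libtiff.so.5 and nothing else.
printf '%s\n' "$SAMPLE_TRACE" | loaded_libs tiff
```

Compare the printed path against the package that owns it (rpm -qf) to confirm the updated lib(64)tiff5 is the one being exercised rather than a bundled copy.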
Validating. Advisory in comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0113.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Created attachment 13975 [details]
Ruby test file to exercise the tkimg TIFF image display function.

If ruby and ruby-tk are installed run this thus:

$ ruby tktest.rb <image file name>

Include the path if the image is not in the current directory. Large images may be shrunk to some default size - do not know how this is decided.
Attachment 13741 is obsolete: 0 => 1