Fedora has issued an advisory on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/

Apparently tkimg bundles libtiff (which should be fixed if possible).

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
https://bugzilla.redhat.com/show_bug.cgi?id=2176220
"A flaw was found in tiffcp, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the tiffcp function in tools/tiffcp.c, resulting in a denial of service and limited information disclosure."

I think this is the upstream patch:
https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246

which may have already been applied in Cauldron:
Mar 7: tkimg, daviddavid: apply upstream libtiff fix for CVE-2022-4645

tkimg has no maintainer, libtiff is with NicolasS. Assigning to the latter, CC'ing DavidG.
Assignee: bugsquad => nicolas.salguero
CC: (none) => geiger.david68210
For Cauldron, libtiff 4.5.0 already solved that CVE and, as Lewis said in comment 1, tkimg was already patched. For Mga8, tkimg uses libtiff from the system, contrary to the version of tkimg that is in Cauldron.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-4645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/
========================

Updated packages in core/updates_testing:
========================

lib(64)tiff5-4.2.0-1.15.mga8
lib(64)tiff-devel-4.2.0-1.15.mga8
lib(64)tiff-static-devel-4.2.0-1.15.mga8
libtiff-progs-4.2.0-1.15.mga8

from SRPM:
libtiff-4.2.0-1.15.mga8.src.rpm
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-4645
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.5.0-5.mga9.src.rpm, tkimg-1.4.14-2.mga9.src.rpm => libtiff-4.2.0-1.14.mga8.src.rpm
Mageia8, x86_64

tkimg-1.4-10.mga8 already installed, used every day for homespun guis but never for TIFF images. Attached is a tiny ruby script which uses the tkimg library to display a TIFF image. That worked before updates.

Referred to bug 29976 for some utility tests. All passed.

CVE-2022-4645
https://gitlab.com/libtiff/libtiff/-/issues/277

$ tiffcp pocfile /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
[...]
TIFFFillStrip: Read error on strip 0; got 530 bytes, expected 4127134585.
poc_tiffcp_948: Error, can't read scanline 0.

The original test involved an ASAN framework which caused an ABORT. The backtrace matches the published result in the first couple of lines.

Updated the packages.

The PoC test returned exactly the same result as before so not much use really.

Used a few of the tools as in earlier tests; tiffgt, tiffsplit, tifftopnm, pnmtotiff, tiffmedian, tiffcrop, tiff2pdf, tiffdump. No regressions noted.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
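The three libtiff warnings in the tiffcp run above (unsorted IFD tags, an unknown tag 501, a strip byte count far larger than the file) are all properties of the input file's first image directory that can be checked before handing the file to any libtiff tool. The following parser is an added example written for this thread, not code from libtiff, tkimg or the Mageia packaging; it reads the TIFF header and first IFD with the standard library only and reports those conditions. The two sample files are constructed inline (they are not the PoC from issue 277) purely to exercise the checks, and the tag list is the baseline TIFF 6.0 subset, so tags outside it are reported as unknown just as libtiff does.

```python
"""Triage checks on a TIFF's first IFD: tag ordering, unknown tags, and strip
byte counts that cannot fit in the file. Added example, standard library only."""
import struct

# Baseline TIFF 6.0 tags (subset). Anything else is reported as unknown,
# mirroring libtiff's "Unknown field with tag N" warning.
KNOWN_TAGS = {254, 255, 256, 257, 258, 259, 262, 263, 266, 269, 270, 271, 272,
              273, 274, 277, 278, 279, 280, 281, 282, 283, 284, 296, 305, 306,
              315, 317, 320, 338, 339}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279
SHORT, LONG = 3, 4


def _values(e, data, typ, count, raw):
    """Decode a SHORT/LONG entry: values of <= 4 bytes live inline in the
    4-byte value field; larger arrays sit at the offset that field holds."""
    size, fmt = (2, "H") if typ == SHORT else (4, "I")
    if size * count <= 4:
        return list(struct.unpack(e + fmt * count, raw[:size * count]))
    (off,) = struct.unpack(e + "I", raw)
    if off + size * count > len(data):
        return None
    return list(struct.unpack(e + fmt * count, data[off:off + size * count]))


def analyze_tiff(data):
    """Parse the header and first IFD; return {'tags': [...], 'issues': [...]}."""
    issues, tags, entries = [], [], {}
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return {"tags": tags, "issues": ["not a TIFF header"]}
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        return {"tags": tags, "issues": ["bad magic or IFD offset %d beyond EOF" % ifd_off]}
    (n,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    for i in range(n):
        if pos + 12 > len(data):
            issues.append("IFD truncated after %d entries" % i)
            break
        tag, typ, count = struct.unpack(e + "HHI", data[pos:pos + 8])
        raw = data[pos + 8:pos + 12]
        pos += 12
        if tags and tag < tags[-1]:  # TIFF requires ascending tag order
            issues.append("tags not in ascending order (%d after %d)" % (tag, tags[-1]))
        tags.append(tag)
        if tag not in KNOWN_TAGS:
            issues.append("unknown tag %d (0x%x)" % (tag, tag))
        if typ in (SHORT, LONG):
            entries[tag] = _values(e, data, typ, count, raw)
            if entries[tag] is None:
                issues.append("tag %d value array beyond EOF" % tag)
    offs = entries.get(STRIP_OFFSETS) or []
    cnts = entries.get(STRIP_BYTE_COUNTS) or []
    if len(offs) != len(cnts):
        issues.append("StripOffsets/StripByteCounts length mismatch (%d vs %d)" % (len(offs), len(cnts)))
    for i, (off, cnt) in enumerate(zip(offs, cnts)):
        if cnt > len(data):
            issues.append("strip %d claims %d bytes, file is only %d" % (i, cnt, len(data)))
        elif off + cnt > len(data):
            issues.append("strip %d at %d + %d bytes runs past EOF" % (i, off, cnt))
    return {"tags": tags, "issues": issues}


def build_tiff(entries, strip, e="<"):
    """Construct a minimal single-IFD TIFF for testing (sample data, not a real
    image). entries: (tag, type, count, value) with inline SHORT/LONG values;
    the value "strip" is replaced by the strip's file offset. Entries are
    written in the order given so an unsorted IFD can be produced on purpose."""
    strip_off = 8 + 2 + 12 * len(entries) + 4
    ifd = struct.pack(e + "H", len(entries))
    for tag, typ, count, val in entries:
        val = strip_off if val == "strip" else val
        raw = struct.pack(e + "H", val) + b"\0\0" if typ == SHORT else struct.pack(e + "I", val)
        ifd += struct.pack(e + "HHI", tag, typ, count) + raw
    ifd += struct.pack(e + "I", 0)  # no next IFD
    return (b"II" if e == "<" else b"MM") + struct.pack(e + "HI", 42, 8) + ifd + strip


STRIP = bytes(range(4)) * 4  # constructed: 16 bytes standing in for 4x4 8-bit grey pixels
GOOD = build_tiff([
    (256, SHORT, 1, 4), (257, SHORT, 1, 4), (258, SHORT, 1, 8), (259, SHORT, 1, 1),
    (262, SHORT, 1, 1), (273, LONG, 1, "strip"), (277, SHORT, 1, 1),
    (278, SHORT, 1, 4), (279, LONG, 1, 16)], STRIP)
# Constructed to show the same three conditions the tiffcp run warned about:
# 279 before 273, an unknown tag 501 (0x1f5), and an absurd StripByteCounts.
BAD = build_tiff([
    (256, SHORT, 1, 4), (257, SHORT, 1, 4), (258, SHORT, 1, 8), (259, SHORT, 1, 1),
    (262, SHORT, 1, 1), (279, LONG, 1, 4127134585), (273, LONG, 1, "strip"),
    (277, SHORT, 1, 1), (278, SHORT, 1, 4), (501, SHORT, 1, 0)], STRIP)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, analyze_tiff(blob)["issues"])
```

Run it on a real file with `analyze_tiff(open(path, "rb").read())`. Only the first IFD is inspected and only SHORT/LONG entries are decoded, which is enough to see why a strip read would ask for billions of bytes; it is a triage aid, not a substitute for the fixed libtiff.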
Created attachment 13741
ruby/tk script to test tkimg

$ ruby tktest.rb

Only of use if ruby and ruby-tk are installed.
Neglected to try any of the numerous applications listed as requiring libtiff apart from tkimg. e.g. atril, blender, darktable, rawtherapee, gthumb, okular....
Manipulated TIFF images using gthumb under strace.

$ grep lib gthumb.trace | grep tif
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27

Good enough.
Validating. Advisory in comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs