Bug 31668 - libtiff, tkimg new security issue CVE-2022-4645
Summary: libtiff, tkimg new security issue CVE-2022-4645
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Reported: 2023-03-14 02:53 CET by David Walser
Modified: 2023-03-19 19:51 CET
CC List: 5 users

See Also:
Source RPM: libtiff-4.2.0-1.14.mga8.src.rpm
CVE: CVE-2022-4645
Status comment:

ruby/tk script to test tkimg (298 bytes, application/x-ruby)
2023-03-19 10:08 CET, Len Lawrence

Description David Walser 2023-03-14 02:53:57 CET
Fedora has issued an advisory on March 11:

Apparently tkimg bundles libtiff (which should be fixed if possible).

Mageia 8 is also affected.
David Walser 2023-03-14 02:54:48 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-03-14 20:41:42 CET
"A flaw was found in tiffcp, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the tiffcp function in tools/tiffcp.c, resulting in a denial of service and limited information disclosure."

I think this is the upstream patch:
which may have already been applied in Cauldron:
Mar 7: tkimg, daviddavid: apply upstream libtiff fix for CVE-2022-4645

tkimg has no maintainer, libtiff is with NicolasS. Assigning to the latter, CC'ing DavidG.

Assignee: bugsquad => nicolas.salguero
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2023-03-16 17:09:55 CET
For Cauldron, libtiff 4.5.0 already solved that CVE and, as Lewis said in comment 1, tkimg was already patched.

For Mga8, tkimg uses libtiff from the system, contrary to the version of tkimg that is in Cauldron.
Comment 3 Nicolas Salguero 2023-03-16 17:10:28 CET
Suggested advisory:

The updated packages fix a security vulnerability:

LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-4645)


Updated packages in core/updates_testing:

from SRPM:

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
CVE: (none) => CVE-2022-4645
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libtiff-4.5.0-5.mga9.src.rpm, tkimg-1.4.14-2.mga9.src.rpm => libtiff-4.2.0-1.14.mga8.src.rpm

Comment 4 Len Lawrence 2023-03-19 10:06:07 CET
Mageia8, x86_64

tkimg-1.4-10.mga8 already installed, used every day for homespun GUIs but never for TIFF images. Attached is a tiny ruby script which uses the tkimg library to display a TIFF image. That worked before updates.

Referred to bug 29976 for some utility tests.  All passed.

$ tiffcp pocfile /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
TIFFFillStrip: Read error on strip 0; got 530 bytes, expected 4127134585.
poc_tiffcp_948: Error, can't read scanline 0.

The original test involved an ASAN framework which caused an ABORT. The backtrace matches the published result in the first couple of lines.

Updated the packages.
The PoC test returned exactly the same result as before so not much use really.

Used a few of the tools as in earlier tests; tiffgt, tiffsplit, tifftopnm, pnmtotiff, tiffmedian, tiffcrop, tiff2pdf, tiffdump.  No regressions noted.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
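
The three messages tiffcp printed above (directory tags not sorted, unknown tag 501, a strip that claims 4127134585 bytes in a file a few hundred bytes long) are all visible in the TIFF directory before any image data is decoded. The following Python checker is an added example, not code from libtiff, tkimg or this bug report: it parses the header and first IFD of a TIFF file and reports those anomalies. Both sample files are constructed inline by build_tiff(); the byte count 4127134585 and tag 501 are taken from the tiffcp output in comment 4, everything else (the checker, the known-tag set, the messages) is this example's own.

```python
"""Minimal TIFF directory sanity checker (added example, not libtiff code).

Parses the header and first IFD of a TIFF and reports tags out of order,
unknown tags and strip byte counts that cannot fit in the file, without
reading any image data.  Sample files are constructed by build_tiff().
"""
import struct

# Byte size of each baseline TIFF 6.0 field type (types 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
# Baseline tags this checker knows; anything else is an "unknown field" warning, as in libtiff.
KNOWN_TAGS = {256, 257, 258, 259, 262, 273, 277, 278, 279, 284}


def _values(data, endian, typ, count, raw):
    """Integer values of one IFD entry, stored inline (<= 4 bytes) or behind an offset."""
    total = TYPE_SIZES[typ] * count
    if total <= 4:
        blob = raw[:total]
    else:
        off = struct.unpack(endian + "I", raw)[0]
        if off + total > len(data):
            raise ValueError("value of type %d x %d at offset %d runs past EOF" % (typ, count, off))
        blob = data[off:off + total]
    fmt = {1: "B", 3: "H", 4: "I"}.get(typ)
    if fmt is None:
        return []  # only BYTE/SHORT/LONG matter for the strip tags checked here
    return list(struct.unpack(endian + fmt * count, blob))


def check_tiff(data):
    """Return a list of (severity, message) findings for the first IFD."""
    findings = []
    if len(data) < 8:
        return [("error", "file shorter than the 8-byte TIFF header")]
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        return [("error", "bad byte-order mark %r" % data[:2])]
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return [("error", "bad magic number %d" % magic)]
    if ifd_off + 2 > len(data):
        return [("error", "first IFD offset %d is beyond EOF" % ifd_off)]
    n = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])[0]
    if ifd_off + 2 + 12 * n > len(data):
        return [("error", "IFD with %d entries runs past EOF" % n)]
    entries, prev_tag = {}, -1
    for i in range(n):
        base = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", data[base:base + 8])
        if tag <= prev_tag:  # libtiff: "tags are not sorted in ascending order"
            findings.append(("warning", "tags not sorted in ascending order (tag %d after %d)" % (tag, prev_tag)))
        prev_tag = tag
        if tag not in KNOWN_TAGS:
            findings.append(("warning", "unknown field with tag %d (0x%x)" % (tag, tag)))
        if typ not in TYPE_SIZES:
            findings.append(("error", "tag %d has unknown field type %d" % (tag, typ)))
            continue
        try:
            entries[tag] = _values(data, endian, typ, count, data[base + 8:base + 12])
        except ValueError as exc:
            findings.append(("error", str(exc)))
    offsets, counts = entries.get(273, []), entries.get(279, [])  # StripOffsets / StripByteCounts
    if len(offsets) != len(counts):
        findings.append(("error", "StripOffsets has %d entries but StripByteCounts has %d" % (len(offsets), len(counts))))
    for i, (off, cnt) in enumerate(zip(offsets, counts)):
        if off + cnt > len(data):  # the "got N bytes, expected M" case from TIFFFillStrip
            findings.append(("error", "strip %d: expected %d bytes at offset %d, only %d readable in a %d-byte file"
                             % (i, cnt, off, max(0, len(data) - off), len(data))))
    return findings


def build_tiff(entries, pixel):
    """Constructed helper: little-endian single-IFD TIFF, pixel data at offset 8.
    `entries` is a list of (tag, type, values) kept in the given order so a caller
    can mis-sort the directory on purpose; only inline SHORT/LONG values are supported."""
    fmts = {3: "H", 4: "I"}
    out = bytearray(b"II" + struct.pack("<HI", 42, 8 + len(pixel))) + pixel
    out += struct.pack("<H", len(entries))
    for tag, typ, values in entries:
        blob = struct.pack("<" + fmts[typ] * len(values), *values)
        if len(blob) > 4:
            raise ValueError("constructed example only supports inline values")
        out += struct.pack("<HHI", tag, typ, len(values)) + blob.ljust(4, b"\0")
    out += struct.pack("<I", 0)  # no next IFD
    return bytes(out)


PIXEL = b"\x80"  # constructed: one 8-bit grey pixel
GOOD_TIFF = build_tiff([(256, 3, [1]), (257, 3, [1]), (258, 3, [8]), (259, 3, [1]), (262, 3, [1]),
                        (273, 4, [8]), (277, 3, [1]), (278, 3, [1]), (279, 4, [1])], PIXEL)
# Constructed to mimic the tiffcp run in comment 4: StripByteCounts (279) placed before
# StripOffsets (273), an unknown tag 501, and a byte count of 4127134585 for strip 0.
BAD_TIFF = build_tiff([(256, 3, [1]), (257, 3, [1]), (258, 3, [8]), (259, 3, [1]), (262, 3, [1]),
                       (279, 4, [4127134585]), (273, 4, [8]), (278, 3, [1]), (501, 3, [0])], PIXEL)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_TIFF), ("bad", BAD_TIFF)):
        print(name, check_tiff(blob) or "no findings")
```

A pre-check like this cannot tell whether the installed tiffcp still has the out-of-bounds read, which is why the PoC gave the same output before and after the update; it only shows that the sample is malformed in the way the log describes, which is the property a regression sample is selected for.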

Comment 5 Len Lawrence 2023-03-19 10:08:43 CET
Created attachment 13741 [details]
ruby/tk script to test tkimg

$ ruby tktest.rb
Only of use if ruby and ruby-tk are installed.
Comment 6 Len Lawrence 2023-03-19 10:14:24 CET
Neglected to try any of the numerous applications listed as requiring libtiff apart from tkimg.
e.g. atril, blender, darktable, rawtherapee, gthumb, okular....
Comment 7 Len Lawrence 2023-03-19 13:29:36 CET
Manipulated TIFF images using gthumb under strace.
$ grep lib gthumb.trace | grep tif
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27

Good enough.
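
The strace grep above answers the question comment 2 raises for tkimg: does the application map the system libtiff or a bundled copy? As an added example, not code from the bug report or from gthumb, the following Python script parses strace output of that shape and reports, per shared object, the path that was actually opened and the vendored locations the loader probed first. The log lines embedded in it are constructed from the three lines pasted above; the set of system library directories is an assumption for this example.

```python
"""Which libtiff did the process actually map?  (added example, not from the bug report)

Parses strace(1) open()/openat() lines and maps each shared object to the path
that was successfully opened, keeping the failed candidates so a bundled-copy
lookup that preceded the system copy stays visible.
"""
import re
from os.path import basename, dirname

# Constructed from the three strace lines shown in comment 7.
STRACE_LOG = """\
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnotify.so.4", O_RDONLY|O_CLOEXEC) = 27
"""

# Group 1 is the path, group 2 the return value (fd, or -1 on failure).
OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)", [A-Z_|]+\) = (-?\d+)')

# Directories the dynamic loader searches by default (assumption for this
# example; adjust to the distribution under test).
SYSTEM_LIBDIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}


def resolve_libraries(log):
    """Map each shared-object file name to (loaded_path, [failed_candidate_paths]).

    Only the first successful open counts as the loaded path; ENOENT attempts are
    recorded so the report shows which vendored directories were probed first.
    """
    result = {}
    for line in log.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        path, ret = m.group(1), int(m.group(2))
        name = basename(path)
        if not (name.startswith("lib") and ".so" in name):
            continue  # ignore data files, config, etc.
        entry = result.setdefault(name, [None, []])
        if ret < 0:
            entry[1].append(path)
        elif entry[0] is None:
            entry[0] = path
    return {name: (loaded, failed) for name, (loaded, failed) in result.items()}


def library_origin(log, soname):
    """Classify one shared object as "system", "bundled" or "not loaded"."""
    loaded, _ = resolve_libraries(log).get(soname, (None, []))
    if loaded is None:
        return "not loaded"
    return "system" if dirname(loaded) in SYSTEM_LIBDIRS else "bundled"


if __name__ == "__main__":
    for name, (path, tried) in resolve_libraries(STRACE_LOG).items():
        print("%-18s %s  (failed candidates: %s)" % (name, path, tried or "none"))
    print("libtiff.so.5 origin:", library_origin(STRACE_LOG, "libtiff.so.5"))
```

Run it against a real capture with `strace -f -e trace=openat -o gthumb.trace gthumb` and feed the file contents to resolve_libraries(); a "bundled" result for libtiff means the application would not pick up the updated package at all.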
Comment 8 Thomas Andrews 2023-03-19 19:51:38 CET
Validating. Advisory in comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
