Bug 32117 - libtiff new security issues CVE-2023-2908, CVE-2023-331[68], CVE-2023-25433, CVE-2023-2696[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-07-17 22:17 CEST by David Walser
Modified: 2023-09-11 15:09 CEST

See Also:
Source RPM: libtiff-4.5.0-5.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-07-17 22:17:58 CEST
Ubuntu has issued an advisory on July 13:
https://ubuntu.com/security/notices/USN-6229-1

The issues are fixed upstream in 4.5.1.

Mageia 8 is also affected.
David Walser 2023-07-17 22:18:09 CEST

Status comment: (none) => Fixed upstream in 4.5.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-19 20:47:12 CEST
This pkg is maintained by ns80, so assigning to you. You have already applied several CVE fixes.

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-08-29 13:32:06 CEST

Whiteboard: MGA8TOO => MGA9TOO, MGA8TOO
Summary: libtiff new security issues CVE-2023-3316, CVE-2023-25433, CVE-2023-2696[56] => libtiff new security issues CVE-2023-2908, CVE-2023-3316, CVE-2023-3618, CVE-2023-25433, CVE-2023-2696[56], CVE-2023-3828[89]

Nicolas Salguero 2023-08-31 14:05:16 CEST

Summary: libtiff new security issues CVE-2023-2908, CVE-2023-3316, CVE-2023-3618, CVE-2023-25433, CVE-2023-2696[56], CVE-2023-3828[89] => libtiff new security issues CVE-2023-2908, CVE-2023-331[68], CVE-2023-25433, CVE-2023-2696[56]
CC: (none) => nicolas.salguero

Comment 2 Nicolas Salguero 2023-08-31 14:08:18 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. (CVE-2023-2908)

A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. (CVE-2023-3316)

A vulnerability was found in SourceCodester Resort Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument page leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. (CVE-2023-3618)

libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop causes heap-buffer-overflow and SEGV. (CVE-2023-25433)

loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image. (CVE-2023-26965)

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. (CVE-2023-26966)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3316
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26966
https://ubuntu.com/security/notices/USN-6229-1
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.16.mga8
lib(64)tiff-devel-4.2.0-1.16.mga8
lib(64)tiff-static-devel-4.2.0-1.16.mga8
libtiff-progs-4.2.0-1.16.mga8

from SRPM:
libtiff-4.2.0-1.16.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)tiff6-4.5.1-1.mga9
lib(64)tiff-devel-4.5.1-1.mga9
lib(64)tiff-static-devel-4.5.1-1.mga9
libtiff-progs-4.5.1-1.mga9

from SRPM:
libtiff-4.5.1-1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Status comment: Fixed upstream in 4.5.1 => (none)
Assignee: nicolas.salguero => qa-bugs
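
Added example, not part of the bug report or of Mageia's tooling: a shell check that classifies a libtiff package build against the fixed builds listed in comment 2. The function names are hypothetical, and GNU `sort -V` ordering is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed builds are the ones listed in comment 2:
#   Mageia 8: 4.2.0-1.16.mga8    Mageia 9: 4.5.1-1.mga9
# Assumption: GNU `sort -V` agrees with RPM's comparison for plain
# numeric versions and releases such as these.

# fixed_for DIST -> prints the fixed VERSION-RELEASE (dist tag stripped)
fixed_for() {
    case "$1" in
        mga8) echo "4.2.0-1.16" ;;
        mga9) echo "4.5.1-1" ;;
        *) return 1 ;;
    esac
}

# libtiff_status NAME-VERSION-RELEASE -> patched | vulnerable | unknown
libtiff_status() {
    nvr=$1
    release=${nvr##*-}      # e.g. 1.16.mga8
    rest=${nvr%-*}          # e.g. lib64tiff5-4.2.0
    version=${rest##*-}     # e.g. 4.2.0
    dist=${release##*.}     # e.g. mga8
    relnum=${release%.*}    # e.g. 1.16
    # Releases this bug does not cover are reported as unknown, not as safe.
    fixed=$(fixed_for "$dist") || { echo unknown; return 0; }
    have="$version-$relnum"
    # The older build sorts first; patched when the fixed build is not newer.
    lowest=$(printf '%s\n%s\n' "$fixed" "$have" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# scan_installed: classify every installed libtiff package on an RPM host.
scan_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'lib*tiff*' |
    while read -r pkg; do
        printf '%s %s\n' "$pkg" "$(libtiff_status "$pkg")"
    done
}
```

Calling `scan_installed` on a Mageia 8 or 9 host prints one line per installed libtiff package with its status.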

PC LX 2023-08-31 16:47:45 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2023-09-02 15:45:58 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Following wiki
$ tiff2pdf pasfotoherman.tif > pasfotoherman.pdf
pdf displays OK with atril

$ tiffinfo pasfotoriet.tif 
TIFF Directory at offset 0x582322 (5776162)
  Image Width: 2176 Image Length: 2646
  Resolution: 1200, 1200 pixels/inch
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: min-is-black
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 1
  Rows/Strip: 3
  Planar Configuration: single image plane
  Software: xsane
  DateTime: 2013:03:15 10:49:43
this looks OK
$ gimp pasfototineke.tif 
picture opens OK in gimp

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-09-11 02:45:55 CEST
MGA9-64 Plasma, i5-2500, Intel graphics.

Installed libtiff-progs, then updated using QArepo. No installation issues. I decided to vary from Herman's example, and used "urpmq --whatrequires lib64tiff6" to see what else might require this library. It's a rather long list.

Using a photo of a hot air balloon named "floating.jpg":

$ convert floating.jpg floating.tif converted the image to tiff.
$ display floating.tif displayed it on my monitor.
$ tiffinfo floating.tif
=== TIFF directory 0 ===
TIFF Directory at offset 0x6e6138 (7233848)
  Image Width: 2040 Image Length: 1182
  Resolution: 72, 72 pixels/inch
  Position: 0, 0
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  FillOrder: msb-to-lsb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 160
  Planar Configuration: single image plane
  Page Number: 0-1
  White Point: 0.3127-0.329
  PrimaryChromaticities: 0.640000,0.330000,0.300000,0.600000,0.150000,0.060000
(plus a lot of EXIF data)

And last, $ gimp floating.tif opened the tiff image in Gimp.

Looks OK in MGA9.
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Dave Hodgins 2023-09-11 03:06:42 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-09-11 15:09:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0255.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

