Debian has issued an advisory today (March 11): https://lwn.net/Articles/965011/ Mageia 9 is also affected.
Assignee: bugsquad => nicolas.salgueroWhiteboard: (none) => MGA9TOOSource RPM: (none) => libtiff-4.6.0-1.mga10.src.rpmCVE: (none) => CVE-2023-52356
Suggested advisory: ======================== The updated packages fix a security vulnerability: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. (CVE-2023-52356) References: https://lwn.net/Articles/965011/ ======================== Updated packages in core/updates_testing: ======================== lib(64)tiff6-4.5.1-1.1.mga9 lib(64)tiff-devel-4.5.1-1.1.mga9 lib(64)tiff-static-devel-4.5.1-1.1.mga9 libtiff-progs-4.5.1-1.1.mga9 from SRPM: libtiff-4.5.1-1.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugsSource RPM: libtiff-4.6.0-1.mga10.src.rpm => libtiff-4.5.1-1.mga9.src.rpmWhiteboard: MGA9TOO => (none)Status: NEW => ASSIGNEDVersion: Cauldron => 9
mga9, x64 No path to a PoC from the link under references. Updated all the packages. Nothing to do but exercise the utilities as in previous bugs. $ tiffgt Shiel.tif to display an image. No layered tiff image available but plain image was processed properly. $ tiffsplit x.tiff p $ ll pa*.tif -rw-r--r-- 1 lcl lcl 128244 Mar 11 18:04 paaa.tif $ tifftopnm einstein.tif > albert.pnm tifftopnm: writing PGM file $ display albert.pnm Exact copy. $ tiffcrop -E top -U px -m 120,120,120,120 SantaMaria.tif cropped.tif _TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec). _TIFFVGetField: cropped.tif: Invalid tag "BadFaxLines" (not supported by codec). Nevertheless the resulting image was displayed with a 120-pixel border missing. $ file SantaMaria.tif SantaMaria.tif: TIFF image data, little-endian, direntries=21, height=1410, bps=5210, compression=LZW, PhotometricInterpretation=RGB, description=IDL TIFF file, orientation=upper-left, width=1638 $ file cropped.tif cropped.tif: TIFF image data, little-endian, direntries=21, height=1170, bps=22414, compression=LZW, PhotometricInterpretation=RGB, description=IDL TIFF file, orientation=upper-left, width=1398 $ tiff2bw JessicaAlba.tif monochrome.tif $ eom monochrome.tif Greyscale rendering of colour image was displayed. $ tiff2pdf SantaMaria.tif > crater.pdf $ okular crater.pdf That displayed the imagein a one-page PDF. $ tiff2ps SantaMaria.tif > crater.ps $ gs crater.ps Ghostscript image of the original, displayed at a reduced size in the bottom left-hand corner of the page. $ tiffdump SantaMaria.tif > dumpfile $ less dumpfile SantaMaria.tif: Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF> Directory 0: offset 1971016 (0x1e1348) next 0 (0) ImageWidth (256) SHORT (3) 1<1638> ImageLength (257) SHORT (3) 1<1410> BitsPerSample (258) SHORT (3) 3<8 8 8> Compression (259) SHORT (3) 1<5> Photometric (262) SHORT (3) 1<2> FillOrder (266) SHORT (3) 1<1> [...] PrimaryChromaticities (319) RATIONAL (5) 6<0.64 0.33 0.3 0.6 0.15 0.06> BadFaxLines (326) LONG (4) 1<2707030018> No regressions noted. Advisory to follow.
CC: (none) => tarazed25Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
(In reply to Len Lawrence from comment #2) > No regressions noted. Advisory to follow. Sorry Len, I not see you already on t, is uploaded
Thanks katnatek, my fault; I should have checked.
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Created attachment 14450 [details] nomacs test with strace
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0055.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
CC: (none) => dan
Dan Fandrich Today the adv file for this bug was marked as deleted from svn , is a mistake?
This change is the culprit: ------------------------------------------------------------------------ r15903 | tarazed | 2024-03-19 10:01:01 -0700 (Tue, 19 Mar 2024) | 1 line Changed paths: A /32944.adv D /32959.adv
(In reply to Dan Fandrich from comment #9) > This change is the culprit: > ------------------------------------------------------------------------ > r15903 | tarazed | 2024-03-19 10:01:01 -0700 (Tue, 19 Mar 2024) | 1 line > Changed paths: > A /32944.adv > D /32959.adv Must I add again, or you can do it?
I'm pretty sure you can do it.
Done, I hope I do it right, I follow https://wiki.mageia.org/en/How_to_create_an_update_advisory#Adding_old_advisories https://svnweb.mageia.org/advisories/32959.adv
Sorry katnatek. I was adding an advisory for another bug and was told that that older advisory (remember we clashed) had to be removed. I assumed (!) that meant the copy in my advisories directory, so I agreed to 'r'. I am still confused about what to do in such cases. I don't know what the correct response would have been. The one at my end that I thought had been replaced by your version is actually the skeleton from the documentation and I do not know how that appeared because I use mga-advisor.
(In reply to Len Lawrence from comment #13) > Sorry katnatek. I was adding an advisory for another bug and was told that > that older advisory (remember we clashed) had to be removed. I assumed (!) > that meant the copy in my advisories directory, so I agreed to 'r'. I am > still confused about what to do in such cases. I don't know what the > correct response would have been. The one at my end that I thought had been > replaced by your version is actually the skeleton from the documentation and > I do not know how that appeared because I use mga-advisor. When I did have this I prefer lost some of my work, from ~/mageia-advisories I rm -rf advisories svn co svn+ssh://svn.mageia.org/svn/advisories cd advisories And not is necessary but for be extra sure svn up Then redo my advisory and apply the steps to upload I not make this kind of mistake recently but a few times when I start with this I'm some rusted with svn, I remember is a way of undo this kind of situations, but I decide just re-upload , I have some fun in Mandriva times with this and once I did have to ask Romain D Alverny to come to rescue :/