32983 – libtiff new security issues CVE-2023-40745 and CVE-2023-41175

Bug 32983 - libtiff new security issues CVE-2023-40745 and CVE-2023-41175

Summary: libtiff new security issues CVE-2023-40745 and CVE-2023-41175

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-03-18 15:53 CET by Nicolas Salguero
Modified:	2024-03-20 22:20 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	libtiff-4.5.1-1.1.mga9.src.rpm
CVE:	CVE-2023-40745, CVE-2023-41175
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-03-18 15:53:13 CET

SUSE has issued an advisory on March 18:
https://lwn.net/Articles/965827/

Nicolas Salguero 2024-03-18 15:54:08 CET

CVE: (none) => CVE-2023-40745, CVE-2023-41175
Source RPM: (none) => libtiff-4.5.1-1.1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-03-18 16:01:25 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. (CVE-2023-40745)

A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. (CVE-2023-41175)

References:
https://lwn.net/Articles/965827/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff6-4.5.1-1.2.mga9
lib(64)tiff-devel-4.5.1-1.2.mga9
lib(64)tiff-static-devel-4.5.1-1.2.mga9
libtiff-progs-4.5.1-1.2.mga9

from SRPM:
libtiff-4.5.1-1.2.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-03-18 19:21:20 CET

Keywords: (none) => advisory

Comment 2 Thomas Andrews 2024-03-20 19:20:48 CET

MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

Seems like we just had a libtiff update a few days ago. Oh, wait - we did.

Anyway, there were no installation issues this time, either.

I decided to go a different route with testing this time, so searched with urpmq to see what required lib64tiff6. There was a fairly long list of packages, including Gimp, Gwenview, and ImageMagick.

I started with a scan of the cover of the first issue of Plank Road magazine, which happened to feature a watercolor painting of our farm stand from several years ago. It was in Gimp's xcf format, so I loaded it into Gimp, then exported it as PlankRoad.tif. Then I converted it again, using ImageMagick from the command line: convert PlankRoad.tif PlankRoad.jpg. 

Then, I used Gwenview to look at the three images, and compare them. Rendering of the original xcf image wasn't very good, nothing like in Gimp itself, but the other two images looked identical.  Finally, I used Gimp to load the original image again, then loaded the other two over it as layers. With the view zoomed in,but not TOO much, I made the layers invisible, one by one, while watching the window. I didn't see any change at all in the three images as I switched from one to the other.

I'm calling this OK, and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 3 Mageia Robot 2024-03-20 22:20:07 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0077.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.