Bug 33163 - libtiff new security issue CVE-2023-6228
Summary: libtiff new security issue CVE-2023-6228
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-30 17:26 CEST by Nicolas Salguero
Modified: 2024-05-09 04:41 CEST
CC List: 2 users

See Also:
Source RPM: libtiff-4.5.1-1.2.mga9.src.rpm
CVE: CVE-2023-6228
Status comment:


Attachments

Description Nicolas Salguero 2024-04-30 17:26:37 CEST
Red Hat has issued an advisory on April 30:
https://lwn.net/Articles/971682/

Fix by: https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a
Nicolas Salguero 2024-04-30 17:27:28 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libtiff-4.6.0-2.mga10.src.rpm
Status comment: (none) => Patch available from upstream
CVE: (none) => CVE-2023-6228

Comment 1 Lewis Smith 2024-04-30 20:29:39 CEST
Assigning back to nicolas who normally updates libtiff.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-05-02 14:28:09 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow that leads to an application crash. (CVE-2023-6228)

References:
https://lwn.net/Articles/971682/
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff6-4.5.1-1.3.mga9
lib(64)tiff-devel-4.5.1-1.3.mga9
lib(64)tiff-static-devel-4.5.1-1.3.mga9
libtiff-progs-4.5.1-1.3.mga9

from SRPM:
libtiff-4.5.1-1.3.mga9.src.rpm

Status comment: Patch available from upstream => (none)
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Source RPM: libtiff-4.6.0-2.mga10.src.rpm => libtiff-4.5.1-1.2.mga9.src.rpm
Status: NEW => ASSIGNED
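
As an added example (not code from this bug report, from the Mageia packagers or from libtiff), the following POSIX shell script checks whether the packages listed in the suggested advisory are installed on a Mageia 9 host at or above the fixed version-release 4.5.1-1.3.mga9. The package names follow Mageia's lib/lib64 split as shown above; the rpm query format and the use of GNU `sort -V` as a stand-in for rpm's own version comparison are assumptions, and the script file name `check_libtiff_mga9.sh` used to detect direct execution is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the bug report or of Mageia's tooling):
# check whether the libtiff packages installed on a Mageia 9 host are at
# or above the version-release shipped for CVE-2023-6228 (Comment 2).

# Fixed version-release from the updated packages listed in Comment 2.
FIXED_VR="4.5.1-1.3.mga9"

# Binary packages named in the advisory; lib(64)tiff6 is lib64tiff6 on
# x86_64 and libtiff6 on i586, so both spellings are checked.
PACKAGES="lib64tiff6 libtiff6 lib64tiff-devel libtiff-devel \
lib64tiff-static-devel libtiff-static-devel libtiff-progs"

# vr_ge A B: succeed (exit 0) if version-release A is >= B.
# Uses GNU version sort (sort -V), which compares digit runs numerically
# and the rest lexically, so 4.5.1-1.3.mga9 sorts after 4.5.1-1.2.mga9 and
# 4.5.1-1.10.mga9 after 4.5.1-1.3.mga9. This approximates rpmvercmp for
# same-epoch Mageia release strings (assumption); it does not handle epochs.
vr_ge() {
    [ "$1" = "$2" ] && return 0
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$newest" = "$1" ]
}

# installed_vr PKG: print VERSION-RELEASE of an installed package and
# succeed, or print nothing and fail if it is not installed (or rpm is
# missing on this host).
installed_vr() {
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
}

# check_pkg PKG: report the package state; fail only if an installed copy
# is older than FIXED_VR.
check_pkg() {
    vr=$(installed_vr "$1") || { echo "$1: not installed"; return 0; }
    if vr_ge "$vr" "$FIXED_VR"; then
        echo "$1-$vr: fixed (>= $FIXED_VR)"
        return 0
    fi
    echo "$1-$vr: still vulnerable to CVE-2023-6228, update to $FIXED_VR"
    return 1
}

# check_all: run check_pkg over every package; status 1 if any is too old.
check_all() {
    rc=0
    for p in $PACKAGES; do
        check_pkg "$p" || rc=1
    done
    return $rc
}

# When run directly as check_libtiff_mga9.sh (hypothetical file name), check
# the host; the script's exit status is 1 if anything is still vulnerable.
case "${0##*/}" in
    check_libtiff_mga9.sh) check_all ;;
esac
```

On a host where `urpmi --auto-update` has pulled the update from core/updates, every installed package should report "fixed"; a package that still reports 4.5.1-1.2.mga9 (the source RPM this bug was filed against) is the one to update.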

katnatek 2024-05-02 19:54:59 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2024-05-05 04:48:18 CEST
No installation issues. Repeated the test from bug 32983 comment 2 with the same results.

Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2024-05-09 04:41:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0164.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

