Bug 33538 - libtiff new security issue CVE-2024-7006
Summary: libtiff new security issue CVE-2024-7006
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 10:57 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST

See Also:
Source RPM: libtiff-4.5.1-1.4.mga9.src.rpm
CVE: CVE-2024-7006
Status comment:


Attachments
tiff file that produce blank pdf (9.95 KB, image/tiff)
2024-09-06 19:48 CEST, katnatek

Nicolas Salguero 2024-09-06 10:58:48 CEST

Status comment: (none) => Patch available from openSUSE and upstream
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-7006
Source RPM: (none) => libtiff-4.6.0-3.mga10.src.rpm, libtiff-4.5.1-1.4.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-09-06 11:14:41 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. (CVE-2024-7006)

References:
https://lists.suse.com/pipermail/sle-updates/2024-September/036754.html
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff6-4.5.1-1.5.mga9
lib(64)tiff-devel-4.5.1-1.5.mga9
lib(64)tiff-static-devel-4.5.1-1.5.mga9
libtiff-progs-4.5.1-1.5.mga9

from SRPM:
libtiff-4.5.1-1.5.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Patch available from openSUSE and upstream => (none)
Status: NEW => ASSIGNED
Source RPM: libtiff-4.6.0-3.mga10.src.rpm, libtiff-4.5.1-1.4.mga9.src.rpm => libtiff-4.5.1-1.4.mga9.src.rpm
Assignee: bugsquad => qa-bugs
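
The failure mode described in the suggested advisory above (an allocation fails, the failure is not propagated, and a later step dereferences a pointer that was never set), modelled as an added example. This is not libtiff code and not part of the bug report; `xrealloc`, `merge_fields`, `find_field`, the `tag_name_*` helpers and the tag values are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { int tag; const char *name; } field_t;
typedef struct { field_t *fields; size_t nfields; } dir_t;

/* Hypothetical fault injector: when set to N > 0, the Nth allocation fails. */
static int fail_countdown = 0;
static void *xrealloc(void *p, size_t n) {
    if (fail_countdown > 0 && --fail_countdown == 0) return NULL; /* simulated OOM */
    return realloc(p, n);
}
/* Append n entries; returns 1 on success, 0 on allocation failure (table unchanged). */
static int merge_fields(dir_t *d, const field_t *info, size_t n) {
    field_t *p = xrealloc(d->fields, (d->nfields + n) * sizeof *p);
    if (p == NULL) return 0;
    memcpy(p + d->nfields, info, n * sizeof *p);
    d->fields = p; d->nfields += n;
    return 1;
}

static const field_t *find_field(const dir_t *d, int tag) {
    for (size_t i = 0; i < d->nfields; i++)
        if (d->fields[i].tag == tag) return &d->fields[i];
    return NULL; /* tag was never registered */
}

/* Unsafe: drops the merge result, then dereferences the lookup result. */
static const char *tag_name_unchecked(dir_t *d, int tag, const char *name) {
    field_t f = { tag, name };
    merge_fields(d, &f, 1);           /* failure silently ignored */
    return find_field(d, tag)->name;  /* NULL dereference after a failed merge */
}

/* Hardened: every failure is reported to the caller as NULL. */
static const char *tag_name_checked(dir_t *d, int tag, const char *name) {
    field_t f = { tag, name };
    if (!merge_fields(d, &f, 1)) return NULL;
    const field_t *fp = find_field(d, tag);
    return fp ? fp->name : NULL;
}

int main(void) {
    dir_t d = { 0 };
    puts(tag_name_unchecked(&d, 65000, "Custom")); /* memory available: works */
    fail_countdown = 1;                            /* the next allocation fails */
    const char *n = tag_name_checked(&d, 65001, "Other");
    puts(n ? n : "allocation failed, handled");
    free(d.fields);
}
```

Calling the unchecked variant on an empty table with `fail_countdown` set to 1 typically ends in a segmentation fault, which is the crash and denial of service the advisory text refers to.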

katnatek 2024-09-06 19:16:30 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-09-06 19:48:34 CEST
Created attachment 14650
tiff file that produce blank pdf

RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
adding 66 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
adding 4 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64tiff6-4.5.1-1.5.mga9.x86_64.rpm libtiff-progs-4.5.1-1.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64tiff6            ##################################################################################################
      2/2: libtiff-progs         ##################################################################################################
      1/2: removing libtiff-progs-4.5.1-1.4.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64tiff6-4.5.1-1.4.mga9.x86_64
                                 ##################################################################################################

With the attached file, tiff2pdf produces a blank PDF, but it works with another TIFF file.
Opening both TIFF files in GIMP works.

tiffinfo of "problematic" tiff

tiffinfo mageia-48_gradientStyling_circled.tiff 
=== TIFF directory 0 ===
TIFF Directory at offset 0x2408 (9224)
  Image Width: 48 Image Length: 48
  Resolution: 89.9922, 89.9922 pixels/inch
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Extra Samples: 1<assoc-alpha>
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 4
  Rows/Strip: 128
  Planar Configuration: single image plane
  PageName: mageia-48_gradientStyling_circled.bmp
  ICC Profile: <present>, 672 bytes

tiffinfo of the other tiff
tiffinfo gnusea.tiff 
=== TIFF directory 0 ===
TIFF Directory at offset 0x8 (8)
  Image Width: 960 Image Length: 536
  Resolution: 300, 300 pixels/inch
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 128
  Planar Configuration: single image plane
  PageName: gnusea.jpg
  Software: GIMP 2.10.38
  DateTime: 2024:09:06 11:40:06
  XMLPacket (XMP Metadata):
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:GIMP="http://www.gimp.org/xmp/"
    xmlns:tiff="http://ns.adobe.com/tiff/1.0/"
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
   xmpMM:DocumentID="gimp:docid:gimp:e7317989-c30d-4bfd-9d84-c33fa24cdc2a"
   xmpMM:InstanceID="xmp.iid:b39772d1-e722-4a58-923c-e683cd6fe9f7"
   xmpMM:OriginalDocumentID="xmp.did:83b04ec3-cedd-40be-97d4-1f61b82fca47"
   dc:Format="image/tiff"
   GIMP:API="2.0"
   GIMP:Platform="Linux"
   GIMP:TimeStamp="1725644408901154"
   GIMP:Version="2.10.38"
   tiff:DateTime="2024:09:06T11:40:06-06:00"
   tiff:ImageLength="536"
   tiff:ImageWidth="960"
   tiff:Orientation="1"
   xmp:CreatorTool="GIMP 2.10"
   xmp:MetadataDate="2024:09:06T11:40:06-06:00"
   xmp:ModifyDate="2024:09:06T11:40:06-06:00">
   <xmpMM:History>
    <rdf:Seq>
     <rdf:li
      stEvt:action="saved"
      stEvt:changed="/"
      stEvt:instanceID="xmp.iid:03ea192a-8ef4-450b-94b4-6d500249fcf9"
      stEvt:softwareAgent="Gimp 2.10 (Linux)"
      stEvt:when="2024-09-06T11:40:08-06:00"/>
    </rdf:Seq>
   </xmpMM:History>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>

I tested downgrading the packages and the behavior is the same, so it is not a regression, but it is a curious thing.

katnatek 2024-09-09 20:06:36 CEST

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-09-10 03:16:29 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2024-09-10 18:41:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0287.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

