| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <media-libs/tiff-4.0.7: Multiple vulnerabilities | | |
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | ago, graphics+disabled |
| Priority: | Normal | Flags: | kensington: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A2 [glsa cve] | | |
| Package list: | =media-libs/tiff-4.0.7 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 561880, 585274 | | |
Description
Thomas Deutschmann (RETIRED)
2016-11-15 02:33:07 UTC
*** Bug 569978 has been marked as a duplicate of this bug. ***

*** Bug 579322 has been marked as a duplicate of this bug. ***

bmp2tiff and thumbnail utility should be dropped like we did with gif2tiff in bug 585274.

@ Maintainer(s): Last upstream release was in 2015. Due to the rating of some vulnerabilities please consider doing a snapshot release.

(In reply to Thomas Deutschmann from comment #3)
> bmp2tiff and thumbnail utility should be dropped like we did with gif2tiff
> in bug 585274.
>
> @ Maintainer(s): Last upstream release was in 2015. Due to the rating of
> some vulnerabilities please consider doing a snapshot release.

I didn't analyze the problem at all, but if you just remove the binary, you are removing a way to reproduce the issue; if the issue(s) reside in the shared object, the package is still vulnerable.

(In reply to Agostino Sarubbo from comment #4)
> I didn't analyze the problem at all, but if you just remove the binary, you
> are removing a way to reproduce the issue; if the issue(s) reside in the
> shared object, the package is still vulnerable.

Valid concern. All I can tell you: Each bug listed in comment #0 affecting bmp2tiff indicates that the source file containing the problem is only used by bmp2tiff. Upstream closed every bug affecting bmp2tiff with the comment "Closing as wontfix since bmp2tiff has been removed from libtiff".

I don't see where upstream has removed these utilities. I only find https://github.com/vadz/libtiff/commit/c421b993abe1d6792252833c3bc8b3252b015fb9 but I don't see any touched Makefile. There were some CMakeLists.txt updates. Not sure if upstream provides a "make dist" target or similar which now doesn't contain these files/binaries.

Finally, that's the way Debian addressed the problem, see https://sources.debian.net/src/tiff/4.0.6-3/debian/rules/#L34 -- they just call rm like we already do for gif2tiff (which they also do, see line 38).

So I think we (the maintainers) should make sure that the package which will be merged doesn't contain the bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr binaries.

CVE-2016-9297 vulnerability reported in http://bugzilla.maptools.org/show_bug.cgi?id=2590 had a regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593 by Even Rouault.

From http://seclists.org/oss-sec/2016/q4/464:

> CVE-2016-9297 vulnerability reported in http://bugzilla.maptools.org/show_bug.cgi?id=2590 had a
> regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593
>
> * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
> NULL pointer when values of tags with TIFF_SETGET_C16_ASCII /
> TIFF_SETGET_C32_ASCII access are 0-byte arrays.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
> introduced by previous fix done on 2016-11-11 for CVE-2016-9297).

Use CVE-2016-9448 for the vulnerability fixed in 2593.

From http://seclists.org/oss-sec/2016/q4/466:

>> http://bugzilla.maptools.org/show_bug.cgi?id=2579
>>
>> tools/tiff2pdf.c: fix read -largely- outsize of buffer in
>> t2p_readwrite_pdf_image_tile(), causing crash, when reading a
>> JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
>> Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
>> the MSRC Vulnerabilities & Mitigations team.
>
>>> Out-of-bounds Write Caused by memcpy and no bound check.
>
>>> will cause illegal write. An attacker may control the write address and/or
>>> value
>>> to result in denial-of-service or command execution.
>
> Use CVE-2016-9453.

@maintainer: 4.0.7 is out. I didn't check if it covers all vulnerabilities listed here and in our other bugs.

commit 2cc194a9e8b12415ed250ca3c73388e939c15fee
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Nov 21 11:46:13 2016

    media-libs/tiff: Security bump to version 4.0.7 (bug #599746).

    Package-Manager: portage-2.3.2

I haven't checked if all listed vulnerabilities are fixed in 4.0.7 but bumped it anyway.

Arches, please test and mark stable:
=media-libs/tiff-4.0.7
Target keywords : "alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"

amd64 stable

x86 stable

This one is included in 4.0.7, from http://www.openwall.com/lists/oss-security/2016/11/11/14:

>> http://bugzilla.maptools.org/show_bug.cgi?id=2592
>>
>> * tools/tiffcrop.c: fix multiple uint32 overflows in
>> writeBufferToSeparateStrips(), writeBufferToContigTiles() and
>> writeBufferToSeparateTiles() that could cause heap buffer overflows.
>>
>> Bug 2592 -
>> Summary: Heap buffer overflow via writeBufferToSeparateStrips tiffcrop.c:1170
>>
>> AddressSanitizer: heap-buffer-overflow READ of size 223
>
> Use CVE-2016-9532 for this integer overflow report with resultant
> buffer over-read.

Stable on alpha.

arm stable

sparc stable

ia64 stable

ppc stable

ppc64 stable

Stable for HPPA.

Lowering rating from A1 to A2. Not sure why I initially rated this as A1.

Added to existing GLSA request.

This issue was resolved and addressed in GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

@ Maintainer(s): Please clean up <media-libs/tiff-4.0.7!

You folks stabilized media-libs/tiff-4.0.7 (too fast), but this tiff-4.0.7 is causing hylafaxplus-5.5.5 "faxq" to jam and CPU goes to 100%; the modem never dials out. See bug: 612172. So either Hylafaxplus will need to be fixed, or tiff-4.0.7.

Repository is now clean, all done.
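The two bug classes named in the oss-security excerpts quoted in this bug, a uint32 size computation that wraps before a heap allocation (the tiffcrop report, CVE-2016-9532) and a memcpy with no length check on a tag payload (the tiff2pdf JPEGTABLES report, CVE-2016-9453), as an added illustration in C. This is not libtiff code and not part of the original bug report: the function names, the strip-size formula and the sample numbers are constructed for the demo, and only the bug pattern and its fix are modelled on the upstream ChangeLog entries.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checked uint32 multiply. Returns 1 and stores a*b in *out when
 * the product fits, 0 (leaving *out untouched) when it would wrap. */
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Size computation in the style of the pre-fix tiffcrop code (constructed
 * formula, not the real one): the product silently wraps modulo 2^32, so a
 * hostile width/rows pair yields a tiny or zero allocation while the writer
 * still emits the full row data into it. */
uint32_t naive_strip_size(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel)
{
    return width * rows * bytes_per_pixel;
}

/* Hardened version: every partial product is checked. 0 means "reject this
 * image"; a zero-byte strip is never a valid result here. */
uint32_t checked_strip_size(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel)
{
    uint32_t tmp, out;
    if (!mul_u32(width, rows, &tmp) || !mul_u32(tmp, bytes_per_pixel, &out))
        return 0;
    return out;
}

/* Copy 'need' bytes of a tag payload (think TIFFTAG_JPEGTABLES) into a
 * caller-provided buffer, but only after confirming the payload really
 * carries that many bytes and the destination can hold them. The pre-fix
 * tiff2pdf read far past a one-byte payload because this check was absent.
 * Returns 1 on success, 0 if the copy would read or write out of bounds. */
int copy_tag_payload(uint8_t *dst, size_t dst_len,
                     const uint8_t *payload, size_t payload_len, size_t need)
{
    if (dst == NULL || payload == NULL)
        return 0;
    if (payload_len < need || dst_len < need)
        return 0;
    memcpy(dst, payload, need);
    return 1;
}

/* Helper for the demo: build a constructed payload of 'payload_len' bytes
 * (all 0xFF) and try to copy 'need' bytes of it into an 8-byte buffer. */
int demo_copy(size_t payload_len, size_t need)
{
    uint8_t payload[16];
    uint8_t dst[8];
    if (payload_len > sizeof payload)
        return 0;
    memset(payload, 0xFF, sizeof payload);
    return copy_tag_payload(dst, sizeof dst, payload, payload_len, need);
}

/* Stand-alone demo with constructed inputs. */
int main(void)
{
    /* 65536 x 65536 x 1 byte is exactly 2^32 bytes: the naive product wraps to 0. */
    printf("naive:   %u\n", naive_strip_size(65536u, 65536u, 1u));
    printf("checked: %u (0 means rejected)\n", checked_strip_size(65536u, 65536u, 1u));
    printf("sane:    %u\n", checked_strip_size(4096u, 4096u, 3u));

    /* A one-byte JPEGTABLES-style payload when the reader wants two bytes. */
    printf("copy(1-byte payload, need 2): %d\n", demo_copy(1, 2));
    return 0;
}
```

The division-based check in mul_u32 is the portable form; with GCC or Clang, __builtin_mul_overflow does the same thing in one call. Either way, the point the tiffcrop fix makes is that the size must be validated before it reaches malloc, not after the write has already happened.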