Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 830981 (CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-1056, CVE-2022-22844)

Summary: <media-libs/tiff-4.4.0: Multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: allenwebb, codec, mgorny
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.com/libtiff/libtiff/-/issues/355
See Also: https://bugs.gentoo.org/show_bug.cgi?id=837560
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 854828    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-11 03:18:13 UTC
CVE-2022-22844:

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

Merge request: https://gitlab.com/libtiff/libtiff/-/merge_requests/287
Comment 1 filip ambroz 2022-02-11 20:54:41 UTC
[CVE-2022-0561]
Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.

URL: https://gitlab.com/libtiff/libtiff/-/issues/362
Patch: https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef


[CVE-2022-0562]
Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.

URL: https://gitlab.com/libtiff/libtiff/-/issues/362
Patch: https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-13 13:29:34 UTC
CVE-2022-0924 (https://gitlab.com/libtiff/libtiff/-/issues/278):

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665

CVE-2022-0909 (https://gitlab.com/libtiff/libtiff/-/issues/393);

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665

CVE-2022-0908 (https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0908.json):

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85

CVE-2022-0907 (https://gitlab.com/libtiff/libtiff/-/issues/392):

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/f2b656e2e64adde07a6cffd5c8e96bd81a850fea

CVE-2022-0865 (https://gitlab.com/libtiff/libtiff/-/issues/385):

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/a1c933dabd0e1c54a412f3f84ae0aa58115c6067

CVE-2022-0891 (https://gitlab.com/libtiff/libtiff/-/issues/382):

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

Patch: https://gitlab.com/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c

All apparently unreleased.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-21 19:25:57 UTC
*** Bug 835759 has been marked as a duplicate of this bug. ***
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-28 22:37:34 UTC
CVE-2022-1056 (https://gitlab.com/libtiff/libtiff/-/merge_requests/307):
https://gitlab.com/libtiff/libtiff/-/issues/391

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.
Comment 5 Larry the Git Cow gentoo-dev 2022-05-21 00:10:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcf80a84c69f026b3e7df8bec1b0732c2dc7b658

commit bcf80a84c69f026b3e7df8bec1b0732c2dc7b658
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-21 00:07:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-21 00:09:23 +0000

    media-libs/tiff: add 4.4.0_rc1 (unkeyworded)
    
    Bug: https://bugs.gentoo.org/821925
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                           |  2 +
 .../files/tiff-4.4.0_rc1-skip-thumbnail-test.patch | 32 ++++++++
 media-libs/tiff/tiff-4.4.0_rc1.ebuild              | 91 ++++++++++++++++++++++
 3 files changed, 125 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-21 00:11:59 UTC
Not going to adapt version yet in summary given it's unkeyworded and won't be keyworded. Release is soon.
Comment 7 Larry the Git Cow gentoo-dev 2022-05-28 05:28:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cc08f3f2c6514182ca627689da2b5472c1035a7

commit 1cc08f3f2c6514182ca627689da2b5472c1035a7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-28 05:28:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-28 05:28:10 +0000

    media-libs/tiff: add 4.4.0, drop 4.4.0_rc1
    
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Closes: https://bugs.gentoo.org/821925
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                                     | 4 ++--
 media-libs/tiff/{tiff-4.4.0_rc1.ebuild => tiff-4.4.0.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:45:36 UTC
GLSA request filed.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 10:19:57 UTC
cleanup done.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 17:01:51 UTC
Thanks!
Comment 11 Larry the Git Cow gentoo-dev 2022-10-31 01:42:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9323b51c5a02aa440a14eb7aaebea235ed683626

commit 9323b51c5a02aa440a14eb7aaebea235ed683626
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:08:31 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-10 ] LibTIFF: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-10.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:50:27 UTC
GLSA released, all done!