Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 837560 (CVE-2022-1210, CVE-2022-1354, CVE-2022-1355, CVE-2022-1622, CVE-2022-1623) - <media-libs/tiff-4.4.0: multiple vulnerabilities
Summary: <media-libs/tiff-4.4.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-1210, CVE-2022-1354, CVE-2022-1355, CVE-2022-1622, CVE-2022-1623
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.com/libtiff/libtiff/-/...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 854828
Blocks:
  Show dependency tree
 
Reported: 2022-04-09 23:29 UTC by John Helmert III
Modified: 2022-10-31 02:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:29:38 UTC
CVE-2022-1210:

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-12 02:50:54 UTC
CVE-2022-1622 (https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a):
https://gitlab.com/libtiff/libtiff/-/issues/410

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

CVE-2022-1623 (https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a):
https://gitlab.com/libtiff/libtiff/-/issues/410

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

Patch available, don't seem to be in any release.
Comment 2 Larry the Git Cow gentoo-dev 2022-05-21 00:10:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcf80a84c69f026b3e7df8bec1b0732c2dc7b658

commit bcf80a84c69f026b3e7df8bec1b0732c2dc7b658
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-21 00:07:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-21 00:09:23 +0000

    media-libs/tiff: add 4.4.0_rc1 (unkeyworded)
    
    Bug: https://bugs.gentoo.org/821925
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                           |  2 +
 .../files/tiff-4.4.0_rc1-skip-thumbnail-test.patch | 32 ++++++++
 media-libs/tiff/tiff-4.4.0_rc1.ebuild              | 91 ++++++++++++++++++++++
 3 files changed, 125 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-21 00:12:04 UTC
Not going to adapt version yet in summary given it's unkeyworded and won't be keyworded. Release is soon.
Comment 4 Larry the Git Cow gentoo-dev 2022-05-28 05:28:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cc08f3f2c6514182ca627689da2b5472c1035a7

commit 1cc08f3f2c6514182ca627689da2b5472c1035a7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-28 05:28:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-28 05:28:10 +0000

    media-libs/tiff: add 4.4.0, drop 4.4.0_rc1
    
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Closes: https://bugs.gentoo.org/821925
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                                     | 4 ++--
 media-libs/tiff/{tiff-4.4.0_rc1.ebuild => tiff-4.4.0.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:06:20 UTC
CVE-2022-1354:

A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
Issue: https://gitlab.com/libtiff/libtiff/-/issues/319

CVE-2022-1355:

A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.

Issue: https://gitlab.com/libtiff/libtiff/-/issues/400
Fix: https://gitlab.com/libtiff/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96

Fixed in 4.4.0.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:45:40 UTC
GLSA request filed.
Comment 7 Larry the Git Cow gentoo-dev 2022-10-31 01:42:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9323b51c5a02aa440a14eb7aaebea235ed683626

commit 9323b51c5a02aa440a14eb7aaebea235ed683626
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:08:31 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-10 ] LibTIFF: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/830981
    Bug: https://bugs.gentoo.org/837560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-10.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:49:55 UTC
GLSA released, all done!