Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 895900 (CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804) - <media-libs/tiff-4.5.0-r2: Multiple vulnerabilities
Summary: <media-libs/tiff-4.5.0-r2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 906220
Blocks:
  Show dependency tree
 
Reported: 2023-02-22 16:07 UTC by Michael Vetter
Modified: 2023-05-30 03:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Vetter 2023-02-22 16:07:24 UTC
CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799 seem to be caused by one root problem.

CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804 by another.

So basically it's only 2 problems.

The first one should be fixed by https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 and https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678.

The second set of vulns should be fixed by https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00

I created https://github.com/gentoo/gentoo/pull/29721

Since I'm still new it might contain mistakes, which I'm happy to address.

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2023-02-22 16:23:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53cfbff2eb33daf68de4a26712be94e2a7fa7c10

commit 53cfbff2eb33daf68de4a26712be94e2a7fa7c10
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-02-22 15:28:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-22 16:23:17 +0000

    media-libs/tiff: Fix several CVEs
    
    Fixes:
    * CVE-2023-0795 https://gitlab.com/libtiff/libtiff/-/issues/493
    * CVE-2023-0796 https://gitlab.com/libtiff/libtiff/-/issues/499
    * CVE-2023-0797 https://gitlab.com/libtiff/libtiff/-/issues/495
    * CVE-2023-0798 https://gitlab.com/libtiff/libtiff/-/issues/492
    * CVE-2023-0799 https://gitlab.com/libtiff/libtiff/-/issues/494
    * CVE-2023-0800 https://gitlab.com/libtiff/libtiff/-/issues/496
    * CVE-2023-0801 https://gitlab.com/libtiff/libtiff/-/issues/498
    * CVE-2023-0802 https://gitlab.com/libtiff/libtiff/-/issues/500
    * CVE-2023-0803 https://gitlab.com/libtiff/libtiff/-/issues/501
    * CVE-2023-0804 https://gitlab.com/libtiff/libtiff/-/issues/497
    
    Bug: https://bugs.gentoo.org/895900
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Closes: https://github.com/gentoo/gentoo/pull/29721
    Signed-off-by: Sam James <sam@gentoo.org>

 ...CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch | 287 +++++++++++++++++++++
 ...CVE-2023-0802-CVE-2023-0803-CVE-2023-0804.patch | 131 ++++++++++
 media-libs/tiff/tiff-4.5.0-r2.ebuild               |  92 +++++++
 3 files changed, 510 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-05-13 21:36:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9250f44e52874c9bc51637f4d57c7a61a4f88063

commit 9250f44e52874c9bc51637f4d57c7a61a4f88063
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-05-13 21:36:06 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-05-13 21:36:23 +0000

    media-libs/tiff: drop 4.5.0, 4.5.0-r1
    
    Bug: https://bugs.gentoo.org/895900
    Bug: https://bugs.gentoo.org/891839
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/tiff/tiff-4.5.0-r1.ebuild | 90 ------------------------------------
 media-libs/tiff/tiff-4.5.0.ebuild    | 89 -----------------------------------
 2 files changed, 179 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 04:38:04 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2023-05-30 03:05:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d6e726fbb202042644e22b21b37486e541d63ba0

commit d6e726fbb202042644e22b21b37486e541d63ba0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:01:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:03 +0000

    [ GLSA 202305-31 ] LibTIFF: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891839
    Bug: https://bugs.gentoo.org/895900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:08:42 UTC
GLSA released, all done!