CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798 and CVE-2023-0799 seem to be caused by one root problem; CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803 and CVE-2023-0804 by another. So basically it's only 2 problems.

The first one should be fixed by https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 and https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678. The second set of vulns should be fixed by https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00.

I created https://github.com/gentoo/gentoo/pull/29721. Since I'm still new it might contain mistakes, which I'm happy to address.

Reproducible: Always
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53cfbff2eb33daf68de4a26712be94e2a7fa7c10

commit 53cfbff2eb33daf68de4a26712be94e2a7fa7c10
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-02-22 15:28:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-22 16:23:17 +0000

    media-libs/tiff: Fix several CVEs

    Fixes:
    * CVE-2023-0795 https://gitlab.com/libtiff/libtiff/-/issues/493
    * CVE-2023-0796 https://gitlab.com/libtiff/libtiff/-/issues/499
    * CVE-2023-0797 https://gitlab.com/libtiff/libtiff/-/issues/495
    * CVE-2023-0798 https://gitlab.com/libtiff/libtiff/-/issues/492
    * CVE-2023-0799 https://gitlab.com/libtiff/libtiff/-/issues/494
    * CVE-2023-0800 https://gitlab.com/libtiff/libtiff/-/issues/496
    * CVE-2023-0801 https://gitlab.com/libtiff/libtiff/-/issues/498
    * CVE-2023-0802 https://gitlab.com/libtiff/libtiff/-/issues/500
    * CVE-2023-0803 https://gitlab.com/libtiff/libtiff/-/issues/501
    * CVE-2023-0804 https://gitlab.com/libtiff/libtiff/-/issues/497

    Bug: https://bugs.gentoo.org/895900
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Closes: https://github.com/gentoo/gentoo/pull/29721
    Signed-off-by: Sam James <sam@gentoo.org>

 ...CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch | 287 +++++++++++++++++++++
 ...CVE-2023-0802-CVE-2023-0803-CVE-2023-0804.patch | 131 ++++++++++
 media-libs/tiff/tiff-4.5.0-r2.ebuild               |  92 +++++++
 3 files changed, 510 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9250f44e52874c9bc51637f4d57c7a61a4f88063

commit 9250f44e52874c9bc51637f4d57c7a61a4f88063
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-05-13 21:36:06 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-05-13 21:36:23 +0000

    media-libs/tiff: drop 4.5.0, 4.5.0-r1

    Bug: https://bugs.gentoo.org/895900
    Bug: https://bugs.gentoo.org/891839
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/tiff/tiff-4.5.0-r1.ebuild | 90 ------------------------------------
 media-libs/tiff/tiff-4.5.0.ebuild    | 89 -----------------------------------
 2 files changed, 179 deletions(-)
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d6e726fbb202042644e22b21b37486e541d63ba0

commit d6e726fbb202042644e22b21b37486e541d63ba0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:01:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:03 +0000

    [ GLSA 202305-31 ] LibTIFF: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/891839
    Bug: https://bugs.gentoo.org/895900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
GLSA released, all done!