Bugzilla – Bug 1201723
VUL-0: CVE-2022-34266: tiff: invalid range may be passed as an argument to the memset() function
Last modified: 2022-10-21 16:23:04 UTC
The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34266 https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html https://alas.aws.amazon.com/
Please ignore the above description mentioning the CVE-2022-0562 which was solved via bsc#1195965. This issue is meant to track CVE-2022-34266 with the following description: A flaw was found in libtiff-4.0.3-35.amzn2.0.1 as packaged on Amazon Linux 2. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault. Actors can use this issue to potentially cause a Denial of Service condition. (CVE-2022-34266)
I think the fixing commit is eecb0712 [0]. [0] https://gitlab.com/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef
Affected packages: - SUSE:SLE-12:Update/tiff - SUSE:SLE-15:Update/tiff Not affected: - SUSE:SLE-11:Update/tiff Already fixed: - openSUSE:Factory/tiff
> Affected packages: > - SUSE:SLE-12:Update/tiff > - SUSE:SLE-15:Update/tiff Did you test this? Because: (In reply to Gianluca Gabrielli from comment #2) > I think the fixing commit is eecb0712 [0]. > > [0] > https://gitlab.com/libtiff/libtiff/-/commit/ > eecb0712f4c3a5b449f70c57988260a667ddbdef This commit is already backported in tiff-CVE-2022-0561.patch, which is present in both SLE12 and SLE15. At least they were added on 6th May. Did the version you tested include this?
> A flaw was found in libtiff-4.0.3-35.amzn2.0.1 as packaged on Amazon Linux 2. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault. This sounds to me exactly like the fix for bsc#1195964 / CVE-2022-0561. In commit https://gitlab.com/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef they write: > TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero (fixes #362) And in issue 362 they write https://gitlab.com/libtiff/libtiff/-/issues/362#note_849306001 : > This issue has assigned CVE-2022-0561 and CVE-2022-0562. When looking for a reproducer I only found the one mentioned at https://gitlab.com/libtiff/libtiff/-/issues/362 and couldn't find any for CVE-2022-34266 specifically. Are we sure CVE-2022-34266 is not a duplicate for CVE-2022-0561 or an Amazon specific thing?
filled CVE-2022-34266 as duplicate of CVE-2022-0561 with mitre
Fix is at https://build.suse.de/project/show/home:mvetter:tiff-CVE-2022-34526 Containing the fix for CVE-2022-34526 and the changelog entry/renaming of patch for the already fixed CVE-2022-34266/CVE-2022-0561 SLE11 SR#276971 SLE12 SR#276972 SLE15 SR#276973
(In reply to Michael Vetter from comment #7) > Fix is at https://build.suse.de/project/show/home:mvetter:tiff-CVE-2022-34526 > Containing the fix for CVE-2022-34526 and the changelog entry/renaming of > patch for the already fixed CVE-2022-34266/CVE-2022-0561 > > SLE11 SR#276971 > SLE12 SR#276972 > SLE15 SR#276973 please do not rename until we get feedback from MITRE, what ever they decide to duplicate should not be used anymore. Maybe we are lucky and the re-name is not needed.
SUSE-SU-2022:3679-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1201723,1201971,1202026,1202466,1202467,1202468,1202968,1202971,1202973 CVE References: CVE-2022-0561,CVE-2022-2519,CVE-2022-2520,CVE-2022-2521,CVE-2022-2867,CVE-2022-2868,CVE-2022-2869,CVE-2022-34266,CVE-2022-34526 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): tiff-4.0.9-44.56.1 SUSE OpenStack Cloud 9 (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Server 12-SP5 (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): tiff-4.0.9-44.56.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): tiff-4.0.9-44.56.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3690-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1201723,1201971,1202026,1202466,1202467,1202468,1202968,1202971,1202973 CVE References: CVE-2022-0561,CVE-2022-2519,CVE-2022-2520,CVE-2022-2521,CVE-2022-2867,CVE-2022-2868,CVE-2022-2869,CVE-2022-34266,CVE-2022-34526 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): tiff-4.0.9-150000.45.16.1 openSUSE Leap 15.4 (src): tiff-4.0.9-150000.45.16.1 openSUSE Leap 15.3 (src): tiff-4.0.9-150000.45.16.1 SUSE Manager Server 4.1 (src): tiff-4.0.9-150000.45.16.1 SUSE Manager Retail Branch Server 4.1 (src): tiff-4.0.9-150000.45.16.1 SUSE Manager Proxy 4.1 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server for SAP 15 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Server 15-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Micro 5.3 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise Micro 5.2 (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): tiff-4.0.9-150000.45.16.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): tiff-4.0.9-150000.45.16.1 SUSE Enterprise Storage 7 (src): tiff-4.0.9-150000.45.16.1 SUSE Enterprise Storage 6 (src): tiff-4.0.9-150000.45.16.1 SUSE CaaS Platform 4.0 (src): tiff-4.0.9-150000.45.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.