Backport security fix for CVE-2022-3970

Bug #1998444 reported by Rico Tzschichholz
Affects          Status         Importance   Assigned to                Milestone
tiff (Ubuntu)    Fix Released   Critical     David Fernandez Gonzalez
  Bionic         Fix Released   Undecided    Unassigned
  Focal          Fix Released   Undecided    Unassigned
  Jammy          Fix Released   Undecided    Unassigned
  Kinetic        Fix Released   Critical     Unassigned

Bug Description

This CVE patch is desperately needed to fix a build failure caused by a crash in the testsuite of the current libreoffice/kinetic SRU:

Testing load file:///<<PKGBUILDDIR>>//vcl/qa/cppunit/graphicfilter/data/tiff/fail/CVE-2017-9936-1.tiff:
*** stack smashing detected ***: terminated

Fatal exception: Signal 6
Stack:
/<<PKGBUILDDIR>>/instdir/program/libuno_sal.so.3(+0x417b2)[0x7fd45563a7b2]
/<<PKGBUILDDIR>>/instdir/program/libuno_sal.so.3(+0x4196a)[0x7fd45563a96a]
/lib/x86_64-linux-gnu/libc.so.6(+0x3bcf0)[0x7fd4550facf0]
/lib/x86_64-linux-gnu/libc.so.6(pthread_kill+0x11b)[0x7fd45515126b]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x16)[0x7fd4550fac46]
/lib/x86_64-linux-gnu/libc.so.6(abort+0xd7)[0x7fd4550e17fc]
/lib/x86_64-linux-gnu/libc.so.6(+0x850be)[0x7fd4551440be]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x2a)[0x7fd4551ee66a]
/lib/x86_64-linux-gnu/libc.so.6(+0x12f636)[0x7fd4551ee636]
/lib/x86_64-linux-gnu/libtiff.so.5(+0x34386)[0x7fd44e8a3386]
/lib/x86_64-linux-gnu/libtiff.so.5(_TIFFReadEncodedStripAndAllocBuffer+0xcc)[0x7fd44e8bc1cc]
/lib/x86_64-linux-gnu/libtiff.so.5(+0x300e1)[0x7fd44e89f0e1]
/lib/x86_64-linux-gnu/libtiff.so.5(TIFFReadRGBAImageOriented+0x100)[0x7fd44e8a2c10]
/<<PKGBUILDDIR>>/instdir/program/libmergedlo.so(_Z23ImportTiffGraphicImportR8SvStreamR7Graphic+0x237)[0x7fd45367b357]
/<<PKGBUILDDIR>>/workdir/LinkTarget/CppunitTest/libtest_vcl_filters_test.so(+0x1be0d)[0x7fd44a1a1e0d]
/<<PKGBUILDDIR>>/workdir/LinkTarget/CppunitTest/../Library/libunotest.so(_ZN4test11FiltersTest13recursiveScanENS_12filterStatusERKN3rtl8OUStringES5_S5_14SfxFilterFlags20SotClipboardFormatIdjb+0x679)[0x7fd44a142479]
/<<PKGBUILDDIR>>/workdir/LinkTarget/CppunitTest/../Library/libunotest.so(_ZN4test11FiltersTest7testDirERKN3rtl8OUStringESt17basic_string_viewIDsSt11char_traitsIDsEES4_14SfxFilterFlags20SotClipboardFormatIdjb+0xd6)[0x7fd44a142fe6]
/<<PKGBUILDDIR>>/workdir/LinkTarget/CppunitTest/libtest_vcl_filters_test.so(+0x1bc7b)[0x7fd44a1a1c7b]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(+0x1e4e6)[0x7fd4556844e6]
/<<PKGBUILDDIR>>/workdir/LinkTarget/Library/unoexceptionprotector.so(+0x2835)[0x7fd4556ac835]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit16DefaultProtector7protectERKNS_7FunctorERKNS_16ProtectorContextE+0x34)[0x7fd455684434]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit14ProtectorChain7protectERKNS_7FunctorERKNS_16ProtectorContextE+0x3b0)[0x7fd45567ea50]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit10TestResult7protectERKNS_7FunctorEPNS_4TestERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x63)[0x7fd455685be3]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit8TestCase3runEPNS_10TestResultE+0x124)[0x7fd45568eb24]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit13TestComposite15doRunChildTestsEPNS_10TestResultE+0x9d)[0x7fd45568484d]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit13TestComposite3runEPNS_10TestResultE+0x3d)[0x7fd45568465d]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit13TestComposite15doRunChildTestsEPNS_10TestResultE+0x9d)[0x7fd45568484d]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit13TestComposite3runEPNS_10TestResultE+0x3d)[0x7fd45568465d]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit10TestResult7runTestEPNS_4TestE+0x27)[0x7fd455685077]
/lib/x86_64-linux-gnu/libcppunit-1.15.so.1(_ZN7CppUnit10TestRunner3runERNS_10TestResultERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x55)[0x7fd45568b6a5]
/<<PKGBUILDDIR>>/workdir/LinkTarget/Executable/cppunittester(+0x711c)[0x55d4d4a1411c]
/<<PKGBUILDDIR>>/workdir/LinkTarget/Executable/cppunittester(+0x7c07)[0x55d4d4a14c07]
/<<PKGBUILDDIR>>/workdir/LinkTarget/Executable/cppunittester(+0x537f)[0x55d4d4a1237f]
/lib/x86_64-linux-gnu/libc.so.6(+0x23510)[0x7fd4550e2510]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x89)[0x7fd4550e25c9]
/<<PKGBUILDDIR>>/workdir/LinkTarget/Executable/cppunittester(+0x53c5)[0x55d4d4a123c5]
Aborted (core dumped)
make[4]: *** [/<<PKGBUILDDIR>>/solenv/gbuild/CppunitTest.mk:121: /<<PKGBUILDDIR>>/workdir/CppunitTest/vcl_filters_test.test] Error 134

For the log of the failed amd64 kinetic archive build, see
https://launchpad.net/ubuntu/+source/libreoffice/1:7.4.3-0ubuntu0.22.10.1/+build/24883181

For the log of the successful amd64 kinetic PPA build with the updated tiff present, see
https://launchpad.net/~libreoffice/+archive/ubuntu/experimental/+build/24886085

Lunar already includes this fix with the last merge from Debian:
https://launchpad.net/ubuntu/+source/tiff/4.4.0-6ubuntu1

Presumably this fix is required for all supported stable releases.

Tags: patch

Rico Tzschichholz (ricotz) wrote:
Changed in tiff (Ubuntu Kinetic):
importance: Undecided → Critical
tags: added: patch
Changed in tiff (Ubuntu):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in tiff (Ubuntu):
status: New → In Progress
David Fernandez Gonzalez (litios) wrote:

The fix for CVE-2022-3970 has been released in the following versions:

Ubuntu 22.10: 4.4.0-4ubuntu3.2

Ubuntu 22.04 LTS: 4.3.0-6ubuntu0.3

Ubuntu 20.04 LTS: 4.1.0+git191117-2ubuntu0.20.04.7

Ubuntu 18.04 LTS: 4.0.9-5ubuntu0.9

Changed in tiff (Ubuntu):
status: In Progress → Fix Released
Changed in tiff (Ubuntu Bionic):
status: New → Fix Released
Changed in tiff (Ubuntu Focal):
status: New → Fix Released
Changed in tiff (Ubuntu Jammy):
status: New → Fix Released
Changed in tiff (Ubuntu Kinetic):
status: New → Fix Released
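To verify that an installed tiff package actually carries this fix, the fixed versions listed in the comment above have to be compared with dpkg's version ordering (numeric runs, "~" sorting first, epochs, Debian revisions). The following is an added example, not code from the bug report or from the tiff packaging: a Python port of dpkg's comparison algorithm applied to that version table; the installed version string is assumed to be supplied by the caller (for example from dpkg-query -W on the host being checked).

```python
# Fixed versions per Ubuntu release, as listed in the closing comment above.
FIXED_VERSIONS = {
    "bionic": "4.0.9-5ubuntu0.9",
    "focal": "4.1.0+git191117-2ubuntu0.20.04.7",
    "jammy": "4.3.0-6ubuntu0.3",
    "kinetic": "4.4.0-4ubuntu3.2",
}

def _order(c):
    # dpkg weight: '~' sorts before anything (even end of string), letters before other symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (compared by weight)
    # with digit runs (compared numerically, so leading zeros are ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni = i
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        nj = j
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        da, db = int(a[i:ni] or "0"), int(b[j:nj] or "0")
        if da != db:
            return da - db
        i, j = ni, nj
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; the revision follows the last hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, like dpkg --compare-versions lt/eq/gt."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(release, installed):
    """True if the installed tiff version is at or above the CVE-2022-3970 fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

Note that a plain string comparison would get "4ubuntu3.10" versus "4ubuntu3.2" wrong; the numeric-run handling above is what makes later point releases compare as fixed.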