This update also fixes CVEs PDO12 and PDO15, which are both tiffcrop denial-of-service issues. The tiffcrop utility is included in the libtiff package and is used to resize and convert TIFF images. It is activated by default on most Linux distributions. In addition to the aforementioned CVEs, this advisory also includes fixes for several other bugs. The Common Vulnerability Scoring System (CVSS) rating for these fixed vulnerabilities is 8.3. With this update, tiffcrop no longer allows users to provide an unchecked return value to NULL pointer dereference, which prevents a denial-of-service attack. Additionally, this update fixes a memory leak vulnerability that could be exploited by attackers to cause a denial-of-service via a crafted TIFF file.
Download and Installation Instructions
This update is available for the following Linux distributions:
Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, CentOS 6, CentOS 7, SUSE Linux Enterprise Server 11 SP2, SUSE Linux Enterprise Server 12
To download and install this update on your system, follow the instructions below. We recommend upgrading your systems using a packaged update as they provide a easy-to-use interface and perform upgrades with minimal disruption. Alternately, you can upgrade to the latest upstream version of OpenSSL by executing the following commands:
yum update openssl yum update openssl
What is the tiffcrop package?
The tiffcrop package is an image editing tool included in many Linux distributions. The utility is used to resize and convert TIFF images, which are large files that can take a long time to process. Typically, the tiffcrop utility is activated by default on most Linux distributions.
What to do if you are currently running a version V1.0 .8
This update will not affect you if you are currently running a version of tiffcrop that is V1.0.8 or greater. However, if you are still running a version V1.0.7 or earlier, then this update should be applied to your system with the following steps:
- Stop all instances of tiffcrop
- Update your system to the latest stable release
- Start all instances of tiffcrop again
Ubuntu 14.04 LTS and Earlier
Ubuntu 14.04 LTS is no longer supported with this update, as it is end-of-life. Ubuntu 16.04 LTS and later are not affected by this update.
The following vulnerabilities have been patched in this security update:
CVE-2017-14738, CVE-2018-19866, CVE-2019-9392, and CVE-2022-0907
Timeline
Published on: 03/11/2022 18:15:00 UTC
Last modified on: 05/12/2022 20:03:00 UTC
References
- https://gitlab.com/libtiff/libtiff/-/merge_requests/314
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0907.json
- https://gitlab.com/libtiff/libtiff/-/issues/392
- https://www.debian.org/security/2022/dsa-5108
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
- https://security.netapp.com/advisory/ntap-20220506-0002/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0907