Bug 2224971

Summary: libtiff: potential integer overflow in raw2tiff.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, carnil, caswilli, hkataria, jburrell, jkoehler, jsherril, kaycoth, kshier, mmuzila, nforro, rh-spice-bugs
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2023-08-28 08:54:04 UTC
Bug Depends On: 2226741, 2226742, 2226743, 2226744
Bug Blocks: 2222912

Description Dhananjay Arunesh 2023-07-24 07:02:21 UTC
Multiple potential integer overflows in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.

Comment 3 Salvatore Bonaccorso 2023-07-30 22:01:09 UTC
This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591 (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).

Comment 4 Dhananjay Arunesh 2023-08-02 09:28:43 UTC
In reply to comment #3:
> This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).

Hi, these CVEs are assigned by us (Red Hat CNA); the CVEs attached to the bugs are from the final vulnerabilities report sent by the reporter. I am discussing this issue with the reporter to rectify it from his end.

Comment 5 Salvatore Bonaccorso 2023-08-13 11:44:48 UTC
Hi,

(In reply to Dhananjay Arunesh from comment #4)
> In reply to comment #3:
> > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).
> 
> Hi, these CVEs are assigned by us (Red Hat CNA); the CVEs attached to the bugs
> are from the final vulnerabilities report sent by the reporter. I am
> discussing this issue with the reporter to rectify it from his end.

As this currently causes confusion, as depending where you look you have
different CVEs swapped, did the reporter agree on fixing this annotation
on his end?

Would it be easier to swap the CVEs at the Red Hat CNA, as there were no Red Hat
updates yet fixing those issues?

Thanks already in advance for looking into it,

Regards,
Salvatore

Comment 6 Dhananjay Arunesh 2023-08-16 06:18:27 UTC
In reply to comment #5:
> Hi,
> 
> (In reply to Dhananjay Arunesh from comment #4)
> > In reply to comment #3:
> > > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > > (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).
> > 
> > Hi, these CVEs are assigned by us (Red Hat CNA); the CVEs attached to the bugs
> > are from the final vulnerabilities report sent by the reporter. I am
> > discussing this issue with the reporter to rectify it from his end.
We don't have any response from the reporter.
> As this currently causes confusion, as depending where you look you have
> different CVEs swapped, did the reporter agree on fixing this annotation
> on his end?
> 
> Would it be easier to swap the CVEs at the Red Hat CNA, as there were no Red Hat
> updates yet fixing those issues?
> 
The CVEs are assigned by Red Hat, and I can check that the CVEs are public in many places, so instead of swapping the CVEs the best option is to reject the CVEs and re-assign the flaws with new CVEs.
> Thanks already in advance for looking into it,
> 
> Regards,
> Salvatore

Comment 7 Salvatore Bonaccorso 2023-08-19 17:02:46 UTC
(In reply to Dhananjay Arunesh from comment #6)
> In reply to comment #5:
> > Hi,
> > 
> > (In reply to Dhananjay Arunesh from comment #4)
> > > In reply to comment #3:
> > > > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > > > (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).
> > > 
> > > Hi, these CVEs are assigned by us (Red Hat CNA); the CVEs attached to the bugs
> > > are from the final vulnerabilities report sent by the reporter. I am
> > > discussing this issue with the reporter to rectify it from his end.
> We don't have any response from the reporter.

Okay too bad :(

> > As this currently causes confusion, as depending where you look you have
> > different CVEs swapped, did the reporter agree on fixing this annotation
> > on his end?
> > 
> > Would it be easier to swap the CVEs at the Red Hat CNA, as there were no Red Hat
> > updates yet fixing those issues?
> > 
> The CVEs are assigned by Red Hat, and I can check that the CVEs are public in many
> places, so instead of swapping the CVEs the best option is to reject the CVEs and
> re-assign the flaws with new CVEs.

Alright, this is indeed an option. For instance, the Debian LTS project, covering
older suites no longer covered by the regular security support, has already issued
an update referencing the CVEs above. Likewise did Ubuntu in USN-6290-1.

Not sure about other distributions.

Regards,
Salvatore

Comment 8 Salvatore Bonaccorso 2023-08-24 20:21:20 UTC
I see now both are rejected 

https://www.cve.org/CVERecord?id=CVE-2023-38288
and
https://www.cve.org/CVERecord?id=CVE-2023-38289

with "Rejected Reason: Not a Security Issue.".

I'm now highly confused.

Comment 9 Dhananjay Arunesh 2023-08-28 08:54:04 UTC

*** This bug has been marked as a duplicate of bug 2235264 ***

Comment 10 Dhananjay Arunesh 2023-08-28 08:58:58 UTC
In reply to comment #7:
> (In reply to Dhananjay Arunesh from comment #6)
> > In reply to comment #5:
> > > Hi,
> > > 
> > > (In reply to Dhananjay Arunesh from comment #4)
> > > > In reply to comment #3:
> > > > > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > > > > (but it looks like the content of this RHBZ is swapped with CVE-2023-38289).
> > > > 
> > > > Hi, these CVEs are assigned by us (Red Hat CNA); the CVEs attached to the bugs
> > > > are from the final vulnerabilities report sent by the reporter. I am
> > > > discussing this issue with the reporter to rectify it from his end.
> > We don't have any response from the reporter.
> 
> Okay too bad :(
> 
> > > As this currently causes confusion, as depending where you look you have
> > > different CVEs swapped, did the reporter agree on fixing this annotation
> > > on his end?
> > > 
> > > Would it be easier to swap the CVEs at the Red Hat CNA, as there were no Red Hat
> > > updates yet fixing those issues?
> > > 
> > The CVEs are assigned by Red Hat, and I can check that the CVEs are public in many
> > places, so instead of swapping the CVEs the best option is to reject the CVEs and
> > re-assign the flaws with new CVEs.
> 
> Alright, this is indeed an option. For instance, the Debian LTS project,
> covering older suites no longer covered by the regular security support,
> has already issued an update referencing the CVEs above. Likewise did
> Ubuntu in USN-6290-1.
> 
> Not sure about other distributions.
> 
> Regards,
> Salvatore

Rejected the old CVE and re-assigned the vulnerability with a new flaw and CVE. Please track the link below [0] for more information.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=2235264

Regarding the comment for the old CVE ("Not a Security Issue") on MITRE, we are working to correct the statement.