Bug 2224971 (CVE-2023-38288)

Summary: CVE-2023-38288 libtiff: potential integer overflow in raw2tiff.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, carnil, caswilli, hkataria, jburrell, jkoehler, jsherril, kaycoth, kshier, mmuzila, nforro, rh-spice-bugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2226741, 2226742, 2226744, 2226743    
Bug Blocks: 2222912    

Description Dhananjay Arunesh 2023-07-24 07:02:21 UTC 
Multiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.
Comment 3 Salvatore Bonaccorso 2023-07-30 22:01:09 UTC 
This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591 (but it looks the content of this RHBZ is swapped with CVE-2023-38289).
Comment 4 Dhananjay Arunesh 2023-08-02 09:28:43 UTC 
In reply to comment #3:
> This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> (but it looks the content of this RHBZ is swapped with CVE-2023-38289).

Hi, These CVEs are assigned by us (Red Hat CNA), CVEs attached to the bugs are from the final vulnerabilities report sent by the reporter. I am discussing about this issue with the reporter to rectify from his end.
Comment 5 Salvatore Bonaccorso 2023-08-13 11:44:48 UTC 
Hi,

(In reply to Dhananjay Arunesh from comment #4)
> In reply to comment #3:
> > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > (but it looks the content of this RHBZ is swapped with CVE-2023-38289).
> 
> Hi, These CVEs are assigned by us (Red Hat CNA), CVEs attached to the bugs
> are from the final vulnerabilities report sent by the reporter. I am
> discussing about this issue with the reporter to rectify from his end.

As this currently causes confusion, as depending where you look you have 
different CVEs swappend, did the reporter agreed on fixing this annotation
on his end?

Would it be easier to swap the CVEs at RedHat CNA, as there were no RedHat
updates yet fixing those issues?

Thanks already in advance for looking into it,

Regards,
Salvatore
Comment 6 Dhananjay Arunesh 2023-08-16 06:18:27 UTC 
In reply to comment #5:
> Hi,
> 
> (In reply to Dhananjay Arunesh from comment #4)
> > In reply to comment #3:
> > > This CVE is referenced at https://gitlab.com/libtiff/libtiff/-/issues/591
> > > (but it looks the content of this RHBZ is swapped with CVE-2023-38289).
> > 
> > Hi, These CVEs are assigned by us (Red Hat CNA), CVEs attached to the bugs
> > are from the final vulnerabilities report sent by the reporter. I am
> > discussing about this issue with the reporter to rectify from his end.
We don't have any response from the reporter.
> As this currently causes confusion, as depending where you look you have 
> different CVEs swappend, did the reporter agreed on fixing this annotation
> on his end?
> 
> Would it be easier to swap the CVEs at RedHat CNA, as there were no RedHat
> updates yet fixing those issues?
> 
The CVEs are assigned by Red Hat and I can check the CVEs are public at many places so instead of swapping the CVEs best option is to reject the CVEs and re-assign the flaws with new CVEs.
> Thanks already in advance for looking into it,
> 
> Regards,
> Salvatore