Bug 14203

Summary: [CVE 21] libtiff 4.1.0 CVE - 3
Product: [ROSA-based products] ROSA Fresh Reporter: Vladimir Potapov <v.potapov>
Component: Packages from MainAssignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker    
Priority: Highest CC: a.proklov, s.matveev
Version: AllFlags: v.potapov: qa_verified+
v.potapov: secteam_verified?
a.proklov: published+
Target Milestone: 2021.1 Fresh R12   
Hardware: All   
OS: Linux   
URL: CVE-2022-4645,CVE-2023-30086,CVE-2023-30774,CVE-2023-2908
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Vladimir Potapov 2024-01-10 12:29:04 MSK 
https://nvd.nist.gov/vuln/detail/CVE-2022-4645 exploit!
Comment 1 Svyatoslav Matveev 2024-01-10 12:48:08 MSK 
CVE-2022-4645 одинаковые исправления CVE-2022-3599

https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246

Дополнил в spec files,
https://abf.io/import/libtiff/commit/9246d29bca93eaf94e041d7cdb57398076aad1b9
Comment 2 Vladimir Potapov 2024-01-15 11:42:25 MSK 
(In reply to Svyatoslav Matveev from comment #1)
> CVE-2022-4645 одинаковые исправления CVE-2022-3599
> 
> https://gitlab.com/libtiff/libtiff/-/commit/
> e813112545942107551433d61afd16ac094ff246
> 
> Дополнил в spec files,
> https://abf.io/import/libtiff/commit/9246d29bca93eaf94e041d7cdb57398076aad1b9
А собрать?
Comment 3 Vladimir Potapov 2024-01-15 11:46:33 MSK 
(In reply to Svyatoslav Matveev from comment #1)
> CVE-2022-4645 одинаковые исправления CVE-2022-3599
> 
> https://gitlab.com/libtiff/libtiff/-/commit/
> e813112545942107551433d61afd16ac094ff246
> 
> Дополнил в spec files,
> https://abf.io/import/libtiff/commit/9246d29bca93eaf94e041d7cdb57398076aad1b9

ага, в дебиане описано
https://security-tracker.debian.org/tracker/CVE-2022-3599
Same fix as for CVE-2022-4645, CVE-2023-30086 and CVE-2023-30774.
The fix causes CVE-2023-2908.
Comment 4 Svyatoslav Matveev 2024-01-15 12:23:49 MSK 
********** QA ADVISORY **********

rebuild

***  libtiff
**   4.1.0 release +1

https://abf.io/build_lists/4955688
https://abf.io/build_lists/4955684
https://abf.io/build_lists/4955685
https://abf.io/build_lists/4955686
https://abf.io/build_lists/4955687

**   rosa2021.15 (опубликовано)
Comment 5 Vladimir Potapov 2024-01-17 10:29:35 MSK 
***************************************
The update sent to testings
Comment 6 Vladimir Potapov 2024-01-23 14:33:22 MSK 
libtiff-4.1.0-7
https://abf.io/build_lists/4955688
https://abf.io/build_lists/4955684
https://abf.io/build_lists/4955685
https://abf.io/build_lists/4955686
https://abf.io/build_lists/4955687
*************************** Advisory ************************
CVEs fix
*************************************************************
QA Verified