Ubuntu
tiff package

Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Jammy

Bug #1971001 reported by Luís Infante da Câmara
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tiff (Ubuntu)
In Progress
Undecided
Unassigned

Bug Description

The versions in Trusty, Xenial, Bionic, Focal and Jammy may be vulnerable to all CVEs below.

Debian released an advisory on March 24.

See original description
Luís Infante da Câmara (luis220413)
summary: - Multiple vulnerabilities in Bionic, Focal and Impish
+ Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Impish
description: updated
summary: - Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Impish
+ Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal, Impish and
+ Jammy
description: updated
Luís Infante da Câmara (luis220413)
description: updated
Luís Infante da Câmara (luis220413)
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur)
Changed in tiff (Ubuntu):
status: New → Confirmed
Luís Infante da Câmara (luis220413)
Changed in tiff (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ): Re: Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal, Impish and Jammy

Packages patched for CVE-2020-35522, CVE-2022-0561, CVE-2022-0562, CVE-2022-0865 and CVE-2022-0891 are available for Bionic, Focal and Impish at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa. (Impish is not affected by CVE-2020-35522.)

Please patch the other CVEs and release a patched version for Jammy.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Packages patched for CVE-2020-35522, CVE-2022-0561, CVE-2022-0562, CVE-2022-0865 and CVE-2022-0891 are now released and available. (https://ubuntu.com/security/notices/USN-5421-1).

Jammy is currently at version 4.3.0-6 which includes the patch for CVE-2022-0865 as it was introduced in 4.3.0-5.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

More vulnerabilities have been found, including a stack buffer overflow (CVE-2022-1355) in tiffcp and a heap buffer overflow (CVE-2022-1354) in libtiff.

description: updated
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Impish reached end-of-life yesterday.

summary: - Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal, Impish and
- Jammy
+ Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Jammy
description: updated
Revision history for this message
David Fernandez Gonzalez (litios) wrote (last edit ):

New security versions of tiff have been released for focal and bionic. These versions provide the corresponding fixes for CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924 and CVE-2022-22844.

https://ubuntu.com/security/notices/USN-5523-2

Revision history for this message
Jeffrey Hawkins (rtswguru) wrote :

Can Ubuntu address CVE-2022-1210 similar to other Linux Distros (RHEL, SUSE, YOCTO,...) with not building tiff with JBIG disabled since the bug is really in libjbig (build with --disable-jbig) . See Fedora Bug Tracker https://bugzilla.redhat.com/show_bug.cgi?id=2072615

Revision history for this message
Jeffrey Hawkins (rtswguru) wrote :

typo in my comment, recommendation is to build tiff with libjbig disabled... sorry..

Revision history for this message
Jeremy Bícha (jbicha) wrote :

Debian says the jbig bug isn't a critical security issue:
https://security-tracker.debian.org/tracker/CVE-2022-1210

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.