lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050519150004.GA350@box79162.elkhouse.de>
Date: Thu, 19 May 2005 17:00:05 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-130-1] TIFF library vulnerability

===========================================================
Ubuntu Security Notice USN-130-1	       May 19, 2005
tiff vulnerability
CAN-2005-1544
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libtiff4

The problem can be corrected by upgrading the affected package to
version 3.6.1-1.1ubuntu1.3 (for Ubuntu 4.10), or 3.6.1-5ubuntu0.1 (for
Ubuntu 5.04).  After a standard system upgrade you need to restart
your CUPS server with

  sudo /etc/init.d/cupsys restart

to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a buffer overflow in the TIFF library.  A
malicious image with an invalid "bits per sample" number could be
constructed which, when decoded, would have resulted in execution of
arbitrary code with the privileges of the process using the library.

Since this library is used in many applications like "ghostscript" and
the "CUPS" printing system, this vulnerability may lead to remotely
induced privilege escalation.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-1.1ubuntu1.3.diff.gz
      Size/MD5:    23204 9ac3ca3fba6f2dfee338a6ead67dd861
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-1.1ubuntu1.3.dsc
      Size/MD5:      646 dd500c399e6e27e8fccc0a2217b81e24
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1.orig.tar.gz
      Size/MD5:   848760 bd252167a20ac7910ab3bd2b3ee9e955

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.3_amd64.deb
      Size/MD5:   172882 44812e9c564e534afaf120298a05649d
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.3_amd64.deb
      Size/MD5:   458464 45c8e715cfd6d0d10a8f7755d444e8b2
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.3_amd64.deb
      Size/MD5:   111528 c3e7f1e32d02fb2f43dcd7eba004f410

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.3_i386.deb
      Size/MD5:   157242 89a8e234340550fbb7b51b0665f57b07
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.3_i386.deb
      Size/MD5:   439630 bc310ca8d58fd2edff9becf96618016a
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.3_i386.deb
      Size/MD5:   102426 b57bcb6731278bd7b9efac661b1d5b29

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.3_powerpc.deb
      Size/MD5:   187860 a90692f339814812b81b45bd42b020ad
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.3_powerpc.deb
      Size/MD5:   462482 263381d0e365ef440423e5a39fce2fd9
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.3_powerpc.deb
      Size/MD5:   112628 7e2d3f122c362d9afce7fdb1058e1628

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-5ubuntu0.1.diff.gz
      Size/MD5:    23765 32eb02942dff40b39c1d15250c3c0859
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-5ubuntu0.1.dsc
      Size/MD5:      681 2450a075bf97cc3f9e6824361985c8d4
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1.orig.tar.gz
      Size/MD5:   848760 bd252167a20ac7910ab3bd2b3ee9e955

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.1_amd64.deb
      Size/MD5:   172924 7231c0247df7c384675a9c6635daa4c3
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.1_amd64.deb
      Size/MD5:   458530 0dc168ca75707a0ad7cae668ee8f8c94
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.1_amd64.deb
      Size/MD5:   111658 3f9045465c9ec449afa7ed5f407ef182

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.1_i386.deb
      Size/MD5:   155938 1a2182f4b9d338b6384a285aa4274193
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.1_i386.deb
      Size/MD5:   439730 df6990250a7715682cadfdef6a6e8bb3
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.1_i386.deb
      Size/MD5:   102640 15d2802c1720a6597838adb38fd69b8f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.1_powerpc.deb
      Size/MD5:   188166 0cdfe537f7838f94dad74e96e9d741b4
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.1_powerpc.deb
      Size/MD5:   462522 673438e0b48b119901dfc70189a1af94
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.1_powerpc.deb
      Size/MD5:   112828 656a62054187e8a3c803fecc54f6fe09

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ