lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050729094730.GA12158@piware.de>
Date: Fri, 29 Jul 2005 11:47:30 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-156-1] TIFF vulnerability

===========================================================
Ubuntu Security Notice USN-156-1	      July 29, 2005
tiff vulnerability
https://bugzilla.ubuntu.com/show_bug.cgi?id=12008
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libtiff4

The problem can be corrected by upgrading the affected package to
version 3.6.1-1.1ubuntu1.4 (for Ubuntu 4.10), or 3.6.1-5ubuntu0.2 (for
Ubuntu 5.04). After a standard system upgrade you need to restart
your CUPS server with

  sudo /etc/init.d/cupsys restart

  to effect the necessary changes.


Details follow:

Wouter Hanegraaff discovered that the TIFF library did not
sufficiently validate the "YCbCr subsampling" value in TIFF image
headers. Decoding a malicious image with a zero value resulted in an
arithmetic exception, which caused the program that uses the TIFF
library to crash. This leads to a Denial of Service in server
applications that use libtiff (like the CUPS printing system) and can
cause data loss in, for example, the Evolution email client.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-1.1ubuntu1.4.diff.gz
      Size/MD5:    23357 6c334b45e84578a8c2dfb835eb7e477e
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-1.1ubuntu1.4.dsc
      Size/MD5:      646 27f079e25cd7f0f8770eb7e1cc6c119b
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1.orig.tar.gz
      Size/MD5:   848760 bd252167a20ac7910ab3bd2b3ee9e955

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.4_amd64.deb
      Size/MD5:   172912 df244a7355b6108d17777d0f7ee635e2
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.4_amd64.deb
      Size/MD5:   458490 aae7d9f8d13150371ea323d6c7f7afff
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.4_amd64.deb
      Size/MD5:   111710 17e5aba420a429f3b8e1a995d8898424

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.4_i386.deb
      Size/MD5:   157254 bf807eec54e754c17f2a37028cab8577
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.4_i386.deb
      Size/MD5:   439678 7e793ec244af0b761d5488ae1dbbbacb
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.4_i386.deb
      Size/MD5:   102658 a63eef903a62203bf97d9ac307ac1bb0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/libtiff-tools_3.6.1-1.1ubuntu1.4_powerpc.deb
      Size/MD5:   187866 edff62a781e24543101dd8c953df0861
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-1.1ubuntu1.4_powerpc.deb
      Size/MD5:   462568 facec7aa38830d67e844712d85129eb1
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-1.1ubuntu1.4_powerpc.deb
      Size/MD5:   112834 be335d26fd3036982e63755e8d34b974

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-5ubuntu0.2.diff.gz
      Size/MD5:    23937 fc03e1e226cb8f3dc68bcc9c68508216
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1-5ubuntu0.2.dsc
      Size/MD5:      681 024be8a278b67c21bd23d6407ff8dbca
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_3.6.1.orig.tar.gz
      Size/MD5:   848760 bd252167a20ac7910ab3bd2b3ee9e955

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.2_amd64.deb
      Size/MD5:   172924 cd4bd17a871243ca6843fbc088617ae0
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.2_amd64.deb
      Size/MD5:   458564 b19faf6cebe2aae301599b7727b92470
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.2_amd64.deb
      Size/MD5:   111820 cbfcbf747bfc57b32f94922875301536

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.2_i386.deb
      Size/MD5:   155942 903dc99568c986a392792fe1b817891e
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.2_i386.deb
      Size/MD5:   439768 03b5da71622c1071dc78baf563c887c3
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.2_i386.deb
      Size/MD5:   102814 d2f292f44d899fa2aa58cd9df819627a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff-tools_3.6.1-5ubuntu0.2_powerpc.deb
      Size/MD5:   188188 76cf89e38b5c8bb1365abeb6f60f8e1b
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4-dev_3.6.1-5ubuntu0.2_powerpc.deb
      Size/MD5:   462612 eb9033efe7d5b180cc003854e26ef751
    http://security.ubuntu.com/ubuntu/pool/main/t/tiff/libtiff4_3.6.1-5ubuntu0.2_powerpc.deb
      Size/MD5:   113006 bbe7ac5d4209b07422e9b4370cc390bd

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ