Message-ID: <20060608115645.GE5127@piware.de>
Date: Thu, 8 Jun 2006 13:56:45 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-289-1] tiff vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-289-1              June 08, 2006
tiff vulnerabilities
CVE-2006-2193, CVE-2006-2656
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libtiff-tools                  3.6.1-5ubuntu0.5

Ubuntu 5.10:
  libtiff-tools                  3.7.3-1ubuntu1.4

Ubuntu 6.06 LTS:
  libtiff-tools                  3.7.4-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A buffer overflow has been found in the tiff2pdf utility. By tricking
a user into processing a specially crafted TIF file with tiff2pdf,
this could potentially be exploited to execute arbitrary code with the
privileges of the user. (CVE-2006-2193)

A. Alejandro Hernández discovered a buffer overflow in the tiffsplit
utility. By calling tiffsplit with specially crafted long arguments,
a user can execute arbitrary code. If tiffsplit is used in e.g. a
web-based frontend or similar automated system, this could lead to
remote arbitrary code execution with the privileges of that system. (In
normal interactive command line usage this is not a vulnerability.)
(CVE-2006-2656)
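
An added illustration of the bug class described for tiffsplit (not libtiff's
code and not part of this advisory): a command-line argument copied into a
fixed-size name buffer, first unchecked, then with a length check that also
reserves room for the suffix appended later. The buffer size, the function
names and the three-letter ".tif" suffix scheme are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF   1025   /* assumed size of the fixed name buffer */
#define SUFFIX_LEN 7      /* room for an "aaa.tif"-style suffix (assumed) */

/* Unchecked pattern: any argument longer than the buffer overruns it. */
void set_prefix_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Checked form: 0 on success, -1 if arg plus the suffix cannot fit.
 * On rejection dst is left as an empty string. */
int set_prefix_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n;
    if (dst == NULL || dstsz <= SUFFIX_LEN) return -1;
    dst[0] = '\0';
    if (arg == NULL) return -1;
    n = strlen(arg);                 /* argv strings are NUL-terminated */
    if (n >= dstsz - SUFFIX_LEN) return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Write "<prefix><3 letters>.tif" for page idx; -1 if it would not fit. */
int make_output_name(char *out, size_t outsz, const char *prefix, unsigned idx)
{
    static const char az[] = "abcdefghijklmnopqrstuvwxyz";
    int w;
    if (out == NULL || prefix == NULL || idx >= 26u * 26u * 26u) return -1;
    w = snprintf(out, outsz, "%s%c%c%c.tif", prefix,
                 az[idx / 676], az[(idx / 26) % 26], az[idx % 26]);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char prefix[NAME_BUF], name[NAME_BUF];
    if (set_prefix_checked(prefix, sizeof prefix, argc > 1 ? argv[1] : "x") != 0
        || make_output_name(name, sizeof name, prefix, 0) != 0) {
        fputs("prefix too long\n", stderr);
        return 1;
    }
    puts(name);
    return 0;
}
```

A frontend that hands user-supplied names to a command-line tool can apply the
same kind of length check before invoking it.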


