Message-ID: <20081015022722.GN17241@outflux.net>
Date: Tue, 14 Oct 2008 19:27:22 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-655-1] exiv2 vulnerabilities

===========================================================
Ubuntu Security Notice USN-655-1           October 15, 2008
exiv2 vulnerabilities
CVE-2007-6353, CVE-2008-2696
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  libexiv2-0.12                   0.12-0ubuntu2.1

Ubuntu 7.10:
  libexiv2-0                      0.15-1ubuntu2.1

Ubuntu 8.04 LTS:
  libexiv2-2                      0.16-3ubuntu1.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Meder Kydyraliev discovered that exiv2 did not correctly handle certain
EXIF headers. If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could cause the application
linked against libexiv2 to crash, leading to a denial of service, or
possibly executing arbitrary code with user privileges. (CVE-2007-6353)

Joakim Bildrulle discovered that exiv2 did not correctly handle Nikon
lens EXIF information.  If a user or automated system were tricked into
processing a specially crafted image, a remote attacker could cause the
application linked against libexiv2 to crash, leading to a denial of
service. (CVE-2008-2696)


Updated packages for Ubuntu 7.04:
Updated packages for Ubuntu 7.10:
Updated packages for Ubuntu 8.04 LTS:
