lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20081104001442.GE9448@outflux.net>
Date: Mon, 3 Nov 2008 16:14:42 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-660-1] enscript vulnerability

===========================================================
Ubuntu Security Notice USN-660-1          November 03, 2008
enscript vulnerability
CVE-2008-3863, CVE-2008-4306
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  enscript                        1.6.4-7ubuntu0.2

Ubuntu 7.10:
  enscript                        1.6.4-11ubuntu0.2

Ubuntu 8.04 LTS:
  enscript                        1.6.4-12ubuntu0.8.04.1

Ubuntu 8.10:
  enscript                        1.6.4-12ubuntu0.8.10.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Ulf Härnhammar discovered multiple stack overflows in enscript's handling of
special escape arguments.  If a user or automated system were tricked into
processing a malicious file with the "-e" option enabled, a remote attacker
could execute arbitrary code or cause enscript to crash, possibly leading
to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2.diff.gz
      Size/MD5:    21257 099ec23f341d2d17283bde9b36942ab6
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2.dsc
      Size/MD5:      674 432f64fe62d7d29e13872525726cb032
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.orig.tar.gz
      Size/MD5:  1036734 b5174b59e4a050fb462af5dbf28ebba3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2_amd64.deb
      Size/MD5:   423482 636c62e47e3e73b9389b47bfcc8c6647

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2_i386.deb
      Size/MD5:   405530 41f6c81e90905043fa9018d8f4e30457

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2_powerpc.deb
      Size/MD5:   419126 6c80126f37f4800f0507329dd6bb0aa3

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7ubuntu0.2_sparc.deb
      Size/MD5:   411222 47084632ebb468a3d13f52dcee9dd977

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2.diff.gz
      Size/MD5:    91026 c788b4b331ad7ddd6a2743ae27f725a4
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2.dsc
      Size/MD5:      767 084a84daf7f8b47f2ac3bf3debb995ea
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.orig.tar.gz
      Size/MD5:  1036734 b5174b59e4a050fb462af5dbf28ebba3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2_amd64.deb
      Size/MD5:   425468 5f020fcebfffb46ed32cc6ae50939972

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2_i386.deb
      Size/MD5:   411500 3f7ebb92b6a87efce2ec18ad2cbed2d3

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2_lpia.deb
      Size/MD5:   414372 3630143c4898a99a48a13bd5899f003c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2_powerpc.deb
      Size/MD5:   424744 bbd80756d675ae285b7bfec9992fbc55

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2_sparc.deb
      Size/MD5:   415382 f665b649a786296363e17fd6f560bb0f

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1.diff.gz
      Size/MD5:    93119 62c2bd2cef254af68bd2fa0c7d1d36f3
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1.dsc
      Size/MD5:      774 7cb02960688d0e9fb17f30bc7932577e
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.orig.tar.gz
      Size/MD5:  1036734 b5174b59e4a050fb462af5dbf28ebba3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1_amd64.deb
      Size/MD5:   425882 56b5c201eba9f4ccba832d9de0277b6a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1_i386.deb
      Size/MD5:   412426 7e5bd9e9ed8d8a69e01f112ace8bf9d8

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1_lpia.deb
      Size/MD5:   414800 6c3584e7ca1dc88917d3f24298cbd78b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1_powerpc.deb
      Size/MD5:   426356 c9efe8d867bdcf618857c2eb6a140d6b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.04.1_sparc.deb
      Size/MD5:   415802 0d13cb614bbaefb045515c3ac223c5a6

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1.diff.gz
      Size/MD5:    93116 0338194240bae030e8150e47ac40208d
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1.dsc
      Size/MD5:     1188 ac3234ebd2b48790ac95d4d1baae83e8
    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.orig.tar.gz
      Size/MD5:  1036734 b5174b59e4a050fb462af5dbf28ebba3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1_amd64.deb
      Size/MD5:   428584 64a869b979b5d62ff169b68e322ae43f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1_i386.deb
      Size/MD5:   415574 25eb8ba34f468dd58a6ddf607d54e434

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1_lpia.deb
      Size/MD5:   416772 9ec0d324ce07b50261acc2896618a46f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   426934 5aa206fa2bee1d271672ce6041e8616b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8.10.1_sparc.deb
      Size/MD5:   418004 97edf96856ff530d88075b3076cc037e


Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ