Message-Id: <1237833507.5790.3.camel@mdlinux.technorage.com>
Date: Mon, 23 Mar 2009 14:38:27 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [USN-744-1] LittleCMS vulnerabilities

===========================================================
Ubuntu Security Notice USN-744-1             March 23, 2009
lcms vulnerabilities
CVE-2009-0581, CVE-2009-0723, CVE-2009-0733
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  liblcms1                        1.13-1ubuntu0.2

Ubuntu 7.10:
  liblcms1                        1.16-5ubuntu3.2
  python-liblcms                  1.16-5ubuntu3.2

Ubuntu 8.04 LTS:
  liblcms1                        1.16-7ubuntu1.2
  python-liblcms                  1.16-7ubuntu1.2

Ubuntu 8.10:
  liblcms1                        1.16-10ubuntu0.2
  python-liblcms                  1.16-10ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Chris Evans discovered that LittleCMS did not properly handle certain error
conditions, resulting in a large memory leak. If a user or automated system
were tricked into processing an image with malicious ICC tags, a remote
attacker could cause a denial of service. (CVE-2009-0581)

Chris Evans discovered that LittleCMS contained multiple integer overflows.
If a user or automated system were tricked into processing an image with
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)

Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)

