Message-Id: <1252951691.10635.17.camel@mdlinux.technorage.com>
Date: Mon, 14 Sep 2009 14:08:11 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-831-1] OpenEXR vulnerabilities

===========================================================
Ubuntu Security Notice USN-831-1         September 14, 2009
openexr vulnerabilities
CVE-2009-1720, CVE-2009-1721, CVE-2009-1722
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libopenexr2ldbl                 1.2.2-4.4ubuntu1.1

Ubuntu 8.10:
  libopenexr6                     1.6.1-3ubuntu1.8.10.1

Ubuntu 9.04:
  libopenexr6                     1.6.1-3ubuntu1.9.04.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Drew Yao discovered several flaws in the way OpenEXR handled certain
malformed EXR image files. If a user were tricked into opening a crafted
EXR image file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-1720, CVE-2009-1721)

It was discovered that OpenEXR did not properly handle certain malformed
EXR image files. If a user were tricked into opening a crafted EXR image
file, an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-1722)


Updated packages for Ubuntu 8.04 LTS:

Updated packages for Ubuntu 8.10:

Updated packages for Ubuntu 9.04:




