[Full-Disclosure] MDKSA-2005:001 - Updated libtiff packages fix multiple vulnerabilities

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 01/06/05

  • Next message: J.A. Terranson: "RE: [spam] Re: [Full-Disclosure] This sums up Yahoo!s security policy to a -T-"
    To: full-disclosure@lists.netsys.com
    Date: Thu, 06 Jan 2005 13:43:01 -0700
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: libtiff
     Advisory ID: MDKSA-2005:001
     Date: January 6th, 2005

     Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
                             Multi Network Firewall 8.2
     ______________________________________________________________________

     Problem Description:

     Several vulnerabilities have been discovered in the libtiff package:
     
     iDefense reported the possibility of remote exploitation of an integer
     overflow in libtiff that may allow for the execution of arbitrary code.
     
     The overflow occurs in the parsing of TIFF files set with the
     STRIPOFFSETS flag.
     
     iDefense also reported a heap-based buffer overflow vulnerability
     within the LibTIFF package could allow attackers to execute arbitrary
     code. (CAN-2004-1308)
     
     The vulnerability specifically exists due to insufficient validation of
     user-supplied data when calculating the size of a directory entry.
     
     The updated packages are patched to protect against these
     vulnerabilities.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     26419ea5f9e775c45927a2bea2eb25ff 10.0/RPMS/libtiff-progs-3.5.7-11.5.100mdk.i586.rpm
     cfb638e4f6150118347cef61e699d755 10.0/RPMS/libtiff3-3.5.7-11.5.100mdk.i586.rpm
     d76678e5f4d536deff8f5ec21a25b108 10.0/RPMS/libtiff3-devel-3.5.7-11.5.100mdk.i586.rpm
     61d7b33454e6d722e0626a25fc96a6d3 10.0/RPMS/libtiff3-static-devel-3.5.7-11.5.100mdk.i586.rpm
     0e93d8581db6de31c2cca71a7d8a9d9e 10.0/SRPMS/libtiff-3.5.7-11.5.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     f5a13fd14f3e4b6bd2543338e9ce4673 amd64/10.0/RPMS/lib64tiff3-3.5.7-11.5.100mdk.amd64.rpm
     cb7a9496c0336a50a6b586b634d273e6 amd64/10.0/RPMS/lib64tiff3-devel-3.5.7-11.5.100mdk.amd64.rpm
     c7e9ae6e41e528275056586c61b57a33 amd64/10.0/RPMS/lib64tiff3-static-devel-3.5.7-11.5.100mdk.amd64.rpm
     a7833fbba64ccf3034ea94db771a6ecf amd64/10.0/RPMS/libtiff-progs-3.5.7-11.5.100mdk.amd64.rpm
     0e93d8581db6de31c2cca71a7d8a9d9e amd64/10.0/SRPMS/libtiff-3.5.7-11.5.100mdk.src.rpm

     Mandrakelinux 10.1:
     844326b002681b1fbad9c373928bcc22 10.1/RPMS/libtiff-progs-3.6.1-4.3.101mdk.i586.rpm
     fc39dc40b6e4602cd11dbaaaaa8ccbfc 10.1/RPMS/libtiff3-3.6.1-4.3.101mdk.i586.rpm
     0831a29e721e3b34299a382c565b39be 10.1/RPMS/libtiff3-devel-3.6.1-4.3.101mdk.i586.rpm
     4de78902949d1da955531dfcc18ea673 10.1/RPMS/libtiff3-static-devel-3.6.1-4.3.101mdk.i586.rpm
     3bbd5c84878f47f0aeb6a29808daf075 10.1/SRPMS/libtiff-3.6.1-4.3.101mdk.src.rpm

     Mandrakelinux 10.1/X86_64:
     a194eae967e8b4de9b69600dea3aa154 x86_64/10.1/RPMS/lib64tiff3-3.6.1-4.3.101mdk.x86_64.rpm
     03113ffb0e828e5435a75f225b639d79 x86_64/10.1/RPMS/lib64tiff3-devel-3.6.1-4.3.101mdk.x86_64.rpm
     8799ead4440d3ed03bdb7a135b297fd2 x86_64/10.1/RPMS/lib64tiff3-static-devel-3.6.1-4.3.101mdk.x86_64.rpm
     2a5fa5a22cb394313449f12a99ced13f x86_64/10.1/RPMS/libtiff-progs-3.6.1-4.3.101mdk.x86_64.rpm
     3bbd5c84878f47f0aeb6a29808daf075 x86_64/10.1/SRPMS/libtiff-3.6.1-4.3.101mdk.src.rpm

     Corporate Server 2.1:
     ff96fd5e53c8658a300705feb1bf64d7 corporate/2.1/RPMS/libtiff3-3.5.7-5.5.C21mdk.i586.rpm
     ac7e1c4f37efd05bf0df7b55b3abdefa corporate/2.1/RPMS/libtiff3-devel-3.5.7-5.5.C21mdk.i586.rpm
     28f4daec69cc9edbb7eca8711cb38d2f corporate/2.1/RPMS/libtiff3-progs-3.5.7-5.5.C21mdk.i586.rpm
     1f061eeb03c4731df3601aa7b9c2ef55 corporate/2.1/RPMS/libtiff3-static-devel-3.5.7-5.5.C21mdk.i586.rpm
     a2275152fe3f3959e3b954044df03a7b corporate/2.1/SRPMS/libtiff-3.5.7-5.5.C21mdk.src.rpm

     Corporate Server 2.1/x86_64:
     153f5197d22280627cfa5b35878aa5e7 x86_64/corporate/2.1/RPMS/libtiff3-3.5.7-5.5.C21mdk.x86_64.rpm
     ddca70adfa8fc09333c020be403010ab x86_64/corporate/2.1/RPMS/libtiff3-devel-3.5.7-5.5.C21mdk.x86_64.rpm
     be2dd3bdeadfe2a4d6e2c357ff72304b x86_64/corporate/2.1/RPMS/libtiff3-progs-3.5.7-5.5.C21mdk.x86_64.rpm
     3f85152064fae9bed20168b3728af1ae x86_64/corporate/2.1/RPMS/libtiff3-static-devel-3.5.7-5.5.C21mdk.x86_64.rpm
     a2275152fe3f3959e3b954044df03a7b x86_64/corporate/2.1/SRPMS/libtiff-3.5.7-5.5.C21mdk.src.rpm

     Mandrakelinux 9.2:
     741e8f3ef01a5d16dd0c01d918860777 9.2/RPMS/libtiff-progs-3.5.7-11.5.92mdk.i586.rpm
     6346717fb39bc05185d29032d9844320 9.2/RPMS/libtiff3-3.5.7-11.5.92mdk.i586.rpm
     46a7727bf95b6d76bdcfce4e5a70c15d 9.2/RPMS/libtiff3-devel-3.5.7-11.5.92mdk.i586.rpm
     f3798634944b9ef94390ce06c20df998 9.2/RPMS/libtiff3-static-devel-3.5.7-11.5.92mdk.i586.rpm
     36e2ac6e7e96cfbd428149b3c9ccab55 9.2/SRPMS/libtiff-3.5.7-11.5.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     f81aa073cce93dd18fc35dc2ea0f3d9c amd64/9.2/RPMS/lib64tiff3-3.5.7-11.5.92mdk.amd64.rpm
     f6e36bd732e8ccb00d873c7470251510 amd64/9.2/RPMS/lib64tiff3-devel-3.5.7-11.5.92mdk.amd64.rpm
     c60bb908bb2815451da0a3d57eccaf1f amd64/9.2/RPMS/lib64tiff3-static-devel-3.5.7-11.5.92mdk.amd64.rpm
     67e5ce5b674c882bcca3974e6a2edc3b amd64/9.2/RPMS/libtiff-progs-3.5.7-11.5.92mdk.amd64.rpm
     36e2ac6e7e96cfbd428149b3c9ccab55 amd64/9.2/SRPMS/libtiff-3.5.7-11.5.92mdk.src.rpm

     Multi Network Firewall 8.2:
     bd75dfaf6447560450d6d0f28d0817d8 mnf8.2/RPMS/libtiff3-3.5.5-9.5.M82mdk.i586.rpm
     e1c84b55ff13da157156a0ff67185c81 mnf8.2/SRPMS/libtiff-3.5.5-9.5.M82mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFB3aLVmqjQ0CJFipgRAuEpAJ9dHA4Jb2avd9SzB44AkVFnVKrlCgCfYjgM
    LejodEvApMn0icZcWSQDF4E=
    =V0MP
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: J.A. Terranson: "RE: [spam] Re: [Full-Disclosure] This sums up Yahoo!s security policy to a -T-"

    Relevant Pages