Date: 07 January 2005
References: ESB-2005.0288
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0012 -- Debian Security Advisory DSA 626-1
New tiff packages fix denial of service
7 January 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tiff
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
UNIX variants
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2004-1183
Original Bulletin: http://www.debian.org/security/2005/dsa-626
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 626-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 6th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : tiff
Vulnerability : unsanitised input
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1183
Dmitry V. Levin discovered a buffer overflow in libtiff, the Tag Image
File Format library for processing TIFF graphics files. Upon reading
a TIFF file it is possible to crash the application, and maybe also to
execute arbitrary code.
For the stable distribution (woody) this problem has been fixed in
version 3.5.5-6.woody5.
For the unstable distribution (sid) this problem has been fixed in
version 3.6.1-5.
We recommend that you upgrade your libtiff package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-6.woody5.dsc
Size/MD5 checksum: 637 30abd553c21fae8aa009f64c7d5c5fb7
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-6.woody5.diff.gz
Size/MD5 checksum: 37066 4b47449e5c15f5981121d2bb29212fc8
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz
Size/MD5 checksum: 693641 3b7199ba793dec6ca88f38bb0c8cc4d8
Alpha architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_alpha.deb
Size/MD5 checksum: 141472 2e1246f3ef1525394c8c27b4cf5809f8
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_alpha.deb
Size/MD5 checksum: 105420 40ae38e633c220b2d578cc2d21791c11
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_alpha.deb
Size/MD5 checksum: 423234 df5bcc13ca6f61c363a452f6752e3e34
ARM architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_arm.deb
Size/MD5 checksum: 117008 f89f5d1545fa5823fdb465cedce10d14
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_arm.deb
Size/MD5 checksum: 90708 8d3b23cb9262f295a3c58963ffe33c93
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_arm.deb
Size/MD5 checksum: 404256 9af23d64ad58077d4872661bbec90778
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_i386.deb
Size/MD5 checksum: 112096 7c6752fbe95e11b7c67e2bb950b04fa1
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_i386.deb
Size/MD5 checksum: 81286 c2e334518bcb0bfcf43b50490704b70c
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_i386.deb
Size/MD5 checksum: 386974 75532bb3d037538763707553c306cdbe
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_ia64.deb
Size/MD5 checksum: 158802 7aba7243abdddfc1f1ecf59c60487fa2
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_ia64.deb
Size/MD5 checksum: 135648 fac88e6eb25d46a81270d4e1865d5db6
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_ia64.deb
Size/MD5 checksum: 446518 c73d407fc0ba4afa22cf31fbe61639a7
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_hppa.deb
Size/MD5 checksum: 128304 d2ee674c359384f1b53ddf9a198863f4
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_hppa.deb
Size/MD5 checksum: 107050 9ddc7d795cd6aaf87ab44d4adff17d00
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_hppa.deb
Size/MD5 checksum: 420374 4c2afddeb88d91f66672b9419b14e69e
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_m68k.deb
Size/MD5 checksum: 107306 4d9c44ec8da6315698acc948423380ee
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_m68k.deb
Size/MD5 checksum: 80036 9eaa32eb605078c0772deebd35f02b2e
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_m68k.deb
Size/MD5 checksum: 380154 9b66e37ff70d402ae699d98d4fcefc39
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_mips.deb
Size/MD5 checksum: 124080 f058c706cd24c58aaf26c8a607b5970c
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_mips.deb
Size/MD5 checksum: 88076 3c84f8da76f29eb167ce233d579a7d46
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_mips.deb
Size/MD5 checksum: 410788 d17ac2c5788fff8dbcf07bcde307a394
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_mipsel.deb
Size/MD5 checksum: 123676 0824a0dbca1c6e3d164d0f6f6895ca91
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_mipsel.deb
Size/MD5 checksum: 88440 107db6c5e16141137a3f4ca68583050e
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_mipsel.deb
Size/MD5 checksum: 411380 0c4ecfc18395d97d1043a10e35f28bcb
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_powerpc.deb
Size/MD5 checksum: 116074 b217403c7eb35fc693803eb435597977
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_powerpc.deb
Size/MD5 checksum: 89692 e8cb99fb55ede4b7d74f0f2d43efa1f7
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_powerpc.deb
Size/MD5 checksum: 402422 7bc2f2471f7c1bb6c7b259cda3844359
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_s390.deb
Size/MD5 checksum: 116944 654854ff01018ec39fbb459c2264dee2
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_s390.deb
Size/MD5 checksum: 92028 e3737813924d9c647e9b8ff9239dfdce
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_s390.deb
Size/MD5 checksum: 395354 54a156b1986175fc95e747fd95e281aa
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6.woody5_sparc.deb
Size/MD5 checksum: 132914 677d66df3e0190f1a08e09093d136f66
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6.woody5_sparc.deb
Size/MD5 checksum: 88834 24e946dce29d51cc920cb7237749e195
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6.woody5_sparc.deb
Size/MD5 checksum: 397052 367b1261c62cd443cbfa5114b05ad593
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB3UhVW5ql+IAeqTIRAq4dAKCyrNZg85FFGDuRPItELT/rqfeuogCePtjC
fX34XkVe2J5lRCpNBBKTHA0=
=EC1N
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQd3RhCh9+71yA2DNAQLPAQP+K59/wZU8baalaGQQl3rSDDrl72C5fyyC
NLcC8jTEuxouHzI4Y/mxKryMyC3L9lQgn3Wq5KLowxXovs+50kwHT3CNWRoByekU
tbKcXNJ6KDJJGsx7NxtRmcspnGfSLqHJLWUHn4l9LjIlhNhYN/dounFtWybCOlLg
AoZRpxQMARg=
=sknY
-----END PGP SIGNATURE-----
|