Debians sikkerhedsbulletin

DSA-1137-1 tiff -- flere sårbarheder

Rapporteret den:

2. aug 2006

Berørte pakker:

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465.

Yderligere oplysninger:

Tavis Ormandy fra Google Security Team har opdaget flere problemer i TIFF-biblioteket. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

CVE-2006-3459
Flere stak-bufferoverløb er opdaget.
CVE-2006-3460
En heap-overløbssårbarhed i JPEG-dekoderen kunne få en buffer til at løbe over med flere data end forventet.
CVE-2006-3461
En heap-overløbssårbarhed i PixarLog-dekoderen kunne gøre det muligt for en angriber at udføre vilkårlig kode.
CVE-2006-3462
En heap-overløbssårbarhed er opdaget i NeXT RLE-dekoderen.
CVE-2006-3463
En løkke er opdaget hvor en 16-bit unsigned short blev vandt til at gennemløbe en 32-bit unsigned-værdi, hvorved løkken aldrig endte.
CVE-2006-3464
Flere ukontrollerede aritmetiske handlinger er blotlagt, deriblandt et antal handlinger til range-kontrol, designet til at sikre at offset angivet i TIFF-mapper er legitime.
CVE-2006-3465
En fejl blev også blotlagt i libtiffs understøttelse skræddersyede tags, hvilket kunne føre til abnorm opførsel, nedbrud eller potentielt udførelse af vilkårlig kode.

I den stabile distribution (sarge) er disse problemer rettet i version 3.7.2-7.

I den ustabile distribution (sid) er disse problemer rettet i version 3.8.2-6.

Vi anbefaler at du opgraderer dine libtiff-pakker.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.dsc; http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.diff.gz; http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_alpha.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_alpha.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_alpha.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_alpha.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_amd64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_amd64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_amd64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_amd64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_arm.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_arm.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_arm.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_arm.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_i386.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_i386.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_i386.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_i386.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_ia64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_ia64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_ia64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_ia64.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_hppa.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_hppa.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_hppa.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_hppa.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_m68k.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_m68k.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_m68k.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_m68k.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mips.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mips.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mips.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mips.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mipsel.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mipsel.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mipsel.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mipsel.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_powerpc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_powerpc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_powerpc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_powerpc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_s390.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_s390.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_s390.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_s390.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_sparc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_sparc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_sparc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_sparc.deb; http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.