Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2005.0288 -- SCOSA-2005.19 SCO UnixWare libtiff multiple vulnerabilities 8 April 2005 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libtiff Publisher: SCO Operating System: SCO UnixWare 7.1.4 Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CAN-2004-1308 CAN-2004-1183 CAN-2004-0929 CAN-2004-0886 CAN-2004-0804 CAN-2004-0803 Ref: ESB-2004.0656 ESB-2004.0673 ESB-2004.0824 ESB-2005.0012 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.4 : libtiff Multiple vulnerabilities Advisory number: SCOSA-2005.19 Issue date: 2005 April 07 Cross reference: sr892971 fz531015 erg712790 CAN-2004-0803 CAN-2004-0804 CAN-2004-0886 CAN-2004-0929 CAN-2004-1183 CAN-2004-1308 ______________________________________________________________________________ 1. Problem Description Updated libtiff fixes several vulnerabilities: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0803 to this issue. Vulnerability in in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0804 to this issue. Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0886 to this issue. Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0929 to this issue. Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-1183 to this issue. Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.4 libtiff distribution 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.4 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.19 4.2 Verification MD5 (tiff.image) = c9f976565559059f1ae413886a43c063 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download tiff.image to the /var/spool/pkg directory # pkgadd -d /var/spool/pkg/tiff.image 5. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0929 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr892971 fz531015 erg712790. 6. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 7. Acknowledgments SCO would like to thank iDEFENSE and infamous41md[at]hotpop.com ______________________________________________________________________________ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (SCO/SYSV) iD8DBQFCVZtCaqoBO7ipriERAq0NAKCJyEGo562Bx4SGIYb7DQnXycvavACfXj9H MFkNw5rfq8K3bHt9nip2nQ0= =cjWx - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQlXhqih9+71yA2DNAQK3tgQAjcZ1OT56y2iJ06yS9nzRHN8cMOmdfU0u kmT1eIfRZQ/UsKmMJM4aiWEeHD810oy2tyIfZf9J53RBrXihyyQZAg7pLZ4ibw3F DlMmwKESyKN9YmXgXsYJFbM2lALtlc5aIXF2v2Y5iCarKHd7yGqTnBS2ZFQ/qMEB ypNZPI8v0y4= =jcmc -----END PGP SIGNATURE-----