Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0288 -- SCOSA-2005.19
SCO UnixWare libtiff multiple vulnerabilities
8 April 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libtiff
Publisher: SCO
Operating System: SCO UnixWare 7.1.4
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2004-1308 CAN-2004-1183 CAN-2004-0929
CAN-2004-0886 CAN-2004-0804 CAN-2004-0803
Ref: ESB-2004.0656
ESB-2004.0673
ESB-2004.0824
ESB-2005.0012
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : libtiff Multiple vulnerabilities
Advisory number: SCOSA-2005.19
Issue date: 2005 April 07
Cross reference: sr892971 fz531015 erg712790 CAN-2004-0803 CAN-2004-0804 CAN-2004-0886 CAN-2004-0929 CAN-2004-1183 CAN-2004-1308
______________________________________________________________________________
1. Problem Description
Updated libtiff fixes several vulnerabilities:
Multiple vulnerabilities in the RLE (run length encoding)
decoders for libtiff 3.6.1 and earlier, related to buffer
overflows and integer overflows, allow remote attackers to
execute arbitrary code via TIFF files.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned th e name CAN-2004-0803 to this issue.
Vulnerability in in tif_dirread.c for libtiff allows remote
attackers to cause a denial of service (application crash)
via a TIFF image that causes a divide-by-zero error when
the number of row bytes is zero.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0804 to this issue.
Multiple integer overflows in libtiff 3.6.1 and earlier allow
remote attackers to cause a denial of service (crash or memory
corruption) via TIFF images that lead to incorrect malloc calls.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned th e name CAN-2004-0886 to this issue.
Heap-based buffer overflow in the OJPEGVSetField function
in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled
with the OJPEG_SUPPORT (old JPEG support) option, allows
remote attackers to execute arbitrary code via a malformed
TIFF image.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned th e name CAN-2004-0929 to this issue.
Integer overflow in the tiffdump utility for libtiff 3.7.1 and
earlier allows remote attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a
crafted TIFF file.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned th e name CAN-2004-1183 to this issue.
Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c
for libtiff 3.5.7 and 3.7.0 allows remote attackers to
execute arbitrary code via a TIFF file containing a TIFF_ASCII
or TIFF_UNDEFINED directory entry with a -1 entry count,
which leads to a heap-based buffer overflow.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1308 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 libtiff distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.19
4.2 Verification
MD5 (tiff.image) = c9f976565559059f1ae413886a43c063
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download tiff.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/tiff.image
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr892971 fz531015
erg712790.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank iDEFENSE and infamous41md[at]hotpop.com
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVZtCaqoBO7ipriERAq0NAKCJyEGo562Bx4SGIYb7DQnXycvavACfXj9H
MFkNw5rfq8K3bHt9nip2nQ0=
=cjWx
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQlXhqih9+71yA2DNAQK3tgQAjcZ1OT56y2iJ06yS9nzRHN8cMOmdfU0u
kmT1eIfRZQ/UsKmMJM4aiWEeHD810oy2tyIfZf9J53RBrXihyyQZAg7pLZ4ibw3F
DlMmwKESyKN9YmXgXsYJFbM2lALtlc5aIXF2v2Y5iCarKHd7yGqTnBS2ZFQ/qMEB
ypNZPI8v0y4=
=jcmc
-----END PGP SIGNATURE-----