Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0544 -- Debian Security Advisory DSA 755-1
New tiff packages fix arbitrary code execution
14 July 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tiff
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2005-1544
Original Bulletin: http://www.debian.org/security/2005/dsa-755
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 755-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : tiff
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1544
Debian Bug : 309739
Frank Warmerdam discovered a stack-based buffer overflow in libtiff,
the Tag Image File Format library for processing TIFF graphics files
that can lead to the executionof arbitrary code via malformed TIFF
files.
For the old stable distribution (woody) this problem has been fixed in
version 3.5.5-7
For the stable distribution (sarge) this problem has been fixed in
version 3.7.2-3.
For the unstable distribution (sid) this problem has been fixed in
version 3.7.2-3.
We recommend that you upgrade your libtiff packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7.dsc
Size/MD5 checksum: 623 fdb202eb01852d3aab26758f5f9a50ce
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7.diff.gz
Size/MD5 checksum: 37270 3e154325390b0446bee083a7470adaac
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz
Size/MD5 checksum: 693641 3b7199ba793dec6ca88f38bb0c8cc4d8
Alpha architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_alpha.deb
Size/MD5 checksum: 141498 f0d74c745fc5f75016e190f7c9af0604
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_alpha.deb
Size/MD5 checksum: 105544 ff3fe1edd72064a3cec25578decb4ce8
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_alpha.deb
Size/MD5 checksum: 423258 d26ce2a8049612b29c4736f341930439
ARM architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_arm.deb
Size/MD5 checksum: 117004 f1c9aafcdaae7148cdb5f13e1805ded5
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_arm.deb
Size/MD5 checksum: 90842 e13019cb16071175cc0b88526d6dc28a
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_arm.deb
Size/MD5 checksum: 404308 162fe09877bf4e31044ad2c1c16983bf
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_i386.deb
Size/MD5 checksum: 112070 9351594ccf87495bc0ec6fb3624d9983
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_i386.deb
Size/MD5 checksum: 81468 76f340590aa4a0546d810a7e7c7691a8
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_i386.deb
Size/MD5 checksum: 386938 25f47760934bf3abdf6aa5ac60a0bf84
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_ia64.deb
Size/MD5 checksum: 158806 0a4abf7ed300b3c33a2e590caa3dd2c1
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_ia64.deb
Size/MD5 checksum: 135786 341bf0f708522080b931e89a87b598a6
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_ia64.deb
Size/MD5 checksum: 446574 126ed5be544a1eefe30228d06db9e219
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_hppa.deb
Size/MD5 checksum: 128298 db87d7cbeb3620736f8cabb0286f831e
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_hppa.deb
Size/MD5 checksum: 107142 515937e00c5a75f3efa61749a8c8cf58
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_hppa.deb
Size/MD5 checksum: 420334 0f55b4124cd813964a438403f1253582
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_m68k.deb
Size/MD5 checksum: 107324 33229624caf61822d6cf77e90872c6f9
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_m68k.deb
Size/MD5 checksum: 80132 4d4279969b7526649874eb657accc2b1
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_m68k.deb
Size/MD5 checksum: 380204 68a43fac8f06c48d38ddffc058c7242c
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_mips.deb
Size/MD5 checksum: 124008 20f911e6540aa69fc85fd07567fe4697
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_mips.deb
Size/MD5 checksum: 88202 7d68f62089e9546c06d9ffa80e7b0a74
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_mips.deb
Size/MD5 checksum: 410562 5fa6371f247618b5522ff51259ba35b2
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_mipsel.deb
Size/MD5 checksum: 123504 ba3102303df4d1cbde4303a00e3428ed
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_mipsel.deb
Size/MD5 checksum: 88530 c1f77d45cda72501d85607ea50f5a4b2
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_mipsel.deb
Size/MD5 checksum: 410766 3e3a11a28bc4f1f8081b77e5c72000b0
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_powerpc.deb
Size/MD5 checksum: 116072 045e7bbd3d4dfb9dc75268435aa62794
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_powerpc.deb
Size/MD5 checksum: 89824 3e7d286752e28fea6769936695e097d8
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_powerpc.deb
Size/MD5 checksum: 402420 876d140d9752aaea30cb4cd7f9a38cb2
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_s390.deb
Size/MD5 checksum: 116924 380141ee69a4a10201efc66182fe5616
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_s390.deb
Size/MD5 checksum: 92150 762a64a6166aa720fcbf5430a26760cf
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_s390.deb
Size/MD5 checksum: 395362 228596854105753bc1a0139bc6e1fef0
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_sparc.deb
Size/MD5 checksum: 132902 65969fd417aa734f6299c0f35f15dff9
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_sparc.deb
Size/MD5 checksum: 88982 e674bafc1f1df1617b70f4184051da79
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_sparc.deb
Size/MD5 checksum: 397132 e1ebfa6cdfec77c9c643f494e72d0714
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC1QeAW5ql+IAeqTIRAg3QAKCrXnTEx6QLUi/GycstXUwiTl4BdQCfX885
ECPeLU0ufeSouPHXHVi0TME=
=eI3i
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQtXbYCh9+71yA2DNAQKd5QP/eYjvOVIE0T4z0BWRMbN5gKchpThSfPzf
FljBEgymZoFPRdiHMBJaZfvyJPPPk8UAyB/m+/Ew1CvA+rmQXXEsrYAPAs6cYqFs
6HY824nF0vwwbUmE3Kf3t3smdi+3IBKlJL4V8JL33o+GHYhIGEfSc8RNXAQlx5ZA
EMCoFgfmWwU=
=MaPt
-----END PGP SIGNATURE-----