USN-654-1: libexif vulnerabilities

Posted by Bob on: 10/15/2008 01:40 AM [ Print | 0 comment(s) ]

A new libexif vulnerabilities update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-654-1 October 14, 2008
libexif vulnerabilities
CVE-2007-6351, CVE-2007-6352
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libexif12 0.6.12-2ubuntu0.3

Ubuntu 7.04:
libexif12 0.6.13-5ubuntu0.3

Ubuntu 7.10:
libexif12 0.6.16-1ubuntu0.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Meder Kydyraliev discovered that libexif did not correctly handle certain
EXIF headers. If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could cause the application
linked against libexif to crash, leading to a denial of service, or
possibly executing arbitrary code with user privileges.

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.12-2ubuntu0.3.diff.gz
Size/MD5: 4765 04c7e73ecece1f9f42516b6e9c997adb
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.12-2ubuntu0.3.dsc
Size/MD5: 646 70f71ef6e2246e9a2bb4f2f02e61cc41
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.12.orig.tar.gz
Size/MD5: 537829 69501aaf0862a79aaeeb73e81e8c1306

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.12-2ubuntu0.3_amd64.deb
Size/MD5: 77784 4a873cf21ce3be25603cae7812a8b8d9
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.12-2ubuntu0.3_amd64.deb
Size/MD5: 61968 2a96cfe5d19af5941a65b26a2f08b05d

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.12-2ubuntu0.3_i386.deb
Size/MD5: 73040 ea5652234ef1f6ec6599537977474662
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.12-2ubuntu0.3_i386.deb
Size/MD5: 57832 35743ac1e60d661fb6732b8dd6f47dc8

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.12-2ubuntu0.3_powerpc.deb
Size/MD5: 78270 b6a62e5af9be3d39e0120e1febed6c5e
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.12-2ubuntu0.3_powerpc.deb
Size/MD5: 60856 9521ddaf67e4c41917d675c9c9ae5836

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.12-2ubuntu0.3_sparc.deb
Size/MD5: 75786 254df3e31bbaf47b992c9a91f8e33448
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.12-2ubuntu0.3_sparc.deb
Size/MD5: 58816 81e247e09522421280a83e0ebcb2d9fb

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.13-5ubuntu0.3.diff.gz
Size/MD5: 10064 df74457a3f072138b4adf327f0921c5e
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.13-5ubuntu0.3.dsc
Size/MD5: 750 e3cfd9782d221f1b7ac234afbf9cd173
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.13.orig.tar.gz
Size/MD5: 727418 e5ad93c170bfb4fed6dc3e1c7a7948cb

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.13-5ubuntu0.3_amd64.deb
Size/MD5: 1005978 12f9016542fa2dab6244833228219334
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.13-5ubuntu0.3_amd64.deb
Size/MD5: 70346 32f78b0313d4ca69cf2e19090b07efeb

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.13-5ubuntu0.3_i386.deb
Size/MD5: 996666 b77bd6abf021efc041b2e4c0b5b40ea2
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.13-5ubuntu0.3_i386.deb
Size/MD5: 67310 61ba31cc3c63ce7f79ece1277528c1bf

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.13-5ubuntu0.3_powerpc.deb
Size/MD5: 1006356 bc29b4428ed98f17ffe1bd6d6ca6609a
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.13-5ubuntu0.3_powerpc.deb
Size/MD5: 67786 a7a951b56a444c40b092a3c117e822a0

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.13-5ubuntu0.3_sparc.deb
Size/MD5: 1003438 01d7a1b6a742f36d75548f74f630c8bc
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.13-5ubuntu0.3_sparc.deb
Size/MD5: 65594 3a855f078fc9d092c567aebe7012802d

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.16-1ubuntu0.1.diff.gz
Size/MD5: 17340 5a63929bc9580125b3520c6df9f7cac7
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.16-1ubuntu0.1.dsc
Size/MD5: 759 b31453402e0dbc58f2efff88922f8133
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif_0.6.16.orig.tar.gz
Size/MD5: 1006359 13ceaf57b428f27cac86195a7df1f7f6

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.16-1ubuntu0.1_amd64.deb
Size/MD5: 170838 c19d8415b29e07b757efdca5d5435bd6
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.16-1ubuntu0.1_amd64.deb
Size/MD5: 80764 faf340037e6b98de5b9c41d145cc6c02

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.16-1ubuntu0.1_i386.deb
Size/MD5: 164078 9efe80d75a6d8d7970d607e5a975f5ed
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.16-1ubuntu0.1_i386.deb
Size/MD5: 75536 978e7f3d01dbcde5f8ee2fbf07ac9afc

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/libe/libexif/libexif-dev_0.6.16-1ubuntu0.1_lpia.deb
Size/MD5: 163364 787a375da7e72dc10d7f8464b442af48
http://ports.ubuntu.com/pool/main/libe/libexif/libexif12_0.6.16-1ubuntu0.1_lpia.deb
Size/MD5: 74526 e608b8191bf4dafc7e6962d79d9556e4

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.16-1ubuntu0.1_powerpc.deb
Size/MD5: 169872 5e7585184d409918670150486d8a1a57
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.16-1ubuntu0.1_powerpc.deb
Size/MD5: 77072 7c960380692cfbbc709d0df73b8e0691

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif-dev_0.6.16-1ubuntu0.1_sparc.deb
Size/MD5: 166628 24dbcba556a13d44b5b2e7178ff629b0
http://security.ubuntu.com/ubuntu/pool/main/libe/libexif/libexif12_0.6.16-1ubuntu0.1_sparc.deb
Size/MD5: 75038 0395cc735da2f03c02d147e0124f4828

--qftxBdZWiueWNAVY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook lt;kees@outflux.netgt;

iEYEARECAAYFAkj1Oi8ACgkQH/9LqRcGPm3xFACgnehavbJFrE+Xiekkf+gMtPBi
8VkAn0syPrPkMVvGYdQrqdwyoC6fKWwv
=0wMl
-----END PGP SIGNATURE-----