[gentoo-announce] [ GLSA 200412-02 ] PDFlib: Multiple overflows in the included TIFF library - gentoo-announce

From:	Luke Macken <lewk@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200412-02 ] PDFlib: Multiple overflows in the included TIFF library
Date:	Sun, 05 Dec 2004 16:31:23
Message-Id:	`20041205162747.GB3151@tomservo.ne1.client2.attbi.com`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200412-02

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: PDFlib: Multiple overflows in the included TIFF library

9

      Date: December 05, 2004

10

      Bugs: #69043

11

        ID: 200412-02

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

PDFlib is vulnerable to multiple overflows, which can potentially lead

19

to the execution of arbitrary code.

20

21

Background

22

==========

23

24

PDFlib is a library providing functions to handle PDF files. It

25

includes a modified TIFF library used to process TIFF images.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package            /  Vulnerable  /                    Unaffected

32

    -------------------------------------------------------------------

33

  1  media-libs/pdflib     < 5.0.4_p1                      >= 5.0.4_p1

34

35

Description

36

===========

37

38

The TIFF library is subject to several known vulnerabilities (see GLSA

39

200410-11). Most of these overflows also apply to PDFlib.

40

41

Impact

42

======

43

44

A remote attacker could entice a user or web application to process a

45

carefully crafted PDF file or TIFF image using a PDFlib-powered

46

program. This can potentially lead to the execution of arbitrary code

47

with the rights of the program processing the file.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All PDFlib users should upgrade to the latest version:

58

59

    # emerge --sync

60

    # emerge --ask --oneshot --verbose ">=media-libs/pdflib-5.0.4_p1"

61

62

References

63

==========

64

65

  [ 1 ] PDFlib ChangeLog

66

        http://www.pdflib.com/products/pdflib/info/PDFlib-5.0.4p1-changes.txt

67

  [ 2 ] CAN-2004-0803

68

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803

69

  [ 3 ] CAN-2004-0804

70

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804

71

  [ 4 ] CAN-2004-0886

72

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886

73

  [ 5 ] GLSA 200410-11

74

        http://www.gentoo.org/security/en/glsa/glsa-200410-11.xml

75

76

Availability

77

============

78

79

This GLSA and any updates to it are available for viewing at

80

the Gentoo Security Website:

81

82

  http://security.gentoo.org/glsa/glsa-200412-02.xml

83

84

Concerns?

85

=========

86

87

Security is a primary focus of Gentoo Linux and ensuring the

88

confidentiality and security of our users machines is of utmost

89

importance to us. Any security concerns should be addressed to

90

security@g.o or alternatively, you may file a bug at

91

http://bugs.gentoo.org.

92

93

License

94

=======

95

96

Copyright 2004 Gentoo Foundation, Inc; referenced text

97

belongs to its owner(s).

98

99

The contents of this document are licensed under the

100

Creative Commons - Attribution / Share Alike license.

101

102

http://creativecommons.org/licenses/by-sa/2.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200412-02
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PDFlib: Multiple overflows in the included TIFF library
9	Date: December 05, 2004
10	Bugs: #69043
11	ID: 200412-02
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	PDFlib is vulnerable to multiple overflows, which can potentially lead
19	to the execution of arbitrary code.
20
21	Background
22	==========
23
24	PDFlib is a library providing functions to handle PDF files. It
25	includes a modified TIFF library used to process TIFF images.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 media-libs/pdflib < 5.0.4_p1 >= 5.0.4_p1
34
35	Description
36	===========
37
38	The TIFF library is subject to several known vulnerabilities (see GLSA
39	200410-11). Most of these overflows also apply to PDFlib.
40
41	Impact
42	======
43
44	A remote attacker could entice a user or web application to process a
45	carefully crafted PDF file or TIFF image using a PDFlib-powered
46	program. This can potentially lead to the execution of arbitrary code
47	with the rights of the program processing the file.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All PDFlib users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=media-libs/pdflib-5.0.4_p1"
61
62	References
63	==========
64
65	[ 1 ] PDFlib ChangeLog
66	http://www.pdflib.com/products/pdflib/info/PDFlib-5.0.4p1-changes.txt
67	[ 2 ] CAN-2004-0803
68	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
69	[ 3 ] CAN-2004-0804
70	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
71	[ 4 ] CAN-2004-0886
72	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
73	[ 5 ] GLSA 200410-11
74	http://www.gentoo.org/security/en/glsa/glsa-200410-11.xml
75
76	Availability
77	============
78
79	This GLSA and any updates to it are available for viewing at
80	the Gentoo Security Website:
81
82	http://security.gentoo.org/glsa/glsa-200412-02.xml
83
84	Concerns?
85	=========
86
87	Security is a primary focus of Gentoo Linux and ensuring the
88	confidentiality and security of our users machines is of utmost
89	importance to us. Any security concerns should be addressed to
90	security@g.o or alternatively, you may file a bug at
91	http://bugs.gentoo.org.
92
93	License
94	=======
95
96	Copyright 2004 Gentoo Foundation, Inc; referenced text
97	belongs to its owner(s).
98
99	The contents of this document are licensed under the
100	Creative Commons - Attribution / Share Alike license.
101
102	http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce