From: | Luke Macken <lewk@g.o> |
---|---|
To: | gentoo-announce@l.g.o |
Cc: | bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com |
Subject: | [gentoo-announce] [ GLSA 200412-02 ] PDFlib: Multiple overflows in the included TIFF library |
Date: | Sun, 05 Dec 2004 16:31:23 |
Message-Id: | 20041205162747.GB3151@tomservo.ne1.client2.attbi.com |
1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
2 | Gentoo Linux Security Advisory GLSA 200412-02 |
3 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
4 | http://security.gentoo.org/ |
5 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
6 | |
7 | Severity: Normal |
8 | Title: PDFlib: Multiple overflows in the included TIFF library |
9 | Date: December 05, 2004 |
10 | Bugs: #69043 |
11 | ID: 200412-02 |
12 | |
13 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
14 | |
15 | Synopsis |
16 | ======== |
17 | |
18 | PDFlib is vulnerable to multiple overflows, which can potentially lead |
19 | to the execution of arbitrary code. |
20 | |
21 | Background |
22 | ========== |
23 | |
24 | PDFlib is a library providing functions to handle PDF files. It |
25 | includes a modified TIFF library used to process TIFF images. |
26 | |
27 | Affected packages |
28 | ================= |
29 | |
30 | ------------------------------------------------------------------- |
31 | Package / Vulnerable / Unaffected |
32 | ------------------------------------------------------------------- |
33 | 1 media-libs/pdflib < 5.0.4_p1 >= 5.0.4_p1 |
34 | |
35 | Description |
36 | =========== |
37 | |
38 | The TIFF library is subject to several known vulnerabilities (see GLSA |
39 | 200410-11). Most of these overflows also apply to PDFlib. |
40 | |
41 | Impact |
42 | ====== |
43 | |
44 | A remote attacker could entice a user or web application to process a |
45 | carefully crafted PDF file or TIFF image using a PDFlib-powered |
46 | program. This can potentially lead to the execution of arbitrary code |
47 | with the rights of the program processing the file. |
48 | |
49 | Workaround |
50 | ========== |
51 | |
52 | There is no known workaround at this time. |
53 | |
54 | Resolution |
55 | ========== |
56 | |
57 | All PDFlib users should upgrade to the latest version: |
58 | |
59 | # emerge --sync |
60 | # emerge --ask --oneshot --verbose ">=media-libs/pdflib-5.0.4_p1" |
61 | |
62 | References |
63 | ========== |
64 | |
65 | [ 1 ] PDFlib ChangeLog |
66 | http://www.pdflib.com/products/pdflib/info/PDFlib-5.0.4p1-changes.txt |
67 | [ 2 ] CAN-2004-0803 |
68 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803 |
69 | [ 3 ] CAN-2004-0804 |
70 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804 |
71 | [ 4 ] CAN-2004-0886 |
72 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886 |
73 | [ 5 ] GLSA 200410-11 |
74 | http://www.gentoo.org/security/en/glsa/glsa-200410-11.xml |
75 | |
76 | Availability |
77 | ============ |
78 | |
79 | This GLSA and any updates to it are available for viewing at |
80 | the Gentoo Security Website: |
81 | |
82 | http://security.gentoo.org/glsa/glsa-200412-02.xml |
83 | |
84 | Concerns? |
85 | ========= |
86 | |
87 | Security is a primary focus of Gentoo Linux and ensuring the |
88 | confidentiality and security of our users machines is of utmost |
89 | importance to us. Any security concerns should be addressed to |
90 | security@g.o or alternatively, you may file a bug at |
91 | http://bugs.gentoo.org. |
92 | |
93 | License |
94 | ======= |
95 | |
96 | Copyright 2004 Gentoo Foundation, Inc; referenced text |
97 | belongs to its owner(s). |
98 | |
99 | The contents of this document are licensed under the |
100 | Creative Commons - Attribution / Share Alike license. |
101 | |
102 | http://creativecommons.org/licenses/by-sa/2.0 |