-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.4 : libtiff Multiple vulnerabilities Advisory number: SCOSA-2005.19 Issue date: 2005 April 07 Cross reference: sr892971 fz531015 erg712790 CAN-2004-0803 CAN-2004-0804 CAN-2004-0886 CAN-2004-0929 CAN-2004-1183 CAN-2004-1308 ______________________________________________________________________________ 1. Problem Description Updated libtiff fixes several vulnerabilities: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0803 to this issue. Vulnerability in in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0804 to this issue. Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0886 to this issue. Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-0929 to this issue. Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned th e name CAN-2004-1183 to this issue. Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.4 libtiff distribution 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.4 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.19 4.2 Verification MD5 (tiff.image) = c9f976565559059f1ae413886a43c063 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download tiff.image to the /var/spool/pkg directory # pkgadd -d /var/spool/pkg/tiff.image 5. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0929 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr892971 fz531015 erg712790. 6. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 7. Acknowledgments SCO would like to thank iDEFENSE and infamous41md[at]hotpop.com ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (SCO/SYSV) iD8DBQFCVZtCaqoBO7ipriERAq0NAKCJyEGo562Bx4SGIYb7DQnXycvavACfXj9H MFkNw5rfq8K3bHt9nip2nQ0= =cjWx -----END PGP SIGNATURE-----