[USN-550-2] Cairo regression
Date: Mon, 10 Dec 2007 12:36:29 -0800
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-550-2] Cairo regression
Message-ID: <20071210203629.GD8789@outflux.net.>
Organization: Ubuntu
===========================================================
Ubuntu Security Notice USN-550-2 December 10, 2007
libcairo regression
https://launchpad.net/bugs/NNNNNN
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
libcairo2 1.4.2-0ubuntu1.2
Ubuntu 7.10:
libcairo2 1.4.10-1ubuntu4.2
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
USN-550-1 fixed vulnerabilities in Cairo. The upstream fixes were incomplete,
and under certain situations, applications using Cairo would crash with a
floating point error. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Peter Valchev discovered that Cairo did not correctly decode PNG image data.
By tricking a user or automated system into processing a specially crafted
PNG with Cairo, a remote attacker could execute arbitrary code with user
privileges.
Updated packages for Ubuntu 7.04:
Updated packages for Ubuntu 7.10: