[USN-660-1] enscript vulnerability
Date: Mon, 3 Nov 2008 16:14:42 -0800
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-660-1] enscript vulnerability
Message-ID: <20081104001442.GE9448@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="NQTVMVnDVuULnIzU"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.63 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--NQTVMVnDVuULnIzU
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-660-1 November 03, 2008
enscript vulnerability
CVE-2008-3863, CVE-2008-4306
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
enscript 1.6.4-7ubuntu0.2
Ubuntu 7.10:
enscript 1.6.4-11ubuntu0.2
Ubuntu 8.04 LTS:
enscript 1.6.4-12ubuntu0.8.04.1
Ubuntu 8.10:
enscript 1.6.4-12ubuntu0.8.10.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Ulf H=E4rnhammar discovered multiple stack overflows in enscript's handling=
of
special escape arguments. If a user or automated system were tricked into
processing a malicious file with the "-e" option enabled, a remote attacker
could execute arbitrary code or cause enscript to crash, possibly leading
to a denial of service.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2.diff.gz
Size/MD5: 21257 099ec23f341d2d17283bde9b36942ab6
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2.dsc
Size/MD5: 674 432f64fe62d7d29e13872525726cb032
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.o=
rig.tar.gz
Size/MD5: 1036734 b5174b59e4a050fb462af5dbf28ebba3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2_amd64.deb
Size/MD5: 423482 636c62e47e3e73b9389b47bfcc8c6647
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2_i386.deb
Size/MD5: 405530 41f6c81e90905043fa9018d8f4e30457
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2_powerpc.deb
Size/MD5: 419126 6c80126f37f4800f0507329dd6bb0aa3
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-7=
ubuntu0.2_sparc.deb
Size/MD5: 411222 47084632ebb468a3d13f52dcee9dd977
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2.diff.gz
Size/MD5: 91026 c788b4b331ad7ddd6a2743ae27f725a4
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2.dsc
Size/MD5: 767 084a84daf7f8b47f2ac3bf3debb995ea
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.o=
rig.tar.gz
Size/MD5: 1036734 b5174b59e4a050fb462af5dbf28ebba3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2_amd64.deb
Size/MD5: 425468 5f020fcebfffb46ed32cc6ae50939972
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2_i386.deb
Size/MD5: 411500 3f7ebb92b6a87efce2ec18ad2cbed2d3
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-11ubuntu0.2=
_lpia.deb
Size/MD5: 414372 3630143c4898a99a48a13bd5899f003c
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2_powerpc.deb
Size/MD5: 424744 bbd80756d675ae285b7bfec9992fbc55
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
1ubuntu0.2_sparc.deb
Size/MD5: 415382 f665b649a786296363e17fd6f560bb0f
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.04.1.diff.gz
Size/MD5: 93119 62c2bd2cef254af68bd2fa0c7d1d36f3
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.04.1.dsc
Size/MD5: 774 7cb02960688d0e9fb17f30bc7932577e
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.o=
rig.tar.gz
Size/MD5: 1036734 b5174b59e4a050fb462af5dbf28ebba3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.04.1_amd64.deb
Size/MD5: 425882 56b5c201eba9f4ccba832d9de0277b6a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.04.1_i386.deb
Size/MD5: 412426 7e5bd9e9ed8d8a69e01f112ace8bf9d8
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E04.1_lpia.deb
Size/MD5: 414800 6c3584e7ca1dc88917d3f24298cbd78b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E04.1_powerpc.deb
Size/MD5: 426356 c9efe8d867bdcf618857c2eb6a140d6b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E04.1_sparc.deb
Size/MD5: 415802 0d13cb614bbaefb045515c3ac223c5a6
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.10.1.diff.gz
Size/MD5: 93116 0338194240bae030e8150e47ac40208d
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.10.1.dsc
Size/MD5: 1188 ac3234ebd2b48790ac95d4d1baae83e8
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4.o=
rig.tar.gz
Size/MD5: 1036734 b5174b59e4a050fb462af5dbf28ebba3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.10.1_amd64.deb
Size/MD5: 428584 64a869b979b5d62ff169b68e322ae43f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/e/enscript/enscript_1.6.4-1=
2ubuntu0.8.10.1_i386.deb
Size/MD5: 415574 25eb8ba34f468dd58a6ddf607d54e434
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E10.1_lpia.deb
Size/MD5: 416772 9ec0d324ce07b50261acc2896618a46f
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E10.1_powerpc.deb
Size/MD5: 426934 5aa206fa2bee1d271672ce6041e8616b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/e/enscript/enscript_1.6.4-12ubuntu0.8=
=2E10.1_sparc.deb
Size/MD5: 418004 97edf96856ff530d88075b3076cc037e
--NQTVMVnDVuULnIzU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net.>
iEYEARECAAYFAkkPk/IACgkQH/9LqRcGPm3A2gCeIG9zEsUAlk0xxxfCn24yoITk
E98AoJkTFr8Cll8CMTZhzCD4JqUskUxu
=AJyg
-----END PGP SIGNATURE-----
--NQTVMVnDVuULnIzU--