News

Thursday, December 06, 2012

ubuntu-security-announce Digest, Vol 99, Issue 3


Today's Topics:

1. [USN-1654-1] CUPS vulnerability (Marc Deslauriers)
2. [USN-1655-1] LibTIFF vulnerability (Seth Arnold)
3. [USN-1656-1] Libxml2 vulnerability (Seth Arnold)


----------------------------------------------------------------------

Message: 1
Date: Wed, 05 Dec 2012 13:42:43 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1654-1] CUPS vulnerability
Message-ID: <50BF95A3.5090407@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1654-1
December 05, 2012

cups, cupsys vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

CUPS could be made to read files or run programs as an administrator.

Software Description:
- cups: Common UNIX Printing System(tm)
- cupsys: Common UNIX Printing System(tm)

Details:

It was discovered that users in the lpadmin group could modify certain CUPS
configuration options to escalate privileges. An attacker could use this to
potentially gain root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
cups 1.6.1-0ubuntu11.3

Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu5.1

Ubuntu 11.10:
cups 1.5.0-8ubuntu7.3

Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.9

Ubuntu 8.04 LTS:
cupsys 1.3.7-1ubuntu3.16

In general, a standard system update will make all the necessary changes.

This update adds the new cups-files.conf configuration file for privileged
CUPS settings. In certain customized environments, these settings may need
to be manually moved to this new file. For more information, please see the
updated documentation installed with this package and inspect the CUPS
error log.

References:
http://www.ubuntu.com/usn/usn-1654-1
CVE-2012-5519

Package Information:
https://launchpad.net/ubuntu/+source/cups/1.6.1-0ubuntu11.3
https://launchpad.net/ubuntu/+source/cups/1.5.3-0ubuntu5.1
https://launchpad.net/ubuntu/+source/cups/1.5.0-8ubuntu7.3
https://launchpad.net/ubuntu/+source/cups/1.4.3-1ubuntu1.9
https://launchpad.net/ubuntu/+source/cupsys/1.3.7-1ubuntu3.16


------------------------------
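
Added example, not part of the advisory or of the CUPS packages: USN-1654-1 notes that privileged settings may need to be moved by hand into the new cups-files.conf, so this sketch lists the lines of a cupsd.conf that still carry such settings. The directive list is an assumption taken from the cups-files.conf manual page (a subset; the advisory does not enumerate it), and the sample configuration is constructed.

```python
import sys

# Directives documented for cups-files.conf (subset; assumption from the
# cups-files.conf manual page, not from the advisory text). Extend as needed.
PRIVILEGED = {
    "AccessLog", "CacheDir", "ConfigFilePerm", "DataDir", "DocumentRoot",
    "ErrorLog", "FileDevice", "FontPath", "Group", "LogFilePerm", "PageLog",
    "Printcap", "PrintcapFormat", "RequestRoot", "ServerBin", "ServerRoot",
    "StateDir", "SystemGroup", "TempDir", "User",
}
# CUPS directive names are case-insensitive, so match on the lowered form.
_LOOKUP = {name.lower(): name for name in PRIVILEGED}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# Constructed sample cupsd.conf
LogLevel warn
SystemGroup lpadmin
Listen localhost:631
errorlog /var/log/cups/error_log
<Location /admin>
  Order allow,deny
</Location>
PageLog /var/log/cups/page_log
"""

def misplaced_directives(cupsd_conf_text):
    """Return (line_no, directive, value) for settings to review and move."""
    findings = []
    for line_no, raw in enumerate(cupsd_conf_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and <Location>/<Policy>/<Limit> section tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        name = _LOOKUP.get(parts[0].lower())
        if name:
            findings.append((line_no, name, parts[1] if len(parts) > 1 else ""))
    return findings

if __name__ == "__main__":
    # Pass the path to a cupsd.conf as the first argument; without one the
    # constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line_no, name, value in misplaced_directives(text):
        print(f"line {line_no}: {name} {value}  -> review for cups-files.conf")
```
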

Message: 2
Date: Wed, 5 Dec 2012 13:09:55 -0800
From: Seth Arnold <seth.arnold@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1655-1] LibTIFF vulnerability
Message-ID: <20121205210955.GA29987@hunt>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1655-1
December 05, 2012

tiff vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Programs that use LibTIFF could be made to crash or run programs if they
opened a specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images using the DOTRANGE tag. If a user or automated system were
tricked into opening a specially crafted TIFF image, a remote attacker
could crash the application, leading to a denial of service, or possibly
execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
libtiff4 3.9.5-2ubuntu1.4

Ubuntu 11.10:
libtiff4 3.9.5-1ubuntu1.5

Ubuntu 10.04 LTS:
libtiff4 3.9.2-2ubuntu0.12

Ubuntu 8.04 LTS:
libtiff4 3.8.2-7ubuntu3.16

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1655-1
CVE-2012-5581

Package Information:
https://launchpad.net/ubuntu/+source/tiff/3.9.5-2ubuntu1.4
https://launchpad.net/ubuntu/+source/tiff/3.9.5-1ubuntu1.5
https://launchpad.net/ubuntu/+source/tiff/3.9.2-2ubuntu0.12
https://launchpad.net/ubuntu/+source/tiff/3.8.2-7ubuntu3.16

------------------------------

Message: 3
Date: Wed, 5 Dec 2012 17:37:38 -0800
From: Seth Arnold <seth.arnold@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1656-1] Libxml2 vulnerability
Message-ID: <20121206013738.GA1482@hunt>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1656-1
December 06, 2012

libxml2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Applications using libxml2 could be made to crash or run programs as
your login if they opened a specially crafted file.

Software Description:
- libxml2: GNOME XML library

Details:

It was discovered that libxml2 had a heap-based buffer underflow
when parsing entities. If a user or automated system were tricked into
processing a specially crafted XML document, applications linked against
libxml2 could be made to crash or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libxml2 2.8.0+dfsg1-5ubuntu2.1

Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.3

Ubuntu 11.10:
libxml2 2.7.8.dfsg-4ubuntu0.5

Ubuntu 10.04 LTS:
libxml2 2.7.6.dfsg-1ubuntu1.7

Ubuntu 8.04 LTS:
libxml2 2.6.31.dfsg-2ubuntu1.11

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1656-1
CVE-2012-5134

Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.8.0+dfsg1-5ubuntu2.1
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-5.1ubuntu4.3
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-4ubuntu0.5
https://launchpad.net/ubuntu/+source/libxml2/2.7.6.dfsg-1ubuntu1.7
https://launchpad.net/ubuntu/+source/libxml2/2.6.31.dfsg-2ubuntu1.11

------------------------------
