Boletines de Vulnerabilidades

int(3615)

Boletines de Vulnerabilidades

Ejecución de código arbitrario en Cairo
Clasificación de la vulnerabilidad
Propiedad	Valor
Nivel de Confianza	Oficial
Impacto	Obtener acceso
Dificultad	Experto
Requerimientos del atacante	Acceso remoto sin cuenta a un servicio estandar
Información sobre el sistema
Propiedad	Valor
Fabricante afectado	GNU/Linux
Software afectado	Cairo
Descripción
Se ha encontrado una vulnerabilidad del tipo desbordamiento de entero en Cairo. La vulnerabilidad reside en un error en la función read_png() en la forma en que procesa las imágenes PNG. Un atacante remoto podría ejecutar código arbitrario mediante una imagen PNG especialmente diseñada.
Solución
Actualización de software Red Hat (RHSA-2007:1078-3) RHEL Desktop Workstation (v. 5 client) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) https://rhn.redhat.com/ Mandriva (MDVSA-2008:019) Mandriva Linux 2007 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-devel-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-static-devel-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cairo-1.2.4-2.1mdv2007.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-devel-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-static-devel-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cairo-1.2.4-2.1mdv2007.0.src.rpm Mandriva Linux 2007.1 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-devel-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-static-devel-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cairo-1.4.2-1.1mdv2007.1.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-devel-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-static-devel-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cairo-1.4.2-1.1mdv2007.1.src.rpm Mandriva Linux 2008.0 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo-devel-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo-static-devel-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo2-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cairo-1.4.10-2.2mdv2008.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo-devel-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo-static-devel-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo2-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cairo-1.4.10-2.2mdv2008.0.src.rpm Corporate Server 4.0 corporate/4.0/i586/libcairo2-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/i586/libcairo2-devel-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/i586/libcairo2-static-devel-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/SRPMS/cairo-1.0.0-8.2.20060mlcs4.src.rpm X86_64 corporate/4.0/x86_64/lib64cairo2-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/x86_64/lib64cairo2-devel-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/x86_64/lib64cairo2-static-devel-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/SRPMS/cairo-1.0.0-8.2.20060mlcs4.src.rpm Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux. Debian (DSA-1542-1) Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.dsc http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4.orig.tar.gz http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.diff.gz Arquitectura independiente http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-doc_1.2.4-4.1+etch1_all.deb alpha (DEC Alpha) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_alpha.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_alpha.deb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_amd64.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_amd64.deb arm (ARM) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_arm.udeb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_hppa.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_i386.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_ia64.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mips.udeb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mipsel.udeb powerpc (PowerPC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_powerpc.udeb s390 (IBM S/390) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_s390.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_s390.deb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_sparc.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_sparc.deb
Identificadores estándar
Propiedad	Valor
CVE	CVE-2007-5503
BID
Recursos adicionales
Red Hat Security Advisory (RHSA-2007:1078-3) https://rhn.redhat.com/errata/RHSA-2007-1078.html Mandriva Security Advisory (MDVSA-2008:019) http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:019 SUSE Security Advisory (SUSE-SR:2008:003) http://www.novell.com/linux/security/advisories/2008_3_sr.htm Debian Security Advisory (DSA-1542-1) http://lists.debian.org/debian-security-announce/2008/msg00112.html

Histórico de versiones
Versión	Comentario	Fecha
1.0	Aviso emitido	2007-11-30
1.1	Aviso emitido por Mandriva (MDVSA-2008:019)	2008-01-22
1.2	Aviso emitido por Suse (SUSE-SR:2008:003)	2008-02-11
1.3	Aviso emitido por Debian (DSA-1542-1)	2008-04-14

Boletines de Vulnerabilidades

Ejecución de código arbitrario en Cairo

Clasificación de la vulnerabilidad

Información sobre el sistema

Descripción

Solución

Identificadores estándar

Recursos adicionales

Histórico de versiones