lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1Ew0JX-000ogYC@finlandia.Infodrom.North.DE>
Date: Mon, 9 Jan 2006 17:56:11 +0100 (CET)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 931-1] New xpdf packages fix arbitrary code execution


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 931-1                     security@...ian.org
http://www.debian.org/security/                             Martin Schulze
January 9th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-3191 CAN-2005-3192 CAN-2005-3193 CVE-2005-3624
                 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
Debian Bug     : 342281

"infamous41md" and Chris Evans discovered several heap based buffer
overflows in xpdf, the Portable Document Format (PDF) suite, that can
lead to a denial of service by crashing the application or possibly to
the execution of arbitrary code.

For the old stable distribution (woody) these problems have been fixed in
version 1.00-3.8.

For the stable distribution (sarge) these problems have been fixed in
version 3.00-13.4.

For the unstable distribution (sid) these problems have been fixed in
version 3.01-4.

We recommend that you upgrade your xpdf package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8.dsc
      Size/MD5 checksum:      706 f8091cb4e0b0c7baa8ccc4ee75a50699
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8.diff.gz
      Size/MD5 checksum:    11832 ab0665a0fa767785037ceff313cbc1b3
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00.orig.tar.gz
      Size/MD5 checksum:   397750 81f3c381cef729e4b6f4ce21cf5bbf3c

  Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_1.00-3.8_all.deb
      Size/MD5 checksum:    38826 43072ed4680dab2c7d68eec7b3f7c45a
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8_all.deb
      Size/MD5 checksum:     1286 7bd55048fc7aab6c9c35f65d472932da

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_alpha.deb
      Size/MD5 checksum:   571434 7be66f32548c87a66c2353d976a99c36
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_alpha.deb
      Size/MD5 checksum:  1046964 c83387b2ce2c92faa2cbbc86f2d9a9a8

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_arm.deb
      Size/MD5 checksum:   487502 655007df84b968ec59de01638b77f0b8
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_arm.deb
      Size/MD5 checksum:   887368 a2d7e4052bf2a5c4a495c4e45dedf89b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_i386.deb
      Size/MD5 checksum:   449748 0ae0c17cc4624b254b2aeac09c995d6f
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_i386.deb
      Size/MD5 checksum:   828498 530637087a864c6def87e31283bdeceb

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_ia64.deb
      Size/MD5 checksum:   683068 19ecb0905f8636e67bf7238c10f59ad5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_ia64.deb
      Size/MD5 checksum:  1230046 ed52eb1ba803c65bed5b9b82ec551eef

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_hppa.deb
      Size/MD5 checksum:   564570 e375463f1a090ee04616a2a28d074792
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_hppa.deb
      Size/MD5 checksum:  1034076 c7baa8decb624ae001b8325c426c3e83

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_m68k.deb
      Size/MD5 checksum:   427756 e516e992cf634de082e9261fec596417
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_m68k.deb
      Size/MD5 checksum:   795168 5315ec1734af63b31df537992fd575d7

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_mips.deb
      Size/MD5 checksum:   555626 38b3797dc8685b374bfa4d5b8310e002
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_mips.deb
      Size/MD5 checksum:  1017302 f1420c53961b3574c404e3dcee80e633

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_mipsel.deb
      Size/MD5 checksum:   546712 be27f108ed722e04bee9473fb463a749
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_mipsel.deb
      Size/MD5 checksum:   999554 d8983b16cb67d5b5da734e8a166079b1

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_powerpc.deb
      Size/MD5 checksum:   470466 c90999ac3ffef0f1ca9907ec0c52e8ca
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_powerpc.deb
      Size/MD5 checksum:   860678 1b79e9b04f6b86cee3365c27c99b8c8a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_s390.deb
      Size/MD5 checksum:   430408 09493b1bae3177137a922adbaee7af25
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_s390.deb
      Size/MD5 checksum:   786644 98062cef2cfd5f78eba94f92f7ffc7ec

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_sparc.deb
      Size/MD5 checksum:   444146 9bb3e73108672a45c87eb172b30b645e
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_sparc.deb
      Size/MD5 checksum:   810204 53735cf450d1ff09449dd4e744e31f4a


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4.dsc
      Size/MD5 checksum:      781 df2be00a261c47ed25cbf00bdcefcc32
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4.diff.gz
      Size/MD5 checksum:    50734 3018a9155bbcf704f47132bbefddd5b5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00.orig.tar.gz
      Size/MD5 checksum:   534697 95294cef3031dd68e65f331e8750b2c2

  Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.00-13.4_all.deb
      Size/MD5 checksum:    56504 333976022e4bd6b1a241844231f2db30
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4_all.deb
      Size/MD5 checksum:     1284 1b077a992654b8df5727d844deb84e0c

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_alpha.deb
      Size/MD5 checksum:   802112 93e96a4213f4966d8c0bb2c1e34b572d
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_alpha.deb
      Size/MD5 checksum:  1528190 5db2e3cd7ab5f2865d5303163c3d08a7

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_amd64.deb
      Size/MD5 checksum:   667754 df5e85b58bcb2f7b86837e7a79b745f9
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_amd64.deb
      Size/MD5 checksum:  1273734 5554c8f473a892cc8478f50bc1dd96dd

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_arm.deb
      Size/MD5 checksum:   674458 b419a39cb5b1bbaefe52c51f163913d5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_arm.deb
      Size/MD5 checksum:  1279040 fe5af7d7209bb14e865404ea695a6df3

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_i386.deb
      Size/MD5 checksum:   656804 e319b835c10f76ad7946b74da24ba1bf
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_i386.deb
      Size/MD5 checksum:  1242164 731e556748f3f84465bd6537462fde03

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_ia64.deb
      Size/MD5 checksum:   950974 fe4f3be5aa05772806309faaa3847db3
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_ia64.deb
      Size/MD5 checksum:  1801950 27c19b5813e7d2aa34aca9847c277b40

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_hppa.deb
      Size/MD5 checksum:   832646 a2504b353573d384d443e923782775f1
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_hppa.deb
      Size/MD5 checksum:  1580478 72266677b36f9ec9ab2c2bcac1dfe7ac

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_m68k.deb
      Size/MD5 checksum:   585736 e1331547251b0d5eba96c68e6665abf2
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_m68k.deb
      Size/MD5 checksum:  1116746 46d969a98302c1b49b5e9a355047adfc

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_mips.deb
      Size/MD5 checksum:   807800 d1acd349bc0a932ea3467db9796919f5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_mips.deb
      Size/MD5 checksum:  1524848 685d65d2a07676b55fa3abd8505018a9

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_mipsel.deb
      Size/MD5 checksum:   798090 18503fbab79be783005bed35d4cdb02d
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_mipsel.deb
      Size/MD5 checksum:  1503796 aaa4b1de4370d52cc2b3e595542f82c3

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_powerpc.deb
      Size/MD5 checksum:   694126 08e64354f30b1bd573092925b894c77f
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_powerpc.deb
      Size/MD5 checksum:  1313048 5f39d0ffe44186db884a7c1115704666

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_s390.deb
      Size/MD5 checksum:   630774 8b48412164ae96066c61399a5c7b3cd7
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_s390.deb
      Size/MD5 checksum:  1198670 6b837427a05f0b19630197183c9c50f1

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_sparc.deb
      Size/MD5 checksum:   626394 0bbb59b11b9d11f9129fbd475e3ab186
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_sparc.deb
      Size/MD5 checksum:  1181726 a523c04a7ae1c3b8fc24c29f46d3c589


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDwpWrW5ql+IAeqTIRAhdkAKCgwmk5BFUWu5yB3YbFlL2fLf90ZwCfbgnG
UEndv6nnPJdfmUKQUHx2Jus=
=+8on
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ