Message-Id: <20080518092926.9AB2B32687E@morgana.loeki.tv>
Date: Sun, 18 May 2008 11:29:26 +0200 (CEST)
From: Devin Carraway <devin@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1579-1] New netpbm-free packages fix arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1579-1                  security@...ian.org
http://www.debian.org/security/                           Devin Carraway
May 18, 2008                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : netpbm-free
Vulnerability  : insufficient input sanitizing
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-0554

A vulnerability was discovered in the GIF reader implementation in
netpbm-free, a suite of image manipulation utilities.  Insufficient
input data validation could allow a maliciously crafted GIF file
to overrun a stack buffer, potentially permitting the execution of
arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 2:10.0-11.1+etch1.

For the unstable distribution (sid), this problem was fixed in
version 2:10.0-11.1.

We recommend that you upgrade your netpbm packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_10.0-11.1+etch1.diff.gz
    Size/MD5 checksum:    49833 5e340881bb56e88ca2525c5baf3a12cf
  http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_10.0.orig.tar.gz
    Size/MD5 checksum:  1926538 985e9f6d531ac0b2004f5cbebdeea87d
  http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_10.0-11.1+etch1.dsc
    Size/MD5 checksum:      755 e8b82a4cab1e4352faf53d6093ff02d1

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----
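
Added example (not part of the advisory, and not Debian's own code): a check of an installed netpbm version string against the fixed versions stated above, using a re-implementation of Debian's version ordering (epoch, upstream version, revision, with '~' sorting lowest). The function names and the sample version strings in the comments are assumptions made for illustration.

```python
# Added example; FIXED holds the two fixed versions named in DSA-1579-1.
DIGITS = frozenset("0123456789")
FIXED = {"etch": "2:10.0-11.1+etch1", "sid": "2:10.0-11.1"}

def _order(c):
    """Sort weight of a non-digit position: '~' < end/digit < letters < others."""
    if c == "~" or c == "" or c in DIGITS:
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically (an empty run counts as 0).
        si, sj = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    """Debian ordering of two full version strings; returns -1, 0 or 1."""
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, suite):
    """True when the installed version is at or above the suite's fixed version."""
    return compare(installed, FIXED[suite]) >= 0
```

On a Debian host, dpkg --compare-versions performs the same comparison. A version string without the "2:" epoch sorts below both fixed versions regardless of its upstream number, so inventory data that drops the epoch will misreport status.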