lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NWRYp-00021G-Fi@chopin.debian.org>
Date: Sun, 17 Jan 2010 09:36:43 +0000
From: Stefan Fritsch <sf@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA-1972-1] New audiofile packages fix buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-1972-1                  security@...ian.org
http://www.debian.org/security/                           Stefan Fritsch
January 17, 2010                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : audiofile
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5824
Debian bug     : 510205

Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

The old stable distribution (etch), this problem will be fixed in
version 0.2.6-6+etch1.

The packages for the oldtable distribution are not included in this
advisory. An update will be released soon.

For the stable distribution (lenny), this problem has been fixed in
version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6.orig.tar.gz
    Size/MD5 checksum:   374688 9c1049876cd51c0f1b12c2886cce4d42
  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-7+lenny1.dsc
    Size/MD5 checksum:     1048 ba1535425e02719cb32aaed448b9e615
  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-7+lenny1.diff.gz
    Size/MD5 checksum:   300816 57eece898416b8ecf3aa5dac27f2c4fc

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_alpha.deb
    Size/MD5 checksum:   158224 c1579697bbb721374da6451aa12a2030
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_alpha.deb
    Size/MD5 checksum:    90028 01aa1e7a90c361cdd95f289f4d2b554d
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_alpha.deb
    Size/MD5 checksum:   167796 34be04955f6912507db6855eb51fa3cf

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_amd64.deb
    Size/MD5 checksum:    83988 1f3b65530a04afb05e077ff7ed72d331
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_amd64.deb
    Size/MD5 checksum:   169514 94248270333cdf6278dc7b27d3af01d7
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_amd64.deb
    Size/MD5 checksum:   130610 a5ba3174a86f15a11f8922ed892f9bec

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_arm.deb
    Size/MD5 checksum:    74696 f3aa521f8ed711b4a2fd3ff14a3bba32
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_arm.deb
    Size/MD5 checksum:   164142 a87e3ac1f10e120bf8451aac693036ad
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_arm.deb
    Size/MD5 checksum:   116354 20bccdc0014746f3b07c7b19acbef513

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_armel.deb
    Size/MD5 checksum:    77702 0effe95d77f86d22aed53a9a93012d2b
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_armel.deb
    Size/MD5 checksum:   121328 52f253d4bbf24883ca3dd83a7d9e0686
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_armel.deb
    Size/MD5 checksum:   166310 7f5222c459b8964c6551746641b9e385

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_hppa.deb
    Size/MD5 checksum:   135830 8ad815e277bf74a7a231fd3577d1ecbb
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_hppa.deb
    Size/MD5 checksum:    87580 83007039c0d0aa96508027c58d44956d
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_hppa.deb
    Size/MD5 checksum:   166476 4ea9d29c71058ed703baeb407ebf74ef

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
    Size/MD5 checksum:   164582 7c84007f5260c1b9ce714d9e090b649c
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_i386.deb
    Size/MD5 checksum:   118288 99ca6cf504847281ffee6095d6c56df9
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_i386.deb
    Size/MD5 checksum:    77984 eaa5796ba0a90db7d759719ea46e3ea7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_ia64.deb
    Size/MD5 checksum:   171436 87e839b3f36d8374d46dd8cc46cfdf02
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_ia64.deb
    Size/MD5 checksum:   160876 0a1fca9b908b5626c488befbf17951cd
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_ia64.deb
    Size/MD5 checksum:   114662 fcb0924085a99cb1f5fb7352cb7c4cfe

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_mips.deb
    Size/MD5 checksum:    77652 cf4fdc50fb0c27d2d01ea62a00e419ae
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_mips.deb
    Size/MD5 checksum:   136234 a99b4802eac588c1a4204b4cb51ee750
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_mips.deb
    Size/MD5 checksum:   170994 e1579208d48d6eed6d5b4ee78f633c25

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_mipsel.deb
    Size/MD5 checksum:    77354 9956348cc10198f72e01ef2de9fefb3c
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_mipsel.deb
    Size/MD5 checksum:   169408 e442c1e3761d6417f8619b67f100d0ac
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_mipsel.deb
    Size/MD5 checksum:   136282 4aa8e92fdf213266c6a00815d2ee1326

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_powerpc.deb
    Size/MD5 checksum:   168454 57af4df319a43b6bbe3f26da61b6996c
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_powerpc.deb
    Size/MD5 checksum:   131276 481f73af6d5b0532d830889a2d0e17b7
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_powerpc.deb
    Size/MD5 checksum:    82444 94db16051730d9c914d3cb1cb8eb983b

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_s390.deb
    Size/MD5 checksum:   126500 aaa163e9465ea8781f6af4ca7c9d2ee1
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_s390.deb
    Size/MD5 checksum:    83506 1d9f7379d796d06ca3e18027039fab42
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_s390.deb
    Size/MD5 checksum:   169568 9e4273791c4237c68fa2e70251d6cf93

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_sparc.deb
    Size/MD5 checksum:   117968 ec723b26f1cca8f967695d0701d5defb
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_sparc.deb
    Size/MD5 checksum:   154992 581562d68231ccef4ea31a33c3efcf93
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_sparc.deb
    Size/MD5 checksum:    74984 b8b65cf6dc6d7c2947c4049aa27d44ca


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLUtmzbxelr8HyTqQRAkJwAKCeQxQPQHSTBQTYt28fGBuQc3isBgCfXvPg
D0nWskyEDwZ34JBBpZV21Fo=
=2bKJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ