lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060520174613.GA7816@galadriel.inutil.org>
Date: Sat May 20 18:47:09 2006
From: jmm at debian.org (Moritz Muehlenhoff)
Subject: [SECURITY] [DSA 1068-1] New fbi packages fix
	denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1068-1                    security@...ian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
May 20th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : fbi
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-1695
Debian Bug     : 361370

Jan Braun discovered that the fbgs script of fbi, an image viewer for
the framebuffer environment, creates an directory in a predictable manner,
which allows denial of service through symlink attacks.

For the old stable distribution (woody) this problem has been fixed in
version 1.23woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.01-1.2sarge1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your fbi package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1.dsc
      Size/MD5 checksum:      559 4aa635f3124ac9e654ad25c11f9c1420
    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1.tar.gz
      Size/MD5 checksum:    58027 20831f12eaf6fd6f4faa928ad2d80428

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_alpha.deb
      Size/MD5 checksum:    49472 6004536fd8a9210c041bf7ab4570c254

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_arm.deb
      Size/MD5 checksum:    40320 bd6d1d6addcd838e7d0d309b6f1b424a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_i386.deb
      Size/MD5 checksum:    37476 917af0dcaa790e71eef2d20d6766b472

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_ia64.deb
      Size/MD5 checksum:    60846 8435e5bba35a1e2b82f52102dee7e255

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_hppa.deb
      Size/MD5 checksum:    45078 e1343c5ab373022682ea9659c17642e1

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_m68k.deb
      Size/MD5 checksum:    35324 3331d7b580216a5ba9590c936000b32c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_mips.deb
      Size/MD5 checksum:    43206 a9234c16f320296bd2167ee97a9c193d

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_mipsel.deb
      Size/MD5 checksum:    43326 05850aa0862a75c0e9340ff3130b2e7a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_powerpc.deb
      Size/MD5 checksum:    40652 52a8724735c368dad3a6cce4fe2e2986

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_s390.deb
      Size/MD5 checksum:    40358 55e2c97bb3b6e84e65220b8e36fe8bd3

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_sparc.deb
      Size/MD5 checksum:    38928 0e474d52aac9c49575e09c89cc160dc8


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1.dsc
      Size/MD5 checksum:      735 af3db0f27d3d8bab9b8051dc497abaaa
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1.diff.gz
      Size/MD5 checksum:     4840 66b2f2ed2577ef905865b9c18409994e
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01.orig.tar.gz
      Size/MD5 checksum:   205822 7bf21eae612fd457155533a83ab075c2

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_alpha.deb
      Size/MD5 checksum:    29496 597e1fb3a2a44a3e130e71ee14c7818a
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_alpha.deb
      Size/MD5 checksum:    67638 6a60e3c72741d6e6667d6dc256284361

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_amd64.deb
      Size/MD5 checksum:    24474 b59a585d73a3c28060ad56a3aa7e7f0a
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_amd64.deb
      Size/MD5 checksum:    57326 3e846d45b831c55f960792a033d4eafb

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_arm.deb
      Size/MD5 checksum:    22440 6e70ab80e54f70b63a45a0476f883ff7
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_arm.deb
      Size/MD5 checksum:    51178 a53903ec2a00b07c5eaad8acbe91dd4e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_i386.deb
      Size/MD5 checksum:    22644 c62296dbeb5e1aaee865595b6edd6f61
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_i386.deb
      Size/MD5 checksum:    52126 5e8ce488ccf3ae55e9e18586c3dcad7a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_ia64.deb
      Size/MD5 checksum:    33838 39beccb7cb3e14c5432ca6c7c6aebaa8
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_ia64.deb
      Size/MD5 checksum:    79752 c4dcf30f9d03eea3c2b88744fdb7ecb4

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_hppa.deb
      Size/MD5 checksum:    26856 5e3917309718e88ba92acf987511f828
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_hppa.deb
      Size/MD5 checksum:    60152 9a87a9cf08571d7dde5105e44aac6b09

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_m68k.deb
      Size/MD5 checksum:    20692 5f02a36a487e20139fa44a6578734352
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_m68k.deb
      Size/MD5 checksum:    47274 99544f2a08a563cd49e873d76a4144bb

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_mips.deb
      Size/MD5 checksum:    25992 265989c07aae9d76a9d1413652d550a5
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_mips.deb
      Size/MD5 checksum:    59434 db2964812374a7e991da7d590dfa9da4

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_mipsel.deb
      Size/MD5 checksum:    26058 040e3d982d77cd40118f5249e1dcd996
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_mipsel.deb
      Size/MD5 checksum:    59166 6ad4d70a30f65b1784269b903ea8271a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_powerpc.deb
      Size/MD5 checksum:    25912 24f98eff47c2ec279c37ed8e678e087a
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_powerpc.deb
      Size/MD5 checksum:    57236 ba603481f53226cfe797714014f2586f

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_s390.deb
      Size/MD5 checksum:    24420 8e769aa578139330b6a1211d51cce264
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_s390.deb
      Size/MD5 checksum:    58016 ec38329e241e32e0a0bd00d114c1c65f

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_sparc.deb
      Size/MD5 checksum:    23016 4e89f15043cf08dccc1b84175e632fc2
    http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_sparc.deb
      Size/MD5 checksum:    52440 7adbfbe748f548614c2726265dc8f680


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEb1V/Xm3vHE4uyloRAtilAKDQHjf0Ml01J1wipeYLdQSQB5dV8QCgtf/X
nGrW4UdYYHiiClmReAoKx28=
=p2d1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ