lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080210205624.GA4437@galadriel.inutil.org>
Date: Sun, 10 Feb 2008 21:56:24 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1491-1] New tk8.4 packages fix
	arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1491-1                  security@...ian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
February 10, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tk8.4
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-0553

It was discovered that a buffer overflow in the GIF image parsing code
of Tk, a cross-platform graphical toolkit, could lead to denial of
service and potentially the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 8.4.12-1etch2.

For the old stable distribution (sarge), this problem has been fixed in
version 8.4.9-1sarge2.

We recommend that you upgrade your tk8.4 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9.orig.tar.gz
    Size/MD5 checksum:  3266500 1b64258abaf258e9a86f331d8de17a71
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2.diff.gz
    Size/MD5 checksum:    19342 41a2a5bc9b62ecb6bbae8ef6bf9cc23d
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2.dsc
    Size/MD5 checksum:      672 591b8bd996be45daee43dcb0cd1f8815

Architecture independent packages:

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-doc_8.4.9-1sarge2_all.deb
    Size/MD5 checksum:   775312 89ad74c73bdfed9b2811a05a08b5fe92

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_alpha.deb
    Size/MD5 checksum:   940460 5118b63aafb55fd885d6360361e39e7c
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_alpha.deb
    Size/MD5 checksum:  1031446 68fefac513706a03f7c7fb7fcd04d9b9

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_amd64.deb
    Size/MD5 checksum:   810124 632854f78763d41d1b9d65b5da1b2909
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_amd64.deb
    Size/MD5 checksum:   976424 21a43a779b8ed88bc57a37b779380caa

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_arm.deb
    Size/MD5 checksum:   823992 161c57a5130d0be1a0538531b33b344c
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_arm.deb
    Size/MD5 checksum:   945242 357bd0c48a6582112b2266d4e816e3e7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_hppa.deb
    Size/MD5 checksum:   912888 10d8447e4958053c0c6526e4da09e0fb
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_hppa.deb
    Size/MD5 checksum:  1046614 3c2f17f53f9556f47c953d96495c4a40

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_i386.deb
    Size/MD5 checksum:   956188 e5622c965da1e8d140f2e4f200133d00
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_i386.deb
    Size/MD5 checksum:   793374 1c69c159005de29b0972924005776eb8

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_ia64.deb
    Size/MD5 checksum:  1053448 3d8a54d72c65db72771171b86a4a12fa
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_ia64.deb
    Size/MD5 checksum:  1182510 050234d3ee71b5aca66e9a743804239c

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_m68k.deb
    Size/MD5 checksum:   696458 35db6210d983f12250e0970c17b2e31b
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_m68k.deb
    Size/MD5 checksum:   909280 9c61aac16b366c5c05eedb2022e72ed6

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_mips.deb
    Size/MD5 checksum:   838884 f4509833e2022ff4c9251526697db137
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_mips.deb
    Size/MD5 checksum:   974098 ebedb583012e093aafeeb2185ddd20cf

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_mipsel.deb
    Size/MD5 checksum:   834690 6dadf0e560251c7c3374e7084e8da83b
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_mipsel.deb
    Size/MD5 checksum:   972004 d66acaffd44af8463f74710a7601fefd

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_powerpc.deb
    Size/MD5 checksum:   972350 f4a9e8bf74f42b25c34db8f1568c9d8d
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_powerpc.deb
    Size/MD5 checksum:   810052 e9701b9dca60a3fdd84c46c1f555dd83

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_s390.deb
    Size/MD5 checksum:   807464 d4d73b1478eae680b2003fdec6f4ceb3
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_s390.deb
    Size/MD5 checksum:   979890 8bfb0cc0fd20a4b0d8487df2e692add8

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge2_sparc.deb
    Size/MD5 checksum:   958298 31f02fcdbb4063289c50e3e92cef6378
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge2_sparc.deb
    Size/MD5 checksum:   806214 3cb0e95afa875185fe457ef7d317f9db

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2.dsc
    Size/MD5 checksum:      673 8a67dd58d45ad9c4705102a2de8d6987
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12.orig.tar.gz
    Size/MD5 checksum:  3245547 316491cb82d898b434842353aed1f0d6
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2.diff.gz
    Size/MD5 checksum:    21747 77aa57e251bf839048c9048af5ba20ad

Architecture independent packages:

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-doc_8.4.12-1etch2_all.deb
    Size/MD5 checksum:   788438 d8614ab0eeaea332d7f85b7635093c98

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_alpha.deb
    Size/MD5 checksum:   968030 3fc751321940ad0bbc2322e48b6e8339
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_alpha.deb
    Size/MD5 checksum:  1050864 c3dc809a22c8690810ef707a52f8b1fe

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_amd64.deb
    Size/MD5 checksum:  1008902 80d89dcf9bc8d600269584bbe2f28e91
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_amd64.deb
    Size/MD5 checksum:   839362 58db7235b1da2ea5e3ee391f8224c5f3

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_arm.deb
    Size/MD5 checksum:   793906 375b065e080b63584ab7ee902d4e70e0
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_arm.deb
    Size/MD5 checksum:   971658 226561f98ba563d0903a60f1f694fef7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_hppa.deb
    Size/MD5 checksum:  1073442 46ecf3cef8d61feba191f9c9d3f5cc2e
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_hppa.deb
    Size/MD5 checksum:   931724 00de88d90abc1ec6424b5d0addf6b1c4

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_i386.deb
    Size/MD5 checksum:   977632 015be44e613a751af013c706c0b87ab2
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_i386.deb
    Size/MD5 checksum:   820786 586b4a3739f1c4f658e13e70f851d57c

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_ia64.deb
    Size/MD5 checksum:  1136290 b98650c6ecab03b0fee872e1907411c5
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_ia64.deb
    Size/MD5 checksum:  1259618 d69ea6067cdb6528be0cd686b5c00696

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_mips.deb
    Size/MD5 checksum:   877896 cf9a61ae0049a26815e56ab2ab02dd87
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_mips.deb
    Size/MD5 checksum:  1000308 149a697aa365874121d524b5f6614d50

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_mipsel.deb
    Size/MD5 checksum:   999208 4d12b599580d276d09b940defe2456da
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_mipsel.deb
    Size/MD5 checksum:   875858 4beeaf45a820b04da0d488246d518c79

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_powerpc.deb
    Size/MD5 checksum:   998938 49b55bf5805216d61f976585c8528b14
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_powerpc.deb
    Size/MD5 checksum:   807072 a68c5a00c1d17b0f8070b70f91edca11

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_s390.deb
    Size/MD5 checksum:  1016866 020ee08295df231dba7100d68f4306b1
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_s390.deb
    Size/MD5 checksum:   847188 6bfb7c319ef6bf4a1cff60a291b32cca

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.12-1etch2_sparc.deb
    Size/MD5 checksum:   978996 16b0c114b0feb65c39b7d453b294a348
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.12-1etch2_sparc.deb
    Size/MD5 checksum:   826650 baaac055088de0ea43775911f1d6c009


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHr2S7Xm3vHE4uyloRAgiqAKDCS5fJNTo+1dYTJprccwkDWqEkKQCgif1M
QovWc691vk2hWizb/3aKtH0=
=uGWw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ