lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080603092735.7BBBC32687F@morgana.loeki.tv>
Date: Tue,  3 Jun 2008 11:27:35 +0200 (CEST)
From: thijs@...ian.org (Thijs Kinkhorst)
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1591-1] New libvorbis packages
	fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1591-1                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
June 03, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libvorbis
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-1419 CVE-2008-1420 CVE-2008-1423
Debian Bug     : 482518

Several local (remote) vulnerabilities have been discovered in libvorbis,
a library for the Vorbis general-purpose compressed audio codec. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-1419

    libvorbis does not properly handle a zero value which allows remote
    attackers to cause a denial of service (crash or infinite loop) or
    trigger an integer overflow.

CVE-2008-1420

    Integer overflow in libvorbis allows remote attackers to execute
    arbitrary code via a crafted OGG file, which triggers a heap overflow.

CVE-2008-1423

    Integer overflow in libvorbis allows remote attackers to cause a denial
    of service (crash) or execute arbitrary code via a crafted OGG file
    which triggers a heap overflow.

For the stable distribution (etch), these problems have been fixed in version
1.1.2.dfsg-1.4.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.0.dfsg-3.1. 

We recommend that you upgrade your libvorbis package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.dsc
    Size/MD5 checksum:      787 2f0bfd28fb368c43c56332e7de7a2e3d
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg.orig.tar.gz
    Size/MD5 checksum:  1312540 44cf09fef7f78e7c6ba7dd63b6137412
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.diff.gz
    Size/MD5 checksum:    15782 62527e6adcff1dca42018a0252b19b91

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_alpha.deb
    Size/MD5 checksum:    94500 edb2728b48cd6fc0357f62a7dc8fca5c
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_alpha.deb
    Size/MD5 checksum:   110468 8273babee8a08c373671b468469b2ede
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_alpha.deb
    Size/MD5 checksum:    19202 925dfba3f212e8b69c760c433b119716
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_alpha.deb
    Size/MD5 checksum:   494958 0052fe78f4be43cb9a7f42ea2b25f7fe

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_amd64.deb
    Size/MD5 checksum:    17790 f49da89a8b972614687f3a5e2f6c5bac
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_amd64.deb
    Size/MD5 checksum:    93498 241499415b96f3e348d1ec9c66a45981
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_amd64.deb
    Size/MD5 checksum:   101508 63e1e8392876a822dc664e21b19e0185
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_amd64.deb
    Size/MD5 checksum:   468670 8c6c80eb7b8e7f8b49be1447357ebce1

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_arm.deb
    Size/MD5 checksum:    75744 03dad28341cde24fbbfd20444bf346c2
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_arm.deb
    Size/MD5 checksum:    18528 508cb939f65a367447c44add9dd8c11a
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_arm.deb
    Size/MD5 checksum:    98190 a09c2d3021f7b9d2d9b2bf04b2d30957
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_arm.deb
    Size/MD5 checksum:   458578 6dcadbb28c56a0a9368bfcd67b28d3fa

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_hppa.deb
    Size/MD5 checksum:   483196 0435784553fb2b9c08c915da58c3c7e1
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_hppa.deb
    Size/MD5 checksum:    21978 6ade3e3b040f8e01c4fe023df6faf2de
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_hppa.deb
    Size/MD5 checksum:   108084 7d263ee14d29b787b0f32710ae2bffdf
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_hppa.deb
    Size/MD5 checksum:    92430 72180513d203103e56e4929ca6da035f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_i386.deb
    Size/MD5 checksum:   453652 55bc31f817b6806d19d8f0696cc288cd
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_i386.deb
    Size/MD5 checksum:    18884 5d4f1bccf5efa0d5ba5767b49f97d253
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_i386.deb
    Size/MD5 checksum:    75346 f11509bd2b430f8be62706a13748d6bc
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_i386.deb
    Size/MD5 checksum:    98176 d5b46716c8ab083b9c00b523a73a81b9

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_ia64.deb
    Size/MD5 checksum:    98022 dabf436427e867a81074bdca0c53ef6e
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_ia64.deb
    Size/MD5 checksum:   510180 1c4e1c58e7d63f10ff7efaf3a6555f46
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_ia64.deb
    Size/MD5 checksum:    24700 8dadf685db0738f52c4b47420eff588a
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_ia64.deb
    Size/MD5 checksum:   136046 b5d657cad9154915f0a9c0779e68cf1c

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mips.deb
    Size/MD5 checksum:   104986 3d6d14fff3621ed344e88e7bb57ae627
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mips.deb
    Size/MD5 checksum:    81588 e776156e4d5647f0aa591ea8b01d3aad
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mips.deb
    Size/MD5 checksum:    20946 5f5eca06d6b715087a4298d2db944fcf
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mips.deb
    Size/MD5 checksum:   479286 4a9404dab651fd387901d6eb223bd835

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mipsel.deb
    Size/MD5 checksum:    76982 63638be1a06154fa1126e5be3a4ac95e
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mipsel.deb
    Size/MD5 checksum:   469086 9c31f061ab04690bf52876821a9383ea
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mipsel.deb
    Size/MD5 checksum:    20944 5f59636c00cbe76590ac1ef23235cd8d
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mipsel.deb
    Size/MD5 checksum:   104948 be1bf5fd730d239f5cd62a92cd4b75e4

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_powerpc.deb
    Size/MD5 checksum:   105760 ba397af813b092de9bea72accb46db4b
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_powerpc.deb
    Size/MD5 checksum:    21394 7e12a198ce7bed6922d20da108e5bad5
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_powerpc.deb
    Size/MD5 checksum:    82558 1299949b45c3a6fdba4fa64fcf48dc53
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_powerpc.deb
    Size/MD5 checksum:   475206 7cda1ebdffc9b47d90efa594bea5d5b8

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_s390.deb
    Size/MD5 checksum:   452736 403af241544bf4fd66f4993003f0f192
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_s390.deb
    Size/MD5 checksum:    90546 f2f4a9e7410b946b91c4d44cef18f5af
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_s390.deb
    Size/MD5 checksum:   102548 ad43cb11ddff398ee0a83ded1a024321
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_s390.deb
    Size/MD5 checksum:    20920 7ffdc1f9962394073efae81356780428

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_sparc.deb
    Size/MD5 checksum:    98252 fad4afe3566e986fe819a0fff6a2376e
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_sparc.deb
    Size/MD5 checksum:   453410 ce3775bb59d55b9ba7e34469225e0d20
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_sparc.deb
    Size/MD5 checksum:    17888 4eaf8a0cfd4f3b1c6f8332ccf1bf6ef4
  http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_sparc.deb
    Size/MD5 checksum:    79796 57795226ac31a7b5bf7793e4e14dc89a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSEUOemz0hbPcukPfAQKlCwf/RNQkhN5GiXzWbIPQDNuXCa9Gri63UI6Z
yUpFdhpcitk0JKDznD67BwrVjEFOOhInCDMiVftX53oAGoUhW/kEbQ4A+gzqf9cJ
B6OfyEjzV9JLEZ5OMlRQCigQpbUqQVwx6ISBM/RuzbuQSXEpYtUPztPAqHmVZDdU
WjiVKEioP6T64ql9xxEu15ekuWJpcaglkHSOEGPmJZwP/9sLCQrVUwciMSWR/fr+
kdV47I292yfyhdVMnmszpncAtO1ZWAyDV8DZS2yMXlqxfK/nMadz4PWj39gISr6e
677OU3WzrE+tj7hKGvutvivwTEzNzhrHq5/oYFnQn/mgoHfgKFsNlQ==
=52+x
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ