Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0712 -- Debian Security Advisory DSA 587-1 New freeamp packages fix arbitrary code execution 9 November 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: freeamp Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux variants Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CAN-2004-0964 Original Bulletin: http://www.debian.org/security/2004/dsa-587 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 587-1 security@debian.org http://www.debian.org/security/ Martin Schulze November 8th, 2004 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : freeamp Vulnerability : buffer overflow Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-0964 Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf. For the stable distribution (woody) this problem has been fixed in version 2.1.1.0-4woody2. For the unstable distribution (sid) this problem does not exist in the zinf packageas the code in question was rewritten. We recommend that you upgrade your freeamp packages. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2.dsc Size/MD5 checksum: 944 39d51f9def21f5b1d5542ccbcbc01e29 http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2.diff.gz Size/MD5 checksum: 32347 783b34ce5201a8e4e10a8722fd00ad8f http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0.orig.tar.gz Size/MD5 checksum: 3116888 d465da9fcdcc6ee7991e9b6cd968127b Architecture independent components: http://security.debian.org/pool/updates/main/f/freeamp/freeamp-doc_2.1.1.0-4woody2_all.deb Size/MD5 checksum: 282330 ffb91e1362db38b0e063839afdb7eefa Alpha architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_alpha.deb Size/MD5 checksum: 2399962 187f779ad3fa78a1bcb6f79837a733ba http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_alpha.deb Size/MD5 checksum: 90476 d184dd97abf70f5db80579e76bdca43a http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_alpha.deb Size/MD5 checksum: 34752 97704f6cd7245b6821d4683ee7999015 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_alpha.deb Size/MD5 checksum: 33376 77bbee46f4b02464e387d40fd850fac9 ARM architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_arm.deb Size/MD5 checksum: 2194684 c37e64837c2353be71062e9c74934028 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_arm.deb Size/MD5 checksum: 82794 6e6e0079c0f912c6aba7e3a73bc7963d http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_arm.deb Size/MD5 checksum: 29440 615324c7d033b4c327a883239b5afe9c http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_arm.deb Size/MD5 checksum: 29342 d745a17d3a3c59dd6d004babcfa7563b Intel IA-32 architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_i386.deb Size/MD5 checksum: 2032164 5c68a2b2940d9bfa3f5f3320f9a85d5b http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_i386.deb Size/MD5 checksum: 73482 091fe47ddd9308edcd2df707b00fefc8 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_i386.deb Size/MD5 checksum: 29382 3b22fa0992c89e05542d06b78ca263df http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_i386.deb Size/MD5 checksum: 28476 0142da2d0ed0d50e7fe454171d7066da Intel IA-64 architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_ia64.deb Size/MD5 checksum: 2367142 c43140e99b8dd87934e9611a060fe1bc http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_ia64.deb Size/MD5 checksum: 84638 6e55107e3071f451b08d77aed3260d44 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_ia64.deb Size/MD5 checksum: 27532 84b0e8df2b31326b378ce79e404ec4cd HP Precision architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_hppa.deb Size/MD5 checksum: 2184294 a8a7ec3fa22215201fc05c9572c89074 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_hppa.deb Size/MD5 checksum: 105354 ed97bdb2ae641dc2eecc66e7dfd2daf8 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_hppa.deb Size/MD5 checksum: 27602 bae0e367bfb7b40d2c4b0390c6638d3f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_m68k.deb Size/MD5 checksum: 1744992 25bf614e89c0bfddc8863d1e007335d4 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_m68k.deb Size/MD5 checksum: 72386 a0faa0affb7912807c340d65c6049cd5 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_m68k.deb Size/MD5 checksum: 28706 f226affa56379550b2d74c8cded44520 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_mips.deb Size/MD5 checksum: 1864476 d8874d057b941058a7981a3233fdaa65 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_mips.deb Size/MD5 checksum: 69940 7f2ae3c9420e113583932b40eb8604dd http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_mips.deb Size/MD5 checksum: 28610 9eb1bec2958a24a12872486c81e7a106 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_mips.deb Size/MD5 checksum: 27854 88ef872d3fdaa6e6cd274549f250b434 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_mipsel.deb Size/MD5 checksum: 1827610 3bd082fa5eca1e96b2ad2fec3293a8bd http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_mipsel.deb Size/MD5 checksum: 68796 d772ca8a111e64cab746a1f9efe5cf98 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_mipsel.deb Size/MD5 checksum: 27546 d9eb6b5c8f6f608c09e695333e2cd477 PowerPC architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_powerpc.deb Size/MD5 checksum: 2046412 539183b9f14aeeabbd74049bb9dcbca8 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_powerpc.deb Size/MD5 checksum: 75370 033f91e19fbb6da25da8a864a2fde435 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_powerpc.deb Size/MD5 checksum: 29854 405d64cb8eae9c9f24e32191e1ffd8da http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_powerpc.deb Size/MD5 checksum: 29042 595cd2062229e98a2ce6d5c4ccbbc882 IBM S/390 architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_s390.deb Size/MD5 checksum: 1962584 ea73c5dcf1b3d54eb04ebaeb4e190290 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_s390.deb Size/MD5 checksum: 73074 93857a08ea97df7926b688b3d7b75e0d http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_s390.deb Size/MD5 checksum: 29334 4aec2ae5a414e6d2bfbb73c6409f78c7 Sun Sparc architecture: http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_sparc.deb Size/MD5 checksum: 1969882 b220f88f807c80d6b96d7cfab862b2a3 http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_sparc.deb Size/MD5 checksum: 74556 cfb464ec0bf2c9859b5df5f80e9dabbc http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_sparc.deb Size/MD5 checksum: 28814 9d7d9735acc60e36dac2d19c51d9ace9 http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_sparc.deb Size/MD5 checksum: 27802 5c91f275ac283265a8c4bd6d94b5122f These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBj1+/W5ql+IAeqTIRAnIrAJ4r0yQnxKCsU9jElkzv5CXctHJvMwCfV6/E mY6LDP6fdnSCcwMHU2GGYUU= =uCT5 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQZAFMSh9+71yA2DNAQKlbwP8CAPo/WOKW5s26aJ2VW6664AU0Sy4Kg1N m7Rs9bVwmgpIh9AdxEwPIgL8TPcW2ZOZXnyNAdoG4L8Br7P6kHxM82kOdE/QEQcu pzQM5CdT35vuecVdehX8Z0nbRXRdlc32Caj3zK564kOliUhrG+VNj1U2ugmnPDyK +rd8WfhEfYQ= =QyCh -----END PGP SIGNATURE-----