Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2005.0044 -- Debian Security Advisory DSA 639-1 New mc packages fix several vulnerabilities 17 January 2005 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mc Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux variants Impact: Execute Arbitrary Code/Commands Denial of Service Access: Remote/Unauthenticated CVE Names: CAN-2004-1176 CAN-2004-1175 CAN-2004-1174 CAN-2004-1093 CAN-2004-1092 CAN-2004-1091 CAN-2004-1090 CAN-2004-1009 CAN-2004-1005 CAN-2004-1004 Original Bulletin: http://www.debian.org/security/2005/dsa-639 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 639-1 security@debian.org http://www.debian.org/security/ Martin Schulze January 14th, 2005 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : mc Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-1004 CAN-2004-1005 CAN-2004-1009 CAN-2004-1090 CAN-2004-1091 CAN-2004-1092 CAN-2004-1093 CAN-2004-1174 CAN-2004-1175 CAN-2004-1176 Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, a file browser and manager, were not backported to the current version of mc that Debian ships in their stable release. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities: CAN-2004-1004 Multiple format string vulnerabilities CAN-2004-1005 Multiple buffer overflows CAN-2004-1009 One infinite loop vulnerability CAN-2004-1090 Denial of service via corrupted section header CAN-2004-1091 Denial of service via null dereference CAN-2004-1092 Freeing unallocated memory CAN-2004-1093 Denial of service via use of already freed memory CAN-2004-1174 Denial of service via manipulating non-existing file handles CAN-2004-1175 Unintended program execution via insecure filename quoting CAN-2004-1176 Denial of service via a buffer underflow For the stable distribution (woody) these problems have been fixed in version 4.5.55-1.2woody5 For the unstable distribution (sid) these problems should already be fixed since they were backported from current versions. We recommend that you upgrade your mc package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.dsc Size/MD5 checksum: 798 09408d39e539898d3384293454b806a8 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.diff.gz Size/MD5 checksum: 51884 64d27d64149013cbbfcbe0d568f872af http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55.orig.tar.gz Size/MD5 checksum: 4850321 82772e729bb2ecfe486a6c219ebab09f Alpha architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_alpha.deb Size/MD5 checksum: 1186490 28bce9bd85c73413c4e610a83f6c80dd http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_alpha.deb Size/MD5 checksum: 562942 519466cca7aa730a64c5ff629fe64112 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_alpha.deb Size/MD5 checksum: 1351654 7b7e2ee396427d08f38bb2610533fb25 ARM architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_arm.deb Size/MD5 checksum: 1028206 7bc8143ab26f4c42ef99de8f86d30604 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_arm.deb Size/MD5 checksum: 480562 94e93aaa4a2dccb4b3acde553091fce7 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_arm.deb Size/MD5 checksum: 1351824 cd5a6b905f11fd1661a16e790bf1f588 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_i386.deb Size/MD5 checksum: 994986 0c53de4cf192308977e39bb4a7216314 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_i386.deb Size/MD5 checksum: 455878 7a09ac156183bc9cee032d674e21587c http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_i386.deb Size/MD5 checksum: 1351766 fe4f6d051f36930a1533ac7239d5759f Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_ia64.deb Size/MD5 checksum: 1435394 06eb2692e366aa35d3aa39f2903253a7 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_ia64.deb Size/MD5 checksum: 689186 df58ef7f32905a5c4ade98dab6013ef0 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_ia64.deb Size/MD5 checksum: 1351652 6530011245a834c8df64a972855b3995 HP Precision architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_hppa.deb Size/MD5 checksum: 1144490 2d28d59dacd0d57ade92139783897a52 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_hppa.deb Size/MD5 checksum: 541214 cae4c0accc681cb6d74bebcd38424657 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_hppa.deb Size/MD5 checksum: 1352116 9b18a11f41ad50f53787129cbb70ee45 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_m68k.deb Size/MD5 checksum: 957852 622795322c8d3ccb1f844ca4e80fbc07 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_m68k.deb Size/MD5 checksum: 436992 28fe37f13b19930168d06a6092e4295e http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_m68k.deb Size/MD5 checksum: 1352176 83bdc91613abb383a2ba65e39b86ec17 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_mips.deb Size/MD5 checksum: 1087044 ca4c17d34d697187723ed33915949171 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_mips.deb Size/MD5 checksum: 536772 f797b059e1baf558a147296545ab308c http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_mips.deb Size/MD5 checksum: 1352072 de11cf9737a1835a78db10a9f9e01677 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_mipsel.deb Size/MD5 checksum: 1081206 15555616a4587281d589d6c4d75fff4d http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_mipsel.deb Size/MD5 checksum: 535634 44ba98ca679814dca5414955ade5477c http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_mipsel.deb Size/MD5 checksum: 1351830 d4dd86b51fd4f80034323d8fb7fed93e PowerPC architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_powerpc.deb Size/MD5 checksum: 1043048 fa3c76890db2a3eb8910630dda4e2ee1 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_powerpc.deb Size/MD5 checksum: 490084 f9a035d0cabd0b5a2208a83ccdb262d3 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_powerpc.deb Size/MD5 checksum: 1352100 07c82e678f74390eb7be89ca324faaad IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_s390.deb Size/MD5 checksum: 1029952 d114807d61819ad87a705d9c145e4e69 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_s390.deb Size/MD5 checksum: 479508 b9ce19425fb67653ca449f13a564c5b6 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_s390.deb Size/MD5 checksum: 1352022 66290d632d0aeefd2758a9b09c41bd00 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mc/gmc_4.5.55-1.2woody5_sparc.deb Size/MD5 checksum: 1029094 189ad1f55bee5b1f45f8286830c59413 http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5_sparc.deb Size/MD5 checksum: 483478 f693c3a851ff549e7ea1e64dc993f776 http://security.debian.org/pool/updates/main/m/mc/mc-common_4.5.55-1.2woody5_sparc.deb Size/MD5 checksum: 1352114 e26e3f182414e28488950d059bfeee61 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFB55zrW5ql+IAeqTIRAhPuAJ9POWu791C+QxxlBkpRYnUUyopcJQCeJNRL Srs4O/oBMdZ7mqo8XvoVIbU= =xz+R - -----END PGP SIGNATURE----- - -- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQer2Uih9+71yA2DNAQLrqgP/ZWUFq2+fTXaJwtpAEf7hhokcJEi+y0aB A0txEly6Swjy9Zq5VyIFqTfhn0uH8c18W+vakMVEQasZlx9ktdP6wq9xJd9c0w/2 8KYujCqhv2d0PtW/YgKZNYfDYnWGDJZIii2zFPpiF1mmiIT5GxNKOT5fHCvf++dB sDnYsP0EXXY= =yMM7 -----END PGP SIGNATURE-----