Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0294 -- [UNIX/Linux][Debian]
New abc2ps packages fix arbitrary code execution
26 April 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: abc2ps
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Debian GNU/Linux 3.0
UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Access: Existing Account
CVE Names: CVE-2006-1513
Original Bulletin: http://www.debian.org/security/2006/dsa-1041
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running abc2ps check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1041-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 25th, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : abc2ps
Vulnerability : buffer overflows
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-1513
Erik Sjölund discovered that abc2ps, a translator for ABC music
description files into PostScript, does not check the boundaries when
reading in ABC music files resulting in buffer overflows.
For the old stable distribution (woody) these problems have been fixed in
version 1.3.3-2woody1.
For the stable distribution (sarge) these problems have been fixed in
version 1.3.3-3sarge1.
For the unstable distribution (sid) these problems have been fixed in
version 1.3.3-3sarge1.
We recommend that you upgrade your abc2ps package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1.dsc
Size/MD5 checksum: 574 2bf8bde7a186ba1d93794f76ca19a21a
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1.diff.gz
Size/MD5 checksum: 12626 fc9f2d8362327652fbe36926a1011ea3
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3.orig.tar.gz
Size/MD5 checksum: 125327 720f41663251ea56c7d3456c09ccdb24
Alpha architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_alpha.deb
Size/MD5 checksum: 198302 48d72a8edd108a0e860a414ef71f4eed
ARM architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_arm.deb
Size/MD5 checksum: 133896 c31722490dd0068c1b7b31f5623889bf
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_i386.deb
Size/MD5 checksum: 126224 1a7825d31788e2ce2d5611d026c035e8
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_ia64.deb
Size/MD5 checksum: 248658 e4af663fc6bb5557bcbb5556671a0694
HP Precision architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_hppa.deb
Size/MD5 checksum: 151654 fb3434ac543a2b7351912fe9ac70a106
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_m68k.deb
Size/MD5 checksum: 118484 de9477e6ae7eef6bf004e03976a37e2f
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_mips.deb
Size/MD5 checksum: 168336 e8506ab9625e17b37d88104fc329c576
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_mipsel.deb
Size/MD5 checksum: 168412 06fd6748c5aed2b0671fd8948c25f5ac
PowerPC architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_powerpc.deb
Size/MD5 checksum: 159308 59bbf493d9d3aebb5cabd5514152cb7a
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_s390.deb
Size/MD5 checksum: 130400 474abf4e655d73cc29dff7cab0e0caa3
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-2woody1_sparc.deb
Size/MD5 checksum: 156464 65ceb4dd51fcd074f2559e39cdfd72a3
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1.dsc
Size/MD5 checksum: 574 0e501917b1f3eaae019b493a7d75e2ac
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1.diff.gz
Size/MD5 checksum: 12761 ef51821cc1e99f4c27d36f1563fd5939
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3.orig.tar.gz
Size/MD5 checksum: 125327 720f41663251ea56c7d3456c09ccdb24
Alpha architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_alpha.deb
Size/MD5 checksum: 161382 5a61a8187469f45261e2861ef4131657
AMD64 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_amd64.deb
Size/MD5 checksum: 142244 cc3d5a9a34c7e74e4a62800d20595986
ARM architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_arm.deb
Size/MD5 checksum: 133466 e86cec900cabbab1c9655240f7a87cfc
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_i386.deb
Size/MD5 checksum: 131446 1c28cd803285e045788c3fa7aa858c19
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_ia64.deb
Size/MD5 checksum: 194404 74c75445c63e99ee12037b7099b98611
HP Precision architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_hppa.deb
Size/MD5 checksum: 148086 f07421a81c2a2f8b778beb2cbb0eac96
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_m68k.deb
Size/MD5 checksum: 119956 81de406009470ac5f65a8405086a9a74
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_mips.deb
Size/MD5 checksum: 151294 d07363582856e4b798ab992e5369df6a
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_mipsel.deb
Size/MD5 checksum: 151556 62cce9b325a53dc0f1d32eb788fbbc4b
PowerPC architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_powerpc.deb
Size/MD5 checksum: 140764 46152d575bf1945bef5f4dbf1bce3306
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_s390.deb
Size/MD5 checksum: 136302 b0a5f1a3d6cd14374dc4ee11d84a6481
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/a/abc2ps/abc2ps_1.3.3-3sarge1_sparc.deb
Size/MD5 checksum: 136524 89e570de8c755a45d0932c343f5edc20
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFETclfW5ql+IAeqTIRAkRtAJ9C+6KLcRE5e6HingH0Iv+iC0H6yACgseaB
cVljXTSI5h60sHZxM5hiodw=
=OhpK
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRE7QyCh9+71yA2DNAQJpBgP+L3+2S2KgTFhPT2ll+sgHG4A9l4fi3iwU
2irXtJ8f6m3e+lAJ1mtMwQkPyI/LLivRzgcCFfbYxRatWOwTyCtCYonAvXh6BZbY
c9T8ugyW/lQCbIh37xj7okQw3khBUwTdWUTsd0ZKahBF9J6qjs78pvQSQPBw3bmM
EazoAqfqwUI=
=WgmW
-----END PGP SIGNATURE-----