Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0227 -- [UNIX/Linux][Debian] New XMMS packages fix arbitrary code execution 5 April 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: xmms Publisher: Debian Operating System: Debian GNU/Linux 3.1 UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2007-0654 CVE-2007-0653 Original Bulletin: http://www.debian.org/security/2007/dsa-1277 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running xmms check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1277-1 security@debian.org http://www.debian.org/security/ Noah Meyerhans April 04, 2007 - - ------------------------------------------------------------------------ Package : xmms Vulnerability : several Problem type : local Debian-specific: no CVE Id(s) : CVE-2007-0654 CVE-2007-0653 BugTraq ID : 23078 Debian Bug : 416423 Multiple errors have been found in the skin handling routines in xmms, the X Multimedia System. These vulnerabilities could allow an attacker to run arbitrary code as the user running xmms by inducing the victim to load specially crafted interface skin files. For the stable distribution (sarge), these problems have been fixed in version 1.2.10+cvs20050209-2sarge1 For the upcoming stable distrubution (etch) and the unstable distribution (sid), these problems have been fixed in versions 1:1.2.10+20061101-1etch1 and 1:1.2.10+20070401-1, respectively. We recommend that you upgrade your xmms packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 3.1 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.diff.gz Size/MD5 checksum: 333600 8d25c5173ec7d94d0db9f92b418610ce http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209.orig.tar.gz Size/MD5 checksum: 2796215 ec03ce185b2fd255d58ef5d2267024eb http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.dsc Size/MD5 checksum: 1065 d03e55ebe9c6a5ba2337d5f3542bc883 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_alpha.deb Size/MD5 checksum: 2700990 aa024afc093e8f415b19d783e39b81c0 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_alpha.deb Size/MD5 checksum: 48766 5fd631196c28fd44df02ecf25ab9c676 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_amd64.deb Size/MD5 checksum: 2434966 5c10a5a20aa5329b1c120cef213ef164 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_amd64.deb Size/MD5 checksum: 37810 06a82b2325505c9e30e4b7d9c6a17ffe arm architecture (ARM) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_arm.deb Size/MD5 checksum: 2396722 fcead4025c4743996a4c307a003377df http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_arm.deb Size/MD5 checksum: 35376 e4f630de7290d4141964cc6ae8758ac4 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_hppa.deb Size/MD5 checksum: 2585550 c73dd34f37131785adcf699e65b55ac3 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_hppa.deb Size/MD5 checksum: 40834 90fe696e1dee1d694cd8148ac83a6b88 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_i386.deb Size/MD5 checksum: 33842 52fef7c2ef6a73f329d18b4df43ee6e5 http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_i386.deb Size/MD5 checksum: 2395578 c0a4c275b67ce3bc166128cd4c1fa747 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_ia64.deb Size/MD5 checksum: 2717624 e7d9b41eda0f4b32c3bba2c2dff15fc1 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_ia64.deb Size/MD5 checksum: 48220 28fef757212bef0da7ed46bec7e76740 m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_m68k.deb Size/MD5 checksum: 2315470 1a93ec2577d2a79b9b645003e1d22a03 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_m68k.deb Size/MD5 checksum: 31624 30bd86c18e943f3a93a983a63c2c1fb7 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mips.deb Size/MD5 checksum: 2412762 e340f997cfbbe0ef8ef50f78b5ec5d71 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mips.deb Size/MD5 checksum: 40580 698dfcf5c909de3a955f6337fb23e425 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mipsel.deb Size/MD5 checksum: 2391432 b2ef3697588a72e735f5caa02593d1b7 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mipsel.deb Size/MD5 checksum: 40516 10443e075a1f4840d4de22f2dcfc355b powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_powerpc.deb Size/MD5 checksum: 36946 057d90024cae6e6a0fdfa2d0de666134 http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_powerpc.deb Size/MD5 checksum: 2487280 e0571a0993112c79d6751509e548193d s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_s390.deb Size/MD5 checksum: 2430886 2cc8a1371309b973c1f963a93fc58a80 http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_s390.deb Size/MD5 checksum: 37424 3e6eb798d0a7a6137fbb1ad1a961da75 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_sparc.deb Size/MD5 checksum: 34526 2e7e99b117f6c9ab83d9a8c0afc12f79 http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_sparc.deb Size/MD5 checksum: 2422962 9d5a5484287a3773e8f7a8f5bac4d29a These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGFCB0YrVLjBFATsMRAlUnAJ982xgAnPh05aTYs5FoAqCdRJeazQCffIP2 PXuuTTivH7wU3YxZ+xJzXY0= =ttw5 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRhRNiCh9+71yA2DNAQLj2wQAmkY0wJc5AxTCyWMgBZN6kASsps3TC2Vi +ftcM8GGN0jUH768wyKew5GjoCZUCJ79e2UakCON8to6kSZ7c7HzMrLVGBCTwnM8 968BwRHO12P7Yq4TcLF/OTbHoSKx7hhSfBCwGvSAG/VabGoHtBaMwxp0cEagj4AW 5ZBt2zsP/wA= =rha4 -----END PGP SIGNATURE-----