===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0826
      [Win][UNIX/Linux][RedHat][OSX] Important: flac security update
                              23 October 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              flac
Publisher:            Red Hat
Operating System:     Red Hat Enterprise Linux
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Existing Account
CVE Names:            CVE-2007-4619

Original Bulletin:    https://rhn.redhat.com/errata/RHSA-2007-0975.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running flac check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: flac security update
Advisory ID:       RHSA-2007:0975-02
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0975.html
Issue date:        2007-10-22
Updated on:        2007-10-22
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-4619
---------------------------------------------------------------------

1. Summary:

An updated flac package to correct a security issue is now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

FLAC is a Free Lossless Audio Codec. The flac package consists of a FLAC
encoder and decoder in library form, a program to encode and decode FLAC
files, a metadata editor for FLAC files and input plugins for various music
players.

A security flaw was found in the way flac processed audio data. An attacker
could create a carefully crafted FLAC audio file in such a way that it could
cause an application linked with flac libraries to crash or execute arbitrary
code when it was opened. (CVE-2007-4619)

Users of flac are advised to upgrade to this updated package, which contains
a backported patch that resolves this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

331991 - CVE-2007-4619 FLAC Integer overflows
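The advisory describes the flaw only as integer overflows in flac's handling of crafted audio data. The C example below, added here and not part of Red Hat's advisory or the flac project's code, shows the defensive pattern that closes that bug class in a parser for FLAC's length-prefixed VORBIS_COMMENT metadata block: each untrusted length is checked against the bytes that remain rather than added to an offset first, and the entry count is bounded by the available data before anything is sized from it. The block layout follows the FLAC format specification; the sample buffers are constructed, and the code does not claim to reproduce the specific overflow fixed by this update.

```c
#include <stddef.h>
#include <stdint.h>
/* Little-endian u32 read; FLAC's VORBIS_COMMENT block stores its lengths this way. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a VORBIS_COMMENT body: u32 vendor_len, vendor bytes, u32 count, then
 * count x (u32 clen, clen bytes). Returns 0 and stores the comment count on
 * success, -1 on a malformed block. Every untrusted length is compared against
 * the bytes that remain (len - pos) instead of being added to pos first, so a
 * length near UINT32_MAX cannot wrap the check; count is bounded by the data
 * that could back it before any loop or allocation is driven by it. */
static int parse_vorbis_comment(const uint8_t *buf, size_t len, uint32_t *count_out) {
    size_t pos = 0;                               /* invariant: pos <= len */
    if (len - pos < 4) return -1;
    uint32_t vendor_len = rd_le32(buf + pos);
    pos += 4;
    if (vendor_len > len - pos) return -1;        /* unsafe form: pos + vendor_len > len */
    pos += vendor_len;
    if (len - pos < 4) return -1;
    uint32_t count = rd_le32(buf + pos);
    pos += 4;
    if (count > (len - pos) / 4) return -1;       /* each entry needs at least 4 bytes */
    for (uint32_t i = 0; i < count; i++) {
        if (len - pos < 4) return -1;
        uint32_t clen = rd_le32(buf + pos);
        pos += 4;
        if (clen > len - pos) return -1;
        pos += clen;
    }
    *count_out = count;
    return 0;
}

/* Constructed sample blocks (not taken from real files). */
static const uint8_t benign[] = { 2,0,0,0,'a','b', 2,0,0,0,
    3,0,0,0,'x','=','1', 5,0,0,0,'y','y','=','2','2' };   /* vendor "ab", 2 comments */
static const uint8_t huge_vendor[]   = { 0xff,0xff,0xff,0xff, 0,0,0,0 };          /* vendor_len wraps */
static const uint8_t huge_count[]    = { 0,0,0,0, 0xff,0xff,0xff,0xff, 1,0,0,0 }; /* count wraps */
static const uint8_t short_comment[] = { 0,0,0,0, 1,0,0,0, 10,0,0,0, 'k','=' };  /* clen > data left */
/* Comment count, or -1 when the parser rejects the block. */
int comments_in(const uint8_t *buf, size_t len) {
    uint32_t n;
    return parse_vorbis_comment(buf, len, &n) == 0 ? (int)n : -1;
}
int demo_benign(void) { return comments_in(benign, sizeof benign); }
int demo_vendor(void) { return comments_in(huge_vendor, sizeof huge_vendor); }
int demo_count(void)  { return comments_in(huge_count, sizeof huge_count); }
int demo_short(void)  { return comments_in(short_comment, sizeof short_comment); }
```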
6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/flac-1.1.0-7.el4_5.2.src.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/flac-1.1.0-7.el4_5.2.src.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/flac-1.1.0-7.el4_5.2.src.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/flac-1.1.0-7.el4_5.2.src.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/flac-1.1.2-28.el5_0.1.src.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/flac-1.1.2-28.el5_0.1.src.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/flac-1.1.2-28.el5_0.1.src.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4619
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================