Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.1057 -- [Win][UNIX/Linux][Debian] New libsndfile packages fix arbitrary code execution 31 December 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libsndfile Publisher: Debian Operating System: UNIX variants (UNIX, Linux, OSX) Windows Debian GNU/Linux 4.0 Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2007-4974 Original Bulletin: http://www.debian.org/security/2007/dsa-1442 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running libsndfile check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1442-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff December 29, 2007 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libsndfile Vulnerability : buffer overflow Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2007-4974 Rubert Buchholz discovered that libsndfile, a library for reading / writing audio files performs insufficient boundary checks when processing FLAC files, which might lead to the execution of arbitrary code. For the stable distribution (etch), this problem has been fixed in version 1.0.16-2. The old stable distribution (sarge) is not affected by this problem. We recommend that you upgrade your libsndfile packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 4.0 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2.diff.gz Size/MD5 checksum: 5465 3143afa4d8b69fe1ba9d0428d3b5b472 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2.dsc Size/MD5 checksum: 639 778f77063bf0aee761b5d9f7af793ced alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_alpha.deb Size/MD5 checksum: 400468 f555adb582857c57e2efc4c957661a10 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_alpha.deb Size/MD5 checksum: 222432 5a776e9755235dfbc33881b54a69df87 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_alpha.deb Size/MD5 checksum: 72062 0ad263c448319e10f147d4ca3a2e49cd amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_amd64.deb Size/MD5 checksum: 70518 6ece20244584e3e33c680cba32f5bd01 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_amd64.deb Size/MD5 checksum: 186978 15d1c0d80b1df110594b0e25dc444ca3 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_amd64.deb Size/MD5 checksum: 322346 f8d850304a105b5b8d2beadb3e81304d arm architecture (ARM) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_arm.deb Size/MD5 checksum: 72042 6efb81b71098e378b5f702c06cb8b2d9 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_arm.deb Size/MD5 checksum: 343534 03aef95ebfe92522c5d36a4e5590859d http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_arm.deb Size/MD5 checksum: 220952 d01c16d518630402f6714691b829d793 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_hppa.deb Size/MD5 checksum: 74542 cf4e50401c65e94b5ec93b488c0180c7 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_hppa.deb Size/MD5 checksum: 236320 7c0274e6b33b5e301dcd7a474d502107 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_hppa.deb Size/MD5 checksum: 373514 af037103e816ba426298a634057decb2 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_i386.deb Size/MD5 checksum: 74262 834537ca8b562a4350d5a9c422f436ca http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_i386.deb Size/MD5 checksum: 319560 9fe5127322c613449eb0dde18a27cfb8 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_i386.deb Size/MD5 checksum: 197498 e9bc609646a45373a0d365b071950c6a ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_ia64.deb Size/MD5 checksum: 270526 4e79bb42b5e92d68fa00bff980686eb3 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_ia64.deb Size/MD5 checksum: 416098 3d6c672fd2480a3a5783142085445bdd http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_ia64.deb Size/MD5 checksum: 75756 d29c6c9fe859001936087e53afdff185 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_mips.deb Size/MD5 checksum: 217138 c59d9ffccb7d577d06f4eb8f8a875e98 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_mips.deb Size/MD5 checksum: 374184 e0a8ce0c236b772bc58eaad8aad2006a http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_mips.deb Size/MD5 checksum: 72760 2468de6305a9c60fdfd0fe73bad8999a mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_mipsel.deb Size/MD5 checksum: 72800 da3ce8b83dc1ad383c23812df43cf31d http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_mipsel.deb Size/MD5 checksum: 373316 d2e45aaad4073e64b6e3e443e6702cac http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_mipsel.deb Size/MD5 checksum: 216758 0a66a28c249850999b90b6f90d0c027b powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_powerpc.deb Size/MD5 checksum: 207748 7c999002bfce68181a2818eaf3e829ed http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_powerpc.deb Size/MD5 checksum: 346286 2b9d3e4cef955ff76a963a3e40aebecd http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_powerpc.deb Size/MD5 checksum: 75812 b8549289577e9a8bfe279592ebb68c69 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_s390.deb Size/MD5 checksum: 346370 dca74b112ab72b4893b272aa983f6e07 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_s390.deb Size/MD5 checksum: 72800 6fd80164e263294833c6b6a4f98faf7f http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_s390.deb Size/MD5 checksum: 220876 8f28f995c96e3366cc98a1578aba5a46 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_sparc.deb Size/MD5 checksum: 70652 7560d39c5a222317decb5586c17d1d55 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_sparc.deb Size/MD5 checksum: 207790 e758c2a6e11a78f25df2ad1b2205206e http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_sparc.deb Size/MD5 checksum: 334854 f97aba9749b0dd78f6da521399fa9937 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHdaUUXm3vHE4uyloRAr+yAJ49UzhGOxcTvtvHNh4s6dtwTHgJAgCg6NzD UvSOyIiGxMdX3pQ5bWESksg= =vIt9 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR3g5MSh9+71yA2DNAQKSeAP8CL9dk5Lk5NCfKl0HP8GWHt9Xm1Y/M5HV aQE21KlgxijMMQbVjtdD6M7AwIhoKlienpXCkwRfUFJCTitRvThW6vwgc2bsBiOb ldU1EbNZj/BewdYlXSzLtcncIQJ8dbIN9iWFZGf9DKGFIpyw/pGdO/Gy1e8Drjk5 occ6iVAIORk= =aDJf -----END PGP SIGNATURE-----