===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2007.1057 -- [Win][UNIX/Linux][Debian]
           New libsndfile packages fix arbitrary code execution
                             31 December 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              libsndfile
Publisher:            Debian
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-4974

Original Bulletin:    http://www.debian.org/security/2007/dsa-1442

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libsndfile check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
Debian Security Advisory DSA-1442-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
December 29, 2007                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libsndfile
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-4974

Robert Buchholz discovered that libsndfile, a library for reading and
writing audio files, performs insufficient boundary checks when
processing FLAC files, which might lead to the execution of arbitrary
code.

For the stable distribution (etch), this problem has been fixed in
version 1.0.16-2.

The old stable distribution (sarge) is not affected by this problem.

We recommend that you upgrade your libsndfile packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
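A host-side check for the remediation above, added here as an example and not part of the Debian advisory: it compares the installed version of the three binary packages this DSA ships against the fixed etch version 1.0.16-2, using dpkg's own version ordering when available and GNU sort -V as an approximation otherwise. The package names and fixed version come from this advisory; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): is the installed libsndfile
# on this etch host at or above the version that fixes CVE-2007-4974?
FIXED_VERSION="1.0.16-2"

# version_ge INSTALLED FIXED -> exit 0 if INSTALLED >= FIXED.
# Prefers dpkg's comparison (handles epochs and Debian revisions exactly);
# falls back to GNU sort -V, which is adequate for plain X.Y.Z-N strings
# such as the ones in this advisory but not a full dpkg implementation.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# assess_version NAME VERSION -> prints a verdict; exit 0 if fixed,
# 1 if vulnerable, 2 if the package is not installed (VERSION empty).
assess_version() {
    pkg="$1"; ver="$2"
    if [ -z "$ver" ]; then
        echo "$pkg: not installed"
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "$pkg $ver: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "$pkg $ver: VULNERABLE (< $FIXED_VERSION), upgrade required"
    return 1
}

# installed_version NAME -> installed version string, or empty if absent
# (or if dpkg-query itself is unavailable on this system).
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_host -> audits the binary packages named in this advisory;
# exit 0 only when every installed one is at the fixed version.
check_host() {
    rc=0
    for pkg in libsndfile1 libsndfile1-dev sndfile-programs; do
        assess_version "$pkg" "$(installed_version "$pkg")" || rc=1
    done
    return $rc
}
```

Run `check_host` on an etch system to audit it; a non-zero exit means at least one of the three packages is missing or still at a pre-fix version.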


Debian 4.0 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
