Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0026 -- [Debian] New libarchive1 packages fix several problems 9 January 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libarchive1 Publisher: Debian Operating System: Debian GNU/Linux 4.0 Impact: Denial of Service Access: Existing Account CVE Names: CVE-2007-3645 CVE-2007-3644 CVE-2007-3641 Ref: ESB-2007.0524 Original Bulletin: http://www.debian.org/security/2008/dsa-1455 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1455-1 security@debian.org http://www.debian.org/security/ Steve Kemp January 08, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libarchive1 Vulnerability : denial of service Problem type : local Debian-specific: no CVE Id(s) : CVE-2007-3641, CVE-2007-3644, CVE-2007-3645 Debian Bug : 432924 Several local/remote vulnerabilities have been discovered in libarchive1, a single library to read/write tar, cpio, pax, zip, iso9660, archives. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-3641 It was discovered that libarchive1 would miscompute the length of a buffer resulting in a buffer overflow if yet another type of corruption occurred in a pax extension header. CVE-2007-3644 It was discovered that if an archive prematurely ended within a pax extension header the libarchive1 library could enter an infinite loop. CVE-2007-3645 If an archive prematurely ended within a tar header, immediately following a pax extension header, libarchive1 could dereference a NULL pointer. The old stable distribution (sarge), does not contain this package. For the stable distribution (etch), these problems have been fixed in version 1.2.53-2etch1. For the unstable distribution (sid), these problems have been fixed in version 2.2.4-1. We recommend that you upgrade your libarchive package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/liba/libarchive/libarchive_1.2.53-2etch1.diff.gz Size/MD5 checksum: 6474 454b6a56eec392fff05fde2e39b33241 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive_1.2.53.orig.tar.gz Size/MD5 checksum: 522540 2e2df461fef05049b3a92e5bedc2de2c http://security.debian.org/pool/updates/main/liba/libarchive/libarchive_1.2.53-2etch1.dsc Size/MD5 checksum: 723 6bd6417d5da3132138dfec988dd0b484 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_alpha.deb Size/MD5 checksum: 125468 c5f6ca3fbd4dc58994e3322c54665189 http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_alpha.deb Size/MD5 checksum: 98258 7052caa8ea03fb8f8028e779c38007a9 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_alpha.deb Size/MD5 checksum: 80802 e1cbce6999ca08b7c1873a2aa6f37ace amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_amd64.deb Size/MD5 checksum: 86144 75bbf5bd14366b2750a9fd07b94ea651 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_amd64.deb Size/MD5 checksum: 100862 d7d29d3b8712a1affdd661ce8671cc47 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_amd64.deb Size/MD5 checksum: 73082 965a207cd79e4516897997dd4aa38224 arm architecture (ARM) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_arm.deb Size/MD5 checksum: 71100 ccb4fadaa27c86e51657bcd364900a12 http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_arm.deb Size/MD5 checksum: 81560 6f300693d1c7e58758ffb58cb3792aa7 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_arm.deb Size/MD5 checksum: 94672 f9153798aead194d92167ffce2eebac8 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_hppa.deb Size/MD5 checksum: 95492 fed8bf705c7d5376bccf45caaedccdaf http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_hppa.deb Size/MD5 checksum: 84962 69e703f5aaa825319b89038d0a69e5ac http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_hppa.deb Size/MD5 checksum: 112720 4fee8dd2b8ff9d8c9d76cbfba4306899 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_i386.deb Size/MD5 checksum: 73122 9ae44a93dbe577fea5a3121b32e00bf5 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_i386.deb Size/MD5 checksum: 95600 e3e924b9c25d33d9412ab66e5745002b http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_i386.deb Size/MD5 checksum: 82918 5f52d186b87c77092c092836ad457585 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_ia64.deb Size/MD5 checksum: 137198 d70c90ede254b30bf9aaf3c007d63857 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_ia64.deb Size/MD5 checksum: 102126 416f120362f22dc2893100c4e792ee0d http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_ia64.deb Size/MD5 checksum: 128994 84198707b6b30b4ef930ba3afe3adfd7 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_mips.deb Size/MD5 checksum: 95926 655725e49f4f959e1afaf5c5841cf2c7 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_mips.deb Size/MD5 checksum: 111874 01d7e04b7549d71d674a1f2915ba66f7 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_mips.deb Size/MD5 checksum: 75320 64c5129262db87e5f1b1d82ceff8ef0e mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_mipsel.deb Size/MD5 checksum: 111642 1cf3bb9888ff64850c02cbc99b83d611 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_mipsel.deb Size/MD5 checksum: 75418 61b96ae77191c67eb3beacd1245aaf12 http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_mipsel.deb Size/MD5 checksum: 95860 492c4e45c2dc1ace2339745eeea1c319 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_powerpc.deb Size/MD5 checksum: 104546 24fa06af05ae8d48cf8d3e984ed6d111 http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_powerpc.deb Size/MD5 checksum: 90134 17b8989ca59c23bdc0176f71828e226f http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_powerpc.deb Size/MD5 checksum: 77998 5cc5f86178e581a46fb0c4a27240aefe s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_s390.deb Size/MD5 checksum: 92394 5d0973a9c4de0a8005a5cab249d4a274 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_s390.deb Size/MD5 checksum: 103250 33642bf02c416cf2e30e18d3fc1f334a http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_s390.deb Size/MD5 checksum: 80726 c96397d26d8c83b155d5cacf05f426d8 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/liba/libarchive/bsdtar_1.2.53-2etch1_sparc.deb Size/MD5 checksum: 80566 a4e51eebda2a152b1972b17c405ee08a http://security.debian.org/pool/updates/main/liba/libarchive/libarchive1_1.2.53-2etch1_sparc.deb Size/MD5 checksum: 71482 82143b931eb382f3299808efce254f26 http://security.debian.org/pool/updates/main/liba/libarchive/libarchive-dev_1.2.53-2etch1_sparc.deb Size/MD5 checksum: 96164 80379aa102dc6cf97befdd648e7831f4 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHg9ziwM/Gs81MDZ0RAmT7AJ9xNqHCS8xhK7BhAyepW5lSoiTclQCfey5F qUBYPX5WTipUNJQldp8y19M= =2C/m - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR4Qhwih9+71yA2DNAQLtUwP6A96+huNeaNLqn4LWtwLuevFvsc12N3+g 2UV84cWmxQPKpnkvhg2TKUIMByuE7nj0jYkDYJ3ZWDQ2al0bpWIBj+KQhlK7LgnV znjVNYViHyhPkKtF0de6r3ovM38Rtt9y/wRXgYDdHElEJ9h+e+uNH6tvEZrqKDoN 3thCQ3yMAc8= =CcHM -----END PGP SIGNATURE-----