Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0082 -- [Debian]
New exiv2 packages fix arbitrary code execution
24 January 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: exiv2
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6353
Ref: ESB-2008.0037
Original Bulletin: http://www.debian.org/security/2008/dsa-1474
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1474-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 23, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : exiv2
Vulnerability : integer overflow
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-6353
Meder Kydyraliev discovered an integer overflow in the thumbnail
handling of libexif, the EXIF/IPTC metadata manipulation library, which
could result in the execution of arbitrary code.
For the stable distribution (etch), this problem has been fixed in
version 0.10-1.5.
The old stable distribution (sarge) doesn't contain exiv2 packages.
We recommend that you upgrade your exiv2 packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5.diff.gz
Size/MD5 checksum: 31515 ff0fc3ef64872fbb591f7258620f5f0b
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5.dsc
Size/MD5 checksum: 660 ed1b77214142dfedc6c6d88d475987d9
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10.orig.tar.gz
Size/MD5 checksum: 2053756 5af2256fb9895d9331684e8c1865b956
Architecture independent packages:
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-doc_0.10-1.5_all.deb
Size/MD5 checksum: 1471716 ba3233f1b9cf71d3bf45ce0790942af9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_alpha.deb
Size/MD5 checksum: 82506 a1c6311554e0301f3e5707ce45b12c44
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_alpha.deb
Size/MD5 checksum: 315770 08a274e26723b6644121a77718650df8
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_alpha.deb
Size/MD5 checksum: 716946 65bd53cad7fe49bd5a8b52c18845531d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_amd64.deb
Size/MD5 checksum: 75710 214d62419a4da25d2c43119992adc1b8
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_amd64.deb
Size/MD5 checksum: 546036 b1d63a71e00c934d14f3263d626466a2
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_amd64.deb
Size/MD5 checksum: 282494 0b963505e15fc126583c08b4d6a8671e
arm architecture (ARM)
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_arm.deb
Size/MD5 checksum: 88084 05fbc6853bc2517e58e587bc2e45942c
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_arm.deb
Size/MD5 checksum: 311516 12a1dbbc1dc560187fec31152836831e
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_arm.deb
Size/MD5 checksum: 552870 9e6da478b70cac4cd297c1a2efe8713f
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_hppa.deb
Size/MD5 checksum: 642320 b55a5e8930f4e4fec0e1b83fd2f8d9f8
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_hppa.deb
Size/MD5 checksum: 349652 520fcd26a32bcb915f1221a7cc09d342
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_hppa.deb
Size/MD5 checksum: 82724 643c5f109ad8b0b1e4f2d9ee35cf8283
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_i386.deb
Size/MD5 checksum: 75758 33830c83524ab3ea4fb72ed5fad9889a
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_i386.deb
Size/MD5 checksum: 509668 5871ee4d12d7833b55434a0bd2c78804
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_i386.deb
Size/MD5 checksum: 283882 32dc3334472467a5642b3ebf70d73f83
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_ia64.deb
Size/MD5 checksum: 730890 47ae5bab36a976e9d4c9d20c7e059e06
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_ia64.deb
Size/MD5 checksum: 95450 1a14407cb292d2a7991a34434d971878
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_ia64.deb
Size/MD5 checksum: 368756 4c9297fa105c67af45b7971f0b00c299
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_mips.deb
Size/MD5 checksum: 271654 811dc70c015b27cdcc94bad7147a0fa4
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_mips.deb
Size/MD5 checksum: 586988 fbd433a7f7369be1cff39f9d79b1395e
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_mips.deb
Size/MD5 checksum: 73684 beaaf91359bb0b3d0f3a22a1cade1505
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_mipsel.deb
Size/MD5 checksum: 583038 de9ddb262ef8f49e0512119206ef63b0
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_mipsel.deb
Size/MD5 checksum: 73176 f5d016a0b5e2ec60ef2e2d3446e363b3
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_mipsel.deb
Size/MD5 checksum: 267776 68fa9f26c0c3fbbda74bd6139e332615
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_powerpc.deb
Size/MD5 checksum: 296440 a306748aafa37fa4d7874f817520f71f
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_powerpc.deb
Size/MD5 checksum: 569730 cbf10c6a2166a27406dee3e151ec498b
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_powerpc.deb
Size/MD5 checksum: 76080 dd8f0bfdddf9896fa21dd455a8c30052
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_s390.deb
Size/MD5 checksum: 70088 6a1550294fdf218741ca998c621825b5
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_s390.deb
Size/MD5 checksum: 534022 d2b1f2455e02e16a300f0478c4b40779
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_s390.deb
Size/MD5 checksum: 288842 2134f38671787dd40a582deda5771824
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-0.10_0.10-1.5_sparc.deb
Size/MD5 checksum: 306884 0cff748083910cd2359765fef3d3b6e0
http://security.debian.org/pool/updates/main/e/exiv2/libexiv2-dev_0.10-1.5_sparc.deb
Size/MD5 checksum: 511544 97c2efefdb8d3067d88b82763e7eba6e
http://security.debian.org/pool/updates/main/e/exiv2/exiv2_0.10-1.5_sparc.deb
Size/MD5 checksum: 73494 89d72b486036f6bfabde2cbfc1c16986
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHl7QiXm3vHE4uyloRAtTkAKCrvLbJ+ISbkbiDCUsUSHhowjxGMgCgih8i
XChNYFqx+FQh9CH+R92E0c0=
=zxK/
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR5fZjyh9+71yA2DNAQIaZAP/VyfzAL5ZTljJT/K6rUa6oHWuCbAoJO4V
xycPWVTTAnLUC8DYvKJ/kqSNlSPPXj73nTA2kEs9acJqRPCw22m9frkKfiIUcb0y
7xp6ggBU84QV21c08kmG+y8jH8dQ3aABkzalgypFzjkV49b6i0Pt2uhgnNeeFk4l
OvrdJoxab7s=
=MaAA
-----END PGP SIGNATURE-----