Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0135 -- [Debian] New libexif packages fix several vulnerabilities 11 February 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libexif Publisher: Debian Operating System: Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 Impact: Execute Arbitrary Code/Commands Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2007-6352 CVE-2007-6351 CVE-2007-2645 Ref: ESB-2007.1035 Original Bulletin: http://www.debian.org/security/2008/dsa-1487 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1487-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff February 08, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libexif Vulnerability : several Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2007-2645 CVE-2007-6351 CVE-2007-6352 Several vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the xecution of arbitrary code if a user is tricked into opening a malformed image. CVE-2007-2645 Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. CVE-2007-6351 Meder Kydyraliev discovered an infinite loop, which may result in denial of service. CVE-2007-6352 Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. This update also fixes two potential NULL pointer deferences. For the stable distribution (etch), these problems have been fixed in version 0.6.13-5etch2. For the old stable distribution (sarge), these problems have been fixed in 0.6.9-6sarge2. We recommend that you upgrade your libexif packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 3.1 (oldstable) - - ---------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9.orig.tar.gz Size/MD5 checksum: 520956 0aa142335a8a00c32bb6c7dbfe95fc24 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.dsc Size/MD5 checksum: 591 1ab880b25e1e3ba979d2b6441a3367d5 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.diff.gz Size/MD5 checksum: 5162 47e515e0688cd1c661456df1b5d77601 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_alpha.deb Size/MD5 checksum: 87534 d7d3df515250467671cbc2d9f158269e http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_alpha.deb Size/MD5 checksum: 87554 ee4573f7453ca96efda9cd094d106e30 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_amd64.deb Size/MD5 checksum: 67756 af682500abe0346627ba15e941fa0b1a http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_amd64.deb Size/MD5 checksum: 82068 37e1b283512138577147b1acb9717ed7 arm architecture (ARM) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_arm.deb Size/MD5 checksum: 64146 62d0c51dbb3339746066bb04d787af45 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_arm.deb Size/MD5 checksum: 77004 0d1a7247d251ca72ff84e4da7dcca53b i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_i386.deb Size/MD5 checksum: 81194 bed6762757bd00b262a0829419cd6634 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_i386.deb Size/MD5 checksum: 66828 8cc90864578b2854bc71255638e47fb5 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_ia64.deb Size/MD5 checksum: 84318 4a59f435077564e89aca96c95d026a10 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_ia64.deb Size/MD5 checksum: 95484 e4ac3f25989bcfc22bc87b1e0d95772e m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_m68k.deb Size/MD5 checksum: 58050 7fef4665ccd47cc42632a329500e70a5 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_m68k.deb Size/MD5 checksum: 79196 46342bf50631c9d64ed103511b1b893c mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mips.deb Size/MD5 checksum: 69282 708a8d5c33c9a55a4ab4756710839206 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mips.deb Size/MD5 checksum: 77082 97212d583943be6d83afcec731e27ac1 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mipsel.deb Size/MD5 checksum: 67646 c857ec6882ed8cbb47e051a90df7ca96 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mipsel.deb Size/MD5 checksum: 77138 47e7a22eb17e671e2ccb500a775a85d1 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_powerpc.deb Size/MD5 checksum: 81332 72847874c73086de64a25d03f48a2780 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_powerpc.deb Size/MD5 checksum: 69112 c4584d2f07fbdb932c85e2633ca9b2a8 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_s390.deb Size/MD5 checksum: 82268 3f308fb9b59f68ffdbf7390e76f570c2 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_s390.deb Size/MD5 checksum: 69724 21b6aa80c1a1c1a1b3e8bcd9165c8c43 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_sparc.deb Size/MD5 checksum: 66296 ee6bceace68322f90e171c89c441e4c6 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_sparc.deb Size/MD5 checksum: 80280 4e9b6787b57c526192bdc2de9d5d6a7f Debian 4.0 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13.orig.tar.gz Size/MD5 checksum: 727418 e5ad93c170bfb4fed6dc3e1c7a7948cb http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.dsc Size/MD5 checksum: 611 31d21b75dede8ab7357d68dc10f31b03 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.diff.gz Size/MD5 checksum: 9821 99a0a91ef86facebe77eb309e84187ee alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_alpha.deb Size/MD5 checksum: 148400 569ffd818b70ff416f2b50033c504a69 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_alpha.deb Size/MD5 checksum: 1068446 66c630fb722856971a824fc00e7ae0f5 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_amd64.deb Size/MD5 checksum: 1044250 b3c5a88cb260655fc65d2ccbd1e2e25b http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_amd64.deb Size/MD5 checksum: 143178 f76de0764808bf3e2c82867954e2a214 arm architecture (ARM) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_arm.deb Size/MD5 checksum: 136448 0f04c8ec7d86dd7c5e2d104cd0a8592a http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_arm.deb Size/MD5 checksum: 1047204 0b0a09e307bd48dd38ea7be61901eec6 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_i386.deb Size/MD5 checksum: 140088 74f55a40478fb3735293b8b20a9b29b9 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_i386.deb Size/MD5 checksum: 1008258 98478f9f44a8121aaa68173eabb9d045 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_ia64.deb Size/MD5 checksum: 159480 f35f6ad4c85c7d0b2898a918fd452081 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_ia64.deb Size/MD5 checksum: 1028756 add2a11a37f72fc8e00db36acc7aba96 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mips.deb Size/MD5 checksum: 1043420 a2a95479dea713b082fef5c1b5309ea7 http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mips.deb Size/MD5 checksum: 137352 54a048d4d4d5040a026887e93dadb61d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mipsel.deb Size/MD5 checksum: 136158 f713af175516742b0cda4422b85810ad http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mipsel.deb Size/MD5 checksum: 1008294 bc6a4b93282d64d33f1d26eee59c5bb4 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_powerpc.deb Size/MD5 checksum: 138282 cb57a663e790a4155635009c8948eeca http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_powerpc.deb Size/MD5 checksum: 1005588 26264ee184bad0af01f7861e3a5db6e7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_s390.deb Size/MD5 checksum: 143596 f4246c73e1d35cc56bc3fca55ec7675f http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_s390.deb Size/MD5 checksum: 1007802 df0e068ffdb783f1da5418e518d623ce sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_sparc.deb Size/MD5 checksum: 138354 d27c15349891f23956642b19733da994 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_sparc.deb Size/MD5 checksum: 1002854 c44f9f239a4e13da27ccb78a42d54df3 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHrJA5Xm3vHE4uyloRAkxeAJwIb/NrMfNSD4vcRt2FXSSnRNmJFwCgwrgy syCcOf1SWUb3hogEG0nUsiw= =N7HU - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR6+KvSh9+71yA2DNAQIRqgP9GEm/wHx4TkJ5n7s4MJE0+PKh7m0nv/b5 oLA8MFbeg1X/Pqv2BRWLYshQ3d5leucBOjNiU7G1mNqXrkWAj6HuiFb6yQCdnx0b +qquNX5XcPBY6WVEnS9FG/9prT4trHf8LRJlXCZ6Yg1cK3GQdibGC+nMEvI5cUP5 yLy+QGH3mow= =cTh8 -----END PGP SIGNATURE-----