-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0138 -- [Debian]
          New sdl-image1.2 packages fix arbitrary code execution
                               17 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              sdl-image1.2
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      Debian GNU/Linux 3.1
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0554 CVE-2008-0544 CVE-2007-6697

Original Bulletin:    http://www.debian.org/security/2008/dsa-1493

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running SDL_Image check for an updated version of the software for
         their operating system.

Revision History:     March 17 2008: Updated packages correct versioning
                      February 11 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1493-2                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
March 16, 2008                        http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : sdl-image1.2
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-6697 CVE-2008-0554

An oversight led to the version number of the Debian 4.0 `Etch' update
for advisory DSA 1493-1 being lower than the version in the main archive,
making it uninstallable. This update corrects the version number.
For reference the full advisory is quoted below:

Several local/remote vulnerabilities have been discovered in the image
loading library for the Simple DirectMedia Layer 1.2. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-6697

    Gynvael Coldwind discovered a buffer overflow in GIF image parsing,
    which could result in denial of service and potentially the
    execution of arbitrary code.

CVE-2008-0544

    It was discovered that a buffer overflow in IFF ILBM image parsing
    could result in denial of service and potentially the execution of
    arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.2.5-2+etch1.

For the old stable distribution (sarge), these problems have been fixed
in version 1.2.4-1etch1. Due to a copy & paste error, "etch1" was appended
to the version number instead of "sarge1". Since the update is otherwise
technically correct, it was not rebuilt on the buildd network.

We recommend that you upgrade your sdl-image1.2 packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
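The following script is an added example, not part of the Debian advisory or
the AusCERT bulletin, showing the manual wget/dpkg path above with the one
check the advisory's "Size/MD5 checksum" lines exist for: the downloaded .deb
is compared against the published size and digest before dpkg -i is run, and
a mismatch discards the file. It assumes wget, md5sum and dpkg are present;
the URL, size and MD5 quoted in the comment are the Debian 4.0 i386
libsdl-image1.2 values from the listing below. The digest only means
something because the advisory carrying it is PGP-signed, so verify the
signature first; the version check at the end is what DSA-1493-2 is about,
since a package whose version sorts lower than the archive's is never
installed by apt-get upgrade.

```sh
#!/bin/sh
# Added example (not Debian's or AusCERT's code): verify a security update
# against the Size/MD5 values published in the advisory before installing it.

# verify_checksum FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte count and the MD5 digest match, 1 otherwise.
verify_checksum() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, advisory lists $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED_SIZE EXPECTED_MD5
# Mirrors "wget url" followed by "dpkg -i file.deb", but only installs the
# package when verify_checksum passes; a bad download is removed.
fetch_and_install() {
    url=$1; deb=$(basename "$url")
    wget -q "$url" -O "$deb" || { echo "download failed: $url" >&2; return 1; }
    verify_checksum "$deb" "$2" "$3" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}

# installed_at_least PKG WANT_VERSION
# Uses dpkg's own version ordering, so "1.2.5-2+etch1" compares correctly.
installed_at_least() {
    have=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || return 1
    dpkg --compare-versions "$have" ge "$2"
}

# Usage on a Debian 4.0 i386 host (values copied from the advisory listing):
# fetch_and_install \
#   http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_i386.deb \
#   29632 fe51b351e3eb72f315ed1b74f29138eb
# installed_at_least libsdl-image1.2 1.2.5-2+etch1 && echo "fixed version installed"
```

For hosts using apt-get, the equivalent is the sources.list line in the footer
(deb http://security.debian.org/ stable/updates main) followed by apt-get
update and apt-get upgrade; the installed_at_least check is still useful
afterwards to confirm the corrected package actually landed.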


Debian 3.1 (oldstable)
- - ----------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.4-1etch1.diff.gz
    Size/MD5 checksum:    27202 0b364f0ccd1b55de86b64beafbebff7f
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.4-1etch1.dsc
    Size/MD5 checksum:      695 6dfd0ce5e3c53237b0b25e4dd269a11a
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.4.orig.tar.gz
    Size/MD5 checksum:   841885 70bf617f99e51a2c94550fc79d542f0b

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_alpha.deb
    Size/MD5 checksum:    33742 ea1ed76178284a1c6db541c965da37e4
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_alpha.deb
    Size/MD5 checksum:    43496 f545cac9be83710d7a9fa10b9a6aa3e6

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_amd64.deb
    Size/MD5 checksum:    28126 42037dac0e93f401ac8dbbd7eb28db3f
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_amd64.deb
    Size/MD5 checksum:    33870 742423cedbaf791e44b9038cf55fb12f

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_arm.deb
    Size/MD5 checksum:    26854 6329107849651e11c8d4e4f556083d87
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_arm.deb
    Size/MD5 checksum:    32982 e94d20a7159fb861d46ebf3b4eeb1a3e

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_hppa.deb
    Size/MD5 checksum:    32766 ea20750007fc127575c809c3c5120670
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_hppa.deb
    Size/MD5 checksum:    37850 28508c01a54dbcdfcbc5976fb39d4e4e

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_i386.deb
    Size/MD5 checksum:    31678 e4f87b2d32187aea3e3106acffba5110
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_i386.deb
    Size/MD5 checksum:    27288 edea4b5cee15f1541affd374d5fdc304

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_ia64.deb
    Size/MD5 checksum:    39306 71a0facbdffabd3fc3a2020441cdc77b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_ia64.deb
    Size/MD5 checksum:    46542 d577243130ea99eeddb4aeb426065414

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_m68k.deb
    Size/MD5 checksum:    29560 e0090e37b0260ac763bfef2c1759a76f
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_m68k.deb
    Size/MD5 checksum:    25882 4c322c227336ab964455c3b0d68a886f

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_mips.deb
    Size/MD5 checksum:    28876 b06528c4868efe3611a8b619ffd1241a
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_mips.deb
    Size/MD5 checksum:    36434 d3d65379318c3bbb2404b7309b20e22c

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_mipsel.deb
    Size/MD5 checksum:    36582 cb7b4d04063110328b56276aca575552
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_mipsel.deb
    Size/MD5 checksum:    28340 92e97c6067c2e081ff7cd11ecc302f2a

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_powerpc.deb
    Size/MD5 checksum:    35462 b51680ea32ee9efe1eb67b26dd282c5b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_powerpc.deb
    Size/MD5 checksum:    30356 e2780564742a68fd237c52d3ca591675

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_s390.deb
    Size/MD5 checksum:    29724 44f41692b88e54c89f001eb641da045b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_s390.deb
    Size/MD5 checksum:    34572 80ff11c08dfb385afa654d59d220f9c0

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.4-1etch1_sparc.deb
    Size/MD5 checksum:    27324 8d628ae4aadb9e8547550950c7724719
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.4-1etch1_sparc.deb
    Size/MD5 checksum:    32698 276764545f2061bf0cc3c93581a31bd0

Debian 4.0 (stable)
- - -------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.5.orig.tar.gz
    Size/MD5 checksum:  1308637 cd006109a73bf7dcc93e1c3ed15ee782
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.5-2+etch1.diff.gz
    Size/MD5 checksum:    12288 84411d1b20a5081531b7ecc7a8fa6b98
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/sdl-image1.2_1.2.5-2+etch1.dsc
    Size/MD5 checksum:      991 7806c149bf53c0c3fbe09603b28a9e7f

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_alpha.deb
    Size/MD5 checksum:    35600 c930d2cb2fe38353ebbe9edc1a98c98b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_alpha.deb
    Size/MD5 checksum:    47102 35738b5f9cf4f257124cfd790f10cc45

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_amd64.deb
    Size/MD5 checksum:    37168 5b25b6d14deacd354314f33feafd1afb
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_amd64.deb
    Size/MD5 checksum:    30812 23b4a56805646edd08341cbc8cf50813

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_arm.deb
    Size/MD5 checksum:    29886 9eac2469b9f44949bee06c68cf39d61d
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_arm.deb
    Size/MD5 checksum:    34364 dfdae6084d7980fa7e7a37b2d1ce335f

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_hppa.deb
    Size/MD5 checksum:    42668 bb3e3aa7c32fc3987601cafe02b5dd06
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_hppa.deb
    Size/MD5 checksum:    35994 00a45b42952daf6a89805bc3040e9e9d

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_i386.deb
    Size/MD5 checksum:    34404 6b98b1a5fd2eeaf25feaab7418583ec9
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_i386.deb
    Size/MD5 checksum:    29632 fe51b351e3eb72f315ed1b74f29138eb

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_ia64.deb
    Size/MD5 checksum:    44372 31f41f5b4906cf6d1c235ad6a1b29c5c
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_ia64.deb
    Size/MD5 checksum:    52846 cfd0229fc15d7a8e18e834c66f5b03d3

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_mips.deb
    Size/MD5 checksum:    30960 7132abcd2c819256b7193b7cf63fa81e
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_mips.deb
    Size/MD5 checksum:    39782 d3ead76cfe8f6e92fb2921d8de2d54bb

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_mipsel.deb
    Size/MD5 checksum:    40086 825a5d5805f99bfb9acf1f6425a909a3
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_mipsel.deb
    Size/MD5 checksum:    30402 a656068aaf5669b19699d69f89624900

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_powerpc.deb
    Size/MD5 checksum:    38494 af9c5c3a5043f7665277cce36c88446b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_powerpc.deb
    Size/MD5 checksum:    32208 cebf3e7baa407284a2dcc60f4c711240

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_s390.deb
    Size/MD5 checksum:    32128 32df92bc5b9c748857ab3c374bef8691
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_s390.deb
    Size/MD5 checksum:    37428 0e9e191540931cf1d2e89441b0a115dd

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2-dev_1.2.5-2+etch1_sparc.deb
    Size/MD5 checksum:    35878 9ae84a99d7976a4ccef4f231e4eb1b5b
  http://security.debian.org/pool/updates/main/s/sdl-image1.2/libsdl-image1.2_1.2.5-2+etch1_sparc.deb
    Size/MD5 checksum:    29446 d5f44ae97830110675eec90dba2c442f


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR92Ahmz0hbPcukPfAQIHUggAg8yW6xv5lLRdI6wPGTxH3+gZaqZFC9ae
V8uc+RRCxJ7ptJ0bJbWpA291aCB6mIJQ5NyohT15+ED8wPrO1R4+3JTQ7qeSKQ7j
wxwfcxSzisrV2uqa2GsA2GmEYwG6a6bGTVrP5OWXSZt/NNStwAKjkWYBSruZOuhA
penr4o9kX2Az42IDRlYLlOwDC8quAZdi2VSjgH9u4SFbU21pI/VhvnBfcudzwtLo
goUZcIkq5HmHs344L41bm+hq5JTErDjV6Lwh3yoGAOx2dQqE4698PPjwJXalLIDi
2erDAarrCiF914bT80Qnv0YOv84x2Pj7hrJS7eQxBP76x2NtrdXNLg==
=kPyX
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR93u1Sh9+71yA2DNAQLonAP+I/SbOGRvypNRXfgnVJ/TvbSpEP0eT/ao
S1GsAXY8yWY2apFjAGQAIshIDijvC3lsqRqJGL9vcv2HFQ6M9OR1S9fBKnG/3i3h
WEcnTGg0U3bAd9178dJgrCc+9BzUqRtc1thVBi6lGkv4z4qmjZCdgsS+vipQWwXL
I0gBfGhOhog=
=HINJ
-----END PGP SIGNATURE-----