Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0371 -- [UNIX/Linux][Debian] New libcairo packages fix arbitrary code execution 10 April 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libcairo Publisher: Debian Operating System: Debian GNU/Linux 4.0 UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2007-5503 Original Bulletin: http://www.debian.org/security/2008/dsa-1542 Comment: This advisory references vulnerabilties in products which run on platforms other than Debian. It is recommended that administrators running libcairo check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1542-1 security@debian.org http://www.debian.org/security/ Devin Carraway April 09, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libcairo Vulnerability : integer overflow Problem type : local (remote) Debian-specific: no CVE Id(s) : CVE-2007-5503 Peter Valchev (Google Security) discovered a series of integer overflow weaknesses in Cairo, a vector graphics rendering library used by many other applications. If an application uses cairo to render a maliciously-crafted PNG image, the vulnerability allows the execution of arbitrary code. For the stable distribution (etch), these problems have been fixed in version 1.2.4-4.1+etch1. For the unstable distribution (sid), these problems have been fixed in version 1.4.10-1.1. We recommend that you upgrade your libcairo packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 4.0 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.dsc Size/MD5 checksum: 894 4bd02b09d90fb7dc966f9ad9e4653d74 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4.orig.tar.gz Size/MD5 checksum: 2882781 1222b2bfdf113e2c92f66b3389659f2d http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.diff.gz Size/MD5 checksum: 29508 df191c1acebf8b74f4dc9e9684694827 Architecture independent packages: http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-doc_1.2.4-4.1+etch1_all.deb Size/MD5 checksum: 299594 1265f2438a59a670a2002a1fe37ad83f alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_alpha.deb Size/MD5 checksum: 539986 cea40c631672aecbc07e515e33e2a9db http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_alpha.deb Size/MD5 checksum: 411544 fa867f23b40e90f111739bae281c7348 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_alpha.udeb Size/MD5 checksum: 199550 5d1bf32875edb7358f83a2794979757e http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_alpha.deb Size/MD5 checksum: 397872 c9d9341caa748b6c90212f95c22d1c30 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_alpha.deb Size/MD5 checksum: 513532 ea952537b9c51f92dc70e50acc285eca amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_amd64.deb Size/MD5 checksum: 452564 26fd8f9e706dd0f446eada08da6aa4e3 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_amd64.deb Size/MD5 checksum: 395362 686f9dbff74537e61ed8ab677706ad3f http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_amd64.udeb Size/MD5 checksum: 183728 8912904d7aa4d7bfda3443bde0dedd85 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_amd64.deb Size/MD5 checksum: 471076 a05953964b5cf00d1821f9ca7eb48a50 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_amd64.deb Size/MD5 checksum: 382068 474cc11a61af2ff477ca1443f5601324 arm architecture (ARM) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_arm.deb Size/MD5 checksum: 416400 4cda8085d4f84eb9d90db6932d6457a4 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_arm.deb Size/MD5 checksum: 431954 7bfa5c09b8ee60b6037220d9481ae8a7 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_arm.deb Size/MD5 checksum: 360656 9e6dcf8edae92220132ab86b04ee068b http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_arm.deb Size/MD5 checksum: 371894 7a7735ff8683d80a0553a333ef4f5a02 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_arm.udeb Size/MD5 checksum: 162388 4990362745e6022373b2333fccc94a06 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_hppa.deb Size/MD5 checksum: 413884 c4e214540972dd9c727ce67247ba6bed http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_hppa.deb Size/MD5 checksum: 399968 8cfaff95765482045f39f9af72c845a6 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_hppa.deb Size/MD5 checksum: 488146 4fc58af6eee498b6263b60fe8f29fbe2 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_hppa.udeb Size/MD5 checksum: 201684 7adcda56d3cf71f47c1cb071ac0339df http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_hppa.deb Size/MD5 checksum: 467416 0ecb3f00d081b8bd53cec8f0b57204a1 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_i386.deb Size/MD5 checksum: 371862 78b04e59cd3c5b6030d293766b926395 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_i386.udeb Size/MD5 checksum: 174406 5cbdb944a46f1b97a0e84eea388bb613 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_i386.deb Size/MD5 checksum: 384534 40a798a8c26b7d4930b6d44e441e4917 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_i386.deb Size/MD5 checksum: 429240 b7aa75bf8806f6b886c8b9556354dfee http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_i386.deb Size/MD5 checksum: 445890 b44a16dcfa36a6a05b5f6a64c477805b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_ia64.deb Size/MD5 checksum: 557968 ea3a26a3344adce06789748f68f9f433 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_ia64.deb Size/MD5 checksum: 585262 5f33580c65809a4ac73fb6c670ce77a1 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_ia64.udeb Size/MD5 checksum: 272082 0d1bb4d44bc50fda6133772fc01bac33 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_ia64.deb Size/MD5 checksum: 489674 3e1f2d13d38cdac74a9675680fe0daff http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_ia64.deb Size/MD5 checksum: 470694 c4aaac4ba044fea5082bf02e92fe8e82 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mips.deb Size/MD5 checksum: 488170 e92545a6c4f12169715cb3f6f4435e93 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mips.deb Size/MD5 checksum: 465238 a5afd1fe607e8c86fdad9ecac4982667 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mips.deb Size/MD5 checksum: 389684 d7321be1df46e5c0afa504dd66950adf http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mips.deb Size/MD5 checksum: 377046 821cbe3d5acb4bdd73908b91e6707933 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mips.udeb Size/MD5 checksum: 178908 2fc76539c9e93e47664b020d970ab87a mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mipsel.deb Size/MD5 checksum: 378354 ed811dcf921690a647280223993819db http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mipsel.deb Size/MD5 checksum: 390846 90a7ca3743af4aaf0242381765d00fc2 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mipsel.deb Size/MD5 checksum: 466356 0eea06972850f05cf7874ba33e697e36 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mipsel.deb Size/MD5 checksum: 488570 1c55421ebd997fd22e20987f42be701c http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mipsel.udeb Size/MD5 checksum: 179834 60af43139c3b83c7af4e91b0d87ebc48 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_powerpc.deb Size/MD5 checksum: 383326 8fe650e57f071f48bdcbdee8ef629dee http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_powerpc.deb Size/MD5 checksum: 435500 9182ae98f78de748626dcb882f09af3d http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_powerpc.deb Size/MD5 checksum: 454122 464a3b39ab81c0f22222288fa8686335 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_powerpc.deb Size/MD5 checksum: 371486 c7ad7f6842193eb284acde2933cf37a0 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_powerpc.udeb Size/MD5 checksum: 172792 d1602b8093517526bc7368263d6b7ece s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_s390.deb Size/MD5 checksum: 457120 354f0d65b96eac90345823ef8cd551aa http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_s390.deb Size/MD5 checksum: 438358 2fb1ba4651a1cc2bbc2e2d41e850b711 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_s390.udeb Size/MD5 checksum: 187702 ffda9037108f8324fde9fb7f1a08199d http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_s390.deb Size/MD5 checksum: 399726 194e9a8528dde46db7b8fffdf56a97d4 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_s390.deb Size/MD5 checksum: 385820 ae0eaaedd3485a83335bd0005b6e0930 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_sparc.deb Size/MD5 checksum: 415042 001b42c58f1a2ca545816948381fe17c http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_sparc.deb Size/MD5 checksum: 357198 ab14875b97ba5a4dcbf78af6698c3a9e http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_sparc.deb Size/MD5 checksum: 368798 27c8640318302b856a9a154c881cbb1d http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_sparc.udeb Size/MD5 checksum: 158608 dc606702f1ff49c394c300e24cda5ee4 http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_sparc.deb Size/MD5 checksum: 431810 0da0e67c3ee915b8b61acccae7cb3f8d These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH/QK2Xm3vHE4uyloRAj6FAKDCsOBB6Jkrov6np/524W7geztb9ACeNDTV n4AYFR2naeH3+O9sLwhH6kE= =6WGB - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR/1lqyh9+71yA2DNAQIHDwQAjX3qPlxIhRjry4Hs0oVRy37tkxXqc9Wy OT8hSIEOoeido9ySiREdZa/oIp/8dyAGtTwxNuuflRECqFCGdwB1PmRq1jm5EDrD OEdhSJrAgYR1q8TBh5YmhVYA55AdjRrLwk4hYwMY3jX8WENUo/+82EBz3L1Uw3mT i23Bylhrh/s= =MB6r -----END PGP SIGNATURE-----