Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0396 -- [UNIX/Linux][Debian]
New xpdf packages fix arbitrary code execution
18 April 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xpdf
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1693
Original Bulletin: http://www.debian.org/security/2008/dsa-1548
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running xpdf check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1548-1 security@debian.org
http://www.debian.org/security/ Devin Carraway
April 17, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : xpdf
Vulnerability : multiple
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-1693
Kees Cook discovered a vulnerability in xpdf, set set of tools for
display and conversion of Portable Document Format (PDF) files. The
Common Vulnerabilities and Exposures project identifies the following
problem:
CVE-2008-1693
Xpdf's handling of embedded fonts lacks sufficient validation
and type checking. If a maliciously-crafted PDF file is opened,
the vulnerability may allow the execution of arbitrary code with
the privileges of the user running xpdf.
For the stable distribution (etch), these problems have been fixed in
version 3.01-9.1+etch3.
For the unstable distribution (sid), these problems were fixed in
version 3.02-1.2.
We recommend that you upgrade your xpdf package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, powerpc, s390.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch4.dsc
Size/MD5 checksum: 974 b5ae1ed7abc02a808b97f9e8b1c08e6d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch4.diff.gz
Size/MD5 checksum: 39829 8b0fe2c7568c3f82d6b3d5d4742b52d9
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch4_all.deb
Size/MD5 checksum: 1274 e7fcf339747f547b7519cbd1df2f9338
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch4_all.deb
Size/MD5 checksum: 61358 7a76c4dc0a5eeb0b71fbc2807fc8ad21
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_alpha.deb
Size/MD5 checksum: 915780 40c67cd9c1b54b2f61e783df57b9f1b0
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_alpha.deb
Size/MD5 checksum: 1675464 0ec4308b0a7a6a9281b436b536c2b4a4
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_amd64.deb
Size/MD5 checksum: 1480468 cc550f3994bdab8fd1534d0c00111723
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_amd64.deb
Size/MD5 checksum: 804240 cca7233b1fe75ed2772af5d2f8e6d49d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_arm.deb
Size/MD5 checksum: 1458046 46b5a1a1503ad522b310ecbb8ce64bcc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_arm.deb
Size/MD5 checksum: 799814 97e080dec03c0393d8fee63e1a005f1d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_hppa.deb
Size/MD5 checksum: 1765316 5c465e20d6a5b285da773eda66c7497c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_hppa.deb
Size/MD5 checksum: 959886 5a5192fc84768372b5370464d646bc64
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_i386.deb
Size/MD5 checksum: 793560 5c6a968f356623a7db8c1b88e8ef40c4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_i386.deb
Size/MD5 checksum: 1450746 701944ba02dbe4dd852bd22bb0ca3ab2
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_ia64.deb
Size/MD5 checksum: 1212440 256c451d95495fa2689d1cca4c98e7e5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_ia64.deb
Size/MD5 checksum: 2203266 f73f1d87341e34c9f405c2c75b6f459d
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_mips.deb
Size/MD5 checksum: 1730844 fbc5b43b2558c59e6a2d6630d1371a88
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_mips.deb
Size/MD5 checksum: 954942 e0decffa31ae494958afecb231abee9f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_powerpc.deb
Size/MD5 checksum: 845404 543e7f16a393736880f2d3eafae8c26f
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_powerpc.deb
Size/MD5 checksum: 1546580 61e23c448d7a81c80ee9f75bff993e80
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch4_s390.deb
Size/MD5 checksum: 1390938 0823e7675a54c9991880b5e057d079da
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch4_s390.deb
Size/MD5 checksum: 763906 0c891488a3bf7595c20a8063cdc9feca
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIB4PCYrVLjBFATsMRArEJAJoCRYl0cZKzGSX7f9VCOUZO/xivfwCeNuC4
DNz6NSIGv9dKn8NYFmeAp4A=
=gAyP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSAftSyh9+71yA2DNAQI+fAP/R33HvkXFyrCD2l6bKN69iUY1qgDBYo37
FWqW19tVMq/uewdqqDcYjHk4LK9XNe8FhR7gIL8p42XtbcftRdKQfRgJd0Reg1W0
VCoLbB8aVdRpgsUKm7LkJAve0oGb0xyqdDTp9Zqbxe+cmY7nAXNBVzGRjih1a+By
XbjANgh7aY4=
=ksHZ
-----END PGP SIGNATURE-----