===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2008.0536 -- [Debian]
New libfishsound packages fix execution of arbitrary code
23 May 2008
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              libfishsound
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1686

Ref:                  ESB-2008.0393

Original Bulletin:    http://www.debian.org/security/2008/dsa-1584

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
Debian Security Advisory DSA-1584-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
May 21, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libfishsound
Vulnerability  : integer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-1686
Debian Bug     : 475152

It was discovered that libfishsound, a simple programming interface that
wraps Xiph.Org audio codecs, didn't correctly handle negative values in a
particular header field. This could allow malicious files to execute
arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
0.7.0-2etch1.

For the unstable distribution (sid), this problem has been fixed in version
0.7.0-2.2.

We recommend that you upgrade your libfishsound package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================