Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0536 -- [Debian]
New libfissound packages fix execution of arbitrary code
23 May 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libfishsound
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1686
Ref: ESB-2008.0393
Original Bulletin: http://www.debian.org/security/2008/dsa-1584
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1584-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
May 21, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : libfishsound
Vulnerability : integer overflow
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-1686
Debian Bug : 475152
It was discovered that libfishsound, a simple programming interface that
wraps Xiph.Org audio codecs, didn't correctly handle negative values in
a particular header field. This could allow malicious files to execute
arbitrary code.
For the stable distribution (etch), this problem has been fixed in version
0.7.0-2etch1.
For the unstable distribution (sid), this problem has been fixed in
version 0.7.0-2.2.
We recommend that you upgrade your libfishsound package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound_0.7.0.orig.tar.gz
Size/MD5 checksum: 426487 00ece8c9a0363b37957ce670bcf270d3
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound_0.7.0-2etch1.dsc
Size/MD5 checksum: 659 d72d4922c70c6bb10dff6ace5a814455
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound_0.7.0-2etch1.diff.gz
Size/MD5 checksum: 16054 c5842b27bd7a05ef9bd26e701dfc56dc
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_alpha.deb
Size/MD5 checksum: 34582 9ef817deb3b892d9fa9f7fdc4a94e6a5
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_alpha.deb
Size/MD5 checksum: 15304 eed92cc88865ae99cc768c0a7b33019c
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_alpha.deb
Size/MD5 checksum: 7740 57cd0eae0976b9d78be65d0aeba32a3e
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_amd64.deb
Size/MD5 checksum: 30786 64fd312521a927ceb867f63e5f4734a5
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_amd64.deb
Size/MD5 checksum: 7794 8fb36c5bdd40a8dc5c370802da6ec050
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_amd64.deb
Size/MD5 checksum: 14334 a6845973bc2f61f4783710a5797e5484
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_arm.deb
Size/MD5 checksum: 29224 35d4c9d5a750ba8dd53ba6fd5bb248df
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_arm.deb
Size/MD5 checksum: 12462 6693b054221d19c6da6c2069466ef7dc
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_arm.deb
Size/MD5 checksum: 7882 560e18366ae1e15d5aef32855f0ab731
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_hppa.deb
Size/MD5 checksum: 15162 68e6bc1466fcfa4d73edb3d760a9e5b8
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_hppa.deb
Size/MD5 checksum: 7802 5922374807b136070b2f002ba716807f
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_hppa.deb
Size/MD5 checksum: 31662 3c9fbc584f7942ff0ea88dd27daebbfd
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_i386.deb
Size/MD5 checksum: 29344 74a5b956c3dc3450f3da2ec91dcf2a34
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_i386.deb
Size/MD5 checksum: 13384 559730ed3949728fc0dcf77d19a05712
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_i386.deb
Size/MD5 checksum: 7614 c2b9b6a8343bda423068fa8965411bf6
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_ia64.deb
Size/MD5 checksum: 7832 dfc5dbc81fb32225763581dbd7c04b9b
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_ia64.deb
Size/MD5 checksum: 18426 e0adf330dba7d6cc800de96e24897ccf
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_ia64.deb
Size/MD5 checksum: 35658 671ac1c23579b0274ee4d11837ceaea1
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_mips.deb
Size/MD5 checksum: 8192 d2f144651551538d9eb7364408000d93
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_mips.deb
Size/MD5 checksum: 13568 c21ca7014120fb083d014adbb0a4b33f
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_mips.deb
Size/MD5 checksum: 31578 4da77e051c94377ace4e567f96f22b07
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_mipsel.deb
Size/MD5 checksum: 16532 7c41c702fd586b8eea66ecc57c742829
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_mipsel.deb
Size/MD5 checksum: 8742 948111077a371b6b79a6e176c8844a5b
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_mipsel.deb
Size/MD5 checksum: 35456 2baa784478f106c5cf10b4eaf003db8e
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_powerpc.deb
Size/MD5 checksum: 8984 df70ba8da43c86923cd88c74676ef9ef
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_powerpc.deb
Size/MD5 checksum: 15040 22e46a44ff17b0c1d60908cd0b61ccfc
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_powerpc.deb
Size/MD5 checksum: 31074 fa6ab24dcf4e23f52a8d67dcaf56e40f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_s390.deb
Size/MD5 checksum: 31390 04834db2f07e1ea50eb590d95bc78dcd
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_s390.deb
Size/MD5 checksum: 14872 21e26171f0205856b65f6727a32b3edf
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_s390.deb
Size/MD5 checksum: 7540 fdc0a47c6522993232751be26725ce3b
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2etch1_sparc.deb
Size/MD5 checksum: 7686 8483df0677d953b7d10335a6063635fa
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1_0.7.0-2etch1_sparc.deb
Size/MD5 checksum: 12432 8c3643ab5a8cf220343e0e583d21b947
http://security.debian.org/pool/updates/main/libf/libfishsound/libfishsound1-dev_0.7.0-2etch1_sparc.deb
Size/MD5 checksum: 30008 3cf9fbcaf627dc07d64d2330b5149cce
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFINGW8wM/Gs81MDZ0RAtz6AJ9us+9vR8mjKMvX78kiyunLmvwEswCbB5sb
Qr8G9776Ofwfnp9Ftzxj/tQ=
=wzeM
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSDZiCSh9+71yA2DNAQKkYgP9HEjj8PQSxd6q6L3HX/y6/l7cWgxhytfz
hTg8qFlpO5cyXI71LYwgGS1k3g7L6Z7fXSGQgwvv+gGcpYVoswloaVuKBUnpjzZn
u+2obTparzOIo0x5agPFEsjlG7tYpX9kFlcpF2/YiQ/VZ4E0gqSF5noMItLXWnBm
zcFANwU1bQI=
=k+35
-----END PGP SIGNATURE-----