Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0768 -- [Debian] New cupsys packages fix arbitrary code execution 4 August 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: cupsys Publisher: Debian Operating System: Debian GNU/Linux 4.0 Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2008-1722 CVE-2008-1373 CVE-2008-0053 Ref: ESB-2008.0416 ESB-2008.0333 Original Bulletin: http://www.debian.org/security/2008/dsa-1625 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1625-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst August 01, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : cupsys Vulnerability : buffer overflows Problem type : remote Debian-specific: no CVE Id(s) : CVE-2008-0053 CVE-2008-1373 CVE-2008-1722 Debian Bug : 476305 Several remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-0053 Buffer overflows in the HP-GL input filter allowed to possibly run arbitrary code through crafted HP-GL files. CVE-2008-1373 Buffer overflow in the GIF filter allowed to possibly run arbitrary code through crafted GIF files. CVE-2008-1722 Integer overflows in the PNG filter allowed to possibly run arbitrary code through crafted PNG files. For the stable distribution (etch), these problems have been fixed in version 1.2.7-4etch4 of package cupsys. For the testing (lenny) and unstable distribution (sid), these problems have been fixed in version 1.3.7-2 of package cups. We recommend that you upgrade your cupsys package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz Size/MD5 checksum: 4214272 c9ba33356e5bb93efbcf77b6e142e498 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.diff.gz Size/MD5 checksum: 107641 b1ae0953050580975ef0c6ff495e912d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.dsc Size/MD5 checksum: 1376 4f8938f4dac4a9732efd621f4aabb63a Architecture independent packages: http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch4_all.deb Size/MD5 checksum: 45758 fbb5c3eaf74a1207d887e12bb75f6182 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch4_all.deb Size/MD5 checksum: 924012 43e775475535e31f2f6963947c03525d amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 1087542 cb6a29323e4cd1069b669c89963a1fac http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 53024 090d638da135798424a129257b51b157 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 142544 0d446b8acb588ec2b1c8c22067aa2364 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 1574904 cdd7afb0953a56cf8d213778cbe1773e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 80706 687de2f8bf779ca898863fb94a07a12b http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 85968 8d69f2ac63f2d4fbd923c2caa33c604d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 36352 02c24a715c2f06dd8bc62a851591948e http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 162230 0e2325c67bf23841038be68557ba8758 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_arm.deb Size/MD5 checksum: 48718 28a8ac4acad82bd582358e38c0c23013 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_arm.deb Size/MD5 checksum: 78910 6566d320a557b02cf94f379b84f0dba9 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_arm.deb Size/MD5 checksum: 35936 6ae06d35d6c40084adfd8bfd65866174 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_arm.deb Size/MD5 checksum: 1025732 5c3e851e94f3a41216d7a7149839c8d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_arm.deb Size/MD5 checksum: 132040 3eb0b900c59ea118d768b1459898ea90 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_arm.deb Size/MD5 checksum: 154878 02d749b77969111a813a4cba408bd74d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_arm.deb Size/MD5 checksum: 1568968 5c60803b01b551503017f750bea5526e http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_arm.deb Size/MD5 checksum: 85168 5b2a0162f00efdcc8cd1d93e0bc7486b hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 172120 3b9de8875c9be02866143463b0c919f0 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 91152 ab272c582600f995706b46709c510f32 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 1022644 b587ee12458f80bd76a1d7b84869b741 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 57192 4e117dab53e958404f958b99b08da4c1 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 154086 2a27882b763ce10df0fd172cfa8d22bb http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 86898 aebbadb4ddb70dde9a524fd56b7bfb46 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 1624440 67216c81ae5f4d2f1d8b571f7099492e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 39270 1bbd6351cb6cd5f686faaddbeb731c4f i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_i386.deb Size/MD5 checksum: 86844 5dd05c3c3f08b1e2a60405bcaef83146 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_i386.deb Size/MD5 checksum: 79334 2002dc686f12bb5250d9fafb9b63a268 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_i386.deb Size/MD5 checksum: 53272 1723eb6d5f00ce02702b52b60610c586 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_i386.deb Size/MD5 checksum: 36230 cda0348c0c9b6dbd145e3c02e0c44fd2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_i386.deb Size/MD5 checksum: 1004104 10a43e1b53f782d065362e92ff0998f9 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_i386.deb Size/MD5 checksum: 137972 203602cf657f98ee38a372c3922b7ae1 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_i386.deb Size/MD5 checksum: 160382 2fa7444168c9f43a22eb776bd9638827 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_i386.deb Size/MD5 checksum: 1559230 dfca65e3edd6f0fb4bdc18973efef89a ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 203930 b457e7ae7fb11f876225150e559a4272 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 46330 922f2bd1d98fcbb40badcebd7c0cc07c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106642 b61d48e93e413245d3fd5ebe47c31243 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1107892 65945b9397a13a31fb8646cb71ef7794 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 192372 eea62b30397305acdf6f98a6df50cf8e http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1770682 398872427b493f8206c38a3504fc1904 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 74158 e1f00e7e8be7549ac2b58adaeba0f5b2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106226 fb838547edf473df7efaa8fe41cf42f1 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 86546 02bd3a3bb274f21179f65edfb28c1f7e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mips.deb Size/MD5 checksum: 76158 53a90a54e6cf7418b81e0b40db39566b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mips.deb Size/MD5 checksum: 36116 8d78c13d605160ee0caa835961667913 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 150982 b48a8bcf9dbff3e842f83f4ca05e0421 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1097820 db2ff50e5555b022b54252f07b442992 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 157742 94a7c2d49b7234c0a54291446c5ba06d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1567460 dffd05c006a78e53bc8c03dc8beaa4ea http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 57688 cbce6e984252bef94c0bd7ace9afdcdf mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 86688 7c91af84b2fab2419fa4939bb8080097 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1552918 7d7af09023892fdd9e862ddcbb590fb3 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 150896 ba6b2f7c16957759b63e20d66d5964f2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 36064 702ec7fbc7b2716e10a97f7b7c11e75a http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 158270 0354f63d7126c3775cc74a95426052d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 57846 2ee768d4dc5f9c8cbd046a801f154ef8 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1084676 bb31572c9939fe22762ceef59550b25e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 77456 5884939dabb325cda97351bafdb62cfe powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 162918 05df3db670b3f2a4dbb9d8a2d666eaca http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 88204 4546a01b202669d3ffa97dca5b93bf03 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1576028 67c38bd81585274c0844efeedca40153 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 51894 321b1c0c9d59643294a87b00f81f7895 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 41310 45f55f0797900433a145028d63f6a6ef http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 90004 61698739b3b436e6d1651dc388a89575 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1142660 10680b3b7efdeb10e9d834e869944206 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 136880 e5c2d81190a9233eb291b519c3b83de6 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 166424 a2a07e7c586a10000b519c6f6c2ec4e2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1586828 1e581be3892b978e7284de896c3121de http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 87588 b3d0d3e7dbb84414f606b4670c6e2692 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1036620 bd1b35bd24260dfb340e0a3173a811a2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_s390.deb Size/MD5 checksum: 37430 622787f6d8b910f3657f98e0f5bf97bc http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_s390.deb Size/MD5 checksum: 82342 40a55f0afa5b2fa03285fd4d4cd8666c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 52468 470a81c78c7ececae0569e75bfab9ca7 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 144932 9ab43b87566469af9e4a79c9c1fae493 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 139570 5f5faa6504275ed43f4a55787519fdfe http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 78516 7066d103f739cd570fd141aa4fa780f6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 36032 c4e4289091dc19e5fbf7a6937ffb36f7 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 158816 f33bda24ec7774227b3bdb3dddcf1c46 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 51754 47ce5271662e6b980e34badfc9689009 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 84956 96aa28ac50548723754274f30db15379 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 991408 13a41c49f94085ca6a7f74a030506d3c http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 1562092 2bfd90bca7dbac40df73303f8e1e4b6f These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBSJK+8mz0hbPcukPfAQL+2ggArkU0cevHFbynnNIAPflbwBMYNLW4GvDB IDgHshZ4efGYsnfrEl57h/8GoteXN2c3LWNaI2enBtIRfgpyavHRYqX+Vl+7JjJr +8SxXjqxTnJ+6b7iFQVD5UQlrw77vTVBLA4qVdn/+dMKVKZPKTaozjBzxm3cjzrQ owqSLI+l8MJrsY4Et7ajEUJWOJ0meXY2xIgE32hat5prH7vGJUKab5gxwl96oIyi LPaGSpANk4GJCMAV5YtSpY4zxr3WGrJOQVLrqYmdN0/jrLVuGoNyoy2jy/1k+yT7 QIqV4J748E+ftsMvX/4QxPigIpSqQxVXgXZS52YN/OxJLzUBapskpg== =SW1E - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSJZeSCh9+71yA2DNAQLntAQAniteLoq67WIwqfe+5BEFFG/ohciTrs9C 7DBWm8sfjCPkBDoJUJ4G70Arx5urY4SkHMh7wVb4fJVO5SFUmS37xUgYFHvMX28Q pV/ZORCQke+DulmGQr8I3hHXNp3Ov/3zCln+NPUSKCsQKBggUqJUvXM3yzuPoxnV pKzVJnRofrk= =gAIb -----END PGP SIGNATURE-----