Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0244 -- [Debian] New libsnd packages fix arbitrary code execution 16 March 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libsndfile Publisher: Debian Operating System: Debian GNU/Linux 4.0 Debian GNU/Linux 5.0 Impact: Execute Arbitrary Code/Commands Access: Existing Account CVE Names: CVE-2009-0186 Ref: AA-2009.0047 Original Bulletin: http://www.debian.org/security/2009/dsa-1742 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA-1742-1 security@debian.org http://www.debian.org/security/ Nico Golde March 16th, 2009 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : libsndfile Vulnerability : integer overflow Problem type : local Debian-specific: no CVE ID : CVE-2009-0186 Debian Bug : none BugTraq ID : 33963 Alan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution. For the oldstable distribution (etch) this problem has been fixed in version 1.0.16-2+etch1. For the stable distribution (lenny) this problem has been fixed in version 1.0.17-4+lenny1. For the unstable distribution (sid) this problem has been fixed in version 1.0.19-1. We recommend that you upgrade your libsndfile packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch1.dsc Size/MD5 checksum: 659 2782d11c87eb6cdbcbb4757bdcba3582 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch1.diff.gz Size/MD5 checksum: 5872 94c24295ef3f6461e417f7953e3df405 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_amd64.deb Size/MD5 checksum: 322418 5590289019e10655b831451a93b10d43 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_amd64.deb Size/MD5 checksum: 187326 a873f6260972d3f18bb5bfcefc355894 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_amd64.deb Size/MD5 checksum: 70686 3cbb5bbe4f0af88cd8f33e5296427cc3 arm architecture (ARM) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_arm.deb Size/MD5 checksum: 342342 d2f15699c1f3d6d3a5460385ea9b99b6 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_arm.deb Size/MD5 checksum: 72166 e691a87d6803f4e877c12fdc7ba13e25 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_arm.deb Size/MD5 checksum: 221378 b4843f23c1079a4a7ea0fc2324c680fc hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_hppa.deb Size/MD5 checksum: 74914 1f96f0eee8d6a3eb34d24a433546fd57 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_hppa.deb Size/MD5 checksum: 236094 ce6c840fbd31cd9d715c8525616ac54c http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_hppa.deb Size/MD5 checksum: 373868 bef1859b9f1266093be1c95531351eff i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_i386.deb Size/MD5 checksum: 320672 3ed0f57f391284d9d7cb0b3eb95d48fb http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_i386.deb Size/MD5 checksum: 70872 818ad0f2460d4cc6d902809bb0d9bf4a http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_i386.deb Size/MD5 checksum: 197906 eba6df6a2658f8b95ed31c38c3a3ef40 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_ia64.deb Size/MD5 checksum: 270732 de8da4d9acfe054e5e1e9a9367d50cac http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_ia64.deb Size/MD5 checksum: 75896 230edd89ad51fd4c4f064815f661b4c8 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_ia64.deb Size/MD5 checksum: 416258 aecbfa75aae59f97ef88b98c805fe935 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_mips.deb Size/MD5 checksum: 217258 a252e3e6dfa3a82429b1f0f614408f85 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_mips.deb Size/MD5 checksum: 72898 15032de6be2605a07ddcc8c1534f26c9 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_mips.deb Size/MD5 checksum: 374318 27cb3879cb552c881f9c52127bbe5670 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_mipsel.deb Size/MD5 checksum: 72948 02486480aa641705aca406a7f8dd0ed8 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_mipsel.deb Size/MD5 checksum: 216892 9c13d9332ad74db6a6a84cb018f333b0 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_mipsel.deb Size/MD5 checksum: 373456 8cef61c9e296b2134c25245133a69884 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_powerpc.deb Size/MD5 checksum: 207898 47b604aebf08ad004589587b6a977dbd http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_powerpc.deb Size/MD5 checksum: 75942 98415fef5f56e16713c23c96a2e15445 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_powerpc.deb Size/MD5 checksum: 346488 eacb480134790f9e39b1332e6e84e4ee s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_s390.deb Size/MD5 checksum: 72940 c92ba36d5ec4b092a0f07e6db712de30 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_s390.deb Size/MD5 checksum: 220998 a1489d9687ad8b804244a741fdd7cb35 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_s390.deb Size/MD5 checksum: 346540 8f2784ab3ba80709ef6f00b84194fa2a sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_sparc.deb Size/MD5 checksum: 207890 7788155fa7338ac0c7ede3f3c8808e9e http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_sparc.deb Size/MD5 checksum: 70836 ce42b9f5eaf08d484c4b136833575491 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_sparc.deb Size/MD5 checksum: 338816 17c6a3b095be526617571a9a2631e762 Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny1.diff.gz Size/MD5 checksum: 9969 a06409102bd304eedb0bd6634bceefa1 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17.orig.tar.gz Size/MD5 checksum: 819456 2d126c35448503f6dbe33934d9581f6b http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny1.dsc Size/MD5 checksum: 1131 b44551174131c95a8cfae919907d3efa amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_amd64.deb Size/MD5 checksum: 332902 bb2e2e44a1a399bf089481a9facc4e19 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_amd64.deb Size/MD5 checksum: 73016 93aef598d40745fc4531955441223ab5 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_amd64.deb Size/MD5 checksum: 191504 6b54a2e1a53d09464c4b65d258a5deb3 arm architecture (ARM) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_arm.deb Size/MD5 checksum: 347414 6c52b00fc235e1ae0a47666f31c0b212 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_arm.deb Size/MD5 checksum: 74216 708985007e2bb5a2426a268e6685950b http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_arm.deb Size/MD5 checksum: 217154 9b070d74cf8f2f0386f21bb7808bf080 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_armel.deb Size/MD5 checksum: 355992 e1c35063b71ec530cb04e78fd28cea0e http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_armel.deb Size/MD5 checksum: 220856 4da3e1b0575f958ad80d111a8e50f604 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_armel.deb Size/MD5 checksum: 76350 aa51f771719ec6015035ebe98007c2d5 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_hppa.deb Size/MD5 checksum: 236450 094cc8743665a6514b4ff9bc24186d03 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_hppa.deb Size/MD5 checksum: 378900 cf6fa563b615042fc8d506043dd227ac http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_hppa.deb Size/MD5 checksum: 76788 d175a6e5bd172eca340ac85a2d18c645 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_i386.deb Size/MD5 checksum: 72806 5860626d1af8814f8eee7162fb3d4ea0 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_i386.deb Size/MD5 checksum: 196406 69991bf3467c31d730472b29c368dfef http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_i386.deb Size/MD5 checksum: 326094 30572ad1df19e37d3d8cfc991f2835ca ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_ia64.deb Size/MD5 checksum: 274480 924a7ae71b9a33be513a2ae3fd8f6d5c http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_ia64.deb Size/MD5 checksum: 77656 e61068d4526fa2a6fa11723d6dd54d11 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_ia64.deb Size/MD5 checksum: 430756 6674fe583f5bbe41eb796d4659ec8093 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_mips.deb Size/MD5 checksum: 378808 7deca929594ab128abcffc66eb4394d0 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_mips.deb Size/MD5 checksum: 215100 668818f04fe4ab74a43d6c8012b96912 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_mips.deb Size/MD5 checksum: 74824 d06343d42dfd969c74ca9de2e805cc66 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_mipsel.deb Size/MD5 checksum: 74832 ded63b4fd471a3043512f57ff80247a5 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_mipsel.deb Size/MD5 checksum: 215256 777dc5b744908a615db38d6331184b17 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_mipsel.deb Size/MD5 checksum: 379332 b137cbe97da0ae209f667020a001d041 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_s390.deb Size/MD5 checksum: 219930 46c286135742fc81b8e912bc31152165 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_s390.deb Size/MD5 checksum: 355566 76dfe36e9fd16c88b3c57aa57a07fba5 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_s390.deb Size/MD5 checksum: 75106 9a01e6255f4898e572e8239ae00da738 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_sparc.deb Size/MD5 checksum: 206230 e4e000f15013781e5c525ef86197ed27 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_sparc.deb Size/MD5 checksum: 342738 387686095f690170b6339d3945e0b57f http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_sparc.deb Size/MD5 checksum: 73494 78e59cb96a9dc8747c4bc0578853faa9 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkm9oUgACgkQHYflSXNkfP/TcQCeJM5uqpejgBVL/091IAJiHk60 x2AAniu3noikDJRsrjXCtyFHvABP0Anb =xRYd - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFJvdydNVH5XJJInbgRAhNBAJ4igpR23Adi4hxt5DEKO6jo/Jz4MQCggO0j f11waP64rx+TaQ6XV/TxmlY= =MSCX -----END PGP SIGNATURE-----