Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0244 -- [Debian]
New libsnd packages fix arbitrary code execution
16 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libsndfile
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Debian GNU/Linux 5.0
Impact: Execute Arbitrary Code/Commands
Access: Existing Account
CVE Names: CVE-2009-0186
Ref: AA-2009.0047
Original Bulletin: http://www.debian.org/security/2009/dsa-1742
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA-1742-1 security@debian.org
http://www.debian.org/security/ Nico Golde
March 16th, 2009 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : libsndfile
Vulnerability : integer overflow
Problem type : local
Debian-specific: no
CVE ID : CVE-2009-0186
Debian Bug : none
BugTraq ID : 33963
Alan Rad Pop discovered that libsndfile, a library to read and write
sampled audio data, is prone to an integer overflow. This causes a
heap-based buffer overflow when processing crafted CAF description
chunks possibly leading to arbitrary code execution.
For the oldstable distribution (etch) this problem has been fixed in
version 1.0.16-2+etch1.
For the stable distribution (lenny) this problem has been fixed in
version 1.0.17-4+lenny1.
For the unstable distribution (sid) this problem has been fixed in
version 1.0.19-1.
We recommend that you upgrade your libsndfile packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Debian (oldstable)
- - ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch1.dsc
Size/MD5 checksum: 659 2782d11c87eb6cdbcbb4757bdcba3582
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz
Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch1.diff.gz
Size/MD5 checksum: 5872 94c24295ef3f6461e417f7953e3df405
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_amd64.deb
Size/MD5 checksum: 322418 5590289019e10655b831451a93b10d43
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_amd64.deb
Size/MD5 checksum: 187326 a873f6260972d3f18bb5bfcefc355894
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_amd64.deb
Size/MD5 checksum: 70686 3cbb5bbe4f0af88cd8f33e5296427cc3
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_arm.deb
Size/MD5 checksum: 342342 d2f15699c1f3d6d3a5460385ea9b99b6
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_arm.deb
Size/MD5 checksum: 72166 e691a87d6803f4e877c12fdc7ba13e25
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_arm.deb
Size/MD5 checksum: 221378 b4843f23c1079a4a7ea0fc2324c680fc
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_hppa.deb
Size/MD5 checksum: 74914 1f96f0eee8d6a3eb34d24a433546fd57
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_hppa.deb
Size/MD5 checksum: 236094 ce6c840fbd31cd9d715c8525616ac54c
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_hppa.deb
Size/MD5 checksum: 373868 bef1859b9f1266093be1c95531351eff
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_i386.deb
Size/MD5 checksum: 320672 3ed0f57f391284d9d7cb0b3eb95d48fb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_i386.deb
Size/MD5 checksum: 70872 818ad0f2460d4cc6d902809bb0d9bf4a
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_i386.deb
Size/MD5 checksum: 197906 eba6df6a2658f8b95ed31c38c3a3ef40
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_ia64.deb
Size/MD5 checksum: 270732 de8da4d9acfe054e5e1e9a9367d50cac
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_ia64.deb
Size/MD5 checksum: 75896 230edd89ad51fd4c4f064815f661b4c8
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_ia64.deb
Size/MD5 checksum: 416258 aecbfa75aae59f97ef88b98c805fe935
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_mips.deb
Size/MD5 checksum: 217258 a252e3e6dfa3a82429b1f0f614408f85
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_mips.deb
Size/MD5 checksum: 72898 15032de6be2605a07ddcc8c1534f26c9
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_mips.deb
Size/MD5 checksum: 374318 27cb3879cb552c881f9c52127bbe5670
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_mipsel.deb
Size/MD5 checksum: 72948 02486480aa641705aca406a7f8dd0ed8
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_mipsel.deb
Size/MD5 checksum: 216892 9c13d9332ad74db6a6a84cb018f333b0
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_mipsel.deb
Size/MD5 checksum: 373456 8cef61c9e296b2134c25245133a69884
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_powerpc.deb
Size/MD5 checksum: 207898 47b604aebf08ad004589587b6a977dbd
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_powerpc.deb
Size/MD5 checksum: 75942 98415fef5f56e16713c23c96a2e15445
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_powerpc.deb
Size/MD5 checksum: 346488 eacb480134790f9e39b1332e6e84e4ee
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_s390.deb
Size/MD5 checksum: 72940 c92ba36d5ec4b092a0f07e6db712de30
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_s390.deb
Size/MD5 checksum: 220998 a1489d9687ad8b804244a741fdd7cb35
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_s390.deb
Size/MD5 checksum: 346540 8f2784ab3ba80709ef6f00b84194fa2a
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch1_sparc.deb
Size/MD5 checksum: 207890 7788155fa7338ac0c7ede3f3c8808e9e
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch1_sparc.deb
Size/MD5 checksum: 70836 ce42b9f5eaf08d484c4b136833575491
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch1_sparc.deb
Size/MD5 checksum: 338816 17c6a3b095be526617571a9a2631e762
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny1.diff.gz
Size/MD5 checksum: 9969 a06409102bd304eedb0bd6634bceefa1
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17.orig.tar.gz
Size/MD5 checksum: 819456 2d126c35448503f6dbe33934d9581f6b
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny1.dsc
Size/MD5 checksum: 1131 b44551174131c95a8cfae919907d3efa
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_amd64.deb
Size/MD5 checksum: 332902 bb2e2e44a1a399bf089481a9facc4e19
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_amd64.deb
Size/MD5 checksum: 73016 93aef598d40745fc4531955441223ab5
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_amd64.deb
Size/MD5 checksum: 191504 6b54a2e1a53d09464c4b65d258a5deb3
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_arm.deb
Size/MD5 checksum: 347414 6c52b00fc235e1ae0a47666f31c0b212
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_arm.deb
Size/MD5 checksum: 74216 708985007e2bb5a2426a268e6685950b
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_arm.deb
Size/MD5 checksum: 217154 9b070d74cf8f2f0386f21bb7808bf080
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_armel.deb
Size/MD5 checksum: 355992 e1c35063b71ec530cb04e78fd28cea0e
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_armel.deb
Size/MD5 checksum: 220856 4da3e1b0575f958ad80d111a8e50f604
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_armel.deb
Size/MD5 checksum: 76350 aa51f771719ec6015035ebe98007c2d5
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_hppa.deb
Size/MD5 checksum: 236450 094cc8743665a6514b4ff9bc24186d03
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_hppa.deb
Size/MD5 checksum: 378900 cf6fa563b615042fc8d506043dd227ac
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_hppa.deb
Size/MD5 checksum: 76788 d175a6e5bd172eca340ac85a2d18c645
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_i386.deb
Size/MD5 checksum: 72806 5860626d1af8814f8eee7162fb3d4ea0
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_i386.deb
Size/MD5 checksum: 196406 69991bf3467c31d730472b29c368dfef
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_i386.deb
Size/MD5 checksum: 326094 30572ad1df19e37d3d8cfc991f2835ca
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_ia64.deb
Size/MD5 checksum: 274480 924a7ae71b9a33be513a2ae3fd8f6d5c
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_ia64.deb
Size/MD5 checksum: 77656 e61068d4526fa2a6fa11723d6dd54d11
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_ia64.deb
Size/MD5 checksum: 430756 6674fe583f5bbe41eb796d4659ec8093
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_mips.deb
Size/MD5 checksum: 378808 7deca929594ab128abcffc66eb4394d0
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_mips.deb
Size/MD5 checksum: 215100 668818f04fe4ab74a43d6c8012b96912
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_mips.deb
Size/MD5 checksum: 74824 d06343d42dfd969c74ca9de2e805cc66
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_mipsel.deb
Size/MD5 checksum: 74832 ded63b4fd471a3043512f57ff80247a5
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_mipsel.deb
Size/MD5 checksum: 215256 777dc5b744908a615db38d6331184b17
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_mipsel.deb
Size/MD5 checksum: 379332 b137cbe97da0ae209f667020a001d041
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_s390.deb
Size/MD5 checksum: 219930 46c286135742fc81b8e912bc31152165
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_s390.deb
Size/MD5 checksum: 355566 76dfe36e9fd16c88b3c57aa57a07fba5
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_s390.deb
Size/MD5 checksum: 75106 9a01e6255f4898e572e8239ae00da738
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny1_sparc.deb
Size/MD5 checksum: 206230 e4e000f15013781e5c525ef86197ed27
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny1_sparc.deb
Size/MD5 checksum: 342738 387686095f690170b6339d3945e0b57f
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny1_sparc.deb
Size/MD5 checksum: 73494 78e59cb96a9dc8747c4bc0578853faa9
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkm9oUgACgkQHYflSXNkfP/TcQCeJM5uqpejgBVL/091IAJiHk60
x2AAniu3noikDJRsrjXCtyFHvABP0Anb
=xRYd
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJvdydNVH5XJJInbgRAhNBAJ4igpR23Adi4hxt5DEKO6jo/Jz4MQCggO0j
f11waP64rx+TaQ6XV/TxmlY=
=MSCX
-----END PGP SIGNATURE-----