Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1044 New camlimages packages fix arbitrary code execution 14 July 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: camlimages Publisher: Debian Operating System: Debian GNU/Linux 4 Debian GNU/Linux 5 UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Resolution: Patch CVE Names: CVE-2009-2295 Original Bulletin: http://www.debian.org/security/2009/dsa-1832 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running camlimages check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1832-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst July 13, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : camlimages Vulnerability : integer overflow Problem type : local (remote) Debian-specific: no CVE Id(s) : CVE-2009-2295 Debian Bug : 535909 Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. For the old stable distribution (etch), this problem has been fixed in version 2.20-8+etch1. For the stable distribution (lenny), this problem has been fixed in version 2.2.0-4+lenny1. For the unstable distribution (sid), this problem has been fixed in version 3.0.1-2. We recommend that you upgrade your camlimages package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20-8+etch1.diff.gz Size/MD5 checksum: 8737 1616ade3176c67bc862f7672d4c056dd http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20-8+etch1.dsc Size/MD5 checksum: 1196 0407fcb4b885258c0b81e979e03df7c4 http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20.orig.tar.gz Size/MD5 checksum: 1385525 d933eb58c7983f70b1a000fa01893aa4 Architecture independent packages: http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-doc_2.20-8+etch1_all.deb Size/MD5 checksum: 599282 578f54fe1370704e0bc80dfdf8a20049 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_alpha.deb Size/MD5 checksum: 973198 2d06cc1c9c73ec3a5078df33dde45279 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_alpha.deb Size/MD5 checksum: 28966 acc9643b4efed997dcc1f8c1315b3936 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_amd64.deb Size/MD5 checksum: 27906 f2fc6d36ca1b496ff82cbe55c975d96d http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_amd64.deb Size/MD5 checksum: 870676 b114baff0ce4169f42847cad2f7f87e1 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_arm.deb Size/MD5 checksum: 25642 a123f0ffd1dcca413f2eca85d047a81c http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_arm.deb Size/MD5 checksum: 885436 99897af751a474b339b8ba01cd10c0b8 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_hppa.deb Size/MD5 checksum: 482368 635d36e2aec2e709b5b79e8074ab4a24 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_hppa.deb Size/MD5 checksum: 29834 b99951421ced2015ed118b4ca60cdde8 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_i386.deb Size/MD5 checksum: 24224 480002667928107c5a379008abcb6710 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_i386.deb Size/MD5 checksum: 772576 483bf540a811aa854565ec26f0812de0 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_ia64.deb Size/MD5 checksum: 1100896 2a5f01d40983c0dbb473f0efbc814b5f http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_ia64.deb Size/MD5 checksum: 36206 8bbbfd674e78d5cbfde79761aa935e34 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_mips.deb Size/MD5 checksum: 467010 de4da1b7baf6df72e8d2efaaa3f92341 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_mips.deb Size/MD5 checksum: 25614 6504eb3683990a8d733025d05c590534 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_mipsel.deb Size/MD5 checksum: 427210 a51713da2bc7d1670dc00b99863ca0f2 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_mipsel.deb Size/MD5 checksum: 25566 eeb7c800c5cafff30eb2419a2b6c841c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_powerpc.deb Size/MD5 checksum: 963708 2cdc2329f6102615fded0b247e8f854b http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_powerpc.deb Size/MD5 checksum: 32812 924085f56d6b5e3585fa4017f377b416 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch1_sparc.deb Size/MD5 checksum: 24596 cee3b23510a181598d7a8fa96b1c0d5b http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch1_sparc.deb Size/MD5 checksum: 934718 ebc2899241e369cfbfecce8ce87646c7 Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.2.0-4+lenny1.diff.gz Size/MD5 checksum: 9707 3c88dc5e8528e685876485d310edf1c4 http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.2.0-4+lenny1.dsc Size/MD5 checksum: 1993 06d190174afce7dbe2d337bf3577c0a8 http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.2.0.orig.tar.gz Size/MD5 checksum: 1385525 d933eb58c7983f70b1a000fa01893aa4 Architecture independent packages: http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-doc_2.2.0-4+lenny1_all.deb Size/MD5 checksum: 601364 577c511958087e582e893a4f174fa31c alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_alpha.deb Size/MD5 checksum: 32208 42eb3769e659ddbfdffd9b960412d603 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_alpha.deb Size/MD5 checksum: 543084 4c1659b52e35ee819bbca24f917824cd amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_amd64.deb Size/MD5 checksum: 31364 6d98eeb479c628858e0bc991637022e5 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_amd64.deb Size/MD5 checksum: 978144 c1977ebd20027e74de2f6f297da05e0d arm architecture (ARM) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_arm.deb Size/MD5 checksum: 28838 4ceaec79b0cdde93f51e5b49bf61fa05 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_arm.deb Size/MD5 checksum: 559286 2801a414b3c5e9002dd40f406dcc4b37 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_armel.deb Size/MD5 checksum: 29658 594886fe8311b54fccb61eaee44a3c02 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_armel.deb Size/MD5 checksum: 571664 45911009fdefb1ea30130bd33d31c35a hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_hppa.deb Size/MD5 checksum: 588132 a95c95d82148d7b8b91c836a68ac7385 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_hppa.deb Size/MD5 checksum: 32858 1dee58411cfe4a51329df8592dd52a53 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_i386.deb Size/MD5 checksum: 27722 dbda0c3362977d516c9b9799a052f330 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_i386.deb Size/MD5 checksum: 953866 eebdf69c111869e266fe0d273ffc2f21 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_ia64.deb Size/MD5 checksum: 545784 c15dfebf6974c23db3058cccb3d74a97 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_ia64.deb Size/MD5 checksum: 39612 126b5b4e7eb783fb3323ff30d38a9468 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_mips.deb Size/MD5 checksum: 569842 5255f663cb728e93f56bfafc3b5953aa http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_mips.deb Size/MD5 checksum: 28610 f2b8a4aa2d67d0e59679534b5cbcb93d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_mipsel.deb Size/MD5 checksum: 515800 5aba5d1ce2e2ae5d927f111f89eed5c6 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_mipsel.deb Size/MD5 checksum: 28368 9ec52520ff65438150dfafb89ed3fc0a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_powerpc.deb Size/MD5 checksum: 987998 c9a1362f01e353424e0c028c25dc4d69 http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_powerpc.deb Size/MD5 checksum: 38676 8317d63a699feeb5bfa7f829f28409b8 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny1_sparc.deb Size/MD5 checksum: 957764 5602e2c367324be5ca5137b8c23cb0ad http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny1_sparc.deb Size/MD5 checksum: 27712 c2c4c2397004024c440721709a45d4cb These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJKW5duAAoJECIIoQCMVaAcNOQH/2kCBktuB4Mv8rSFIpw6K0cO W7Rp8n8gc5JqOLm1RoD8cDrAup5yNHJSfKb+4ier35LFnKc/jKzihrbW1Hz409V0 AJ1Mdj7p7DG8wArp/5GrT/hcwLuaywUigaYw0SaQqiVorC96K9jgkyTWhqxnyHaH MSL7zM5+q9EnrNQvLR+PLP6QIj7m7Ufi3/JtJtBp1tjdxioUccwr5Lw2VFurRQje l0zegT7x4HTmOC1KSpZG/VA+qW31iSvxO11PWOHyYRGn0V8NY0ra8KJCicncBT+f QInW9hEnZtZFMoLzJdQ3bizSGyaKawHyCkDcrSaeTgNflPJVZ+9vrGWkMbM6qNc= =srad - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKW/aWNVH5XJJInbgRAgH/AKCBqsJiW4yLAeQBNYqc5tSPaQ2uSwCeKiy6 ah7kkRmm1wL4dvCVsKr2D34= =l/R8 -----END PGP SIGNATURE-----