Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0064 New gzip packages fix arbitrary code execution 21 January 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gzip Publisher: Debian Operating System: Debian GNU/Linux 5 Debian GNU/Linux 4 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2010-0001 CVE-2009-2624 CVE-2006-4334 Reference: ESB-2010.0062 Original Bulletin: http://www.debian.org/security/2009/dsa-1974 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1974-1 security@debian.org http://www.debian.org/security/ Steffen Joeris January 20, 2010 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : gzip Vulnerability : several Problem type : local (remote) Debian-specific: no CVE Ids : CVE-2009-2624 CVE-2010-0001 Debian Bug : 507263 Several vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2624 Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version. CVE-2010-0001 Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. For the stable distribution (lenny), these problems have been fixed in version 1.3.12-6+lenny1. For the oldstable distribution (etch), these problems have been fixed in version 1.3.5-15+etch1. For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your gzip packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.dsc Size/MD5 checksum: 573 4a4c81d72ed695f7e0b710fa7da00201 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.diff.gz Size/MD5 checksum: 62547 34c6cab73195a3b9e2b187636cf69dc2 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5.orig.tar.gz Size/MD5 checksum: 331550 3d6c191dfd2bf307014b421c12dc8469 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_alpha.deb Size/MD5 checksum: 84202 2677656b86d648a05b54ba0c03028eb1 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_amd64.deb Size/MD5 checksum: 76988 86e571b7bf22e4924c5d7f82306ab064 arm architecture (ARM) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_arm.deb Size/MD5 checksum: 79428 7e71e302f090a62f52b7f6f5d35b627b hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_hppa.deb Size/MD5 checksum: 81616 02d1712f3f62de9f05810cd3a1660d77 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_i386.deb Size/MD5 checksum: 74324 ac441b57b7423d65985acaef2e40df9f ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_ia64.deb Size/MD5 checksum: 96216 89b544a5f93d7607e1608d7856fa70e8 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_mipsel.deb Size/MD5 checksum: 82266 ff332d05f508dad0d3067dd713bee839 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_powerpc.deb Size/MD5 checksum: 79722 1e117918ab793443c9da0af6f137e7a7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_s390.deb Size/MD5 checksum: 80602 4c5accebc99f8b263cef9500a94ae2ca sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_sparc.deb Size/MD5 checksum: 77262 f440c798c3fe592896286047b643116d Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.diff.gz Size/MD5 checksum: 14580 7dac4e2e855b89ec335605722da16bd0 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12.orig.tar.gz Size/MD5 checksum: 462169 b5bac2d21840ae077e0217bc5e4845b1 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.dsc Size/MD5 checksum: 1024 40c1d638034b3c9be692af4057a9499c Architecture independent packages: http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb Size/MD5 checksum: 68438 858f1373aa128793538f5e5f6e283e24 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_alpha.deb Size/MD5 checksum: 112736 2afbb523626d0793acf7e1cb4be21938 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_amd64.deb Size/MD5 checksum: 106024 68119c7d80f94457b2f241cb90bd3aee arm architecture (ARM) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_arm.deb Size/MD5 checksum: 108462 b8daebe8a54750428f6028612297e76b armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_armel.deb Size/MD5 checksum: 106906 14e79925acc936699aaa8ccee0b6d04d hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_hppa.deb Size/MD5 checksum: 111448 7e94ea327492912e21b360e45ab324d5 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_i386.deb Size/MD5 checksum: 102866 4cef436339090cd800efb7e6bb92b14b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_ia64.deb Size/MD5 checksum: 123250 c38a5a05f04fa731340c254028d240c3 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_mipsel.deb Size/MD5 checksum: 109266 5e17c751ddc3a65085f005dddcf6426c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_powerpc.deb Size/MD5 checksum: 109502 3ae2e1dfc3b13d0ed4574103aca3904d s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_s390.deb Size/MD5 checksum: 108896 e7b03509583f7cbed875359a2595a3a0 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_sparc.deb Size/MD5 checksum: 106462 f166981469f7fd047ceabe5f26832638 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAktXD9UACgkQ62zWxYk/rQfK4gCfdsWVkE9gjfjgkFDr7zrEPbo3 t40An1bK+hGYG7WbE0bi2D4kGJYgI/rD =LSoS - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLV4ZvNVH5XJJInbgRAsf9AKCDrhYqX2oDQTvJdduGCzU1qNpphwCfbZY3 XSnxiJglB4PXlWrbHSPaVbk= =iNDh -----END PGP SIGNATURE-----