Search This Blog

Friday, December 28, 2007

[SECURITY] [DSA 1442-2] New libsndfile packages fix arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1442-1 security@debian.org
http://www.debian.org/security/

Moritz Muehlenhoff
December 29, 2007

http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : libsndfile
Vulnerability : buffer overflow
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4974

Rubert Buchholz discovered that libsndfile, a library for reading /
writing audio files performs insufficient boundary checks when
processing FLAC files, which might lead to the execution of arbitrary
code.

For the stable distribution (etch), this problem has been fixed in
version 1.0.16-2.

The old stable distribution (sarge) is not affected by this problem.

We recommend that you upgrade your libsndfile packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz

Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2.diff.gz

Size/MD5 checksum: 5465 3143afa4d8b69fe1ba9d0428d3b5b472

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2.dsc

Size/MD5 checksum: 639 778f77063bf0aee761b5d9f7af793ced

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_alpha.deb

Size/MD5 checksum: 400468 f555adb582857c57e2efc4c957661a10

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_alpha.deb

Size/MD5 checksum: 222432 5a776e9755235dfbc33881b54a69df87

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_alpha.deb

Size/MD5 checksum: 72062 0ad263c448319e10f147d4ca3a2e49cd

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_amd64.deb

Size/MD5 checksum: 70518 6ece20244584e3e33c680cba32f5bd01

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_amd64.deb

Size/MD5 checksum: 186978 15d1c0d80b1df110594b0e25dc444ca3

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_amd64.deb

Size/MD5 checksum: 322346 f8d850304a105b5b8d2beadb3e81304d

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_arm.deb

Size/MD5 checksum: 72042 6efb81b71098e378b5f702c06cb8b2d9

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_arm.deb

Size/MD5 checksum: 343534 03aef95ebfe92522c5d36a4e5590859d

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_arm.deb

Size/MD5 checksum: 220952 d01c16d518630402f6714691b829d793

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_hppa.deb

Size/MD5 checksum: 74542 cf4e50401c65e94b5ec93b488c0180c7

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_hppa.deb

Size/MD5 checksum: 236320 7c0274e6b33b5e301dcd7a474d502107

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_hppa.deb

Size/MD5 checksum: 373514 af037103e816ba426298a634057decb2

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_i386.deb

Size/MD5 checksum: 74262 834537ca8b562a4350d5a9c422f436ca

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_i386.deb

Size/MD5 checksum: 319560 9fe5127322c613449eb0dde18a27cfb8

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_i386.deb

Size/MD5 checksum: 197498 e9bc609646a45373a0d365b071950c6a

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_ia64.deb

Size/MD5 checksum: 270526 4e79bb42b5e92d68fa00bff980686eb3

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_ia64.deb

Size/MD5 checksum: 416098 3d6c672fd2480a3a5783142085445bdd

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_ia64.deb

Size/MD5 checksum: 75756 d29c6c9fe859001936087e53afdff185

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_mips.deb

Size/MD5 checksum: 217138 c59d9ffccb7d577d06f4eb8f8a875e98

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_mips.deb

Size/MD5 checksum: 374184 e0a8ce0c236b772bc58eaad8aad2006a

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_mips.deb

Size/MD5 checksum: 72760 2468de6305a9c60fdfd0fe73bad8999a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_mipsel.deb

Size/MD5 checksum: 72800 da3ce8b83dc1ad383c23812df43cf31d

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_mipsel.deb

Size/MD5 checksum: 373316 d2e45aaad4073e64b6e3e443e6702cac

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_mipsel.deb

Size/MD5 checksum: 216758 0a66a28c249850999b90b6f90d0c027b

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_powerpc.deb

Size/MD5 checksum: 207748 7c999002bfce68181a2818eaf3e829ed

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_powerpc.deb

Size/MD5 checksum: 346286 2b9d3e4cef955ff76a963a3e40aebecd

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_powerpc.deb

Size/MD5 checksum: 75812 b8549289577e9a8bfe279592ebb68c69

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_s390.deb

Size/MD5 checksum: 346370 dca74b112ab72b4893b272aa983f6e07

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_s390.deb

Size/MD5 checksum: 72800 6fd80164e263294833c6b6a4f98faf7f

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_s390.deb

Size/MD5 checksum: 220876 8f28f995c96e3366cc98a1578aba5a46

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2_sparc.deb

Size/MD5 checksum: 70652 7560d39c5a222317decb5586c17d1d55

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2_sparc.deb

Size/MD5 checksum: 207790 e758c2a6e11a78f25df2ad1b2205206e

http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2_sparc.deb

Size/MD5 checksum: 334854 f97aba9749b0dd78f6da521399fa9937


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHdaUUXm3vHE4uyloRAr+yAJ49UzhGOxcTvtvHNh4s6dtwTHgJAgCg6NzD
UvSOyIiGxMdX3pQ5bWESksg=
=vIt9
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: