Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA-1972-2] New audiofile packages fix buffer overflow
From: Stefan Fritsch <sf () debian org>
Date: Thu, 21 Jan 2010 16:07:25 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-1972-2                  security () debian org
http://www.debian.org/security/                           Stefan Fritsch
January 21, 2010                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : audiofile
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5824
Debian bug     : 510205

This advisory adds the packages for the old stable distribution (etch),
with the exception of the mips packages. The updates for the mips
architecture will be released when they become available.

The packages for the stable distribution (lenny) have been released
in DSA-1972-1. For reference, the advisory text is provided below.

Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

The old stable distribution (etch), this problem has been fixed in
version 0.2.6-6+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch (oldstable)
- -------------------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.diff.gz
    Size/MD5 checksum:   300089 dbc542c9c87880f436083facfb3ccc28
  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.dsc
    Size/MD5 checksum:      629 f9f760bd11ccb13c85266ace4f87d25d
  http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6.orig.tar.gz
    Size/MD5 checksum:   374688 9c1049876cd51c0f1b12c2886cce4d42

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_alpha.deb
    Size/MD5 checksum:   158070 1d27f78ba5efee6f348fdec83497f0cf
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_alpha.deb
    Size/MD5 checksum:    89404 0c40bf5eeab7afe6b81c0ca1bc8d4add

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_amd64.deb
    Size/MD5 checksum:   128468 5307500dd56e86e86236a2e8af9258fe
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_amd64.deb
    Size/MD5 checksum:    81598 17ee5acae5158682302d9256688c272e

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_arm.deb
    Size/MD5 checksum:   114782 d6ca165e6c39f2475b23b07ea84258f3
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_arm.deb
    Size/MD5 checksum:    73324 e5a3329799553494e43586faa08c5607

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_hppa.deb
    Size/MD5 checksum:    87046 504612c1d8b826a30d55ae7688b9a37c
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_hppa.deb
    Size/MD5 checksum:   135608 5f6809474bca61b181113fff73393c56

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_i386.deb
    Size/MD5 checksum:   118410 4e3e58094cfa7314a7160d7f936baafb
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_i386.deb
    Size/MD5 checksum:    77204 e572289bc7e52fc49f256ed6d9ccbf80

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_ia64.deb
    Size/MD5 checksum:   112806 dd5f834b0b56d737f2601c63c776d658
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_ia64.deb
    Size/MD5 checksum:   170280 a25c0e6fa1024322810cb29f1204e6ff

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_mipsel.deb
    Size/MD5 checksum:    77280 2c0c057fc9f5848406ec44d26bc369d8
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_mipsel.deb
    Size/MD5 checksum:   136296 cf83ef8e66b2d8400d5e35ad52232a32

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_powerpc.deb
    Size/MD5 checksum:    79662 5e2ff6dbb8a86c1c452ef5343a2d4ac7
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_powerpc.deb
    Size/MD5 checksum:   127768 413cd4a5f93ff94210ccc160643d18ab

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_s390.deb
    Size/MD5 checksum:    82434 933bfc65aff56acea69aa5e416b6a345
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_s390.deb
    Size/MD5 checksum:   125394 c457ac81ef48d6743ff748b211f73283

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_sparc.deb
    Size/MD5 checksum:    73952 1b28318b172a18bb6aae3ddc225cf925
  http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_sparc.deb
    Size/MD5 checksum:   117070 9ea6282659991534beffdafe9dc4b985


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLWHttbxelr8HyTqQRAuFuAKCL5761UQYTYRb7IlGhU5h3a/THSgCbBsoq
zE8a0YHot28DmvbCVGZfDAQ=
=Vws6
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA-1972-2] New audiofile packages fix buffer overflow Stefan Fritsch (Jan 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault