AusCERT - ESB-2009.0061 -- [UNIX/Linux][Debian] -- New amarok packages fix arbitrary code execution

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2009.0061 -- [UNIX/Linux][Debian] -- New amarok packages fix arbitrary code execution
Date: 21 January 2009

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2009.0061 -- [UNIX/Linux][Debian]
             New amarok packages fix arbitrary code execution
                              21 January 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              amarok
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0135 CVE-2009-0136

Original Bulletin:    http://www.debian.org/security/2009/dsa-1706

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running amarok check for an updated version of the software for
         their operating system.

Revision History:     January 21 2009: Added CVEs
                      January 16 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1706-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 15, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : amarok
Vulnerability  : integer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : not assigned yet

Tobias Klein discovered that integer overflows in the code the Amarok
media player uses to parse Audible files may lead to the execution of
arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.4.4-4etch1. Updated packages for sparc and arm will be
provided later.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 1.4.10-2.

We recommend that you upgrade your amarok packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Stable updates are available for alpha, amd64, hppa, i386, ia64, mips, mipsel, powerpc, s390.

Source archives:

  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4.orig.tar.gz
    Size/MD5 checksum: 17628566 0adbbd8373da2198b80e509618a2dab9
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1.diff.gz
    Size/MD5 checksum:    42402 c29b0538c033ededacc6d31339d17700
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1.dsc
    Size/MD5 checksum:      986 f8e80af55fbd8386e6b13b0b12d798f4

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_alpha.deb
    Size/MD5 checksum:    70238 16f3f3c09abb731a18a3dc48c473de6b
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_alpha.deb
    Size/MD5 checksum:   129504 287d891eceb758b606dca22be1c00373
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_alpha.deb
    Size/MD5 checksum: 17689706 f50edbcb0ecf4e4b9eb3c7bfcccdab16

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_amd64.deb
    Size/MD5 checksum:    69932 7fa4c35fe5ec1bf5c3622beaadfd9d55
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_amd64.deb
    Size/MD5 checksum: 17559012 516c270247fbb4470ec5d453edd45240
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_amd64.deb
    Size/MD5 checksum:   126688 f4dc3d7e22c5716df018e1d198756523

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_hppa.deb
    Size/MD5 checksum:    70028 ee3d6e27e1bb5412a729cda758bb4c79
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_hppa.deb
    Size/MD5 checksum: 17799030 a9ab6605a349108354a1c3642b3e017b
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_hppa.deb
    Size/MD5 checksum:   133110 025ed372785d76ee8489debf6ec06b59

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_i386.deb
    Size/MD5 checksum:   122606 af13d7d1948840398e2e0865c002f1be
  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_i386.deb
    Size/MD5 checksum:    69978 d9e962dbb56755409c73e1d29d76e8ca
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_i386.deb
    Size/MD5 checksum: 17426752 7e3dd482184056066d73844fea495000

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_ia64.deb
    Size/MD5 checksum:    69978 eaeea421c5d986247d68b24fa43645b4
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_ia64.deb
    Size/MD5 checksum:   143310 55bcb806b1ed036e0b1bf1e14cab97d1
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_ia64.deb
    Size/MD5 checksum: 18256184 8ee9cdea2583aa0efdd577a91ccb1037

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_mips.deb
    Size/MD5 checksum:    69978 2e39ff39e8a9ef544f4f9e3d00c4708e
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_mips.deb
    Size/MD5 checksum:   118582 956b27a45db711471b8a1647a7e13893
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_mips.deb
    Size/MD5 checksum: 17189438 a0cd5cbf3e68a9a481cbd42a13d0c717

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_mipsel.deb
    Size/MD5 checksum:   118316 73af2daa439ee61d07781f42fbb9bdf2
  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_mipsel.deb
    Size/MD5 checksum:    69976 084e0fabd90d5dcbc3cdaf7727a8e7c9
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_mipsel.deb
    Size/MD5 checksum: 17131354 d5a809e1e78f60ffb91ed99e697dbc13

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_powerpc.deb
    Size/MD5 checksum: 17423852 1c2428cbb97b045f3880538db423e6f4
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_powerpc.deb
    Size/MD5 checksum:   123234 224605d1f56406132ab7acc9314301c0
  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_powerpc.deb
    Size/MD5 checksum:    69978 6d0d183ed614b4627fb306aeec628b72

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_s390.deb
    Size/MD5 checksum:    69974 300b343297ec84c5520052014d237df6
  http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_s390.deb
    Size/MD5 checksum:   125914 48ca5f8f754297d200c4d87d69d6c345
  http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_s390.deb
    Size/MD5 checksum: 17480270 865a5a65b3c5ad28858d7c7538f0bbc7


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklvrVcACgkQXm3vHE4uylqxMgCfQjy6089bPkBn6j6oqOK5jDj1
D90AoN/I9JrH2veMq185ZjvW4Csol/k+
=5I+6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSXaxtCh9+71yA2DNAQI0mgP/XQ2/Gq6+Ccr+mWn3Sh34PSWmASa5cjeF
lLqpdV9jVP80Gf8qFdGglJRokiC7QOpWPsaMfndTB0RMR8gmPzsn2gS+JyPqlVci
jOzwvPPtLGGsSD+7if2oHcvZnxGDXOhlzu+X8XZ9rV2Pe6BOjmg8AwiKNjOVz+My
8kTsJYtWzzU=
=O/kn
-----END PGP SIGNATURE-----