Date: 17 September 2002
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.509 -- Debian Security Advisory DSA 166-1
New purity packages fix potential buffer overflows
17 September 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:                purity
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2 alias potato
                        Debian GNU/Linux 3.0 alias woody
Impact:                 Modify Arbitrary Files
Access Required:        Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 166-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 13th, 2002                    http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : purity
Vulnerability : buffer overflows
Problem-Type : local
Debian-specific: no

Two buffer overflows have been discovered in purity, a game for nerds
and hackers, which is installed setgid games on a Debian system. This
problem could be exploited to gain unauthorized access to the group
games. A malicious user could alter the highscore of several games.

This problem has been fixed in version 1-14.2 for the current stable
distribution (woody), in version 1-9.1 for the old stable distribution
(potato) and in version 1-16 for the unstable distribution (sid).

We recommend that you upgrade your purity packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- - ---------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1.dsc
Size/MD5 checksum: 513 a7a4276a6c694131a5b3bd58703c8c05
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1.diff.gz
Size/MD5 checksum: 5147 db47d2d1f51b5f8c97bcb93974b7b5cf
http://security.debian.org/pool/updates/main/p/purity/purity_1.orig.tar.gz
Size/MD5 checksum: 22249 19cbbd136a94aae3d175d8ccc963368d
Alpha architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_alpha.deb
Size/MD5 checksum: 29176 f69989e76361e30813eb233aa500b9c6
ARM architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_arm.deb
Size/MD5 checksum: 27762 169dce544dcab575cc126800eeabb6ce
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_i386.deb
Size/MD5 checksum: 27404 6eb60f91f4cd3730bef018115268c568
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_m68k.deb
Size/MD5 checksum: 26934 d1337244388c4b5a183b379e34b37fd1
PowerPC architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_powerpc.deb
Size/MD5 checksum: 27760 140ce3d691acc98c27dd6851972db0e9
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_sparc.deb
Size/MD5 checksum: 29952 cb2b48e0465b48b89b220feb30818113
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2.dsc
Size/MD5 checksum: 550 8e669427422857640b0531e3566706f9
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2.diff.gz
Size/MD5 checksum: 6171 6901ba40ea0938bab43a893e4f75da8a
http://security.debian.org/pool/updates/main/p/purity/purity_1.orig.tar.gz
Size/MD5 checksum: 22249 19cbbd136a94aae3d175d8ccc963368d
Alpha architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_alpha.deb
Size/MD5 checksum: 28890 ecb67c79c8047cc631cf63d6fcd93996
ARM architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_arm.deb
Size/MD5 checksum: 27434 6bb8ed0579e96fcff971086d750937ce
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_i386.deb
Size/MD5 checksum: 26906 7ec62b9371253879b93fe6db0ef75945
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_ia64.deb
Size/MD5 checksum: 30694 7c26d3db982acf14a2e8133cf204e164
HP Precision architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_hppa.deb
Size/MD5 checksum: 29234 ceb6569248e96d1fd415de15f8f26370
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_m68k.deb
Size/MD5 checksum: 26560 4385599f2f16238c4b2628c9a8fc54cc
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_mips.deb
Size/MD5 checksum: 27798 e6b360203cd31c13f19d5bc257684f64
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_mipsel.deb
Size/MD5 checksum: 27756 12bb21c88be3011bfd50045a73361255
PowerPC architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_powerpc.deb
Size/MD5 checksum: 27306 c782697984b5e8ae83ed16c594d80437
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_s390.deb
Size/MD5 checksum: 27624 c370933a2db896857c5fa3bb86a2a2db
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/purity/purity_1-14.2_sparc.deb
Size/MD5 checksum: 29980 e48dcb304202e2e29634bd51dbd307a3
These files will probably be moved into the stable distribution on
its next revision.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9gfHCW5ql+IAeqTIRAqvmAKCy9Y6wlV/RDD9fRnu0UH5k6uahGQCeLBYS
oNgLkI3hjb8O9CpXFm21t84=
=MbAv
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
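
The advisory above lists a size and MD5 checksum under each package URL. The following added example (not part of the Debian or AusCERT text) looks up the entry for a downloaded file in a saved copy of the advisory and compares both values before `dpkg -i` is run. The function names, the `make_sample` helper and the `example_1-1_i386.deb` file are constructed for illustration, and `md5sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: verify a download against the advisory's "Size/MD5 checksum:" line.

# expected_for ADVISORY NAME: print "SIZE MD5" listed under the URL ending in /NAME.
expected_for() {
    awk -v name="$2" '
        $1 ~ /^(http|ftp):\/\// {            # URL line: remember whether it is ours
            n = split($1, part, "/"); want = (part[n] == name); next
        }
        want && /Size\/MD5 checksum:/ {      # checksum line directly after that URL
            print $(NF-1), $NF; found = 1; exit
        }
        { want = 0 }                         # any other line ends the pairing
        END { exit !found }
    ' "$1"
}

# verify_download ADVISORY FILE: 0 = size and MD5 match, 1 = mismatch, 2 = not listed.
verify_download() {
    expected=$(expected_for "$1" "$(basename "$2")") || return 2
    exp_size=${expected% *}
    exp_md5=${expected#* }
    act_size=$(wc -c < "$2" | tr -d ' ')
    act_md5=$(md5sum "$2" | cut -d' ' -f1)
    [ "$act_size" = "$exp_size" ] && [ "$act_md5" = "$exp_md5" ]
}

# Constructed sample: a stand-in .deb and an advisory excerpt in the same layout.
make_sample() {
    dir=$(mktemp -d)
    printf 'stand-in package contents\n' > "$dir/example_1-1_i386.deb"
    {
        echo "Intel IA-32 architecture:"
        echo "http://security.example.org/pool/example_1-1_i386.deb"
        echo "Size/MD5 checksum: $(wc -c < "$dir/example_1-1_i386.deb" | tr -d ' ')" \
             "$(md5sum "$dir/example_1-1_i386.deb" | cut -d' ' -f1)"
    } > "$dir/advisory.txt"
    echo "$dir"
}

if [ "$#" -eq 2 ]; then          # usage: sh verify.sh ADVISORY.txt FILE.deb
    verify_download "$1" "$2" && echo "OK: $2 matches the advisory"
fi
```

The comparison is only as trustworthy as the copy of the advisory it reads from, so the advisory's PGP signature should be checked first.
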
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST). On call after hours
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----