Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0825 -- Debian Security Advisory DSA 618-1 New imlib packages fix arbitrary code execution 28 December 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: imlib Publisher: Debian Operating System: Debian GNU/Linux 3.0 Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CAN-2004-1026 CAN-2004-1025 Original Bulletin: http://www.debian.org/security/2004/dsa-618 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 618-1 security@debian.org http://www.debian.org/security/ Martin Schulze December 24th, 2004 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : imlib Vulnerability : buffer overflows, integer overflows Problem-Type : local/remote Debian-specific: no CVE ID : CAN-2004-1025 CAN-2004-1026 BugTraq ID : 11830 Debian Bug : 284925 Pavel Kankovsky discovered that several overflows found in the libXpm library were also present in imlib, an imaging library for X and X11. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project identifies the following problems: CAN-2004-1025 Multiple heap-based buffer overflows. CAN-2004-1026 Multiple integer overflows. For the stable distribution (woody) these problems have been fixed in version 1.9.14-2woody2. For the unstable distribution (sid) these problems have been fixed in version 1.9.14-17.1. We recommend that you upgrade your imlib packages immediately. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14-2woody2.dsc Size/MD5 checksum: 805 6b89c44e7635494ab6309f31e8977a71 http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14-2woody2.diff.gz Size/MD5 checksum: 273298 66b9b193f65f0f552a3c7475504b4aa3 http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14.orig.tar.gz Size/MD5 checksum: 748591 1fa54011e4e1db532d7eadae3ced6a8c Architecture independent components: http://security.debian.org/pool/updates/main/i/imlib/imlib-base_1.9.14-2woody2_all.deb Size/MD5 checksum: 114710 04c82fdad40b4c81ca6145015d1ca9e7 Alpha architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_alpha.deb Size/MD5 checksum: 119716 e6b3de272b4ccded198ca1c7a8cbe9c7 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_alpha.deb Size/MD5 checksum: 97146 afa40cb2097baab7293694292a163373 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_alpha.deb Size/MD5 checksum: 117364 43f345f06377fefe9a5976a3d571876c http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_alpha.deb Size/MD5 checksum: 262202 2baf347e73e7833f340b72d250709b2f http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_alpha.deb Size/MD5 checksum: 97202 af8d9bcb83596b124cc7148b4b42a612 ARM architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_arm.deb Size/MD5 checksum: 94088 97cab67730bda9ca0a83ff1e8fd646c7 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_arm.deb Size/MD5 checksum: 75402 db81fe94e6b35c3baa2505f533f6aa01 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_arm.deb Size/MD5 checksum: 94136 d6d974eb4fb709141cd8482b45756a74 http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_arm.deb Size/MD5 checksum: 258262 da89d3962a56d4d37bcb4084e5ae4176 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_arm.deb Size/MD5 checksum: 76330 b1f75f5cc08f4175b72ba932c7b34210 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_i386.deb Size/MD5 checksum: 77884 c24a0ebb06c178eb4d473c20433b7389 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_i386.deb Size/MD5 checksum: 69338 b284172f465ac35e7fdf44bea07504e8 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_i386.deb Size/MD5 checksum: 76452 acaaca70c492ee827d678743dd990d61 http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_i386.deb Size/MD5 checksum: 258354 790ada2bfc6205c0cd43459ae95fb127 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_i386.deb Size/MD5 checksum: 69730 05f8b9bbab5f9008599f2fa37caaed2c Intel IA-64 architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_ia64.deb Size/MD5 checksum: 129024 a059b5c1e0411f389c2fd39e594f5b5a http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_ia64.deb Size/MD5 checksum: 116312 9eb937b6c56c0237487b2bf2e84eed4f http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_ia64.deb Size/MD5 checksum: 129156 c726f93cf1456230e99ac2c03783080f http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_ia64.deb Size/MD5 checksum: 266510 87aee70d85386bd2c29ee89b76360c75 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_ia64.deb Size/MD5 checksum: 119094 026ac0e934b06183ee32f46cb70dbe76 HP Precision architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_hppa.deb Size/MD5 checksum: 105152 1cdbb634730781005e656d4a6f45afe4 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_hppa.deb Size/MD5 checksum: 92194 902a728a355b9090c76083e49240111c http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_hppa.deb Size/MD5 checksum: 103532 e86528e832c62b21b90e4d1a15c5821f http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_hppa.deb Size/MD5 checksum: 261002 f39d5a52457a8a348d7881a649450fe3 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_hppa.deb Size/MD5 checksum: 91622 efec147e4b6fb0bfb0d6510359dcd6a3 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_m68k.deb Size/MD5 checksum: 72004 3cb969b4018031188492c6bc448705dc http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_m68k.deb Size/MD5 checksum: 64146 8bbbf2e8b4f7c31aa4e302dffe35ad71 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_m68k.deb Size/MD5 checksum: 69820 8d7d31a6c3a44f7a3dcb5c0e17fc7bca http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_m68k.deb Size/MD5 checksum: 257372 52888389b545dc1e3cce3b899a65a2d4 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_m68k.deb Size/MD5 checksum: 64660 86ed5f17d0a2ab99c8775619b451cb17 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_mips.deb Size/MD5 checksum: 95756 615f2919772c3278475db2a123e10365 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_mips.deb Size/MD5 checksum: 75404 04fc84337f3cc79da350e63e54c0bd39 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_mips.deb Size/MD5 checksum: 92638 fc95257f5614e0ca9000083d0863e23e http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_mips.deb Size/MD5 checksum: 257934 43d3ab6970888d80aca888a90fc3b9dc http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_mips.deb Size/MD5 checksum: 75948 45b966a81a0bc4fdad17776491eebfbb Little endian MIPS architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_mipsel.deb Size/MD5 checksum: 95806 5d8184b2fa877b5140df8cd4f05bc629 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_mipsel.deb Size/MD5 checksum: 75478 54248fbb3244f95da8bd1a5e0dcc64c2 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_mipsel.deb Size/MD5 checksum: 92688 ba0e8f951706a1642ab2994a11113a0c http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_mipsel.deb Size/MD5 checksum: 257834 99d601494d76618f8974b05ba3f21401 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_mipsel.deb Size/MD5 checksum: 75884 856fed2b0af1665d36a7ac76dc4516a4 PowerPC architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_powerpc.deb Size/MD5 checksum: 94166 ce1b5d6adc54b226054a2fbd83b2a86d http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_powerpc.deb Size/MD5 checksum: 76854 ba841bf89a7af734b741a33a591cab8f http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_powerpc.deb Size/MD5 checksum: 90276 23d95df53d747a550721960c673e8d9f http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_powerpc.deb Size/MD5 checksum: 258522 4619a569bcb42a6ff4e691a9a73b4298 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_powerpc.deb Size/MD5 checksum: 75432 1f72571029157018583561cd829f47b1 IBM S/390 architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_s390.deb Size/MD5 checksum: 83314 ba3c9382fe7b468b74e36f8cd4eece90 http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_s390.deb Size/MD5 checksum: 78052 2eb2a4951c05bedbe5e131b8f6ecc3eb http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_s390.deb Size/MD5 checksum: 84168 9de33add121dc1d258389522c0456544 http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_s390.deb Size/MD5 checksum: 258680 909968f199ff27b6f6a51712043925d9 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_s390.deb Size/MD5 checksum: 78622 9eb679c1377078e6065f8f0183388a70 Sun Sparc architecture: http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_sparc.deb Size/MD5 checksum: 88778 d37e329386b3b5c9514fb9619175e75f http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_sparc.deb Size/MD5 checksum: 76534 23476af1594709264a14e72a301bd747 http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_sparc.deb Size/MD5 checksum: 85812 74c633ae47eab66ee3402b9b3f8329b5 http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_sparc.deb Size/MD5 checksum: 258760 87f9a03a2528ff6dce1008ad9a7e1392 http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_sparc.deb Size/MD5 checksum: 76790 db539c8ee1aff2573c2e54bb525468fc These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBzEaKW5ql+IAeqTIRAidEAJ99TQ0ZL4LDjoxN68SgmWtM/fk6GwCfWAFY IijnrLMbfiZQE0nXN+TdRjM= =0Z8H - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQdD+wih9+71yA2DNAQL8wwP/bZymhLcnf1CPfnH4yBJXWEYsmGzt5p2b 3u7citj8EdIa7ZlbWc4hL2nexWSn4Yjtuwj/SnK9QYSXkmGE3QYky3CzGynEhgaE 4+LDG2Vt7tvfvAj4BLyuqnyU5gmMDEaka5TQzTHwcqGIfV6jAHJL42es3PwhF/nq rymyl7nPaQA= =gmOH -----END PGP SIGNATURE-----