Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0665 -- [UNIX/Linux]
New id3lib3.8.3 packages fix denial of service
3 October 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: id3lib3.8.3
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Impact: Denial of Service
Access: Existing Account
CVE Names: CVE-2007-4460
Original Bulletin: http://www.debian.org/security/2007/dsa-1365
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running id3lib check for an updated version of the software for
their operating system.
Revision History: October 3 2007: mipsel packages released.
September 12 2007: Updates available for Debian 4.0
September 3 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 1365-3 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff, Dann Frazier
October 2nd, 2007 http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------
Package : id3lib3.8.3
Vulnerability : programming error
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2007-4460
Debian Bug : 438540
Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag
Library, may lead to denial of service through symlink attacks.
This update to DSA-1365-2 provides missing packages for the mipsel
architecture for the stable distribution (etch).
For the oldstable distribution (sarge) this problem has been fixed in
version 3.8.3-4.1sarge1.
For the stable distribution (etch) this problem has been fixed in
version 3.8.3-6etch1.
For the unstable distribution (sid) this problem has been fixed in
version 3.8.3-7.
We recommend that you upgrade your id3lib3.8.3 packages.
Upgrade Instructions
- - - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-4.1sarge1.dsc
Size/MD5 checksum: 655 94eda5191994c0dbe0146a85a9e94737
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-4.1sarge1.diff.gz
Size/MD5 checksum: 134382 b45300bc3341dbedf90f4c593462794f
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3.orig.tar.gz
Size/MD5 checksum: 950726 19f27ddd2dda4b2d26a559a4f0f402a7
Alpha architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_alpha.deb
Size/MD5 checksum: 200738 a089ad12c4ddd30a4f6fdb340b3c9c26
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_alpha.deb
Size/MD5 checksum: 358668 6a3178d16f20a2a4228133a0f692d197
AMD64 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_amd64.deb
Size/MD5 checksum: 190378 90cfc4e6ab66afc0618946eda78ce66d
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_amd64.deb
Size/MD5 checksum: 295174 79e8d0882c54ffceabff4b4b527317cb
ARM architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_arm.deb
Size/MD5 checksum: 204106 ae12d537affbc35f82517dbba061b332
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_arm.deb
Size/MD5 checksum: 322872 607fdb462573a9d022338c5f011363e0
HP Precision architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_hppa.deb
Size/MD5 checksum: 213312 5279c3416cd3d0c301439a8de2b70ee7
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_hppa.deb
Size/MD5 checksum: 349392 28751fdfecf730380b111537646cac03
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_i386.deb
Size/MD5 checksum: 180852 10afd005f77c934946d1bcaf04998d92
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_i386.deb
Size/MD5 checksum: 258526 3bb1cb543f6b2ab1a4985dfa536dd3e5
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_ia64.deb
Size/MD5 checksum: 214970 eb496451fad3c40a54f55dd55ff0e4d9
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_ia64.deb
Size/MD5 checksum: 371532 2a339fa9b2d875dccf416dc648b5d11a
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_m68k.deb
Size/MD5 checksum: 190796 9d8b6bb6f224470ea1ac92d92015ad95
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_m68k.deb
Size/MD5 checksum: 263074 a5747d036e6df6f1170e8c2607cb632d
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_mips.deb
Size/MD5 checksum: 197400 144d3525c130676898f379e6ab26c804
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_mips.deb
Size/MD5 checksum: 317716 31cde74a7a1328f63ce17907c539791a
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_mipsel.deb
Size/MD5 checksum: 186678 2f8a8cdbf9a89b49fb43164b248d9196
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_mipsel.deb
Size/MD5 checksum: 315966 eb8fd5f5e78b9a0537dca9b5eb5d0f27
PowerPC architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_powerpc.deb
Size/MD5 checksum: 189040 0eb109d6c6864a912de8396b2fb7be31
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_powerpc.deb
Size/MD5 checksum: 296638 4c113a84cfe17cc506043e26e6b6f094
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_s390.deb
Size/MD5 checksum: 192592 d897e59ae0f1fe48a5e64bdb8c006416
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_s390.deb
Size/MD5 checksum: 313664 84727122d6fae1d78f35ecdd3f2beefe
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_sparc.deb
Size/MD5 checksum: 184716 52c13bfcb58b41b2ce0456c046194bf4
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_sparc.deb
Size/MD5 checksum: 279552 edc8e1d5d6f4f7d7beac85e81b29cdd3
Debian GNU/Linux 4.0 alias etch
- - - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-6etch1.dsc
Size/MD5 checksum: 652 ada1a9d686cbfe925a34b2173227b47e
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-6etch1.diff.gz
Size/MD5 checksum: 135226 495cb5f4610853f02a740e9b7c1a71c5
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3.orig.tar.gz
Size/MD5 checksum: 950726 19f27ddd2dda4b2d26a559a4f0f402a7
Alpha architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_alpha.deb
Size/MD5 checksum: 341286 c074664c96375662596d490ce9e59e2f
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_alpha.deb
Size/MD5 checksum: 187286 a6cb95da944dfe5e1a28cbf5136f3b6f
AMD64 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_amd64.deb
Size/MD5 checksum: 283136 6fe99daa8aab3fd9549ab7d2db11aedc
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_amd64.deb
Size/MD5 checksum: 176214 e35c8545fe42ae16362144e23772735a
ARM architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_arm.deb
Size/MD5 checksum: 277156 4f1e8102266eb7fe3f42dd613274c02a
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_arm.deb
Size/MD5 checksum: 179072 fa3c352ad012326b3753fa1b7b189eaf
HP Precision architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_hppa.deb
Size/MD5 checksum: 305654 f9d69c8cdb5585e5b1dc3a9742b5edce
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_hppa.deb
Size/MD5 checksum: 196342 fa9087816b58d9ed207e25401906c64a
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_i386.deb
Size/MD5 checksum: 263064 6b7e0823707843fa76158a0e1ba7f42f
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_i386.deb
Size/MD5 checksum: 176662 05ca5942a44486b658a44e4bee16154d
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_ia64.deb
Size/MD5 checksum: 351960 6fd56a95a8aa66fa890a99a3264a7cbd
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_ia64.deb
Size/MD5 checksum: 202690 e1c25a15ff7a480cafd1ac5d95ea0083
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_mips.deb
Size/MD5 checksum: 285984 576083197b0d3778f9963ff697f0dd6f
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_mips.deb
Size/MD5 checksum: 173660 221f900fe4f7bb66fc1cfdae380844c5
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_mipsel.deb
Size/MD5 checksum: 285784 ac22324cd11eeb23ee2dd17c52b18401
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_mipsel.deb
Size/MD5 checksum: 172404 ff862958eca1c3257d843a956dd64d2c
PowerPC architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_powerpc.deb
Size/MD5 checksum: 283208 8d6f0c3417ba62980ff80c5084ba0cad
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_powerpc.deb
Size/MD5 checksum: 176614 89b9c136ae81ebd9918420d7d6915c28
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_s390.deb
Size/MD5 checksum: 269674 d8dd6f6d7d76a46063c0723f974198da
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_s390.deb
Size/MD5 checksum: 177402 028a696232d95ddf67ae6acb7a3aac9c
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_sparc.deb
Size/MD5 checksum: 251852 2356b2546559f20403987530357a68fc
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_sparc.deb
Size/MD5 checksum: 176600 80690cceeeb56b25d0cd30381ee28ad4
These files will probably be moved into the stable and oldstable
distributions upon their next updates.
- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHAgVwhuANDBmkLRkRAkYSAJ4pS3pl/ek6zqHEqO2GE6cbmaXn8ACeNxSO
0SxXwI58DNaRFCsT3t5UkJQ=
=uGYs
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRwLTCyh9+71yA2DNAQIQOwP/RjWY/BECj/+bPZUX3G+tzKPNoR5ZSEXg
oHI+SpUZY5PNeBMEIZs69wRw/vJfxopXhRZn/CCFKzT6oxP6z5XZDOJ7EKcpKfuG
u5I9ehG8rdCjRfLmiLQnCWEecC4+aofL/H/yY5hNVlvCvsUKposJLqtsd7X+qdZF
c0MNLQO0YcY=
=j5z0
-----END PGP SIGNATURE-----