-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1044
           New camlimages packages fix arbitrary code execution
                               14 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           camlimages
Publisher:         Debian
Operating System:  Debian GNU/Linux 4
                   Debian GNU/Linux 5
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch
CVE Names:         CVE-2009-2295  

Original Bulletin: 
   http://www.debian.org/security/2009/dsa-1832

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running camlimages check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1832-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
July 13, 2009                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : camlimages
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-2295
Debian Bug     : 535909

Tielei Wang discovered that CamlImages, an open source image processing
library, suffers from several integer overflows which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution.
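As an added example (not CamlImages code; the advisory names integer overflows but shows no source), the unchecked size computation that produces the heap overflow described above, beside a checked version that refuses oversized dimensions. The function names and the MAX_PIXEL_BUFFER limit are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not CamlImages code: names and the limit below
 * are assumptions. Largest pixel buffer we are willing to allocate. */
#define MAX_PIXEL_BUFFER ((size_t)1 << 30)

/* Unchecked 32-bit size computation: the product wraps modulo 2^32, so a
 * huge declared image yields a tiny allocation that later pixel writes
 * overrun (the heap overflow the advisory warns about). */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: multiply one factor at a time and refuse any product
 * that would exceed MAX_PIXEL_BUFFER, which also rules out wraparound. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return false;
    if ((size_t)width > MAX_PIXEL_BUFFER / height)
        return false;
    size_t pixels = (size_t)width * height;
    if (pixels > MAX_PIXEL_BUFFER / bpp)
        return false;
    *out = pixels * bpp;
    return true;
}

/* Allocate a zeroed pixel buffer only for sane declared dimensions. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!checked_buffer_size(width, height, bpp, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    size_t n;
    printf("checked 65536x65536x1: %s\n",
           checked_buffer_size(65536, 65536, 1, &n) ? "ok" : "rejected");
    return 0;
}
```

A 65536x65536 single-byte image wraps the naive product to 0 bytes, while the checked version rejects it before any allocation happens.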

For the old stable distribution (etch), this problem has been fixed in
version 2.20-8+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.0-4+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.1-2.

We recommend that you upgrade your camlimages package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


Debian GNU/Linux 5.0 alias lenny
--------------------------------



  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----