[SECURITY] [DSA-1972-2] New audiofile packages fix buffer overflow

2010-01-21T16:07:35
ID DEBIAN:DSA-1972-2:4D96D
Type debian
Reporter Debian
Modified 2010-01-21T16:07:35

Description


Debian Security Advisory DSA-1972-2 security@debian.org http://www.debian.org/security/ Stefan Fritsch January 21, 2010 http://www.debian.org/security/faq


Package : audiofile Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE Id : CVE-2008-5824 Debian bug : 510205

This advisory adds the packages for the old stable distribution (etch), with the exception of the mips packages. The updates for the mips architecture will be released when they become available.

The packages for the stable distribution (lenny) have been released in DSA-1972-1. For reference, the advisory text is provided below.

Max Kellermann discovered a heap-based buffer overflow in the handling of ADPCM WAV files in libaudiofile. This flaw could result in a denial of service (application crash) or possibly execution of arbitrary code via a crafted WAV file.

The old stable distribution (etch), this problem has been fixed in version 0.2.6-6+etch1.

For the stable distribution (lenny), this problem has been fixed in version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions


wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch (oldstable)


Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.diff.gz Size/MD5 checksum: 300089 dbc542c9c87880f436083facfb3ccc28 http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.dsc Size/MD5 checksum: 629 f9f760bd11ccb13c85266ace4f87d25d http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6.orig.tar.gz Size/MD5 checksum: 374688 9c1049876cd51c0f1b12c2886cce4d42

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_alpha.deb Size/MD5 checksum: 158070 1d27f78ba5efee6f348fdec83497f0cf http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_alpha.deb Size/MD5 checksum: 89404 0c40bf5eeab7afe6b81c0ca1bc8d4add

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_amd64.deb Size/MD5 checksum: 128468 5307500dd56e86e86236a2e8af9258fe http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_amd64.deb Size/MD5 checksum: 81598 17ee5acae5158682302d9256688c272e

arm architecture (ARM)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_arm.deb Size/MD5 checksum: 114782 d6ca165e6c39f2475b23b07ea84258f3 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_arm.deb Size/MD5 checksum: 73324 e5a3329799553494e43586faa08c5607

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_hppa.deb Size/MD5 checksum: 87046 504612c1d8b826a30d55ae7688b9a37c http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_hppa.deb Size/MD5 checksum: 135608 5f6809474bca61b181113fff73393c56

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_i386.deb Size/MD5 checksum: 118410 4e3e58094cfa7314a7160d7f936baafb http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_i386.deb Size/MD5 checksum: 77204 e572289bc7e52fc49f256ed6d9ccbf80

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_ia64.deb Size/MD5 checksum: 112806 dd5f834b0b56d737f2601c63c776d658 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_ia64.deb Size/MD5 checksum: 170280 a25c0e6fa1024322810cb29f1204e6ff

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_mipsel.deb Size/MD5 checksum: 77280 2c0c057fc9f5848406ec44d26bc369d8 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_mipsel.deb Size/MD5 checksum: 136296 cf83ef8e66b2d8400d5e35ad52232a32

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_powerpc.deb Size/MD5 checksum: 79662 5e2ff6dbb8a86c1c452ef5343a2d4ac7 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_powerpc.deb Size/MD5 checksum: 127768 413cd4a5f93ff94210ccc160643d18ab

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_s390.deb Size/MD5 checksum: 82434 933bfc65aff56acea69aa5e416b6a345 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_s390.deb Size/MD5 checksum: 125394 c457ac81ef48d6743ff748b211f73283

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_sparc.deb Size/MD5 checksum: 73952 1b28318b172a18bb6aae3ddc225cf925 http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_sparc.deb Size/MD5 checksum: 117070 9ea6282659991534beffdafe9dc4b985

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>