XPost: linux.debian.security
From: [email protected]
OK - send them to 1 Theed Street, London SE1 8ST
Cheers,
Have a good holiday!!
-----Original Message-----
From: Steffen Joeris [mailto:[email protected]]
Sent: 25 March 2009 11:32
To: [email protected]
Subject: [SECURITY] [DSA 1745-2] New lcms packages fix regression
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1745-2                      [email protected]
http://www.debian.org/security/                           Steffen Joeris
March 25, 2009                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : lcms
Vulnerability : several vulnerabilities
Problem type : local (remote)
Debian-specific: no
CVE Ids : CVE-2009-0581 CVE-2009-0723 CVE-2009-0733
This update fixes a possible regression introduced in DSA-1745-1 and
also enhances the security patch. For reference the original advisory
text is below.
Several security issues have been discovered in lcms, a color management
library. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2009-0581
Chris Evans discovered that lcms is affected by a memory leak, which
could result in a denial of service via specially crafted image files.
CVE-2009-0723
Chris Evans discovered that lcms is prone to several integer overflows
via specially crafted image files, which could lead to the execution of
arbitrary code.
CVE-2009-0733
Chris Evans discovered the lack of upper-bounds check on sizes leading
to a buffer overflow, which could be used to execute arbitrary code.
For the stable distribution (lenny), these problems have been fixed in
version 1.17.dfsg-1+lenny2.
For the oldstable distribution (etch), these problems have been fixed
in version 1.15-1.1+etch3.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.
We recommend that you upgrade your lcms packages.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
[continued in next message]