UNIRAS Brief - 126/04 - Debian Security Advisory DSA 464-1

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 126/04 dated 17.03.04  Time: 14:10  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

New gdk-pixbuf packages fix denial of service

Detail
====== 

Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package libgdk-pixbuf2),
the GdkPixBuf image library for Gtk, that can cause the surrounding application to crash.
To exploit this problem, a remote attacker could send a carefully-crafted BMP file via mail,
which would cause e.g. Evolution to crash but is probably not limited to Evolution.


            ESB-2004.0215 -- Debian Security Advisory DSA 464-1
               New gdk-pixbuf packages fix denial of service
                               17 March 2004


Product:                gdk-pixbuf
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2004-0111

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 464-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
March 16th, 2004                        http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------

Package        : gdk-pixbuf
Vulnerability  : broken image handling
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0111

Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package
libgdk-pixbuf2), the GdkPixBuf image library for Gtk, that can cause the
surrounding application to crash.  To exploit this problem, a remote attacker
could send a carefully-crafted BMP file via mail, which would cause e.g.
Evolution to crash but is probably not limited to Evolution.

For the stable distribution (woody) this problem has been fixed in version 0.17.0-2woody1.

For the unstable distribution (sid) this problem has been fixed in version 0.22.0-3.

We recommend that you upgrade your libgdk-pixbuf2 package.


Upgrade Instructions
- - - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody1.dsc
      Size/MD5 checksum:      706 4470e81f5d2e62a86bf95e717cb97578
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody1.diff.gz
      Size/MD5 checksum:    18621 e3462ee457eee80a17f9cdb18d2e6ef9
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0.orig.tar.gz
      Size/MD5 checksum:   547194 021914ad9104f265527c28220315e542

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_alpha.deb
      Size/MD5 checksum:   177064 c6a1d871183a1137f71f7c4e42eff75d
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_alpha.deb
      Size/MD5 checksum:     9734 40a5acf1db61778d7f6dab4966ce8eb2
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_alpha.deb
      Size/MD5 checksum:     8886 8dd1bcf33c7b7ff5c9b917a5ac5192da
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_alpha.deb
      Size/MD5 checksum:   193344 c422e889ae38986f060f12013515eeee

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_arm.deb
      Size/MD5 checksum:   156916 ca0025e989cd5068a7bdbd00742bb54a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_arm.deb
      Size/MD5 checksum:     8144 bc4c82394dad4afb49a3377f73b02904
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_arm.deb
      Size/MD5 checksum:     7284 63a3d6e8825430aba5778ad4c5a12ad6
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_arm.deb
      Size/MD5 checksum:   160978 4ee484eb369f92fcea7c5c5574a724b6

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_i386.deb
      Size/MD5 checksum:   147602 402cc386bbe493ff3f4e2f2565c76da0
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_i386.deb
      Size/MD5 checksum:     7590 0b4d869d2a1c4b4dfb915e94de7e9d25
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_i386.deb
      Size/MD5 checksum:     7138 08433dc146656ef6f358b3630788ecc3
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_i386.deb
      Size/MD5 checksum:   151062 5565014515ef084339ba2f76f654fd01

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_ia64.deb
      Size/MD5 checksum:   194982 23b9f32e4be56f4cb27de67016cd1b37
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_ia64.deb
      Size/MD5 checksum:    11028 f0a0f12df23735653bb3024be14e0b86
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_ia64.deb
      Size/MD5 checksum:    11080 2d5d06501a3f9d53a49c56e2a86d13ce
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_ia64.deb
      Size/MD5 checksum:   228890 ab8dca6b05560fb33d406bdc2f629a4e

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_hppa.deb
      Size/MD5 checksum:   181322 2eb0efdc67d498876f2f0c4763df7fb0
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_hppa.deb
      Size/MD5 checksum:     9632 2cbc044e85607d478df32c2f2f6b7c77
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_hppa.deb
      Size/MD5 checksum:     9316 43a0da6ad670eecfafdc4d41d3b6051a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_hppa.deb
      Size/MD5 checksum:   189494 a70d9d43ec8bf6fdcffc1be25a942313

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_m68k.deb
      Size/MD5 checksum:   142114 ed579ae41fcf877da420efe8b8d16239
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_m68k.deb
      Size/MD5 checksum:     7302 defc8a011df0860b31f4763b9289bfb8
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_m68k.deb
      Size/MD5 checksum:     7022 df6b024f8e3e3ea324f808410d5ae700
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_m68k.deb
      Size/MD5 checksum:   156056 3e58a642bc1f54734fba73f9c07e234a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_mips.deb
      Size/MD5 checksum:   167558 9bf5967f89170eb726e4604af6853c31
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_mips.deb
      Size/MD5 checksum:     9566 7e8c7578e0bc4881b56676f43aa1a9c0
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_mips.deb
      Size/MD5 checksum:     8270 8dd6daac924c26ef623bbd02cece4214
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_mips.deb
      Size/MD5 checksum:   164928 fc70e4879fe7855af514680ec9185647

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_mipsel.deb
      Size/MD5 checksum:   168132 d486e21e94137e0604bb1524ac248970
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_mipsel.deb
      Size/MD5 checksum:     9494 54dc4f6b1c60888c0fec2f2a2749dd69
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_mipsel.deb
      Size/MD5 checksum:     8126 bb94e73d3a14b0bbd6148435a567f870
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_mipsel.deb
      Size/MD5 checksum:   165104 26ce61bc512bd9cf89e8d4a690449e92

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_powerpc.deb
      Size/MD5 checksum:   166114 06e405fad41bcd8631805ec114ccd22c
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_powerpc.deb
      Size/MD5 checksum:     9240 dd286bc081f7430e26aadba336de6fe4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_powerpc.deb
      Size/MD5 checksum:     8066 5af0a7632060ce0af76933f2f1b998da
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_powerpc.deb
      Size/MD5 checksum:   170796 f21deb772214d5a2dab264c143aa71b2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_s390.deb
      Size/MD5 checksum:   153486 7284501f93999732b2b651ee72c6a94e
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_s390.deb
      Size/MD5 checksum:     7852 8b65bbf71d887378c45c9e849804c07e
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_s390.deb
      Size/MD5 checksum:     7554 35e992fbebbad17c5b2934d86089fb30
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_s390.deb
      Size/MD5 checksum:   167024 f57ab1aa40f486f800bcdeae2b6360a4

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody1_sparc.deb
      Size/MD5 checksum:   161134 0724cff8ffd03f9b95aeeade4e179fae
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody1_sparc.deb
      Size/MD5 checksum:     8266 ef642dce0ef4d9181326e3011df4d279
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody1_sparc.deb
      Size/MD5 checksum:     7504 e97eb405b578a5b4f6a218c2dc9130a1
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_sparc.deb
      Size/MD5 checksum:   166676 d513ddf095450479c778dc3e903606b2


  These files will probably be moved into the stable distribution on
  its next revision.
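
Putting the manual upgrade steps above (wget the file, dpkg -i it) together with the checksum listing, as an added example that is not part of the Debian advisory or of the UNIRAS briefing: a POSIX shell script that first asks dpkg whether the installed libgdk-pixbuf2 already meets 0.17.0-2woody1, then fetches the i386 package and refuses to install it unless its byte count and MD5 digest match the values printed in the listing. The URL, size and digest are copied from the advisory; the function names, the --install flag and the constructed sample file are this example's own.

```shell
#!/bin/sh
# Added example, not part of DSA 464-1: verify a downloaded package against the
# size and MD5 printed in the advisory before running dpkg -i, and check whether
# the installed libgdk-pixbuf2 already carries the fix.

# Values copied from the advisory's "Intel IA-32" listing for libgdk-pixbuf2.
DEB_URL=http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody1_i386.deb
DEB_SIZE=151062
DEB_MD5=5565014515ef084339ba2f76f654fd01
FIXED_VERSION=0.17.0-2woody1

# verify_deb FILE SIZE MD5  (example helper, not a Debian tool)
# Returns 0 only if FILE exists and both its byte count and MD5 digest match
# the advisory. A digest lifted from a PGP-signed advisory is a download
# integrity check; it does not replace verifying the advisory's signature.
verify_deb() {
    file=$1 want_size=$2 want_md5=$3
    [ -f "$file" ] || { echo "verify_deb: $file: no such file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$got_size" != "$want_size" ]; then
        echo "verify_deb: size $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "verify_deb: md5 $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# installed_is_fixed PKG VERSION  (example helper)
# 0 if PKG is installed at VERSION or newer under dpkg's own version ordering,
# 1 if it is older or not installed, 2 if dpkg is not present on this host.
installed_is_fixed() {
    pkg=$1 fixed=$2
    command -v dpkg-query >/dev/null 2>&1 || return 2
    inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || return 1
    [ -n "$inst" ] || return 1
    dpkg --compare-versions "$inst" ge "$fixed"
}

# The advisory's manual path (wget url; dpkg -i file.deb) with the integrity
# check inserted between the two steps. Runs only when invoked with --install
# so the functions above can also be sourced on their own.
if [ "${1-}" = "--install" ]; then
    if installed_is_fixed libgdk-pixbuf2 "$FIXED_VERSION"; then
        echo "libgdk-pixbuf2 already at $FIXED_VERSION or newer; nothing to do"
        exit 0
    fi
    deb=$(basename "$DEB_URL")
    wget -q -O "$deb" "$DEB_URL"
    verify_deb "$deb" "$DEB_SIZE" "$DEB_MD5" || { rm -f "$deb"; exit 1; }
    dpkg -i "$deb"
fi
```

On a woody host the apt-get route (sources.list entry from the footer, then apt-get update; apt-get upgrade) does the same download and installs with dpkg's own integrity handling; the script is for the case where a package is fetched by hand and the only reference values are those in the signed advisory.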

- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAVwP2W5ql+IAeqTIRAvXrAJ9yvuD+s+PlfXlGnMb8gX788R29zQCgiHwc
T2UBArT8oHjRxclNsHP2e0A=
=YRAI
- - -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQFhbPIpao72zK539AQHw7AP+LNmVULePlvBIwFlpJX4EpPNiTwqlQGpL
4b2BJqMe6xpu9Jd2ZERV1w2GqhxojJRFpCkaS9t6pixM3ssXpkh275xskNSUoMoH
EBaQUsXjGPmDGt6YPdvai4e8H7hkA+H0zhCKPIcqDvndUGN7RFVHLPfOESgqsmj0
GMvVhlxSvtY=
=CeoH
-----END PGP SIGNATURE-----