
UNIRAS Brief - 593/05 - Debian - gaim (DSA 769-1) and gopher (DSA 770-1)



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 593/05 dated 31.07.05  Time: 21:32
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Debian Security Advisories - gaim and gopher

Detail
====== 
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 769-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
July 29th, 2005                         http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : gaim
Vulnerability  : memory alignment bug
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2370

Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well.  This cannot be exploited on the x86
architecture, but on others, e.g. Sparc, it can lead to a bus error,
in other words a denial of service.

The old stable distribution (woody) does not seem to be affected by
this problem.

For the stable distribution (sarge) this problem has been fixed in
version 1.2.1-1.4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your gaim package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4.dsc
      Size/MD5 checksum:      915 3bee538026c525a384cbe0865d110c78
    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4.diff.gz
      Size/MD5 checksum:    31681 382649de95e8cf1417c5170d1a8a372e
    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1.orig.tar.gz
      Size/MD5 checksum:  5215565 866598947a30005c9d2a4466c7182e2a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/g/gaim/gaim-data_1.2.1-1.4_all.deb
      Size/MD5 checksum:  2838720 d1b16e84e0141e8030485e36339f4faa

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_alpha.deb
      Size/MD5 checksum:  1068846 ebb2a8902f38292e34b6dc08c28a1fcd
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_alpha.deb
      Size/MD5 checksum:   102374 fb9bcb085067d216f57d39a332f2820d

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_arm.deb
      Size/MD5 checksum:   817860 23f78add9104cf3e5f79b7cd304fb3f7
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_arm.deb
      Size/MD5 checksum:   102410 b2df8a242b943aa0d1a9b6e8148169a2

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_i386.deb
      Size/MD5 checksum:   879294 d2716bd687b657f2208ad0585c13d691
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_i386.deb
      Size/MD5 checksum:   102360 4120bc2abace13ca4374651db973f448

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_ia64.deb
      Size/MD5 checksum:  1264312 5204cd503aed191f1cba6cfa6705f5c1
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_ia64.deb
      Size/MD5 checksum:   102360 69787fd4685f53e21c4bf7c2df0ecdc6

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_hppa.deb
      Size/MD5 checksum:  1007084 92d7692ec48a6311177f752049ced338
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_hppa.deb
      Size/MD5 checksum:   102412 d11aa9dca9554e751f15e2345e724b43

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_m68k.deb
      Size/MD5 checksum:   815858 ccb750c04cffe4026096da9bc1d322bd
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_m68k.deb
      Size/MD5 checksum:   102480 3dc4d6008736ff7ef71960587ef349ec

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_mips.deb
      Size/MD5 checksum:   855152 23092ea32cdc78dd67e50723444c38d5
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_mips.deb
      Size/MD5 checksum:   102382 d6d1c8c62c8ebc2eeb4a6cb5e2ab52f1

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_mipsel.deb
      Size/MD5 checksum:   846462 14cc63bc73903ffd3b391d8d3be0c326
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_mipsel.deb
      Size/MD5 checksum:   102378 f0e724ffce6ce9d80c75c4f77a341a67

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_powerpc.deb
      Size/MD5 checksum:   913460 baa3230e8857033cb9e480ecda99b01d
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_powerpc.deb
      Size/MD5 checksum:   102384 fb572b59ed02992ba80dc8c6aab6db91

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_s390.deb
      Size/MD5 checksum:   946240 f431a8a8595dbe5c5b26148f9504bda0
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_s390.deb
      Size/MD5 checksum:   102380 d7bb41baeb1391be34b1c9642ecb22a5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_1.2.1-1.4_sparc.deb
      Size/MD5 checksum:   850810 73b4bdb1206ba5b0f2a5bda0cf061470
    http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_1.2.1-1.4_sparc.deb
      Size/MD5 checksum:   102380 7d112554def1191e36f50755ca21c7f8


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC6dvqW5ql+IAeqTIRAiYMAJ9tbYHKcEgLovyXhZ/+5w4BRWP8awCggJOR
TqUQ0OtKA45RTSOzIrKmTAg=
=9WEt
- -----END PGP SIGNATURE-----
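The bug class behind DSA 769-1 is an unaligned memory access: a multi-byte field is read through a pointer that is not aligned for its type. x86 hardware silently tolerates such loads, which is why the advisory says it cannot be exploited there, while SPARC and other strict-alignment CPUs fault with SIGBUS, turning a malformed message into a remote crash of the client. The following is an added illustration of that pattern beside its hardened form; it is not libgadu's or gaim's code, and the packet layout (a one-byte type followed by a four-byte little-endian length at offset 1) is an assumption invented for the example.

```c
/* Added illustration of the bug class in DSA 769-1 (unaligned memory
 * access). This is NOT libgadu's or gaim's code; the packet layout
 * below is an assumption made up for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire packet: 1-byte type followed by a 4-byte
 * little-endian length. The union forces 4-byte alignment of the
 * buffer, so the length field at offset 1 is deliberately misaligned. */
static const union {
    uint32_t force_align;
    unsigned char bytes[8];
} PKT = { .bytes = { 0x01, 0x44, 0x33, 0x22, 0x11, 0xaa, 0xbb, 0xcc } };

#define PKT_LEN_OFFSET 1

/* Returns 1 if p is suitably aligned for an object of 'align' bytes. */
int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* VULNERABLE pattern: cast a byte pointer to uint32_t* and dereference.
 * x86 hardware tolerates the unaligned load, so this "works" there; on
 * SPARC and other strict-alignment CPUs it raises SIGBUS, which is the
 * denial of service the advisory describes. It is also undefined
 * behaviour in C on every platform. Not called by the tests. */
uint32_t read_len_unaligned(const unsigned char *pkt)
{
    return *(const uint32_t *)(pkt + PKT_LEN_OFFSET);   /* misaligned deref */
}

/* HARDENED: assemble the field byte by byte (memcpy into an aligned
 * local works too), which is well-defined regardless of the pointer's
 * alignment and independent of host endianness. Bounds are checked
 * first so a truncated packet cannot read past the buffer. */
int read_len_safe(const unsigned char *pkt, size_t pkt_size, uint32_t *out)
{
    if (pkt == NULL || out == NULL)
        return -1;
    if (pkt_size < PKT_LEN_OFFSET + sizeof(uint32_t))
        return -1;                       /* truncated packet */
    const unsigned char *p = pkt + PKT_LEN_OFFSET;
    *out = (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
    return 0;
}

int main(void)
{
    uint32_t len = 0;
    printf("length field aligned for uint32_t: %s\n",
           is_aligned(PKT.bytes + PKT_LEN_OFFSET, sizeof(uint32_t)) ? "yes" : "no");
    if (read_len_safe(PKT.bytes, sizeof PKT.bytes, &len) == 0)
        printf("length = 0x%08x\n", len);
    return 0;
}
```

Because x86 masks the fault, this class of bug is easy to miss in testing on the developer's own machine. Building with `-fsanitize=alignment` (GCC/Clang UBSan) reports the misaligned dereference in `read_len_unaligned` on x86 as well, which is the cheap check to add to a CI build of any protocol parser that is shipped for SPARC, MIPS, ARM or other strict-alignment targets.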


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 770-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
July 29th, 2005                         http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : gopher
Vulnerability  : insecure tmpfile creation
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-1853

John Goerzen discovered that gopher, a client for the Gopher
Distributed Hypertext protocol, creates temporary files in an insecure
fashion.

For the old stable distribution (woody) this problem has been fixed in
version 3.0.3woody3.

For the stable distribution (sarge) this problem has been fixed in
version 3.0.7sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 3.0.9.

We recommend that you upgrade your gopher package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3.dsc
      Size/MD5 checksum:      552 c36368a87e599721ce6faf7f6f2b43af
    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3.tar.gz
      Size/MD5 checksum:   508858 9fafa9c495dc402c68e16b1d98578622

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_alpha.deb
      Size/MD5 checksum:   151672 43a15f4646faee119f5691500e78e8aa
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_alpha.deb
      Size/MD5 checksum:   120288 cbee60712b9c3bc4ef7df144aa2c16f5

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_arm.deb
      Size/MD5 checksum:   114782 5d02e52bcdb1e9682e5b338e88d3b1d6
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_arm.deb
      Size/MD5 checksum:    98766 adb1f0e3eefea5578fafad6faf305d3e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_i386.deb
      Size/MD5 checksum:   112728 b2b16c3f5cfa2df5aa3a26361adba13f
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_i386.deb
      Size/MD5 checksum:    96958 ad5d261eb022846bb9099e27e1c0faea

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_ia64.deb
      Size/MD5 checksum:   173840 1a9b23617bb59a99de29c77f9438f266
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_ia64.deb
      Size/MD5 checksum:   139924 92daf67a685a0a1d7092477037fc6883

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_hppa.deb
      Size/MD5 checksum:   129958 662dcf6bc361150a7edab41fd8ace48d
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_hppa.deb
      Size/MD5 checksum:   109924 e27effcad026aa923fa6cd069abc2353

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_m68k.deb
      Size/MD5 checksum:   105804 9adb09f5a9705f668ef3f6c678beb738
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_m68k.deb
      Size/MD5 checksum:    92012 0a99b4b07a6e7f5cdfab672ecaa0c24c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_mips.deb
      Size/MD5 checksum:   131172 321d042012f31e63989901fb0a799905
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_mips.deb
      Size/MD5 checksum:   109634 9f52a094c0c3c4751ba759697b1a8a51

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_mipsel.deb
      Size/MD5 checksum:   131172 09507006f76bad2f36a7ef1b845f895e
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_mipsel.deb
      Size/MD5 checksum:   109522 0b3ee016c1135a1d7e6d9883d101f52c

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_powerpc.deb
      Size/MD5 checksum:   121388 f1e8c648dfd1a9be38c8c595c1a10d3b
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_powerpc.deb
      Size/MD5 checksum:   102924 6cacbf8097a31dac9d93ccb887294f83

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_s390.deb
      Size/MD5 checksum:   116412 4026e77e65aa9029e59191085f37d76e
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_s390.deb
      Size/MD5 checksum:    99978 00b9bfc610eb7583b1dc35757b017d87

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.3woody3_sparc.deb
      Size/MD5 checksum:   122096 0f85aa93d4e54b4a8ecc658f7e5caa78
    http://security.debian.org/pool/updates/main/g/gopher/gopherd_3.0.3woody3_sparc.deb
      Size/MD5 checksum:   102280 f78c3fb64a500acc9a9b3ff714d16b34


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1.dsc
      Size/MD5 checksum:      547 31eead81f6846deabd19e34c620e368f
    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1.tar.gz
      Size/MD5 checksum:   678218 8f159dcfc9ed25335e8bc0b87fb3e3d8

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_alpha.deb
      Size/MD5 checksum:   148342 adcd570d5fc2baf7ab4bb43d54727444

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_arm.deb
      Size/MD5 checksum:   116832 ef4570961aac6e3f6e3a9b8ef640e43a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_i386.deb
      Size/MD5 checksum:   120802 a9b89709899d3c9380219887d5a89573

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_ia64.deb
      Size/MD5 checksum:   168676 3ec0be402bd6057a56a094d7baf5b0cd

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_hppa.deb
      Size/MD5 checksum:   132718 088fc0a402a26fded33bcc374810a354

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_m68k.deb
      Size/MD5 checksum:   110014 c2155dd93f6d6c0cecf27d026a107766

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_mips.deb
      Size/MD5 checksum:   133724 42237ccac6bd4dd4c3b8a16f6fc60c8d

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_mipsel.deb
      Size/MD5 checksum:   133830 a0e6f0436a1068dd86bdac1dedf51978

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_powerpc.deb
      Size/MD5 checksum:   129276 5c2d33e24f528e9f55d7537acc960c4e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_s390.deb
      Size/MD5 checksum:   129252 462cdf9e475ef667550c419d1d5537ca

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gopher/gopher_3.0.7sarge1_sparc.deb
      Size/MD5 checksum:   117344 ebcfe7c3898b6015f0b5a893145746ed


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC6kbxW5ql+IAeqTIRAhcQAJ9U5FcISrXnrxe9qIGm/+f4s5U2AwCfY/vt
jEptBrB5UncMKRk90NHPZvE=
=CuER
- -----END PGP SIGNATURE-----
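DSA 770-1 is a local issue: a program that creates a temporary file under a predictable name in a shared directory such as /tmp, without O_EXCL, can be made to follow a symbolic link a local attacker planted in advance, so the victim truncates or overwrites a file of the attacker's choosing with the victim's privileges. The block below is an added illustration of that pattern and of the mkstemp()-based fix; it is not gopher's code, and the prefix, helper names and the ownership/permission checks are assumptions made for the example.

```c
/* Added illustration of the bug class in DSA 770-1 (insecure temporary
 * file creation). This is NOT gopher's code; the file-name pattern and
 * helper names are assumptions made for the example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* INSECURE pattern: a predictable name under a world-writable directory,
 * opened with a plain open() that follows whatever is already at that
 * path. A local user who pre-creates /tmp/<prefix>.<pid> as a symlink
 * makes the victim truncate and write any file the victim may write.
 * Not called by the tests. */
int insecure_tmpfile(const char *prefix)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/%s.%d", prefix, (int)getpid());
    /* No O_EXCL, no O_NOFOLLOW, and a name the attacker can guess. */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* HARDENED: mkstemp() replaces the XXXXXX template with an unpredictable
 * suffix and creates the file atomically with O_CREAT|O_EXCL and mode
 * 0600, so an existing file or symlink at that name makes it fail
 * instead of being followed. Honours TMPDIR so per-user temp dirs work.
 * On success returns the fd and leaves the chosen path in 'out'. */
int secure_tmpfile(const char *prefix, char *out, size_t out_size)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(out, out_size, "%s/%s.XXXXXX", dir, prefix) >= (int)out_size)
        return -1;              /* path would be truncated */
    return mkstemp(out);        /* atomic O_CREAT|O_EXCL, mode 0600 */
}

/* Post-condition check on the open descriptor (fstat, not stat, so there
 * is no race on the path): a regular file, owned by us, not group/world
 * accessible, with a single link. Returns 1 if all hold, else 0. */
int tmpfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == geteuid()
        && (st.st_mode & 0077) == 0
        && st.st_nlink == 1;
}

int main(void)
{
    char path[256];
    int fd = secure_tmpfile("gopher", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s (private=%d)\n", path, tmpfile_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

The important property is that the file is created and opened in one system call with O_EXCL: checking for the name first and then opening it leaves the window in which the attacker creates the symlink. Keep using the descriptor mkstemp() returned rather than reopening the path by name, for the same reason.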

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may also be sent via 
email to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever arising from or in connection 
with the use of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>




-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBQu02V4pao72zK539AQGLPQP/fk8tnwm5sRMyfJ7cc+n6O0G0TbSlct+V
DtrAGJ8BCqFZh6oCh+xpCkyETL/k8kzh9G7Lz++T4A7X5ql27PlhJ8viQp+5sa8C
4W9laeJba9bNXyC2H8cnx8IBtcpH8/fA/LhOlOZB6RNLD+fLawr0BHpMyfkA2rqS
lQUl7k7VOVg=
=JCQM
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________