DSA 1068-1: New fbi packages fix denial of service
Posted on: 05/20/2006 09:52 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1068-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
May 20th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : fbi
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-1695
Debian Bug : 361370

Jan Braun discovered that the fbgs script of fbi, an image viewer for
the framebuffer environment, creates an directory in a predictable manner,
which allows denial of service through symlink attacks.

For the old stable distribution (woody) this problem has been fixed in
version 1.23woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.01-1.2sarge1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your fbi package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1.dsc
Size/MD5 checksum: 559 4aa635f3124ac9e654ad25c11f9c1420
http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1.tar.gz
Size/MD5 checksum: 58027 20831f12eaf6fd6f4faa928ad2d80428

Alpha architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_alpha.deb
Size/MD5 checksum: 49472 6004536fd8a9210c041bf7ab4570c254

ARM architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_arm.deb
Size/MD5 checksum: 40320 bd6d1d6addcd838e7d0d309b6f1b424a

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_i386.deb
Size/MD5 checksum: 37476 917af0dcaa790e71eef2d20d6766b472

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_ia64.deb
Size/MD5 checksum: 60846 8435e5bba35a1e2b82f52102dee7e255

HP Precision architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_hppa.deb
Size/MD5 checksum: 45078 e1343c5ab373022682ea9659c17642e1

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_m68k.deb
Size/MD5 checksum: 35324 3331d7b580216a5ba9590c936000b32c

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_mips.deb
Size/MD5 checksum: 43206 a9234c16f320296bd2167ee97a9c193d

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_mipsel.deb
Size/MD5 checksum: 43326 05850aa0862a75c0e9340ff3130b2e7a

PowerPC architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_powerpc.deb
Size/MD5 checksum: 40652 52a8724735c368dad3a6cce4fe2e2986

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_s390.deb
Size/MD5 checksum: 40358 55e2c97bb3b6e84e65220b8e36fe8bd3

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/f/fbi/fbi_1.23woody1_sparc.deb
Size/MD5 checksum: 38928 0e474d52aac9c49575e09c89cc160dc8


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1.dsc
Size/MD5 checksum: 735 af3db0f27d3d8bab9b8051dc497abaaa
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1.diff.gz
Size/MD5 checksum: 4840 66b2f2ed2577ef905865b9c18409994e
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01.orig.tar.gz
Size/MD5 checksum: 205822 7bf21eae612fd457155533a83ab075c2

Alpha architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_alpha.deb
Size/MD5 checksum: 29496 597e1fb3a2a44a3e130e71ee14c7818a
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_alpha.deb
Size/MD5 checksum: 67638 6a60e3c72741d6e6667d6dc256284361

AMD64 architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_amd64.deb
Size/MD5 checksum: 24474 b59a585d73a3c28060ad56a3aa7e7f0a
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_amd64.deb
Size/MD5 checksum: 57326 3e846d45b831c55f960792a033d4eafb

ARM architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_arm.deb
Size/MD5 checksum: 22440 6e70ab80e54f70b63a45a0476f883ff7
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_arm.deb
Size/MD5 checksum: 51178 a53903ec2a00b07c5eaad8acbe91dd4e

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_i386.deb
Size/MD5 checksum: 22644 c62296dbeb5e1aaee865595b6edd6f61
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_i386.deb
Size/MD5 checksum: 52126 5e8ce488ccf3ae55e9e18586c3dcad7a

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_ia64.deb
Size/MD5 checksum: 33838 39beccb7cb3e14c5432ca6c7c6aebaa8
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_ia64.deb
Size/MD5 checksum: 79752 c4dcf30f9d03eea3c2b88744fdb7ecb4

HP Precision architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_hppa.deb
Size/MD5 checksum: 26856 5e3917309718e88ba92acf987511f828
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_hppa.deb
Size/MD5 checksum: 60152 9a87a9cf08571d7dde5105e44aac6b09

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_m68k.deb
Size/MD5 checksum: 20692 5f02a36a487e20139fa44a6578734352
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_m68k.deb
Size/MD5 checksum: 47274 99544f2a08a563cd49e873d76a4144bb

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_mips.deb
Size/MD5 checksum: 25992 265989c07aae9d76a9d1413652d550a5
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_mips.deb
Size/MD5 checksum: 59434 db2964812374a7e991da7d590dfa9da4

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_mipsel.deb
Size/MD5 checksum: 26058 040e3d982d77cd40118f5249e1dcd996
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_mipsel.deb
Size/MD5 checksum: 59166 6ad4d70a30f65b1784269b903ea8271a

PowerPC architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_powerpc.deb
Size/MD5 checksum: 25912 24f98eff47c2ec279c37ed8e678e087a
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_powerpc.deb
Size/MD5 checksum: 57236 ba603481f53226cfe797714014f2586f

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_s390.deb
Size/MD5 checksum: 24420 8e769aa578139330b6a1211d51cce264
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_s390.deb
Size/MD5 checksum: 58016 ec38329e241e32e0a0bd00d114c1c65f

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/f/fbi/exiftran_2.01-1.2sarge1_sparc.deb
Size/MD5 checksum: 23016 4e89f15043cf08dccc1b84175e632fc2
http://security.debian.org/pool/updates/main/f/fbi/fbi_2.01-1.2sarge1_sparc.deb
Size/MD5 checksum: 52440 7adbfbe748f548614c2726265dc8f680


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEb1V/Xm3vHE4uyloRAtilAKDQHjf0Ml01J1wipeYLdQSQB5dV8QCgtf/X
nGrW4UdYYHiiClmReAoKx28=
=p2d1
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1068_1_new_fbi_packages_fix_denial_of_service.html)