DSA 1086-1: New xmcd packages fix denial of service
Posted on: 06/02/2006 01:32 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1086-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
June 2nd, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : xmcd
Vulnerability : design flaw
Problem type : local
Debian-specific: no
CVE ID : CVE-2006-2542
Debian Bug : 366816

The xmcdconfig creates directories world-writeable allowing local
users to fill the /usr and /var partition and hence cause a denial of
service. This problem has been half-fixed since version 2.3-1.

For the old stable distribution (woody) this problem has been fixed in
version 2.6-14woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.6-17sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.6-18.

We recommend that you upgrade your xmcd package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.dsc
Size/MD5 checksum: 619 42038224877b80e57969e82e14a6ee5a
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.diff.gz
Size/MD5 checksum: 19169 3144b9f7dc78b1a0a668eff06ded3b08
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz
Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f

Alpha architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_alpha.deb
Size/MD5 checksum: 65648 d4beba33b15cdef57c315666e9dbeaf3
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_alpha.deb
Size/MD5 checksum: 458520 da2013cefff5009ed770397ea7cf23fe

ARM architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_arm.deb
Size/MD5 checksum: 60464 2a9f06c9a2f888ea56ac62bdfe2eb05e
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_arm.deb
Size/MD5 checksum: 378038 932f832766a947aac29d9b40f2f8a026

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_i386.deb
Size/MD5 checksum: 58970 506435aef6b9a12c0715e73dea67eefd
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_i386.deb
Size/MD5 checksum: 324960 2eba0f70812dada62ec2fb3f3b054318

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_ia64.deb
Size/MD5 checksum: 66140 6d3eff9fdf1d9c6052c9554bc4dd584a
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_ia64.deb
Size/MD5 checksum: 543700 dce5ff73c754b4425fe642117a52f5fa

HP Precision architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_hppa.deb
Size/MD5 checksum: 60954 f48d59a10a2891bdb1842da42fe0b0f4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_hppa.deb
Size/MD5 checksum: 406294 2b12245768fce9c5f57cc4a8818ea1be

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_m68k.deb
Size/MD5 checksum: 58890 ce57236e978ed6310d23cf1cfede3224
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_m68k.deb
Size/MD5 checksum: 309832 0de1924af1c4981505849da8e6b8c7af

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mips.deb
Size/MD5 checksum: 61476 8a4dcea7adbfb4a1c3294a2622e05d15
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mips.deb
Size/MD5 checksum: 377170 91d622c19970fe0dcda24f63e85c7350

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mipsel.deb
Size/MD5 checksum: 61436 27eaa3e4c2365f2e4b49c526acc3df00
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mipsel.deb
Size/MD5 checksum: 378122 c9b63596911f83c72a4c9b7fbd01abf0

PowerPC architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_powerpc.deb
Size/MD5 checksum: 60998 74e9b62e02f69db4dfedab57100904dd
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_powerpc.deb
Size/MD5 checksum: 364402 28547836494d0142a84c2bf58888c6bf

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_s390.deb
Size/MD5 checksum: 59818 8d3d1ca6ff1fd1ceb32c42b73d4fe3bb
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_s390.deb
Size/MD5 checksum: 347966 dd3cc13ee026156516f315b77cb1f06b

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_sparc.deb
Size/MD5 checksum: 62724 597ddc3fe6e1c56a3ecb78e2b46c7fd4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_sparc.deb
Size/MD5 checksum: 361214 e93e33fe714c4b5429eb7a2bce8ba0ea


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.dsc
Size/MD5 checksum: 619 25a530a0383c4ab2cbc2d23a6c95d5f2
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.diff.gz
Size/MD5 checksum: 20482 d9ce89eebe6f068df0c1d49eacc0bb4b
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz
Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f

Alpha architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_alpha.deb
Size/MD5 checksum: 62480 d99e5ad3da64edbfbc6a9e5c610683e1
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_alpha.deb
Size/MD5 checksum: 452252 19bf881ff9a11a1d398d97ef2158f07c

AMD64 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_amd64.deb
Size/MD5 checksum: 60974 d14a6718ad2f95983d0af699aa585df2
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_amd64.deb
Size/MD5 checksum: 375978 1064343cbef2794c637ce6431935280b

ARM architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_arm.deb
Size/MD5 checksum: 60052 870eb636eb62c6b3d5fc310d82e9ae2c
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_arm.deb
Size/MD5 checksum: 363752 cf23e90fa86d845a66c297a12de2c887

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_i386.deb
Size/MD5 checksum: 59976 95f0064a7b485df46d6275e3ba98b28e
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_i386.deb
Size/MD5 checksum: 347032 2e5dfd037ca6a7d7e7ef77fa5b3cdd6a

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_ia64.deb
Size/MD5 checksum: 64146 9cf8c9c4c9aa5a6bf8da06ff9079e4df
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_ia64.deb
Size/MD5 checksum: 521072 6759905bab7f05d9cba71fa19b7b971d

HP Precision architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_hppa.deb
Size/MD5 checksum: 61618 578d619050afd48ba63fbb103a443673
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_hppa.deb
Size/MD5 checksum: 399428 b7c61aa93ff2efd42cb4375940b675df

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_m68k.deb
Size/MD5 checksum: 59428 a95f8b6d48635de344faf79d8dce01f5
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_m68k.deb
Size/MD5 checksum: 311534 313f9f8e4db059b0c58bc37ef61fe6cd

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mips.deb
Size/MD5 checksum: 61656 35c929f75f4ab0989ab7fe94afe08a3d
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mips.deb
Size/MD5 checksum: 379520 57b63417bfb1d07afb79767268e56022

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mipsel.deb
Size/MD5 checksum: 61688 63b48f033d11adeb78d933e36ad0a904
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mipsel.deb
Size/MD5 checksum: 381286 0e05464ae0243e4c6abfa50d21bf032c

PowerPC architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_powerpc.deb
Size/MD5 checksum: 60740 5bfc0950afeb05321af3623f90b015e4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_powerpc.deb
Size/MD5 checksum: 372902 e1706bbfe5c2e920465f339824c3639a

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_s390.deb
Size/MD5 checksum: 60742 95dcd70b6713309c6f0d57017b024ed7
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_s390.deb
Size/MD5 checksum: 364676 0e28c9bf8c98276469af3b7a906f9c39

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_sparc.deb
Size/MD5 checksum: 59944 6057d32cd180068884fa63923163cc92
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_sparc.deb
Size/MD5 checksum: 354052 51387f66a75f9ab56fa036b970ace931


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEgA8TW5ql+IAeqTIRAnJoAKCo+RUx++bsD3QhPyrN+SVRsLn4fgCgom2y
kuqz0ZtlJqekaiMevzgL5EQ=
=T6Q7
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1086_1_new_xmcd_packages_fix_denial_of_service.html)