DSA 1487-1: New libexif packages fix several vulnerabilities
Posted on: 02/08/2008 06:40 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1487-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : libexif
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-2645 CVE-2007-6351 CVE-2007-6352

Several vulnerabilities have been discovered in the EXIF parsing code
of the libexif library, which can lead to denial of service or the
xecution of arbitrary code if a user is tricked into opening a
malformed image.

CVE-2007-2645

Victor Stinner discovered an integer overflow, which may result in
denial of service or potentially the execution of arbitrary code.

CVE-2007-6351

Meder Kydyraliev discovered an infinite loop, which may result in
denial of service.

CVE-2007-6352

Victor Stinner discovered an integer overflow, which may result
in denial of service or potentially the execution of arbitrary
code.

This update also fixes two potential NULL pointer deferences.

For the stable distribution (etch), these problems have been fixed in
version 0.6.13-5etch2.

For the old stable distribution (sarge), these problems have been
fixed in 0.6.9-6sarge2.


We recommend that you upgrade your libexif packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9.orig.tar.gz
Size/MD5 checksum: 520956 0aa142335a8a00c32bb6c7dbfe95fc24
http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.dsc
Size/MD5 checksum: 591 1ab880b25e1e3ba979d2b6441a3367d5
http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.diff.gz
Size/MD5 checksum: 5162 47e515e0688cd1c661456df1b5d77601

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_alpha.deb
Size/MD5 checksum: 87534 d7d3df515250467671cbc2d9f158269e
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_alpha.deb
Size/MD5 checksum: 87554 ee4573f7453ca96efda9cd094d106e30

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_amd64.deb
Size/MD5 checksum: 67756 af682500abe0346627ba15e941fa0b1a
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_amd64.deb
Size/MD5 checksum: 82068 37e1b283512138577147b1acb9717ed7

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_arm.deb
Size/MD5 checksum: 64146 62d0c51dbb3339746066bb04d787af45
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_arm.deb
Size/MD5 checksum: 77004 0d1a7247d251ca72ff84e4da7dcca53b

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_i386.deb
Size/MD5 checksum: 81194 bed6762757bd00b262a0829419cd6634
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_i386.deb
Size/MD5 checksum: 66828 8cc90864578b2854bc71255638e47fb5

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_ia64.deb
Size/MD5 checksum: 84318 4a59f435077564e89aca96c95d026a10
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_ia64.deb
Size/MD5 checksum: 95484 e4ac3f25989bcfc22bc87b1e0d95772e

m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_m68k.deb
Size/MD5 checksum: 58050 7fef4665ccd47cc42632a329500e70a5
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_m68k.deb
Size/MD5 checksum: 79196 46342bf50631c9d64ed103511b1b893c

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mips.deb
Size/MD5 checksum: 69282 708a8d5c33c9a55a4ab4756710839206
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mips.deb
Size/MD5 checksum: 77082 97212d583943be6d83afcec731e27ac1

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mipsel.deb
Size/MD5 checksum: 67646 c857ec6882ed8cbb47e051a90df7ca96
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mipsel.deb
Size/MD5 checksum: 77138 47e7a22eb17e671e2ccb500a775a85d1

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_powerpc.deb
Size/MD5 checksum: 81332 72847874c73086de64a25d03f48a2780
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_powerpc.deb
Size/MD5 checksum: 69112 c4584d2f07fbdb932c85e2633ca9b2a8

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_s390.deb
Size/MD5 checksum: 82268 3f308fb9b59f68ffdbf7390e76f570c2
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_s390.deb
Size/MD5 checksum: 69724 21b6aa80c1a1c1a1b3e8bcd9165c8c43

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_sparc.deb
Size/MD5 checksum: 66296 ee6bceace68322f90e171c89c441e4c6
http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_sparc.deb
Size/MD5 checksum: 80280 4e9b6787b57c526192bdc2de9d5d6a7f

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13.orig.tar.gz
Size/MD5 checksum: 727418 e5ad93c170bfb4fed6dc3e1c7a7948cb
http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.dsc
Size/MD5 checksum: 611 31d21b75dede8ab7357d68dc10f31b03
http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.diff.gz
Size/MD5 checksum: 9821 99a0a91ef86facebe77eb309e84187ee

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_alpha.deb
Size/MD5 checksum: 148400 569ffd818b70ff416f2b50033c504a69
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_alpha.deb
Size/MD5 checksum: 1068446 66c630fb722856971a824fc00e7ae0f5

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_amd64.deb
Size/MD5 checksum: 1044250 b3c5a88cb260655fc65d2ccbd1e2e25b
http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_amd64.deb
Size/MD5 checksum: 143178 f76de0764808bf3e2c82867954e2a214

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_arm.deb
Size/MD5 checksum: 136448 0f04c8ec7d86dd7c5e2d104cd0a8592a
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_arm.deb
Size/MD5 checksum: 1047204 0b0a09e307bd48dd38ea7be61901eec6

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_i386.deb
Size/MD5 checksum: 140088 74f55a40478fb3735293b8b20a9b29b9
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_i386.deb
Size/MD5 checksum: 1008258 98478f9f44a8121aaa68173eabb9d045

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_ia64.deb
Size/MD5 checksum: 159480 f35f6ad4c85c7d0b2898a918fd452081
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_ia64.deb
Size/MD5 checksum: 1028756 add2a11a37f72fc8e00db36acc7aba96

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mips.deb
Size/MD5 checksum: 1043420 a2a95479dea713b082fef5c1b5309ea7
http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mips.deb
Size/MD5 checksum: 137352 54a048d4d4d5040a026887e93dadb61d

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mipsel.deb
Size/MD5 checksum: 136158 f713af175516742b0cda4422b85810ad
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mipsel.deb
Size/MD5 checksum: 1008294 bc6a4b93282d64d33f1d26eee59c5bb4

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_powerpc.deb
Size/MD5 checksum: 138282 cb57a663e790a4155635009c8948eeca
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_powerpc.deb
Size/MD5 checksum: 1005588 26264ee184bad0af01f7861e3a5db6e7

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_s390.deb
Size/MD5 checksum: 143596 f4246c73e1d35cc56bc3fca55ec7675f
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_s390.deb
Size/MD5 checksum: 1007802 df0e068ffdb783f1da5418e518d623ce

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_sparc.deb
Size/MD5 checksum: 138354 d27c15349891f23956642b19733da994
http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_sparc.deb
Size/MD5 checksum: 1002854 c44f9f239a4e13da27ccb78a42d54df3


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHrJA5Xm3vHE4uyloRAkxeAJwIb/NrMfNSD4vcRt2FXSSnRNmJFwCgwrgy
syCcOf1SWUb3hogEG0nUsiw=
=N7HU
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1487_1_new_libexif_packages_fix_several_vulnerabilities.html)