DSA 1684-1: New lcms packages fix multiple vulnerabilities
Posted on: 12/10/2008 09:55 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1684 security@debian.org
http://www.debian.org/security/ Devin Carraway
December 10, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : lcms
Vulnerability : multiple vulnerabilities
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-5316 CVE-2008-5317

Two vulnerabilities have been found in lcms, a library and set of
commandline utilities for image color management. The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-2008-5316

Inadequate enforcement of fixed-length buffer limits allows an
attacker to overflow a buffer on the stack, potentially enabling
the execution of arbitrary code when a maliciously-crafted
image is opened.

CVS-2008-5317

An integer sign error in reading image gamma data could allow an
attacker to cause an under-sized buffer to be allocated for
subsequent image data, with unknown consequences potentially
including the execution of arbitrary code if a maliciously-crafted
image is opened.

For the stable distribution (etch), these problems have been fixed in
version 1.14-1.1+etch1.

For the upcoming stable distribution (lenny), and the unstable
distribution (sid), these problems are fixed in version 1.17.dfsg-1.

We recommend that you upgrade your lcms packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch1.diff.gz
Size/MD5 checksum: 2000 10fb445280ea38542701017292ffb1ca
http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15.orig.tar.gz
Size/MD5 checksum: 791543 95a710dc757504f6b02677c1fab68e73
http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch1.dsc
Size/MD5 checksum: 636 188344016765736e5690a669a6dce88b

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum: 179622 a64aa233ae03aa942c34e28af411f5fe
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum: 153452 12b7bbd297ef50a85f19da90d1c4f30f
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum: 61580 a821798d40f1d0990a053b825db129a8

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum: 53284 7eb60db022f80565251a0e4d9cadd8b2
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum: 140288 2b3fa89b3757f0431e2ab3e44f7d1c08
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum: 147692 e8be34ecb4af9f7cfe1e51c759fc2c27

arm architecture (ARM)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_arm.deb
Size/MD5 checksum: 135546 523110a99549778b3a5a9ddf38b381e5
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_arm.deb
Size/MD5 checksum: 135376 0e4f0fabbc9a04bc593f1887a1bcf35f
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_arm.deb
Size/MD5 checksum: 50962 7f38a7371ca57f25080f227a3a3b373a

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum: 168420 e5aab4f34d88b9f8aefd43fed5f2fe78
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum: 59120 88bf9add52df55b353d0d26508486a96
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum: 157652 30f8396d4f78363befd2e0d72b9e56a8

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_i386.deb
Size/MD5 checksum: 137296 46695836065eb7b734e02706191872f7
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_i386.deb
Size/MD5 checksum: 50592 4a0ca0dc60e6e212bf3692b2785b088b
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_i386.deb
Size/MD5 checksum: 143282 850ff5b97f347775c1daad08280a5b38

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_ia64.deb
Size/MD5 checksum: 204162 abd829e3c02d54dc911aa4abe343e377
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_ia64.deb
Size/MD5 checksum: 195094 5766c05fb15abe32d908f7b607464bb7
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_ia64.deb
Size/MD5 checksum: 78422 6176b8abb40f4dc50ed80472fe835fa5

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_mips.deb
Size/MD5 checksum: 51508 20274ee9af873cf1760fad77d4cb5720
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_mips.deb
Size/MD5 checksum: 172570 4dc3f233db7f2c15b26b39a04e7dd1ba
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_mips.deb
Size/MD5 checksum: 149190 db10ac87adfd9698890428f3119045fd

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_mipsel.deb
Size/MD5 checksum: 150390 62a81236533a4b708919367d5939d34c
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_mipsel.deb
Size/MD5 checksum: 173934 d8618284820cf47bc677c185c6ea5c39
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_mipsel.deb
Size/MD5 checksum: 52142 2213c852eaab6fbfee23031401214ecd

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_powerpc.deb
Size/MD5 checksum: 147308 d0c6bcfe7a23740f15b4e8dae4b9ea74
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_powerpc.deb
Size/MD5 checksum: 57630 cc7b4fc9ca44268952ef4b9fc97fe631
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_powerpc.deb
Size/MD5 checksum: 147710 8b586e00c2f39017bd2d51e0632297af

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_s390.deb
Size/MD5 checksum: 142054 622fed5f31c26119ca611e5c5aa79b1d
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_s390.deb
Size/MD5 checksum: 54150 45b3c4c471d977b53d40a2ab57e63591
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_s390.deb
Size/MD5 checksum: 144324 f8f15540a7cdbcfe5fc32fe40b3e459b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_sparc.deb
Size/MD5 checksum: 146618 2e09901e82467a8e02e12c958bf699db
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_sparc.deb
Size/MD5 checksum: 51410 7622942be787382b8abc72e9d709aeb8
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_sparc.deb
Size/MD5 checksum: 137480 111c3ff8c742773fc12237147f6d138c


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJP2/RU5XKDemr/NIRArcDAJ9TXSCs0sUBywG2XSrK/8wZyiIldACeMIrt
jE70wuDFt1ssn8saHIb/G2s=
=Cn4v
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1684_1_new_lcms_packages_fix_multiple_vulnerabilities.html)