DSA-1972-2: New audiofile packages fix buffer overflow
Posted on: 01/21/2010 06:15 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-1972-2 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
January 21, 2010 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : audiofile
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2008-5824
Debian bug : 510205

This advisory adds the packages for the old stable distribution (etch),
with the exception of the mips packages. The updates for the mips
architecture will be released when they become available.

The packages for the stable distribution (lenny) have been released
in DSA-1972-1. For reference, the advisory text is provided below.

Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

The old stable distribution (etch), this problem has been fixed in
version 0.2.6-6+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch (oldstable)
- -------------------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.diff.gz
Size/MD5 checksum: 300089 dbc542c9c87880f436083facfb3ccc28
http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6-6+etch1.dsc
Size/MD5 checksum: 629 f9f760bd11ccb13c85266ace4f87d25d
http://security.debian.org/pool/updates/main/a/audiofile/audiofile_0.2.6.orig.tar.gz
Size/MD5 checksum: 374688 9c1049876cd51c0f1b12c2886cce4d42

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_alpha.deb
Size/MD5 checksum: 158070 1d27f78ba5efee6f348fdec83497f0cf
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_alpha.deb
Size/MD5 checksum: 89404 0c40bf5eeab7afe6b81c0ca1bc8d4add

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_amd64.deb
Size/MD5 checksum: 128468 5307500dd56e86e86236a2e8af9258fe
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_amd64.deb
Size/MD5 checksum: 81598 17ee5acae5158682302d9256688c272e

arm architecture (ARM)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_arm.deb
Size/MD5 checksum: 114782 d6ca165e6c39f2475b23b07ea84258f3
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_arm.deb
Size/MD5 checksum: 73324 e5a3329799553494e43586faa08c5607

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_hppa.deb
Size/MD5 checksum: 87046 504612c1d8b826a30d55ae7688b9a37c
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_hppa.deb
Size/MD5 checksum: 135608 5f6809474bca61b181113fff73393c56

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_i386.deb
Size/MD5 checksum: 118410 4e3e58094cfa7314a7160d7f936baafb
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_i386.deb
Size/MD5 checksum: 77204 e572289bc7e52fc49f256ed6d9ccbf80

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_ia64.deb
Size/MD5 checksum: 112806 dd5f834b0b56d737f2601c63c776d658
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_ia64.deb
Size/MD5 checksum: 170280 a25c0e6fa1024322810cb29f1204e6ff

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_mipsel.deb
Size/MD5 checksum: 77280 2c0c057fc9f5848406ec44d26bc369d8
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_mipsel.deb
Size/MD5 checksum: 136296 cf83ef8e66b2d8400d5e35ad52232a32

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_powerpc.deb
Size/MD5 checksum: 79662 5e2ff6dbb8a86c1c452ef5343a2d4ac7
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_powerpc.deb
Size/MD5 checksum: 127768 413cd4a5f93ff94210ccc160643d18ab

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_s390.deb
Size/MD5 checksum: 82434 933bfc65aff56acea69aa5e416b6a345
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_s390.deb
Size/MD5 checksum: 125394 c457ac81ef48d6743ff748b211f73283

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile0_0.2.6-6+etch1_sparc.deb
Size/MD5 checksum: 73952 1b28318b172a18bb6aae3ddc225cf925
http://security.debian.org/pool/updates/main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_sparc.deb
Size/MD5 checksum: 117070 9ea6282659991534beffdafe9dc4b985


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLWHttbxelr8HyTqQRAuFuAKCL5761UQYTYRb7IlGhU5h3a/THSgCbBsoq
zE8a0YHot28DmvbCVGZfDAQ=
=Vws6
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1972_2_new_audiofile_packages_fix_buffer_overflow.html)