Linux Today: Linux News On Internet Time.
Advisories, December 5, 2005

Dec 06, 2005, 05:00

Debian GNU/Linux


Debian Security Advisory DSA 913-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 1st, 2005                      http://www.debian.org/security/faq


Package : gdk-pixbuf
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2005-2975 CVE-2005-2976 CVE-2005-3186
BugTraq ID : 15428
Debian Bug : 339431

Several vulnerabilities have been found in gdk-pixbuf, the Gtk+ GdkPixBuf XPM image rendering library. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2005-2975

Ludwig Nussel discovered an infinite loop when processing XPM images that allows an attacker to cause a denial of service via a specially crafted XPM file.

CVE-2005-2976

Ludwig Nussel discovered an integer overflow in the way XPM images are processed that could lead to the execution of arbitrary code or crash the application via a specially crafted XPM file.

CVE-2005-3186

"infamous41md" discovered an integer overflow in the XPM processing routine that can be used to execute arbitrary code via a traditional heap overflow.

The following matrix explains which versions fix these problems:

                 old stable (woody)   stable (sarge)   unstable (sid)
gdk-pixbuf       0.17.0-2woody3       0.22.0-8.1       0.22.0-11
gtk+2.0          2.0.2-5woody3        2.6.4-3.1        2.6.10-2

We recommend that you upgrade your gdk-pixbuf packages.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody3.dsc
      Size/MD5 checksum: 706 148ab895e798cb66959ae0bf7c725424
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody3.diff.gz
      Size/MD5 checksum: 20031 7851718d740e6e6a629e462b87269234
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0.orig.tar.gz
      Size/MD5 checksum: 547194 021914ad9104f265527c28220315e542

Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_alpha.deb
      Size/MD5 checksum: 177066 edf14dd71b77d893ca27c7768dd0a9f4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_alpha.deb
      Size/MD5 checksum: 9730 52bcd65497f80d9f9b649f2dff012436
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_alpha.deb
      Size/MD5 checksum: 8874 1d7cfd64edf8fc05888e608bbba6edc9
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_alpha.deb
      Size/MD5 checksum: 193844 d20a90a4252d8f9ada81eb07b9798f25

ARM architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_arm.deb
      Size/MD5 checksum: 156918 7a96bcd45ce4b637283c2b966c1fbbbc
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_arm.deb
      Size/MD5 checksum: 8146 b1081dd21eadff238d9b411a71487759
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_arm.deb
      Size/MD5 checksum: 7282 b65d0f3169de9ff0bd73289de74be475
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_arm.deb
      Size/MD5 checksum: 161486 96ab7f9daf68d8f5317cf8e633e2da29

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_i386.deb
      Size/MD5 checksum: 147604 45fbdaa219558095236d758b15ab8da0
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_i386.deb
      Size/MD5 checksum: 7602 b0d9ed0671ea6b4abc1311c3b50c2821
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_i386.deb
      Size/MD5 checksum: 7142 e125861f4de9b5958e47336332532408
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_i386.deb
      Size/MD5 checksum: 151634 8db98edeeeceddca00ab90d23a3377fd

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_ia64.deb
      Size/MD5 checksum: 194976 de93fe82b55f27ae64566d9946d0fee9
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_ia64.deb
      Size/MD5 checksum: 11016 11b9ec958564155bf58ecef0ce38621f
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_ia64.deb
      Size/MD5 checksum: 11076 d425f1ddd7dda9a2b09816976e365da8
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_ia64.deb
      Size/MD5 checksum: 229474 69ad68e6ed5ea88df1abdf954e26dfa4

HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_hppa.deb
      Size/MD5 checksum: 181324 e3543dc0a15a94e57946647fdc777791
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_hppa.deb
      Size/MD5 checksum: 9638 b392986cc6d6ddf24a47589f9fc78b5b
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_hppa.deb
      Size/MD5 checksum: 9316 3be84377508b98df8f700885dc0bcb13
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_hppa.deb
      Size/MD5 checksum: 190026 4741d1df4e66ba1a90758a44a68123ab

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_m68k.deb
      Size/MD5 checksum: 142140 505be04e8005f316259cad3025d599c3
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_m68k.deb
      Size/MD5 checksum: 7306 3967ebf6db8793d6a86fd294af843260
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_m68k.deb
      Size/MD5 checksum: 7016 fb75b5d4d20a3a9f497a154622071d12
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_m68k.deb
      Size/MD5 checksum: 156574 12a13ab0e1bd6aa4557d52e433ce0128

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_mips.deb
      Size/MD5 checksum: 167564 44823af863fa6eaea95bec78a78f3c48
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_mips.deb
      Size/MD5 checksum: 9566 722001dea6d4386afdcaa5503a2734f4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_mips.deb
      Size/MD5 checksum: 8274 8400f88e4c1ccf9d0a0fc1cdfd160818
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_mips.deb
      Size/MD5 checksum: 165456 e8f367d5b275641cac0dcdb78dd8b847

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_mipsel.deb
      Size/MD5 checksum: 168088 27fe81d3e0d259d0b2f9f1d0cb6b20c3
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_mipsel.deb
      Size/MD5 checksum: 9482 4d21b6c2528e39207b4e161ffc9f8bce
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_mipsel.deb
      Size/MD5 checksum: 8116 5465609ebc24647a0bb8cce0b855c04a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_mipsel.deb
      Size/MD5 checksum: 165596 9a1e6e006eccecd83d1531e22a5eb69c

PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_powerpc.deb
      Size/MD5 checksum: 166132 cda8b87f950b3711955c8e3124ee40e1
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_powerpc.deb
      Size/MD5 checksum: 9246 6823a85cd60349e4ba10e24884a173fd
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_powerpc.deb
      Size/MD5 checksum: 8072 b57e887073c448885cba21df750f7b3c
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_powerpc.deb
      Size/MD5 checksum: 171316 d343436d579fbb1a359e076b84480114

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_s390.deb
      Size/MD5 checksum: 153500 4e03bafc909b4461adead1162b7b2621
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_s390.deb
      Size/MD5 checksum: 7866 20eb416547214564d687c6e1b6dc0d81
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_s390.deb
      Size/MD5 checksum: 7564 bc0b59ddcb29b96cbbe839d881a419e2
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_s390.deb
      Size/MD5 checksum: 167510 59c3f71ee91508e678a66bf28c983f82

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_sparc.deb
      Size/MD5 checksum: 161136 aa671663e7343c7f7f8b47960b558f11
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_sparc.deb
      Size/MD5 checksum: 8270 2f7862d0a6f2f98b0d4c6e3e0b6929df
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_sparc.deb
      Size/MD5 checksum: 7502 97aac947b5168472b1ab4a6a0399d1c1
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_sparc.deb
      Size/MD5 checksum: 167184 9d79c42f3dcba5026069b15e742aafdd

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-8.1.dsc
      Size/MD5 checksum: 709 7a800a91469430a28ab1900ebb92ba83
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-8.1.diff.gz
      Size/MD5 checksum: 372331 20d149f93e8093e4dbb365e9278ce741
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0.orig.tar.gz
      Size/MD5 checksum: 519266 4db0503b5a62533db68b03908b981751

Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_alpha.deb
      Size/MD5 checksum: 185780 fbfdd560a6b3591165a757797198e931
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_alpha.deb
      Size/MD5 checksum: 10376 3b5273e0e21ee40c5d540a22ff91b99a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_alpha.deb
      Size/MD5 checksum: 8650 c5d672403f8038129d35022515e8a339
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_alpha.deb
      Size/MD5 checksum: 205704 22b1261a845cea95520acd68cf6e74ec

AMD64 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_amd64.deb
      Size/MD5 checksum: 155358 8653e4d9403ff7baeefbc7c955b83eb7
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_amd64.deb
      Size/MD5 checksum: 8474 ffad5870291f93584f70fa7645b54bdd
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_amd64.deb
      Size/MD5 checksum: 7942 d32005b5de994f10f15dfb91a6caf507
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_amd64.deb
      Size/MD5 checksum: 183366 6304fdc084b9e2ec433712b091e497c5

ARM architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_arm.deb
      Size/MD5 checksum: 153978 e13ef5dd0694f3d0cc5836d2fdbddec0
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_arm.deb
      Size/MD5 checksum: 8126 4ef59c62c86c0d567929d0e88fd4ebb9
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_arm.deb
      Size/MD5 checksum: 7076 ccc7721296431294a6a657ec5c4bf2a7
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_arm.deb
      Size/MD5 checksum: 171352 afe13217c5566e0ecf26950bc9b2f4b5

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_i386.deb
      Size/MD5 checksum: 150416 0f2d4af07ce624a4fa3af2e0964e91a3
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_i386.deb
      Size/MD5 checksum: 7860 4e0d60fa4cebefe5c434fbe2e5bf16e6
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_i386.deb
      Size/MD5 checksum: 7354 3b6d8fc4ebc1314a35c307dd51ec1e1f
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_i386.deb
      Size/MD5 checksum: 172140 0f6b383d15e21f02a9db0f3b58d31864

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_ia64.deb
      Size/MD5 checksum: 196584 25c9be6f81524a4641c8b7faf3f14b48
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_ia64.deb
      Size/MD5 checksum: 10860 a04397bc288e8abe6f8094ac5cdfc8a8
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_ia64.deb
      Size/MD5 checksum: 10544 97dec60626ea52e0ce3adf5df0619228
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_ia64.deb
      Size/MD5 checksum: 232546 973a9a9a079936e682fe352dfb2eae0a

HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_hppa.deb
      Size/MD5 checksum: 173056 0960b569e9cc3c6533e4a2394b56b18a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_hppa.deb
      Size/MD5 checksum: 9238 5699f6b933217187a165956a4adcf8c9
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_hppa.deb
      Size/MD5 checksum: 9070 e82facecfb3184345b797176110c8795
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_hppa.deb
      Size/MD5 checksum: 201596 df67a873b1f1781b5418479802780074

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_m68k.deb
      Size/MD5 checksum: 137808 855cd148e584d2a47e15b893bc771076
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_m68k.deb
      Size/MD5 checksum: 7114 1c2ffc6287c76e8b656ac4cc8cb45197
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_m68k.deb
      Size/MD5 checksum: 6822 b23f138f206443979bef0f0d16429e9f
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_m68k.deb
      Size/MD5 checksum: 168122 fec535c555ffcec871f015251bb5d392

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_mips.deb
      Size/MD5 checksum: 166212 c3648e5b7be69cb95dd162d1532a4064
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_mips.deb
      Size/MD5 checksum: 9512 c4b9a6a610d879af5986eabeb819bd44
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_mips.deb
      Size/MD5 checksum: 8084 af031e50f98a270977aac6d3f60c37aa
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_mips.deb
      Size/MD5 checksum: 178910 0538e2bfe12f9fcd0d9b391adc4ca403

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_mipsel.deb
      Size/MD5 checksum: 167032 2739863166ce8ccdd7a289e47ce94e8f
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_mipsel.deb
      Size/MD5 checksum: 9544 cdd63315a97c0ff14fa6982811d25ac4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_mipsel.deb
      Size/MD5 checksum: 8058 a7fee13884e082a5c0646c6723e757f4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_mipsel.deb
      Size/MD5 checksum: 180220 d15b93b2235a05eeba9ab2fdce88327e

PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_powerpc.deb
      Size/MD5 checksum: 163132 8562f340ba8cba0079fa6c36a5c3a384
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_powerpc.deb
      Size/MD5 checksum: 9170 cd1fe56377a4313d54bbce1622c5f10f
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_powerpc.deb
      Size/MD5 checksum: 9526 c9f4119ba2c4b9b2a00fd0b44b01358c
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_powerpc.deb
      Size/MD5 checksum: 192594 3adc981ada6481239fc3c61af7781da2

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_s390.deb
      Size/MD5 checksum: 164994 c92cd17bdead77f5ab59a314208d07ea
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_s390.deb
      Size/MD5 checksum: 8168 e4bce7d526b10a608e6238d0fb602131
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_s390.deb
      Size/MD5 checksum: 7802 551bdf573b50cff118ff68360a249630
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_s390.deb
      Size/MD5 checksum: 184668 d0917c0875e16ab54637f1ac1c299208

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_sparc.deb
      Size/MD5 checksum: 155602 8c2980db112716debc75371df0ae3e3a
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_sparc.deb
      Size/MD5 checksum: 8130 462d2e5c734a69f942dd73d67224f3d4
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_sparc.deb
      Size/MD5 checksum: 7304 4935a0b91d3056e28b8375d99a13181c
    http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_sparc.deb
      Size/MD5 checksum: 174592 93b600efa8160007aa687eb67b63b141

These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 915-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 2nd, 2005                      http://www.debian.org/security/faq


Package : helix-player
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-2629
BugTraq ID : 15381

An integer overflow has been discovered in helix-player, the Helix audio and video player. This flaw could allow a remote attacker to run arbitrary code on a victim's computer by supplying a specially crafted network resource.

This vulnerability is fixed by version 1.0.6-1 in unstable. Helix-player is not currently in the testing distribution.

The old stable distribution (woody) does not contain a helix-player package.

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-1sarge2.

For the unstable distribution (sid) these problems have been fixed in version 1.0.6-1.

We recommend that you upgrade your helix-player package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.dsc
      Size/MD5 checksum: 908 5abe49b8d746b78b1f70016382d44a35
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.diff.gz
      Size/MD5 checksum: 9113 b7103af4ca93cb52cd548a4f7da43c3b
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4.orig.tar.gz
      Size/MD5 checksum: 18044552 a277710be35426b317869503a4ad36d7

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_i386.deb
      Size/MD5 checksum: 4289142 afe49d505b51edefe6b66e92720e9a62

PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_powerpc.deb
      Size/MD5 checksum: 4415648 9a9ad7733abed7ffcd6c69ce366d576c

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-1116
2005-12-01

Product : Fedora Core 3
Name : perl
Version : 5.8.5
Release : 18.FC3
Summary : The Perl programming language.

Description :
Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts.

Install this package if you want to program in Perl or enable your system to handle Perl scripts.


Update Information:

Fixes security vulnerabilities:
CVE-2005-3962:
http://marc.theaimsgroup.com/?l=full-disclosure&m=113342788118630&w=2
CVE-2005-3912:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3912
CVE-2005-0452:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0452
CVE-2004-0976:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0976


  • Thu Dec 1 2005 Jason Vas Dias <jvdias@redhat.com> - 3:5.8.5-18.FC3
    • fix bug 174683 / CVE-2005-3962: sprintf integer overflow vulnerability backport upstream patch #26240
  • Wed Nov 9 2005 Jason Vas Dias <jvdias@redhat.com> - 3:5.8.5-17
    • fix bug 136009: restore MakeMaker support for LD_RUN_PATH, while removing empty LD_RUN_PATH
  • Tue Nov 8 2005 Jason Vas Dias <jvdias@redhat.com> - 3:5.8.5-17
    • fix CAN-2004-0976: insecure use of temporary files
  • Wed Nov 2 2005 Jason Vas Dias <jvdias@redhat.com> - 3:5.8.5-17
    • fix bug 164772: panic (crash) on invalid UTF-8 in Encode.xs
    • fix bug 172327 / upstream bug 37056: backport upstream patch 25084: prevent realloc recursion on nss get* ERANGE errno
  • Tue Nov 1 2005 Jason Vas Dias <jvdias@redhat.com> - 3:5.8.5-17
    • fix bug 170088: broken h2ph fixed with h2ph from 5.8.7
    • fix bug 171111 / upstream bug 37535: IOCPARM_LEN should be _IOC_SIZE
    • fix bug 172236: make h2ph pick up gcc built-in include directory
  • Tue Aug 2 2005 Petr Rockai <prockai@redhat.com> - 3:5.8.5-16
    • update filter-depends.sh to get rid of FCGI requires
  • Wed Jul 27 2005 Petr Rockai <prockai@redhat.com> - 3:5.8.5-15
    • remove incorrect Provides on FCGI and Mac::File, cf. BR148848

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

2ebe04eeb426388b213977c552e6a004 SRPMS/perl-5.8.5-18.FC3.src.rpm
bb9e5f6a8e05992e4c74e532841cf686 x86_64/perl-5.8.5-18.FC3.x86_64.rpm
2d70d5e1b85d8d6f0a11cd2ef4a6b3cd x86_64/perl-suidperl-5.8.5-18.FC3.x86_64.rpm
d4904e4d622040a34d905c7bfa4a0a03 x86_64/debug/perl-debuginfo-5.8.5-18.FC3.x86_64.rpm
946544c3a8d689c3521719a2205d1aea i386/perl-5.8.5-18.FC3.i386.rpm
0dd03d80622fdbac49b53a0b76a6cf45 i386/perl-suidperl-5.8.5-18.FC3.i386.rpm
aa479beda71d9c015e283b769e4465a7 i386/debug/perl-debuginfo-5.8.5-18.FC3.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
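The Debian advisories above say to fetch each file with wget and install it with dpkg -i, and every advisory on this page publishes a checksum for each file: a size and MD5 per file in the Debian lists, an MD5 per RPM in the Fedora Core list, and a SHA1 per RPM in the Fedora Legacy verification section that follows. The script below, added here as an example and not Debian's or Fedora's own tooling, checks downloaded files against those lines before anything is installed. It assumes POSIX sh with GNU coreutils (md5sum, sha1sum, wc); the example.invalid URL and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not Debian's or Fedora's own tooling): verify downloaded
# packages against the checksum lines published in an advisory before
# installing them by hand with dpkg -i or rpm -Fvh.
# Assumes POSIX sh plus GNU coreutils (md5sum, sha1sum, wc); the
# example.invalid URL and the sample files below are constructed.
#
# Two manifest layouts are understood, both copied verbatim from advisories:
#   Debian:  a URL line followed by "Size/MD5 checksum: SIZE MD5"
#   Fedora:  "<hex digest> relative/path/file.rpm" (32 hex = MD5, 40 hex = SHA1)

# check_one FILE ALGO WANT_DIGEST WANT_SIZE LABEL
# Prints one status line and returns 0 only when FILE exists, has WANT_SIZE
# bytes (when a size is given) and hashes to WANT_DIGEST with ALGO.
check_one() {
    f=$1; algo=$2; want=$3; want_size=$4; label=$5
    if [ ! -f "$f" ]; then
        echo "MISSING  $label"; return 1
    fi
    if [ -n "$want_size" ] && [ "$(wc -c < "$f" | tr -d ' ')" != "$want_size" ]; then
        echo "BADSIZE  $label"; return 1
    fi
    got=$("${algo}sum" "$f" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "BADSUM   $label"; return 1
    fi
    echo "OK       $label"
}

# verify_manifest MANIFEST DIR
# Walks MANIFEST line by line; files are looked up by basename in DIR.
# Returns 0 when every listed file verifies, 1 if any is missing or differs.
verify_manifest() {
    manifest=$1; dir=$2; status=0; name=""
    while read -r a b c; do
        case "$a" in
            http://*|https://*|ftp://*)
                name=${a##*/}; continue ;;          # remember the file name
            Size/MD5)
                # "Size/MD5 checksum: SIZE MD5" -> c holds "SIZE MD5"
                target=$name; algo=md5
                want_size=${c%% *}; want=${c##* } ;;
            *)
                # Fedora style: first word must be all hex of length 32 or 40
                case "$a" in ''|*[!0-9a-f]*) continue ;; esac
                case ${#a} in 32) algo=md5 ;; 40) algo=sha1 ;; *) continue ;; esac
                target=${b##*/}; want=$a; want_size="" ;;
        esac
        check_one "$dir/$target" "$algo" "$want" "$want_size" "$target" || status=1
    done < "$manifest"
    return $status
}

# Constructed demo: a 6-byte sample file whose real MD5 and SHA1 are known,
# listed correctly (Debian and Fedora style) and once with a wrong size,
# so both outcomes show. Returns 1 on purpose because of the bad entry.
demo_constructed_sample() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/sample_1.0-1_i386.deb"
    cat > "$d/manifest.txt" <<'EOF'
    http://example.invalid/pool/updates/main/s/sample/sample_1.0-1_i386.deb
      Size/MD5 checksum: 6 b1946ac92492d2347c6235b4d2611184
f572d396fae9206628714fb2ce00f72e94f2258f fedora/1/updates/i386/sample_1.0-1_i386.deb
    http://example.invalid/pool/updates/main/s/sample/sample_1.0-1_i386.deb
      Size/MD5 checksum: 7 b1946ac92492d2347c6235b4d2611184
EOF
    verify_manifest "$d/manifest.txt" "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    demo_constructed_sample
fi
```

Paste the advisory's file list into a manifest, download everything into one directory, run `verify_manifest manifest.txt ./downloads`, and install only on exit status 0. Running the script with the argument `demo` exercises it on the constructed sample; that run exits non-zero by design because the last entry carries a wrong size. A matching checksum only proves that the download is the file the advisory lists, so the advisory text itself must come from a trusted source, such as the signed mail on the debian-security-announce list named in the footer rather than an unauthenticated web copy.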


Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated php packages fix security issues
Advisory ID: FLSA:166943
Issue date: 2005-12-02
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2498 CVE-2005-3390 CVE-2005-3389 CVE-2005-3388 CVE-2005-3353



1. Topic:

Updated PHP packages that fix multiple security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

[Updated 2nd December 2005]
Red Hat Linux 9 packages have been updated to add missing security patches.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2005-2498 to this issue.

A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), register_globals may become enabled even though it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)

A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)

A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.17.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.17.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


8bdf500386f11c6484c04361095061cce6c5c5f8 redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
592c870e99523279267a0daea98c7dc08b09e5ca redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
9f84a76296d88673ba8354f416a6ee75b86afb3f redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
8c4b7136f2cac5f8eea394db819e0f67a973e4ff redhat/7.3/updates/i386/php-ldap