Debian GNU/Linux
Debian Security Advisory DSA 1048-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
May 1st, 2006 http://www.debian.org/security/faq
Package : asterisk
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2005-3559 CVE-2006-1827
BugTraq ID : 15336
Debian Bug : 338116
Several problems have been discovered in Asterisk, an Open
Source Private Branch Exchange (telephone control center). The
Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2005-3559
Adam Pointon discovered that due to missing input sanitising it
is possible to retrieve recorded phone messages for a different
extension.
CVE-2006-1827
Emmanouel Kellinis discovered an integer signedness error that
could trigger a buffer overflow and hence allow the execution of
arbitrary code.
For the old stable distribution (woody) this problem has been
fixed in version 0.1.11-3woody1.
For the stable distribution (sarge) this problem has been fixed
in version 1.0.7.dfsg.1-2sarge2.
For the unstable distribution (sid) this problem has been fixed
in version 1.2.7.1.dfsg-1.
We recommend that you upgrade your asterisk package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1.dsc
Size/MD5 checksum: 664
373ab7aabc288579558c4f89f5afa6c9
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1.diff.gz
Size/MD5 checksum: 7105
0147328df3620d3a2cd4604817518c6f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11.orig.tar.gz
Size/MD5 checksum: 1094520
799022997d32f9f63ee47db4f3069cc7
Alpha architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_alpha.deb
Size/MD5 checksum: 1102026
614622fa8f8c1d528834c62b066e9502
ARM architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_arm.deb
Size/MD5 checksum: 1007528
7a764a742b9563ca733ac9d593b9f2ba
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_i386.deb
Size/MD5 checksum: 966436
aca1c73b82bab36013ec4facae76c62f
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_ia64.deb
Size/MD5 checksum: 1221462
b61d30160a3ee4192a1e1bca0cfced47
HP Precision architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_hppa.deb
Size/MD5 checksum: 1097966
82456597bb249cf1a0e92e7321537dd9
Motorola 680×0 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_m68k.deb
Size/MD5 checksum: 967110
7e991ae768bdffb90338001e4384e27a
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_mipsel.deb
Size/MD5 checksum: 988628
252c7fcd9903a4c8e99842619a2e3bed
PowerPC architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_powerpc.deb
Size/MD5 checksum: 1018210
6bcdbe5da063b50f7900f46d2f679c1c
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_s390.deb
Size/MD5 checksum: 993864
eb1e66f13d2615a90b167ffbb68e1501
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_0.1.11-3woody1_sparc.deb
Size/MD5 checksum: 1073510
5cd2731fbb6afb3b8a3c4cc3e5c887df
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2.dsc
Size/MD5 checksum: 1261
e99dfbd0308ea3f26a29ce17fe30d755
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2.diff.gz
Size/MD5 checksum: 69531
8d64de4a35a37614e37770e49229cc8e
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
Size/MD5 checksum: 2929488
0d0f718ccd7a06ab998c3f637df294c0
Architecture independent components:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge2_all.deb
Size/MD5 checksum: 61454
756d8457fec2dfc73e93d4885ad99632
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge2_all.deb
Size/MD5 checksum: 83242
aede47f1e3cb5fb4b092ec106f155503
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge2_all.deb
Size/MD5 checksum: 1577520
52edf9d30e42e5f43edb417a48279bc4
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge2_all.deb
Size/MD5 checksum: 1179972
ba1498fb09ce854e91c363697e5f56c5
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge2_all.deb
Size/MD5 checksum: 28236
29cee78488bd0292e469b02f557f325a
Alpha architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_alpha.deb
Size/MD5 checksum: 1477470
4b27fd45bf591a45c1df219e7427fb3f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_alpha.deb
Size/MD5 checksum: 31268
fbd1f14dbece0fa6c35020d28cf5fc19
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_alpha.deb
Size/MD5 checksum: 21294
b2c38dc8fab098ba42b9a2b9df53365a
AMD64 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_amd64.deb
Size/MD5 checksum: 1333126
97cf9b0f02ca85a0f3988a419d74d101
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_amd64.deb
Size/MD5 checksum: 30694
3da16a12852ccde9c25fd06d20ddf165
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_amd64.deb
Size/MD5 checksum: 21298
7fdce0bf81003472019fc238c97039a6
ARM architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_arm.deb
Size/MD5 checksum: 1262564
a662f0c5b745b84c77821529a5b95c74
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_arm.deb
Size/MD5 checksum: 29408
4b2371af11e31fe17f3b1ce428009c71
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_arm.deb
Size/MD5 checksum: 21294
5695bb2ba51ba159f75186ead3aeadd8
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_i386.deb
Size/MD5 checksum: 1175100
057c97258c30084249ed87a8e67e34fe
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_i386.deb
Size/MD5 checksum: 29722
21b28111a92b3054727af9cdf7ca40db
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_i386.deb
Size/MD5 checksum: 21292
7ae9ba55b0ab039f3a0183aa4805af7c
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_ia64.deb
Size/MD5 checksum: 1771018
9a595b393cb2e6f68f27d964e3f7a11a
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_ia64.deb
Size/MD5 checksum: 32826
6922be80b649d6ad44081f6bccc512c9
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_ia64.deb
Size/MD5 checksum: 21292
bdcf965b876781e1b6aa3b185e9443f6
HP Precision architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_hppa.deb
Size/MD5 checksum: 1447646
38bce42679887ab40a5ac4a8e7f725d2
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_hppa.deb
Size/MD5 checksum: 31338
447483805146ef8cf996cb3b8c3931a0
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_hppa.deb
Size/MD5 checksum: 21296
7224f123df44bb817ac4f4fe8e4fc96d
Motorola 680×0 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_m68k.deb
Size/MD5 checksum: 1184568
b6814c31545c9dfa4aea857f7e527929
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_m68k.deb
Size/MD5 checksum: 30084
f66438755ea42f48a45e1bcb977d4ed8
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_m68k.deb
Size/MD5 checksum: 21302
a29dc084d1a5a3cc9547f610d5f07ace
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_mips.deb
Size/MD5 checksum: 1263690
bcda258393f2672dd2dce565dd71e9d7
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_mips.deb
Size/MD5 checksum: 29292
a0fc61357a8949cd49e52535f89280e6
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_mips.deb
Size/MD5 checksum: 21296
b38df181f2f9689c8e71ead3cdf17af8
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_mipsel.deb
Size/MD5 checksum: 1270114
cfcfdb5ba55a4c15c2f51cd9af0ff914
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_mipsel.deb
Size/MD5 checksum: 29228
e0323dccf28dcb718a1b5c4c8ae1e9b7
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_mipsel.deb
Size/MD5 checksum: 21294
a4f3b1157e61cc14f5c3820d5b38348e
PowerPC architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_powerpc.deb
Size/MD5 checksum: 1421934
d29f00ef7f63141125a9d55dd8f03680
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_powerpc.deb
Size/MD5 checksum: 31028
ae3955beb5caff9ecba95a71f1511d6f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_powerpc.deb
Size/MD5 checksum: 21298
0e03c0122050501ca3869a442cc43cc3
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_s390.deb
Size/MD5 checksum: 1312360
1ce88997009285a2934c29f6109f3c58
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_s390.deb
Size/MD5 checksum: 30714
69eac145cbdfe8764b11b0c25de86f71
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_s390.deb
Size/MD5 checksum: 21296
778dd4c365e79f059af8a70f4a3e8af8
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge2_sparc.deb
Size/MD5 checksum: 1274034
812e80e52c2d0d0e2d0e6b9e735034dd
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge2_sparc.deb
Size/MD5 checksum: 29678
08e85cff017d51beb8834333090fb2f6
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge2_sparc.deb
Size/MD5 checksum: 21296
eab26f52aae41a639dc7221605f5e023
These files will probably be moved into the stable distribution
on its next update.
For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200605-01
Severity: Normal
Title: MPlayer: Heap-based buffer overflow
Date: May 01, 2006
Bugs: #127969
ID: 200605-01
Synopsis
MPlayer contains multiple integer overflows that may lead to a
heap-based buffer overflow.
Background
MPlayer is a media player that supports many multimedia file
types.
Affected packages
Package / Vulnerable / Unaffected
1 media-video/mplayer < 1.0.20060415 >= 1.0.20060415 2 media-video/mplayer-bin < 1.0.20060415 >= 1.0.20060415 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures.
Description
Xfocus Team discovered multiple integer overflows that may lead
to a heap-based buffer overflow.
Impact
An attacker could entice a user to play a specially crafted
multimedia file, potentially resulting in the execution of
arbitrary code with the privileges of the user running the
application.
Workaround
There is no known workaround at this time.
Resolution
All MPlayer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060415"
All MPlayer binary users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-bin-1.0.20060415"
References
[ 1 ] CVE-2006-1502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1502
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200605-01.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.