---

Debian GNU/Linux Advisories: gnome-gv, pam


- --------------------------------------------------------------------------
Debian Security Advisory DSA 179-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 18th, 2002                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnome-gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-0838
BugTraq ID     : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  The same code is present in gnome-gv.  This problem
is triggered by scanning the PostScript file and can be exploited by
an attacker sending a malformed PostScript or PDF file.  The attacker
is able to cause arbitrary code to be run with the privileges of the
victim.

This problem has been fixed in version 1.1.96-3.1 for the current
stable distribution (woody), in version 0.82-2.1 for the old stable
distribution (potato) and version 1.99.7-9 for the unstable
distribution (sid).

We recommend that you upgrade your gnome-gv package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1.dsc
      Size/MD5 checksum:      807 82140169547f88c38b9965be1bc9a69c
    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1.diff.gz
      Size/MD5 checksum:     8494 103905f14d882282d0e976a29111bbb2
    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82.orig.tar.gz
      Size/MD5 checksum:   369538 c4542420f0f7aeafea6764718b398341

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_alpha.deb
      Size/MD5 checksum:   145076 05ebc47d64924740b4a6efced375ed00

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_arm.deb
      Size/MD5 checksum:   131928 44f502cc48717739484999b677b23e52

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_i386.deb
      Size/MD5 checksum:   131118 7d2712b05b78e757568efabee83c9bc0

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_m68k.deb
      Size/MD5 checksum:   126710 38225171738cca0d10b9c1f91313ad0d

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_powerpc.deb
      Size/MD5 checksum:   132002 b3208e369afc8754480f80f6aa2b11c5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_sparc.deb
      Size/MD5 checksum:   136274 156b99fa91b627e91f5e2c3dde50ffc7


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1.dsc
      Size/MD5 checksum:      831 4f3c53098ca78e9532f62778f0cf3b0a
    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1.diff.gz
      Size/MD5 checksum:    23903 b33d66f44f186f88829a0537da99d549
    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96.orig.tar.gz
      Size/MD5 checksum:   742271 5d80db150adb4bfc5398d8a90ee2f9dd

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_alpha.deb
      Size/MD5 checksum:   340232 87adcdb4e9ef30d25b95734555f3c134

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_arm.deb
      Size/MD5 checksum:   325244 4a5e426144987c2ab8372976ef65c34e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_i386.deb
      Size/MD5 checksum:   320834 73fc7baeba28750356b628eac22e7ec7

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_ia64.deb
      Size/MD5 checksum:   380740 e814ebf7089f0717e8d86912ed38cf4b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_hppa.deb
      Size/MD5 checksum:   345956 f9bfa25c891ea680d15e2c68498ba7cc

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_m68k.deb
      Size/MD5 checksum:   314324 dfee84b168b5acc1f2ae7239f7d07f28

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_mips.deb
      Size/MD5 checksum:   316934 fc8f5c0c4c71b69acce97f7666187f27

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_mipsel.deb
      Size/MD5 checksum:   315270 4d65c8f3619a14e4f0e8df6e8a3c897b

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_powerpc.deb
      Size/MD5 checksum:   322280 4cf75a0c3f3ba1cc625ee6a13009f43a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_s390.deb
      Size/MD5 checksum:   321032 60c0866b15e838f97fcdb11380d94aea

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_sparc.deb
      Size/MD5 checksum:   342248 52513f97ca364ed7978f8050a19c4ef2


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>;




- --------------------------------------------------------------------------
Debian Security Advisory DSA 177-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 17th, 2002                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : pam
Vulnerability  : serious security violation
Problem-Type   : remote 
Debian-specific: no
Distributions  : unstable only

Paul Aurich and Samuele Giovanni Tonon discovered a serious security
violation in PAM.  Disabled passwords (i.e. those with '*' in the
password file) were classified as empty password and access to such
accounts is granted through the regular login procedure (getty,
telnet, ssh).  This works for all such accounts whose shell field in
the password file does not refer to /bin/false.  Only version 0.76 of
PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable
distribution (sid).  The stable distribution (woody), the old stable
distribution (potato) and the testing distribution (sarge) are not
affected by this problem.

As stated in the Debian security team FAQ (see URL in header), testing
and unstable are rapidly moving targets and the security team does not
have the resources needed to properly support those.  This security
advisory is an exception to that rule, due to the seriousness of the
problem.

We recommend that you upgrade your PAM packages immediately if you are
running Debian/unstable.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages


Debian GNU/Linux unstable alias sid
- -----------------------------------

  Source archives:

    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
      Size/MD5 checksum:      732 c7661ad0dcbc7df4ca967e58e93edd2e
    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
      Size/MD5 checksum:    87185 39d8f45620b6750b34ad9128814328e7
    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
      Size/MD5 checksum:   424671 22dd4019934cbd71bc67f13a5c2e10ec

  Architecture independent components:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
      Size/MD5 checksum:   651724 b3fc72ee81ac4e4413c696ec42fa4ef3
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
      Size/MD5 checksum:    51922 28398b55b183e122984c4bf1a64183a9

  Alpha architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
      Size/MD5 checksum:    53808 462dcd1a02dd799b761a05687cf08699
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
      Size/MD5 checksum:   179588 e2719b40c82af6891471c7182d8008f7
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
      Size/MD5 checksum:    74146 727185b2d9c55a084105e2e4c43afcd0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
      Size/MD5 checksum:   116148 970c63cf78a3b7311e122069225caa06

  ARM architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
      Size/MD5 checksum:    52268 c8f6709b9b92cac992168bfa957762cd
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
      Size/MD5 checksum:   153494 12a21eb18e0cb8fb3043c23a78b410a8
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
      Size/MD5 checksum:    67952 bf8953d4d7227a5f8c837921da2745c4
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
      Size/MD5 checksum:   110738 10ecfcb5e44bb5af98deb4f5b27c16cb

  Intel IA-32 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
      Size/MD5 checksum:    52116 f91a3a10c47a08aae349bd16d161a644
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
      Size/MD5 checksum:   146290 88216fe253c9e5042e8a6902bc807153
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
      Size/MD5 checksum:    67504 a02c56dfa8949cf9abc071fc3b75ade1
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
      Size/MD5 checksum:   107490 366d7a40aecdc674920c76f8c71684b3

  Intel IA-64 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
      Size/MD5 checksum:    56320 a52fc9867c6af83788e5d999fb3c5289
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
      Size/MD5 checksum:   204086 1b85b7156e03bef224c783e45c4f8f36
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
      Size/MD5 checksum:    81374 76d3f1c7665854f137457f7d0e75d995
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
      Size/MD5 checksum:   118930 31ff873794cfaf4da938340fbf87c275

  HP Precision architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
      Size/MD5 checksum:    53646 10dce03fd0f16e7bb25cc7263b679cd2
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
      Size/MD5 checksum:   171266 23439afca3810b039e65e3ff5a626336
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
      Size/MD5 checksum:    72066 166e7a5b1f72b0585b1d1fa06d5ac4f0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
      Size/MD5 checksum:   113166 bb97068c08d1e98c37a439ff044dfe0c

  Motorola 680x0 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
      Size/MD5 checksum:    51886 aa1a506bbabef00284d5761e891edd3d
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
      Size/MD5 checksum:   151202 6064da7ddbc9ecf958e52e586b4d5fe0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
      Size/MD5 checksum:    67578 3586a306ffe39e0b57b6ebd37196fbc7
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
      Size/MD5 checksum:   106684 db2c282058e7b2d78cb41bd7ab1bc082

  Big endian MIPS architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
      Size/MD5 checksum:    52336 5f20d3e21ab9d2948fc74598f70a77b8
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
      Size/MD5 checksum:   149874 4ab69f9fdb67245b2c90a192f94c4f09
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
      Size/MD5 checksum:    68280 487a9bd02b5ba9c8b3342bcebba95658
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
      Size/MD5 checksum:   111840 3bd2014016f6325e7853566d91ec91e4

  Little endian MIPS architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
      Size/MD5 checksum:    52318 2ebabb4258a9901b601829594fae3e86
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
      Size/MD5 checksum:   149786 a8fa2ea4ba3a4ebd00ff3ea83048972f
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
      Size/MD5 checksum:    68284 0afe5c5e849c06a4802b05c7e9fd75a0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
      Size/MD5 checksum:   111834 b7d8dab220f32c55406d7fd0175875f8

  PowerPC architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
      Size/MD5 checksum:    52722 9122f2b7af39021cedaabcf8899b7c43
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
      Size/MD5 checksum:   157134 350a445962f3835ee8eee72aaaa7aa1c
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
      Size/MD5 checksum:    69758 08a704d5ccd0c04505e4570d9ca8f6db
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
      Size/MD5 checksum:   109960 0a20b7da4c63d9bb40399fcc44259443

  IBM S/390 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
      Size/MD5 checksum:    52750 4b4431e696cf93b3a31dccda1fad4244
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
      Size/MD5 checksum:   153186 c42535c78b2413ad0cd81ea4bbb3c727
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
      Size/MD5 checksum:    68050 99382780227c0e7b109f2a11292777ba
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
      Size/MD5 checksum:   108796 32ba2eb69e35e8c9b59ef673a588307c

  Sun Sparc architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
      Size/MD5 checksum:    53024 ea53bf69a07f62eea1df690fb650529f
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
      Size/MD5 checksum:   164550 2577423bb422423f6d7fd37547303bae
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
      Size/MD5 checksum:    68536 a66479182486669059de5e3c36145162
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb
      Size/MD5 checksum:   110406 28d8bf606249b607d6b604a32698c821

- ---------------------------------------------------------------------------------
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>;

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis