ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-525-1] libsndfile vulnerability (Kees Cook)
2. [USN-526-1] debian-goodies vulnerability (Kees Cook)
----------------------------------------------------------------------
Message: 1
Date: Thu, 4 Oct 2007 17:17:31 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-525-1] libsndfile vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20071005001731.GP10703@outflux.net>
Content-Type: text/plain; charset="us-ascii"
===========================================================
Ubuntu Security Notice USN-525-1 October 04, 2007
libsndfile vulnerability
CVE-2007-4974
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libsndfile1 1.0.12-3ubuntu1
Ubuntu 6.10:
libsndfile1 1.0.16-1ubuntu0.6.10.1
Ubuntu 7.04:
libsndfile1 1.0.16-1ubuntu0.7.04.1
After a standard system upgrade you need to restart your session to affect
the necessary changes.
Details follow:
Robert Buchholz discovered that libsndfile did not correctly validate the
size of its memory buffers. If a user were tricked into playing a specially
crafted FLAC file, a remote attacker could execute arbitrary code with user
privileges.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.12-3ubuntu1.diff.gz
Size/MD5: 5335 a232e010747ae75f87432f426aaac11f
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.12-3ubuntu1.dsc
Size/MD5: 639 921596b90ab0e2afb1836c7e3c292f73
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.12.orig.tar.gz
Size/MD5: 798471 03718b7b225b298f41c19620b8906108
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 308020 d1274d3dbeae2e96f3a64b4395051bb6
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile1_1.0.12-3ubuntu1_amd64.deb
Size/MD5: 179202 42f4102ac6cef2c1d4905383f646c2bf
Size/MD5: 63764 9b35c766d93f8e00590faa6b7d5351e8
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile1-dev_1.0.12-3ubuntu1_i386.deb
Size/MD5: 300158 e801ce100a759b4481bd9b81501d4321
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile1_1.0.12-3ubuntu1_i386.deb
Size/MD5: 182324 3ff53ef6c00e306f05e367d316fc303a
Size/MD5: 63674 ea1f9f762ffbd80df2337fb9dc08e5d1
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 331752 99e5090a989a123445f2d6f194c36a25
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile1_1.0.12-3ubuntu1_powerpc.deb
Size/MD5: 195800 316b04008ac17a3e13be591cf102a659
Size/MD5: 69338 72f0b032595ce60b82b9f8924cfd9cc5
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 323540 9d082dcc95f2c43378314df01d301f1f
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile1_1.0.12-3ubuntu1_sparc.deb
Size/MD5: 197678 028e918bd6fb91e953090709974dee3a
Size/MD5: 64136 e1b0c464a3176e39a03c9645d6c4a6b9
Updated packages for Ubuntu 6.10:
Source archives:
Size/MD5: 5525 4a42e83ea97c510607085d6d393addf8
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.16-1ubuntu0.6.10.1.dsc
Size/MD5: 667 9f622edbc2aad7470161a288dcaf8ffa
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz
Size/MD5: 857117 773b6639672d39b6342030c7fd1e9719
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 321862 bcf08d7a023e522640f547f8b4519951
Size/MD5: 188260 eacc338dbf6c34d9cd4fac61b946c4bd
Size/MD5: 70778 2d616afb614861f00a6fafcc2eab2fb3
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 314374 91362ac43fb0937b564d1b5fa3242050
Size/MD5: 196146 33714e82c14ce17e628a0f2a50b7c0bc
Size/MD5: 70834 fa2eb1049320c90728ada95e5277803b
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 347156 3301ea8ab145c62df52723d5da21d4aa
Size/MD5: 208348 d274b82183319d13474a12a367bd3bfd
Size/MD5: 76186 a4ef0848989d954b40c06f0acd17c59c
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 335470 1ba9545348975046ebd333d8f33dcbe2
Size/MD5: 208484 867aaf6cf98f6be0cfdf4b4d17ab5f01
Size/MD5: 70904 55425663359b4aa24fcd913b2573f2e2
Updated packages for Ubuntu 7.04:
Source archives:
Size/MD5: 5658 06937165d9e19c82085e1ade9847b243
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.16-1ubuntu0.7.04.1.dsc
Size/MD5: 751 5f87e71d5f7101fb7e399dc43c3d60cf
http://security.ubuntu.com/ubuntu/pool/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz
Size/MD5: 857117 773b6639672d39b6342030c7fd1e9719
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 322110 c271f688da6781c0fd298262f9f7f915
Size/MD5: 188558 e92db334b4d9c1fd72b2fe00e54612e6
Size/MD5: 71060 2b363b833ea55410ee2732a413137b5f
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 314416 41c5020153269c90802136f7129e7bdd
Size/MD5: 196452 724a2058aaa745a01ecd11b970d84a45
Size/MD5: 71008 49f10761a1cccaf4ce08508ff22601f4
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 347362 3be7ff70688b3da0b99fa779f1321a19
Size/MD5: 210224 3bcc466c8cb926a5595846581b0d6f49
Size/MD5: 79066 51fbd324f3e3fa3281677408414c6251
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 335432 00f8abc6db36fcf84b74d85f5163fbd5
Size/MD5: 208866 b24b1a613ae28805071e6ab3d1912732
Size/MD5: 71638 85be6e0c7d7e141982053f5d680a76c8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20071004/cc94049a/attachment-0001.pgp
------------------------------
Message: 2
Date: Thu, 4 Oct 2007 17:18:15 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-526-1] debian-goodies vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20071005001815.GQ10703@outflux.net>
Content-Type: text/plain; charset="us-ascii"
===========================================================
Ubuntu Security Notice USN-526-1 October 04, 2007
debian-goodies vulnerability
CVE-2007-3912
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
debian-goodies 0.23ubuntu0.6.06.1
Ubuntu 6.10:
debian-goodies 0.23ubuntu0.6.10.1
Ubuntu 7.04:
debian-goodies 0.27ubuntu0.1
In general, a standard system upgrade is sufficient to affect the
necessary changes.
Details follow:
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/debian-goodies/debian-goodies_0.23ubuntu0.6.06.1.dsc
Size/MD5: 541 bf3ec3bbbb718a4bdbc33c9377391207
Size/MD5: 11792 81c701f4b438547941fc3e197fb84e0d
Architecture independent packages:
Size/MD5: 22430 30e986cc78aa15144858ec2c6f9539bf
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/debian-goodies/debian-goodies_0.23ubuntu0.6.10.1.dsc
Size/MD5: 541 76c493e084ce3ac73a5cf4c5aae9b8cc
Size/MD5: 11786 110c79f2b89ca619fe984b24782b0aa6
Architecture independent packages:
Size/MD5: 22406 9ad478564241816893d229ab92ae3c00
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/debian-goodies/debian-goodies_0.27ubuntu0.1.dsc
Size/MD5: 634 b918441edd5ef83334adc790bddf89bd
http://security.ubuntu.com/ubuntu/pool/main/d/debian-goodies/debian-goodies_0.27ubuntu0.1.tar.gz
Size/MD5: 29044 586174400e41386bb78d4764fdad755a
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/d/debian-goodies/debian-goodies_0.27ubuntu0.1_all.deb
Size/MD5: 36804 548f700ef0b6c09dc8daaed38f0ab367
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20071004/e38e000c/attachment-0001.pgp
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 37, Issue 3
*******************************************************
No comments:
Post a Comment