-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 919-2 security@xxxxxxxxxx http://www.debian.org/security/ Martin Schulze Marth 10th, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : curl Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2005-4077 BugTraq ID : 15756 Debian Bugs : 342339 342696 The upstream developer of curl, a multi-protocol file transfer library, informed us that the former correction to several off-by-one errors are not sufficient. For completeness please find the original bug description below: Stefan Esser discovered several off-by-one errors that allows local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs. For the old stable distribution (woody) these problems have been fixed in version 7.9.5-1woody2. For the stable distribution (sarge) these problems have been fixed in version 7.13.2-2sarge5. For the unstable distribution (sid) these problems have been fixed in version 7.15.1-1. We recommend that you upgrade your libcurl packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2.dsc Size/MD5 checksum: 603 62a08f0dff0d09e2cfb773c04ec9cb39 http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2.diff.gz Size/MD5 checksum: 16679 4f4699069b8b03a75561c00ae346266c http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5.orig.tar.gz Size/MD5 checksum: 682397 a4df6bb5aa8962c204e73c8f98077928 Alpha architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_alpha.deb Size/MD5 checksum: 118546 80578b5149b1f85908250d189ffe4fc1 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_alpha.deb Size/MD5 checksum: 195952 762e8471239a92b0c45b44e0379877f4 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_alpha.deb Size/MD5 checksum: 116624 fe65a65b7ec0529ee5778f703f45de3d ARM architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_arm.deb Size/MD5 checksum: 114494 568f2949df218f0bdc77315eca6bcdc9 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_arm.deb Size/MD5 checksum: 172996 7d0e29244038b8587dc4f393b800a19e http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_arm.deb Size/MD5 checksum: 101892 36ded7c5e5844d79bb53b64b0a1e70c6 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_i386.deb Size/MD5 checksum: 113024 0a4bea4409c4b15554af6d063deff9e6 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_i386.deb Size/MD5 checksum: 163738 c91953e3083d813d51bc7d28c21cbb26 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_i386.deb Size/MD5 checksum: 100544 860e88b6f23f13beb96d1adb7e23ccc3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_ia64.deb Size/MD5 checksum: 122108 feb536a863d0d317a7fa2ddd05c91ccd http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_ia64.deb Size/MD5 checksum: 210346 d371446a9efe8b55b22a891599ca0e34 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_ia64.deb Size/MD5 checksum: 139470 6b282c866dc3d439b54565a85672f73e HP Precision architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_hppa.deb Size/MD5 checksum: 116474 6def03bfd72095d967e130947160e149 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_hppa.deb Size/MD5 checksum: 186410 8a92f7a10893e0e870c3de0008fdb7fb http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_hppa.deb Size/MD5 checksum: 113016 a1c4e05ee3a19ceb7c501e7a15c79472 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_m68k.deb Size/MD5 checksum: 112814 fe14e982348adcd471dac277c64318d7 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_m68k.deb Size/MD5 checksum: 159174 101573ffa60ada3919244812c3e549a4 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_m68k.deb Size/MD5 checksum: 97210 a679640f9f2a15ebc4cf7ecaab294b17 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_mips.deb Size/MD5 checksum: 115508 e64d4b2a5f2ca190b5c6d2c35c612875 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mips.deb Size/MD5 checksum: 183998 fe09a440ee83320deb8c87e145d5dd1c http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_mips.deb Size/MD5 checksum: 105278 0a986bde9d964600488d46f86cc13796 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_mipsel.deb Size/MD5 checksum: 115536 0a953c3fb64b1c2a717bbbedc4590930 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mipsel.deb Size/MD5 checksum: 183894 28c9494b916c4f5930fb36a24a9cb15d http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_mipsel.deb Size/MD5 checksum: 105362 fa9855c9c542dfe80279debbd5c8fe58 PowerPC architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_powerpc.deb Size/MD5 checksum: 115104 fdd19cc3dc041b832f1400b3095e3272 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_powerpc.deb Size/MD5 checksum: 181524 ec2f58f83023187dacb2dc28732db05f http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_powerpc.deb Size/MD5 checksum: 106436 b64010ddab81b1658992b226a644b7b8 IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_s390.deb Size/MD5 checksum: 114424 a5651846cf7bbda1fe3bc7a7da2283e2 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_s390.deb Size/MD5 checksum: 167550 dabb8ea718530f9dbdd8858619c53157 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_s390.deb Size/MD5 checksum: 104400 81aa237a8b00e4e418d5a0a85d35e32b Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_sparc.deb Size/MD5 checksum: 114254 9df1a25a6dccea83b7a6cc7868c37247 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_sparc.deb Size/MD5 checksum: 173320 948d75e0202f6fda494d6fae9d122940 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_sparc.deb Size/MD5 checksum: 107996 2d5dade7d687ac5391bdca26016dd28e Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5.dsc Size/MD5 checksum: 810 5189493504485c0048f38809d1f71eb2 http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5.diff.gz Size/MD5 checksum: 172234 344704b789a63e17795dd47475af6519 http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2.orig.tar.gz Size/MD5 checksum: 2201086 b3bd4a303f35f9a2a3ed3671cedf8329 Alpha architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_alpha.deb Size/MD5 checksum: 150912 bb6f21223e11353d7d1b373e3d832395 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_alpha.deb Size/MD5 checksum: 251302 5a594c2e2b9e0e5697ae933cc9710ff2 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_alpha.deb Size/MD5 checksum: 1010904 9c1ae1862d7dbf45310c42ad1fb7bf29 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_alpha.deb Size/MD5 checksum: 1279442 0effd00cd0ec6d923e9694ceb7b8347b http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_alpha.deb Size/MD5 checksum: 132196 e09c305798f2ef2d5232fefc1138743b AMD64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_amd64.deb Size/MD5 checksum: 148046 72b46b62bb3f3d461b4d6a5734098b9b http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_amd64.deb Size/MD5 checksum: 239294 121956fb9aae3348fa9a493cdea79740 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_amd64.deb Size/MD5 checksum: 1004132 0f8d808b09bd0ab935beb218a7e53630 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_amd64.deb Size/MD5 checksum: 1238024 a447b1dd774b1f4e07b4fc5fefccef5d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_amd64.deb Size/MD5 checksum: 119350 fa2554b51b070c1d6fd2d3f76f5038d5 ARM architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_arm.deb Size/MD5 checksum: 147080 7b4cfc50771d62e0a76ccb6209fe449a http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_arm.deb Size/MD5 checksum: 232270 e81f1ce1b439ce7778abdf60248f9a21 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_arm.deb Size/MD5 checksum: 1006548 eb5d3cd6e480e053c835bc4a0e94e45c http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_arm.deb Size/MD5 checksum: 1236336 9552fc31cae7b84855459502c0f9185f http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_arm.deb Size/MD5 checksum: 112884 9c790872f1108c9de8ad03581515cd3b Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_i386.deb Size/MD5 checksum: 147610 950f7978ba6ee3b60416e9056438c6e0 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_i386.deb Size/MD5 checksum: 237898 46d8c98384d1d545d3e4d58d26d0a94b http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_i386.deb Size/MD5 checksum: 1003424 fe85527c93e5859685e72cd28ecaa15f http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_i386.deb Size/MD5 checksum: 1232116 2756464635b53395cbfda1ead83bfb62 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_i386.deb Size/MD5 checksum: 118554 a977c4931ccbd0d7ab855d4463edabbc Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_ia64.deb Size/MD5 checksum: 156722 f430eba0b5554535b21fa840baa0953b http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_ia64.deb Size/MD5 checksum: 279222 57772e931a766e8611b41de5dd82fc44 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_ia64.deb Size/MD5 checksum: 1014718 69aebd71a0c09184ee5745d38fbe5e57 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_ia64.deb Size/MD5 checksum: 1293798 072ac6f1e0b505991ded4340e71f3d2d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_ia64.deb Size/MD5 checksum: 160790 df3faf481671c5efb79bb4e43df0cd0f HP Precision architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_hppa.deb Size/MD5 checksum: 150554 dcf951b1cdc8a8b2808b4ef5a6ed7a06 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_hppa.deb Size/MD5 checksum: 251200 409ac37bb0adc4a4bd0542c1ac661ad3 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_hppa.deb Size/MD5 checksum: 1002064 903885cbc63e47e1cca7cafe64d9061d http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_hppa.deb Size/MD5 checksum: 1253626 b09cfaed0c17cd06e69586d54d426256 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_hppa.deb Size/MD5 checksum: 132284 33802a367e971182dfaac46ab2f2b3a0 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_m68k.deb Size/MD5 checksum: 144652 11be6a48cdb019c42852c2a29523c972 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_m68k.deb Size/MD5 checksum: 227858 b58a8fa28732754776e30b478649262e http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_m68k.deb Size/MD5 checksum: 998546 3392e518130e36eba7a9598f6308e8f9 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_m68k.deb Size/MD5 checksum: 1212010 5e901a9ab9336d22ce5bffec68ed3020 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_m68k.deb Size/MD5 checksum: 108694 4f50040ed1dcb4a129b6cf5ef70196e2 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_mips.deb Size/MD5 checksum: 149942 9c11cfcc6886af0114f97b2eddb428a7 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mips.deb Size/MD5 checksum: 237440 254e37aa6c1fcb96f53b3b38fb599142 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_mips.deb Size/MD5 checksum: 1007564 fc4147e821a5908cd6b2a67f77fa55f4 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_mips.deb Size/MD5 checksum: 1246980 5e542160496f4cbe3475ad7f4c085f7e http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_mips.deb Size/MD5 checksum: 118470 41ca8bc0fb17a1922ab864790a0b583e Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_mipsel.deb Size/MD5 checksum: 150046 51a993203eefc459a63658dc80ff0fcc http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mipsel.deb Size/MD5 checksum: 238022 d52743d13cd115b6a893989af7aef032 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_mipsel.deb Size/MD5 checksum: 1010958 d3158f45cf6e904681e90608fce6673c http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_mipsel.deb Size/MD5 checksum: 1247246 5569e170ef9bda1d904b5e7e2b979ef4 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_mipsel.deb Size/MD5 checksum: 118942 d71e0823fadaeaafff74f3dfa0691621 PowerPC architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_powerpc.deb Size/MD5 checksum: 150664 2b46df904ee41bfb43c3c375cecd97dd http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_powerpc.deb Size/MD5 checksum: 243472 ae29ca3aaca1c7b031eea79102315945 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_powerpc.deb Size/MD5 checksum: 1640526 f9fe8c3eda4eff4db90b3b8a93c10403 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_powerpc.deb Size/MD5 checksum: 1245292 4fb803a4dba48d506d0aff115fa516de http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_powerpc.deb Size/MD5 checksum: 124138 55b836d703e3d516fa2e75f018ddd8d8 IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_s390.deb Size/MD5 checksum: 148640 bb07ba73b8e9d90b80fb1d36a1472db6 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_s390.deb Size/MD5 checksum: 246640 93d40c902692d06f1d3a2d145b10474b http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_s390.deb Size/MD5 checksum: 1025438 c0778b7435b21cf277a2656f134d47d4 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_s390.deb Size/MD5 checksum: 1240744 6da2e87d0e60701d03f3da1cc4bf8905 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_s390.deb Size/MD5 checksum: 127458 80cf6d496e27df3765257fd1303eceb9 Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_sparc.deb Size/MD5 checksum: 147660 905b8cdc96289e709644da1addd5c7a3 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_sparc.deb Size/MD5 checksum: 236994 8385a7c13cc40517b179cf21689db383 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_sparc.deb Size/MD5 checksum: 996640 5d5cb641eca75a51659dad9f499673fa http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_sparc.deb Size/MD5 checksum: 1232354 c8f891808cc67cf1756fe68898baf607 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_sparc.deb Size/MD5 checksum: 118006 5a4880af8b078ef38b148ba37ac4221a These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFEEU9EW5ql+IAeqTIRAoZnAKCbJdVu6YN/j5Yk5rORoN5W/DwPAgCfaatc 46jnCRyvOFWkZx+EwTDaluI= =GO2K -----END PGP SIGNATURE-----
