-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1814-1 security@xxxxxxxxxx http://www.debian.org/security/ Nico Golde June 13th, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : libsndfile Vulnerability : heap-based buffer overflow Problem type : local (remote) Debian-specific: no Debian bug : 528650 CVE ID : CVE-2009-1788 CVE-2009-1791 Two vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems: Tobias Klein discovered that the VOC parsing routines suffer of a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header (CVE-2009-1788). The vendor discovered that the AIFF parsing routines suffer of a heap-based buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker via a crafted AIFF header (CVE-2009-1791). In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution. For the oldstable distribution (etch), this problem has been fixed in version 1.0.16-2+etch2. For the stable distribution (lenny), this problem has been fixed in version 1.0.17-4+lenny2. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 1.0.20-1. We recommend that you upgrade your libsndfile packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch2.dsc Size/MD5 checksum: 659 fe69a3bbf260e7539ec189fe9d81889d http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch2.diff.gz Size/MD5 checksum: 6453 8a43fb7713b8247bd1e5f1bf7a6e9923 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_alpha.deb Size/MD5 checksum: 400794 04c86699fad7bfa734f6db94e7814574 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_alpha.deb Size/MD5 checksum: 222774 f6411ea0366b55e8cdcd308f51af7aaa http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_alpha.deb Size/MD5 checksum: 72500 fb13ac77eec3b3cb791b0d05dc4abce1 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_amd64.deb Size/MD5 checksum: 70818 efc9612d010aa0e9f260e4726f7fd809 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_amd64.deb Size/MD5 checksum: 187554 1ad927a4dde060a045052031c6dee298 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_amd64.deb Size/MD5 checksum: 322608 0b5e2551db19f1e67d90fb402a3e4b55 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_hppa.deb Size/MD5 checksum: 236528 9a134046572d39fef1a8344ecdca0a23 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_hppa.deb Size/MD5 checksum: 75046 bd7b926daab6bef2036398a3ab07527c http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_hppa.deb Size/MD5 checksum: 375188 67a8110d0f4a87618af8e8d45ae24349 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_i386.deb Size/MD5 checksum: 320972 5d76ff009184ad5345a54e8d8194fffe http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_i386.deb Size/MD5 checksum: 71000 7ebac264cb5b8ffa89f25d3ccc1a75cc http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_i386.deb Size/MD5 checksum: 198076 260d7f6aa38f89f8977a3ad49e990b43 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_ia64.deb Size/MD5 checksum: 76026 cbe650d86af4ecc63a69056fd75eca87 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_ia64.deb Size/MD5 checksum: 270996 9cace4aabe93c43722c432b6c4e4442e http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_ia64.deb Size/MD5 checksum: 416638 df26e7f277e084280ffdc817ae53b7f3 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_mips.deb Size/MD5 checksum: 217472 10109974f4c321580f791bf5e49124e7 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_mips.deb Size/MD5 checksum: 73040 a9f2a80bc90165a3e92903f4edc444da http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_mips.deb Size/MD5 checksum: 374506 f6c67974732dd1de4bd3a9158f3c1c20 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_mipsel.deb Size/MD5 checksum: 73062 a508b896c5de5ebd5dff792afff15c29 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_mipsel.deb Size/MD5 checksum: 216994 96315e55d624bee6e44d015d37c710c1 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_mipsel.deb Size/MD5 checksum: 373658 65ed601088e7b02b509556d11dcd8d1d powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_powerpc.deb Size/MD5 checksum: 351902 a4123d15745b1eb1af28fdb78b63bd82 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_powerpc.deb Size/MD5 checksum: 76584 0f5fae422385aa9d839be192aed31444 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_powerpc.deb Size/MD5 checksum: 207620 557e216bb6625ee2352b161474f0d5c0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_s390.deb Size/MD5 checksum: 221198 664d13a054568b329e4d625a0b5038e0 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_s390.deb Size/MD5 checksum: 73066 89616dead6b5d3a2847e2536b8cb072b http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_s390.deb Size/MD5 checksum: 346752 85718e326019f4eb3a45daf2e67b3c1a sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_sparc.deb Size/MD5 checksum: 339010 4d7c07314114134799a36c801ab1f49e http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_sparc.deb Size/MD5 checksum: 70940 88eb23fe6f813ecd026131c863bf41f8 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_sparc.deb Size/MD5 checksum: 208148 68df6e036a2a22376e3974f614115014 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.dsc Size/MD5 checksum: 1134 51d9eb65dd02a51f539d841417d49f1b http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.diff.gz Size/MD5 checksum: 10627 2325910ddaba0afbdd7e317e38970bb8 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17.orig.tar.gz Size/MD5 checksum: 819456 2d126c35448503f6dbe33934d9581f6b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_alpha.deb Size/MD5 checksum: 226090 e2b9f5ad19011d18709d4cedaade37fa http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_alpha.deb Size/MD5 checksum: 410994 8483cb52b025c5daf82e8bb8c79e975f http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_alpha.deb Size/MD5 checksum: 74138 f7ff92888db92ee16c39d31a34b458ba amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_amd64.deb Size/MD5 checksum: 191352 a7fcfefe56bbe623aedf4c1a716fbd7c http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_amd64.deb Size/MD5 checksum: 73166 95ae8a7f7cc414b590492a5ccb8b54bb http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_amd64.deb Size/MD5 checksum: 333800 c082042884f8aa7d54456c7edda82505 arm architecture (ARM) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_arm.deb Size/MD5 checksum: 217242 b1d688c41ee46c865b28dec19d7138f1 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_arm.deb Size/MD5 checksum: 74296 2d60cc9b8e2a586ddf7f69a3550db4ac http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_arm.deb Size/MD5 checksum: 349034 2cb39ad7ca3213b2e377445d4f05204f armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_armel.deb Size/MD5 checksum: 76490 091e276cadfdcf6d1d7f6981775a2a22 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_armel.deb Size/MD5 checksum: 220838 c303edbc05beebb5021928367c49cdc9 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_armel.deb Size/MD5 checksum: 355852 d3382eaacdfb9f6c85b0ff68feade506 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_hppa.deb Size/MD5 checksum: 236520 23c8272b8abd38f01079b0b6026864cf http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_hppa.deb Size/MD5 checksum: 76920 d20fe4a5f04535145a1816db5a32df71 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_hppa.deb Size/MD5 checksum: 379156 f0499c6fd090c1898de78c5976ca78b0 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_i386.deb Size/MD5 checksum: 72948 2b409333b2ddfc6abac2c5e8a3fa4c52 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_i386.deb Size/MD5 checksum: 326262 a12481a50bc8e4d3ca8d42114a109261 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_i386.deb Size/MD5 checksum: 196632 929743d1597c465e4cf871698c8643a2 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_ia64.deb Size/MD5 checksum: 274624 793a250f573b51eb3c236cceb1a1bfd5 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_ia64.deb Size/MD5 checksum: 430950 d9c31e7271ec506ed8fb427c1428064a http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_ia64.deb Size/MD5 checksum: 77798 984421618e44f369931120c39264ae45 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_mips.deb Size/MD5 checksum: 214948 a0e0e337d7902d1ef6a2a289c673f872 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_mips.deb Size/MD5 checksum: 381394 099c34ac8b3251378b923078d8b1b863 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_mips.deb Size/MD5 checksum: 75114 51ff1f2c3b21029e6b3f023756ae7f69 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_mipsel.deb Size/MD5 checksum: 379494 fc38dea8e6242b7b6562dff24a8fcdfd http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_mipsel.deb Size/MD5 checksum: 215384 ca2207de85164e39282dd1c47c8a4dc2 http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_mipsel.deb Size/MD5 checksum: 74968 b305260d39f855ec6d5abc650072753e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_powerpc.deb Size/MD5 checksum: 362142 0a4bc9e2ca82e625114545bfa00ba442 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_powerpc.deb Size/MD5 checksum: 212946 2a579d5238131e888a8608f28c8c1b4c http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_powerpc.deb Size/MD5 checksum: 81158 9f00494a4f70a89e114c8f9c8e1f70e2 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_s390.deb Size/MD5 checksum: 355712 f00055811535af5da4e6177e5641bb9a http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_s390.deb Size/MD5 checksum: 220080 f0fa6c86da09f962c5ee0ed8783164ac http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_s390.deb Size/MD5 checksum: 75230 a2a5d37ef8bb4129eaf0d33dabce9e57 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_sparc.deb Size/MD5 checksum: 73614 d3cd01e6c95f41efa016fa1e470cb300 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_sparc.deb Size/MD5 checksum: 342854 adbc2be1b13fc19b709c5a300532d6c6 http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_sparc.deb Size/MD5 checksum: 206250 f2971a5a5d4ac6ffde7c61257745d95e These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkozv60ACgkQHYflSXNkfP/NhgCgkY9naVwXzps37xOEAEXPKh03 YbgAmwSVkKF8BIfWhoqHYySdNUdZBakX =dawU -----END PGP SIGNATURE-----