Debian Security Advisory

DSA-1814-1 libsndfile -- heap-based buffer overflow

Date Reported:
13 Jun 2009
Affected Packages:
libsndfile
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 528650.
In Mitre's CVE dictionary: CVE-2009-1788, CVE-2009-1791.
More information:

Two vulnerabilities have been discovered in libsndfile, a library for reading and writing sampled audio data. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-1788

    Tobias Klein discovered that the VOC parsing routines suffer from a heap-based buffer overflow, which an attacker could trigger through a crafted VOC header.

  • CVE-2009-1791

    The vendor discovered that the AIFF parsing routines suffer from a heap-based buffer overflow similar to CVE-2009-1788, which an attacker could trigger through a crafted AIFF header.

In both cases the overflowing data is not completely controlled by the attacker, but it still leads to application crashes or, under some circumstances, might still allow arbitrary code execution.
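The pattern behind both CVEs, a heap buffer sized from one header field while the decode loop is bounded by another, is easier to see in code. The following is an added illustration written for this page, not libsndfile's VOC or AIFF code; it uses a hypothetical 8-byte header (magic, channel count, a 24-bit declared sample count, a 24-bit payload length) and constructed inputs. The decode step widens 8-bit samples to 16-bit, so what lands on the heap is derived from, but not identical to, the attacker's bytes, which is the "not completely controlled" situation the advisory describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical header for a chunked 8-bit PCM file, loosely shaped like the
 * VOC/AIFF layouts (a format block that declares the sample count, then a data
 * block with its own length). This is NOT libsndfile's code or format.
 *
 *   [0]    magic 0x01
 *   [1]    channels (1 or 2)
 *   [2..4] sample_count, 24-bit little-endian (from the "format" block)
 *   [5..7] payload_len,  24-bit little-endian (from the "data" block)
 *   [8..]  payload_len bytes of unsigned 8-bit samples
 */
#define HDR_LEN 8
#define MAX_SAMPLES (1u << 20)   /* hardened parser refuses larger allocations */

enum { PARSE_BAD_HEADER = -1, PARSE_TRUNCATED = -2, PARSE_TOO_BIG = -3, PARSE_NOMEM = -4 };

static uint32_t le24(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/* Decode unsigned 8-bit to signed 16-bit. The values written to the heap are
 * derived from attacker input but transformed, i.e. not fully controlled. */
static int16_t widen(uint8_t s) { return (int16_t)((s - 128) * 256); }

/*
 * BEFORE: the buffer is sized from sample_count but the decode loop runs over
 * payload_len. A crafted header with payload_len > sample_count writes past
 * the heap allocation (and reads past the input). Returns the number of
 * decoded samples or a PARSE_* error.
 */
int parse_vulnerable(const uint8_t *buf, size_t len, int16_t **out) {
    if (len < HDR_LEN || buf[0] != 0x01) return PARSE_BAD_HEADER;
    uint32_t sample_count = le24(buf + 2);
    uint32_t payload_len  = le24(buf + 5);
    int16_t *samples = malloc(sample_count * sizeof *samples);
    if (!samples) return PARSE_NOMEM;
    for (uint32_t i = 0; i < payload_len; i++)      /* BUG: bounded by the wrong field */
        samples[i] = widen(buf[HDR_LEN + i]);       /* heap write past sample_count */
    *out = samples;
    return (int)payload_len;
}

/*
 * AFTER: every header-derived length is checked against the allocation it
 * indexes and against the bytes actually present in the input, before any
 * memory is allocated.
 */
int parse_hardened(const uint8_t *buf, size_t len, int16_t **out) {
    if (len < HDR_LEN || buf[0] != 0x01) return PARSE_BAD_HEADER;
    uint8_t channels = buf[1];
    if (channels < 1 || channels > 2) return PARSE_BAD_HEADER;
    uint32_t sample_count = le24(buf + 2);
    uint32_t payload_len  = le24(buf + 5);
    if (sample_count == 0 || sample_count > MAX_SAMPLES) return PARSE_TOO_BIG;
    if (payload_len > sample_count) return PARSE_TOO_BIG;     /* would overflow the heap buffer */
    if (payload_len > len - HDR_LEN) return PARSE_TRUNCATED;   /* would read past the input */
    int16_t *samples = calloc(sample_count, sizeof *samples);
    if (!samples) return PARSE_NOMEM;
    for (uint32_t i = 0; i < payload_len; i++)
        samples[i] = widen(buf[HDR_LEN + i]);
    *out = samples;
    return (int)payload_len;
}

/* Constructed inputs for this example (not real VOC/AIFF files). */
static const uint8_t BENIGN[] = {
    0x01, 0x01, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00,   /* 4 samples declared, 4 payload bytes */
    0x80, 0xFF, 0x00, 0x7F
};
static const uint8_t CRAFTED[] = {
    0x01, 0x01, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00,   /* 2 samples declared, 4096 payload bytes */
    0x80, 0xFF, 0x00, 0x7F
};
static const uint8_t TRUNCATED[] = {
    0x01, 0x01, 0x08, 0x00, 0x00, 0x04, 0x00, 0x00,   /* 4 payload bytes declared, 2 present */
    0x80, 0xFF
};

int main(void) {
    int16_t *s = NULL;
    int n = parse_hardened(BENIGN, sizeof BENIGN, &s);
    printf("benign:    %d samples decoded, first=%d\n", n, n > 0 ? s[0] : 0);
    free(s);
    s = NULL;
    printf("crafted:   rc=%d (rejected before allocation)\n",
           parse_hardened(CRAFTED, sizeof CRAFTED, &s));
    printf("truncated: rc=%d (rejected before allocation)\n",
           parse_hardened(TRUNCATED, sizeof TRUNCATED, &s));
    /* parse_vulnerable(CRAFTED, ...) is undefined behaviour; run it only under
     * -fsanitize=address to see the heap-buffer-overflow report. */
    return 0;
}
```

To observe the overflow rather than reason about it, build with `cc -g -fsanitize=address` and call `parse_vulnerable` on `CRAFTED`: AddressSanitizer reports a heap-buffer-overflow on the first write past the 4-byte allocation. Whether such a write is merely a crash or becomes code execution depends on what the allocator placed after the buffer, which is why the advisory hedges on exploitability.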

For the old stable distribution (etch), these problems have been fixed in version 1.0.16-2+etch2.

For the stable distribution (lenny), these problems have been fixed in version 1.0.17-4+lenny2.

For the testing distribution (squeeze), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 1.0.20-1.

We recommend that you upgrade your libsndfile packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch2.dsc
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16-2+etch2.diff.gz
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.16.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_alpha.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_alpha.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_amd64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_amd64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_amd64.deb
HP Precision:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_hppa.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_hppa.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_i386.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_i386.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_ia64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_ia64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_mips.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_mips.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_s390.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_s390.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.16-2+etch2_sparc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.16-2+etch2_sparc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.16-2+etch2_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.dsc
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.diff.gz
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile_1.0.17.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_alpha.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_alpha.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_amd64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_amd64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_arm.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_arm.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_armel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_armel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_hppa.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_hppa.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_i386.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_i386.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_ia64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_ia64.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_mips.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_mips.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_mipsel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_mipsel.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_powerpc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_powerpc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_s390.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_s390.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_sparc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_sparc.deb
http://security.debian.org/pool/updates/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.