Debian Security Advisory

DSA-1706-1 amarok -- integer overflows

Date Reported:
15 Jan 2009
Affected Packages:
amarok
Vulnerable:
Yes
Security database references:
No other external database security references currently available.
More information:

Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 1.4.4-4etch1. Updated packages for sparc and arm will be provided later.

For the upcoming stable distribution (lenny) and the unstable distribution (sid), this problem has been fixed in version 1.4.10-2.

We recommend that you upgrade your amarok packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4.orig.tar.gz
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1.diff.gz
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1.dsc
Alpha:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_alpha.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_alpha.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_amd64.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_amd64.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_amd64.deb
HP Precision:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_hppa.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_hppa.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_i386.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_i386.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_ia64.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_ia64.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_mips.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_mips.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/a/amarok/amarok-engines_1.4.4-4etch1_s390.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok-xine_1.4.4-4etch1_s390.deb
http://security.debian.org/pool/updates/main/a/amarok/amarok_1.4.4-4etch1_s390.deb

MD5 checksums of the listed files are available in the original advisory.