[SECURITY] [DSA 593-1] New imagemagick packages fix arbitrary code execution
Debian Security Advisory DSA 593-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 16th, 2004                     http://www.debian.org/security/faq

Package        : imagemagick
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0981
Debian Bug     : 278401

A vulnerability has been reported for ImageMagick, a commonly used image manipulation library. Due to a boundary error within the EXIF parsing routine, a specially crafted graphic image could lead to the execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 5.4.4.5-1woody4.

For the unstable distribution (sid) this problem has been fixed in version 6.0.6.2-1.5.

We recommend that you upgrade your imagemagick packages.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Who runs the buildds? (was: Rebuilding packages on *all* architectures)
[bcc'd to debian-admin]

On Sun, 05 Sep 2004 18:07:43 +0200, Goswin von Brederlow asserted:
> And you are aware of the thread about that buildds are run partly by non DDs which can't be trusted and thus the archive is tainted by the autobuild debs?

Is this still the case?

Manoj madduck: only people trusted by the buildd admins have access to the infrastructure
Manoj madduck: and the source for that information is me.
Manoj madduck: you can quote me, but I am not authoritative here

Are there any buildds run by non-DDs? Do any non-DDs have access to any buildds?

--
Please do not send copies of list mail to me; I read the list!

martin f. krafft [EMAIL PROTECTED]
proud Debian developer, admin, user, and author
Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: Who runs the buildds?
In article [EMAIL PROTECTED] you wrote:
> Are there any buildds run by non-DDs? Do any non-DDs have access to any buildds?

I think for 99% of all Debian systems, physical access exists for non-DDs.

Greetings
Bernd

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Who runs the buildds? (was: Rebuilding packages on *all* architectures)
* martin f krafft ([EMAIL PROTECTED]) wrote:
> On Sun, 05 Sep 2004 18:07:43 +0200, Goswin von Brederlow asserted:
>> And you are aware of the thread about that buildds are run partly by non DDs which can't be trusted and thus the archive is tainted by the autobuild debs?
>
> Is this still the case?
>
> Manoj madduck: only people trusted by the buildd admins have access to the infrastructure
> Manoj madduck: and the source for that information is me.
> Manoj madduck: you can quote me, but I am not authoritative here
>
> Are there any buildds run by non-DDs? Do any non-DDs have access to any buildds?

erm. Manoj's statements do not imply that those who are trusted by the buildd admins are DDs. It's certainly possible for the buildd admins to trust non-DDs.

Stephen
Re: Who runs the buildds?
* Bernd Eckenfels ([EMAIL PROTECTED]) wrote:
> In article [EMAIL PROTECTED] you wrote:
>> Are there any buildds run by non-DDs? Do any non-DDs have access to any buildds?
>
> I think for 99% of all Debian systems, physical access exists for non-DDs.

Well, my wife and son (who's, uhm, 2) have physical access to the buildds in my house. I suppose I could lock the racks that they're in but for some reason I'm just not all that worried.

Stephen
any DSA for CAN-2004-0930
Hi,

Has there been any DSA released for CAN-2004-0930, an Input Vulnerability in Samba, 3.0 to 3.0.7?

Ta

--
Geoff Crompton
Debian System Administrator
StrategicData
+61-3-9348-2013
Re: any DSA for CAN-2004-0930
This one time, at band camp, Joey Hess said:
> Geoff Crompton wrote:
>> Has there been any DSA released for CAN-2004-0930, an Input Vulnerability in Samba, 3.0 to 3.0.7?
>
> Nope, there has not.

However:

samba (3.0.8-1) unstable; urgency=high

  * New upstream package. Urgency set to high because of a potential
    Denial of Service vulnerability in previous 3.0.x releases
    (CAN-2004-0930). (Eloy)

It has been fixed for unstable at least.

--
Stephen Gran [EMAIL PROTECTED]
Debian user, admin, and developer
http://www.debian.org