-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1742-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
March 16th, 2009                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libsndfile
Vulnerability  : integer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2009-0186
Debian Bug     : none
BugTraq ID     : 33963


Alan Rad Pop discovered that libsndfile, a library to read and write
sampled audio data, is prone to an integer overflow. This causes a
heap-based buffer overflow when processing crafted CAF description
chunks possibly leading to arbitrary code execution.


For the oldstable distribution (etch) this problem has been fixed in
version 1.0.16-2+etch1.

For the stable distribution (lenny) this problem has been fixed in
version 1.0.17-4+lenny1.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.19-1.

We recommend that you upgrade your libsndfile packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:      659 2782d11c87eb6cdbcbb4757bdcba3582
      Size/MD5 checksum:   857117 773b6639672d39b6342030c7fd1e9719
      Size/MD5 checksum:     5872 94c24295ef3f6461e417f7953e3df405

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   322418 5590289019e10655b831451a93b10d43
      Size/MD5 checksum:   187326 a873f6260972d3f18bb5bfcefc355894
      Size/MD5 checksum:    70686 3cbb5bbe4f0af88cd8f33e5296427cc3

arm architecture (ARM)

      Size/MD5 checksum:   342342 d2f15699c1f3d6d3a5460385ea9b99b6
      Size/MD5 checksum:    72166 e691a87d6803f4e877c12fdc7ba13e25
      Size/MD5 checksum:   221378 b4843f23c1079a4a7ea0fc2324c680fc

hppa architecture (HP PA RISC)

      Size/MD5 checksum:    74914 1f96f0eee8d6a3eb34d24a433546fd57
      Size/MD5 checksum:   236094 ce6c840fbd31cd9d715c8525616ac54c
      Size/MD5 checksum:   373868 bef1859b9f1266093be1c95531351eff

i386 architecture (Intel ia32)

      Size/MD5 checksum:   320672 3ed0f57f391284d9d7cb0b3eb95d48fb
      Size/MD5 checksum:    70872 818ad0f2460d4cc6d902809bb0d9bf4a
      Size/MD5 checksum:   197906 eba6df6a2658f8b95ed31c38c3a3ef40

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   270732 de8da4d9acfe054e5e1e9a9367d50cac
      Size/MD5 checksum:    75896 230edd89ad51fd4c4f064815f661b4c8
      Size/MD5 checksum:   416258 aecbfa75aae59f97ef88b98c805fe935

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   217258 a252e3e6dfa3a82429b1f0f614408f85
      Size/MD5 checksum:    72898 15032de6be2605a07ddcc8c1534f26c9
      Size/MD5 checksum:   374318 27cb3879cb552c881f9c52127bbe5670

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:    72948 02486480aa641705aca406a7f8dd0ed8
      Size/MD5 checksum:   216892 9c13d9332ad74db6a6a84cb018f333b0
      Size/MD5 checksum:   373456 8cef61c9e296b2134c25245133a69884

powerpc architecture (PowerPC)

      Size/MD5 checksum:   207898 47b604aebf08ad004589587b6a977dbd
      Size/MD5 checksum:    75942 98415fef5f56e16713c23c96a2e15445
      Size/MD5 checksum:   346488 eacb480134790f9e39b1332e6e84e4ee

s390 architecture (IBM S/390)

      Size/MD5 checksum:    72940 c92ba36d5ec4b092a0f07e6db712de30
      Size/MD5 checksum:   220998 a1489d9687ad8b804244a741fdd7cb35
      Size/MD5 checksum:   346540 8f2784ab3ba80709ef6f00b84194fa2a

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   207890 7788155fa7338ac0c7ede3f3c8808e9e
      Size/MD5 checksum:    70836 ce42b9f5eaf08d484c4b136833575491
      Size/MD5 checksum:   338816 17c6a3b095be526617571a9a2631e762


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     9969 a06409102bd304eedb0bd6634bceefa1
      Size/MD5 checksum:   819456 2d126c35448503f6dbe33934d9581f6b
      Size/MD5 checksum:     1131 b44551174131c95a8cfae919907d3efa

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   332902 bb2e2e44a1a399bf089481a9facc4e19
      Size/MD5 checksum:    73016 93aef598d40745fc4531955441223ab5
      Size/MD5 checksum:   191504 6b54a2e1a53d09464c4b65d258a5deb3

arm architecture (ARM)

      Size/MD5 checksum:   347414 6c52b00fc235e1ae0a47666f31c0b212
      Size/MD5 checksum:    74216 708985007e2bb5a2426a268e6685950b
      Size/MD5 checksum:   217154 9b070d74cf8f2f0386f21bb7808bf080

armel architecture (ARM EABI)

      Size/MD5 checksum:   355992 e1c35063b71ec530cb04e78fd28cea0e
      Size/MD5 checksum:   220856 4da3e1b0575f958ad80d111a8e50f604
      Size/MD5 checksum:    76350 aa51f771719ec6015035ebe98007c2d5

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   236450 094cc8743665a6514b4ff9bc24186d03
      Size/MD5 checksum:   378900 cf6fa563b615042fc8d506043dd227ac
      Size/MD5 checksum:    76788 d175a6e5bd172eca340ac85a2d18c645

i386 architecture (Intel ia32)

      Size/MD5 checksum:    72806 5860626d1af8814f8eee7162fb3d4ea0
      Size/MD5 checksum:   196406 69991bf3467c31d730472b29c368dfef
      Size/MD5 checksum:   326094 30572ad1df19e37d3d8cfc991f2835ca

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   274480 924a7ae71b9a33be513a2ae3fd8f6d5c
      Size/MD5 checksum:    77656 e61068d4526fa2a6fa11723d6dd54d11
      Size/MD5 checksum:   430756 6674fe583f5bbe41eb796d4659ec8093

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   378808 7deca929594ab128abcffc66eb4394d0
      Size/MD5 checksum:   215100 668818f04fe4ab74a43d6c8012b96912
      Size/MD5 checksum:    74824 d06343d42dfd969c74ca9de2e805cc66

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:    74832 ded63b4fd471a3043512f57ff80247a5
      Size/MD5 checksum:   215256 777dc5b744908a615db38d6331184b17
      Size/MD5 checksum:   379332 b137cbe97da0ae209f667020a001d041

s390 architecture (IBM S/390)

      Size/MD5 checksum:   219930 46c286135742fc81b8e912bc31152165
      Size/MD5 checksum:   355566 76dfe36e9fd16c88b3c57aa57a07fba5
      Size/MD5 checksum:    75106 9a01e6255f4898e572e8239ae00da738

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   206230 e4e000f15013781e5c525ef86197ed27
      Size/MD5 checksum:   342738 387686095f690170b6339d3945e0b57f
      Size/MD5 checksum:    73494 78e59cb96a9dc8747c4bc0578853faa9


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1742-1: New libsnd packages fix arbitrary code execution

March 16, 2009

Alan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow

Summary

Alan Rad Pop discovered that libsndfile, a library to read and write
sampled audio data, is prone to an integer overflow. This causes a
heap-based buffer overflow when processing crafted CAF description
chunks possibly leading to arbitrary code execution.

For the oldstable distribution (etch) this problem has been fixed in
version 1.0.16-2+etch1.

For the stable distribution (lenny) this problem has been fixed in
version 1.0.17-4+lenny1.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.19-1.

We recommend that you upgrade your libsndfile packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 659 2782d11c87eb6cdbcbb4757bdcba3582
Size/MD5 checksum: 857117 773b6639672d39b6342030c7fd1e9719
Size/MD5 checksum: 5872 94c24295ef3f6461e417f7953e3df405

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 322418 5590289019e10655b831451a93b10d43
Size/MD5 checksum: 187326 a873f6260972d3f18bb5bfcefc355894
Size/MD5 checksum: 70686 3cbb5bbe4f0af88cd8f33e5296427cc3

arm architecture (ARM)

Size/MD5 checksum: 342342 d2f15699c1f3d6d3a5460385ea9b99b6
Size/MD5 checksum: 72166 e691a87d6803f4e877c12fdc7ba13e25
Size/MD5 checksum: 221378 b4843f23c1079a4a7ea0fc2324c680fc

hppa architecture (HP PA RISC)

Size/MD5 checksum: 74914 1f96f0eee8d6a3eb34d24a433546fd57
Size/MD5 checksum: 236094 ce6c840fbd31cd9d715c8525616ac54c
Size/MD5 checksum: 373868 bef1859b9f1266093be1c95531351eff

i386 architecture (Intel ia32)

Size/MD5 checksum: 320672 3ed0f57f391284d9d7cb0b3eb95d48fb
Size/MD5 checksum: 70872 818ad0f2460d4cc6d902809bb0d9bf4a
Size/MD5 checksum: 197906 eba6df6a2658f8b95ed31c38c3a3ef40

ia64 architecture (Intel ia64)

Size/MD5 checksum: 270732 de8da4d9acfe054e5e1e9a9367d50cac
Size/MD5 checksum: 75896 230edd89ad51fd4c4f064815f661b4c8
Size/MD5 checksum: 416258 aecbfa75aae59f97ef88b98c805fe935

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 217258 a252e3e6dfa3a82429b1f0f614408f85
Size/MD5 checksum: 72898 15032de6be2605a07ddcc8c1534f26c9
Size/MD5 checksum: 374318 27cb3879cb552c881f9c52127bbe5670

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 72948 02486480aa641705aca406a7f8dd0ed8
Size/MD5 checksum: 216892 9c13d9332ad74db6a6a84cb018f333b0
Size/MD5 checksum: 373456 8cef61c9e296b2134c25245133a69884

powerpc architecture (PowerPC)

Size/MD5 checksum: 207898 47b604aebf08ad004589587b6a977dbd
Size/MD5 checksum: 75942 98415fef5f56e16713c23c96a2e15445
Size/MD5 checksum: 346488 eacb480134790f9e39b1332e6e84e4ee

s390 architecture (IBM S/390)

Size/MD5 checksum: 72940 c92ba36d5ec4b092a0f07e6db712de30
Size/MD5 checksum: 220998 a1489d9687ad8b804244a741fdd7cb35
Size/MD5 checksum: 346540 8f2784ab3ba80709ef6f00b84194fa2a

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 207890 7788155fa7338ac0c7ede3f3c8808e9e
Size/MD5 checksum: 70836 ce42b9f5eaf08d484c4b136833575491
Size/MD5 checksum: 338816 17c6a3b095be526617571a9a2631e762

Debian GNU/Linux 5.0 alias lenny

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 9969 a06409102bd304eedb0bd6634bceefa1
Size/MD5 checksum: 819456 2d126c35448503f6dbe33934d9581f6b
Size/MD5 checksum: 1131 b44551174131c95a8cfae919907d3efa

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 332902 bb2e2e44a1a399bf089481a9facc4e19
Size/MD5 checksum: 73016 93aef598d40745fc4531955441223ab5
Size/MD5 checksum: 191504 6b54a2e1a53d09464c4b65d258a5deb3

arm architecture (ARM)

Size/MD5 checksum: 347414 6c52b00fc235e1ae0a47666f31c0b212
Size/MD5 checksum: 74216 708985007e2bb5a2426a268e6685950b
Size/MD5 checksum: 217154 9b070d74cf8f2f0386f21bb7808bf080

armel architecture (ARM EABI)

Size/MD5 checksum: 355992 e1c35063b71ec530cb04e78fd28cea0e
Size/MD5 checksum: 220856 4da3e1b0575f958ad80d111a8e50f604
Size/MD5 checksum: 76350 aa51f771719ec6015035ebe98007c2d5

hppa architecture (HP PA RISC)

Size/MD5 checksum: 236450 094cc8743665a6514b4ff9bc24186d03
Size/MD5 checksum: 378900 cf6fa563b615042fc8d506043dd227ac
Size/MD5 checksum: 76788 d175a6e5bd172eca340ac85a2d18c645

i386 architecture (Intel ia32)

Size/MD5 checksum: 72806 5860626d1af8814f8eee7162fb3d4ea0
Size/MD5 checksum: 196406 69991bf3467c31d730472b29c368dfef
Size/MD5 checksum: 326094 30572ad1df19e37d3d8cfc991f2835ca

ia64 architecture (Intel ia64)

Size/MD5 checksum: 274480 924a7ae71b9a33be513a2ae3fd8f6d5c
Size/MD5 checksum: 77656 e61068d4526fa2a6fa11723d6dd54d11
Size/MD5 checksum: 430756 6674fe583f5bbe41eb796d4659ec8093

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 378808 7deca929594ab128abcffc66eb4394d0
Size/MD5 checksum: 215100 668818f04fe4ab74a43d6c8012b96912
Size/MD5 checksum: 74824 d06343d42dfd969c74ca9de2e805cc66

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 74832 ded63b4fd471a3043512f57ff80247a5
Size/MD5 checksum: 215256 777dc5b744908a615db38d6331184b17
Size/MD5 checksum: 379332 b137cbe97da0ae209f667020a001d041

s390 architecture (IBM S/390)

Size/MD5 checksum: 219930 46c286135742fc81b8e912bc31152165
Size/MD5 checksum: 355566 76dfe36e9fd16c88b3c57aa57a07fba5
Size/MD5 checksum: 75106 9a01e6255f4898e572e8239ae00da738

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 206230 e4e000f15013781e5c525ef86197ed27
Size/MD5 checksum: 342738 387686095f690170b6339d3945e0b57f
Size/MD5 checksum: 73494 78e59cb96a9dc8747c4bc0578853faa9

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/