Debian: DSA-1743-1: New libtk-img packages fix arbitrary code execution

    Date17 Mar 2009
    CategoryDebian
    68
    Posted ByLinuxSecurity Advisories
    Two buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1743-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                      Steffen Joeris
    March 17, 2009                   http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : libtk-img
    Vulnerability  : buffer overflows
    Problem type   : local (remote)
    Debian-specific: no
    CVE Ids        : CVE-2007-5137 CVE-2007-5378
    Debian Bug     : 519072
    
    Two buffer overflows have been found in the GIF image parsing code of
    Tk, a cross-platform graphical toolkit, which could lead to the execution
    of arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems:
    
    
    CVE-2007-5137
    
    It was discovered that libtk-img is prone to a buffer overflow via
    specially crafted multi-frame interlaced GIF files.
    
    CVE-2007-5378
    
    It was discovered that libtk-img is prone to a buffer overflow via
    specially crafted GIF files with certain subimage sizes.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3-release-7+lenny1.
    
    For the oldstable distribution (etch), these problems have been fixed in
    version 1.3-15etch3.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 1.3-release-8.
    
    
    We recommend that you upgrade your libtk-img packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3.diff.gz
        Size/MD5 checksum:   245234 735f4c10ef82cb9d871351b180ae47dc
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3.orig.tar.gz
        Size/MD5 checksum:  3918119 ee19a7fdaaa64e9d85eeecd3b78bce8f
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3.dsc
        Size/MD5 checksum:      663 3a273d841105b8978f96eca6533eeefd
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_alpha.deb
        Size/MD5 checksum:   491110 07e4cdac4f3fba01a3b7d84648c6809d
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_amd64.deb
        Size/MD5 checksum:   461822 cae988f3575b2087b7d04eea38a25440
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_arm.deb
        Size/MD5 checksum:   436356 7ef635df0204508e8e883eb4a54ae58f
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_i386.deb
        Size/MD5 checksum:   430104 b00a0cb661ea599ce296796547520fe0
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_ia64.deb
        Size/MD5 checksum:   601608 49309def501db030330443b5bb955d38
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_mips.deb
        Size/MD5 checksum:   441054 026d2c2af3bed4b7f3452a7bddfaaee3
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_mipsel.deb
        Size/MD5 checksum:   441044 24d9bc504e550643afd51fe1f3fff1e1
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_powerpc.deb
        Size/MD5 checksum:   452226 3769f2ee4ac052602db18ad14e5a33d0
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_s390.deb
        Size/MD5 checksum:   457496 870628476aec308c566d3f4bea697730
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_sparc.deb
        Size/MD5 checksum:   424242 5ff1ceda5f92c0ce34398ad1a375b3ce
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1.diff.gz
        Size/MD5 checksum:    31608 9aa3a3da9d17f06545411973eb66cf81
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release.orig.tar.gz
        Size/MD5 checksum:  3969630 964a692db8a120dc5ed8779521a70bc8
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1.dsc
        Size/MD5 checksum:     1207 83e0a72a0c54c38a38f1acc6006dd881
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-doc_1.3-release-7+lenny1_all.deb
        Size/MD5 checksum:    89232 963cfc7f3b480f65d23da12086099bdb
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_alpha.deb
        Size/MD5 checksum:   147218 3818c8a511e96717a159608ecffdcc90
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_alpha.deb
        Size/MD5 checksum:    59322 fc4813740e77630bb9c69cf3f4636342
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_amd64.deb
        Size/MD5 checksum:   136130 2807ef2c010419b0daa1a10bbcf26cfa
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_amd64.deb
        Size/MD5 checksum:    61522 b32861939b7bb9e5cb7dd0a0468e46f2
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_arm.deb
        Size/MD5 checksum:   129814 ab2b0b3b5ae507ef3aa0f8ad218513a7
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_arm.deb
        Size/MD5 checksum:    59210 0a1b9b43cef09ddc4613e5ca1afb9435
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_i386.deb
        Size/MD5 checksum:   119526 a7ab424a2a7ad7ec5b2a58097b96b206
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_i386.deb
        Size/MD5 checksum:    58924 3a65c23ecc11b3e581cb64d26912daab
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_ia64.deb
        Size/MD5 checksum:    59430 e54e0eb23f40d0d197db99d0dd04e651
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_ia64.deb
        Size/MD5 checksum:   186630 ebcca2c511bf43f1ef3b12e3adaae97d
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_mips.deb
        Size/MD5 checksum:    59338 fde2040f51b9bdb782382bb6bb21e74b
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_mips.deb
        Size/MD5 checksum:   128314 fa953d1ad555ba495f4e58ca824d83bc
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_mipsel.deb
        Size/MD5 checksum:    59340 9f570ecd96eba5b0c672113e7433c204
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_mipsel.deb
        Size/MD5 checksum:   128246 547d8c58d76735d00d93701028d05de7
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_powerpc.deb
        Size/MD5 checksum:    59248 95180c3c45dfbdc4dc4356253f915441
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_powerpc.deb
        Size/MD5 checksum:   156072 36b72aa56e99d26cfc773f2f5c916970
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_s390.deb
        Size/MD5 checksum:   131008 f4401f63947dd3a80f64c4b9abd80924
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_s390.deb
        Size/MD5 checksum:    59280 b0784e2a4579dff140ed9c65a7e75997
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img-dev_1.3-release-7+lenny1_sparc.deb
        Size/MD5 checksum:    59192 947382bad7ce91d54a477d59a3cd94d4
      http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1_sparc.deb
        Size/MD5 checksum:   121050 000240ceaa3638b39b3ee71bcee37406
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":51.32,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.47,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"26","type":"x","order":"3","pct":34.21,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.