- -------------------------------------------------------------------------
Debian Security Advisory DSA-1972-1                  security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
January 17, 2010                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : audiofile
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5824
Debian bug     : 510205

Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

The old stable distribution (etch), this problem will be fixed in
version 0.2.6-6+etch1.

The packages for the oldtable distribution are not included in this
advisory. An update will be released soon.

For the stable distribution (lenny), this problem has been fixed in
version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:   374688 9c1049876cd51c0f1b12c2886cce4d42
      Size/MD5 checksum:     1048 ba1535425e02719cb32aaed448b9e615
      Size/MD5 checksum:   300816 57eece898416b8ecf3aa5dac27f2c4fc

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   158224 c1579697bbb721374da6451aa12a2030
      Size/MD5 checksum:    90028 01aa1e7a90c361cdd95f289f4d2b554d
      Size/MD5 checksum:   167796 34be04955f6912507db6855eb51fa3cf

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:    83988 1f3b65530a04afb05e077ff7ed72d331
      Size/MD5 checksum:   169514 94248270333cdf6278dc7b27d3af01d7
      Size/MD5 checksum:   130610 a5ba3174a86f15a11f8922ed892f9bec

arm architecture (ARM)

      Size/MD5 checksum:    74696 f3aa521f8ed711b4a2fd3ff14a3bba32
      Size/MD5 checksum:   164142 a87e3ac1f10e120bf8451aac693036ad
      Size/MD5 checksum:   116354 20bccdc0014746f3b07c7b19acbef513

armel architecture (ARM EABI)

      Size/MD5 checksum:    77702 0effe95d77f86d22aed53a9a93012d2b
      Size/MD5 checksum:   121328 52f253d4bbf24883ca3dd83a7d9e0686
      Size/MD5 checksum:   166310 7f5222c459b8964c6551746641b9e385

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   135830 8ad815e277bf74a7a231fd3577d1ecbb
      Size/MD5 checksum:    87580 83007039c0d0aa96508027c58d44956d
      Size/MD5 checksum:   166476 4ea9d29c71058ed703baeb407ebf74ef

i386 architecture (Intel ia32)

      Size/MD5 checksum:   164582 7c84007f5260c1b9ce714d9e090b649c
      Size/MD5 checksum:   118288 99ca6cf504847281ffee6095d6c56df9
      Size/MD5 checksum:    77984 eaa5796ba0a90db7d759719ea46e3ea7

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   171436 87e839b3f36d8374d46dd8cc46cfdf02
      Size/MD5 checksum:   160876 0a1fca9b908b5626c488befbf17951cd
      Size/MD5 checksum:   114662 fcb0924085a99cb1f5fb7352cb7c4cfe

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:    77652 cf4fdc50fb0c27d2d01ea62a00e419ae
      Size/MD5 checksum:   136234 a99b4802eac588c1a4204b4cb51ee750
      Size/MD5 checksum:   170994 e1579208d48d6eed6d5b4ee78f633c25

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:    77354 9956348cc10198f72e01ef2de9fefb3c
      Size/MD5 checksum:   169408 e442c1e3761d6417f8619b67f100d0ac
      Size/MD5 checksum:   136282 4aa8e92fdf213266c6a00815d2ee1326

powerpc architecture (PowerPC)

      Size/MD5 checksum:   168454 57af4df319a43b6bbe3f26da61b6996c
      Size/MD5 checksum:   131276 481f73af6d5b0532d830889a2d0e17b7
      Size/MD5 checksum:    82444 94db16051730d9c914d3cb1cb8eb983b

s390 architecture (IBM S/390)

      Size/MD5 checksum:   126500 aaa163e9465ea8781f6af4ca7c9d2ee1
      Size/MD5 checksum:    83506 1d9f7379d796d06ca3e18027039fab42
      Size/MD5 checksum:   169568 9e4273791c4237c68fa2e70251d6cf93

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   117968 ec723b26f1cca8f967695d0701d5defb
      Size/MD5 checksum:   154992 581562d68231ccef4ea31a33c3efcf93
      Size/MD5 checksum:    74984 b8b65cf6dc6d7c2947c4049aa27d44ca


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1972-1: New audiofile packages fix buffer overflow

January 17, 2010
Max Kellermann discovered a heap-based buffer overflow in the handling of ADPCM WAV files in libaudiofile

Summary

The old stable distribution (etch), this problem will be fixed in
version 0.2.6-6+etch1.

The packages for the oldtable distribution are not included in this
advisory. An update will be released soon.

For the stable distribution (lenny), this problem has been fixed in
version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 374688 9c1049876cd51c0f1b12c2886cce4d42
Size/MD5 checksum: 1048 ba1535425e02719cb32aaed448b9e615
Size/MD5 checksum: 300816 57eece898416b8ecf3aa5dac27f2c4fc

alpha architecture (DEC Alpha)

Size/MD5 checksum: 158224 c1579697bbb721374da6451aa12a2030
Size/MD5 checksum: 90028 01aa1e7a90c361cdd95f289f4d2b554d
Size/MD5 checksum: 167796 34be04955f6912507db6855eb51fa3cf

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 83988 1f3b65530a04afb05e077ff7ed72d331
Size/MD5 checksum: 169514 94248270333cdf6278dc7b27d3af01d7
Size/MD5 checksum: 130610 a5ba3174a86f15a11f8922ed892f9bec

arm architecture (ARM)

Size/MD5 checksum: 74696 f3aa521f8ed711b4a2fd3ff14a3bba32
Size/MD5 checksum: 164142 a87e3ac1f10e120bf8451aac693036ad
Size/MD5 checksum: 116354 20bccdc0014746f3b07c7b19acbef513

armel architecture (ARM EABI)

Size/MD5 checksum: 77702 0effe95d77f86d22aed53a9a93012d2b
Size/MD5 checksum: 121328 52f253d4bbf24883ca3dd83a7d9e0686
Size/MD5 checksum: 166310 7f5222c459b8964c6551746641b9e385

hppa architecture (HP PA RISC)

Size/MD5 checksum: 135830 8ad815e277bf74a7a231fd3577d1ecbb
Size/MD5 checksum: 87580 83007039c0d0aa96508027c58d44956d
Size/MD5 checksum: 166476 4ea9d29c71058ed703baeb407ebf74ef

i386 architecture (Intel ia32)

Size/MD5 checksum: 164582 7c84007f5260c1b9ce714d9e090b649c
Size/MD5 checksum: 118288 99ca6cf504847281ffee6095d6c56df9
Size/MD5 checksum: 77984 eaa5796ba0a90db7d759719ea46e3ea7

ia64 architecture (Intel ia64)

Size/MD5 checksum: 171436 87e839b3f36d8374d46dd8cc46cfdf02
Size/MD5 checksum: 160876 0a1fca9b908b5626c488befbf17951cd
Size/MD5 checksum: 114662 fcb0924085a99cb1f5fb7352cb7c4cfe

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 77652 cf4fdc50fb0c27d2d01ea62a00e419ae
Size/MD5 checksum: 136234 a99b4802eac588c1a4204b4cb51ee750
Size/MD5 checksum: 170994 e1579208d48d6eed6d5b4ee78f633c25

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 77354 9956348cc10198f72e01ef2de9fefb3c
Size/MD5 checksum: 169408 e442c1e3761d6417f8619b67f100d0ac
Size/MD5 checksum: 136282 4aa8e92fdf213266c6a00815d2ee1326

powerpc architecture (PowerPC)

Size/MD5 checksum: 168454 57af4df319a43b6bbe3f26da61b6996c
Size/MD5 checksum: 131276 481f73af6d5b0532d830889a2d0e17b7
Size/MD5 checksum: 82444 94db16051730d9c914d3cb1cb8eb983b

s390 architecture (IBM S/390)

Size/MD5 checksum: 126500 aaa163e9465ea8781f6af4ca7c9d2ee1
Size/MD5 checksum: 83506 1d9f7379d796d06ca3e18027039fab42
Size/MD5 checksum: 169568 9e4273791c4237c68fa2e70251d6cf93

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 117968 ec723b26f1cca8f967695d0701d5defb
Size/MD5 checksum: 154992 581562d68231ccef4ea31a33c3efcf93
Size/MD5 checksum: 74984 b8b65cf6dc6d7c2947c4049aa27d44ca


These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Severity
Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up