Debian: New diatheke packages fix arbirary shell command execution

    Date25 Feb 2008
    CategoryDebian
    3703
    Posted ByLinuxSecurity Advisories
    Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1508-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                          Thijs Kinkhorst
    February 25, 2008                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : diatheke
    Vulnerability  : insufficient input sanitising
    Problem type   : remote
    Debian-specific: no
    CVE Id         : CVE-2008-0932
    Debian Bug     : 466449
    
    Dan Dennison discovered that Diatheke, a CGI program to make a bible
    website, performs insufficient sanitising of a parameter, allowing a
    remote attacker to execute arbitrary shell commands as the web server
    user.
    
    For the stable distribution (etch), this problem has been fixed in version
    1.5.9-2etch1.
    
    For the old stable distribution (sarge), this problem has been fixed in
    version 1.5.7-7sarge1.
    
    For the unstable distribution (sid), this problem has been fixed in version
    1.5.9-8.
    
    We recommend that you upgrade your diatheke package.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7-7sarge1.dsc
        Size/MD5 checksum:      938 4f7872250c457ac36f0b20b4be235647
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7-7sarge1.diff.gz
        Size/MD5 checksum:   277640 f8993cddacdac25ca55b7e99ced8ff49
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7.orig.tar.gz
        Size/MD5 checksum:  1482711 369f09068839c646aeab691c63a40d67
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_alpha.deb
        Size/MD5 checksum:   861694 ca88e3e550ae01cd8e3ad1a6d6471814
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_alpha.deb
        Size/MD5 checksum:   419320 35838e66e76e99777524aa81741025c8
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_alpha.deb
        Size/MD5 checksum:    61684 b97611c37f53b39941573e6c76609c40
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_amd64.deb
        Size/MD5 checksum:   602656 c4b37895a49dce481ea3c6a8817123c2
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_amd64.deb
        Size/MD5 checksum:    56944 ad12da845e900e3a28c70b9b2baa6d70
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_amd64.deb
        Size/MD5 checksum:   383486 614d4988fd26ccc58dbe1029aacb7930
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_arm.deb
        Size/MD5 checksum:    60386 3400611bc0cba8ea77e4bfbeaa659ac6
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_arm.deb
        Size/MD5 checksum:   664170 d0d17f06931f3e6076aed502e8128d5c
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_arm.deb
        Size/MD5 checksum:   423264 9951b8913a4c6b18b357aead48e53f6c
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_hppa.deb
        Size/MD5 checksum:    62772 676ff7f61ab0ee7629e7fcb59d67cfd5
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_hppa.deb
        Size/MD5 checksum:   494764 15e5da49e21a167088aacebf94a12367
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_hppa.deb
        Size/MD5 checksum:   750722 44a066596efa0bb63b184635d3d9c985
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_i386.deb
        Size/MD5 checksum:   556994 f04d2f9bc41e5703967630adf4e12754
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_i386.deb
        Size/MD5 checksum:   388072 4dabb05ea1d6b72ba61e8877cbad1544
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_i386.deb
        Size/MD5 checksum:    58108 665ce388ee9a74a0d850007beae3051a
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_ia64.deb
        Size/MD5 checksum:   466340 0a9f1874a5ee1d6617da38d4f7417802
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_ia64.deb
        Size/MD5 checksum:    64644 e50afdc379e2ee1cfc63362ca56b6a43
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_ia64.deb
        Size/MD5 checksum:   837798 81cf1be5ab2d124e9dd92a1da9c1c15d
    
    m68k architecture (Motorola Mc680x0)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_m68k.deb
        Size/MD5 checksum:   417132 f5e116fb462b5bdf9ef08211d1c6cd52
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_m68k.deb
        Size/MD5 checksum:    57980 86d8007e4816fffee69ea16c4827ce06
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_m68k.deb
        Size/MD5 checksum:   567256 2d9c3d17625959ab6cc07e4f793ffe1e
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_mips.deb
        Size/MD5 checksum:    56452 5d7c6933e70b725863bd0a66c67a55fe
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_mips.deb
        Size/MD5 checksum:   386732 9cf45f9a4f2a724ddf59f44722fe65a0
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_mips.deb
        Size/MD5 checksum:   646212 b9384991c2c1b2b8e0018b6416d31951
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_mipsel.deb
        Size/MD5 checksum:    56966 35d2052410564a85968bf742f3f68dbf
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_mipsel.deb
        Size/MD5 checksum:   379530 26b3825148616fd2d6dd3cd903a4e977
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_mipsel.deb
        Size/MD5 checksum:   638566 46b77e2b772f5541e1796e7da843a247
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_powerpc.deb
        Size/MD5 checksum:   391192 0b34febe0ebb14c92682c2dbc76771fa
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_powerpc.deb
        Size/MD5 checksum:    58252 19548157c20b44b18caef5d403e14fb7
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_powerpc.deb
        Size/MD5 checksum:   604674 be541b1d6bcc5e80316060186be21d10
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_s390.deb
        Size/MD5 checksum:    56026 b8120c2d0e5be07ddb300af6a60c1faa
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_s390.deb
        Size/MD5 checksum:   370772 ddf6d071ad5aa712420c75a8d2bfb738
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_s390.deb
        Size/MD5 checksum:   556410 ee6ddc10bfbe16de2169fdc0520141b0
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_sparc.deb
        Size/MD5 checksum:   371800 65781c2553eb412d5fde41764acda7a4
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_sparc.deb
        Size/MD5 checksum:   562484 01aab00a96c2a41a993dda30244bcd39
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_sparc.deb
        Size/MD5 checksum:    55892 269c7013235b22bb8f729d1be6afdf14
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9.orig.tar.gz
        Size/MD5 checksum:  1806178 346539f31b41015161d8dd0d2f035243
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9-2etch1.diff.gz
        Size/MD5 checksum:    82071 c39c316e9c81e54136eb02f68292c09d
      http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9-2etch1.dsc
        Size/MD5 checksum:     1026 d93f49c3798272c9de84ec6ae5d1cbed
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_alpha.deb
        Size/MD5 checksum:    63862 f5bd3d4b2b9f4d25e4e46bd340be6574
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_alpha.deb
        Size/MD5 checksum:  1083146 9e5c12ac37f74c73de71640dc9123451
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_alpha.deb
        Size/MD5 checksum:   570134 8f0e4a8a277c52f8792fbaaf3832cad4
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_amd64.deb
        Size/MD5 checksum:    60336 bda3b15108b9219d05c912a163aebe3f
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_amd64.deb
        Size/MD5 checksum:   753952 b3317e5f636d51d0d3cb67bea6d8ff66
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_amd64.deb
        Size/MD5 checksum:   522700 c3811d54aaf90d8a1e21f15c5002fd17
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_arm.deb
        Size/MD5 checksum:   573672 8ffba4012e609e2798d350b38ddbd8c7
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_arm.deb
        Size/MD5 checksum:   766388 55b6d5123ca9b9092032bf9caee98112
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_arm.deb
        Size/MD5 checksum:    63234 958ca4da6586909d9409b40329f39f45
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_hppa.deb
        Size/MD5 checksum:   584080 6f1cc9c15b664ebb74e1cf7e939c4f75
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_hppa.deb
        Size/MD5 checksum:   845330 71c64fedf3e13c7b539f312eb086c49a
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_hppa.deb
        Size/MD5 checksum:    61824 2d469a58a247a92c465580385506f9a7
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_i386.deb
        Size/MD5 checksum:   526314 95b5aaff3ccec4dcd1f77e95f6bf2da0
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_i386.deb
        Size/MD5 checksum:   701078 e3c8ec3d6dcfcfae0cddbb618353db36
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_i386.deb
        Size/MD5 checksum:    62206 0a384fecde3e4492fda105eb9d82ce35
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_ia64.deb
        Size/MD5 checksum:    67770 c7296f050f8b6aa8b3716407c1e8bd9e
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_ia64.deb
        Size/MD5 checksum:  1056066 63924aeee34272cb2aa1488ffcb62c49
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_ia64.deb
        Size/MD5 checksum:   652744 4e403c544c3894965f828fa63336d227
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_mips.deb
        Size/MD5 checksum:   513104 4235aac60a97d5095faa74fcb6f63673
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_mips.deb
        Size/MD5 checksum:   808744 5fcc41e803e360838401204ea3d15473
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_mips.deb
        Size/MD5 checksum:    59746 c1cbe01f3531e635f30bb2b41b362222
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_mipsel.deb
        Size/MD5 checksum:   798964 db9f7c30066e22baadbcb732b6eadbf8
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_mipsel.deb
        Size/MD5 checksum:   491160 53790c7e146badd8a45bb46bf5908d7e
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_mipsel.deb
        Size/MD5 checksum:    59656 cbcedf0aa7bed75a0c633367c08b24ea
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_powerpc.deb
        Size/MD5 checksum:    61128 e66a08fccc0c312e7ae74296dda033ad
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_powerpc.deb
        Size/MD5 checksum:   777846 579e38653daaddc21914087ad5584b57
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_powerpc.deb
        Size/MD5 checksum:   535186 2f9311708b7d8ec3121831676086f333
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_s390.deb
        Size/MD5 checksum:   495200 fc79f7ccbeabbd6e7522918f1b749c75
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_s390.deb
        Size/MD5 checksum:   684810 776d22f572895a62b0a569321a9cbb8d
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_s390.deb
        Size/MD5 checksum:    58638 0c496a1f4ab88f02fd737a30a61939a3
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_sparc.deb
        Size/MD5 checksum:   689496 0d06108dda2563af38065bc454d1e9ac
      http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_sparc.deb
        Size/MD5 checksum:    59264 71c327d607c82faaacbc5a8fe498e8da
      http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_sparc.deb
        Size/MD5 checksum:   548874 6c18df8573010673e5a3855ec326604b
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"7","type":"x","order":"1","pct":58.33,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":25,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":16.67,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.