Debian: New mtr packages fix execution of arbitrary code

    Date: 26 May 2008
    Category: Debian
    Posted By: LinuxSecurity Advisories
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1587-1
    http://www.debian.org/security/                               Steve Kemp
    May 26, 2008                          http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : mtr
    Vulnerability  : buffer overflow
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2008-2357
    
    Adam Zabrocki discovered that under certain circumstances mtr, a full 
    screen ncurses and X11 traceroute tool, could be tricked into executing
    arbitrary code via overly long reverse DNS records.
    
    For the stable distribution (etch), this problem has been fixed in version
    0.71-2etch1.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 0.73-1.
    
    We recommend that you upgrade your mtr package.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
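
To confirm that the upgrade above actually took effect, the installed version can be compared against the fixed versions named in this advisory. The script below is an added example, not part of the original advisory; the function names `mtr_status` and `check_host` are hypothetical, and it assumes a Debian system where `dpkg` and `dpkg-query` are available.

```shell
#!/bin/sh
# Fixed versions, taken from DSA-1587-1.
FIXED_ETCH="0.71-2etch1"   # stable (etch)
FIXED_SID="0.73-1"         # unstable (sid)

# mtr_status INSTALLED FIXED
# Prints "fixed" when INSTALLED is at or above FIXED under Debian's
# version ordering, "vulnerable" otherwise.
mtr_status() {
    if dpkg --compare-versions "$1" ge "$2"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_host FIXED
# Reports every installed binary package built from the mtr source
# package (mtr and mtr-tiny); returns 1 if any is still vulnerable.
check_host() {
    rc=0
    for pkg in mtr mtr-tiny; do
        line=$(dpkg-query -W -f='${Status} ${Version}' "$pkg" 2>/dev/null) || continue
        case $line in
            "install ok installed "*) ver=${line##* } ;;
            *) continue ;;   # removed, or only config files left
        esac
        state=$(mtr_status "$ver" "$1")
        echo "$pkg $ver $state"
        [ "$state" = fixed ] || rc=1
    done
    return $rc
}

# Run the host check only when asked: sh check-mtr.sh --check [fixed-version]
# Without a second argument the etch fixed version is used.
if [ "${1:-}" = "--check" ]; then
    check_host "${2:-$FIXED_ETCH}"
fi
```

The non-zero exit status of `check_host` makes the script usable from cron or a configuration-management run to flag hosts that still carry a vulnerable package.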
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main