Debian: New XMMS packages fix arbitrary code execution

    Date04 Apr 2007
    CategoryDebian
    3851
    Posted ByLinuxSecurity Advisories
    Multiple errors have been found in the skin handling routines in xmms, the X Multimedia System. These vulnerabilities could allow an attacker to run arbitrary code as the user running xmms by inducing the victim to load specially crafted interface skin files.

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1277-1                This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                         Noah Meyerhans
    April 04, 2007
    - ------------------------------------------------------------------------
    
    Package        : xmms
    Vulnerability  : several
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2007-0654 CVE-2007-0653
    BugTraq ID     : 23078
    Debian Bug     : 416423
    
    Multiple errors have been found in the skin handling routines in xmms,
    the X Multimedia System.  These vulnerabilities could allow an
    attacker to run arbitrary code as the user running xmms by inducing
    the victim to load specially crafted interface skin files.
    
    For the stable distribution (sarge), these problems have been fixed in
    version 1.2.10+cvs20050209-2sarge1
    
    For the upcoming stable distrubution (etch) and the unstable
    distribution (sid), these problems have been fixed in versions
    1:1.2.10+20061101-1etch1 and 1:1.2.10+20070401-1, respectively.
    
    We recommend that you upgrade your xmms packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian 3.1 (stable)
    - -------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.diff.gz
        Size/MD5 checksum:   333600 8d25c5173ec7d94d0db9f92b418610ce
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209.orig.tar.gz
        Size/MD5 checksum:  2796215 ec03ce185b2fd255d58ef5d2267024eb
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.dsc
        Size/MD5 checksum:     1065 d03e55ebe9c6a5ba2337d5f3542bc883
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_alpha.deb
        Size/MD5 checksum:  2700990 aa024afc093e8f415b19d783e39b81c0
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_alpha.deb
        Size/MD5 checksum:    48766 5fd631196c28fd44df02ecf25ab9c676
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_amd64.deb
        Size/MD5 checksum:  2434966 5c10a5a20aa5329b1c120cef213ef164
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_amd64.deb
        Size/MD5 checksum:    37810 06a82b2325505c9e30e4b7d9c6a17ffe
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_arm.deb
        Size/MD5 checksum:  2396722 fcead4025c4743996a4c307a003377df
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_arm.deb
        Size/MD5 checksum:    35376 e4f630de7290d4141964cc6ae8758ac4
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_hppa.deb
        Size/MD5 checksum:  2585550 c73dd34f37131785adcf699e65b55ac3
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_hppa.deb
        Size/MD5 checksum:    40834 90fe696e1dee1d694cd8148ac83a6b88
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_i386.deb
        Size/MD5 checksum:    33842 52fef7c2ef6a73f329d18b4df43ee6e5
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_i386.deb
        Size/MD5 checksum:  2395578 c0a4c275b67ce3bc166128cd4c1fa747
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_ia64.deb
        Size/MD5 checksum:  2717624 e7d9b41eda0f4b32c3bba2c2dff15fc1
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_ia64.deb
        Size/MD5 checksum:    48220 28fef757212bef0da7ed46bec7e76740
    
    m68k architecture (Motorola Mc680x0)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_m68k.deb
        Size/MD5 checksum:  2315470 1a93ec2577d2a79b9b645003e1d22a03
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_m68k.deb
        Size/MD5 checksum:    31624 30bd86c18e943f3a93a983a63c2c1fb7
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mips.deb
        Size/MD5 checksum:  2412762 e340f997cfbbe0ef8ef50f78b5ec5d71
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mips.deb
        Size/MD5 checksum:    40580 698dfcf5c909de3a955f6337fb23e425
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mipsel.deb
        Size/MD5 checksum:  2391432 b2ef3697588a72e735f5caa02593d1b7
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mipsel.deb
        Size/MD5 checksum:    40516 10443e075a1f4840d4de22f2dcfc355b
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_powerpc.deb
        Size/MD5 checksum:    36946 057d90024cae6e6a0fdfa2d0de666134
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_powerpc.deb
        Size/MD5 checksum:  2487280 e0571a0993112c79d6751509e548193d
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_s390.deb
        Size/MD5 checksum:  2430886 2cc8a1371309b973c1f963a93fc58a80
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_s390.deb
        Size/MD5 checksum:    37424 3e6eb798d0a7a6137fbb1ad1a961da75
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_sparc.deb
        Size/MD5 checksum:    34526 2e7e99b117f6c9ab83d9a8c0afc12f79
      http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_sparc.deb
        Size/MD5 checksum:  2422962 9d5a5484287a3773e8f7a8f5bac4d29a
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":56.1,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":12.2,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"13","type":"x","order":"3","pct":31.71,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.