-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1745-2 security@debian.org http://www.debian.org/security/ Steffen Joeris March 25, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : lcms Vulnerability : several vulnerabilities Problem type : local (remote) Debian-specific: no CVE Ids : CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 This update fixes a possible regression introduced in DSA-1745-1 and also enhances the security patch. For reference the original advisory text is below. Several security issues have been discovered in lcms, a color management library. The Common Vulnerabilities andi Exposures project identifies the following problems: CVE-2009-0581 Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. CVE-2009-0723 Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. CVE-2009-0733 Chris Evans discovered the lack of upper-gounds check on sizes leading to a buffer overflow, which could be used to execute arbitrary code. For the stable distribution (lenny), these problems have been fixed in version 1.17.dfsg-1+lenny2. For the oldstable distribution (etch), these problems have been fixed in version 1.15-1.1+etch3. For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your lcms packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch3.diff.gz Size/MD5 checksum: 5160 16d7404b4dc2f31cfe8c83336013cddd http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch3.dsc Size/MD5 checksum: 644 5fe77039701cfa261d3ef84842d0e81e http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15.orig.tar.gz Size/MD5 checksum: 791543 95a710dc757504f6b02677c1fab68e73 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_alpha.deb Size/MD5 checksum: 181316 b06ba5e4b64f5199ef241bd9fe8f293c http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_alpha.deb Size/MD5 checksum: 60246 89c087c9dd7e2d5dd2d78cbfb80c4017 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_alpha.deb Size/MD5 checksum: 154378 9ab10ab4eae2ad103b2a7abc18e6cfc4 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_amd64.deb Size/MD5 checksum: 149534 1c06e35f87a683ad05c0fb1503859b4b http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_amd64.deb Size/MD5 checksum: 141016 f957d77d929d2e5ab9a4749cafab3b65 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_amd64.deb Size/MD5 checksum: 53242 52fe759a62f8b111a65550f074c5037b arm architecture (ARM) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_arm.deb Size/MD5 checksum: 136610 d7c849cdf0eef3e2c0c1318a31f9e7c1 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_arm.deb Size/MD5 checksum: 135176 501beeb4b4309ae863c8c0d46fde6b1a http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_arm.deb Size/MD5 checksum: 51742 bc7e60d9b5ac44efdf24a0b384f0f173 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_hppa.deb Size/MD5 checksum: 169464 312f7f7f841c09396a6c30ca76a35754 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_hppa.deb Size/MD5 checksum: 158496 9d0fa35be0159f82709447b53df2a003 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_hppa.deb Size/MD5 checksum: 59260 88e7279014e0482a797d54140e74e828 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_i386.deb Size/MD5 checksum: 50258 fa63f21e62c9fc8b863b60a3b470a840 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_i386.deb Size/MD5 checksum: 144134 58a63611f27e80b39537c28171211699 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_i386.deb Size/MD5 checksum: 138128 4c01410bae1d6508a77708206032871d ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_ia64.deb Size/MD5 checksum: 78588 17da81143523be8e6ea70be3c4044422 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_ia64.deb Size/MD5 checksum: 196180 68a05087486894adae92031ed3c7d510 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_ia64.deb Size/MD5 checksum: 205450 66244f6ebdf34dd656cf7bbbe649e110 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_mips.deb Size/MD5 checksum: 149686 8d5cb21c8f47d5576aa8d7aa5bfc6aa8 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_mips.deb Size/MD5 checksum: 173982 7101d5218722dc09f7c89e09b93bd9be http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_mips.deb Size/MD5 checksum: 52094 72ec336e06cf4042648d9ddd00509f35 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_mipsel.deb Size/MD5 checksum: 150926 c6a286b60bc31d2f48f3fb05209f0c83 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_mipsel.deb Size/MD5 checksum: 52290 91070dc723d6e000a7b78cb3221ef280 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_mipsel.deb Size/MD5 checksum: 175070 6f59ce0571035853680e96134062857d powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_powerpc.deb Size/MD5 checksum: 148372 30e1c544cbe11d7b207a361d0f8fadc7 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_powerpc.deb Size/MD5 checksum: 148342 68e7d1bd20e8a05ea8edc165e746a784 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_powerpc.deb Size/MD5 checksum: 57778 ac6467e6d888c9e64aed8612f0ec0f16 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_s390.deb Size/MD5 checksum: 54298 37e6c4d12f4f33b9b0e95119a27e9714 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_s390.deb Size/MD5 checksum: 143172 a95270d1b8a7c1f282fabdf349bea783 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_s390.deb Size/MD5 checksum: 145324 619d5b581922e40d17de03b31db02faf sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch3_sparc.deb Size/MD5 checksum: 51562 bf67e60a217cf1157fcd0a29a8ac1907 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch3_sparc.deb Size/MD5 checksum: 147482 cfef0937ca2d432f04bacbd1e7f8472a http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch3_sparc.deb Size/MD5 checksum: 138088 e40a9fb196fd26caec11619fbaf60cda Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/l/lcms/lcms_1.17.dfsg-1+lenny2.dsc Size/MD5 checksum: 1299 196c0beecdeffca26d4fd76bfa1f13fa http://security.debian.org/pool/updates/main/l/lcms/lcms_1.17.dfsg.orig.tar.gz Size/MD5 checksum: 883148 efe7467bac4f10d9b354d5733489334d http://security.debian.org/pool/updates/main/l/lcms/lcms_1.17.dfsg-1+lenny2.diff.gz Size/MD5 checksum: 11880 df69500e72128def5994ef29c66a213a alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_alpha.deb Size/MD5 checksum: 153634 0e6eec2a3310e2e1f700b2a05fd9130d http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_alpha.deb Size/MD5 checksum: 66082 d78ea1ba9b77d499abfcd32762a1cb4d http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_alpha.deb Size/MD5 checksum: 227824 daa5711586870a1c9ed8d3e522e13a5f http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_alpha.deb Size/MD5 checksum: 117318 d9a92db2a1208ce29f0907156c0f21ec amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_amd64.deb Size/MD5 checksum: 109436 ca441d44b110249b98976d93ee948968 http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_amd64.deb Size/MD5 checksum: 156844 eeaac6c774c317469343296904f2d8f2 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_amd64.deb Size/MD5 checksum: 198650 cba03a4c26fbf1d306d669301375d741 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_amd64.deb Size/MD5 checksum: 59352 5d8f067f54a1a1d1236100ec3198e07b arm architecture (ARM) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_arm.deb Size/MD5 checksum: 187620 69df7534d2350b0d746a4c54c822a272 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_arm.deb Size/MD5 checksum: 100818 03391efaf6b0e8a2a557fa18fb593a96 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_arm.deb Size/MD5 checksum: 56184 d40c2a788175ea465fddf9695ae0c74e http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_arm.deb Size/MD5 checksum: 135840 b184dfae5d2bc6f63118183b70746792 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_armel.deb Size/MD5 checksum: 136226 0bbf79f1a6a8be0ff7543c3cd4e42140 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_armel.deb Size/MD5 checksum: 108536 e28f48cfbca91daa41344b019cf7d5c0 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_armel.deb Size/MD5 checksum: 195116 6460336eb5a0445b0c03d9696fb5fcbc http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_armel.deb Size/MD5 checksum: 60304 e851d20fb24e31bde2831f74c1fd73d8 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_hppa.deb Size/MD5 checksum: 217310 640dccdf2c7840500c4d4df9f53d1764 http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_hppa.deb Size/MD5 checksum: 181886 dff1392a724aec6efe449767176dfd48 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_hppa.deb Size/MD5 checksum: 63650 6108c4ddbb4d2b168fb9579e263d89ec http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_hppa.deb Size/MD5 checksum: 120824 fa7b2afd7746de92c8dbbf777a63be00 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_i386.deb Size/MD5 checksum: 149512 a52ab7fa8e0e8b7876770443f7b33d26 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_i386.deb Size/MD5 checksum: 191776 67f020fc2fee74112c13c67b62bd33ac http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_i386.deb Size/MD5 checksum: 55334 d67ca2db867df6f180f370ea71352ba9 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_i386.deb Size/MD5 checksum: 102528 fce72bbf31189287d737104df10fb860 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_ia64.deb Size/MD5 checksum: 85106 bdb601f8e0628a183552ca9662395003 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_ia64.deb Size/MD5 checksum: 261388 1f4587b160e1417f7862062607aa9428 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_ia64.deb Size/MD5 checksum: 168410 32803bd752ab02745c1f5421d77e76e4 http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_ia64.deb Size/MD5 checksum: 184744 c1fc1cfab42a15f14069c7b4291b58d5 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_mips.deb Size/MD5 checksum: 113914 720820898fadfe0f5c9577b94d7d596d http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_mips.deb Size/MD5 checksum: 133806 7c5158967ab58f8361c728470a8cf3ca http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_mips.deb Size/MD5 checksum: 57094 0c5f8a8e4b11636ee422e67a400d276a http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_mips.deb Size/MD5 checksum: 221442 cf73eb40bf7fca081eb72164cbad007b mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_mipsel.deb Size/MD5 checksum: 116858 5cc0672b4e6631a065822c4dbef8f6dd http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_mipsel.deb Size/MD5 checksum: 57180 e788b1715e993fd87bd450c05c8a4edb http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_mipsel.deb Size/MD5 checksum: 224906 9af1ae4fd0719c03af6bcd20c06fe8b1 http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_mipsel.deb Size/MD5 checksum: 130228 d0ab9d0595147cc05012d6d85c649c16 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_powerpc.deb Size/MD5 checksum: 197118 e968b8dc68cade76a972984ee7be6a42 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_powerpc.deb Size/MD5 checksum: 115862 6c63f6f6e720988973299bb7aaf16be1 http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_powerpc.deb Size/MD5 checksum: 70946 87bf7ecd279df9b7a4378ad2aa0568b9 http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_powerpc.deb Size/MD5 checksum: 163524 888ccce8725b23b03e19ff03cd7c1dba s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_s390.deb Size/MD5 checksum: 61034 91931f080c60c2bed98b07c93a1d815c http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_s390.deb Size/MD5 checksum: 137822 57fe47c765d8dd2bd68282180786a22a http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_s390.deb Size/MD5 checksum: 109236 12d604eb4030d11e5396cab3ad2be461 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_s390.deb Size/MD5 checksum: 191326 ab66b338cb32e84f441c45d07e44c744 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.17.dfsg-1+lenny2_sparc.deb Size/MD5 checksum: 58624 973b4ab50eaf18dbb55648a3b49e982c http://security.debian.org/pool/updates/main/l/lcms/python-liblcms_1.17.dfsg-1+lenny2_sparc.deb Size/MD5 checksum: 156994 d5a82f96ef78ee2739e35548c1d89953 http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.17.dfsg-1+lenny2_sparc.deb Size/MD5 checksum: 102080 5aa8adf1027ae2a771f538b0630bcc77 http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.17.dfsg-1+lenny2_sparc.deb Size/MD5 checksum: 195704 5040b60f738977f0686ab32e1b705bcc These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAknKFP4ACgkQ62zWxYk/rQdg0gCeNPzrr/e/sg+UdyIwtEPTanhl sS0Ani3D50rMKSZXBNaZIg5GygAk8Lio =F3JP -----END PGP SIGNATURE-----