DSA 1748-1: New libsoup packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1748-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
March 20, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : libsoup
Vulnerability : integer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2009-0585
Debian Bugs : 520039


It was discovered that libsoup, an HTTP library implementation in C,
handles large strings insecurely via its Base64 encoding functions. This
could possibly lead to the execution of arbitrary code.


For the oldstable distribution (etch), this problem has been fixed in
version 2.2.98-2+etch1.

The stable distribution (lenny) is not affected by this issue.

The testing distribution (squeeze) and the unstable distribution (sid)
are not affected by this issue.


We recommend that you upgrade your libsoup packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98-2+etch1.diff.gz
Size/MD5 checksum: 6510 65ab0f023a150170e8a181890a00b023
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98-2+etch1.dsc
Size/MD5 checksum: 1537 cd5b947c0b3b9203aa52f6d0ec40821c
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98.orig.tar.gz
Size/MD5 checksum: 692665 b20e2a41ab0d21cc8d84fd76b4dbf47b

Architecture independent packages:

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-doc_2.2.98-2+etch1_all.deb
Size/MD5 checksum: 148102 b1e78a8f3396ae6d58f3cf3889c8c6ff

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_alpha.deb
Size/MD5 checksum: 143528 45221b9485dd0b1d7a5b2a0dc68b1dc0
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_alpha.deb
Size/MD5 checksum: 225664 646feecbfdae326e7e131682c87eb490

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_amd64.deb
Size/MD5 checksum: 173460 91bbd9ff1aba8b8a5739fee06c67d5c8
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_amd64.deb
Size/MD5 checksum: 134338 4f0863cdc2d1d2b11020ea48d383da47

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_arm.deb
Size/MD5 checksum: 156102 5b9fc9b512df31fc13545b1ad5b58b59
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_arm.deb
Size/MD5 checksum: 122166 1f7ffd4f62f0e3da5dfda7bba9b6cf8e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_i386.deb
Size/MD5 checksum: 159014 ceff344964f226cbe0c3d9fe33d269c1
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_i386.deb
Size/MD5 checksum: 127618 233269397ec53a7728efbbe4bb5ffdbf

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_ia64.deb
Size/MD5 checksum: 166682 3e731257e90366342668ae79a62d765c
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_ia64.deb
Size/MD5 checksum: 224356 ef42597d156076f2c8b14719ba86b6f7

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_mips.deb
Size/MD5 checksum: 123812 4cf102e455c0dbd0b216ba566a0c0ab8
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_mips.deb
Size/MD5 checksum: 186234 cd10eebffdc0cd2d3054312e33e4ce8e

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_mipsel.deb
Size/MD5 checksum: 123834 98548a14e5ce79bebb383a6aecee4c98
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_mipsel.deb
Size/MD5 checksum: 184598 95aaf80730c26f9d8d157946b2ac5647

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_powerpc.deb
Size/MD5 checksum: 129934 eed29efd7504d5773dfc3f9e63b86a8f
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_powerpc.deb
Size/MD5 checksum: 174982 d03e2f8a85f8e3f34f66adcd828cc96e

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_s390.deb
Size/MD5 checksum: 138932 6cddb3baf9116f406a24b3a9a0704bbf
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_s390.deb
Size/MD5 checksum: 173034 152912e389a2e79703e7b99754815f8d

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_sparc.deb
Size/MD5 checksum: 127078 ce5d52474147b2df700df515920bd392
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_sparc.deb
Size/MD5 checksum: 163488 07d3e61ff2b929e005f9a66a2ad8354d


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknDpHcACgkQ62zWxYk/rQcqxwCgiR0gBbnd2D+e2NPMcAW2LRLL
jZoAoL4Plgu8bTUw0AgqacvBkUt7bwk4
=tp9e
-----END PGP SIGNATURE-----
"


‘American Idol’ selects 3 more finalists
(AP)

DSA 1739-1: New mldonkey packages fix information disclosure
DSA 1741-1: New psi packages fix denial of service
Another ‘American Idol’ contestant booted
(AP)

This entry was posted on 12:18 AM .