DSA 1839-1: New gst-plugins-good0.10 packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1839-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
July 19, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : gst-plugins-good0.10
Vulnerability : integer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2009-1932
Debian Bugs : 531631 532352


It has been discovered that gst-plugins-good0.10, the GStreamer plugins
from the "good" set, are prone to an integer overflow, when processing
a large PNG file. This could lead to the execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.10.8-4.1~lenny2.

For the oldstable distribution (etch), this problem has been fixed in
version 0.10.4-4+etch1.

Packages for the s390 and hppa architectures will be released once they
are available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.10.15-2.


We recommend that you upgrade your gst-plugins-good0.10 packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.4.orig.tar.gz
Size/MD5 checksum: 1894794 88aa3c31909ed467605ed04434474c4d
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.4-4+etch1.dsc
Size/MD5 checksum: 1576 4369a23f0e8576377918d7d07d6328dd
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.4-4+etch1.diff.gz
Size/MD5 checksum: 24338 e5b085ae2275c9da0af25175f65c7baf

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-doc_0.10.4-4+etch1_all.deb
Size/MD5 checksum: 95182 11e977d541258f5bb44fcfa9725544be

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_alpha.deb
Size/MD5 checksum: 36152 824c86b12c45a27350e4aa619e032152
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_alpha.deb
Size/MD5 checksum: 701616 03d794c04e432e88e63d46fae06280a1
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_alpha.deb
Size/MD5 checksum: 1724576 290c5da8efa9ca0fb8d891e972dd0d3a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_amd64.deb
Size/MD5 checksum: 1732384 18059f6e0ad6e22d30cd37f67e805242
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_amd64.deb
Size/MD5 checksum: 657520 38e793fe7760a4c0ff377c2334312672
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_amd64.deb
Size/MD5 checksum: 35932 07678ef5b78b7d92e558432780249b53

arm architecture (ARM)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_arm.deb
Size/MD5 checksum: 1682156 eae4e709d2092212c332a38584a0b02b
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_arm.deb
Size/MD5 checksum: 36330 c66b476327a3a8af4ff2007df3195ad9
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_arm.deb
Size/MD5 checksum: 648606 7eaca1b32d4f041fd8a470b4d2cde52d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_i386.deb
Size/MD5 checksum: 1663280 57029198e3d83aa970ab33d6ca350b39
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_i386.deb
Size/MD5 checksum: 35760 5edf5708f77639289fe677ed7ca2e420
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_i386.deb
Size/MD5 checksum: 627152 617ca7ae96554e009c38c2a5034f1990

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_ia64.deb
Size/MD5 checksum: 38402 aad2afd4ffa648f3dfc1f7ae906dae7a
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_ia64.deb
Size/MD5 checksum: 921426 8ca6d1599475312129e5d53d2a76bbb7
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_ia64.deb
Size/MD5 checksum: 1699382 f4f07a7d7d090ba029b39f5593bd1506

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_mips.deb
Size/MD5 checksum: 651366 81bc05502bf076091433986eedcddac3
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_mips.deb
Size/MD5 checksum: 36372 6a948078c72d522d6bbea18c8d6c8605
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_mips.deb
Size/MD5 checksum: 1757020 019dd9d275ac509ef12fec25e1b1927a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_mipsel.deb
Size/MD5 checksum: 1736574 5fb491e85fdc9e30ec00a1785bf592ab
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_mipsel.deb
Size/MD5 checksum: 36388 a938fc1e339b3ab8df7261e75a9711cb
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_mipsel.deb
Size/MD5 checksum: 647074 5c63e0acec9f0acb2bfa8dfd4ba9ba0c

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_powerpc.deb
Size/MD5 checksum: 718846 23a52f9af7082a81c8ab0f34b253feef
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_powerpc.deb
Size/MD5 checksum: 37784 ce7cefbf74bbf303313ada78c81229fb
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_powerpc.deb
Size/MD5 checksum: 1782098 969ed616b5ab16ae09166b0e7370f67e

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.4-4+etch1_sparc.deb
Size/MD5 checksum: 1645906 2c53a10e752461a3580a56319f2a0f0c
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.4-4+etch1_sparc.deb
Size/MD5 checksum: 636014 52bb79329a93ba8e4ab1690c69845882
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.4-4+etch1_sparc.deb
Size/MD5 checksum: 35678 d9c01bd16c1ce54000b16d8385e4ef98


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.8-4.1~lenny2.diff.gz
Size/MD5 checksum: 30321 2f1494f7a2f648f84dd853f95fbc036b
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.8-4.1~lenny2.dsc
Size/MD5 checksum: 2568 bb8e690805dfc8d9eb8595cf9f8738cb
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.8.orig.tar.gz
Size/MD5 checksum: 2923109 467295921ca225aaa05afe9381f4b424

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-doc_0.10.8-4.1~lenny2_all.deb
Size/MD5 checksum: 172232 cc5f1d3077e8ab179a99e7b00952e4e3

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_alpha.deb
Size/MD5 checksum: 1085902 ec69ccbbd739370cd5cdd87097845608
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_alpha.deb
Size/MD5 checksum: 2559520 ef84a92578c2a8883cb1f08850bd2503
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_alpha.deb
Size/MD5 checksum: 46504 d20ddb4964025adddb9c8a4c8134194f

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_amd64.deb
Size/MD5 checksum: 2602660 ed45c89a649bb02e74fd313c1c6ea571
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_amd64.deb
Size/MD5 checksum: 1024404 e2e2767732a649c650db109e1b654cbc
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_amd64.deb
Size/MD5 checksum: 46620 fb72b9020cfa305b9eac7d9dfb2611c1

arm architecture (ARM)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_arm.deb
Size/MD5 checksum: 1032978 041875758c9abfc88ccd1a4584603986
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_arm.deb
Size/MD5 checksum: 47358 d9ff739a754c29d75bb2ad089c1eeb18
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_arm.deb
Size/MD5 checksum: 2552334 c3c6d7c30c97565b0279b439c6d15024

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_armel.deb
Size/MD5 checksum: 2575848 48e7c802f6dd71b410b75878731743c3
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_armel.deb
Size/MD5 checksum: 47988 339dbfe5fed9a1b0bb4613592cbfa4c8
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_armel.deb
Size/MD5 checksum: 1090394 ce9ac0488902b58a8e44a96ff6aeb5c5

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_hppa.deb
Size/MD5 checksum: 1246866 176058c93063fd428d5eba0e53f4f316
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_hppa.deb
Size/MD5 checksum: 2583248 20e5ed5572de7ea2b9fc6eb6da245de3
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_hppa.deb
Size/MD5 checksum: 48926 265697d276c0090ab97870e83393372e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_i386.deb
Size/MD5 checksum: 46554 6ded8d4176f2d53019907d70813c4b3a
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_i386.deb
Size/MD5 checksum: 960766 6d091000a4edb70d2c979cfd56529357
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_i386.deb
Size/MD5 checksum: 2503536 7a8c1fad3d157cb33e5119afd6a052cc

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_ia64.deb
Size/MD5 checksum: 1409690 a0ed8bc63531bfbecd97503c68e28f60
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_ia64.deb
Size/MD5 checksum: 48676 a126fb2251d1e18da80aecb8d7325727
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_ia64.deb
Size/MD5 checksum: 2549976 9ed6df4d0afd911cf916b4a1afa32b59

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_mips.deb
Size/MD5 checksum: 2618126 83f8267b980702b558d177f0d3f88f5d
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_mips.deb
Size/MD5 checksum: 1010320 bfa7c41cbba3541c9c0986539f8e0e45
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_mips.deb
Size/MD5 checksum: 46880 5dc0f286c77dad40ffc892e2d6decc35

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_mipsel.deb
Size/MD5 checksum: 46914 91c4cb67af4427246fbb3e808bf6a699
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_mipsel.deb
Size/MD5 checksum: 1002768 4d018f16fdcb9c6a6e38fff976d0943d
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_mipsel.deb
Size/MD5 checksum: 2594052 f372eb96a51cf574f73931de4b5dfa51

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_powerpc.deb
Size/MD5 checksum: 2643186 73d5591a8aed7d66c726d7b63e53a302
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_powerpc.deb
Size/MD5 checksum: 1084064 f00985c15b1f4164072af96b2cf69af9
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_powerpc.deb
Size/MD5 checksum: 47370 9139ab03055a0cc0c58b99b6b2936c6c

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1~lenny2_sparc.deb
Size/MD5 checksum: 2448238 d9664009d14d10e9e295d66a17a84378
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1~lenny2_sparc.deb
Size/MD5 checksum: 994402 fc847a1d0cb1721b8c0348a88a272b15
http://security.debian.org/pool/updates/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1~lenny2_sparc.deb
Size/MD5 checksum: 45996 ccfb6b7d76be3274405f20775c2d7c9f


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpixbMACgkQ62zWxYk/rQe4IwCfUo9L78Zi48DdZEFL2908IJMt
+PcAn3U9EVMAJT2grwMoTYrZeW/D1RGd
=SyUl
-----END PGP SIGNATURE-----
"

DSA 1836-1: New fckeditor packages fix arbitrary code executionRobbie distracted by Jay Kay

This entry was posted on 6:22 AM .