From debian-security-announce@lists.debian.org Fri Jun 20 15:49:05 2003 From: debian-security-announce@lists.debian.org Resent-From: list@murphy.debian.org (SmartList) To: full-disclosure@lists.netsys.com Date: Thu, 19 Jun 2003 22:17:50 -0400 Reply-To: full-disclosure@lists.netsys.com Subject: [Full-Disclosure] [SECURITY] [DSA-327-1] New xbl packages fix buffer overflows -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 327-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman June 19th, 2003 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : xbl Vulnerability : buffer overflows Problem-Type : local Debian-specific: no Steve Kemp discovered several buffer overflows in xbl, a game, which can be triggered by long command line arguments. This vulnerability could be exploited by a local attacker to gain gid 'games'. For the stable distribution (woody) this problem has been fixed in version 1.0k-3woody1. For the old stable distribution (potato) this problem has been fixed in version 1.0i-7potato1. For the unstable distribution (sid) this problem is fixed in version 1.0k-5. We recommend that you update your xbl package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1.dsc Size/MD5 checksum: 554 d4b156eca0f35de954bd913bcd189b3e http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1.diff.gz Size/MD5 checksum: 7844 a55498b9b859c7a71744e9e9e1752af3 http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i.orig.tar.gz Size/MD5 checksum: 213223 b9ea1555044e7ca80ff781796fd867b1 Alpha architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_alpha.deb Size/MD5 checksum: 120714 dc4849970e1a724b4387e7f3f07dc820 ARM architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_arm.deb Size/MD5 checksum: 104536 74d0a2c7da8e14e1b7f425f31ab6f5d8 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_i386.deb Size/MD5 checksum: 100054 3ef40d75316e7f455868fa23f40712d9 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_m68k.deb Size/MD5 checksum: 96526 22868d833d5b1ff7616709516ca91750 PowerPC architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_powerpc.deb Size/MD5 checksum: 108338 1bf1e03fcde2d23aa7c6bcfa751899db Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_sparc.deb Size/MD5 checksum: 107850 339f2a39f75c73d1eafd0bf20216bc95 Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1.dsc Size/MD5 checksum: 566 a25e8ecf19edb97ab3cc32d52f20712f http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1.diff.gz Size/MD5 checksum: 9244 2376e2e1b69d0d79f0b0c0f87fe99a73 http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k.orig.tar.gz Size/MD5 checksum: 135080 22e7822a449ae5b68695158fd59ea49c Alpha architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_alpha.deb Size/MD5 checksum: 122224 ef6d29658f10a304876a2f17660b92a4 ARM architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_arm.deb Size/MD5 checksum: 111094 d02b8e87910b0c410698430110eb4609 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_i386.deb Size/MD5 checksum: 103230 91c87f285064777b556e60a41b5d137e Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_ia64.deb Size/MD5 checksum: 151410 f01344cab1623a36565d7ccae04ff20c HP Precision architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_hppa.deb Size/MD5 checksum: 116734 8ba40022bd13b071ce9832879bc00057 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_m68k.deb Size/MD5 checksum: 97730 5d8d438bd00e9f82b84a42f2d9797141 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_mips.deb Size/MD5 checksum: 115968 161ebcca8ea2a4adb31ecad81c151ee1 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_mipsel.deb Size/MD5 checksum: 115830 59b4a9b21a0658d6fc1f4b42d599f91d PowerPC architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_powerpc.deb Size/MD5 checksum: 112202 69b74ea9a5fb019dbcd56051789c8970 IBM S/390 architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_s390.deb Size/MD5 checksum: 106190 59e14cbb58a28db14639bba8a3c0c802 Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_sparc.deb Size/MD5 checksum: 111194 b67bf2b0ba2174935b2ef85ca45a28a3 These files will probably be moved into the stable distribution on its next revision. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+8m67ArxCt0PiXR4RAt/HAJ9RJg2Q27gCeQKvIttoDEy64cSAJgCfVoL/ qmvcz1z0EUoewjK5BRdMY7A= =ku6J -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html