ID: 00133
Ref: 131/2006
Date: 15 February 2006:14:20:20
Version: 1
Title: Five Debian Security Advisories
Abstract:
Vendors affected: Debian
Operating systems affected: Debian
Applications affected: Debian
Title
=====
Five Debian Security Advisories:
1. DSA 968-1 - New noweb packages fix insecure temporary file creation
2. DSA 969-1 - New scponly packages fix potential root vulnerability
3. DSA 972-1 - New pdfkit.framework packages fix denial of service
4. DSA 973-1 - New OTRS packages fix several vulnerabilities
5. DSA 974-1 - New gpdf packages fix denial of service
Detail
======
1. Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in noweb, a WEB-like literate-programming
tool, creates a temporary file in an insecure fashion.
2. Max Vozeller discovered a vulnerability in scponly, a utility to
restrict user commands to scp and sftp, that could lead to the
execution of arbitrary commands as root. The system is only vulnerable
if the program scponlyc is installed setuid root and if regular users
have shell access to the machine.
3. SuSE researchers discovered heap overflow errors in xpdf, the Portable
Document Format (PDF) suite, which is also present in
pdfkit.framework, the GNUstep framework for rendering PDF content, and
which can allow attackers to cause a denial of service by crashing the
application or possibly execute arbitrary code.
4. Several vulnerabilities have been discovered in otrs, the Open Ticket
Request System, that can be exploited remotely.
5. SuSE researchers discovered heap overflow errors in xpdf, the Portable
Document Format (PDF) suite, which is also present in gpdf, the GNOME
version of the Portable Document Format viewer, and which can allow
attackers to cause a denial of service by crashing the application or
possibly execute arbitrary code.
1.
--------------------------------------------------------------------------
Debian Security Advisory DSA 968-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 13th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : noweb
Vulnerability : insecure temporary file
Problem type : local
Debian-specific: no
CVE ID : CVE-2005-3342
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in noweb, a WEB-like literate-programming
tool, creates a temporary file in an insecure fashion.
For the old stable distribution (woody) this problem has been fixed in
version 2.9a-7.4.
For the stable distribution (sarge) this problem has been fixed in
version 2.10c-3.2.
For the unstable distribution (sid) this problem has been fixed in
version 2.10c-3.2.
We recommend that you upgrade your nowebm package.
Upgrade Instructions
--------------------
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
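The manual procedure above goes straight from `wget url` to `dpkg -i file.deb`. As an added example (not part of the Debian advisory), the script below puts a check between those two steps: the downloaded file's byte count and MD5 are compared with the "Size/MD5 checksum" values the advisory publishes for each package, and a file that does not match is discarded instead of being handed to dpkg. The function names `verify_deb` and `fetch_and_install` are chosen here; the URL, size and MD5 in the usage comment are the sarge i386 scponly package from DSA 969-1.

```shell
#!/bin/sh
# Added example, not from the Debian advisory: verify a downloaded .deb
# against the "Size/MD5 checksum" values a DSA publishes before installing.
# MD5 is what the 2006 advisories list; it guards against a truncated or
# corrupted transfer and does not replace checking the advisory's PGP
# signature, which is what actually authenticates the published values.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when the file's byte count and MD5 both match, 1 otherwise.
verify_deb() {
    file=$1
    exp_size=$2
    exp_md5=$3
    [ -f "$file" ] || { echo "verify_deb: no such file: $file" >&2; return 1; }
    # wc -c pads its output with spaces on some platforms, so strip them
    act_size=$(wc -c < "$file" | tr -d ' ')
    act_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$act_size" != "$exp_size" ]; then
        echo "verify_deb: size $act_size, advisory says $exp_size: $file" >&2
        return 1
    fi
    if [ "$act_md5" != "$exp_md5" ]; then
        echo "verify_deb: MD5 $act_md5, advisory says $exp_md5: $file" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED_SIZE EXPECTED_MD5
# The advisory's "wget url" and "dpkg -i file.deb" steps with the check in
# between; a mismatching download is deleted and never reaches dpkg.
fetch_and_install() {
    url=$1
    file=$(basename "$url")
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    if ! verify_deb "$file" "$2" "$3"; then
        rm -f "$file"
        return 1
    fi
    dpkg -i "$file"
}

# Usage, with the sarge i386 scponly package listed in DSA 969-1 (run as root):
# fetch_and_install \
#   http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_i386.deb \
#   29356 1f2e8799c3c018c17734665f2610bef2
```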
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
2.
--------------------------------------------------------------------------
Debian Security Advisory DSA 969-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 13th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : scponly
Vulnerability : design error
Problem type : local
Debian-specific: no
CVE ID : CVE-2005-4532
Debian Bug : 344418
Max Vozeller discovered a vulnerability in scponly, a utility to
restrict user commands to scp and sftp, that could lead to the
execution of arbitrary commands as root. The system is only vulnerable
if the program scponlyc is installed setuid root and if regular users
have shell access to the machine.
The old stable distribution (woody) does not contain an scponly package.
For the stable distribution (sarge) this problem has been fixed in
version 4.0-1sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 4.6-1.
We recommend that you upgrade your scponly package.
3.
--------------------------------------------------------------------------
Debian Security Advisory DSA 972-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 15th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : pdfkit.framework
Vulnerability : buffer overflows
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-0301
SuSE researchers discovered heap overflow errors in xpdf, the Portable
Document Format (PDF) suite, which is also present in
pdfkit.framework, the GNUstep framework for rendering PDF content, and
which can allow attackers to cause a denial of service by crashing the
application or possibly execute arbitrary code.
The old stable distribution (woody) does not contain pdfkit.framework
packages.
For the stable distribution (sarge) these problems have been fixed in
version 0.8-2sarge2.
For the unstable distribution (sid) these problems have been fixed in
version 0.8-4 by switching to poppler.
We recommend that you upgrade your pdfkit.framework package.
4.
--------------------------------------------------------------------------
Debian Security Advisory DSA 973-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 15th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : otrs
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2005-3893 CVE-2005-3894 CVE-2005-3895
BugTraq ID : 15537
Debian Bug : 340352
Several vulnerabilities have been discovered in otrs, the Open Ticket
Request System, that can be exploited remotely. The Common
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2005-3893
    Multiple SQL injection vulnerabilities allow remote attackers to
    execute arbitrary SQL commands and bypass authentication.
CVE-2005-3894
    Multiple cross-site scripting vulnerabilities allow remote
    authenticated users to inject arbitrary web script or HTML.
CVE-2005-3895
    Internally attached text/html mails are rendered as HTML when the
    queue moderator attempts to download the attachment, which allows
    remote attackers to execute arbitrary web script or HTML.
The old stable distribution (woody) does not contain OTRS packages.
For the stable distribution (sarge) these problems have been fixed in
version 1.3.2p01-6.
For the unstable distribution (sid) these problems have been fixed in
version 2.0.4p01-1.
We recommend that you upgrade your otrs package.
5.
--------------------------------------------------------------------------
Debian Security Advisory DSA 974-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 15th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : gpdf
Vulnerability : buffer overflows
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-0301
SuSE researchers discovered heap overflow errors in xpdf, the Portable
Document Format (PDF) suite, which is also present in gpdf, the GNOME
version of the Portable Document Format viewer, and which can allow
attackers to cause a denial of service by crashing the application or
possibly execute arbitrary code.
The old stable distribution (woody) does not contain gpdf packages.
For the stable distribution (sarge) these problems have been fixed in
version 2.8.2-1.2sarge3.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your gpdf package.