-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1842-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 28, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : openexr Vulnerability : several Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2009-1720 CVE-2009-1721 CVE-2009-1722 Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1720 Drew Yao discovered integer overflows in the preview and compression code. CVE-2009-1721 Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. CVE-2009-1722 A buffer overflow was discovered in the compression code. For the old stable distribution (etch), these problems have been fixed in version 1.2.2-4.3+etch2. For the stable distribution (lenny), these problems have been fixed in version 1.6.1-3+lenny3. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your openexr packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2.orig.tar.gz Size/MD5 checksum: 9324108 a2e56af78dc47c7294ff188c8f78394b http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.dsc Size/MD5 checksum: 841 38524b64a8f8a689b2db3a697b1bb7e3 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.diff.gz Size/MD5 checksum: 11620 fe26549c7913a1217795382ad0f31153 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_alpha.deb Size/MD5 checksum: 649894 fc9a1c67beee9197266747ee562e0349 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_alpha.deb Size/MD5 checksum: 742016 0f11446d30377a662670724f7ea03a5c http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_alpha.deb Size/MD5 checksum: 313564 e34baa2d06d796eea67aafe84bdf7b0e amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_amd64.deb Size/MD5 checksum: 287856 c051a4558f5b145e7246618b4397169a http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_amd64.deb Size/MD5 checksum: 730450 8180e6cb370177d6355f5755c865ab14 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_amd64.deb Size/MD5 checksum: 535914 0c98d699e11e308151a003ce28b7c77c arm architecture (ARM) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_arm.deb Size/MD5 checksum: 531144 bd9b1cea94db20840f380a6c288cf3c9 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_arm.deb Size/MD5 checksum: 290886 bda7210cc96811000b36b3e760400f56 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_arm.deb Size/MD5 checksum: 729258 2472ecda1421bc323f978b943ae0cc96 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_hppa.deb Size/MD5 checksum: 742604 95cda2414e2f4296dee1a044978cec50 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_hppa.deb Size/MD5 checksum: 389476 8a6f6c386fd65e1c422cd8145e3a058f http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_hppa.deb Size/MD5 checksum: 641946 aed1b15e04d26de29ee314639b28f27b i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_i386.deb Size/MD5 checksum: 730140 d6bd597c1c794304f02b8c2cba564cd3 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_i386.deb Size/MD5 checksum: 507006 787feeaf0e889f000f687b41f132b7b5 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_i386.deb Size/MD5 checksum: 298682 282cb1311545aeb1a9a30635fa0d8afc ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_ia64.deb Size/MD5 checksum: 758978 ad87aee6e8b0c45eec39564920461fba http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_ia64.deb Size/MD5 checksum: 351604 eb21634f92ab972a0fde896190ff1640 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_ia64.deb Size/MD5 checksum: 675014 68d763fa96db1bd9bf709386b188a0bb mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mips.deb Size/MD5 checksum: 345100 03b43b1028d85a2fb33cb63e83980083 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mips.deb Size/MD5 checksum: 740040 535c2f97ed619f281bbe537ac5c6bc2d http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mips.deb Size/MD5 checksum: 621990 34ae3431d730c36710102e9f9cab12e2 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mipsel.deb Size/MD5 checksum: 557340 211e63375b0678bdb466bf751da16d17 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mipsel.deb Size/MD5 checksum: 286388 2bbee82ca594eb5b66bfc11ee86343b7 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mipsel.deb Size/MD5 checksum: 738854 9d64ba8ad843bd7be11dd96aef6c585e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_powerpc.deb Size/MD5 checksum: 742280 33563d1687a45a0afc49ea323634b740 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_powerpc.deb Size/MD5 checksum: 602020 d23895c35a0452cdf7e2a942aa14a54b http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_powerpc.deb Size/MD5 checksum: 359976 6bd99f9bd3d4efb97165b01c433e4bd7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_s390.deb Size/MD5 checksum: 729526 eaaa37987326d63198ab62e03345652c http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_s390.deb Size/MD5 checksum: 568924 95504b9609ea97347343e7e289e2221a http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_s390.deb Size/MD5 checksum: 343522 3759d7bbdb019bd2195cf76290627144 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_sparc.deb Size/MD5 checksum: 726266 e42da7efdbddf2754be36487d71ce3ca http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_sparc.deb Size/MD5 checksum: 354972 a5035d03894a1addc94b3de3069d1fb9 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_sparc.deb Size/MD5 checksum: 541212 067ca7aaee21e0e1aee4f2136666bdd8 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.dsc Size/MD5 checksum: 1350 2b8eed594d50319412ed73f5f596aafe http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1.orig.tar.gz Size/MD5 checksum: 13632660 11951f164f9c872b183df75e66de145a http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.diff.gz Size/MD5 checksum: 9827 b93fd79da953259b8b52c2ecb906b54e alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_alpha.deb Size/MD5 checksum: 2778984 0513bd0d96cb43befeee9d94add201da http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_alpha.deb Size/MD5 checksum: 281732 945acff6dee3ef769d0b7ec74598de1b http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_alpha.deb Size/MD5 checksum: 531848 c7294a235fee8cb81d6f39f374b3de40 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_amd64.deb Size/MD5 checksum: 2772630 d661672b2f65db8061fcb8776b3531ad http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_amd64.deb Size/MD5 checksum: 410338 836a7928ac2b3547a601e4414da45b09 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_amd64.deb Size/MD5 checksum: 256300 631b0ac70dcd7c8084fd0f67a8448f5d arm architecture (ARM) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_arm.deb Size/MD5 checksum: 417362 55e8c445c6abd01adb77dcfdb43332e9 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_arm.deb Size/MD5 checksum: 264182 d8c430152da1c91fe5ec52067efea78b http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_arm.deb Size/MD5 checksum: 2771396 c37c1f350ca6225de25d831f0038ce37 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_armel.deb Size/MD5 checksum: 2767672 ae5e239cb77abcbe101d933f2ee4ac90 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_armel.deb Size/MD5 checksum: 234462 c4741b0bfb775bc9a40de0a643efb868 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_armel.deb Size/MD5 checksum: 417128 9aa5f7cc6ea1d81cfadad4b301a3618e hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_hppa.deb Size/MD5 checksum: 461490 7203f3346fc5aab67bbf6f57716972c2 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_hppa.deb Size/MD5 checksum: 286722 65b2a0231be6068a26ab114c405cec92 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_hppa.deb Size/MD5 checksum: 2780614 c8cca4d46105ca9fc3c7c09b28de38e1 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_i386.deb Size/MD5 checksum: 261674 4abfac5164cf73b064fcfa1795e3519b http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_i386.deb Size/MD5 checksum: 382482 205c279fb515a77db06702e814fe90e1 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_i386.deb Size/MD5 checksum: 2771980 b0d9e669fa5a740fd4865d225e197489 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_ia64.deb Size/MD5 checksum: 2797400 ad32ac146a7478627d214bd2ba5f1072 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_ia64.deb Size/MD5 checksum: 326536 faffe80a1fe18d8844160c921788dd12 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_ia64.deb Size/MD5 checksum: 540098 b4d528a99548a4ac55e522f3dc884812 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mips.deb Size/MD5 checksum: 434618 87e8fc245b6f7ce1221a7e1d270dd5b7 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mips.deb Size/MD5 checksum: 2773808 2eb7c1e598689245fd689757fcfd6629 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mips.deb Size/MD5 checksum: 247956 154114b76d4b48ade46950e0c3ffc7e1 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mipsel.deb Size/MD5 checksum: 245632 0b712d9c2e3b3ddbade2d8d422d1ab61 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mipsel.deb Size/MD5 checksum: 433480 e38d09e2b43a0a15ff9e1a682df505b6 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mipsel.deb Size/MD5 checksum: 2773436 762c3505a0be0d22d4a8a7cc320a8b57 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_powerpc.deb Size/MD5 checksum: 2790486 d58f02fd02a19e2f6c9fc09ccb820628 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_powerpc.deb Size/MD5 checksum: 280182 fcfec5652ba28f154363e60d30eb07cd http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_powerpc.deb Size/MD5 checksum: 425910 7112b7df591f2a4fb28ba8c025c74796 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_s390.deb Size/MD5 checksum: 396608 ff75777592b04a235ef600fdd5f35dbd http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_s390.deb Size/MD5 checksum: 2772984 9da82847cc89c3d7b03d16fad1fc6c98 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_s390.deb Size/MD5 checksum: 257288 ed024511c52b4fb1eb430a1922094ff4 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_sparc.deb Size/MD5 checksum: 380626 cd3003fd724c5c45b84ff3fff8fea098 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_sparc.deb Size/MD5 checksum: 264904 e3873ec73423b9119b7c010dbb2a82c1 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_sparc.deb Size/MD5 checksum: 2771744 11c15cec8db891a7ccf49f4e1f663a68 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkpu61MACgkQXm3vHE4uylr29QCffNG4AC2KumZ1yRWsMcbXeOEh wusAoNYisaDfJDMKy9zCLHn/OgNCkmof =/7O6 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/