
[debian-users:34275] Forward: [SECURITY] [DSA 158-1] New gaim packages fix arbitrary program execution



A serious security problem has been found in the current Debian stable
release (3.0 woody).

Affected package: gaim

To update to the fixed package, add

deb http://security.debian.org/ stable/updates main contrib non-free

to /etc/apt/sources.list and run

apt-get update ; apt-get upgrade

See the attached announcement for details.

--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 158-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 27th, 2002                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gaim
Vulnerability  : arbitrary program execution
Problem-Type   : remote
Debian-specific: no

The developers of Gaim, an instant messenger client that combines
several different networks, found a vulnerability in the hyperlink
handling code.  The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it.  Users who use other inbuilt browser commands aren't
vulnerable.

This problem has been fixed in version 0.58-2.2 for the current
stable distribution (woody) and in version 0.59.1-2 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't ship the Gaim program.

The fixed version of Gaim no longer passes the user's manual browser
command to the shell.  Commands which contain the %s in quotes will
need to be amended, so they don't contain any quotes.  The 'Manual'
browser command can be edited in the 'General' pane of the
'Preferences' dialog, which can be accessed by clicking 'Options' from
the login window, or 'Tools' and then 'Preferences' from the menu bar
in the buddy list window.

We recommend that you upgrade your gaim package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9a3g3W5ql+IAeqTIRAj6IAJ9CmLA8l1torLm1aYL/34XGDrKLAgCgpxmO
2a5nTITob/hwYWDYzRs1a6w=
=tgdV
-----END PGP SIGNATURE-----


--- End Message ---
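
Added example, not part of the advisory and not Gaim's own code: a sketch of launching a 'Manual' browser command without a shell, which also shows why the advisory asks for quotes around %s to be removed. The names build_browser_argv, expand_word, MAX_ARGS and the placeholder command "mybrowser" are assumptions, as is the rule of splitting the template on blanks; the advisory does not say how the fixed Gaim parses the command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 16

/* Replace the first "%s" in one template word with the URL, verbatim. */
static char *expand_word(const char *w, size_t len, const char *url)
{
    size_t cap = len + strlen(url) + 1, i = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    while (i + 1 < len && !(w[i] == '%' && w[i + 1] == 's')) i++;
    if (i + 1 < len)   /* found: prefix + url + suffix */
        snprintf(out, cap, "%.*s%s%.*s", (int)i, w, url, (int)(len - i - 2), w + i + 2);
    else               /* no placeholder in this word */
        snprintf(out, cap, "%.*s", (int)len, w);
    return out;
}

/* Split the template on blanks BEFORE substitution, so the URL can never
   add, split or terminate an argument. Returns argc, or -1 on error. */
int build_browser_argv(const char *tmpl, const char *url, char *argv[])
{
    int argc = 0;
    for (;;) {
        size_t len;
        tmpl += strspn(tmpl, " \t");
        len = strcspn(tmpl, " \t");
        if (len == 0) break;
        if (argc == MAX_ARGS || !(argv[argc] = expand_word(tmpl, len, url))) {
            while (argc > 0) free(argv[--argc]);
            return -1;
        }
        argc++;
        tmpl += len;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Constructed inputs; "mybrowser" is a placeholder command name. */
    char *argv[MAX_ARGS + 1];
    int i, n = build_browser_argv("mybrowser \"%s\"", "http://example.invalid/a b;c", argv);
    for (i = 0; i < n; i++) { printf("argv[%d] = [%s]\n", i, argv[i]); free(argv[i]); }
    /* A real caller would fork() and execvp(argv[0], argv) instead: no shell. */
    return n < 0;
}
```

With no shell in the path, the blank and ';' in the URL stay inside one argument, and the quotes in the template reach the browser as literal characters, so a quoted "%s" has to be changed to a bare %s.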