New xzgv packages fix arbitrary code execution

2006.04.22
Credit: joey infodrom org (Martin Schulze)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-1060
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Debian Security Advisory DSA 1038-1 security (at) debian (dot) org [email concealed] http://www.debian.org/security/ Martin Schulze April 22nd, 2006 http://www.debian.org/security/faq - ------------------------------------------------------------------------ -- Package : xzgv Vulnerability : programming error Problem type : remote Debian-specific: no CVE ID : CVE-2006-1060 Andrea Barisani discovered that xzgv, a picture viewer for X with a thumbnail-based selector, attempts to decode JPEG images within the CMYK/YCCK colour space incorrectly, which could lead to the execution of arbitrary code. For the old stable distribution (woody) this problem has been fixed in version 0.7-6woody3. For the stable distribution (sarge) this problem has been fixed in version 0.8-3sarge1. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your xzgv package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3.dsc Size/MD5 checksum: 581 1a95ff78280e98e448b19807e6dacd14 http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3.dif f.gz Size/MD5 checksum: 7188 3af533cd6791a61c35cac448cdf7bd86 http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7.orig.tar.gz Size/MD5 checksum: 296814 9a376cc01cf486a2a8901fbc8b040d29 Alpha architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_alp ha.deb Size/MD5 checksum: 199802 8d2c31ecea7c0821a463930a795e4363 ARM architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_arm .deb Size/MD5 checksum: 187280 3e9a89fcb5bca1c3b0cd5afa88b0a628 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_i38 6.deb Size/MD5 checksum: 185464 60cc2843ea8611650074c3b6247c9a68 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_ia6 4.deb Size/MD5 checksum: 220106 81b23a2fef7ea3c0d1e45d531494acce HP Precision architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_hpp a.deb Size/MD5 checksum: 195672 de3c3a653cee6c8a810554179e07dc22 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_m68 k.deb Size/MD5 checksum: 181774 8a51dbe9d11e85c1a50831c2035c1a0d Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_mip s.deb Size/MD5 checksum: 188680 10ff84344193db70d24e438f48554fc6 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_mip sel.deb Size/MD5 checksum: 187718 5ba8e5fa9b7e2b54cb1f11f867431ee5 PowerPC architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_pow erpc.deb Size/MD5 checksum: 189770 909d2af6f68d5d7c49ecbacd2b187293 IBM S/390 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_s39 0.deb Size/MD5 checksum: 189282 22d9c8dad8cf2a577fca2a208e9ed745 Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_spa rc.deb Size/MD5 checksum: 189208 5daa878f409a61f2ea519ac8d1ca5730 Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1.dsc Size/MD5 checksum: 642 ae7ee0519ba25087b0dbd809a5a1db43 http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1.dif f.gz Size/MD5 checksum: 8762 2f40bca80610715c3a48c7cd68733cc4 http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8.orig.tar.gz Size/MD5 checksum: 302801 e392277f1447076402df2e3d9e782cb2 Alpha architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_alp ha.deb Size/MD5 checksum: 210012 6938839b55f3a36a3732a9743ae1a7df AMD64 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_amd 64.deb Size/MD5 checksum: 201782 6b4d5abca89ec0dd92e2f34dd21a51e8 ARM architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_arm .deb Size/MD5 checksum: 194364 a80549d3f3f2e05ad37b45ff087d19c6 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_i38 6.deb Size/MD5 checksum: 195816 69b8d384068d9fc7061997c63bd3075e Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_ia6 4.deb Size/MD5 checksum: 223934 eb187eba5a5aa8bada015cab8d50bde1 HP Precision architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_hpp a.deb Size/MD5 checksum: 202856 931a992b298cc192afcd164f2c379148 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_m68 k.deb Size/MD5 checksum: 189288 61005b854fabb24ee582d66644e39e73 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_mip s.deb Size/MD5 checksum: 196818 a3ccaeb5207c03483ab2073134afff84 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_mip sel.deb Size/MD5 checksum: 195800 7d63b90f48fda8dc6004ebd65f2b280c PowerPC architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_pow erpc.deb Size/MD5 checksum: 198764 ad327072b62b9901450585abd7d687a0 IBM S/390 architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_s39 0.deb Size/MD5 checksum: 200516 4a1a716179571f70adb1fa1685b374a6 Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_spa rc.deb Size/MD5 checksum: 195544 cc23e85b70d38954c3d0e92cc209e2dc These files will probably be moved into the stable distribution on its next update. - ------------------------------------------------------------------------ --------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce (at) lists.debian (dot) org [email concealed] Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFESengW5ql+IAeqTIRAvQoAJ4zsax+2KVU1gLhcgWanTI3P7/qBgCaA5x0 JI7zwCVH/xWBKS4iJZICtT8= =utK/ -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top