Articles / Debian: New openexr package…

Debian: New openexr packages fix several vulnerabilities

Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. Drew Yao discovered integer overflows in the preview and compression code. Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. A buffer overflow was discovered in the compression code. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1842-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 28, 2009                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openexr
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-1720 CVE-2009-1721 CVE-2009-1722

Several vulnerabilities have been discovered in the OpenEXR image
library, which can lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-1720

  Drew Yao discovered integer overflows in the preview and
  compression code.

CVE-2009-1721

  Drew Yao discovered that an uninitialised pointer could be freed
  in the decompression code.

CVE-2009-1722

  A buffer overflow was discovered in the compression code.

For the old stable distribution (etch), these problems have been fixed
in version 1.2.2-4.3+etch2.

For the stable distribution (lenny), these problems have been fixed
in version 1.6.1-3+lenny3.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your openexr packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2.orig.tar.gz
   Size/MD5 checksum:  9324108 a2e56af78dc47c7294ff188c8f78394b
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.dsc
   Size/MD5 checksum:      841 38524b64a8f8a689b2db3a697b1bb7e3
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.diff.gz
   Size/MD5 checksum:    11620 fe26549c7913a1217795382ad0f31153

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_alpha.deb
   Size/MD5 checksum:   649894 fc9a1c67beee9197266747ee562e0349
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_alpha.deb
   Size/MD5 checksum:   742016 0f11446d30377a662670724f7ea03a5c
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_alpha.deb
   Size/MD5 checksum:   313564 e34baa2d06d796eea67aafe84bdf7b0e

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_amd64.deb
   Size/MD5 checksum:   287856 c051a4558f5b145e7246618b4397169a
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_amd64.deb
   Size/MD5 checksum:   730450 8180e6cb370177d6355f5755c865ab14
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_amd64.deb
   Size/MD5 checksum:   535914 0c98d699e11e308151a003ce28b7c77c

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_arm.deb
   Size/MD5 checksum:   531144 bd9b1cea94db20840f380a6c288cf3c9
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_arm.deb
   Size/MD5 checksum:   290886 bda7210cc96811000b36b3e760400f56
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_arm.deb
   Size/MD5 checksum:   729258 2472ecda1421bc323f978b943ae0cc96

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_hppa.deb
   Size/MD5 checksum:   742604 95cda2414e2f4296dee1a044978cec50
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_hppa.deb
   Size/MD5 checksum:   389476 8a6f6c386fd65e1c422cd8145e3a058f
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_hppa.deb
   Size/MD5 checksum:   641946 aed1b15e04d26de29ee314639b28f27b

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_i386.deb
   Size/MD5 checksum:   730140 d6bd597c1c794304f02b8c2cba564cd3
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_i386.deb
   Size/MD5 checksum:   507006 787feeaf0e889f000f687b41f132b7b5
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_i386.deb
   Size/MD5 checksum:   298682 282cb1311545aeb1a9a30635fa0d8afc

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_ia64.deb
   Size/MD5 checksum:   758978 ad87aee6e8b0c45eec39564920461fba
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_ia64.deb
   Size/MD5 checksum:   351604 eb21634f92ab972a0fde896190ff1640
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_ia64.deb
   Size/MD5 checksum:   675014 68d763fa96db1bd9bf709386b188a0bb

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mips.deb
   Size/MD5 checksum:   345100 03b43b1028d85a2fb33cb63e83980083
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mips.deb
   Size/MD5 checksum:   740040 535c2f97ed619f281bbe537ac5c6bc2d
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mips.deb
   Size/MD5 checksum:   621990 34ae3431d730c36710102e9f9cab12e2

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mipsel.deb
   Size/MD5 checksum:   557340 211e63375b0678bdb466bf751da16d17
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mipsel.deb
   Size/MD5 checksum:   286388 2bbee82ca594eb5b66bfc11ee86343b7
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mipsel.deb
   Size/MD5 checksum:   738854 9d64ba8ad843bd7be11dd96aef6c585e

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_powerpc.deb
   Size/MD5 checksum:   742280 33563d1687a45a0afc49ea323634b740
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_powerpc.deb
   Size/MD5 checksum:   602020 d23895c35a0452cdf7e2a942aa14a54b
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_powerpc.deb
   Size/MD5 checksum:   359976 6bd99f9bd3d4efb97165b01c433e4bd7

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_s390.deb
   Size/MD5 checksum:   729526 eaaa37987326d63198ab62e03345652c
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_s390.deb
   Size/MD5 checksum:   568924 95504b9609ea97347343e7e289e2221a
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_s390.deb
   Size/MD5 checksum:   343522 3759d7bbdb019bd2195cf76290627144

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_sparc.deb
   Size/MD5 checksum:   726266 e42da7efdbddf2754be36487d71ce3ca
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_sparc.deb
   Size/MD5 checksum:   354972 a5035d03894a1addc94b3de3069d1fb9
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_sparc.deb
   Size/MD5 checksum:   541212 067ca7aaee21e0e1aee4f2136666bdd8

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.dsc
   Size/MD5 checksum:     1350 2b8eed594d50319412ed73f5f596aafe
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1.orig.tar.gz
   Size/MD5 checksum: 13632660 11951f164f9c872b183df75e66de145a
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.diff.gz
   Size/MD5 checksum:     9827 b93fd79da953259b8b52c2ecb906b54e

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_alpha.deb
   Size/MD5 checksum:  2778984 0513bd0d96cb43befeee9d94add201da
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_alpha.deb
   Size/MD5 checksum:   281732 945acff6dee3ef769d0b7ec74598de1b
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_alpha.deb
   Size/MD5 checksum:   531848 c7294a235fee8cb81d6f39f374b3de40

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_amd64.deb
   Size/MD5 checksum:  2772630 d661672b2f65db8061fcb8776b3531ad
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_amd64.deb
   Size/MD5 checksum:   410338 836a7928ac2b3547a601e4414da45b09
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_amd64.deb
   Size/MD5 checksum:   256300 631b0ac70dcd7c8084fd0f67a8448f5d

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_arm.deb
   Size/MD5 checksum:   417362 55e8c445c6abd01adb77dcfdb43332e9
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_arm.deb
   Size/MD5 checksum:   264182 d8c430152da1c91fe5ec52067efea78b
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_arm.deb
   Size/MD5 checksum:  2771396 c37c1f350ca6225de25d831f0038ce37

armel architecture (ARM EABI)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_armel.deb
   Size/MD5 checksum:  2767672 ae5e239cb77abcbe101d933f2ee4ac90
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_armel.deb
   Size/MD5 checksum:   234462 c4741b0bfb775bc9a40de0a643efb868
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_armel.deb
   Size/MD5 checksum:   417128 9aa5f7cc6ea1d81cfadad4b301a3618e

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_hppa.deb
   Size/MD5 checksum:   461490 7203f3346fc5aab67bbf6f57716972c2
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_hppa.deb
   Size/MD5 checksum:   286722 65b2a0231be6068a26ab114c405cec92
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_hppa.deb
   Size/MD5 checksum:  2780614 c8cca4d46105ca9fc3c7c09b28de38e1

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_i386.deb
   Size/MD5 checksum:   261674 4abfac5164cf73b064fcfa1795e3519b
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_i386.deb
   Size/MD5 checksum:   382482 205c279fb515a77db06702e814fe90e1
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_i386.deb
   Size/MD5 checksum:  2771980 b0d9e669fa5a740fd4865d225e197489

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_ia64.deb
   Size/MD5 checksum:  2797400 ad32ac146a7478627d214bd2ba5f1072
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_ia64.deb
   Size/MD5 checksum:   326536 faffe80a1fe18d8844160c921788dd12
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_ia64.deb
   Size/MD5 checksum:   540098 b4d528a99548a4ac55e522f3dc884812

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mips.deb
   Size/MD5 checksum:   434618 87e8fc245b6f7ce1221a7e1d270dd5b7
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mips.deb
   Size/MD5 checksum:  2773808 2eb7c1e598689245fd689757fcfd6629
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mips.deb
   Size/MD5 checksum:   247956 154114b76d4b48ade46950e0c3ffc7e1

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mipsel.deb
   Size/MD5 checksum:   245632 0b712d9c2e3b3ddbade2d8d422d1ab61
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mipsel.deb
   Size/MD5 checksum:   433480 e38d09e2b43a0a15ff9e1a682df505b6
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mipsel.deb
   Size/MD5 checksum:  2773436 762c3505a0be0d22d4a8a7cc320a8b57

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_powerpc.deb
   Size/MD5 checksum:  2790486 d58f02fd02a19e2f6c9fc09ccb820628
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_powerpc.deb
   Size/MD5 checksum:   280182 fcfec5652ba28f154363e60d30eb07cd
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_powerpc.deb
   Size/MD5 checksum:   425910 7112b7df591f2a4fb28ba8c025c74796

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_s390.deb
   Size/MD5 checksum:   396608 ff75777592b04a235ef600fdd5f35dbd
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_s390.deb
   Size/MD5 checksum:  2772984 9da82847cc89c3d7b03d16fad1fc6c98
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_s390.deb
   Size/MD5 checksum:   257288 ed024511c52b4fb1eb430a1922094ff4

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_sparc.deb
   Size/MD5 checksum:   380626 cd3003fd724c5c45b84ff3fff8fea098
 http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_sparc.deb
   Size/MD5 checksum:   264904 e3873ec73423b9119b7c010dbb2a82c1
 http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_sparc.deb
   Size/MD5 checksum:  2771744 11c15cec8db891a7ccf49f4e1f663a68


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpu61MACgkQXm3vHE4uylr29QCffNG4AC2KumZ1yRWsMcbXeOEh
wusAoNYisaDfJDMKy9zCLHn/OgNCkmof
=/7O6
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.