Articles / Debian: New silc-client/sil…

Debian: New silc-client/silc-toolkit packages fix arbitrary code execution

Several vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1879-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
September 4th, 2009                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : silc-client/silc-toolkit
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-7159 CVE-2008-7160 CVE-2009-3051

Several vulnerabilities have been discovered in the software suite for the
SILC protocol, a network protocol designed to provide end-to-end security
for conferencing services.  The Common Vulnerabilities and Exposures
project identifies the following problems:

An incorrect format string in sscanf() used in the ASN1 encoder to scan an
OID value could overwrite a neighbouring variable on the stack as the
destination data type is smaller than the source type on 64-bit. On 64-bit
architectures this could result in unexpected application behaviour or even
code execution in some cases (CVE-2008-7159).

Various format string vulnerabilities when handling parsed SILC messages
allow an attacker to execute arbitrary code with the rights of the victim
running the SILC client via crafted nick names or channel names containing
format strings (CVE-2009-3051).

An incorrect format string in a sscanf() call used in the HTTP server
component of silcd could result in overwriting a neighbouring variable on
the stack as the destination data type is smaller than the source type on
64-bit.  An attacker could exploit this by using crafted Content-Length
header values resulting in unexpected application behaviour or even code
execution in some cases (CVE-2008-7160).


silc-server doesn't need an update as it uses the shared library provided
by silc-toolkit. silc-client/silc-toolkit in the oldstable distribution
(etch) is not affected by this problem.

For the stable distribution (lenny), this problem has been fixed in
version 1.1.7-2+lenny1 of silc-toolkit and in version 1.1.4-1+lenny1
of silc-client.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.10-1 of silc-toolkit and version 1.1-2 of silc-client
(using libsilc from silc-toolkit since this upload).

We recommend that you upgrade your silc-toolkit/silc-client packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7-2+lenny1.dsc
   Size/MD5 checksum:     1430 eff8a733cf7e4db92296533394f42b22
 http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7.orig.tar.gz
   Size/MD5 checksum:  2678989 4f2fa6678f4801fd7087b4f92dada6ee
 http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7-2+lenny1.diff.gz
   Size/MD5 checksum:    16935 1e5d1151029379a7ba135799dc1cd166
 http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4-1+lenny1.dsc
   Size/MD5 checksum:     1380 29601c3569b30b5e3d3307689c9c25f8
 http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4.orig.tar.gz
   Size/MD5 checksum:  2202993 979d46c78ace2dade513f33ad0081e85
 http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4-1+lenny1.diff.gz
   Size/MD5 checksum:    11593 efa43890947e5ba7a34631c689abcb60

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_alpha.deb
   Size/MD5 checksum:   788516 0cd53c076d01f2ed2f3126385c2ec4e8
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_alpha.deb
   Size/MD5 checksum:   720306 b21343d40a367e08b0e215b4a7575d4d
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_alpha.deb
   Size/MD5 checksum:  2291652 9dc47295123af7ed95cdf10f2bb48f94
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_alpha.deb
   Size/MD5 checksum:   684328 674dd1d1da7fcbd87789fb53a4128bef
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_alpha.deb
   Size/MD5 checksum:   602432 76d7f386a31c02a31fefb10167611dea

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_amd64.deb
   Size/MD5 checksum:  2010710 669d1bd65dc987f4e27263ddd427409d
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_amd64.deb
   Size/MD5 checksum:   816352 569993e597e2bfb086558d79cf404404
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_amd64.deb
   Size/MD5 checksum:   575504 8961ff37ee74c66f26ad8115e152e8a8
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_amd64.deb
   Size/MD5 checksum:   682922 69d0986a3ee58796abcbd49bb67596e7
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_amd64.deb
   Size/MD5 checksum:   636202 0be0cf64803db8179887baa654636a05

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_arm.deb
   Size/MD5 checksum:   530304 ef44fd7a87532a5eaa233bf8ff0fe35c
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_arm.deb
   Size/MD5 checksum:  1970220 af591e1b1256e237bc3874dc1436dcf8
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_arm.deb
   Size/MD5 checksum:   596952 a3f7b72e6f6afa8b112a976f81402211
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_arm.deb
   Size/MD5 checksum:   637190 1918f391d001728b090d1eccd29a1591
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_arm.deb
   Size/MD5 checksum:   729096 43b9f94059b92f89d6c0b369d4d0af03

armel architecture (ARM EABI)

 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_armel.deb
   Size/MD5 checksum:  1962612 4decc400c81cc614b92e4a1ad30ed1af
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_armel.deb
   Size/MD5 checksum:   733882 423ec8e7059493bc0fc18e82b806f285
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_armel.deb
   Size/MD5 checksum:   532724 29c468a23b0ea6ed185011b32301a62f
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_armel.deb
   Size/MD5 checksum:   633846 fb04296b8cafd4e7d963fa7b76aaeb72
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_armel.deb
   Size/MD5 checksum:   593904 35f18b5885bbc7d0c3d8266f80b4972e

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_hppa.deb
   Size/MD5 checksum:   706862 f1d684f275d2856b5901c6ba281e2c6c
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_hppa.deb
   Size/MD5 checksum:  2071298 faf1c7e0ce3ecb2d8f7b7bfda1a8c8e8
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_hppa.deb
   Size/MD5 checksum:   748138 bca4aef69adacc2ad3916dec73fa39e2
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_hppa.deb
   Size/MD5 checksum:   580570 17528232c8afce64d1001ee70ed51cfd
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_hppa.deb
   Size/MD5 checksum:   657840 33e4113f1fe83f46d37fbc402c75cdd2

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_i386.deb
   Size/MD5 checksum:  1958352 6e52615a8b32b370b494137f0300feb2
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_i386.deb
   Size/MD5 checksum:   757594 d497653d4099715dd6fd93e05b040628
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_i386.deb
   Size/MD5 checksum:   613194 ced6311eecca14af5769eb5f8b0c31c5
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_i386.deb
   Size/MD5 checksum:   654282 ec5871f734bdbe786fea918239f03e54
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_i386.deb
   Size/MD5 checksum:   535140 c337b0f6e4af21cbdf4a78e69f064469

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_ia64.deb
   Size/MD5 checksum:   831536 62b8713afd7d9fbe131991906b0dbb97
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_ia64.deb
   Size/MD5 checksum:   775238 956a12f89fa6726c7b3a6a7bcb75468b
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_ia64.deb
   Size/MD5 checksum:   736840 0204a4e63142577df5144a6130a5ce2c
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_ia64.deb
   Size/MD5 checksum:   691606 01a3e15fdbe685d4f07e3bf03c912315
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_ia64.deb
   Size/MD5 checksum:  1798590 aa499f0a6891b564a8a8c710416c609d

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_mipsel.deb
   Size/MD5 checksum:   543784 d03b80092bd257a9063583688dccb56a
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_mipsel.deb
   Size/MD5 checksum:   596180 3fd8c7843ec4bbd84b5e0e6f190caa52
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_mipsel.deb
   Size/MD5 checksum:   629238 d61e7398ccfc2bf304698c4ba753dca0
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_mipsel.deb
   Size/MD5 checksum:   766454 d1da8cc53723cad21cbbae1509202fb7
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_mipsel.deb
   Size/MD5 checksum:  1648330 b53fbf48b759f8ed6e73f57f5b80ec96

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_powerpc.deb
   Size/MD5 checksum:   676340 30c793888c95438921365283010c93d1
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_powerpc.deb
   Size/MD5 checksum:   759318 d06fa7e4b07582a55db2af4ea3c4b59f
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_powerpc.deb
   Size/MD5 checksum:   568176 3ab7e328f4b77832efbd25aac2ed9411
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_powerpc.deb
   Size/MD5 checksum:   641016 a324bb31b852d1263d368e5c52c9ad57
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_powerpc.deb
   Size/MD5 checksum:  1606250 6064261f608218c011229c2ac3e955bb

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_s390.deb
   Size/MD5 checksum:   688236 c74f47601419f18507d11e8ed96b5fce
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_s390.deb
   Size/MD5 checksum:   647672 6fc21eb1bac7df10cf097ad9946ff73f
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_s390.deb
   Size/MD5 checksum:   767682 dd900105226d9b8477144394d9db91f7
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_s390.deb
   Size/MD5 checksum:   577372 0c664657507445643e307f75b7591b11
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_s390.deb
   Size/MD5 checksum:  1597620 f46831f1d0039b369670d5d0c2e4dfc7

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2_1.1.7-2+lenny1_sparc.deb
   Size/MD5 checksum:   604228 37f7538fc5407a74d561a7e77d5fd063
 http://security.debian.org/pool/updates/main/s/silc-client/irssi-plugin-silc_1.1.4-1+lenny1_sparc.deb
   Size/MD5 checksum:   644262 0dc6b8b64ba99bfd73b9f0209ef443da
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dev_1.1.7-2+lenny1_sparc.deb
   Size/MD5 checksum:  1986452 ccea49c8bda9cd6d1199668a34456eda
 http://security.debian.org/pool/updates/main/s/silc-client/silc_1.1.4-1+lenny1_sparc.deb
   Size/MD5 checksum:   542290 18a8c0d447f2f57496c283480b3194e7
 http://security.debian.org/pool/updates/main/s/silc-toolkit/libsilc-1.1-2-dbg_1.1.7-2+lenny1_sparc.deb
   Size/MD5 checksum:   707320 e46a755fa1382dbfd179a7d50b129508


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqhL8kACgkQHYflSXNkfP8oNwCfTn3RGpcOGhRoe5yMcA2Vsgmb
KEQAoJVMeF3cRw0Lf5fRKsqRFsrIB81S
=lqqc
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.