Package : kdelibs
Vulnerability : unsanitised input
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1165
BugTraq ID : 11827
Debian Bug : 287201
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
newline before the FTP command.
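
The missing check, as an added example (not kdelibs code): a C function that percent-decodes an ftp:// URL once and rejects it if any decoded byte is a control character such as CR or LF. The function name and the sample URLs are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Hypothetical validator: returns 1 if every byte of the URL, after a single
 * percent-decoding pass, may be placed on an FTP control-channel line, and 0
 * otherwise. The check must run on the same decoded bytes the client sends.
 */
int ftp_url_is_safe(const char *url)
{
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        int byte = *p;
        if (byte == '%') {
            int hi = hex_val(p[1]);
            int lo = (hi < 0) ? -1 : hex_val(p[2]);
            if (hi < 0 || lo < 0)
                return 0;            /* truncated or malformed escape */
            byte = hi * 16 + lo;
            p += 2;
        }
        if (byte < 0x20 || byte == 0x7f)
            return 0;                /* CR, LF or another control byte */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the advisory. */
    const char *samples[] = {
        "ftp://ftp.example.org/pub/README",
        "ftp://ftp.example.org/pub%0aINJECTED",
        "ftp://ftp.example.org/pub%0D%0AINJECTED",
    };
    for (int i = 0; i < 3; i++)
        printf("%-45s %s\n", samples[i],
               ftp_url_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```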
For the stable distribution (woody) this problem has been fixed in
version 2.2.2-13.woody.13.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your kdelibs3 package.
Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Package : linpopup
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1282
Debian Bug : 287044
Stephen Dranger discovered a buffer overflow in linpopup, an X11 port
of winpopup, running over Samba, that could lead to the execution of
arbitrary code when displaying a maliciously crafted message.
For the stable distribution (woody) this problem has been fixed in
version 1.2.0-2woody1.
For the unstable distribution (sid) this problem has been fixed in
version 1.2.0-7.
We recommend that you upgrade your linpopup package.
Jeroen van Wolffelaar discovered a problem in lintian, the Debian
package checker. The program removes the working directory even if it
wasn't created at program start, removing an unrelated file or
directory a malicious user inserted via a symlink attack.
For the stable distribution (woody) this problem has been fixed in
version 1.20.17.1.
For the unstable distribution (sid) this problem has been fixed in
version 1.23.6.
We recommend that you upgrade your lintian package.
Package:                libtiff/tiff
Announcement-ID:        SUSE-SA:2005:001
Date:                   Monday, Jan 10th 2005 11:30 MET
Affected products:      8.1, 8.2, 9.0, 9.1, 9.2
                        SUSE Linux Desktop 1.0
                        SUSE Linux Enterprise Server 8, 9
                        Novell Linux Desktop 9
Vulnerability Type:     remote system compromise
Severity (1-10):        8
SUSE default package:   yes
Cross References:       CAN-2004-1183
                        CAN-2004-1308

Content of this advisory:
    1) security vulnerability resolved:
         - integer overflow
         - buffer overflow
       problem description
    2) solution/workaround
    3) special instructions and notes
    4) package location and checksums
    5) pending vulnerabilities, solutions, workarounds:
    6) standard appendix (further information)
1) problem description, brief discussion
Libtiff supports reading, writing, and manipulating TIFF image files.
iDEFENSE reported an integer overflow in libtiff that can be exploited by
specific TIFF images to trigger a heap-based buffer overflow afterwards.
This bug can be used by external attackers to execute arbitrary code
over the network by placing special image files on web pages and
the like.
Additionally, a buffer overflow in tiffdump was fixed.
2) solution/workaround
There is no workaround known.
3) special instructions and notes
All processes using libtiff must be restarted.
If you use GUI applications please close your X/GDM/KDM session(s) and
log in again.
4) package location and checksums
Download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.
5) pending vulnerabilities in SUSE Distributions and Workarounds:
Please read our next summary report for more information.
6) standard appendix: authenticity verification, additional information
Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
           md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We recommend against subscribing to security lists that cause the
       e-mail message containing the announcement to be modified
       so that the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
           rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       file name of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
               gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
SUSE runs two security mailing lists to which any interested party may
subscribe:
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
LBA-Linux
LBA-Linux Security Advisory
Subject: Updated kdegraphics package for LBA-Linux R2
Advisory ID: LBASA-2004:53
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-1125
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products
that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows
remote attackers to cause a denial of service (application crash) and possibly execute
arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be
exceeded.
LBA-Linux Security Advisory
Subject: Updated tetex package for LBA-Linux R2
Advisory ID: LBASA-2004:54
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0888
Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such
as tetex, CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code.
CAN-2004-0889
Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as tetex and CUPS,
allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary
code.
CAN-2004-1125
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products
that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows
remote attackers to cause a denial of service (application crash) and possibly execute
arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be
exceeded.
Subject: Updated libtiff package for LBA-Linux R2
Advisory ID: LBASA-2004:55
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0803
Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier,
related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary
code via TIFF files.
CAN-2004-0804
Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service
(application crash) via a TIFF image that causes a divide-by-zero error when the number of
row bytes is zero.
CAN-2004-0886
Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of
service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.
CAN-2004-1308
Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote
attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED
directory entry with a -1 entry count, which leads to a heap-based buffer overflow.
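
The arithmetic behind CAN-2004-1308, as an added example (not libtiff code): with a 32-bit entry count of -1 (0xFFFFFFFF), an unchecked "count + 1" allocation size wraps to 0, while a checked version rejects the entry. The function names are hypothetical, and the assumptions are that the buffer holds count elements plus one terminator byte and that the file size and data offset are known to the caller.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern: 32-bit "count + 1" wraps to 0 when count is 0xFFFFFFFF. */
uint32_t naive_ascii_alloc_size(uint32_t count)
{
    return count + 1u;   /* unsigned wraparound, well defined in C */
}

/*
 * Checked pattern (hypothetical helper). Stores count * elem_size + 1 in *out
 * and returns 1 only if the arithmetic cannot wrap and the field data lies
 * inside the file; returns 0 for any entry that must be rejected.
 */
int checked_field_alloc_size(uint32_t count, uint32_t elem_size,
                             uint64_t file_size, uint64_t data_offset,
                             uint32_t *out)
{
    if (elem_size == 0 || count > (UINT32_MAX - 1u) / elem_size)
        return 0;                    /* count * elem_size + 1 would wrap */
    uint32_t data_len = count * elem_size;
    if (data_offset > file_size || data_len > file_size - data_offset)
        return 0;                    /* entry claims more bytes than exist */
    *out = data_len + 1u;
    return 1;
}

int main(void)
{
    uint32_t size = 0;
    /* Constructed values: a 4096-byte file with field data at offset 100. */
    printf("naive size for count -1: %u\n",
           (unsigned)naive_ascii_alloc_size(0xFFFFFFFFu));
    printf("checked, count -1: %s\n",
           checked_field_alloc_size(0xFFFFFFFFu, 1, 4096, 100, &size)
               ? "accept" : "reject");
    if (checked_field_alloc_size(12, 1, 4096, 100, &size))
        printf("checked, count 12: accept, allocate %u bytes\n", (unsigned)size);
    return 0;
}
```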
Subject: Updated samba package for LBA-Linux R2
Advisory ID: LBASA-2004:50
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0930
The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly
other versions allows remote authenticated users to cause a
denial of service (CPU consumption) via a SAMBA request that
contains multiple * (wildcard) characters.
CAN-2004-0882
Buffer overflow in the QFILEPATHINFO request handler in
Samba 3.0.x through 3.0.7 may allow remote attackers to
execute arbitrary code via a TRANSACT2_QFILEPATHINFO request
with a small "maximum data bytes" value.
CAN-2004-1154
Integer overflow in the Samba daemon (smbd) in Samba 2.x
and 3.0.x through 3.0.9 allows remote authenticated users to
cause a denial of service (application crash) and possibly execute
arbitrary code via a Samba request with a large number of security
descriptors that triggers a heap-based buffer overflow.
Subject: Updated xpdf package for LBA-Linux R2
Advisory ID: LBASA-2004:51
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-1125
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, allows remote
attackers to cause a denial of service (application crash) and possibly execute arbitrary
code via a crafted PDF file that causes the boundaries of a maskColors array to be exceeded.
Subject: Updated cups package for LBA-Linux R2
Advisory ID: LBASA-2004:52
Date: Tuesday, January 11, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0558
The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote
attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.
CAN-2004-0888
Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as
CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code.
CAN-2004-0923
CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file,
which allows local users to obtain user names and passwords.
CAN-2004-1125
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that
share code such as cups, allows remote attackers to cause a denial of service (application crash)
and possibly execute arbitrary code via a crafted PDF file that causes the boundaries of a maskColors
array to be exceeded.
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
Product : Fedora Core 2
Name : kernel
Version : 2.6.10
Release : 1.8_FC2
Summary : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.
This update rebases the kernel to match the upstream 2.6.10 release,
and adds a number of security fixes by means of adding the latest -ac patch.
CAN-2004-1235
Paul Starzetz from isec.pl found a problem in the binary format loaders' uselib()
function that could lead to potential privilege escalation.
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
NO-CAN-ASSIGNED
Brad Spengler found several problems.
An integer overflow in the random poolsize sysctl handler.
SCSI ioctl integer overflow and information leak.
RLIMIT_MEMLOCK bypass and unprivileged user DoS.
NO-CAN-ASSIGNED
Coverity Inc. found a number of bugs with their automated source checker
in coda, xfs, network bridging, rose network protocol, and the sdla wan driver.
http://linuxbugs.coverity.com
Product : Fedora Core 3
Name : kernel
Version : 2.6.10
Release : 1.737_FC3
Summary : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.
This update rebases the kernel to match the upstream 2.6.10 release,
and adds a number of security fixes by means of adding the latest -ac patch.
CAN-2004-1235
Paul Starzetz from isec.pl found a problem in the binary format loaders' uselib()
function that could lead to potential privilege escalation.
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
NO-CAN-ASSIGNED
Brad Spengler found several problems.
An integer overflow in the random poolsize sysctl handler.
SCSI ioctl integer overflow and information leak.
RLIMIT_MEMLOCK bypass and unprivileged user DoS.
NO-CAN-ASSIGNED
Coverity Inc. found a number of bugs with their automated source checker
in coda, xfs, network bridging, rose network protocol, and the sdla wan driver.
http://linuxbugs.coverity.com