Linux Today: Linux News On Internet Time.


Advisories, February 23, 2006

Feb 24, 2006, 04:45

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:047
http://www.mandriva.com/security/


Package : metamail
Date : February 22, 2006
Affected: 10.1, 10.2, 2006.0, Corporate 3.0


Problem Description:

Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail.

The updated packages have been patched to address this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0709


Updated Packages:

Mandriva Linux 10.1:
ba0268bd4a41df13182c7ad54326dba5 10.1/RPMS/metamail-2.7-11.1.101mdk.i586.rpm
37738308d3dff71b6eb473c207acc588 10.1/SRPMS/metamail-2.7-11.1.101mdk.src.rpm

Mandriva Linux 10.1/X86_64:
31b1df74ae413c00e037675fb772bc86 x86_64/10.1/RPMS/metamail-2.7-11.1.101mdk.x86_64.rpm
37738308d3dff71b6eb473c207acc588 x86_64/10.1/SRPMS/metamail-2.7-11.1.101mdk.src.rpm

Mandriva Linux 10.2:
6dae955385087b6bffdebca801ac2de9 10.2/RPMS/metamail-2.7-11.1.102mdk.i586.rpm
d4f56b18f644e54f5aaadf59247b6ba9 10.2/SRPMS/metamail-2.7-11.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
b8904fd8e2d4c4b16329eb3be040ae82 x86_64/10.2/RPMS/metamail-2.7-11.1.102mdk.x86_64.rpm
d4f56b18f644e54f5aaadf59247b6ba9 x86_64/10.2/SRPMS/metamail-2.7-11.1.102mdk.src.rpm

Mandriva Linux 2006.0:
983ad9efe0f7270920f719209e29ef8d 2006.0/RPMS/metamail-2.7-11.2.20060mdk.i586.rpm
f2d440c17063c3440342afd83a939dfe 2006.0/SRPMS/metamail-2.7-11.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
3b2eb2370dd3a37a0f6e7b8e6e97d65f x86_64/2006.0/RPMS/metamail-2.7-11.2.20060mdk.x86_64.rpm
f2d440c17063c3440342afd83a939dfe x86_64/2006.0/SRPMS/metamail-2.7-11.2.20060mdk.src.rpm

Corporate 3.0:
193e9f3fe5013735ae70e1f0d123375c corporate/3.0/RPMS/metamail-2.7-11.1.C30mdk.i586.rpm
33711284aa358a2d82db961a27231e6e corporate/3.0/SRPMS/metamail-2.7-11.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
6b44f1e909779950783bbab4988e391a x86_64/corporate/3.0/RPMS/metamail-2.7-11.1.C30mdk.x86_64.rpm
33711284aa358a2d82db961a27231e6e x86_64/corporate/3.0/SRPMS/metamail-2.7-11.1.C30mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Ubuntu Linux


Ubuntu Security Notice USN-257-1 February 23, 2006
tar vulnerability
CVE-2006-0300

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

tar

The problem can be corrected by upgrading the affected package to version 1.14-2ubuntu0.1 (for Ubuntu 5.04), or 1.15.1-2ubuntu0.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking a user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user.

The tar version in Ubuntu 4.10 is not affected by this vulnerability.

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.diff.gz
      Size/MD5: 21395 1f8f561b862e0eaa1d3d76ab5b0805cc
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.dsc
      Size/MD5: 568 1ac96d117355d0c6501bcfc0603d7f35
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14.orig.tar.gz
      Size/MD5: 1485633 3094544702b1affa32d969f0b6459663

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_amd64.deb
      Size/MD5: 374144 92a29882b472aae37c4f241a2b3d70b7

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_i386.deb
      Size/MD5: 366426 bd8a627f95eea1d4dd38da1b8cb755a2

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_powerpc.deb
      Size/MD5: 377108 8d1b6600f06a051dc7236e8e65c2032f

Updated packages for Ubuntu 5.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.diff.gz
      Size/MD5: 28928 e545480fd691241448cd885504e50393
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.dsc
      Size/MD5: 576 c9d9bf92c8460d314cb3320666b01294
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
      Size/MD5: 2204322 d87021366fe6488e9dc398fcdcb6ed7d

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_amd64.deb
      Size/MD5: 531590 9f7a550698b0a138f4d92ec06ecfec96

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_i386.deb
      Size/MD5: 519510 fd362a5872f6924e491e2caf7639162b

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_powerpc.deb
      Size/MD5: 533538 c8148419548837909a81da6983af2964