dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Security Digest: January 23, 2005

Jan 24, 2005, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 654-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : enscript
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-1184 CAN-2004-1185 CAN-2004-1186

Erik S. has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2004-1184

Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.

CAN-2004-1185

Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.

CAN-2004-1186

Multiple buffer overflows can cause the program to crash.

Usually, enscript is only run locally, but since it is executed inside of viewcvs some of the problems mentioned above can easily be turned into a remote vulnerability.

For the stable distribution (woody) these problems have been fixed in version 1.6.3-1.3.

For the unstable distribution (sid) these problems have been fixed in version 1.6.4-6.

We recommend that you upgrade your enscript package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.dsc
Size/MD5 checksum: 598 b64a0ab822bd8e613a96cfe534f40cbc
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.diff.gz
Size/MD5 checksum: 7312 5f39d5caad3a93f874705a10f4a4ae6d
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3.orig.tar.gz
Size/MD5 checksum: 814308 ec717f8b0de7db00a21a21f70d354610

Alpha architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_alpha.deb
Size/MD5 checksum: 488176 ef6dc427cf55c77423da2b84c04a291e

ARM architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_arm.deb
Size/MD5 checksum: 466220 6443058723684f0c7b7d14d659e909bf

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_i386.deb
Size/MD5 checksum: 458068 1b5dd9325b47b06f6fb0280a74753bdd

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_ia64.deb
Size/MD5 checksum: 506248 5a4bc6e9f0f771b694e65908bc302e64

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_hppa.deb
Size/MD5 checksum: 477426 0f2bc8aba5c8f244d6d882c87b01946a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_m68k.deb
Size/MD5 checksum: 447374 1054d2c3a5f249b2c7167fdd2aec2726

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mips.deb
Size/MD5 checksum: 470862 996def7fa0ca46edac520083d5d22e39

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mipsel.deb
Size/MD5 checksum: 470122 1f886d9ab7df6d9e3b4aafe6840676f8

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_powerpc.deb
Size/MD5 checksum: 466374 a08bf7e3d47b5ed94cf436439d21922b

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_s390.deb
Size/MD5 checksum: 460778 a2f4b67a5c7af46eba735b44ccea7de1

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_sparc.deb
Size/MD5 checksum: 465822 a8da2cae1003ca40e4e8b6c81137fb63

These files will probably be moved into the stable distribution on its next update.


Debian Security Advisory DSA 652-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : unarj
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-0947 CAN-2004-1027
Debian Bug : 281922

Several vulnerabilities have been discovered in unarj, a non-free ARJ unarchive utility. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:

CAN-2004-0947

A buffer overflow has been discovered when handling long file names contained in an archive. An attacker could create a specially crafted archive which could cause unarj to crash or possibly execute arbitrary code when being extracted by a victim.

CAN-2004-1027

A directory traversal vulnerability has been found so that an attacker could create a specially crafted archive which would create files in the parent directory when being extracted by a victim. When used recursively, this vulnerability could be used to overwrite critical system files and programs.

For the stable distribution (woody) these problems have been fixed in version 2.43-3woody1.

For the unstable distribution (sid) these problems don't apply since unstable/non-free does not contain the unarj package.

We recommend that you upgrade your unarj package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.dsc
Size/MD5 checksum: 528 e1d166f2eaf315641d1269a32ad1dc76
http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.diff.gz
Size/MD5 checksum: 12903 4ef4cfad33d05ecc048d63596ab2673c
http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43.orig.tar.gz
Size/MD5 checksum: 39620 7a481dc017f1fbfa7f937a97e66eb99f

Alpha architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb
Size/MD5 checksum: 29668 08dc91afd3146ccdfaa51d73f8be56e5

ARM architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_arm.deb
Size/MD5 checksum: 22784 ed352d363cbeb34ba2268db63a632824

Intel IA-32 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_i386.deb
Size/MD5 checksum: 20690 aa9490bd82bc9aef4f6092d19fa83eaa

Intel IA-64 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb
Size/MD5 checksum: 31072 0b1f0403cfaaf572399fcb60b2549664

HP Precision architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb
Size/MD5 checksum: 23888 15a8d6b0b7b565186398c0b8ebe3eb6a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb
Size/MD5 checksum: 20384 644a6dcc9f566bad384c050bc8b8fb14

PowerPC architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb
Size/MD5 checksum: 23060 5c5a1f0157aa613337f80b439e78456f

IBM S/390 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_s390.deb
Size/MD5 checksum: 22668 97dc977c8217a10d4915ee32db49edd5

Sun Sparc architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb
Size/MD5 checksum: 25386 bd2210a978ad30306e3db2ab112c87e8

These files will probably be moved into the stable distribution on its next update.


Debian Security Advisory DSA 653-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : ethereal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0084

A buffer overflow has been detected in the X11 dissector of ethereal, a commonly used network traffic analyser. A remote attacker may be able to overflow a buffer using a specially crafted IP packet. More problems have been discovered which don't apply to the version in woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed in version 0.9.4-1woody11.

For the unstable distribution (sid) this problem has been fixed in version 0.10.9-1.

We recommend that you upgrade your ethereal package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.dsc
Size/MD5 checksum: 681 8e8bbe73bf65d45446fb7c03dddb41a1
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.diff.gz
Size/MD5 checksum: 40601 a9a6e17ee6c2e1749ac3d140628c77c6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 1941102 aab1360769a64476ce4113068230c8ad
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 334424 c3647ca04af3f48b4e24ec6ae2fa6b4d
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 222460 06e7e8c5713efa6f102bb436c6251e61
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 1707844 08f64c248a99394a8366ca5b512e096d

ARM architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 1635456 190bd5415abaf62c1cde340605079152
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 297770 6d5ee1df687aeee0e49d4bc27cfab0da
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 206356 fcba9b5be975e62bd5cf8efca338a299
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 1439676 d825f5c16e37f1a5c1a7aaa6ba0798b1

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 1513338 996070722f320a6d6d40652101480ec6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 286736 69fd768db07ee2ac52b33f3188fdba97
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 198652 50e416b732e5d02d1f8e6bfb5269d1f9
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 1326536 c8415c2297b0bc30a297b3b07e0a1186

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 2150414 b46cc7da4c46e2a920299cef6d6f1f1c
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 373372 1b977535a20b449ea7c1b21e09f9493b
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 234004 e8c69f3f1db9708ceb2e74122e81c168
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 1861780 6c48358d2c8c892d24ebbc29b020931d

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 1804712 495491720997b53f60f5b9dbfeabac27
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 322696 cccbc77685f25eb8aa1a8429e0298dd7
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 217116 3bcb0ff60d01b12b85d25ee6e277fbe2
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 1576164 67ecb81ffa522198b999353ce6294b19

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 1424704 7014155418ca6c1947e71a04ab716b03
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 282996 c73d8c241771bbe5f89c1e859e436aba
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 195364 21d07bf8bb05d52dfd45d91c73c656a6
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 1248922 5cd077cf05e8e14f627a10e44ced739d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 1617160 41dd4cd8059c472ff109bb002d9b5074
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 305514 855a56f8596f0bb4da7fe0024616d87a
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 213936 8459c58071700c436ea96af9a6fd7901
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 1422110 bdcdf3c021429ccaf8eb95027a48f69e

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 1598210 0c60efc6fcdea7d25359ecd88dd8aeff
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 304982 63cea39a93b19891ae0bbfaa8c5e0327
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 213596 e7d160f30cd5e9360fc90d4ef160dfb6
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 1406444 e8f3d141f724da42a16d051c12879efb

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 1618676 f3890280569d1b2a7e66c039c0def6b4
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 302174 d5c364dcb6039f637005c4ce259bed2c
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 209172 ae06ac9e4e976d4fd846b3b222efe911
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 1419454 2a6a56b278e0e647cbb7c41881e5aaa0

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 1574786 17c662f34613b6b0fb24e033dd1fc463
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 301014 7f0c78cce38eb8927b708146cb4b8463
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 204250 f85efb4e0c75da840c7b1224292f7005
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 1387552 c4e2e39307ca9b70793e1b8a6dc9a3ee

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 1583368 199f9efbe4d98e43882bb28d054c8ff6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 318282 87d2b4c8298e3e179d89aa3827602011
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 205026 0c71e4c61947bc0f198de8d66a1892b4
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 1389390 8327f812bcaee04cf83fc34f8450aacc

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200501-30

http://security.gentoo.org/


Severity: Normal
Title: CUPS: Stack overflow in included Xpdf code
Date: January 22, 2005
Bugs: #78249
ID: 200501-30


Synopsis

CUPS includes Xpdf code and therefore is vulnerable to the recent stack overflow issue, potentially resulting in the remote execution of arbitrary code.

Background

The Common UNIX Printing System (CUPS) is a cross-platform print spooler. It makes use of Xpdf code to handle PDF files.

Affected packages


     Package         /   Vulnerable   /                     Unaffected

  1  net-print/cups      < 1.1.23-r1                      >= 1.1.23-r1

Description

The Decrypt::makeFileKey2 function in Xpdf's Decrypt.cc insufficiently checks boundaries when processing /Encrypt /Length tags in PDF files (GLSA 200501-28).

Impact

This issue could be exploited by a remote attacker to execute arbitrary code by sending a malicious print job to a CUPS spooler.

Workaround

There is no known workaround at this time.

Resolution

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r1"

References

[ 1 ] CAN-2005-0064

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

[ 2 ] GLSA 200501-28

http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-30.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-28

http://security.gentoo.org/


Severity: Normal
Title: Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2
Date: January 21, 2005
Bugs: #77888, #78128
ID: 200501-28


Synopsis

A stack overflow was discovered in Xpdf, potentially resulting in the execution of arbitrary code. GPdf includes Xpdf code and therefore is vulnerable to the same issue.

Background

Xpdf is an open source viewer for Portable Document Format (PDF) files. GPdf is a Gnome-based PDF viewer that includes some Xpdf code.

Affected packages


     Package        /  Vulnerable  /                        Unaffected

  1  app-text/xpdf     <= 3.00-r7                           >= 3.00-r8
  2  app-text/gpdf       < 2.8.2                              >= 2.8.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

iDEFENSE reports that the Decrypt::makeFileKey2 function in Xpdf's Decrypt.cc insufficiently checks boundaries when processing /Encrypt /Length tags in PDF files.

Impact

An attacker could entice an user to open a specially-crafted PDF file which would trigger a stack overflow, potentially resulting in execution of arbitrary code with the rights of the user running Xpdf or GPdf.

Workaround

There is no known workaround at this time.

Resolution

All Xpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r8"

All GPdf users should also upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.8.2"

References

[ 1 ] CAN-2005-0064

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

[ 2 ] iDEFENSE Advisory

http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=true

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-28.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-26

http://security.gentoo.org/


Severity: Normal
Title: ImageMagick: PSD decoding heap overflow
Date: January 20, 2005
Bugs: #77932
ID: 200501-26


Synopsis

ImageMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

Background

ImageMagick is a collection of tools to read, write and manipulate images in many formats.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  media-gfx/imagemagick      < 6.1.8.8                   >= 6.1.8.8

Description

Andrei Nigmatulin discovered that a Photoshop Document (PSD) file with more than 24 layers could trigger a heap overflow.

Impact

An attacker could potentially design a mailicous PSD image file to cause arbitrary code execution with the permissions of the user running ImageMagick.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.1.8.8"

References

[ 1 ] CAN-2005-0005

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

[ 2 ] iDEFENSE Advisory

http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-26.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-29

http://security.gentoo.org/


Severity: Low
Title: Mailman: Cross-site scripting vulnerability
Date: January 22, 2005
Bugs: #77524
ID: 200501-29


Synopsis

Mailman is vulnerable to cross-site scripting attacks.

Background

Mailman is a Python-based mailing list server with an extensive web interface.

Affected packages


     Package           /  Vulnerable  /                     Unaffected

  1  net-mail/mailman     < 2.1.5-r3                       >= 2.1.5-r3

Description

Florian Weimer has discovered a cross-site scripting vulnerability in the error messages that are produced by Mailman.

Impact

By enticing a user to visiting a specially-crafted URL, an attacker can execute arbitrary script code running in the context of the victim's browser.

Workaround

There is no known workaround at this time.

Resolution

All Mailman users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r3"

References

[ 1 ] CAN-2004-1177

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1177

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-29.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-27

http://security.gentoo.org/


Severity: High
Title: Ethereal: Multiple vulnerabilities
Date: January 20, 2005
Bugs: #78559
ID: 200501-27


Synopsis

Multiple vulnerabilities exist in Ethereal, which may allow an attacker to run arbitrary code, crash the program or perform DoS by CPU and disk utilization.

Background

Ethereal is a feature rich network protocol analyzer.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  net-analyzer/ethereal      < 0.10.9                     >= 0.10.9

Description

There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.9, including:

  • The COPS dissector could go into an infinite loop (CAN-2005-0006).
  • The DLSw dissector could cause an assertion, making Ethereal exit prematurely (CAN-2005-0007).
  • The DNP dissector could cause memory corruption (CAN-2005-0008).
  • The Gnutella dissector could cause an assertion, making Ethereal exit prematurely (CAN-2005-0009).
  • The MMSE dissector could free statically-allocated memory (CAN-2005-0010).
  • The X11 dissector is vulnerable to a string buffer overflow (CAN-2005-0084).

Impact

An attacker might be able to use these vulnerabilities to crash Ethereal, perform DoS by CPU and disk space utilization or even execute arbitrary code with the permissions of the user running Ethereal, which could be the root user.

Workaround

For a temporary workaround you can disable all affected protocol dissectors by selecting Analyze->Enabled Protocols... and deselecting them from the list. However, it is strongly recommended to upgrade to the latest stable version.

Resolution

All Ethereal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.9"

References

[ 1 ] CAN-2005-0006

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0006

[ 2 ] CAN-2005-0007

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0007

[ 3 ] CAN-2005-0008

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0008

[ 4 ] CAN-2005-0009

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0009

[ 5 ] CAN-2005-0010

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0010

[ 6 ] CAN-2005-0084

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0084

[ 7 ] Ethereal Release Notes

http://www.ethereal.com/news/item_20050120_01.html

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-27.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

KDE

KDE Security Advisory: KOffice PDF Import Filter Vulnerability
Original Release Date: 2005-01-20
URL: http://www.kde.org/info/security/advisory-20050120-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0064
http://www.idefense.com/application/poi/display?id=3D186&type=3Dvulnerab= ilities

1. Systems affected:

KOffice 1.3 up to including KOffice 1.3.5

2. Overview:

The KOffice PDF Import Filter shares code with xpdf. xpdf contains a buffer overflow that can be triggered by a specially crafted PDF file.

3. Impact:

Remotely supplied pdf files can be used to execute arbitrary code on the client machine when the user opens such file in KOffice.

4. Solution:

Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:

Patch for KOffice 1.3.5 is available from=20 ftp://ftp.kde.org/pub/kde/security_patches :
0e6194cbfe3f6d3b3c848c2c76ef5bfb post-1.3.5-koffice.diff

6. Time line and credits:

19/01/2005 KDE Security Team alerted by Carsten Lohrke
19/01/2005 Patches from xpdf 3.00pl3 applied to KDE CVS and patches prepared.
20/01/2005 Public disclosure.


KDE Security Advisory: Multiple vulnerabilities in Konversation
Original Release Date: 20050121
URL: http://www.kde.org/info/security/advisory-20050121-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0131
http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

1. Systems affected:

All Konversation versions up to and including 0.15

2. Overview:

Multiple vulnerabilities have been discovered in Konversation, an IRC client for KDE. A flaw in the expansion of %-escaped variables makes that %-escaped variables in certain input strings will be inadvertently expanded too. The Common Vulnerabilities and Exposures project (cve.mitre.org has assigned the name CAN-2005-0129 to this issue. Several perl scripts included with Konversation fail to properly handle command line arguments causing a command line injection vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0130 to this issue. Nick and password are confused in the quick connection dialog,=20 so connecting with that dialog and filling in a password, would use that password as nick, and may inadvertently expose the password to others. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0131 to this issue.

3. Impact:

A user might be tricked to join a channel with a specially crafted channel name containing shell commands. If user runs a script in that channel it will result in an arbitrary command execution.

If quick connect is used with a password, the password is used as nickname instead. As a result the password may be exposed to others.

4. Solution:

Upgrade to Konversation 0.15.1 available from http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2

5. Patch:

A patch for Konversation 0.15 is available from ftp://ftp.kde.org/pub/kde/security_patches
36f8b6beac18a9d173339388d13e2335 post-0.15-konversation.diff

6. Time line and credits:

18/01/2005 Konversation developers informed by Wouter Coekaerts
19/01/2005 Patches applied to KDE CVS.
19/01/2005 Konversation 0.15.1 released.
21/01/2005 KDE Security Advisory released.

LBA-Linux


LBA-Linux Security Advisory

Subject: Updated cups package for LBA-Linux R2
Advisory ID: LBASA-2004:59
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2004-1267
Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.

CAN-2004-1268
lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors.

CAN-2004-1269
lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.

CAN-2004-1270
lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.

Updated packages:

LBA-Linux R2:

i386:
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-1.1.20-4.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-libs-1.1.20-4.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-devel-1.1.20-4.lba.4.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named cups to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated kdegraphics package for LBA-Linux R2
Advisory ID: LBASA-2004:60
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.

Updated packages:

LBA-Linux R2:

i386:
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/kdegraphics-3.2.0-1.3.lba.7.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/kdegraphics-devel-3.2.0-1.3.lba.7.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named kdegraphics to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated tetex package for LBA-Linux R2
Advisory ID: LBASA-2004:61
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.

Updated packages:

LBA-Linux R2:

i386:
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-afm-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-doc-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-dvips-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-fonts-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-latex-2.0.2-12.lba.4.i386.rpm
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-xdvi-2.0.2-12.lba.4.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named tetex to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated xpdf package for LBA-Linux R2
Advisory ID: LBASA-2004:58
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.

Updated packages:

LBA-Linux R2:

i386:
ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/xpdf-3.00-3.lba.8.i386.rpm

U