Linux Today: Linux News On Internet Time.






Advisories: July 14, 2005

Jul 15, 2005, 04:45

Debian GNU/Linux


Debian Security Advisory DSA 746-1                     security@debian.org
http://www.debian.org/security/                               Michael Stone
July 13, 2005                           http://www.debian.org/security/faq


Package : phpgroupware
Vulnerability : remote command execution
Problem type : input validation error
Debian-specific: no
CVE Id(s) : CAN-2005-1921

A vulnerability has been identified in the xmlrpc library included with phpgroupware, a web-based application including email, calendar and other groupware functionality. This vulnerability could lead to the execution of arbitrary commands on the server running phpgroupware.

The security team is continuing to investigate the version of phpgroupware included with the old stable distribution (woody). At this time we recommend disabling phpgroupware or upgrading to the current stable distribution (sarge).

For the current stable distribution (sarge) this problem has been fixed in version 0.9.16.005-3.sarge0.

For the unstable distribution (sid) this problem has been fixed in version 0.9.16.006-1.

We recommend that you upgrade your phpgroupware package.

Upgrade instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (sarge)


sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.



For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated ImageMagick packages fix security issues
Advisory ID: FLSA:152777
Issue date: 2005-07-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2003-0455 CAN-2004-0827 CAN-2004-0981 CAN-2005-0005 CAN-2005-0397 CAN-2005-0759 CAN-2005-0760 CAN-2005-0761 CAN-2005-0762 CAN-2005-1275 CAN-2005-1739



1. Topic:

Updated ImageMagick packages that fix multiple security vulnerabilities are now available.

ImageMagick(TM) is an image display and manipulation tool for the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A temporary file handling bug has been found in ImageMagick's libmagick library. A local user could overwrite or create files as a different user if a program was linked with the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0455 to this issue.

A heap overflow flaw has been discovered in the ImageMagick image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0827 to this issue.

A buffer overflow flaw was discovered in the ImageMagick image handler. An attacker could create a carefully crafted image file with an improper EXIF information in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0981 to this issue.

Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0005 to this issue.

A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0397 to this issue.

A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0759 to this issue.

A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0760 to this issue.

A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0761 to this issue.

A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0762 to this issue.

A heap based buffer overflow bug was found in the way ImageMagick parses PNM files. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted PNM file. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-1275 to this issue.

A denial of service bug was found in the way ImageMagick parses XWD files. A user or program executing ImageMagick to process a malicious XWD file can cause ImageMagick to enter an infinite loop causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-1739 to this issue.

Users of ImageMagick should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152777

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ImageMagick-5.4.3.11-12.7.x.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-devel-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-devel-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-perl-5.4.3.11-12.7.x.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ImageMagick-5.4.7-18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-devel-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-devel-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-perl-5.4.7-18.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ImageMagick-5.5.6-13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-devel-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-perl-5.5.6-13.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ImageMagick-6.2.0.7-2.fc2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
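Checking a directory of downloaded packages against the checksum lists the Fedora Legacy and Debian advisories above publish, as an added example (not code from either project; it reads the Fedora "<sha1> <path>" lines and the Debian "URL line, then Size/MD5 checksum: <size> <md5>" pairs, and every file body and digest below is constructed):

```python
"""Check downloaded update packages against an advisory's checksum list.

Added example; not code from Fedora Legacy or Debian. It reads two layouts:
the Fedora Legacy verification list ("<sha1> <path>" per line) and the
Debian DSA footer (a URL line followed by "Size/MD5 checksum: <size> <md5>").
All file contents and digests below are constructed for the demo.
"""
import hashlib
import hmac
import os
import re
import tempfile

SHA1_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")
DEBIAN_URL = re.compile(r"^(https?://\S+)$")
DEBIAN_SUM = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$")


def parse_checksums(text):
    """Return (path, algorithm, expected_hex, size_or_None) per listed file."""
    entries = []
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SHA1_LINE.match(line)
        if m:
            entries.append((m.group(2), "sha1", m.group(1), None))
            continue
        m = DEBIAN_URL.match(line)
        if m:
            pending_url = m.group(1)  # the checksum line follows the URL line
            continue
        m = DEBIAN_SUM.match(line)
        if m and pending_url:
            entries.append((pending_url, "md5", m.group(2), int(m.group(1))))
            pending_url = None
    return entries


def verify_file(path, algorithm, expected_hex, size=None):
    """True only when the size (if listed) and the digest both match."""
    if size is not None and os.path.getsize(path) != size:
        return False
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.lower())


def verify_downloads(download_dir, checksum_text):
    """Map each listed package name to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for path, algorithm, expected, size in parse_checksums(checksum_text):
        name = os.path.basename(path)
        local = os.path.join(download_dir, name)
        if not os.path.isfile(local):
            results[name] = "missing"
        elif verify_file(local, algorithm, expected, size):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed download set: one intact, one altered, one absent, one .deb."""
    good = b"constructed package bytes, not a real rpm\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("ImageMagick-good.i386.rpm", good),
                           ("ImageMagick-bad.i386.rpm", good + b"x"),
                           ("phpgroupware_demo_all.deb", good)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        sha1 = hashlib.sha1(good).hexdigest()
        listing = "\n".join([
            sha1 + " fedora/2/updates/i386/ImageMagick-good.i386.rpm",
            sha1 + " fedora/2/updates/i386/ImageMagick-bad.i386.rpm",
            sha1 + " fedora/2/updates/i386/ImageMagick-absent.i386.rpm",
            "http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_demo_all.deb",
            "Size/MD5 checksum: %d %s" % (len(good), hashlib.md5(good).hexdigest()),
        ])
        return verify_downloads(d, listing)


if __name__ == "__main__":
    # A matching digest shows the file is intact; only 'rpm --checksig' proves
    # who signed it, so run both before installing.
    for name, status in sorted(demo().items()):
        print("%-36s %s" % (name, status))
```

A digest match only proves the file equals what the advisory listed; the GPG signature check (rpm --checksig above) is what ties the package to Fedora Legacy.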

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1739

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200507-13

http://security.gentoo.org/


Severity: Normal
Title: pam_ldap and nss_ldap: Plain text authentication leak
Date: July 14, 2005
Bugs: #96767
ID: 200507-13


Synopsis

pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

Background

pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.

Affected packages


     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  sys-auth/nss_ldap       < 239-r1                        >= 239-r1
                                                            *>= 226-r1
  2  sys-auth/pam_ldap       < 178-r1                        >= 178-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.

Impact

An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

Workaround

pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS.
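The workaround above (force SSL rather than StartTLS) checked and applied to an ldap.conf, as an added example that is not part of the GLSA or of pam_ldap/nss_ldap; it assumes those modules' 'ssl on' / 'ssl start_tls' and 'uri'/'host' keywords, that the directory servers also serve LDAPS on port 636, and uses constructed sample configs:

```python
"""Assess a pam_ldap/nss_ldap ldap.conf against GLSA 200507-13's workaround.

Added example; not code from the advisory or the pam_ldap/nss_ldap projects.
Assumes the ldap.conf keywords those modules use: 'ssl' ('on' = LDAPS,
'start_tls', or 'off'), 'uri' and 'host'. Sample configs are constructed,
and the rewrite assumes the directory servers also listen for LDAPS on 636.
"""
import re


def parse_ldap_conf(text):
    """Lowercased keyword -> list of values; comments and blank lines skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def transports(conf):
    """(initial connection, referred connection) as an unpatched module makes them."""
    ssl_mode = (conf.get("ssl") or ["off"])[-1].lower()
    uris = [u for v in conf.get("uri", []) for u in v.split()]
    if ssl_mode == "on" or (uris and all(u.lower().startswith("ldaps://") for u in uris)):
        return "ldaps", "ldaps"          # SSL wraps every socket, referral included
    if ssl_mode == "start_tls":
        return "start_tls", "plaintext"  # upgrade negotiated once, not after the referral
    return "plaintext", "plaintext"


def assess(text):
    """'exposed' when a slave-to-master referral downgrades the session."""
    initial, referred = transports(parse_ldap_conf(text))
    if initial == "plaintext":
        return "plaintext"   # unencrypted by configuration, not by this bug
    if referred == "plaintext":
        return "exposed"
    return "ok"


def apply_workaround(text):
    """Force SSL: 'ssl start_tls' -> 'ssl on', ldap:// URIs -> ldaps://."""
    out = []
    for raw in text.splitlines():
        if re.match(r"(?i)^\s*ssl\s+start_tls\s*$", raw):
            out.append("ssl on")
        elif re.match(r"(?i)^\s*uri\s", raw):
            out.append(re.sub(r"(?i)ldap://([^\s:/]+)(?::389)?", r"ldaps://\1", raw))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


WEAK_CONF = """# constructed: TLS is negotiated on the first hop only
host ldap-slave.example.com
base dc=example,dc=com
ssl start_tls
"""

if __name__ == "__main__":
    print("before:", assess(WEAK_CONF))                    # exposed
    print("after: ", assess(apply_workaround(WEAK_CONF)))  # ok
```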

Resolution

All pam_ldap users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose sys-auth/nss_ldap

References

[ 1 ] CAN-2005-2069

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-13.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Mandriva Linux


Mandriva Linux Security Update Advisory


Package name: krb5
Advisory ID: MDKSA-2005:119
Date: July 13th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1, Multi Network Firewall 2.0


Problem Description:

A number of vulnerabilities have been corrected in this Kerberos update:

The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CAN-2004-0175).

Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos-aware telnet client (CAN-2005-0488).

Daniel Wachdorf discovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CAN-2005-1174).

Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross-realm key with the target (CAN-2005-1175).

Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CAN-2005-1689).

The updated packages have been patched to address these issues and Mandriva urges all users to upgrade to these packages as quickly as possible.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
http://www.kb.cert.org/vuls/id/623332
http://www.kb.cert.org/vuls/id/259798
http://www.kb.cert.org/vuls/id/885830
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt


Updated Packages:

ddd38c40766625e7ac7a2c7964d1bf99 corporate/3.0/RPMS/krb5-server-1.3-6.6.C30mdk.i586.rpm
8e83fef835a01e12aa3273b8b8970717 corporate/3.0/RPMS/krb5-workstation-1.3-6.6.C30mdk.i586.rpm
24a4d0ffa3c2651121d7f7381cafad29 corporate/3.0/RPMS/libkrb51-1.3-6.6.C30mdk.i586.rpm
be8a2e1088d1b06054a97c773960b0e0 corporate/3.0/RPMS/libkrb51-devel-1.3-6.6.C30mdk.i586.rpm
1274d73b2ada444ebe50b998d1d83d6a corporate/3.0/RPMS/telnet-client-krb5-1.3-6.6.C30mdk.i586.rpm
fdf3981cdc25a9afee54a61cb01d042c corporate/3.0/RPMS/telnet-server-krb5-1.3-6.6.C30mdk.i586.rpm
1738741854a9259ef09e6a6325349a14 corporate/3.0/SRPMS/krb5-1.3-6.6.C30mdk.src.rpm

Corporate 3.0/X86_64:
e6eda8a4875598ce56e56a7c45a9ca95 x86_64/corporate/3.0/RPMS/ftp-client-krb5-1.3-6.6.C30mdk.x86_64.rpm
e7bd3ed8c1e29b25ebb3bffc3fa8c46a x86_64/corporate/3.0/RPMS/ftp-server-krb5-1.3-6.6.C30mdk.x86_64.rpm
e134c8918d95e99784b9e1a4078fd7ab x86_64/corporate/3.0/RPMS/krb5-server-1.3-6.6.C30mdk.x86_64.rpm
0bf662ecfd42b2f68b2af8e05ad510c7 x86_64/corporate/3.0/RPMS/krb5-workstation-1.3-6.6.C30mdk.x86_64.rpm
262c7ec2ae2a0f72f3891abd5ed1b400 x86_64/corporate/3.0/RPMS/lib64krb51-1.3-6.6.C30mdk.x86_64.rpm
be39364202543ef56bbce8f5d69bf309 x86_64/corporate/3.0/RPMS/lib64krb51-devel-1.3-6.6.C30mdk.x86_64.rpm
d734050c0bfc0e5e65834aee4df6c77d x86_64/corporate/3.0/RPMS/telnet-client-krb5-1.3-6.6.C30mdk.x86_64.rpm
3a78f34256effe43feb9d6f3dc0fc62d x86_64/corporate/3.0/RPMS/telnet-server-krb5-1.3-6.6.C30mdk.x86_64.rpm
1738741854a9259ef09e6a6325349a14 x86_64/corporate/3.0/SRPMS/krb5-1.3-6.6.C30mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Update Advisory


Package name: mozilla-firefox
Advisory ID: MDKSA-2005:120
Date: July 13th, 2005
Affected versions: 10.2


Problem Description:

A number of vulnerabilities were reported and fixed in Firefox 1.0.5 and Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update:

In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode to a variant on MFSA 2005-34. Synthetic events are now prevented from reaching the browser UI entirely rather than depending on each potentially spoofed function to protect itself from untrusted events (MFSA 2005-45).

Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection (MFSA 2005-46).

If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image. The attacker would have to convince the user to change their desktop background to the exploit image, and to do so by using the Firefox context menu rather than first saving the image locally and using the normal mechanism provided by their operating system. This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The implementation of this feature in the Mozilla Suite is also unaffected (MFSA 2005-47).

The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector. In the Mozilla Suite the whitelist feature is turned off by default, so any site can prompt the user to install software and exploit this vulnerability. The browser has been fixed to clear any pending callback function when switching to a new site (MFSA 2005-48).

Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data (MFSA 2005-49).

When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address (MFSA 2005-50).

The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases (MFSA 2005-51).

A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner (MFSA 2005-52).
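The defence the MFSA 2005-52 description points at is a framed page verifying that its parent really comes from the same site before handing it control. As an added example (not Mozilla's code), the function below makes that comparison the way the same-origin policy defines it, on scheme, host and port via the WHATWG URL `origin` property, and wraps the `top.focus()` call behind it; the host names are constructed placeholders and `parentFocus` stands in for the real `top.focus`.

```javascript
// Added example (not Mozilla's code): the same-site check a framed page
// should make before trusting its parent, as a same-origin comparison.
// Host names used in tests are constructed placeholders.

// Origin = scheme + host + port; URL.origin drops default ports, so
// https://a/ and https://a:443/ compare equal. Opaque origins ("null",
// e.g. about:blank or data: URLs) never match anything, not even each other.
function sameOrigin(urlA, urlB) {
  let a, b;
  try {
    a = new URL(urlA).origin;
    b = new URL(urlB).origin;
  } catch (e) {
    return false; // unparsable URL: treat as untrusted
  }
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Model of the MFSA 2005-52 pattern: only call into the parent frame when it
// is same-origin. `parentFocus` stands in for top.focus(). Returns whether
// the call was made.
function focusParentIfSameSite(ownHref, parentHref, parentFocus) {
  if (!sameOrigin(ownHref, parentHref)) return false;
  parentFocus();
  return true;
}
```

In a real browser a cross-origin parent's `location` is not readable from the child, so in practice the value compared is `document.referrer` or the `origin` of a `postMessage` event rather than `top.location`; and a page that should never be framed by other sites says so with `X-Frame-Options` or a `frame-ancestors` Content-Security-Policy directive, which removes this whole class of problem.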

Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. External javascript: urls will now run in a blank context regardless of what content it's replacing, and external apps will no longer be able to load privileged chrome: urls in a browser window. The -chrome command line option to load chrome applications is still supported (MFSA 2005-53).

Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. In the fixed version these prompts will contain the hostname from the page which created it (MFSA 2005-54).

Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake <IMG> elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine (MFSA 2005-55).
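To make the MFSA 2005-55 bug class concrete, here is an added example (not Mozilla's code) contrasting the fragile check the advisory describes, matching on the tag name alone, with the check the fix calls for, which requires both the XHTML namespace and the expected local name before any built-in property of the element is trusted. The nodes are constructed plain objects carrying the three properties a real DOM node exposes (`nodeName`, `localName`, `namespaceURI`), so the logic runs outside a browser.

```javascript
// Added example (not Mozilla's code): identifying an element by tag name
// alone versus by namespace plus local name. Sample nodes are constructed
// objects standing in for DOM nodes.
const XHTML_NS = 'http://www.w3.org/1999/xhtml';
const ELEMENT_NODE = 1;

// The pattern the advisory describes: trusting nodeName alone. Any element
// in any namespace can carry the name "IMG", so this can be spoofed.
function looksLikeImgByName(node) {
  return typeof node.nodeName === 'string' && node.nodeName.toUpperCase() === 'IMG';
}

// The check the fix calls for: it must be an element, in the XHTML
// namespace, with the expected local name. Only then are properties such as
// src or naturalWidth the browser's own rather than content-defined.
function isHtmlElement(node, localName) {
  return node !== null && typeof node === 'object' &&
    node.nodeType === ELEMENT_NODE &&
    node.namespaceURI === XHTML_NS &&
    node.localName === localName;
}

// Constructed sample nodes.
const htmlImg = { nodeType: 1, nodeName: 'IMG', localName: 'img', namespaceURI: XHTML_NS };
// In an XHTML document nodeName is lower-case; still a genuine <img>.
const xhtmlImg = { nodeType: 1, nodeName: 'img', localName: 'img', namespaceURI: XHTML_NS };
// An element from a content-chosen namespace that merely calls itself IMG,
// with a content-defined "src" property instead of the built-in one.
const spoofedImg = { nodeType: 1, nodeName: 'IMG', localName: 'IMG',
                     namespaceURI: 'urn:example:custom', src: { contentControlled: true } };
const textNode = { nodeType: 3, nodeName: '#text' };

// Returns what each check decides for a node, for side-by-side comparison.
function classify(node) {
  return { byName: looksLikeImgByName(node), strict: isHtmlElement(node, 'img') };
}
```

The strict form is the one to use anywhere privileged code acts on nodes handed to it by content; the same reasoning applies to `localName` versus `tagName` for any element type, not just images.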

Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges (MFSA 2005-56).

The updated packages have been patched to address these issues.


References:

http://www.mozilla.org/security/announce/mfsa2005-45.html
http://www.mozilla.org/security/announce/mfsa2005-46.html
http://www.mozilla.org/security/announce/mfsa2005-47.html
http://www.mozilla.org/security/announce/mfsa2005-48.html
http://www.mozilla.org/security/announce/mfsa2005-49.html
http://www.mozilla.org/security/announce/mfsa2005-50.html
http://www.mozilla.org/security/announce/mfsa2005-51.html