dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Advisories, October 6, 2005

Oct 07, 2005, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 845-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 6th, 2005 http://www.debian.org/security/faq


Package : mason
Vulnerability : programming error
Problem type : remote
Debian-specific: yes
CVE ID : CAN-2005-3118
Debian Bug : 222384

Christoph Martin noticed that upon configuration mason, which interactively creates a Linux packet filtering firewall, does not install the init script to actually load the firewall during system boot. This will leave the machine without a firewall after a reboot.

For the old stable distribution (woody) this problem has been fixed in version 0.13.0.92-2woody1.

For the stable distribution (sarge) this problem has been fixed in version 1.0.0-2.2.

For the unstable distribution (sid) this problem has been fixed in version 1.0.0-3.

We recommend that you upgrade your mason package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1.dsc
      Size/MD5 checksum: 541 ecb992ca78a35ca58a14eeab6cf4f15c
    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1.diff.gz
      Size/MD5 checksum: 3659 222ab145878984b9e181eea0046b6526
    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92.orig.tar.gz
      Size/MD5 checksum: 218789 e1de238f5adc99bdbd519c92513f96b4

Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1_all.deb
      Size/MD5 checksum: 184824 e32b3597c9bbf77624e205a6c4a8fdd2

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2.dsc
      Size/MD5 checksum: 593 e899d7d2eeee90bdf85b37053613e0b4
    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2.diff.gz
      Size/MD5 checksum: 47013 0a8b604f753b008eaf3a5f2cca030023
    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0.orig.tar.gz
      Size/MD5 checksum: 506940 62785d59e03df309fed8abe97e479af0

Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2_all.deb
      Size/MD5 checksum: 423220 cc8e8f0ed22d2efdbb0e9d0e4cd61d8e

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200510-05

http://security.gentoo.org/


Severity: Normal
Title: Ruby: Security bypass vulnerability
Date: October 06, 2005
Bugs: #106996
ID: 200510-05


Synopsis

Ruby is vulnerable to a security bypass of the safe level mechanism.

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby supports the safe execution of untrusted code using a safe level and taint flag mechanism.

Affected packages


     Package        /  Vulnerable  /                        Unaffected

  1  dev-lang/ruby       < 1.8.3                              >= 1.8.3

Description

Dr. Yutaka Oiwa discovered that Ruby fails to properly enforce safe level protections.

Impact

An attacker could exploit this vulnerability to execute arbitrary code beyond the restrictions specified in each safe level.

Workaround

There is no known workaround at this time.

Resolution

All Ruby users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.3"

References

[ 1 ] CAN-2005-2337

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2337

[ 2 ] Ruby release announcement

http://www.ruby-lang.org/en/20051003.html

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200510-05.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200510-06

http://security.gentoo.org/


Severity: Normal
Title: Dia: Arbitrary code execution through SVG import
Date: October 06, 2005
Bugs: #107916
ID: 200510-06


Synopsis

Improperly sanitised data in Dia allows remote attackers to execute arbitrary code.

Background

Dia is a gtk+ based diagram creation program released under the GPL license.

Affected packages


     Package         /  Vulnerable  /                       Unaffected

  1  app-office/dia      < 0.94-r3                          >= 0.94-r3

Description

Joxean Koret discovered that the SVG import plugin in Dia fails to properly sanitise data read from an SVG file.

Impact

An attacker could create a specially crafted SVG file, which, when imported into Dia, could lead to the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All Dia users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-office/dia-0.94-r3"

References

[ 1 ] CAN-2005-2966

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2966

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200510-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Ubuntu Linux


Ubuntu Security Notice USN-194-1 October 06, 2005
texinfo vulnerability
CAN-2005-3011

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

texinfo

The problem can be corrected by upgrading the affected package to version 4.6-1ubuntu1.1 (for Ubuntu 4.10), or 4.7-2.2ubuntu1.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Frank Lichtenheld discovered that the "texindex" program created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running texindex.

Updated packages for Ubuntu 4.10 (Warty Warthog):

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6-1ubuntu1.1.diff.gz
      Size/MD5: 125053 f97e652490198d27c6e29af9951cdc71
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6-1ubuntu1.1.dsc
      Size/MD5: 625 f669384d1ae30bae7c70063d9a65d31e
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6.orig.tar.gz
      Size/MD5: 1892091 5730c8c0c7484494cca7a7e2d7459c64

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.6-1ubuntu1.1_amd64.deb
      Size/MD5: 280644 31eb0286bda40317d0e33553bf1dde59
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6-1ubuntu1.1_amd64.deb
      Size/MD5: 875828 b1c85f8b941d67dac908f8d8c4edf483

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.6-1ubuntu1.1_i386.deb
      Size/MD5: 265932 7296ff8a26d8b7c720ffe7b28347e82f
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6-1ubuntu1.1_i386.deb
      Size/MD5: 858092 7e52b8db866cbbe2352217a03bc39b14

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.6-1ubuntu1.1_powerpc.deb
      Size/MD5: 279674 3ac6bc00d8742c696f7793aadc264ba1
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.6-1ubuntu1.1_powerpc.deb
      Size/MD5: 868758 f49ff63604c06a5077ce06f2ca64382b

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7-2.2ubuntu1.1.diff.gz
      Size/MD5: 10615 b2a3812bcfe8f069e888170c2eaf73f8
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7-2.2ubuntu1.1.dsc
      Size/MD5: 628 cee74cea6cd661b85c0f1038fa5fd0e3
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7.orig.tar.gz
      Size/MD5: 1979183 72a57e378efb9898c9e41ca839554dae

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.7-2.2ubuntu1.1_amd64.deb
      Size/MD5: 191328 273d9d321578a301f46a7bd0712c54e6
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7-2.2ubuntu1.1_amd64.deb
      Size/MD5: 488278 8da6138a72e9261433dc8d8d90e1b725

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.7-2.2ubuntu1.1_i386.deb
      Size/MD5: 177586 8c60d776b23d9ba81ee600805c38dbb5
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7-2.2ubuntu1.1_i386.deb
      Size/MD5: 470502 82ebb862c685c13ced8a55c5ad0a6515

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/info_4.7-2.2ubuntu1.1_powerpc.deb
      Size/MD5: 190400 983de1de47c40a3f90e549ab875ba99b
    http://security.ubuntu.com/ubuntu/pool/main/t/texinfo/texinfo_4.7-2.2ubuntu1.1_powerpc.deb
      Size/MD5: 483932 38e2d37a8d0ae17bd492e556e4d42dd0