Linux Today: Linux News On Internet Time.







Advisories: November 30, 2005

Dec 01, 2005, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 912-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 30th, 2005 http://www.debian.org/security/faq


Package : centericq
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-3694
Debian Bug : 334089

Wernfried Haas discovered that centericq, a text-mode multi-protocol instant messenger client, can crash when it receives certain zero length packets and is directly connected to the Internet.

For the old stable distribution (woody) this problem has been fixed in version 4.5.1-1.1woody1.

For the stable distribution (sarge) this problem has been fixed in version 4.20.0-1sarge3.

For the unstable distribution (sid) this problem has been fixed in version 4.21.0-4.

We recommend that you upgrade your centericq package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2005:217
http://www.mandriva.com/security/


Package : netpbm
Date : November 30, 2005
Affected: 10.1, Corporate 2.1, Corporate 3.0


Problem Description:

Greg Roelofs discovered and fixed several buffer overflows in pnmtopng which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file.

Multiple buffer overflows in pnmtopng in netpbm 10.0 and earlier allow attackers to execute arbitrary code via a crafted PNM file. (CVE-2005-3632)

An off-by-one buffer overflow in pnmtopng, when using the -alpha command line option, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PNM file with exactly 256 colors. (CVE-2005-3662)

The updated packages have been patched to correct this problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3662


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2005:218
http://www.mandriva.com/security/


Package : kernel
Date : November 30, 2005
Affected: Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update:

An integer overflow in vc_resize (CAN-2004-1333).

A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a DoS (crash) via large offsets in sysfs files (CAN-2004-2302).

An integer signedness error in scsi_ioctl.c (CVE-2005-0180).

Netfilter allows a local user to cause a DoS (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice (CVE-2005-0210).

The netfilter/iptables module in versions prior to 2.6.8.1 allows remote attackers to cause a DoS (crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function (CVE-2005-0449).

The zisofs driver in versions prior to 2.6.12.5 allows local users and remote attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457).

The kernel does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via ipv4/ip_sockglue.c and ipv6/ipv6_sockglue.c (CVE-2005-2555).

A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error (CVE-2005-2800).

Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).

Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).

The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).

Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).

The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).

Exec does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of local users to cause a DoS by using more posix-timers than specified by the quota for a single user (CVE-2005-3271).

The rose_rt_ioctl function in rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273).

A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).

The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275).

The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276).
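The last item above (CVE-2005-3276) belongs to a general class of leak: a structure is only partly filled in and then copied out whole, so padding and unused array bytes carry whatever the memory held before. The following is an added user-space illustration, not kernel code and not part of the advisory; `struct reply`, `copy_out`, `fill_unsafe` and `fill_safe` are hypothetical names, and the 0xAA fill stands in for stale kernel data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* marker for leftover data from an earlier use of the memory */

/* Hypothetical reply structure (not the kernel's): the 1-byte field is
 * followed by padding on common ABIs, and name[] is rarely filled completely. */
struct reply {
    uint8_t  flags;
    uint32_t base;
    char     name[8];
};

/* Stand-in for copy_to_user(): copies the whole object, padding included. */
static void copy_out(void *user, const void *kernel, size_t n)
{
    memcpy(user, kernel, n);
}

/* Assign only the named fields; bytes not named here are left as they were. */
static void set_fields(struct reply *r, uint32_t base, const char *name)
{
    size_t n = strlen(name);

    if (n >= sizeof r->name)
        n = sizeof r->name - 1;
    r->flags = 1;
    r->base = base;
    memcpy(r->name, name, n);
    r->name[n] = '\0';
}

/* Flawed pattern: fill some fields, then copy sizeof(struct) bytes out. */
void fill_unsafe(struct reply *slot, void *user, uint32_t base, const char *name)
{
    set_fields(slot, base, name);
    copy_out(user, slot, sizeof *slot);
}

/* Corrected pattern: clear the whole object before filling and copying it. */
void fill_safe(struct reply *slot, void *user, uint32_t base, const char *name)
{
    memset(slot, 0, sizeof *slot);
    set_fields(slot, base, name);
    copy_out(user, slot, sizeof *slot);
}

/* Count bytes in the "user" buffer that still carry the stale marker. */
static size_t stale_bytes(const void *buf, size_t n)
{
    const unsigned char *p = buf;
    size_t count = 0;

    for (size_t i = 0; i < n; i++)
        if (p[i] == STALE)
            count++;
    return count;
}

/* Run one fill routine against a slot pre-filled with stale data. */
static size_t run(void (*fill)(struct reply *, void *, uint32_t, const char *))
{
    struct reply slot;
    unsigned char user[sizeof slot];

    memset(&slot, STALE, sizeof slot);   /* simulate reused memory */
    memset(user, 0, sizeof user);
    fill(&slot, user, 0x12345678u, "tls");  /* constructed sample values */
    return stale_bytes(user, sizeof user);
}

size_t leak_unsafe(void) { return run(fill_unsafe); }
size_t leak_safe(void)   { return run(fill_safe); }

int main(void)
{
    printf("stale bytes reaching the caller, unsafe: %zu\n", leak_unsafe());
    printf("stale bytes reaching the caller, safe:   %zu\n", leak_safe());
    return 0;
}
```

The unused tail of `name[]` leaks regardless of compiler or ABI; padding bytes usually leak as well, which is why clearing the whole object is preferred over initializing fields one by one.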

The following non-security fixes are also applied:

Support for the arp_ignore and arp_announce sysctls was added to the Corporate 3 kernels (bugzilla #16346).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276
http://qa.mandriva.com/show_bug.cgi?id=16346


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2005:219
http://www.mandriva.com/security/


Package : kernel
Date : November 30, 2005
Affected: 10.1


Problem Description:

Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update:

An integer overflow in vc_resize (CAN-2004-1333).

A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a DoS (crash) via large offsets in sysfs files (CAN-2004-2302).

An integer signedness error in scsi_ioctl.c (CVE-2005-0180).

Netfilter allows a local user to cause a DoS (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice (CVE-2005-0210).

A DoS in pkt_ioctl in pktcdvd.c (CVE-2005-1589).

An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456).

The zisofs driver in versions prior to 2.6.12.5 allows local users and remote attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457).

inflate.c in the zlib routines in versions prior to 2.6.12.5 allows remote attackers to cause a DoS (crash) via a compressed file with "improper tables" (CVE-2005-2458).

The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a null pointer dereference (CVE-2005-2459).

A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490).

vlan_dev.c in version 2.6.8 allows remote attackers to cause a DoS (oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument (CVE-2005-2548).

The kernel does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via ipv4/ip_sockglue.c and ipv6/ipv6_sockglue.c (CVE-2005-2555).

A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error (CVE-2005-2800).

xattr.c in the ext2 and ext3 file system code does not properly compare the name_index fields when sharing xattr blocks which could prevent ACLs from being applied (CVE-2005-2801).

The ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872).

The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873).

Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).

The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053).

Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).

The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).

Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).

The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).

Exec does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of local users to cause a DoS by using more posix-timers than specified by the quota for a single user (CVE-2005-3271).

The rose_rt_ioctl function in rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273).

A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).

The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275).

The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276).

The following non-security fixes are also applied:

Driver updates were made to the aic97xx and sata_sil modules.

Support was added for ATI ipx400 chipsets, for IDE and sound.

A build problem with icecream on the x86_64 platform was fixed.

The pin1 APIC timer on RS480-based motherboards was disabled.

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276


Updated Packages:

Mandriva Linux 10.1:
cc60a0c2a5c0425db63a625526475898 10.1/RPMS/kernel-2.6.8.1.26mdk-1-1mdk.i586.rpm
9c85d79e18e3dec0bd80605ab4ed7bc6 10.1/RPMS/kernel-enterprise-2.6.8.1.26mdk-1-1mdk.i586.rpm
619c620342e4786903ad174827a78982 10.1/RPMS/kernel-i586-up-1GB-2.6.8.1.26mdk-1-1mdk.i586.rpm
bdfc653a5ca1e456d3c15c2f8f35d98d 10.1/RPMS/kernel-i686-up-64GB-2.6.8.1.26mdk-1-1mdk.i586.rpm
a9241f9cd330bc79360f0dda4fa1eec5 10.1/RPMS/kernel-secure-2.6.8.1.26mdk-1-1mdk.i586.rpm
29bbd09a962d59cd92e60ab644439b6f 10.1/RPMS/kernel-smp-2.6.8.1.26mdk-1-1mdk.i586.rpm
cae06806ff7412caa156fcea3d86c78f 10.1/RPMS/kernel-source-2.6-2.6.8.1-26mdk.i586.rpm
34122459890fa39f27a81cec4c3e56e6 10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-26mdk.i586.rpm
104478404575b1903f8ca961a0e68a21 10.1/SRPMS/kernel-2.6.8.1.26mdk-1-1mdk.src.rpm

Mandriva Linux 10.1/X86_64:
d8d56fcbe9daa46d35e80aa61ba6a6ce x86_64/10.1/RPMS/kernel-2.6.8.1.26mdk-1-1mdk.x86_64.rpm
f784c422b1f5874e6456d8fc3eeb2449 x86_64/10.1/RPMS/kernel-secure-2.6.8.1.26mdk-1-1mdk.x86_64.rpm
1566275e89bb4087535f9de77157a5b6 x86_64/10.1/RPMS/kernel-smp-2.6.8.1.26mdk-1-1mdk.x86_64.rpm
d30568e225088db18fe1bc72fc108ea9 x86_64/10.1/RPMS/kernel-source-2.6-2.6.8.1-26mdk.x86_64.rpm
e1b2c9cf2feb58611eb7d48d8216bb45 x86_64/10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-26mdk.x86_64.rpm
104478404575b1903f8ca961a0e68a21 x86_64/10.1/SRPMS/kernel-2.6.8.1.26mdk-1-1mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2005:220
http://www.mandriva.com/security/


Package : kernel
Date : November 30, 2005
Affected: 10.2


Problem Description:

Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update:

The kernel on x86_64 platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug which allows a local user to cause a DoS (CVE-2005-1764).

The KEYCTL_JOIN_SESSION_KEYRING operation in versions prior to 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a DoS (semaphore hang) via a new session keyring with an empty name string, a long name string, the key quota reached, or ENOMEM (CVE-2005-2098).

Kernels prior to 2.6.12.5 do not properly destroy a keyring that is not instantiated properly, allowing a local user or remote attacker to cause a DoS (oops) via a keyring with a payload that is not empty (CVE-2005-2099).

An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456).

The zisofs driver in versions prior to 2.6.12.5 allows local users and remote attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457).

inflate.c in the zlib routines in versions prior to 2.6.12.5 allows remote attackers to cause a DoS (crash) via a compressed file with "improper tables" (CVE-2005-2458).

The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a null pointer dereference (CVE-2005-2459).

A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490).

The raw_sendmsg function in versions prior to 2.6.13.1 allows local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492).

A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error (CVE-2005-2800).

The ipt_recent module in versions prior to 2.6.12, when running on 64-bit processors, allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872).

The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873).

Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32-bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).

The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053).

Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).

drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179).

The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).

Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).

The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).

Exec does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix-timers than specified by the quota for a single user (CVE-2005-3271).

The rose_rt_ioctl function in rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273).

A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).

The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275).

The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at: