Advisories, December 18, 2005

Dec 19, 2005, 04:45 (0 Talkback[s])

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200512-07

http://security.gentoo.org/

Severity: Low
Title: OpenLDAP, Gauche: RUNPATH issues
Date: December 15, 2005
Bugs: #105380, #112577
ID: 200512-07

Synopsis

OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.

Background

OpenLDAP is a suite of LDAP-related application and development tools. Gauche is an R5RS Scheme interpreter.

Affected packages

     Package           /   Vulnerable   /                   Unaffected



  1  net-nds/openldap      < 2.2.28-r3                    >= 2.2.28-r3
                                                         *>= 2.1.30-r6
  2  dev-lang/gauche       < 0.8.6-r1                      >= 0.8.6-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths into the list of directories that are searched for libraries at runtime.

A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent binary, potentially resulting in privilege escalation.

Workaround

Only grant "portage" group rights to trusted users.

Resolution

All OpenLDAP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-nds/openldap

All Gauche users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/gauche-0.8.6-r1"

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-07.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200512-08

http://security.gentoo.org/

Severity: Normal
Title: Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities
Date: December 16, 2005
Bugs: #114428, #115286
ID: 200512-08

Synopsis

Multiple vulnerabilities have been discovered in Xpdf, GPdf, CUPS and Poppler potentially resulting in the execution of arbitrary code.

Background

Xpdf and GPdf are PDF file viewers that run under the X Window System. Poppler is a PDF rendering library based on Xpdf code. The Common UNIX Printing System (CUPS) is a cross-platform print spooler. It makes use of Xpdf code to handle PDF files.

Affected packages

     Package           /   Vulnerable   /                   Unaffected



  1  app-text/xpdf          < 3.01-r2                       >= 3.01-r2
  2  app-text/gpdf         < 2.10.0-r2                    >= 2.10.0-r2
  3  app-text/poppler      < 0.4.2-r1                      >= 0.4.2-r1
  4  net-print/cups        < 1.1.23-r3                    >= 1.1.23-r3
    -------------------------------------------------------------------
     4 affected packages on all of their supported architectures.

Description

infamous41md discovered that several Xpdf functions lack sufficient boundary checking, resulting in multiple exploitable buffer overflows.

Impact

An attacker could entice a user to open a specially-crafted PDF file which would trigger an overflow, potentially resulting in execution of arbitrary code with the rights of the user running Xpdf, CUPS, GPdf or Poppler.

Workaround

There is no known workaround at this time.

Resolution

All Xpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r2"

All GPdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r2"

All Poppler users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/poppler-0.4.2-r1"

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r3"

References

[ 1 ] CVE-2005-3191

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191

[ 2 ] CVE-2005-3192

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192

[ 3 ] CVE-2005-3193

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-08.xml

Concerns?

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200512-09

http://security.gentoo.org/

Severity: Low
Title: cURL: Off-by-one errors in URL handling
Date: December 16, 2005
Bugs: #114710
ID: 200512-09

Synopsis

cURL is vulnerable to local arbitrary code execution via buffer overflow due to the insecure parsing of URLs.

Background

cURL is a command line tool for transferring files with URL syntax, supporting numerous protocols.

Affected packages

     Package        /  Vulnerable  /                        Unaffected

  1  net-misc/curl      < 7.15.1                             >= 7.15.1

Description

Stefan Esser from the Hardened-PHP Project has reported a vulnerability in cURL that allows for a local buffer overflow when cURL attempts to parse specially crafted URLs. The URL can be specially crafted in one of two ways: the URL could be malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer; or the URL could contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.

Impact

An attacker capable of getting cURL to parse a maliciously crafted URL could cause a denial of service or execute arbitrary code with the privileges of the user making the call to cURL. An attacker could also escape open_basedir or safe_mode pseudo-restrictions when exploiting this problem from within a PHP program when PHP is compiled with libcurl.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/curl-7.15.1"

References

[ 1 ] CVE-2005-4077

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077

[ 2 ] Hardened-PHP Advisory

http://www.hardened-php.net/advisory_242005.109.html

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-09.xml

Concerns?

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Ubuntu Linux

Ubuntu Security Notice USN-230-2 December 16, 2005 xine-lib vulnerability
CVE-2005-4048

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libxine1
libxine1c2

The problem can be corrected by upgrading the affected package to version 1-rc5-1ubuntu2.4 (for Ubuntu 4.10), 1.0-1ubuntu3.6 (for Ubuntu 5.04), or 1.0.1-1ubuntu10.2 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw.

For reference, this is the original advisory:

Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 4.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.4.dsc
      Size/MD5: 950 0b0865913672df5c80783279f471bf66
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.4.diff.gz
      Size/MD5: 222131 bf99e51c425cfdbac9b6c76e17504ed6

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_i386.deb
      Size/MD5: 101724 195cb67c660bc24a63991c3e69ec381e
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_i386.deb
      Size/MD5: 3729248 596d1f0437b94625ab38770f1086a03e

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_powerpc.deb
      Size/MD5: 3886766 1635110e5c74867f1657aacf8ff0e09a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_powerpc.deb
      Size/MD5: 101728 e2960b0070421b8ef2be3f9ee40f6528

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_amd64.deb
      Size/MD5: 3543532 82f8b13cd4cf2fc51f6d90a64ad214b4
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_amd64.deb
      Size/MD5: 101722 0bb5d4a49d5f04f680dd1a38c5790191

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.6.diff.gz
      Size/MD5: 4401 f6a606d82d9379f6bb6fdf4c0f9e4cb3
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.6.dsc
      Size/MD5: 1070 1fae1b7df974523161bcc5e90bb47912
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.orig.tar.gz
      Size/MD5: 7384258 96e5195c366064e7778af44c3e71f43a