Linux Today: Linux News On Internet Time.


Advisories, December 22, 2005

Dec 23, 2005, 04:45

Debian GNU/Linux

Debian Security Advisory DSA 925-1 Martin Schulze
December 22nd, 2005

Package : phpbb2
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
BugTraq IDs : 15170 15243
Debian Bugs : 35662 336582 336587

Several vulnerabilities have been discovered in phpBB, a fully featured and skinnable flat web forum.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • Multiple interpretation errors allow remote authenticated users to inject arbitrary web script when remote avatars and avatar uploading are enabled.
  • phpBB allows remote attackers to bypass protection mechanisms that deregister global variables, which allows attackers to manipulate the behaviour of phpBB.
  • phpBB allows remote attackers to bypass security checks when register_globals is enabled and the session_start function has not been called to handle a session.
  • phpBB allows remote attackers to modify global variables and bypass security mechanisms.
  • Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web scripts.
  • An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.
  • phpBB allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter.
  • Missing input sanitising of the topic type allows remote attackers to inject arbitrary SQL commands.
  • Missing request validation permitted remote attackers to edit private messages of other users.

The old stable distribution (woody) does not contain phpbb2 packages.

For the stable distribution (sarge) these problems have been fixed in version 2.0.13+1-6sarge2.

For the unstable distribution (sid) these problems have been fixed in version 2.0.18-1.

We recommend that you upgrade your phpbb2 packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and <pkg>

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200512-12

Severity: Normal
Title: Mantis: Multiple vulnerabilities
Date: December 22, 2005
Bugs: #116036
ID: 200512-12


Mantis is affected by multiple vulnerabilities ranging from file upload and SQL injection to cross-site scripting and HTTP response splitting.


Mantis is a web-based bugtracking system written in PHP.

Affected packages

     Package            /  Vulnerable  /   Unaffected
  1  www-apps/mantisbt     < 0.19.4        >= 0.19.4


Tobias Klein discovered that Mantis contains several vulnerabilities, including:

  • a file upload vulnerability.
  • an injection vulnerability in filters.
  • an SQL injection vulnerability in the user-management page.
  • a port cross-site-scripting vulnerability in filters.
  • an HTTP header CRLF injection vulnerability.


An attacker could possibly exploit the file upload vulnerability to execute arbitrary script code, and the SQL injection vulnerability to access or modify sensitive information from the Mantis database. Furthermore, the cross-site scripting and HTTP response splitting may allow an attacker to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.


There is no known workaround at this time.


All Mantis users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.4"


[ 1 ] Mantis ChangeLog


This GLSA and any updates to it are available for viewing at the Gentoo Security Website:


Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to or alternatively, you may file a bug at


Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Mandriva Linux

Mandriva Linux Security Advisory MDKSA-2005:235

Package : kernel
Date : December 21, 2005
Affected: 2006.0

Problem Description:

Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update:

A stack-based buffer overflow in the sendmsg function call in versions prior to allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490).

The raw_sendmsg function in versions prior to allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492).

The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873).
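To illustrate the class of bug described above, the following constructed C example (added here; it is not the ipt_recent or netfilter code) contrasts a timeout test that treats the unsigned jiffies counter as a signed long with the wraparound-safe time_after_eq idiom the kernel uses. The names expired_naive and expired_wraparound_safe are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration of a jiffies comparison that breaks once the
 * counter passes LONG_MAX. Not the netfilter ipt_recent code itself. */

typedef unsigned long jiffies_t;

/* Naive check: compare absolute timestamps as signed longs. Once the
 * deadline crosses LONG_MAX it reads as a large negative number, so "now"
 * looks later than it and the entry is treated as expired too early. */
bool expired_naive(jiffies_t now, jiffies_t deadline)
{
    return (long)now >= (long)deadline;
}

/* Kernel-style check (the time_after_eq idiom from <linux/jiffies.h>):
 * subtract first in modular unsigned arithmetic, then look only at the
 * sign of the difference. Correct as long as the gap is below LONG_MAX. */
bool expired_wraparound_safe(jiffies_t now, jiffies_t deadline)
{
    return (long)(now - deadline) >= 0;
}

int main(void)
{
    jiffies_t last_seen = (jiffies_t)LONG_MAX - 5;  /* hit just before the sign flip */
    jiffies_t window = 50;                          /* rule window in ticks */
    jiffies_t deadline = last_seen + window;        /* crosses LONG_MAX */
    jiffies_t now = (jiffies_t)LONG_MAX - 2;        /* only 3 ticks after the hit */

    printf("naive: %s\n", expired_naive(now, deadline) ? "expired" : "active");
    printf("safe : %s\n", expired_wraparound_safe(now, deadline) ? "expired" : "active");
    return 0;
}
```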

Multiple vulnerabilities in versions prior to allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).

Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).

drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179).

The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).

Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).

The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).

A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:


Updated Packages:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver 0x22458A98

You can view other update advisories for Mandriva Linux at:

If you want to report vulnerabilities, please contact


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*>

Ubuntu Linux

Ubuntu Security Notice USN-231-1 December 22, 2005
linux-source- vulnerabilities
CVE-2005-3257, CVE-2005-3783, CVE-2005-3784, CVE-2005-3805, CVE-2005-3806, CVE-2005-3808, CVE-2005-3848, CVE-2005-3857, CVE-2005-3858

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:


The problem can be corrected by upgrading the affected package to version (for Ubuntu 4.10), 2.6.10-34.9 (for Ubuntu 5.04), or 2.6.12-10.25 (for Ubuntu 5.10). After a standard system upgrade you need to reboot the computer to effect the necessary changes.

Details follow:

Rudolf Polzer reported an abuse of the 'loadkeys' command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the usage of 'loadkeys' to root. (CVE-2005-3257)

The ptrace() system call did not correctly check whether a process tried to attach to itself. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3783)

A Denial of Service vulnerability was found in the handler that automatically cleans up and terminates child processes that are not correctly handled by their parent process ("auto-reaper"). The check did not correctly handle processes which were currently traced by another process. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3784)

A locking problem was discovered in the POSIX timer cleanup handling on process exit. A local attacker could exploit this to cause the machine to hang (Denial of Service). This flaw only affects multiprocessor (SMP) systems. (CVE-2005-3805)

A Denial of Service vulnerability was discovered in the IPv6 flowlabel handling code. By invoking setsockopt(IPV6_FLOWLABEL_MGR) in a special way, a local attacker could cause memory corruption which eventually led to a kernel crash. (CVE-2005-3806)

A memory leak was discovered in the VFS lease handling. These operations are commonly executed by the Samba server, where the leak led to steady memory exhaustion. By repeatedly triggering the affected operations in quick succession, a local attacker could exploit this to drain all memory, which leads to a Denial of Service. (CVE-2005-3807)

An integer overflow was discovered in the invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls on a 32-bit system, a local user could exploit this to crash the machine, thereby causing Denial of Service. This flaw does not affect the amd64 platform, and only affects Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function. By sending a large amount of specially crafted packets, a remote attacker could exploit this to drain all memory, which eventually leads to a Denial of Service. (CVE-2005-3848)

Chris Wright found a Denial of Service vulnerability in the time_out_leases() function. By allocating a large number of VFS file lock leases and having them time out at the same time, a large number of 'printk' debugging statements was generated at the same time, which could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish() function. A remote attacker could exploit this by sending specially crafted IPv6 packets, which would eventually drain all available kernel memory, thus causing a Denial of Service. (CVE-2005-3858)

Updated packages for Ubuntu 4.10:
