---

Advisories, April 23, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1037-1 [email protected]
http://www.debian.org/security/
Martin Schulze
April 21st, 2006 http://www.debian.org/security/faq


Package : zgv
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-1060

Andrea Barisani discovered that zgv, an svgalib graphics viewer,
attempts to decode JPEG images within the CMYK/YCCK colour space
incorrectly, which could lead to the execution of arbitrary
code.

For the old stable distribution (woody) this problem has been
fixed in version 5.5-3woody3.

For the stable distribution (sarge) this problem has been fixed
in version 5.7-1.4.

For the unstable distribution (sid) this problem will be fixed
soon.

We recommend that you upgrade your zgv package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody3.dsc

      Size/MD5 checksum: 603
17ee0337d957181e091a5ab098cab68f
    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody3.diff.gz

      Size/MD5 checksum: 9037
fdf06ee05dda8d8804e41c77e9061e75
    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5.orig.tar.gz

      Size/MD5 checksum: 329235
629386a4df72f6ec007319bf12db1374

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody3_i386.deb

      Size/MD5 checksum: 211964
bfb2b46ca2d2009f2577c7ee88fe3693

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.7-1.4.dsc

      Size/MD5 checksum: 604
2ca8cd8b405de9c7e63f047878292b77
    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.7-1.4.diff.gz

      Size/MD5 checksum: 10353
f904838cdc843ca9928f416a5195bc4a
    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.7.orig.tar.gz

      Size/MD5 checksum: 384977
50f0127c250b6efe9c5f8850b96f3841

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/z/zgv/zgv_5.7-1.4_i386.deb

      Size/MD5 checksum: 227920
9666a9563aee30e0a5123c6e8c9fa682

These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 1038-1 [email protected]
http://www.debian.org/security/
Martin Schulze
April 22nd, 2006 http://www.debian.org/security/faq


Package : xzgv
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-1060

Andrea Barisani discovered that xzgv, a picture viewer for X
with a thumbnail-based selector, attempts to decode JPEG images
within the CMYK/YCCK colour space incorrectly, which could lead to
the execution of arbitrary code.

For the old stable distribution (woody) this problem has been
fixed in version 0.7-6woody3.

For the stable distribution (sarge) this problem has been fixed
in version 0.8-3sarge1.

For the unstable distribution (sid) this problem will be fixed
soon.

We recommend that you upgrade your xzgv package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3.dsc

      Size/MD5 checksum: 581
1a95ff78280e98e448b19807e6dacd14
    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3.diff.gz

      Size/MD5 checksum: 7188
3af533cd6791a61c35cac448cdf7bd86
    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7.orig.tar.gz

      Size/MD5 checksum: 296814
9a376cc01cf486a2a8901fbc8b040d29

Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_alpha.deb

      Size/MD5 checksum: 199802
8d2c31ecea7c0821a463930a795e4363

ARM architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_arm.deb

      Size/MD5 checksum: 187280
3e9a89fcb5bca1c3b0cd5afa88b0a628

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_i386.deb

      Size/MD5 checksum: 185464
60cc2843ea8611650074c3b6247c9a68

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_ia64.deb

      Size/MD5 checksum: 220106
81b23a2fef7ea3c0d1e45d531494acce

HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_hppa.deb

      Size/MD5 checksum: 195672
de3c3a653cee6c8a810554179e07dc22

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_m68k.deb

      Size/MD5 checksum: 181774
8a51dbe9d11e85c1a50831c2035c1a0d

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_mips.deb

      Size/MD5 checksum: 188680
10ff84344193db70d24e438f48554fc6

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_mipsel.deb

      Size/MD5 checksum: 187718
5ba8e5fa9b7e2b54cb1f11f867431ee5

PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_powerpc.deb

      Size/MD5 checksum: 189770
909d2af6f68d5d7c49ecbacd2b187293

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_s390.deb

      Size/MD5 checksum: 189282
22d9c8dad8cf2a577fca2a208e9ed745

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.7-6woody3_sparc.deb

      Size/MD5 checksum: 189208
5daa878f409a61f2ea519ac8d1ca5730

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1.dsc

      Size/MD5 checksum: 642
ae7ee0519ba25087b0dbd809a5a1db43
    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1.diff.gz

      Size/MD5 checksum: 8762
2f40bca80610715c3a48c7cd68733cc4
    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8.orig.tar.gz

      Size/MD5 checksum: 302801
e392277f1447076402df2e3d9e782cb2

Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_alpha.deb

      Size/MD5 checksum: 210012
6938839b55f3a36a3732a9743ae1a7df

AMD64 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_amd64.deb

      Size/MD5 checksum: 201782
6b4d5abca89ec0dd92e2f34dd21a51e8

ARM architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_arm.deb

      Size/MD5 checksum: 194364
a80549d3f3f2e05ad37b45ff087d19c6

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_i386.deb

      Size/MD5 checksum: 195816
69b8d384068d9fc7061997c63bd3075e

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_ia64.deb

      Size/MD5 checksum: 223934
eb187eba5a5aa8bada015cab8d50bde1

HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_hppa.deb

      Size/MD5 checksum: 202856
931a992b298cc192afcd164f2c379148

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_m68k.deb

      Size/MD5 checksum: 189288
61005b854fabb24ee582d66644e39e73

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_mips.deb

      Size/MD5 checksum: 196818
a3ccaeb5207c03483ab2073134afff84

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_mipsel.deb

      Size/MD5 checksum: 195800
7d63b90f48fda8dc6004ebd65f2b280c

PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_powerpc.deb

      Size/MD5 checksum: 198764
ad327072b62b9901450585abd7d687a0

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_s390.deb

      Size/MD5 checksum: 200516
4a1a716179571f70adb1fa1685b374a6

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xzgv/xzgv_0.8-3sarge1_sparc.deb

      Size/MD5 checksum: 195544
cc23e85b70d38954c3d0e92cc209e2dc

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]

Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2006-423
2006-04-20


Product : Fedora Core 4
Name : kernel
Version : 2.6.16
Release : 1.2096_FC4
Summary : The Linux kernel (the core of the Linux operating
system)

Description :
The kernel package contains the Linux kernel (vmlinuz), the core of
any Linux operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation,
device input and output, etc.


Update Information:

This update includes a number of security issues that have been
fixed upstream over the last week or so.

  • i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)
  • ip_route_input panic fix (CVE-2006-1525)
  • fix MADV_REMOVE vulnerability (CVE-2006-1524)
  • shmat: stop mprotect from giving write permission to a readonly
    attachment (CVE-2006-1524)
  • Fix MPBL0010 driver insecure sysfs permissions
  • x86_64: When user could have changed RIP always force IRET
    (CVE-2006-0744)
  • Fix RCU signal handling
  • Keys: Fix oops when adding key to non-keyring (CVE-2006-1522)
  • sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

It also includes various other fixes from the -stable tree. Full
changelogs are available from:

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.9

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.7

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.4

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.3

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.2



This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can be installed with the ‘yum’ update program. Use
‘yum update package-name’ at the command line. For more
information, refer to ‘Managing Software with yum,’ available at
http://fedora.redhat.com/docs/yum/.


Fedora Update Notification
FEDORA-2006-440
2006-04-21


Product : Fedora Core 5
Name : beagle
Version : 0.2.5
Release : 1.fc5.1
Summary : The Beagle Search Infrastructure

Description :
A general infrastructure for making your data easy to find.


Update Information:

This upgrade to 0.2.5 fixes various bugs, including making the
Firefox extension work again. It also contains fixes for a minor
security issue where you could inject command-line arguments into
the indexer helpers.


  • Fri Apr 21 2006 Alexander Larsson <[email protected]> –
    0.2.5-1.fc5.1

    • update to 0.2.5
    • Contains fix for command line injection security problem
      (#189282)

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/


This update can be installed with the ‘yum’ update program. Use
‘yum update package-name’ at the command line. For more
information, refer to ‘Managing Software with yum,’ available at
http://fedora.redhat.com/docs/yum/.

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200604-09


http://security.gentoo.org/


Severity: Normal
Title: Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of
Service
Date: April 21, 2006
Bugs: #129523
ID: 200604-09


Synopsis

Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process
that could lead to a Denial of Service.

Background

Cyrus-SASL is an implementation of the Simple Authentication and
Security Layer.

Affected packages


     Package              /   Vulnerable   /                Unaffected

  1  dev-libs/cyrus-sasl      < 2.1.21-r2                 >= 2.1.21-r2

Description

Cyrus-SASL contains an unspecified vulnerability in the
DIGEST-MD5 process that could lead to a Denial of Service.

Impact

An attacker could possibly exploit this vulnerability by sending a
specially crafted data stream to the Cyrus-SASL server, resulting
in a Denial of Service even if the attacker is not able to
authenticate.

Workaround

There is no known workaround at this time.

Resolution

All Cyrus-SASL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/cyrus-sasl-2.1.21-r2"

References

[ 1 ] CVE-2006-1721

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200604-09.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200604-10


http://security.gentoo.org/


Severity: Normal
Title: zgv, xzgv: Heap overflow
Date: April 21, 2006
Bugs: #127008
ID: 200604-10


Synopsis

xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK
colour space incorrectly, potentially resulting in the execution of
arbitrary code.

Background

xzgv and zgv are picture viewing utilities with a thumbnail
based file selector.

Affected packages


     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  media-gfx/xzgv      < 0.8-r2                            >= 0.8-r2
  2  media-gfx/zgv        < 5.8                                 >= 5.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate
insufficient memory when rendering images with more than 3 output
components, such as images using the YCCK or CMYK colour space.
When xzgv or zgv attempt to render the image, data from the image
overruns a heap allocated buffer.
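
The sizing error described above, shown as an added illustration in C (this is not code from zgv, xzgv or the advisory). The struct, the function names and the decoder stub are hypothetical; the point is the difference between a buffer sized for 3 bytes per pixel and one sized from the decoder's reported component count, with overflow checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for what a JPEG decoder reports once the header is
 * parsed: dimensions and bytes per decoded pixel (3 = RGB, 4 = CMYK/YCCK). */
struct decoded_info {
    uint32_t width;
    uint32_t height;
    uint32_t output_components;
};

/* Flawed pattern: the viewer assumes colour images are always 3 bytes/pixel. */
static size_t naive_image_size(const struct decoded_info *d)
{
    return (size_t)d->width * d->height * 3;
}

/* Hardened sizing: use the decoder's component count, bound it, and reject
 * arithmetic overflow. Returns 0 when the image must be refused. */
static size_t checked_image_size(const struct decoded_info *d)
{
    size_t row_bytes;

    if (d->width == 0 || d->height == 0)
        return 0;
    if (d->output_components == 0 || d->output_components > 4)
        return 0;
    if (d->width > SIZE_MAX / d->output_components)
        return 0;
    row_bytes = (size_t)d->width * d->output_components;
    if (d->height > SIZE_MAX / row_bytes)
        return 0;
    return row_bytes * d->height;
}

/* How many bytes the decoder would write past a naively sized buffer. */
static size_t overrun_bytes(const struct decoded_info *d)
{
    size_t need = checked_image_size(d);
    size_t have = naive_image_size(d);

    return need > have ? need - have : 0;
}

/* Constructed decoder stub: emits one scanline of width * components bytes. */
static void fake_read_scanline(const struct decoded_info *d, uint32_t row,
                               unsigned char *out)
{
    memset(out, 0xA0 + (int)row, (size_t)d->width * d->output_components);
}

/* Viewer-side load using the checked size; returns NULL if refused. */
static unsigned char *load_image(const struct decoded_info *d, size_t *out_size)
{
    size_t size = checked_image_size(d);
    size_t row_bytes;
    unsigned char *buf;
    uint32_t y;

    if (size == 0)
        return NULL;
    row_bytes = size / d->height;
    buf = malloc(size);
    if (buf == NULL)
        return NULL;
    for (y = 0; y < d->height; y++)
        fake_read_scanline(d, y, buf + (size_t)y * row_bytes);
    *out_size = size;
    return buf;
}

int main(void)
{
    struct decoded_info cmyk = { 4, 2, 4 };   /* constructed 4x2 CMYK image */
    size_t size = 0;
    unsigned char *img = load_image(&cmyk, &size);
    int ok = (img != NULL);

    printf("naive=%zu needed=%zu overrun=%zu\n", naive_image_size(&cmyk),
           checked_image_size(&cmyk), overrun_bytes(&cmyk));
    free(img);
    return ok ? 0 : 1;
}
```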

Impact

An attacker may be able to construct a malicious image that
executes arbitrary code with the permissions of the xzgv or zgv
user when attempting to render the image.

Workaround

There is no known workaround at this time.

Resolution

All xzgv users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/xzgv-0.8-r2"

All zgv users should also upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/zgv-5.8"

References

[ 1 ] CVE-2006-1060

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200604-10.xml



Gentoo Linux Security Advisory GLSA 200604-11


http://security.gentoo.org/


Severity: High
Title: Crossfire server: Denial of Service and potential arbitrary
code execution
Date: April 22, 2006
Bugs: #126169
ID: 200604-11


Synopsis

The Crossfire game server is vulnerable to a Denial of Service
and potentially to the execution of arbitrary code.

Background

Crossfire is a cooperative multiplayer graphical adventure and
role-playing game. The Crossfire game server allows various
compatible clients to connect to participate in a cooperative
game.

Affected packages


     Package                        /  Vulnerable  /        Unaffected

  1  games-server/crossfire-server       < 1.9.0              >= 1.9.0

Description

Luigi Auriemma discovered a vulnerability in the Crossfire game
server, in the handling of the “oldsocketmode” option when
processing overly large requests.

Impact

An attacker can set up a malicious Crossfire client that would
send a large request in “oldsocketmode”, resulting in a Denial of
Service on the Crossfire server and potentially in the execution of
arbitrary code on the server with the rights of the game
server.

Workaround

There is no known workaround at this time.

Resolution

All Crossfire server users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=games-server/crossfire-server-1.9.0"

References

[ 1 ] CVE-2006-1010

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1010

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200604-11.xml


Red Hat Linux


Red Hat Security Advisory

Synopsis: Critical: thunderbird security update
Advisory ID: RHSA-2006:0330-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0330.html

Issue date: 2006-04-21
Updated on: 2006-04-21
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-0292 CVE-2006-0296 CVE-2006-0749 CVE-2006-1045
CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1730
CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734
CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739
CVE-2006-1741 CVE-2006-1742 CVE-2006-1790


1. Summary:

An updated thunderbird package that fixes various bugs is now
available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by
the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 – i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 – i386, x86_64
Red Hat Enterprise Linux ES version 4 – i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 – i386, ia64, x86_64

3. Problem description:

Mozilla Thunderbird is a standalone mail and newsgroup
client.

Several bugs were found in the way Thunderbird processes
malformed JavaScript. A malicious HTML mail message could modify
the content of a different open HTML mail message, possibly
stealing sensitive information or conducting a cross-site scripting
attack. Please note that JavaScript support is disabled by default
in Thunderbird. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Thunderbird processes certain
JavaScript actions. A malicious HTML mail message could execute
arbitrary JavaScript instructions with the permissions of ‘chrome’,
allowing the page to steal sensitive information or install browser
malware. Please note that JavaScript support is disabled by default
in Thunderbird. (CVE-2006-0292, CVE-2006-0296, CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Thunderbird processes
malformed HTML mail messages. A carefully crafted malicious HTML
mail message could cause the execution of arbitrary code as the
user running Thunderbird. (CVE-2006-0749, CVE-2006-1724,
CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739,
CVE-2006-1790)

A bug was found in the way Thunderbird processes certain inline
content in HTML mail messages. It may be possible for a remote
attacker to send a carefully crafted mail message to the victim,
which will fetch remote content, even if Thunderbird is configured
not to fetch remote content. (CVE-2006-1045)

Users of Thunderbird are advised to upgrade to this updated
package containing Thunderbird version 1.0.8, which is not
vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

188848 – CVE-2006-1741 Cross-site JavaScript injection using
event handlers
188850 – CVE-2006-1742 JavaScript garbage-collection hazard
audit
188852 – CVE-2006-1737 Crashes with evidence of memory corruption
(CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)
188855 – CVE-2006-1735 Privilege escalation via XBL.method.eval
188857 – CVE-2006-1734 Privilege escalation using a JavaScript
function’s cloned parent
188859 – CVE-2006-1733 Accessing XBL compilation scope via
valueOf.call()
188861 – CVE-2006-1732 cross-site scripting through
window.controllers
188863 – CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability
188865 – CVE-2006-1731 Cross-site scripting using
.valueOf.call()
188867 – CVE-2006-1724 Crashes with evidence of memory corruption
(1.5.0.2)
188871 – CVE-2006-1730 CSS Letter-Spacing Heap Overflow
Vulnerability
188873 – CVE-2006-1728 Privilege escalation using
crypto.generateCRMFRequest
188875 – CVE-2006-1727 Privilege escalation through Print
Preview
188877 – CVE-2006-1045 Mail Multiple Information Disclosure
189180 – CVE-2006-0292 javascript unrooted access
189181 – CVE-2006-0296 XULDocument.persist() RDF data injection

6. RPMs required:


These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1045

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790

http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <[email protected]>. More
contact details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

Ubuntu Linux


Ubuntu Security Notice USN-271-1 April 19, 2006
mozilla-firefox, firefox vulnerabilities
CVE-2005-4134, CVE-2006-0292, CVE-2006-0296, CVE-2006-0749,
CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730,
CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734,
CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742,
CVE-2006-1790


A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

firefox
mozilla-firefox

The problem can be corrected by upgrading the affected package
to version 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04
(for Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10). After a
standard system upgrade you need to restart Firefox to effect the
necessary changes.

Details follow:

Web pages with extremely long titles caused subsequent launches
of the Firefox browser to hang for up to a few minutes, or caused
Firefox to crash on computers with insufficient memory.
(CVE-2005-4134)

Igor Bukanov discovered that the JavaScript engine did not
properly declare some temporary variables. Under some rare
circumstances, a malicious website could exploit this to execute
arbitrary code with the privileges of the user. (CVE-2006-0292,
CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate
the names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file ‘localstore.rdf’, which is read
and evaluated at startup. This could include JavaScript commands
that would be run with the user’s privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser a specific sequence of HTML
tags caused memory corruption. A malicious web site could exploit
this to crash the browser or even execute arbitrary code with the
user’s privileges. (CVE-2006-0749)

Georgi Guninski discovered that embedded XBL scripts of web
sites could escalate their (normally reduced) privileges to get
full privileges of the user if that page is viewed with “Print
Preview”. (CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could
be exploited to run arbitrary code with the user’s privileges.
(CVE-2006-1728)

Claus Jørgensen and Jesse Ruderman discovered that
a text input box could be pre-filled with a filename and then
turned into a file-upload control with the contents intact. A
malicious web site could exploit this to read any local file the
user has read privileges for. (CVE-2006-1729)

An integer overflow was detected in the handling of the CSS
property “letter-spacing”. A malicious web site could exploit this
to run arbitrary code with the user’s privileges.
(CVE-2006-1730)

The methods valueOf.call() and valueOf.apply() returned an
object whose privileges were not properly confined to those of the
caller, which made them vulnerable to cross-site scripting attacks.
A malicious web site could exploit this to modify the contents or
steal confidential data (such as passwords) from other opened web
pages. (CVE-2006-1731) The window.controllers array variable
(CVE-2006-1732) and event handlers (CVE-2006-1741) were vulnerable
to a similar attack.

The privileged built-in XBL bindings were not fully protected
from web content and could be accessed by calling valueOf.call()
and valueOf.apply() on a method of that binding. A malicious web
site could exploit this to run arbitrary JavaScript code with the
user’s privileges. (CVE-2006-1733)

It was possible to use the Object.watch() method to access an
internal function object (the “clone parent”). A malicious web site
could exploit this to execute arbitrary JavaScript code with the
user’s privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was
possible to create JavaScript functions that would get compiled
with the wrong privileges. A malicious web site could exploit this
to execute arbitrary JavaScript code with the user’s privileges.
(CVE-2006-1735)

Michael Krax discovered that by layering a transparent image
link to an executable on top of a visible (and presumably
desirable) image, a malicious site could trick the user into
right-clicking and choosing “Save image as…” from the context menu,
which would download the executable instead of the image.
(CVE-2006-1736)

Several crashes have been fixed which could be triggered by web
sites and involve memory corruption. These could potentially be
exploited to execute arbitrary code with the user’s privileges.
(CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

If the user has turned on the “Entering secure site” modal
warning dialog, it was possible to spoof the browser’s secure-site
indicators (the lock icon and the gold URL field background) by
first loading the target secure site in a pop-up window, then
changing its location to a different site, which retained the
displayed secure-browsing indicators from the original site.
(CVE-2006-1740)

Updated packages for Ubuntu 4.10:


Updated packages for Ubuntu 5.04:
