---

Home Security

Advisories, April 28, 2005

By

Debian GNU/Linux

Debian Security Advisory DSA 718-2 security@debian.org
http://www.debian.org/security/
Martin Schulze
April 28th, 2005 http://www.debian.org/security/faq

Package : ethereal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0739

[ This version lists the correct packages in the packages
section. ]

A buffer overflow has been detected in the IAPP dissector of
Ethereal, a commonly used network traffic analyser. A remote
attacker may be able to overflow a buffer using a specially crafted
packet. More problems have been discovered which don’t apply to the
version in woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed
in version 0.9.4-1woody12.

For the unstable distribution (sid) these problems have been
fixed in version 0.10.10-1.

We recommend that you upgrade your ethereal packages.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12.dsc

Size/MD5 checksum: 681 4a66adc24391cf92ae57e072f8cff668

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12.diff.gz

Size/MD5 checksum: 42743 78a9c2b0df034ed8cfd821bb1007ee13

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz

Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_alpha.deb

Size/MD5 checksum: 1940348 f8132086d17c44a77ce56e3514234aff

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_alpha.deb

Size/MD5 checksum: 334394 2db8ab849d239dcd08a9f1a693e26be2

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_alpha.deb

Size/MD5 checksum: 222588 2b51550545b4b9bc8e8a19af37f4eadf

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_alpha.deb

Size/MD5 checksum: 1707602 f05a8025502c0ae0941ee6a4eaff5215

ARM architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_arm.deb

Size/MD5 checksum: 1635332 b39c6c07669ee7750cfcf5b41a31bba0

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_arm.deb

Size/MD5 checksum: 297832 92c98f82cd31ad7e069140257f8e5b80

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_arm.deb

Size/MD5 checksum: 206462 e12807990b0995006ea24ffd27938f2a

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_arm.deb

Size/MD5 checksum: 1439522 4b53ec534ecf2148bf32dc52027117e7

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_i386.deb

Size/MD5 checksum: 1512990 ce1e6172813918e06a7db629d30c6914

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_i386.deb

Size/MD5 checksum: 286808 400d994f31eca783431c35f784caa7fa

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_i386.deb

Size/MD5 checksum: 198386 5bb0277bad80dabdb9e684f64833e5a8

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_i386.deb

Size/MD5 checksum: 1326498 4ff0a73562de1ed879113da2b15bd972

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_ia64.deb

Size/MD5 checksum: 2150020 b11ad9be36cfb9c35f312fc34ec52929

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_ia64.deb

Size/MD5 checksum: 373420 191531c4220ba200f1bb646f808d0348

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_ia64.deb

Size/MD5 checksum: 234076 06a7e2b1ea8e940d3edb93fdac9bc606

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_ia64.deb

Size/MD5 checksum: 1861518 a8f7a3363abfe7be570edbd20f751b44

HP Precision architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_hppa.deb

Size/MD5 checksum: 1804650 ba5c084760261b2ff6c6d13e5dfee5d8

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_hppa.deb

Size/MD5 checksum: 322746 bd47c147c7ef301fcba04bfbd12f4a0e

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_hppa.deb

Size/MD5 checksum: 217164 888088c4b2fed932f890ae8931ed5de4

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_hppa.deb

Size/MD5 checksum: 1576110 379f41355e1d9590d5d03b67f64d84aa

Motorola 680×0 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_m68k.deb

Size/MD5 checksum: 1424634 c931c1da4a7de71d7980f6b6b9cd4f4a

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_m68k.deb

Size/MD5 checksum: 283060 ae509526418709d023a15fcb16db1ee0

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_m68k.deb

Size/MD5 checksum: 195450 51bbdb440db2c5ca2c46e3537560b13c

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_m68k.deb

Size/MD5 checksum: 1248726 2a0fc0956bb08ba3f1eeb294ccf3d52c

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_mips.deb

Size/MD5 checksum: 1617010 9d71224d003f77dc07dfdb44fd2c3a44

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_mips.deb

Size/MD5 checksum: 305586 e3d8d59e016942145bd3df4d42750635

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_mips.deb

Size/MD5 checksum: 214026 0373d06002c81f18633dcc84d142cb4a

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_mips.deb

Size/MD5 checksum: 1421854 f0d382ebf5aafb38c3ecebc925d451b7

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_mipsel.deb

Size/MD5 checksum: 1598998 cdc724a4d50486caa3f5a4d64935234e

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_mipsel.deb

Size/MD5 checksum: 305088 1b83d697e81df853200e5f01c5dc0988

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_mipsel.deb

Size/MD5 checksum: 213740 dadfeb96a4773091fe2650eb7af3257c

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_mipsel.deb

Size/MD5 checksum: 1406882 9b80509f83717db2915eb4a1e3c60312

PowerPC architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_powerpc.deb

Size/MD5 checksum: 1618560 2d59d0d9637d6b8d4fa0e3a4d6f9db7d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_powerpc.deb

Size/MD5 checksum: 302248 e8e72c62030bc974b31d8af4e0d63852

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_powerpc.deb

Size/MD5 checksum: 209252 b3a4d8eb2e92f7a246f05dae2a0fed5f

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_powerpc.deb

Size/MD5 checksum: 1419328 622dc47f9c98cad778c8d70902daf923

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_s390.deb

Size/MD5 checksum: 1574694 c6294f826dfd8b4f317d280813402c41

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_s390.deb

Size/MD5 checksum: 301070 f172764728c5d5dde499eb7a899cd0b0

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_s390.deb

Size/MD5 checksum: 204354 425f219731ab8727431ef95d74c8b127

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_s390.deb

Size/MD5 checksum: 1387250 b85f112f84d1998f7b3548001be1c3ef

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_sparc.deb

Size/MD5 checksum: 1583266 13d30be49f62ee046d2a8053efc32bbf

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_sparc.deb

Size/MD5 checksum: 318356 94dd17eb13f1d1111031e75ca1fe089a

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_sparc.deb

Size/MD5 checksum: 205120 f414e5cbb6fb969792c0170a4dcaa0a4

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_sparc.deb

Size/MD5 checksum: 1389310 193250254cd301644e8ee6b50b260ec4

These files will probably be moved into the stable distribution
on its next update.

Debian Security Advisory DSA 719-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
April 28th, 2005 http://www.debian.org/security/faq

Package : prozilla
Vulnerability : format string problems Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0523
BugTraq ID : 12635

Several format string problems have been discovered in prozilla,
a multi-threaded download accelerator, that can be exploited by a
malicious server to execute arbitrary code with the rights of the
user running prozilla.

For the stable distribution (woody) these problems have been
fixed in version 1.3.6-3woody2.

For the unstable distribution (sid) these problems have been
fixed in version 1.3.7.4-1.

We recommend that you upgrade your prozilla package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2.dsc

Size/MD5 checksum: 612 b928187dd8f03148a2539d4b3c80b438

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2.diff.gz

Size/MD5 checksum: 9649 fe452d3b07b843d9bdb0a62eea08b32e

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6.orig.tar.gz

Size/MD5 checksum: 152755 65864dfe72f5cb7d7e595ca6f34fc7d7

Alpha architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_alpha.deb

Size/MD5 checksum: 78456 67eb74ad4ef6f7b11fb6d0c84e97e885

ARM architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_arm.deb

Size/MD5 checksum: 65416 ee4e2b27282f5d797388cf9db6bb1ae6

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_i386.deb

Size/MD5 checksum: 64420 ca9cf2d80468eb3c6f262efd2865f32f

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_ia64.deb

Size/MD5 checksum: 93510 41775fe0d297ef48a07decba2df534d0

HP Precision architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_hppa.deb

Size/MD5 checksum: 74488 8d7ccf055d158ddd57f29ff6a67a54ba

Motorola 680×0 architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_m68k.deb

Size/MD5 checksum: 61402 087350199da0c600391b0975956d097a

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_mips.deb

Size/MD5 checksum: 73084 5a5e06a2436b08c7133ce1a21b97a167

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_mipsel.deb

Size/MD5 checksum: 73182 8479c67ce0ccb680821aeddba9fdb2e5

PowerPC architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_powerpc.deb

Size/MD5 checksum: 68490 7c83bdce09185e681b20c3903fcc18fd

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_s390.deb

Size/MD5 checksum: 65476 e25037beaff259f42db818fb8e8a403b

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_sparc.deb

Size/MD5 checksum: 68120 a1c98ba0fad335c84930c8894bf57435

These files will probably be moved into the stable distribution
on its next update.

For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Fedora Core

Fedora Update Notification
FEDORA-2005-344
2005-04-27

Product : Fedora Core 3
Name : ImageMagick
Version : 6.2.2.0
Release : 1.fc3
Summary : An X application for displaying and manipulating
images.

Description :
ImageMagick(TM) is an image display and manipulation tool for the X
Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF,
and Photo CD image formats. It can resize, rotate, sharpen, color
reduce, or add special effects to an image, and when finished you
can either save the completed work in the original format or a
different one. ImageMagick also includes command line programs for
creating animated or transparent .gifs, creating composite images,
creating thumbnail images, and more.

ImageMagick is one of your choices if you need a program to
manipulate and dis play images. If you want to develop your own
applications which use ImageMagick code or APIs, you need to
install ImageMagick-devel as well.

Update Information:

The update fixes a possible heap corruption issue in the pnm
decoder. It also includes a number of other bug fixes and
improvements.

  • Tue Apr 26 2005 Matthias Clasen <mclasen@redhat.com> –
    6.2.2.0-1.fc3

    • Update to 6.2.2 to fix a heap corruption issue in the pnm
      coder.
  • Mon Apr 25 2005 <mclasen@redhat.com> – 6.2.1.7-2.fc3
    • Update to 6.2.1
    • Include multiple improvements and bugfixes by Rex Dieter et al
      (111961, 145466, 151196, 149970, 146518, 113951, 145449, 144977,
      144570, 139298)
  • Sun Apr 24 2005 <mclasen@redhat.com> – 6.2.0.7-3
    • Make zip compression work for tiff (#154045)

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

7f39cda1085fea8a4e478bd726ba6bca
SRPMS/ImageMagick-6.2.2.0-1.fc3.src.rpm
091faa0bf0349d921ed2997e84a75792
x86_64/ImageMagick-6.2.2.0-1.fc3.x86_64.rpm
666a2b8a817beba8c9aa01b17159afa2
x86_64/ImageMagick-devel-6.2.2.0-1.fc3.x86_64.rpm
f52c1afdf5adfe6424067393783747d1
x86_64/ImageMagick-perl-6.2.2.0-1.fc3.x86_64.rpm
fd826d5ee8e25dbe4806257ce624d949 x86_64/ImageMagick-c
++-6.2.2.0-1.fc3.x86_64.rpm
6f2e58f3e4fe891d27a374e7fb291cbf x86_64/ImageMagick-c
++-devel-6.2.2.0-1.fc3.x86_64.rpm
be0adb07ba72b45e315a7a406c0ed97f
x86_64/debug/ImageMagick-debuginfo-6.2.2.0-1.fc3.x86_64.rpm
4ac7fe1a4e22b3e7eea9b8102104c73b
x86_64/ImageMagick-6.2.2.0-1.fc3.i386.rpm
591932d15e406856088a7023f02b0eaa x86_64/ImageMagick-c
++-6.2.2.0-1.fc3.i386.rpm
4ac7fe1a4e22b3e7eea9b8102104c73b
i386/ImageMagick-6.2.2.0-1.fc3.i386.rpm
70796447044d3b0c38be3aec006c66d1
i386/ImageMagick-devel-6.2.2.0-1.fc3.i386.rpm
a7b9b8c68d9c9f63ead862296a89fc09
i386/ImageMagick-perl-6.2.2.0-1.fc3.i386.rpm
591932d15e406856088a7023f02b0eaa i386/ImageMagick-c
++-6.2.2.0-1.fc3.i386.rpm
442158cf21be6ca2eaf94385d3f090b9 i386/ImageMagick-c
++-devel-6.2.2.0-1.fc3.i386.rpm
09aa2af0b08abbb279167deeeca66e26
i386/debug/ImageMagick-debuginfo-6.2.2.0-1.fc3.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

Fedora Update Notification
FEDORA-2005-345
2005-04-28

Product : Fedora Core 3
Name : kdewebdev
Version : 3.3.1
Release : 2.1
Summary : WEB Development package for the K Desktop
Environment.

Description :
The kdewebdev package contains Quanta Plus and other applications,
which are useful
for web development. They are runtime dependencies of Quanta Plus,
and it is highly recommended that you install them.

  • Wed Apr 27 2005 Than Ngo <than@redhat.com> 6:3.3.1-2.1
    • apply patch to fix CAN-2005-0754, Kommander untrusted code
      execution, thanks to KDE security team
  • Mon Oct 18 2004 Than Ngo <than@redhat.com> 6:3.3.1-2
    • rebuilt

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

4d5d22019cab362058135ec8faa14d25
SRPMS/kdewebdev-3.3.1-2.1.src.rpm
59d982f1666a49d1085946700e52f30d
x86_64/kdewebdev-3.3.1-2.1.x86_64.rpm
1535e28501e0d82b95e51aeabc032b44
x86_64/kdewebdev-devel-3.3.1-2.1.x86_64.rpm
26226ae521ad3134352bd9b99fbece49
x86_64/debug/kdewebdev-debuginfo-3.3.1-2.1.x86_64.rpm
a749308d15c2d15e3bd00d859c06ee92
i386/kdewebdev-3.3.1-2.1.i386.rpm
1cb8f8ec42a9810a12a2113c02d09b45
i386/kdewebdev-devel-3.3.1-2.1.i386.rpm
2d7c68a65e20f78fc856c4dc55dbb527
i386/debug/kdewebdev-debuginfo-3.3.1-2.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200504-28

http://security.gentoo.org/

Severity: Normal
Title: Heimdal: Buffer overflow vulnerabilities
Date: April 28, 2005
Bugs: #89861
ID: 200504-28

Synopsis

Buffer overflow vulnerabilities have been found in the telnet
client in Heimdal which could lead to execution of arbitrary
code.

Background

Heimdal is a free implementation of Kerberos 5 that includes a
telnet client program.

Affected packages

     Package            /  Vulnerable  /                    Unaffected

  1  app-crypt/heimdal       < 0.6.4                          >= 0.6.4

Description

Buffer overflow vulnerabilities in the slc_add_reply() and
env_opt_add() functions have been discovered by Gael Delalleau in
the telnet client in Heimdal.

Impact

Successful exploitation would require a vulnerable user to
connect to an attacker-controlled host using the telnet client,
potentially executing arbitrary code with the permissions of the
user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Heimdal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.6.4"

References

[ 1 ] CAN-2005-0468

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

[ 2 ] CAN-2005-0469

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200504-28.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.