Advisories: April 6, 2005

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200504-04

http://security.gentoo.org/

Severity: Normal
Title: mit-krb5: Multiple buffer overflows in telnet client
Date: April 06, 2005
Bugs: #87145
ID: 200504-04

Synopsis

The mit-krb5 telnet client is vulnerable to two buffer
overflows, which could allow a malicious telnet server operator to
execute arbitrary code.

Background

The MIT Kerberos 5 implementation provides a command line telnet
client which is used for remote login via the telnet protocol.

Affected packages

     Package             /  Vulnerable  /                   Unaffected

  1  app-crypt/mit-krb5     < 1.3.6-r2                     >= 1.3.6-r2

A buffer overflow has been identified in the env_opt_add()
function, where a response requiring excessive escaping can cause a
heap-based buffer overflow. Another issue has been identified in
the slc_add_reply() function, where a large number of SLC commands
can overflow a fixed size buffer.

Impact

Successful exploitation would require a vulnerable user to
connect to an attacker-controlled telnet host, potentially
executing arbitrary code with the permissions of the telnet user on
the client.

Workaround

There is no known workaround at this time.

Resolution

All mit-krb5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6-r2"

References

[ 1 ] CAN-2005-0468

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

[ 2 ] CAN-2005-0469

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[ 3 ] MITKRB5-SA-2005-001

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200504-04.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200504-05

http://security.gentoo.org/

Severity: Low
Title: Gaim: Denial of Service issues
Date: April 06, 2005
Updated: April 06, 2005
Bugs: #87903
ID: 200504-05:02

Synopsis

Gaim contains multiple vulnerabilities that can lead to a Denial
of Service.

Background

Gaim is a full featured instant messaging client which handles a
variety of instant messaging protocols.

Affected packages

     Package      /  Vulnerable  /                          Unaffected

  1  net-im/gaim       < 1.2.1                                >= 1.2.1

Description

Multiple vulnerabilities have been addressed in the latest
release of Gaim:

A buffer overread in the gaim_markup_strip_html() function,
which is used when logging conversations (CAN-2005-0965).
Markup tags are improperly escaped using Gaim’s IRC plugin
(CAN-2005-0966).
Sending a specially crafted file transfer request to a Gaim
Jabber user can trigger a crash (CAN-2005-0967).

Impact

An attacker could possibly cause a Denial of Service by
exploiting any of these vulnerabilities.

Workaround

There is no known workaround at this time.

Resolution

All Gaim users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/gaim-1.2.1"

References

[ 1 ] CAN-2005-0967

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0967

[ 2 ] CAN-2005-0966

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0966

[ 3 ] CAN-2005-0965

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0965

[ 4 ] Gaim Vulnerability Index

http://gaim.sourceforge.net/security/

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200504-05.xml

Concerns?

License

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Slackware Linux

[slackware-security] PHP (SSA:2005-095-01)

New PHP packages are available for Slackware 8.1, 9.0, 9.1,
10.0, 10.1, and -current to fix security issues.

More details about the issues may be found in the PHP ChangeLogs
on the PHP web site: http://php.net

Here are the details from the Slackware 10.1 ChangeLog:
+————————–+
patches/packages/php-4.3.11-i486-1.tgz: Upgraded to php-4.3.11.
“This is a maintenance release that in addition to over 70
non-critical bug fixes addresses several security issues inside the
exif and fbsql extensions as well as the unserialize(),
swf_definepoly() and getimagesize() functions.”
(* Security fix *)
testing/packages/php-5.0.4/php-5.0.4-i486-1.tgz: Upgraded to
php-5.0.4. Fixes various bugs (and security issues.)
(* Security fix *)
+————————–+

Where to find the new
packages:

Updated package for Slackware 8.1:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.11-i386-1.tgz

Updated package for Slackware 9.0:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.11-i386-1.tgz

Updated package for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.11-i486-1.tgz

Updated package for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/php-4.3.11-i486-1.tgz

Updated packages for Slackware 10.1:

ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/php-4.3.11-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-10.1/testing/packages/php-5.0.4/php-5.0.4-i486-1.tgz

Updated packages for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.11-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/php-5.0.4/php-5.0.4-i486-1.tgz

MD5 signatures:

Slackware 8.1 package:
fdc05e23a4132fc5a27e53fe056e8349 php-4.3.11-i386-1.tgz

Slackware 9.0 package:
c39802066035ae18b087059db9e48d33 php-4.3.11-i386-1.tgz

Slackware 9.1 package:
644da7c59b6b707a4e9afd389c595d33 php-4.3.11-i486-1.tgz

Slackware 10.0 package:
0361b80a4b69d35f3cd7b45f6ae801c3 php-4.3.11-i486-1.tgz

Slackware 10.1 packages:
8a62d6953f5a5a08f59daba2b6bb1085 php-4.3.11-i486-1.tgz
843fe926a820cfbaf2360dd65499ccb0 php-5.0.4-i486-1.tgz

Slackware -current packages:
a03e8b481895e80578b93fe57c0510fc php-4.3.11-i486-1.tgz
843fe926a820cfbaf2360dd65499ccb0 php-5.0.4-i486-1.tgz

Installation instructions:

First, stop apache:
# apachectl stop

Next, upgrade to the new PHP package:
# upgradepkg php-4.3.11-i486-1.tgz

Finally, restart apache:
# apachectl start (or: apachectl startssl)

+—–+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

Ubuntu Linux

Ubuntu Security Notice USN-108-1 April 05, 2005
gtk+2.0, gdk-pixbuf vulnerabilities
CAN-2005-0891

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libgdk-pixbuf2
libgtk2.0-0

The problem can be corrected by upgrading the affected package
to version 0.22.0-7ubuntu1.1 (libgdk-pixbuf2) and 2.4.10-1ubuntu1.1
(libgtk2.0-0). In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

Matthias Clasen discovered a Denial of Service vulnerability in
the BMP image module of gdk. Processing a specially crafted BMP
image with an application using gdk-pixbuf caused an allocated
memory block to be free()’ed twice, leading to a crash of the
application. However, it is believed that this cannot be exploited
to execute arbitrary attacker provided code.

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-7ubuntu1.1.diff.gz

Size/MD5: 371559 6eda65660063879e8fcb9c13f32acc8a

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-7ubuntu1.1.dsc

Size/MD5: 723 1733720ee9e346a1564ae45c4e5ab2b2

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0.orig.tar.gz

Size/MD5: 519266 4db0503b5a62533db68b03908b981751

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10-1ubuntu1.1.diff.gz

Size/MD5: 46203 8a6ebac91a341bfec1a4e40e22c6e4e2

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10-1ubuntu1.1.dsc

Size/MD5: 1936 45ca99b8b54fb1a34716380edcdc22d2

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10.orig.tar.gz

Size/MD5: 14140860 b1876ebde3b85bceb576ee5e2ecfd60b

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-common_2.4.10-1ubuntu1.1_all.deb

Size/MD5: 2778688 7817b2b2187db31d21ee3c3d72ef6c64

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-doc_2.4.10-1ubuntu1.1_all.deb

Size/MD5: 1877562 392cfa514cdfac3307a5c051a1d83be9

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/universe/g/gtk+2.0/gtk2.0-examples_2.4.10-1ubuntu1.1_amd64.deb

Size/MD5: 261990 acd7487241d60424bf0901a36ea49c20

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-7ubuntu1.1_amd64.deb

Size/MD5: 155396 824fb12f5f2c808d1fe9be57d18cc24b

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-7ubuntu1.1_amd64.deb

Size/MD5: 8524 1e22ab97a0f2ea92f13f61f1dd8e7901

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-7ubuntu1.1_amd64.deb

Size/MD5: 7944 83ccb50f72b4adf65e8dd83cc3112d28

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-7ubuntu1.1_amd64.deb

Size/MD5: 183296 412c10985e923bb6f965bba344b1b584

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-0_2.4.10-1ubuntu1.1_amd64.deb

Size/MD5: 2183922 2f95da8893c36ef012daacb33b64a68b

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-bin_2.4.10-1ubuntu1.1_amd64.deb

Size/MD5: 13934 3f15e4e19464edee9bec3e03bceb6a5a

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dbg_2.4.10-1ubuntu1.1_amd64.deb

Size/MD5: 10299776 69bee0e979b89a26fc2bdfb0d0936da0

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dev_2.4.10-1ubuntu1.1_amd64.deb

Size/MD5: 2841746 da7656c49d7a53144fdcc0cc30e10300

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/universe/g/gtk+2.0/gtk2.0-examples_2.4.10-1ubuntu1.1_i386.deb

Size/MD5: 258614 b4143d9c3f9508a4d02b321a83587a13

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-7ubuntu1.1_i386.deb

Size/MD5: 147238 b753bfcecffb4694572a1fd23f365f25

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-7ubuntu1.1_i386.deb

Size/MD5: 7636 69e339f1559495af69bd1e2729a969ae

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-7ubuntu1.1_i386.deb

Size/MD5: 7188 fd233fc7c62a0ccb3353d802aa3e347e

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-7ubuntu1.1_i386.deb

Size/MD5: 167464 85d56ca9adbbf4b12d90665f14cbab9d

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-0_2.4.10-1ubuntu1.1_i386.deb

Size/MD5: 2000760 a48d7ccb98352bdec84cb066fb6cad14

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-bin_2.4.10-1ubuntu1.1_i386.deb

Size/MD5: 13288 812f0d4bd1e6fbc7c1b0d85caa11c228

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dbg_2.4.10-1ubuntu1.1_i386.deb

Size/MD5: 10067810 6d984fa1f6b3abaf4a1861aaa955820f

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dev_2.4.10-1ubuntu1.1_i386.deb

Size/MD5: 2484426 b283dce0ceebe5cfdff2ac86960445b5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/universe/g/gtk+2.0/gtk2.0-examples_2.4.10-1ubuntu1.1_powerpc.deb

Size/MD5: 260412 de11296455cd7b06eea78e6f49a7bcd2

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-7ubuntu1.1_powerpc.deb

Size/MD5: 163118 fbde558bcf35a4334b431e362ab854ac

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-7ubuntu1.1_powerpc.deb

Size/MD5: 9162 6dd4f1856a9ccd034bb09a4aa691ca0e

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-7ubuntu1.1_powerpc.deb

Size/MD5: 9494 af0e66ba1520dedf6f4edd1bddc62a17

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-7ubuntu1.1_powerpc.deb

Size/MD5: 192186 88f579eeff03b81ce45ff03dfb260df5

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-0_2.4.10-1ubuntu1.1_powerpc.deb

Size/MD5: 2118578 3be811e254b9f042267f937a3b9f8171

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-bin_2.4.10-1ubuntu1.1_powerpc.deb

Size/MD5: 16056 8f00fc4931970ff94ef915194d81031f

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dbg_2.4.10-1ubuntu1.1_powerpc.deb

Size/MD5: 10329060 9dfecd1aab94c16f2c8cf90d5e94c91d

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dev_2.4.10-1ubuntu1.1_powerpc.deb

Size/MD5: 3084834 2e84877a938df6886104119ba59c8e2a

Ubuntu Security Notice USN-109-1 April 06, 2005
mysql-dfsg vulnerability
CAN-2004-0957

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package
to version 4.0.20-2ubuntu1.5. In general, a standard system upgrade
is sufficient to effect the necessary changes.

Details follow:

USN-32-1 fixed a database privilege escalation vulnerability;
original advisory text:

“If a user was granted privileges to a database with a name
containing an underscore (“_”), the user also gained the ability to
grant privileges to other databases with similar names.
(CAN-2004-0957)”

Recently a corner case was discovered where this vulnerability
can still be exploited, so another update is necessary.=20

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-2ubuntu1.5.diff.gz

Size/MD5: 176049 5327f1a5d1a3827fba4f33d7292e1b41

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-2ubuntu1.5.dsc

Size/MD5: 892 a5317ab608e8c23ad3363b4d7fe96ba9

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20.orig.tar.gz

Size/MD5: 9760117 f092867f6df2f50b34b8065312b9fb2b

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.20-2ubuntu1.5_all.deb

Size/MD5: 24778 2a297ce189a18851dd5a7423f25d905e

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient-dev_4.0.20-2ubuntu1.5_amd64.deb

Size/MD5: 2810714 7869e26ba1893de1feb7633f409a90da

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient_4.0.20-2ubuntu1.5_amd64.deb

Size/MD5: 304846 86393fa9f4ecae507b17707f5e3a8eaf

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.20-2ubuntu1.5_amd64.deb

Size/MD5: 422898 67670eeeddad130ecca1045a2f9e67fd

http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.20-2ubuntu1.5_amd64.deb

Size/MD5: 3577760 8357127a732b5592d3642fc9314b7154