---

Advisories, December 18, 2005

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200512-07


http://security.gentoo.org/


Severity: Low
Title: OpenLDAP, Gauche: RUNPATH issues
Date: December 15, 2005
Bugs: #105380, #112577
ID: 200512-07


Synopsis

OpenLDAP and Gauche suffer from RUNPATH issues that may allow
users in the “portage” group to escalate privileges.

Background

OpenLDAP is a suite of LDAP-related application and development
tools. Gauche is an R5RS Scheme interpreter.

Affected packages


     Package           /   Vulnerable   /                   Unaffected
  1  net-nds/openldap      < 2.2.28-r3                    >= 2.2.28-r3
                                                         *>= 2.1.30-r6
  2  dev-lang/gauche       < 0.8.6-r1                      >= 0.8.6-r1
-------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Gentoo packaging for OpenLDAP and Gauche may introduce insecure
paths into the list of directories that are searched for libraries
at runtime.

Impact

A local attacker, who is a member of the “portage” group, could
create a malicious shared object in the Portage temporary build
directory that would be loaded at runtime by a dependent binary,
potentially resulting in privilege escalation.
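A defender's audit for the RUNPATH problem described above, added here as an example (it is not Gentoo's own QA tooling): it parses `readelf -d` output and flags library search directories under the Portage build tree, relative or empty entries, and group- or world-writable directories. The sample `readelf` output, the package path inside it and the directory policy are constructed for this example.

```python
import os
import re
import stat

# Constructed sample of `readelf -d` output for a binary whose RUNPATH still
# points into the Portage build sandbox (sample data, not from the advisory).
SAMPLE_READELF = """
Dynamic section at offset 0x2d8 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libldap.so.2]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/portage/openldap-2.2.28/work/lib:/usr/lib:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""

# Matches both "(RPATH) Library rpath: [...]" and "(RUNPATH) Library runpath: [...]".
RUNPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]")
BUILD_DIRS = ("/var/tmp/portage",)  # Portage temporary build directory named in the advisory

def parse_runpath(readelf_output):
    """Return the search directories listed in DT_RPATH/DT_RUNPATH entries, in order."""
    entries = []
    for match in RUNPATH_RE.finditer(readelf_output):
        entries.extend(match.group(1).split(":"))
    return entries

def is_group_or_world_writable(path):
    """True if the directory exists and its mode grants group or other write access."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False  # absent directory: nobody can drop a library there right now
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def insecure_entries(entries):
    """Return (entry, reason) pairs for search directories an unprivileged user could write to."""
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "empty entry is resolved as the current working directory"))
        elif entry.startswith("$ORIGIN"):
            continue  # relative to the binary's own location; fine when that directory is root-owned
        elif not entry.startswith("/"):
            findings.append((entry, "relative path is resolved from the current working directory"))
        elif any(entry == d or entry.startswith(d + "/") for d in BUILD_DIRS):
            findings.append((entry, "inside the Portage build directory, writable by the portage group"))
        elif is_group_or_world_writable(entry):
            findings.append((entry, "directory is group- or world-writable"))
    return findings

if __name__ == "__main__":
    for entry, reason in insecure_entries(parse_runpath(SAMPLE_READELF)):
        print(f"INSECURE RUNPATH entry {entry}: {reason}")
```

On a real system, feed the function the output of `readelf -d` for each installed binary and library; a finding means a member of the writable group can choose which shared object that program loads.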

Workaround

Only grant “portage” group rights to trusted users.

Resolution

All OpenLDAP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-nds/openldap

All Gauche users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/gauche-0.8.6-r1"

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-07.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200512-08


http://security.gentoo.org/


Severity: Normal
Title: Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities
Date: December 16, 2005
Bugs: #114428, #115286
ID: 200512-08


Synopsis

Multiple vulnerabilities have been discovered in Xpdf, GPdf,
CUPS and Poppler potentially resulting in the execution of
arbitrary code.

Background

Xpdf and GPdf are PDF file viewers that run under the X Window
System. Poppler is a PDF rendering library based on Xpdf code. The
Common UNIX Printing System (CUPS) is a cross-platform print
spooler. It makes use of Xpdf code to handle PDF files.

Affected packages


     Package           /   Vulnerable   /                   Unaffected
  1  app-text/xpdf         < 3.01-r2                       >= 3.01-r2
  2  app-text/gpdf         < 2.10.0-r2                     >= 2.10.0-r2
  3  app-text/poppler      < 0.4.2-r1                      >= 0.4.2-r1
  4  net-print/cups        < 1.1.23-r3                     >= 1.1.23-r3
-------------------------------------------------------------------
     4 affected packages on all of their supported architectures.

Description

infamous41md discovered that several Xpdf functions lack
sufficient boundary checking, resulting in multiple exploitable
buffer overflows.

Impact

An attacker could entice a user to open a specially-crafted PDF
file which would trigger an overflow, potentially resulting in
execution of arbitrary code with the rights of the user running
Xpdf, CUPS, GPdf or Poppler.

Workaround

There is no known workaround at this time.

Resolution

All Xpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r2"

All GPdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r2"

All Poppler users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/poppler-0.4.2-r1"

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r3"

References

[ 1 ] CVE-2005-3191

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191

[ 2 ] CVE-2005-3192

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192

[ 3 ] CVE-2005-3193

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-08.xml


Gentoo Linux Security Advisory GLSA 200512-09


http://security.gentoo.org/


Severity: Low
Title: cURL: Off-by-one errors in URL handling
Date: December 16, 2005
Bugs: #114710
ID: 200512-09


Synopsis

cURL is vulnerable to local arbitrary code execution via buffer
overflow due to the insecure parsing of URLs.

Background

cURL is a command line tool for transferring files with URL
syntax, supporting numerous protocols.

Affected packages


     Package        /  Vulnerable  /                        Unaffected

  1  net-misc/curl      < 7.15.1                             >= 7.15.1

Description

Stefan Esser from the Hardened-PHP Project has reported a
vulnerability in cURL that allows for a local buffer overflow when
cURL attempts to parse specially crafted URLs. The URL can be
specially crafted in one of two ways: the URL could be malformed in
a way that prevents a terminating null byte from being added to
either a hostname or path buffer; or the URL could contain a “?”
separator in the hostname portion, which causes a “/” to be
prepended to the resulting string.

Impact

An attacker capable of getting cURL to parse a maliciously
crafted URL could cause a denial of service or execute arbitrary
code with the privileges of the user making the call to cURL. An
attacker could also escape open_basedir or safe_mode
pseudo-restrictions when exploiting this problem from within a PHP
program when PHP is compiled with libcurl.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/curl-7.15.1"

References

[ 1 ] CVE-2005-4077

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077

[ 2 ] Hardened-PHP Advisory

http://www.hardened-php.net/advisory_242005.109.html

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-09.xml


Ubuntu Linux


Ubuntu Security Notice USN-230-2          December 16, 2005
xine-lib vulnerability
CVE-2005-4048


A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libxine1
libxine1c2

The problem can be corrected by upgrading the affected package
to version 1-rc5-1ubuntu2.4 (for Ubuntu 4.10), 1.0-1ubuntu3.6 (for
Ubuntu 5.04), or 1.0.1-1ubuntu10.2 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary
changes.

Details follow:

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine
library contains a copy of the ffmpeg code, thus it is vulnerable
to the same flaw.

For reference, this is the original advisory:

Simon Kilvington discovered a buffer overflow in the
avcodec_default_get_buffer() function of the ffmpeg library. By
tricking a user into opening a malicious movie which contains
specially crafted PNG images, this could be exploited to execute
arbitrary code with the user's privileges.
