Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2006:047
http://www.mandriva.com/security/
Package : metamail
Date : February 22, 2006
Affected: 10.1, 10.2, 2006.0, Corporate 3.0
Problem Description:
Ulf Harnhammar discovered a buffer overflow vulnerability in the
way that metamail handles certain mail messages. An attacker could
create a carefully-crafted message that, when parsed via metamail,
could execute arbitrary code with the privileges of the user
running metamail.
The updated packages have been patched to address this
issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0709
Updated Packages:
Mandriva Linux 10.1:
ba0268bd4a41df13182c7ad54326dba5
10.1/RPMS/metamail-2.7-11.1.101mdk.i586.rpm
37738308d3dff71b6eb473c207acc588
10.1/SRPMS/metamail-2.7-11.1.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
31b1df74ae413c00e037675fb772bc86
x86_64/10.1/RPMS/metamail-2.7-11.1.101mdk.x86_64.rpm
37738308d3dff71b6eb473c207acc588
x86_64/10.1/SRPMS/metamail-2.7-11.1.101mdk.src.rpm
Mandriva Linux 10.2:
6dae955385087b6bffdebca801ac2de9
10.2/RPMS/metamail-2.7-11.1.102mdk.i586.rpm
d4f56b18f644e54f5aaadf59247b6ba9
10.2/SRPMS/metamail-2.7-11.1.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
b8904fd8e2d4c4b16329eb3be040ae82
x86_64/10.2/RPMS/metamail-2.7-11.1.102mdk.x86_64.rpm
d4f56b18f644e54f5aaadf59247b6ba9
x86_64/10.2/SRPMS/metamail-2.7-11.1.102mdk.src.rpm
Mandriva Linux 2006.0:
983ad9efe0f7270920f719209e29ef8d
2006.0/RPMS/metamail-2.7-11.2.20060mdk.i586.rpm
f2d440c17063c3440342afd83a939dfe
2006.0/SRPMS/metamail-2.7-11.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
3b2eb2370dd3a37a0f6e7b8e6e97d65f
x86_64/2006.0/RPMS/metamail-2.7-11.2.20060mdk.x86_64.rpm
f2d440c17063c3440342afd83a939dfe
x86_64/2006.0/SRPMS/metamail-2.7-11.2.20060mdk.src.rpm
Corporate 3.0:
193e9f3fe5013735ae70e1f0d123375c
corporate/3.0/RPMS/metamail-2.7-11.1.C30mdk.i586.rpm
33711284aa358a2d82db961a27231e6e
corporate/3.0/SRPMS/metamail-2.7-11.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
6b44f1e909779950783bbab4988e391a
x86_64/corporate/3.0/RPMS/metamail-2.7-11.1.C30mdk.x86_64.rpm
33711284aa358a2d82db961a27231e6e
x86_64/corporate/3.0/SRPMS/metamail-2.7-11.1.C30mdk.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
Ubuntu Linux
Ubuntu Security Notice USN-257-1 February 23, 2006
tar vulnerability
CVE-2006-0300
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
tar
The problem can be corrected by upgrading the affected package
to version 1.14-2ubuntu0.1 (for Ubuntu 5.04), or 1.15.1-2ubuntu0.1
(for Ubuntu 5.10). In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Jim Meyering discovered that tar did not properly verify the
validity of certain header fields in a GNU tar archive. By tricking
a user into processing a specially crafted tar archive, this could
be exploited to execute arbitrary code with the privileges of the
user.
The tar version in Ubuntu 4.10 is not affected by this
vulnerability.
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.diff.gz
Size/MD5: 21395
1f8f561b862e0eaa1d3d76ab5b0805cc
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.dsc
Size/MD5: 568
1ac96d117355d0c6501bcfc0603d7f35
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14.orig.tar.gz
Size/MD5: 1485633
3094544702b1affa32d969f0b6459663
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_amd64.deb
Size/MD5: 374144
92a29882b472aae37c4f241a2b3d70b7
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_i386.deb
Size/MD5: 366426
bd8a627f95eea1d4dd38da1b8cb755a2
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_powerpc.deb
Size/MD5: 377108
8d1b6600f06a051dc7236e8e65c2032f
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.diff.gz
Size/MD5: 28928
e545480fd691241448cd885504e50393
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.dsc
Size/MD5: 576
c9d9bf92c8460d314cb3320666b01294
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
Size/MD5: 2204322
d87021366fe6488e9dc398fcdcb6ed7d
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_amd64.deb
Size/MD5: 531590
9f7a550698b0a138f4d92ec06ecfec96
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_i386.deb
Size/MD5: 519510
fd362a5872f6924e491e2caf7639162b
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_powerpc.deb
Size/MD5: 533538
c8148419548837909a81da6983af2964