---

Advisories: July 14, 2005

Debian GNU/Linux


Debian Security Advisory DSA 746-1                     [email protected]
http://www.debian.org/security/                           Michael Stone
July 13, 2005                           http://www.debian.org/security/faq


Package : phpgroupware
Vulnerability : remote command execution
Problem type : input validation error
Debian-specific: no
CVE Id(s) : CAN-2005-1921

A vulnerability has been identified in the xmlrpc library
included with phpgroupware, a web-based application including
email, calendar and other groupware functionality. This
vulnerability could lead to the execution of arbitrary commands on
the server running phpgroupware.

The security team is continuing to investigate the version of
phpgroupware included with the old stable distribution (woody). At
this time we recommend disabling phpgroupware or upgrading to the
current stable distribution (sarge).

For the current stable distribution (sarge) this problem has
been fixed in version 0.9.16.005-3.sarge0.

For the unstable distribution (sid) this problem has been fixed
in version 0.9.16.006-1.

We recommend that you upgrade your phpgroupware package.

Upgrade instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (sarge)


sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips,
mipsel, powerpc, s390 and sparc.

Source archives:


http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge0.dsc

Size/MD5 checksum: 1665 6b60af214470336fb8dd24d029ab6326

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge0.diff.gz

Size/MD5 checksum: 31814 f9f0fdb982212255037d4129736e7c21

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005.orig.tar.gz

Size/MD5 checksum: 19442629 5edd5518e8f77174c12844f9cfad6ac4

Architecture independent packages:


http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 35984 4a87585b9a1c5f7ac32cd6a7fb217242

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 185894 c33f2c74c3df4d7ecaba47499adfcfc2

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpgwapi_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 9674304 8f9bc38f2610d7aeeab769f6571f8ce6

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 135960 bbc1ca292006147f097cc79396de8808

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 29534 ed73d7edab4ceae62b2b2bde8d279387

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 176070 29005653b28191bc31f2f09b49e4b681

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 40858 18b367628b687ae793281ddb6399aa0a

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-fudforum_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 1355020 ebe912a08a7b8721d21b98b95cd0eda2

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 59198 f7d81622bd273a1bb7aa2ff227f2c007

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 46498 565979513780536ee9cc6573728cea48

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-sitemgr_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 902042 fe53830690ad59fd3711b156260f39ad

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 22760 d40b76c6cfde48dc863eb07fa68f618c

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpbrain_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 39746 0a0e1480285d96d2b9cf175df30284a8

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 20272 f9b8d9bd93eb716f1ff689eea0307038

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wiki_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 69878 cafaf90a5c9053ba36614fd9140d2dec

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 100516 67d9c3435e6b55f7f5961772267ca1ad

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 32896 1e2af590a4887c3ba471930d6eb99128

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 18770 1c69b89be7e3cdf5003b3d6e4b7eb1d8

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 323552 22390645056bcb021c2e608644f4f591

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-folders_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 166002 f7a6ba93175803e7de9517698397cb90

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-etemplate_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 1328904 4c2982ec97a5b08f6d2d83fafbdbbe43

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-felamimail_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 179716 0706f78f53596f7adeddda57a6977a09

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 91192 f49356e1ba4540c657ff64ebbca6ce62

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 49828 3001c35e7b6780a063a1c6dc74a7785d

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 119876 21d5eb594517b56f348186189292a0dc

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 62508 922fe6644df12d786b2500eb07bd5523

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 1117384 b7f5819fed77a668023204786ec00d68

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 433776 0ddc8573dff45912049bb3c516889f4c

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 42338 4a17fcf60a2575be7182ffa780a7eb0e

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 266852 2e05a4e8f1dea399e5b8ddc99322d2d1

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 21542 2beb7d5a99acdc2a33c8fe672574d025

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 6092 cb1f96251a63d5fadba172f648f7f909

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 18390 95374052008b852fbea203d3f6fd1d75

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 155778 b1e8dc55d9e5a4ed9d868750957babb7

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 63476 3bc0223e4550a7a56295017885f07998

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 116012 bdffce5b093fb41e0429a7d4eee8ea93

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 8272 f4649ebb3b674661a1a172d1f503a673

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 49984 0ba721f8a669b6b6338ae90c7bb9070f

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 25578 461e9804f5ce01b332cbe6569529bdc9

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 23596 2e3454fa36009152beb0695c80a238ec

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 45118 996eebff648f4b688403cfb00255b924

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 90172 2196aa43de438b0a5d3754ba0b4f8089

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-qmailldap_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 23050 02ed1690b4d3547dbbcfe8145d234062

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 55322 9f8ddccce78aa7ac488d6bd965bb2732

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 34538 0de0c8c676a0e1efca8845c78d0ae201

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.16.005-3.sarge0_all.deb

Size/MD5 checksum: 31116 2b7e22a553c0bc0457757993dda7cfe8


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated ImageMagick packages fix security issues
Advisory ID: FLSA:152777
Issue date: 2005-07-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2003-0455 CAN-2004-0827 CAN-2004-0981 CAN-2005-0005
CAN-2005-0397 CAN-2005-0759 CAN-2005-0760 CAN-2005-0761
CAN-2005-0762 CAN-2005-1275 CAN-2005-1739



1. Topic:

Updated ImageMagick packages that fix multiple security
vulnerabilities are now available.

ImageMagick(TM) is an image display and manipulation tool for
the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A temporary file handling bug has been found in ImageMagick's
libmagick library. A local user could overwrite or create files as
a different user if a program was linked with the vulnerable
library. The Common Vulnerabilities and Exposures project
(http://cve.mitre.org/) has assigned the name CAN-2003-0455 to this
issue.

A heap overflow flaw has been discovered in the ImageMagick
image handler. An attacker could create a carefully crafted BMP
file in such a way that it could cause ImageMagick to execute
arbitrary code when processing the image. The Common
Vulnerabilities and Exposures project (http://cve.mitre.org/) has
assigned the name CAN-2004-0827 to this issue.

A buffer overflow flaw was discovered in the ImageMagick image
handler. An attacker could create a carefully crafted image file
with malformed EXIF information in such a way that it would cause
ImageMagick to execute arbitrary code when processing the image.
The Common Vulnerabilities and Exposures project
(http://cve.mitre.org/) has assigned the name CAN-2004-0981 to this
issue.

Andrei Nigmatulin discovered a heap based buffer overflow flaw
in the ImageMagick image handler. An attacker could create a
carefully crafted Photoshop Document (PSD) image in such a way that
it would cause ImageMagick to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures
project (http://cve.mitre.org/) has assigned the name CAN-2005-0005
to this issue.

A format string bug was found in the way ImageMagick handles
filenames. An attacker could execute arbitrary code on a victim's
machine if they were able to trick the victim into opening a file
with a specially crafted name. The Common Vulnerabilities and
Exposures project (http://cve.mitre.org/) has assigned the name
CAN-2005-0397 to this issue.

A bug was found in the way ImageMagick handles TIFF tags. It is
possible that a TIFF image file with an invalid tag could cause
ImageMagick to crash. The Common Vulnerabilities and Exposures
project (http://cve.mitre.org/) has assigned the name CAN-2005-0759
to this issue.

A bug was found in ImageMagick's TIFF decoder. It is possible
that a specially crafted TIFF image file could cause ImageMagick to
crash. The Common Vulnerabilities and Exposures project
(http://cve.mitre.org/) has assigned the name CAN-2005-0760 to this
issue.

A bug was found in the way ImageMagick parses PSD files. It is
possible that a specially crafted PSD file could cause ImageMagick
to crash. The Common Vulnerabilities and Exposures project
(http://cve.mitre.org/) has assigned the name CAN-2005-0761 to this
issue.

A heap overflow bug was found in ImageMagick's SGI parser. It is
possible that an attacker could execute arbitrary code by tricking
a user into opening a specially crafted SGI image file. The Common
Vulnerabilities and Exposures project (http://cve.mitre.org/) has
assigned the name CAN-2005-0762 to this issue.

A heap based buffer overflow bug was found in the way
ImageMagick parses PNM files. An attacker could execute arbitrary
code on a victim's machine if they were able to trick the victim
into opening a specially crafted PNM file. The Common
Vulnerabilities and Exposures project (http://cve.mitre.org/) has
assigned the name CAN-2005-1275 to this issue.

A denial of service bug was found in the way ImageMagick parses
XWD files. A user or program executing ImageMagick to process a
malicious XWD file can cause ImageMagick to enter an infinite loop,
causing a denial of service condition. The Common Vulnerabilities
and Exposures project (http://cve.mitre.org/) has assigned the name
CAN-2005-1739 to this issue.

Users of ImageMagick should upgrade to these updated packages,
which contain backported patches, and are not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152777

6. RPMs required:

Red Hat Linux 7.3:
SRPM:

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ImageMagick-5.4.3.11-12.7.x.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-5.4.3.11-12.7.x.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-5.4.3.11-12.7.x.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-devel-5.4.3.11-12.7.x.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-devel-5.4.3.11-12.7.x.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-perl-5.4.3.11-12.7.x.legacy.i386.rpm

Red Hat Linux 9:

SRPM:

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ImageMagick-5.4.7-18.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-5.4.7-18.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-5.4.7-18.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-devel-5.4.7-18.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-devel-5.4.7-18.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-perl-5.4.7-18.legacy.i386.rpm

Fedora Core 1:

SRPM:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ImageMagick-5.5.6-13.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-5.5.6-13.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-5.5.6-13.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-devel-5.5.6-13.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-perl-5.5.6-13.legacy.i386.rpm

Fedora Core 2:

SRPM:

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ImageMagick-6.2.0.7-2.fc2.4.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


7b27cf41597ccc41f50f5f3fd26a3c6cb1909bdd
redhat/7.3/updates/i386/ImageMagick-5.4.3.11-12.7.x.legacy.i386.rpm

83414dfc20fff160d3b1c4a695658e331c0d3377
redhat/7.3/updates/i386/ImageMagick-c++-5.4.3.11-12.7.x.legacy.i386.rpm

9d3a2639f252fcc0630577e8472363095c94b593
redhat/7.3/updates/i386/ImageMagick-c++-devel-5.4.3.11-12.7.x.legacy.i386.rpm

a45ea97141ccce7c7341bb71c45253b43b11f7f8
redhat/7.3/updates/i386/ImageMagick-devel-5.4.3.11-12.7.x.legacy.i386.rpm

15f0d5eb36b9aa9a747ac5dbef8711ce5ad4cd72
redhat/7.3/updates/i386/ImageMagick-perl-5.4.3.11-12.7.x.legacy.i386.rpm

05387637ee1ebca6c8be0a53c6e13d9823a69b49
redhat/7.3/updates/SRPMS/ImageMagick-5.4.3.11-12.7.x.legacy.src.rpm

a6308b069f58c6360005ea56f3feb47eaae3bd65
redhat/9/updates/i386/ImageMagick-5.4.7-18.legacy.i386.rpm
9f489f4e8e8b806a9633bb919f1d6c86717b7f27
redhat/9/updates/i386/ImageMagick-c++-5.4.7-18.legacy.i386.rpm
889cc1c0ac6d8a467d5af14f7e8d7b0e6f20d8ac
redhat/9/updates/i386/ImageMagick-c++-devel-5.4.7-18.legacy.i386.rpm

7e88b3ec777a2389778b8dc872893a145a18f84b
redhat/9/updates/i386/ImageMagick-devel-5.4.7-18.legacy.i386.rpm

b08d36cd4582a49599ae8d74c89996d154462f85
redhat/9/updates/i386/ImageMagick-perl-5.4.7-18.legacy.i386.rpm
a5af8dee9a7b06b0bc1b21e5765496cfd1ef7783
redhat/9/updates/SRPMS/ImageMagick-5.4.7-18.legacy.src.rpm
893208f6a36ec085645e3bf355b6bd4d7f4385c0
fedora/1/updates/i386/ImageMagick-5.5.6-13.legacy.i386.rpm
2ceb1c41c4b6e326e1b936eb5400350ab4ff6e31
fedora/1/updates/i386/ImageMagick-c++-5.5.6-13.legacy.i386.rpm
d30be986c274be4ed48f242c9e110fab67b242a5
fedora/1/updates/i386/ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm

2bd96e8c2282b2679c2b667392c406d5907bdf0b
fedora/1/updates/i386/ImageMagick-devel-5.5.6-13.legacy.i386.rpm

2a3c951dad27669d92b2d96def0a7c99af1ae5e2
fedora/1/updates/i386/ImageMagick-perl-5.5.6-13.legacy.i386.rpm
6140077bd02c06b986324ece6d8c13dc57ce7b16
fedora/1/updates/SRPMS/ImageMagick-5.5.6-13.legacy.src.rpm
54d9009c07aeb2fcf9bf229261db01dab803dc60
fedora/2/updates/i386/ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm

ad54fd8a3e168a327d3132180d203e1e9d1cb5d9
fedora/2/updates/i386/ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm

6c5e6d0b1e190d7eb3e04caa348544f40a0be1c3
fedora/2/updates/i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm

c57f484f174292c09b8dc5926e69a78b3f01b203
fedora/2/updates/i386/ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm

74bb46945e783a9ffc8d2299924496a5f4334d79
fedora/2/updates/i386/ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm

00ca9b91408f73c74d7574b4cf1247d8f6cf8749
fedora/2/updates/SRPMS/ImageMagick-6.2.0.7-2.fc2.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>
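Both the Debian list above (a URL line followed by "Size/MD5 checksum: <bytes> <md5>") and the Fedora Legacy list (a SHA-1 digest followed by the relative path; Mandriva's MD5 list further down has the same two-column shape) are meant to be checked by hand with md5sum or sha1sum. The script below, an added example that is not code from Debian, Fedora Legacy or any of the packages named, parses both layouts, checks size and digest of whatever has been downloaded, and can emit a `md5sum -c` / `sha1sum -c` manifest. The advisory text and package bytes inside `demo()` are constructed so that it runs offline; the file and directory names are placeholders.

```python
"""Verify downloaded update packages against the digest lists in DSA 746-1
(Size/MD5 checksum lines) and FLSA:152777 (sha1 / path lines).
Added example, not code from either advisory or the packages it names;
the advisory text and package bytes in demo() are constructed."""
import hashlib
import os
import re
import tempfile

# Debian style: a URL line, then "Size/MD5 checksum: <bytes> <md5>".
DEBIAN_URL = re.compile(r"^(https?://\S+/([^/\s]+))$")
DEBIAN_SUM = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$")
# Fedora Legacy / Mandriva style: "<hexdigest> <relative/path>", or the
# digest alone on one line and the path on the next (as extracted above).
TWO_COL = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{32})\s+(\S+)$")
DIGEST_ONLY = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{32})$")


def algo_for(digest):
    """40 hex chars is SHA-1, 32 is MD5; nothing else appears in these lists."""
    return {40: "sha1", 32: "md5"}[len(digest)]


def parse_advisory(text):
    """Return [(filename, algorithm, hexdigest, expected_size_or_None), ...]."""
    entries = []
    pending_url = pending_digest = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines sit between URL and sum
        m = DEBIAN_URL.match(line)
        if m:
            pending_url, pending_digest = m.group(2), None
            continue
        m = DEBIAN_SUM.match(line)
        if m and pending_url:
            entries.append((pending_url, "md5", m.group(2), int(m.group(1))))
            pending_url = None
            continue
        m = TWO_COL.match(line)
        if m:
            entries.append((os.path.basename(m.group(2)), algo_for(m.group(1)), m.group(1), None))
            continue
        m = DIGEST_ONLY.match(line)
        if m:
            pending_digest = m.group(1)
            continue
        if pending_digest and " " not in line:   # the path line after a bare digest
            entries.append((os.path.basename(line), algo_for(pending_digest), pending_digest, None))
        pending_url = pending_digest = None      # any other line ends a pair
    return entries


def verify_advisory(text, directory):
    """Map each listed filename to 'ok', 'missing', 'size mismatch' or '<algo> mismatch'."""
    results = {}
    for name, algo, expected, size in parse_advisory(text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if size is not None and len(data) != size:
            results[name] = "size mismatch"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "ok" if actual == expected else algo + " mismatch"
    return results


def to_manifest(text, algo):
    """Lines in md5sum -c / sha1sum -c format for the entries that use `algo`."""
    return "".join("%s  %s\n" % (d, n) for n, a, d, _ in parse_advisory(text) if a == algo)


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed end-to-end run: fake package bytes, a fake advisory, one tampered file."""
    d = tempfile.mkdtemp()
    deb = b"constructed stand-in for a .deb, not a real package\n"
    rpm = b"constructed stand-in for an .rpm, not a real package\n"
    _write(d, "phpgroupware-xmlrpc_0.9.16.005-3.sarge0_all.deb", deb)
    _write(d, "ImageMagick-5.4.7-18.legacy.i386.rpm", rpm)
    _write(d, "ImageMagick-perl-5.4.7-18.legacy.i386.rpm", rpm + b"tampered\n")
    advisory = (
        "http://security.debian.org/pool/updates/main/p/phpgroupware/"
        "phpgroupware-xmlrpc_0.9.16.005-3.sarge0_all.deb\n\n"
        "Size/MD5 checksum: %d %s\n\n"
        "%s\nredhat/9/updates/i386/ImageMagick-5.4.7-18.legacy.i386.rpm\n"
        "%s\nredhat/9/updates/i386/ImageMagick-perl-5.4.7-18.legacy.i386.rpm\n"
        "%s redhat/9/updates/i386/ImageMagick-c++-5.4.7-18.legacy.i386.rpm\n"
    ) % (len(deb), hashlib.md5(deb).hexdigest(),
         hashlib.sha1(rpm).hexdigest(),
         hashlib.sha1(rpm).hexdigest(),   # listed digest is for the untampered file
         "0" * 40)                        # a package that was never downloaded
    return verify_advisory(advisory, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-50s %s" % (name, status))
```

A digest copied out of a plaintext advisory only proves that the download was not corrupted in transit; anyone who can alter the advisory can alter the digest, and MD5 was already known to be collision-prone in 2005. The trust anchor is the signature: the signed .dsc for Debian, and `rpm --checksig -v` against the Fedora Legacy key for the RPMs, which is why the advisory lists both.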

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0827

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0981

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0759

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0760

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0761

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0762

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1739

9. Contact:

The Fedora Legacy security contact is <[email protected]>.
More project details at http://www.fedoralegacy.org


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200507-13


http://security.gentoo.org/


Severity: Normal
Title: pam_ldap and nss_ldap: Plain text authentication leak
Date: July 14, 2005
Bugs: #96767
ID: 200507-13


Synopsis

pam_ldap and nss_ldap fail to restart TLS when following a
referral, possibly leading to credentials being sent in plain
text.

Background

pam_ldap is a Pluggable Authentication Module which allows
authentication against an LDAP directory. nss_ldap is a Name
Service Switch module which allows 'passwd', 'group' and 'host'
database information to be pulled from LDAP. TLS is Transport Layer
Security, a protocol that allows encryption of network
communications.

Affected packages


    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  sys-auth/nss_ldap      < 239-r1                       >= 239-r1
                                                          *>= 226-r1
  2  sys-auth/pam_ldap      < 178-r1                       >= 178-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Rob Holland of the Gentoo Security Audit Team discovered that
pam_ldap and nss_ldap fail to use TLS for referred connections if
they are referred to a master after connecting to a slave,
regardless of the "ssl start_tls" ldap.conf setting.

Impact

An attacker could sniff passwords or other sensitive information
as the communication is not encrypted.

Workaround

pam_ldap and nss_ldap can be set to force the use of SSL instead
of TLS.

Resolution

All pam_ldap users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose sys-auth/nss_ldap
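The description, workaround and resolution above come down to one configuration question: is the client relying on "ssl start_tls", where only the first connection is upgraded and a referral-chased connection to the master goes out without TLS, or on "ssl on", where every connection is wrapped in LDAPS? The script below is an added example, not code from Gentoo, the GLSA or the PADL pam_ldap/nss_ldap projects. It audits a PADL-style ldap.conf for that exposure and rewrites it to the workaround. It assumes the ldap.conf keywords `uri`, `ssl` (off, on or start_tls) and `tls_checkpeer`; the sample configuration in `SAMPLE` is constructed and the host names are placeholders.

```python
"""Audit a pam_ldap / nss_ldap ldap.conf for the GLSA 200507-13 exposure and
rewrite it to the advisory's workaround (LDAPS on every connection instead
of StartTLS). Added example, not code from Gentoo, PADL or the GLSA.
Assumes the PADL keywords uri, ssl (off|on|start_tls) and tls_checkpeer;
SAMPLE is a constructed configuration."""
import re

SAMPLE = """\
# constructed sample ldap.conf, not from a real deployment
base dc=example,dc=org
uri ldap://ldap-slave.example.org/
ssl start_tls            # TLS is negotiated on the first connection only
tls_checkpeer no
"""


def parse_ldap_conf(text):
    """keyword (lower-cased) -> value, with comments and blank lines dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(text, fixed_versions=False):
    """Return findings as a list of strings; an empty list means nothing flagged.

    fixed_versions=True means pam_ldap >= 178-r1 and nss_ldap >= 239-r1 are
    installed, so the referral finding no longer applies."""
    conf = parse_ldap_conf(text)
    findings = []
    ssl = conf.get("ssl", "off").lower()
    uri = conf.get("uri", "").lower()
    if ssl == "start_tls" and not fixed_versions:
        # The GLSA's bug: the connection opened to follow a referral is not
        # upgraded with StartTLS, so the bind to the master can go out in clear.
        findings.append("ssl start_tls on pam_ldap < 178-r1 / nss_ldap < 239-r1: "
                        "referral-chased connections skip TLS (CAN-2005-2069)")
    if ssl == "off" and not uri.startswith("ldaps://"):
        findings.append("no transport encryption: simple binds send the password in clear")
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not yes: the server certificate is not verified")
    return findings


def harden(text):
    """Apply the GLSA workaround: ssl on (LDAPS) for every connection, cert checking on."""
    out, have_checkpeer = [], False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        parts = stripped.split(None, 1)
        key = parts[0].lower() if parts else ""
        value = parts[1] if len(parts) > 1 else ""
        if key == "ssl":
            out.append("ssl on")                        # LDAPS wrapper, not StartTLS
        elif key == "uri":
            out.append("uri " + re.sub(r"(?i)\bldap://", "ldaps://", value.strip()))
        elif key == "tls_checkpeer":
            out.append("tls_checkpeer yes")
            have_checkpeer = True
        else:
            out.append(raw)
    if not have_checkpeer:
        out.append("tls_checkpeer yes")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    print(harden(SAMPLE))
```

The rewritten file only helps if the server (and the master it refers to) actually listens for LDAPS and the client has the CA certificate that `tls_checkpeer yes` needs, so check both before deploying it. Whether on the workaround or on the fixed packages, the test that settles it is a packet capture of a login that chases a referral: no bind request should be readable on the wire.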

References

[ 1 ] CAN-2005-2069

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-13.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Mandriva Linux


Mandriva Linux Security Update Advisory


Package name: krb5
Advisory ID: MDKSA-2005:119
Date: July 13th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate
Server 2.1, Multi Network Firewall 2.0


Problem Description:

A number of vulnerabilities have been corrected in this Kerberos
update:

The rcp protocol would allow a server to instruct a client to
write to arbitrary files outside of the current directory. The
Kerberos-aware rcp could be abused to copy files from a malicious
server (CAN-2004-0175).

Gael Delalleau discovered an information disclosure
vulnerability in the way some telnet clients handled messages from
a server. This could be abused by a malicious telnet server to
collect information from the environment of any victim connecting
to the server using the Kerberos-aware telnet client
(CAN-2005-0488).

Daniel Wachdorf discovered that in error conditions that could
occur in response to correctly-formatted client requests, the
Kerberos 5 KDC may attempt to free uninitialized memory, which
could cause the KDC to crash resulting in a Denial of Service
(CAN-2005-1174).

Daniel Wachdorf also discovered a single-byte heap overflow in
the krb5_unparse_name() function that could, if successfully
exploited, lead to a crash, resulting in a DoS. To trigger this
flaw, an attacker would need to have control of a Kerberos realm
that shares a cross-realm key with the target (CAN-2005-1175).

Finally, a double-free flaw was discovered in the
krb5_recvauth() routine which could be triggered by a remote
unauthenticated attacker. This issue could potentially be exploited
to allow for the execution of arbitrary code on a KDC. No exploit
is currently known to exist (CAN-2005-1689).

The updated packages have been patched to address these issues and
Mandriva urges all users to upgrade to these packages as quickly as
possible.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

http://www.kb.cert.org/vuls/id/623332

http://www.kb.cert.org/vuls/id/259798

http://www.kb.cert.org/vuls/id/885830


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt


Updated Packages:

Mandrakelinux 10.0:
c87b9ac1660b8cb7909f0d7809e60c16
10.0/RPMS/ftp-client-krb5-1.3-6.6.100mdk.i586.rpm
6f42470b37ea66bb7570694acf4b170c
10.0/RPMS/ftp-server-krb5-1.3-6.6.100mdk.i586.rpm
bf802310809218151a91f70b431f58f7
10.0/RPMS/krb5-server-1.3-6.6.100mdk.i586.rpm
dd0120f441cbe289189c98d1a6e7c9b5
10.0/RPMS/krb5-workstation-1.3-6.6.100mdk.i586.rpm
69c40a89709e887063a3e817325125b9
10.0/RPMS/libkrb51-1.3-6.6.100mdk.i586.rpm
34a0289675fc35576e2cb715a6e2117b
10.0/RPMS/libkrb51-devel-1.3-6.6.100mdk.i586.rpm
bed8b731d7e752b4bcffe98abdbd7d3e
10.0/RPMS/telnet-client-krb5-1.3-6.6.100mdk.i586.rpm
7b01eaa867670ef32aafc0c62d1e9b01
10.0/RPMS/telnet-server-krb5-1.3-6.6.100mdk.i586.rpm
7b00ffd04e5fb1328a8ecfc3bad58827
10.0/SRPMS/krb5-1.3-6.6.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
174fdb05eb1f32630ff9e7796800f554
amd64/10.0/RPMS/ftp-client-krb5-1.3-6.6.100mdk.amd64.rpm
97eb89e96cccdd269d1aed4c19d0c31c
amd64/10.0/RPMS/ftp-server-krb5-1.3-6.6.100mdk.amd64.rpm
f57777163fcbca96e8f032fe22134414
amd64/10.0/RPMS/krb5-server-1.3-6.6.100mdk.amd64.rpm
befa694e6b367b7ad9ac6f127edb28c4
amd64/10.0/RPMS/krb5-workstation-1.3-6.6.100mdk.amd64.rpm
caaa22fb8566f59f749234cb6d2065f1
amd64/10.0/RPMS/lib64krb51-1.3-6.6.100mdk.amd64.rpm
8f869dbf84022f913fc14841741cba82
amd64/10.0/RPMS/lib64krb51-devel-1.3-6.6.100mdk.amd64.rpm
83d63d52ab2fa1545a8bfbcd81cf4b89
amd64/10.0/RPMS/telnet-client-krb5-1.3-6.6.100mdk.amd64.rpm
ba7fc18ac57bda1f05aaf42c82dcd196
amd64/10.0/RPMS/telnet-server-krb5-1.3-6.6.100mdk.amd64.rpm
7b00ffd04e5fb1328a8ecfc3bad58827
amd64/10.0/SRPMS/krb5-1.3-6.6.100mdk.src.rpm

Mandrakelinux 10.1:
fb9247177c9a8e1c97058458c70e6a38
10.1/RPMS/ftp-client-krb5-1.3.4-2.3.101mdk.i586.rpm
dc55f0d19df94d5c4314ba7476d267f7
10.1/RPMS/ftp-server-krb5-1.3.4-2.3.101mdk.i586.rpm
0a87d233095d1cd13ee637153dcc5b59
10.1/RPMS/krb5-server-1.3.4-2.3.101mdk.i586.rpm
f8e4067a77c9d5bb681d2460bf2063b9
10.1/RPMS/krb5-workstation-1.3.4-2.3.101mdk.i586.rpm
e0d4e8e580f3b6499bc405aed49552d3
10.1/RPMS/libkrb53-1.3.4-2.3.101mdk.i586.rpm
73e3abef9c847fe90db56483531a1cf1
10.1/RPMS/libkrb53-devel-1.3.4-2.3.101mdk.i586.rpm
ab219aaacc9c024b737f323350f20745
10.1/RPMS/telnet-client-krb5-1.3.4-2.3.101mdk.i586.rpm
59950fc14b9ebde521822ceb72e020b5
10.1/RPMS/telnet-server-krb5-1.3.4-2.3.101mdk.i586.rpm
b6791f0e031795f328a2373bd6bff4af
10.1/SRPMS/krb5-1.3.4-2.3.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
7cc15d17e2dd069951ae1033e2e5da0f
x86_64/10.1/RPMS/ftp-client-krb5-1.3.4-2.3.101mdk.x86_64.rpm
08d8d3cd6b8e3be3a0647feb3a041cc0
x86_64/10.1/RPMS/ftp-server-krb5-1.3.4-2.3.101mdk.x86_64.rpm
6ef2f47ace0c658673c20e7428058b3f
x86_64/10.1/RPMS/krb5-server-1.3.4-2.3.101mdk.x86_64.rpm
eb7c38bbfacd43534d2508872ae07637
x86_64/10.1/RPMS/krb5-workstation-1.3.4-2.3.101mdk.x86_64.rpm
911d542523934cae7891eb3aa1b4c22c
x86_64/10.1/RPMS/lib64krb53-1.3.4-2.3.101mdk.x86_64.rpm
42c8a131ea1bb6b4a71826fa0367dcd9
x86_64/10.1/RPMS/lib64krb53-devel-1.3.4-2.3.101mdk.x86_64.rpm
991aadec0a33745198589b1619f42190
x86_64/10.1/RPMS/telnet-client-krb5-1.3.4-2.3.101mdk.x86_64.rpm
9fecbd14c5b908416e2eb5b8b7900602
x86_64/10.1/RPMS/telnet-server-krb5-1.3.4-2.3.101mdk.x86_64.rpm
b6791f0e031795f328a2373bd6bff4af
x86_64/10.1/SRPMS/krb5-1.3.4-2.3.101mdk.src.rpm

Mandrakelinux 10.2:
2370d0bcd8e1055b828cbc5fd61b80fb
10.2/RPMS/ftp-client-krb5-1.3.6-6.1.102mdk.i586.rpm
77d6d6822faf2d46126324d52b7de350
10.2/RPMS/ftp-server-krb5-1.3.6-6.1.102mdk.i586.rpm
fd97b673156aab9df1dd084fa00ca4ee
10.2/RPMS/krb5-server-1.3.6-6.1.102mdk.i586.rpm
e097b32bff94a889e9287328ea4383a7
10.2/RPMS/krb5-workstation-1.3.6-6.1.102mdk.i586.rpm
10b12d24aeacbc51a72c5f6df7e063ab
10.2/RPMS/libkrb53-1.3.6-6.1.102mdk.i586.rpm
c1b8458fdd25b9ac51338978958886b9
10.2/RPMS/libkrb53-devel-1.3.6-6.1.102mdk.i586.rpm
225fb2cfd2b8a30d0743cc691a98f862
10.2/RPMS/telnet-client-krb5-1.3.6-6.1.102mdk.i586.rpm
c7145ab6eb80b5a5bd6438dc1292c208
10.2/RPMS/telnet-server-krb5-1.3.6-6.1.102mdk.i586.rpm
fc23e2f504e65b3ed2304bbf44b17626
10.2/SRPMS/krb5-1.3.6-6.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
48bf82662d9dc709f7b6fc93d408ec36
x86_64/10.2/RPMS/ftp-client-krb5-1.3.6-6.1.102mdk.x86_64.rpm
a99dcafc0f131bee2fdd481a3c3b74ae
x86_64/10.2/RPMS/ftp-server-krb5-1.3.6-6.1.102mdk.x86_64.rpm
6575fa785756ec309bc9a532ea201998
x86_64/10.2/RPMS/krb5-server-1.3.6-6.1.102mdk.x86_64.rpm
9de12fff0f2556fc1b37309f3df38f43
x86_64/10.2/RPMS/krb5-workstation-1.3.6-6.1.102mdk.x86_64.rpm
979d3a3a1076b5e1379388dfa12cbf14
x86_64/10.2/RPMS/lib64krb53-1.3.6-6.1.102mdk.x86_64.rpm
51fdffc99853d03ae464cfd45e477cf8
x86_64/10.2/RPMS/lib64krb53-devel-1.3.6-6.1.102mdk.x86_64.rpm
0f52ac0e1c637d1c9cd8ec0ce40f9221
x86_64/10.2/RPMS/telnet-client-krb5-1.3.6-6.1.102mdk.x86_64.rpm
398385ff0c438b3ddf4e086a44ae118c
x86_64/10.2/RPMS/telnet-server-krb5-1.3.6-6.1.102mdk.x86_64.rpm
fc23e2f504e65b3ed2304bbf44b17626
x86_64/10.2/SRPMS/krb5-1.3.6-6.1.102mdk.src.rpm

Multi Network Firewall 2.0:

Corporate Server 2.1:

Corporate Server 2.1/X86_64:

Corporate 3.0:

Corporate 3.0/X86_64:


To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
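
As an added example that is not part of the Mandriva advisory, the following shell script checks manually downloaded packages against the advisory's per-package MD5 listing (a digest followed by the package path, which the extraction here splits across two lines), automating the checksum verification described above for people who do not use urpmi. The listing file name, the download directory and the sample packages in the self-test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory: verify manually
# downloaded update packages against the advisory's checksum listing.
# Assumes the listing is in the advisory's "md5  path" form, or the
# extracted form where digest and path sit on separate lines.

# Rewrite the listing into the "<md5>  <path>" lines md5sum -c expects.
# $1 = listing file; normalised lines go to stdout.
normalize_listing() {
    awk '
        function is_md5(s) { return length(s) == 32 && s ~ /^[0-9a-f]+$/ }
        # bare digest: remember it and wait for the path on the next line
        NF == 1 && is_md5($1) { pending = $1; next }
        # "digest  path" on one line
        NF >= 2 && is_md5($1) { print $1 "  " $2; pending = ""; next }
        # path line following a bare digest
        pending != "" && NF == 1 { print pending "  " $1; pending = "" }
    ' "$1"
}

# Check every package listed in $1 under the download directory $2.
# Exit status is 0 only if all files exist and match; md5sum reports
# each mismatch or missing file itself.
verify_packages() {
    normalize_listing "$1" | ( cd "$2" && md5sum -c --quiet - )
}

# Self-test on constructed data: one intact package, one tampered copy.
# Returns 0 when the intact listing verifies and the tampered one fails.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/10.2/RPMS"
    printf 'hello\n' > "$tmp/10.2/RPMS/good.rpm"     # md5 b1946ac9...
    printf 'tampered\n' > "$tmp/10.2/RPMS/tampered.rpm"
    printf '%s\n' b1946ac92492d2347c6235b4d2611184 10.2/RPMS/good.rpm \
        > "$tmp/good.lst"
    printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 \
        10.2/RPMS/tampered.rpm > "$tmp/bad.lst"
    verify_packages "$tmp/good.lst" "$tmp" || { rm -rf "$tmp"; return 1; }
    if verify_packages "$tmp/bad.lst" "$tmp" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

An MD5 match only shows that the file is the one the advisory lists; the GPG signature check (rpm --checksig, against the Mandriva key fetched with the gpg command above) is what ties the package to its publisher.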

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Update Advisory


Package name: mozilla-firefox
Advisory ID: MDKSA-2005:120
Date: July 13th, 2005
Affected versions: 10.2


Problem Description:

A number of vulnerabilities were reported and fixed in Firefox
1.0.5 and Mozilla 1.7.9. The following vulnerabilities have been
backported and patched for this update:

In several places the browser UI did not correctly distinguish
between true user events, such as mouse clicks or keystrokes, and
synthetic events generated by web content. The problems ranged
from minor annoyances like switching tabs or entering full-screen
mode, to a variant on MFSA 2005-34. Synthetic events are now
prevented from reaching the browser UI entirely rather than depending
on each potentially spoofed function to protect itself from
untrusted events (MFSA 2005-45).

Scripts in XBL controls from web content continued to be run
even when Javascript was disabled. By itself this causes no harm,
but it could be combined with most script-based exploits to attack
people running vulnerable versions who thought disabling javascript
would protect them. In the Thunderbird and Mozilla Suite mail
clients Javascript is disabled by default for protection against
denial-of-service attacks and worms; this vulnerability could be
used to bypass that protection (MFSA 2005-46).

If an attacker can convince a victim to use the “Set As
Wallpaper” context menu item on a specially crafted image then they
can run arbitrary code on the user’s computer. The image “source”
must be a javascript: url containing an eval() statement and such
an image would get the “broken image” icon, but with CSS it could
be made transparent and placed on top of a real image. The attacker
would have to convince the user to change their desktop background
to the exploit image, and to do so by using the Firefox context
menu rather than first saving the image locally and using the
normal mechanism provided by their operating system. This affects
only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The
implementation of this feature in the Mozilla Suite is also
unaffected (MFSA 2005-47).

The InstallTrigger.install() method for launching an install
accepts a callback function that will be called with the final
success or error status. By forcing a page navigation immediately
after calling the install method this callback function can end up
running in the context of the new page selected by the attacker.
This is true even if the user cancels the unwanted install dialog:
cancel is an error status. This callback script can steal data from
the new page such as cookies or passwords, or perform actions on
the user’s behalf such as make a purchase if the user is already
logged into the target site. In Firefox the default settings allow
only http://addons.mozilla.org to bring
up this install dialog. This could only be exploited if users have
added questionable sites to the install whitelist, and if a
malicious site can convince you to install from their site that’s a
much more powerful attack vector. In the Mozilla Suite the
whitelist feature is turned off by default, so any site can prompt the
user to install software and exploit this vulnerability. The
browser has been fixed to clear any pending callback function when
switching to a new site (MFSA 2005-48).

Sites can use the _search target to open links in the Firefox
sidebar. A missing security check allows the sidebar to inject
data: urls containing scripts into any page open in the browser.
This could be used to steal cookies, passwords or other sensitive
data (MFSA 2005-49).

When InstallVersion.compareTo() is passed an object rather than
a string it assumed the object was another InstallVersion without
verifying it. When passed a different kind of object the browser
would generally crash with an access violation. shutdown has
demonstrated that different javascript objects can be passed on
some OS versions to get control over the instruction pointer. We
assume this could be developed further to run arbitrary machine
code if the attacker can get exploit code loaded at a predictable
address (MFSA 2005-50).

The original frame-injection spoofing bug was fixed in the
Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was
accidentally bypassed by one of the fixes in the Firefox 1.0.3 and
Mozilla Suite 1.7.7 releases (MFSA 2005-51).

A child frame can call top.focus() even if the framing page
comes from a different origin and has overridden the focus()
routine. The call is made in the context of the child frame. The
attacker would look for a target site with a framed page that makes
this call but doesn’t verify that its parent comes from the same
site. The attacker could steal cookies and passwords from the
framed page, or take actions on behalf of a signed-in user. This
attack would work only against sites that use frames in this manner
(MFSA 2005-52).

Several media players, for example Flash and QuickTime, support
scripted content with the ability to open URLs in the default
browser. The default behavior for Firefox was to replace the
currently open browser window’s content with the externally opened
content. If the external URL was a javascript: url it would run as
if it came from the site that served the previous content, which
could be used to steal sensitive information such as login cookies
or passwords. If the media player content first caused a privileged
chrome: url to load then the subsequent javascript: url could
execute arbitrary code. External javascript: urls will now run in a
blank context regardless of what content it’s replacing, and
external apps will no longer be able to load privileged chrome:
urls in a browser window. The -chrome command line option to load
chrome applications is still supported (MFSA 2005-53).

Alerts and prompts created by scripts in web pages are presented
with the generic title [JavaScript Application] which sometimes
makes it difficult to know which site created them. A malicious
page could attempt to cause a prompt to appear in front of a
trusted site in an attempt to extract information such as passwords
from the user. In the fixed version these prompts will contain the
hostname from the page which created it (MFSA 2005-54).

Parts of the browser UI relied too much on DOM node names
without taking different namespaces into account and verifying that
nodes really were of the expected type. An XHTML document could be
used to create fake <IMG> elements, for example, with
content-defined properties that the browser would access as if they
were the trusted built-in properties of the expected HTML elements.
The severity of the vulnerability would depend on what the attacker
could convince the victim to do, but could result in executing
user-supplied script with elevated “chrome” privileges. This could
be used to install malicious software on the victim’s machine (MFSA
2005-55).

Improper cloning of base objects allowed web content scripts to
walk up the prototype chain to get to a privileged object. This
could be used to execute code with enhanced privileges (MFSA
2005-56).

The updated packages have been patched to address these
issues.


References:

http://www.mozilla.org/security/announce/mfsa2005-45.html

http://www.mozilla.org/security/announce/mfsa2005-46.html

http://www.mozilla.org/security/announce/mfsa2005-47.html

http://www.mozilla.org/security/announce/mfsa2005-48.html

http://www.mozilla.org/security/announce/mfsa2005-49.html

http://www.mozilla.org/security/announce/mfsa2005-50.html

http://www.mozilla.org/security/announce/mfsa2005-51.html
