
Advisories, June 13, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1096-1                     security@debian.org
http://www.debian.org/security/                              Martin Schulze
June 13th, 2006                         http://www.debian.org/security/faq


Package : webcalendar
Vulnerability : uninitialised variable
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2762

A vulnerability has been discovered in webcalendar, a PHP-based
multi-user calendar, that allows a remote attacker to execute
arbitrary PHP code when register_globals is turned on.

The old stable distribution (woody) does not contain a
webcalendar package.

For the stable distribution (sarge) this problem has been fixed
in version 0.9.45-4sarge5.

For the unstable distribution (sid) this problem has been fixed
in version 1.0.4-1.

We recommend that you upgrade your webcalendar package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.dsc
      Size/MD5 checksum:      608 216c1f9f764169fa877f1717f37dd73a
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.diff.gz
      Size/MD5 checksum:    12569 3a996902a10791fe764548728885d812
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
      Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6

Architecture independent components:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5_all.deb
      Size/MD5 checksum:   629442 f918fe96d26d5cbfa99efe2b2e938d2f

These files will probably be moved into the stable distribution
on its next update.


For apt-get:  deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200606-09


http://security.gentoo.org/


Severity: High
Title: SpamAssassin: Execution of arbitrary code
Date: June 11, 2006
Bugs: #135746
ID: 200606-09


Synopsis

SpamAssassin, when running with certain options, could allow
local or even remote attackers to execute arbitrary commands,
possibly as the root user.

Background

SpamAssassin is an extensible email filter used to identify junk
email. spamd is the daemonized version of SpamAssassin.

Affected packages


     Package                   /  Vulnerable  /             Unaffected

  1  mail-filter/spamassassin       < 3.1.3                   >= 3.1.3

Description

When spamd is run with both the "--vpopmail" (-v) and
"--paranoid" (-P) options, it is vulnerable to an unspecified
issue.

Impact

With certain configuration options, a local or even remote
attacker could execute arbitrary code with the rights of the user
running spamd, which is root by default, by sending a crafted
message to the spamd daemon. Furthermore, the attack can be
performed remotely if the "--allowed-ips" (-A) option is present
and specifies non-local addresses. Note that Gentoo Linux is not
vulnerable in the default configuration.

Workaround

Don't use both the "--paranoid" (-P) and the "--vpopmail" (-v)
options.

Resolution

All SpamAssassin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.3"

References

[ 1 ] CVE-2006-2447

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-09.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200606-10


http://security.gentoo.org/


Severity: Normal
Title: Cscope: Many buffer overflows
Date: June 11, 2006
Bugs: #133829
ID: 200606-10


Synopsis

Cscope is vulnerable to multiple buffer overflows that could
lead to the execution of arbitrary code.

Background

Cscope is a developer’s tool for browsing source code.

Affected packages


     Package          /  Vulnerable  /                      Unaffected

  1  dev-util/cscope      < 15.5-r6                         >= 15.5-r6

Description

Cscope does not verify the length of file names sourced in
#include statements.

Impact

A user could be enticed to source a carefully crafted file which
will allow the attacker to execute arbitrary code with the
permissions of the user running Cscope.

Workaround

There is no known workaround at this time.

Resolution

All Cscope users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.5-r6"

References

[ 1 ] CVE-2004-2541

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2541

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-10.xml



Gentoo Linux Security Advisory GLSA 200606-11


http://security.gentoo.org/


Severity: Normal
Title: JPEG library: Denial of Service
Date: June 11, 2006
Bugs: #130889
ID: 200606-11


Synopsis

The JPEG library is vulnerable to a Denial of Service.

Background

The JPEG library is able to load, handle and manipulate images
in the JPEG format.

Affected packages


     Package          /  Vulnerable  /                      Unaffected

  1  media-libs/jpeg       < 6b-r7                            >= 6b-r7

Description

Tavis Ormandy of the Gentoo Linux Auditing Team discovered that
the vulnerable JPEG library ebuilds compile JPEG without the
--maxmem feature, which is not recommended.

Impact

By enticing a user to load a specially crafted JPEG image file
an attacker could cause a Denial of Service, due to memory
exhaustion.

Workaround

There is no known workaround at this time.

Resolution

JPEG users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/jpeg-6b-r7"

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-11.xml



Gentoo Linux Security Advisory GLSA 200606-12


http://security.gentoo.org/


Severity: Normal
Title: Mozilla Firefox: Multiple vulnerabilities
Date: June 11, 2006
Bugs: #135254
ID: 200606-12


Synopsis

Vulnerabilities in Mozilla Firefox allow privilege escalations
for JavaScript code, cross site scripting attacks, HTTP response
smuggling and possibly the execution of arbitrary code.

Background

Mozilla Firefox is the next-generation web browser from the
Mozilla project.

Affected packages


     Package                         /  Vulnerable  /       Unaffected

  1  www-client/mozilla-firefox          < 1.5.0.4            >= 1.5.0.4
  2  www-client/mozilla-firefox-bin      < 1.5.0.4            >= 1.5.0.4
-------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

A number of vulnerabilities were found and fixed in Mozilla
Firefox. For details please consult the references below.

Impact

By enticing the user to visit a malicious website, a remote
attacker can inject arbitrary HTML and JavaScript code into the
user's browser, execute JavaScript code with elevated privileges
and possibly execute arbitrary code with the permissions of the
user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.4"

All Mozilla Firefox binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.4"

Note: There is no stable fixed version for the Alpha
architecture yet. Users of Mozilla Firefox on Alpha should consider
unmerging it until such a version is available.

References

[ 1 ] CVE-2006-2775

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775

[ 2 ] CVE-2006-2776

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776

[ 3 ] CVE-2006-2777

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2777

[ 4 ] CVE-2006-2778

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778

[ 5 ] CVE-2006-2779

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779

[ 6 ] CVE-2006-2780

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2780

[ 7 ] CVE-2006-2782

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2782

[ 8 ] CVE-2006-2783

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783

[ 9 ] CVE-2006-2784

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2784

[ 10 ] CVE-2006-2785

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2785

[ 11 ] CVE-2006-2786

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2786

[ 12 ] CVE-2006-2787

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2787

[ 13 ] Mozilla Foundation Security Advisories


http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-12.xml



Gentoo Linux Security Advisory GLSA 200606-13


http://security.gentoo.org/


Severity: Normal
Title: MySQL: SQL Injection
Date: June 11, 2006
Bugs: #135076
ID: 200606-13


Synopsis

MySQL is vulnerable to an SQL Injection flaw in the multi-byte
encoding process.

Background

MySQL is a popular multi-threaded, multi-user SQL server.

Affected packages


     Package       /  Vulnerable  /                         Unaffected

  1  dev-db/mysql       < 4.1.20                            *>= 4.1.20
                        < 5.0.22                             >= 5.0.22

Description

MySQL is vulnerable to an injection flaw in mysql_real_escape_string()
when used with multi-byte characters.

Impact

Due to a flaw in the multi-byte character process, an attacker
is still able to inject arbitrary SQL statements into the MySQL
server for execution.

Workaround

There are a few workarounds available. The NO_BACKSLASH_ESCAPES SQL
mode works around the bug in mysql_real_escape_string(), either per
session or globally:

    SET sql_mode='NO_BACKSLASH_ESCAPES';
    SET GLOBAL sql_mode='NO_BACKSLASH_ESCAPES';

or as a server command line option:

    --sql-mode=NO_BACKSLASH_ESCAPES

Resolution

All MySQL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.20"

References

[ 1 ] CVE-2006-2753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-13.xml



Gentoo Linux Security Advisory GLSA 200606-14


http://security.gentoo.org/


Severity: High
Title: GDM: Privilege escalation
Date: June 12, 2006
Bugs: #135027
ID: 200606-14


Synopsis

An authentication error in GDM could allow users to gain
elevated privileges.

Background

GDM is the GNOME display manager.

Affected packages


     Package         /  Vulnerable  /                       Unaffected

  1  gnome-base/gdm      < 2.8.0.8                          >= 2.8.0.8

Description

GDM allows a normal user to access the configuration
manager.

Impact

When the “face browser” in GDM is enabled, a normal user can use
the “configure login manager” with his/her own password instead of
the root password, and thus gain additional privileges.

Workaround

There is no known workaround at this time.

Resolution

All GDM users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=gnome-base/gdm-2.8.0.8"

References

[ 1 ] Gnome Bugzilla entry

http://bugzilla.gnome.org/show_bug.cgi?id=343476

[ 2 ] CVE-2006-2452

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2452

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-14.xml


Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:099
http://www.mandriva.com/security/


Package : freetype2
Date : June 12, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

Integer underflow in FreeType before 2.2 allows remote attackers
to cause a denial of service (crash) via a font file with an odd
number of blue values, which causes the underflow when decrementing
by 2 in a context that assumes an even number of values.
(CVE-2006-0747)
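The following is an added illustration of the odd-count pattern described in the CVE-2006-0747 paragraph, not FreeType's code: a table of blue values is consumed in pairs by an unsigned counter that steps down by 2, and an odd count makes that counter wrap instead of reaching zero. The table layout, the function names and the loop shape are assumptions made for this example; the hardened parser shows the check that prevents the wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample tables (assumed layout): a 16-bit value count
 * followed by that many 16-bit blue values. */
static const uint16_t EVEN_TABLE[] = { 4, 10, 20, 30, 40 };   /* 4 values */
static const uint16_t ODD_TABLE[]  = { 3, 10, 20, 30 };       /* 3 values */

/* Output buffer shared by main() and callers: up to 8 (low, high) pairs. */
static uint16_t PAIRS_OUT[8][2];

/* Simulates the vulnerable loop shape without touching memory: the
 * counter is walked down by 2 until it reaches zero. Returns the number
 * of iterations taken, capped at 'cap'. For an even count the loop ends
 * after count/2 steps; for an odd count it goes 3 -> 1 -> UINT32_MAX and
 * never hits zero, so the cap is returned (in real code this is the
 * out-of-bounds walk that crashes the process). */
static uint32_t unchecked_iterations(uint32_t count, uint32_t cap)
{
    uint32_t n = count, iters = 0;
    while (n != 0 && iters < cap) {
        iters++;
        n -= 2;                     /* wraps when n == 1 */
    }
    return iters;
}

/* Hardened parser: validates the count before any pair is consumed.
 * Returns the number of pairs written to 'out', or -1 for a malformed
 * table (odd count, count larger than the data present, or caller's
 * buffer too small). */
static int parse_blue_pairs(const uint16_t *table, size_t nwords,
                            uint16_t (*out)[2], size_t max_pairs)
{
    if (nwords < 1) return -1;
    uint32_t count = table[0];
    if (count & 1) return -1;                 /* odd count: reject early */
    if (count > nwords - 1) return -1;        /* more values than data */
    if (count / 2 > max_pairs) return -1;     /* would overflow 'out' */
    size_t pairs = 0;
    for (uint32_t n = count; n != 0; n -= 2) {   /* n is always even here */
        out[pairs][0] = table[1 + count - n];
        out[pairs][1] = table[2 + count - n];
        pairs++;
    }
    return (int)pairs;
}

int main(void)
{
    printf("even table: %d pairs\n",
           parse_blue_pairs(EVEN_TABLE, 5, PAIRS_OUT, 8));
    printf("odd table:  %d (rejected)\n",
           parse_blue_pairs(ODD_TABLE, 4, PAIRS_OUT, 8));
    printf("unchecked loop on count=3 ran %u of 1000 allowed steps\n",
           unchecked_iterations(3, 1000));
    return 0;
}
```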

Multiple integer overflows in FreeType before 2.2 allow remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2)
sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function
and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)

ftutil.c in FreeType before 2.2 allows remote attackers to cause
a denial of service (crash) via a crafted font file that triggers a
null dereference. (CVE-2006-2661)

In addition, a patch is applied to 2.1.10 in Mandriva 2006 to
fix a serious bug in ttkern.c that caused some programs to go into
an infinite loop when dealing with fonts that don’t have a properly
sorted kerning sub-table. This patch is not applicable to the
earlier Mandriva releases.

Packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0747

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2661


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
