---

Mandrakelinux Advisories: cdrecord, zlib, imlib2


Mandrakelinux Security Update Advisory


Package name: cdrecord
Advisory ID: MDKSA-2004:091
Date: September 7th, 2004
Affected versions: 10.0, 9.2


Problem Description:

Max Vozeler found that the cdrecord program, which is suid root,
fails to drop euid=0 when it exec()s a program specified by the
user through the $RSH environment variable. This can be abused by a
local attacker to obtain root privileges.

The updated packages are patched to fix the vulnerability.
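
The privilege-drop pattern this class of bug calls for, as an added example (not cdrecord's actual patch; the function names and the fallback argument are hypothetical): a set-uid program gives up its privileges in the child, and verifies that it did, before exec()ing a helper chosen through $RSH.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges; 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Group first: after the uid drop we may no longer change gids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Check the result instead of trusting the return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* For a non-root caller, regaining root must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run $RSH (or fallback) as the invoking user; returns its exit status. */
int run_helper(const char *fallback, char *const args[])
{
    const char *prog = getenv("RSH");
    if (prog == NULL || *prog == '\0')
        prog = fallback;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);      /* never exec with leftover privileges */
        execvp(prog, args);
        _exit(127);          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *args[] = { "helper", NULL };   /* constructed sample arguments */
    return run_helper("true", args);
}
```

In a set-uid root binary, setuid() called with euid 0 resets the real, effective and saved user IDs together, which is what makes the drop permanent.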


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806


Updated Packages:

Mandrakelinux 10.0:
4b5efe36a9a154b70e62da203c21fb48
10.0/RPMS/cdrecord-2.01-0.a28.2.100mdk.i586.rpm
793909d6cce70205939fdb0b48f037e5
10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.2.100mdk.i586.rpm
7dd067450567cf5d9a18233fe2379a5d
10.0/RPMS/cdrecord-devel-2.01-0.a28.2.100mdk.i586.rpm
1bd94d54eed67497a8427f91239538e5
10.0/RPMS/mkisofs-2.01-0.a28.2.100mdk.i586.rpm
6afbd923794d2af44ef2e248e361382b
10.0/SRPMS/cdrecord-2.01-0.a28.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
df08036127fd28e366fa6669ed59f88b
amd64/10.0/RPMS/cdrecord-2.01-0.a28.2.100mdk.amd64.rpm
f0b5a254593697ef0ac13f7574cf536f
amd64/10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.2.100mdk.amd64.rpm
ec1c76a1b4977e4f6e45dd097f7a45ef
amd64/10.0/RPMS/cdrecord-devel-2.01-0.a28.2.100mdk.amd64.rpm
4ec3142c182f957a6d344b375d626320
amd64/10.0/RPMS/mkisofs-2.01-0.a28.2.100mdk.amd64.rpm
6afbd923794d2af44ef2e248e361382b
amd64/10.0/SRPMS/cdrecord-2.01-0.a28.2.100mdk.src.rpm

Mandrakelinux 9.2:
e891b428d8a011447eb6462dca30514e
9.2/RPMS/cdrecord-2.01-0.a18.2.1.92mdk.i586.rpm
9778aa9258911700bffe590be69e3782
9.2/RPMS/cdrecord-cdda2wav-2.01-0.a18.2.1.92mdk.i586.rpm
2cdd7b8f33dd7f7ce0c08aa682498891
9.2/RPMS/cdrecord-devel-2.01-0.a18.2.1.92mdk.i586.rpm
78b0c2cb0b529a54eb4607f4305809d1
9.2/RPMS/mkisofs-2.01-0.a18.2.1.92mdk.i586.rpm
3ede5ae3288520fc3a51c63cd05cc3db
9.2/SRPMS/cdrecord-2.01-0.a18.2.1.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
c5306547c4f1221f3fd787d2b09dfa32
amd64/9.2/RPMS/cdrecord-2.01-0.a18.2.1.92mdk.amd64.rpm
5abf5f3fad0ec3d05f923c88c2255827
amd64/9.2/RPMS/cdrecord-cdda2wav-2.01-0.a18.2.1.92mdk.amd64.rpm
b23bc43f135cc19254c81cf96e793780
amd64/9.2/RPMS/cdrecord-devel-2.01-0.a18.2.1.92mdk.amd64.rpm
86e60c70ee807846ace4b7e2a7e5db7a
amd64/9.2/RPMS/mkisofs-2.01-0.a18.2.1.92mdk.amd64.rpm
3ede5ae3288520fc3a51c63cd05cc3db
amd64/9.2/SRPMS/cdrecord-2.01-0.a18.2.1.92mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandrakesoft for security. You can
obtain the GPG public key of the Mandrakelinux Security Team by
executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>


Mandrakelinux Security Update Advisory


Package name: zlib
Advisory ID: MDKSA-2004:090
Date: September 7th, 2004
Affected versions: 10.0


Problem Description:

Following a Debian bug report, a Denial of Service vulnerability
was discovered in the inflate() and inflateBack() functions of the
zlib compression library, versions 1.2.x. Older versions of zlib
are not affected.

Once the updated packages have been installed, all programs
linked against zlib must be restarted for the new packages to take
effect.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797


Updated Packages:

Mandrakelinux 10.0:
a9299193c467df186f5ec74438b7f39e
10.0/RPMS/zlib1-1.2.1-2.1.100mdk.i586.rpm
77e1313ce85f26c83f6b994606dceb5a
10.0/RPMS/zlib1-devel-1.2.1-2.1.100mdk.i586.rpm
bfc9a9419f3c7daf4a226383d6be6ea6
10.0/SRPMS/zlib-1.2.1-2.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
954d58fcaa1576278f8c71de40361d72
amd64/10.0/RPMS/zlib1-1.2.1-2.1.100mdk.amd64.rpm
976edb0aa85913b28ef38b7d5efd2fbd
amd64/10.0/RPMS/zlib1-devel-1.2.1-2.1.100mdk.amd64.rpm
bfc9a9419f3c7daf4a226383d6be6ea6
amd64/10.0/SRPMS/zlib-1.2.1-2.1.100mdk.src.rpm




Mandrakelinux Security Update Advisory


Package name: imlib2
Advisory ID: MDKSA-2004:089
Date: September 7th, 2004
Affected versions: 10.0, 9.2, Corporate Server 2.1


Problem Description:

Marcus Meissner discovered that the imlib and imlib2 libraries
are also affected by a BMP-related vulnerability similar to the
one addressed in the recent QT updates. The updated imlib and
imlib2 packages are patched to protect against this problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0802

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817


Updated Packages:

Mandrakelinux 10.0:
45c2e00642a3261e4f084327bde0759b
10.0/RPMS/imlib-1.9.14-8.1.100mdk.i586.rpm
76ee25761136e631bc099fd76da43080
10.0/RPMS/imlib-cfgeditor-1.9.14-8.1.100mdk.i586.rpm
09f1757ab48d983437b0d40acefcf646
10.0/RPMS/libimlib1-1.9.14-8.1.100mdk.i586.rpm
94567c151d4de01561681faac1f50cbb
10.0/RPMS/libimlib1-devel-1.9.14-8.1.100mdk.i586.rpm
0f82a3fda2a6d0d22c01f6b342521840
10.0/RPMS/libimlib2_1-1.0.6-4.1.100mdk.i586.rpm
538f333c36fc795d76889e708021378e
10.0/RPMS/libimlib2_1-devel-1.0.6-4.1.100mdk.i586.rpm
0f9e9d497591a5df950a47447a7a5295
10.0/RPMS/libimlib2_1-filters-1.0.6-4.1.100mdk.i586.rpm
44636a6d15888387fa665d1ee1891ec3
10.0/RPMS/libimlib2_1-loaders-1.0.6-4.1.100mdk.i586.rpm
00f1d3fd452e0fa6099d9f3cb6a1f1d3
10.0/SRPMS/imlib-1.9.14-8.1.100mdk.src.rpm
c67b09002eb29fc6a3335467a098b0bd
10.0/SRPMS/imlib2-1.0.6-4.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
356ba1d0ed3b224dafc8aa935550f1c8
amd64/10.0/RPMS/imlib-1.9.14-8.1.100mdk.amd64.rpm
0020bc9b34df76ea0f5957586f4057ca
amd64/10.0/RPMS/imlib-cfgeditor-1.9.14-8.1.100mdk.amd64.rpm
30b95081b048b4b2a16267e188adf06b
amd64/10.0/RPMS/lib64imlib1-1.9.14-8.1.100mdk.amd64.rpm
b591c6da970481fdf0eb1737689e5b7c
amd64/10.0/RPMS/lib64imlib1-devel-1.9.14-8.1.100mdk.amd64.rpm
7851372f5ca5ab3d249906dbd7431690
amd64/10.0/RPMS/lib64imlib2_1-1.0.6-4.1.100mdk.amd64.rpm
a66906219141ad3eaa156f4d2f18ad80
amd64/10.0/RPMS/lib64imlib2_1-devel-1.0.6-4.1.100mdk.amd64.rpm
6c086b3408883a5e05426327aa1cf020
amd64/10.0/RPMS/lib64imlib2_1-filters-1.0.6-4.1.100mdk.amd64.rpm
b017bad9400095893e8faf8456db2937
amd64/10.0/RPMS/lib64imlib2_1-loaders-1.0.6-4.1.100mdk.amd64.rpm
00f1d3fd452e0fa6099d9f3cb6a1f1d3
amd64/10.0/SRPMS/imlib-1.9.14-8.1.100mdk.src.rpm
c67b09002eb29fc6a3335467a098b0bd
amd64/10.0/SRPMS/imlib2-1.0.6-4.1.100mdk.src.rpm

Corporate Server 2.1:
45155b9dc3c7ca0a08c6277f4d27d8ee
corporate/2.1/RPMS/imlib-1.9.14-5.1.C21mdk.i586.rpm
dd7059319056c8f87e1d464ef04745fb
corporate/2.1/RPMS/imlib-cfgeditor-1.9.14-5.1.C21mdk.i586.rpm
4498f5b1821fe1c1aae742f3a97aa2b0
corporate/2.1/RPMS/libimlib1-1.9.14-5.1.C21mdk.i586.rpm
1f4019dccb0b2e027fd094fb5e079875
corporate/2.1/RPMS/libimlib1-devel-1.9.14-5.1.C21mdk.i586.rpm
22aadbc163940e8ebecb5142b90a5f56
corporate/2.1/RPMS/libimlib2_1-1.0.5-2.1.C21mdk.i586.rpm
fd124ccb8b37c6f302405f059eec56da
corporate/2.1/RPMS/libimlib2_1-devel-1.0.5-2.1.C21mdk.i586.rpm
ab77824f06eaacfba54146ccb5f5a539
corporate/2.1/RPMS/libimlib2_1-filters-1.0.5-2.1.C21mdk.i586.rpm
ba02b9c07de55f19df4d772b4b6dac39
corporate/2.1/RPMS/libimlib2_1-loaders-1.0.5-2.1.C21mdk.i586.rpm
efcdd5a520d8313c1e1e4ee46c3c6dd3
corporate/2.1/SRPMS/imlib-1.9.14-5.1.C21mdk.src.rpm
e4bb939ab61671005eec878af3733533
corporate/2.1/SRPMS/imlib2-1.0.5-2.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
f574361c2152d8dbbe39e67b752a0aae
x86_64/corporate/2.1/RPMS/imlib-1.9.14-5.1.C21mdk.x86_64.rpm
084cf40c7fa5e3dbb3433091c902629d
x86_64/corporate/2.1/RPMS/imlib-cfgeditor-1.9.14-5.1.C21mdk.x86_64.rpm
87adccfd0de38af4bfac1746e87715fa
x86_64/corporate/2.1/RPMS/libimlib1-1.9.14-5.1.C21mdk.x86_64.rpm
8627df2906d6f4a5e6d1062219d4a57d
x86_64/corporate/2.1/RPMS/libimlib1-devel-1.9.14-5.1.C21mdk.x86_64.rpm
9a8a30c93e69eea65f57ee33d5bbbc46
x86_64/corporate/2.1/RPMS/libimlib2_1-1.0.5-2.1.C21mdk.x86_64.rpm
c335f9793c4ae08a39e8181af4ed6349
x86_64/corporate/2.1/RPMS/libimlib2_1-devel-1.0.5-2.1.C21mdk.x86_64.rpm
0702ec29b746e5446e03a74082120114
x86_64/corporate/2.1/RPMS/libimlib2_1-filters-1.0.5-2.1.C21mdk.x86_64.rpm
9d3238eebc7cb6c7bde0c7d7e98a51c4
x86_64/corporate/2.1/RPMS/libimlib2_1-loaders-1.0.5-2.1.C21mdk.x86_64.rpm
efcdd5a520d8313c1e1e4ee46c3c6dd3
x86_64/corporate/2.1/SRPMS/imlib-1.9.14-5.1.C21mdk.src.rpm
e4bb939ab61671005eec878af3733533
x86_64/corporate/2.1/SRPMS/imlib2-1.0.5-2.1.C21mdk.src.rpm

Mandrakelinux 9.2:
de030104e6dd6bb5c4aa2f076c4514c6
9.2/RPMS/imlib-1.9.14-8.1.92mdk.i586.rpm
fd99bd742d696ea8ac43aef9ee86d25e
9.2/RPMS/imlib-cfgeditor-1.9.14-8.1.92mdk.i586.rpm
b1ef54878da62d2e5a69bdf305c574c5
9.2/RPMS/libimlib1-1.9.14-8.1.92mdk.i586.rpm
08a13f893c88051cbc66c685d8cd635d
9.2/RPMS/libimlib1-devel-1.9.14-8.1.92mdk.i586.rpm
2e4efaa54b9929fbf2e0e390907b9225
9.2/RPMS/libimlib2_1-1.0.6-4.1.92mdk.i586.rpm
525c7dc281fb0da4edf99cb3ce7d2545
9.2/RPMS/libimlib2_1-devel-1.0.6-4.1.92mdk.i586.rpm
cc2460b560c5b11eeb804502954aa038
9.2/RPMS/libimlib2_1-filters-1.0.6-4.1.92mdk.i586.rpm
e80a879d5da05b68ef5d9cad932ba921
9.2/RPMS/libimlib2_1-loaders-1.0.6-4.1.92mdk.i586.rpm
7dd8f9265ede345c58d05ae6ed376145
9.2/SRPMS/imlib-1.9.14-8.1.92mdk.src.rpm
0766a9aead77eec5cec8ebbc06504003
9.2/SRPMS/imlib2-1.0.6-4.1.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
4391a5aecba284eabf0337002fbb924c
amd64/9.2/RPMS/imlib-1.9.14-8.1.92mdk.amd64.rpm
67ba3ab94dea87029de4a64620c4f066
amd64/9.2/RPMS/imlib-cfgeditor-1.9.14-8.1.92mdk.amd64.rpm
9edd6ec450997a5773919f8035e9b159
amd64/9.2/RPMS/lib64imlib1-1.9.14-8.1.92mdk.amd64.rpm
448531d483a3c6499bface39c4cb9dfb
amd64/9.2/RPMS/lib64imlib1-devel-1.9.14-8.1.92mdk.amd64.rpm
9dc5a05d737d00c5a3a18b23de02c144
amd64/9.2/RPMS/lib64imlib2_1-1.0.6-4.1.92mdk.amd64.rpm
2bcca43ad1a5138f929ce78cd753100f
amd64/9.2/RPMS/lib64imlib2_1-devel-1.0.6-4.1.92mdk.amd64.rpm
87cc1762967d2aefe5f46e43a2d546b2
amd64/9.2/RPMS/lib64imlib2_1-filters-1.0.6-4.1.92mdk.amd64.rpm
dbabc4165886cfeaa2c234ee7ed5b277
amd64/9.2/RPMS/lib64imlib2_1-loaders-1.0.6-4.1.92mdk.amd64.rpm
7dd8f9265ede345c58d05ae6ed376145
amd64/9.2/SRPMS/imlib-1.9.14-8.1.92mdk.src.rpm
0766a9aead77eec5cec8ebbc06504003
amd64/9.2/SRPMS/imlib2-1.0.6-4.1.92mdk.src.rpm

