---

Security Digest: January 23, 2005

Debian GNU/Linux


Debian Security Advisory DSA 654-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : enscript
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-1184 CAN-2004-1185 CAN-2004-1186

Erik S. has discovered several security relevant problems in
enscript, a program to convert ASCII text into Postscript and other
formats. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CAN-2004-1184

Unsanitised input can cause the execution of arbitrary commands
via EPSF pipe support. This has been disabled, also upstream.

CAN-2004-1185

Due to missing sanitising of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be
executed.

CAN-2004-1186

Multiple buffer overflows can cause the program to crash.

Usually, enscript is only run locally, but since it is executed
inside of viewcvs some of the problems mentioned above can easily
be turned into a remote vulnerability.

For the stable distribution (woody) these problems have been
fixed in version 1.6.3-1.3.

For the unstable distribution (sid) these problems have been
fixed in version 1.6.4-6.

We recommend that you upgrade your enscript package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.dsc

Size/MD5 checksum: 598 b64a0ab822bd8e613a96cfe534f40cbc

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.diff.gz

Size/MD5 checksum: 7312 5f39d5caad3a93f874705a10f4a4ae6d

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3.orig.tar.gz

Size/MD5 checksum: 814308 ec717f8b0de7db00a21a21f70d354610

Alpha architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_alpha.deb

Size/MD5 checksum: 488176 ef6dc427cf55c77423da2b84c04a291e

ARM architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_arm.deb

Size/MD5 checksum: 466220 6443058723684f0c7b7d14d659e909bf

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_i386.deb

Size/MD5 checksum: 458068 1b5dd9325b47b06f6fb0280a74753bdd

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_ia64.deb

Size/MD5 checksum: 506248 5a4bc6e9f0f771b694e65908bc302e64

HP Precision architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_hppa.deb

Size/MD5 checksum: 477426 0f2bc8aba5c8f244d6d882c87b01946a

Motorola 680×0 architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_m68k.deb

Size/MD5 checksum: 447374 1054d2c3a5f249b2c7167fdd2aec2726

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mips.deb

Size/MD5 checksum: 470862 996def7fa0ca46edac520083d5d22e39

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mipsel.deb

Size/MD5 checksum: 470122 1f886d9ab7df6d9e3b4aafe6840676f8

PowerPC architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_powerpc.deb

Size/MD5 checksum: 466374 a08bf7e3d47b5ed94cf436439d21922b

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_s390.deb

Size/MD5 checksum: 460778 a2f4b67a5c7af46eba735b44ccea7de1

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_sparc.deb

Size/MD5 checksum: 465822 a8da2cae1003ca40e4e8b6c81137fb63

These files will probably be moved into the stable distribution
on its next update.


Debian Security Advisory DSA 652-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : unarj
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-0947 CAN-2004-1027
Debian Bug : 281922

Several vulnerabilities have been discovered in unarj, a
non-free ARJ unarchive utility. The Common Vulnerabilities and
Exposures Project identifies the following vulnerabilities:

CAN-2004-0947

A buffer overflow has been discovered when handling long file
names contained in an archive. An attacker could create a specially
crafted archive which could cause unarj to crash or possibly
execute arbitrary code when being extracted by a victim.

CAN-2004-1027

A directory traversal vulnerability has been found so that an
attacker could create a specially crafted archive which would
create files in the parent directory when being extracted by a
victim. When used recursively, this vulnerability could be used to
overwrite critical system files and programs.

For the stable distribution (woody) these problems have been
fixed in version 2.43-3woody1.

For the unstable distribution (sid) these problems don’t apply
since unstable/non-free does not contain the unarj package.

We recommend that you upgrade your unarj package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.dsc

Size/MD5 checksum: 528 e1d166f2eaf315641d1269a32ad1dc76

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.diff.gz

Size/MD5 checksum: 12903 4ef4cfad33d05ecc048d63596ab2673c

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43.orig.tar.gz

Size/MD5 checksum: 39620 7a481dc017f1fbfa7f937a97e66eb99f

Alpha architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb

Size/MD5 checksum: 29668 08dc91afd3146ccdfaa51d73f8be56e5

ARM architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_arm.deb

Size/MD5 checksum: 22784 ed352d363cbeb34ba2268db63a632824

Intel IA-32 architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_i386.deb

Size/MD5 checksum: 20690 aa9490bd82bc9aef4f6092d19fa83eaa

Intel IA-64 architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb

Size/MD5 checksum: 31072 0b1f0403cfaaf572399fcb60b2549664

HP Precision architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb

Size/MD5 checksum: 23888 15a8d6b0b7b565186398c0b8ebe3eb6a

Motorola 680×0 architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb

Size/MD5 checksum: 20384 644a6dcc9f566bad384c050bc8b8fb14

PowerPC architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb

Size/MD5 checksum: 23060 5c5a1f0157aa613337f80b439e78456f

IBM S/390 architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_s390.deb

Size/MD5 checksum: 22668 97dc977c8217a10d4915ee32db49edd5

Sun Sparc architecture:


http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb

Size/MD5 checksum: 25386 bd2210a978ad30306e3db2ab112c87e8

These files will probably be moved into the stable distribution
on its next update.


Debian Security Advisory DSA 653-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq


Package : ethereal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0084

A buffer overflow has been detected in the X11 dissector of
ethereal, a commonly used network traffic analyser. A remote
attacker may be able to overflow a buffer using a specially crafted
IP packet. More problems have been discovered which don’t apply to
the version in woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed
in version 0.9.4-1woody11.

For the unstable distribution (sid) this problem has been fixed
in version 0.10.9-1.

We recommend that you upgrade your ethereal package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.dsc

Size/MD5 checksum: 681 8e8bbe73bf65d45446fb7c03dddb41a1

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.diff.gz

Size/MD5 checksum: 40601 a9a6e17ee6c2e1749ac3d140628c77c6

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz

Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_alpha.deb

Size/MD5 checksum: 1941102 aab1360769a64476ce4113068230c8ad

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_alpha.deb

Size/MD5 checksum: 334424 c3647ca04af3f48b4e24ec6ae2fa6b4d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_alpha.deb

Size/MD5 checksum: 222460 06e7e8c5713efa6f102bb436c6251e61

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_alpha.deb

Size/MD5 checksum: 1707844 08f64c248a99394a8366ca5b512e096d

ARM architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_arm.deb

Size/MD5 checksum: 1635456 190bd5415abaf62c1cde340605079152

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_arm.deb

Size/MD5 checksum: 297770 6d5ee1df687aeee0e49d4bc27cfab0da

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_arm.deb

Size/MD5 checksum: 206356 fcba9b5be975e62bd5cf8efca338a299

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_arm.deb

Size/MD5 checksum: 1439676 d825f5c16e37f1a5c1a7aaa6ba0798b1

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_i386.deb

Size/MD5 checksum: 1513338 996070722f320a6d6d40652101480ec6

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_i386.deb

Size/MD5 checksum: 286736 69fd768db07ee2ac52b33f3188fdba97

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_i386.deb

Size/MD5 checksum: 198652 50e416b732e5d02d1f8e6bfb5269d1f9

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_i386.deb

Size/MD5 checksum: 1326536 c8415c2297b0bc30a297b3b07e0a1186

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_ia64.deb

Size/MD5 checksum: 2150414 b46cc7da4c46e2a920299cef6d6f1f1c

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_ia64.deb

Size/MD5 checksum: 373372 1b977535a20b449ea7c1b21e09f9493b

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_ia64.deb

Size/MD5 checksum: 234004 e8c69f3f1db9708ceb2e74122e81c168

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_ia64.deb

Size/MD5 checksum: 1861780 6c48358d2c8c892d24ebbc29b020931d

HP Precision architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_hppa.deb

Size/MD5 checksum: 1804712 495491720997b53f60f5b9dbfeabac27

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_hppa.deb

Size/MD5 checksum: 322696 cccbc77685f25eb8aa1a8429e0298dd7

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_hppa.deb

Size/MD5 checksum: 217116 3bcb0ff60d01b12b85d25ee6e277fbe2

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_hppa.deb

Size/MD5 checksum: 1576164 67ecb81ffa522198b999353ce6294b19

Motorola 680×0 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_m68k.deb

Size/MD5 checksum: 1424704 7014155418ca6c1947e71a04ab716b03

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_m68k.deb

Size/MD5 checksum: 282996 c73d8c241771bbe5f89c1e859e436aba

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_m68k.deb

Size/MD5 checksum: 195364 21d07bf8bb05d52dfd45d91c73c656a6

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_m68k.deb

Size/MD5 checksum: 1248922 5cd077cf05e8e14f627a10e44ced739d

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mips.deb

Size/MD5 checksum: 1617160 41dd4cd8059c472ff109bb002d9b5074

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mips.deb

Size/MD5 checksum: 305514 855a56f8596f0bb4da7fe0024616d87a

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mips.deb

Size/MD5 checksum: 213936 8459c58071700c436ea96af9a6fd7901

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mips.deb

Size/MD5 checksum: 1422110 bdcdf3c021429ccaf8eb95027a48f69e

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mipsel.deb

Size/MD5 checksum: 1598210 0c60efc6fcdea7d25359ecd88dd8aeff

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mipsel.deb

Size/MD5 checksum: 304982 63cea39a93b19891ae0bbfaa8c5e0327

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mipsel.deb

Size/MD5 checksum: 213596 e7d160f30cd5e9360fc90d4ef160dfb6

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mipsel.deb

Size/MD5 checksum: 1406444 e8f3d141f724da42a16d051c12879efb

PowerPC architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_powerpc.deb

Size/MD5 checksum: 1618676 f3890280569d1b2a7e66c039c0def6b4

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_powerpc.deb

Size/MD5 checksum: 302174 d5c364dcb6039f637005c4ce259bed2c

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_powerpc.deb

Size/MD5 checksum: 209172 ae06ac9e4e976d4fd846b3b222efe911

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_powerpc.deb

Size/MD5 checksum: 1419454 2a6a56b278e0e647cbb7c41881e5aaa0

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_s390.deb

Size/MD5 checksum: 1574786 17c662f34613b6b0fb24e033dd1fc463

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_s390.deb

Size/MD5 checksum: 301014 7f0c78cce38eb8927b708146cb4b8463

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_s390.deb

Size/MD5 checksum: 204250 f85efb4e0c75da840c7b1224292f7005

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_s390.deb

Size/MD5 checksum: 1387552 c4e2e39307ca9b70793e1b8a6dc9a3ee

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_sparc.deb

Size/MD5 checksum: 1583368 199f9efbe4d98e43882bb28d054c8ff6

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_sparc.deb

Size/MD5 checksum: 318282 87d2b4c8298e3e179d89aa3827602011

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_sparc.deb

Size/MD5 checksum: 205026 0c71e4c61947bc0f198de8d66a1892b4

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_sparc.deb

Size/MD5 checksum: 1389390 8327f812bcaee04cf83fc34f8450aacc

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200501-30


http://security.gentoo.org/


Severity: Normal
Title: CUPS: Stack overflow in included Xpdf code
Date: January 22, 2005
Bugs: #78249
ID: 200501-30


Synopsis

CUPS includes Xpdf code and therefore is vulnerable to the
recent stack overflow issue, potentially resulting in the remote
execution of arbitrary code.

Background

The Common UNIX Printing System (CUPS) is a cross-platform print
spooler. It makes use of Xpdf code to handle PDF files.

Affected packages


     Package         /   Vulnerable   /                     Unaffected

  1  net-print/cups      < 1.1.23-r1                      >= 1.1.23-r1

Description

The Decrypt::makeFileKey2 function in Xpdf’s Decrypt.cc
insufficiently checks boundaries when processing /Encrypt /Length
tags in PDF files (GLSA 200501-28).

Impact

This issue could be exploited by a remote attacker to execute
arbitrary code by sending a malicious print job to a CUPS
spooler.

Workaround

There is no known workaround at this time.

Resolution

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r1"

References

[ 1 ] CAN-2005-0064

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

[ 2 ] GLSA 200501-28

http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-30.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-28


http://security.gentoo.org/


Severity: Normal
Title: Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2
Date: January 21, 2005
Bugs: #77888, #78128
ID: 200501-28


Synopsis

A stack overflow was discovered in Xpdf, potentially resulting
in the execution of arbitrary code. GPdf includes Xpdf code and
therefore is vulnerable to the same issue.

Background

Xpdf is an open source viewer for Portable Document Format (PDF)
files. GPdf is a Gnome-based PDF viewer that includes some Xpdf
code.

Affected packages


     Package        /  Vulnerable  /                        Unaffected

  1  app-text/xpdf     <= 3.00-r7                           >= 3.00-r8
  2  app-text/gpdf       < 2.8.2                              >= 2.8.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

iDEFENSE reports that the Decrypt::makeFileKey2 function in
Xpdf’s Decrypt.cc insufficiently checks boundaries when processing
/Encrypt /Length tags in PDF files.

Impact

An attacker could entice an user to open a specially-crafted PDF
file which would trigger a stack overflow, potentially resulting in
execution of arbitrary code with the rights of the user running
Xpdf or GPdf.

Workaround

There is no known workaround at this time.

Resolution

All Xpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r8"

All GPdf users should also upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.8.2"

References

[ 1 ] CAN-2005-0064

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

[ 2 ] iDEFENSE Advisory


http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=true

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-28.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-26


http://security.gentoo.org/


Severity: Normal
Title: ImageMagick: PSD decoding heap overflow
Date: January 20, 2005
Bugs: #77932
ID: 200501-26


Synopsis

ImageMagick is vulnerable to a heap overflow when decoding
Photoshop Document (PSD) files, which could lead to arbitrary code
execution.

Background

ImageMagick is a collection of tools to read, write and
manipulate images in many formats.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  media-gfx/imagemagick      < 6.1.8.8                   >= 6.1.8.8

Description

Andrei Nigmatulin discovered that a Photoshop Document (PSD)
file with more than 24 layers could trigger a heap overflow.

Impact

An attacker could potentially design a mailicous PSD image file
to cause arbitrary code execution with the permissions of the user
running ImageMagick.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.1.8.8"

References

[ 1 ] CAN-2005-0005

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

[ 2 ] iDEFENSE Advisory


http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-26.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-29


http://security.gentoo.org/


Severity: Low
Title: Mailman: Cross-site scripting vulnerability
Date: January 22, 2005
Bugs: #77524
ID: 200501-29


Synopsis

Mailman is vulnerable to cross-site scripting attacks.

Background

Mailman is a Python-based mailing list server with an extensive
web interface.

Affected packages


     Package           /  Vulnerable  /                     Unaffected

  1  net-mail/mailman     < 2.1.5-r3                       >= 2.1.5-r3

Description

Florian Weimer has discovered a cross-site scripting
vulnerability in the error messages that are produced by
Mailman.

Impact

By enticing a user to visiting a specially-crafted URL, an
attacker can execute arbitrary script code running in the context
of the victim’s browser.

Workaround

There is no known workaround at this time.

Resolution

All Mailman users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r3"

References

[ 1 ] CAN-2004-1177

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1177

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-29.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-27


http://security.gentoo.org/


Severity: High
Title: Ethereal: Multiple vulnerabilities
Date: January 20, 2005
Bugs: #78559
ID: 200501-27


Synopsis

Multiple vulnerabilities exist in Ethereal, which may allow an
attacker to run arbitrary code, crash the program or perform DoS by
CPU and disk utilization.

Background

Ethereal is a feature rich network protocol analyzer.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  net-analyzer/ethereal      < 0.10.9                     >= 0.10.9

Description

There are multiple vulnerabilities in versions of Ethereal
earlier than 0.10.9, including:

  • The COPS dissector could go into an infinite loop
    (CAN-2005-0006).
  • The DLSw dissector could cause an assertion, making Ethereal
    exit prematurely (CAN-2005-0007).
  • The DNP dissector could cause memory corruption
    (CAN-2005-0008).
  • The Gnutella dissector could cause an assertion, making
    Ethereal exit prematurely (CAN-2005-0009).
  • The MMSE dissector could free statically-allocated memory
    (CAN-2005-0010).
  • The X11 dissector is vulnerable to a string buffer overflow
    (CAN-2005-0084).

Impact

An attacker might be able to use these vulnerabilities to crash
Ethereal, perform DoS by CPU and disk space utilization or even
execute arbitrary code with the permissions of the user running
Ethereal, which could be the root user.

Workaround

For a temporary workaround you can disable all affected protocol
dissectors by selecting Analyze->Enabled Protocols… and
deselecting them from the list. However, it is strongly recommended
to upgrade to the latest stable version.

Resolution

All Ethereal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.9"

References

[ 1 ] CAN-2005-0006

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0006

[ 2 ] CAN-2005-0007

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0007

[ 3 ] CAN-2005-0008

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0008

[ 4 ] CAN-2005-0009

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0009

[ 5 ] CAN-2005-0010

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0010

[ 6 ] CAN-2005-0084

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0084

[ 7 ] Ethereal Release Notes

http://www.ethereal.com/news/item_20050120_01.html

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-27.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

KDE

KDE Security Advisory: KOffice PDF Import Filter
Vulnerability
Original Release Date: 2005-01-20
URL: http://www.kde.org/info/security/advisory-20050120-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0064


http://www.idefense.com/application/poi/display?id=3D186&type=3Dvulnerab
=
ilities

1. Systems affected:

KOffice 1.3 up to including KOffice 1.3.5

2. Overview:

The KOffice PDF Import Filter shares code with xpdf. xpdf
contains a buffer overflow that can be triggered by a specially
crafted PDF file.

3. Impact:

Remotely supplied pdf files can be used to execute arbitrary
code on the client machine when the user opens such file in
KOffice.

4. Solution:

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.

5. Patch:

Patch for KOffice 1.3.5 is available from=20 ftp://ftp.kde.org/pub/kde/security_patches
:
0e6194cbfe3f6d3b3c848c2c76ef5bfb post-1.3.5-koffice.diff

6. Time line and credits:

19/01/2005 KDE Security Team alerted by Carsten Lohrke
19/01/2005 Patches from xpdf 3.00pl3 applied to KDE CVS and patches
prepared.
20/01/2005 Public disclosure.


KDE Security Advisory: Multiple vulnerabilities in
Konversation
Original Release Date: 20050121
URL: http://www.kde.org/info/security/advisory-20050121-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0129

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0130

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0131


http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

1. Systems affected:

All Konversation versions up to and including 0.15

2. Overview:

Multiple vulnerabilities have been discovered in Konversation,
an IRC client for KDE. A flaw in the expansion of %-escaped
variables makes that %-escaped variables in certain input strings
will be inadvertently expanded too. The Common Vulnerabilities and
Exposures project (cve.mitre.org
has assigned the name CAN-2005-0129 to this issue. Several perl
scripts included with Konversation fail to properly handle command
line arguments causing a command line injection vulnerability. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2005-0130 to this issue. Nick and password are confused in the
quick connection dialog,=20 so connecting with that dialog and
filling in a password, would use that password as nick, and may
inadvertently expose the password to others. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2005-0131 to this issue.

3. Impact:

A user might be tricked to join a channel with a specially
crafted channel name containing shell commands. If user runs a
script in that channel it will result in an arbitrary command
execution.

If quick connect is used with a password, the password is used
as nickname instead. As a result the password may be exposed to
others.

4. Solution:

Upgrade to Konversation 0.15.1 available from
http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2

5. Patch:

A patch for Konversation 0.15 is available from ftp://ftp.kde.org/pub/kde/security_patches

36f8b6beac18a9d173339388d13e2335 post-0.15-konversation.diff

6. Time line and credits:

18/01/2005 Konversation developers informed by Wouter
Coekaerts
19/01/2005 Patches applied to KDE CVS.
19/01/2005 Konversation 0.15.1 released.
21/01/2005 KDE Security Advisory released.

LBA-Linux


LBA-Linux Security Advisory

Subject: Updated cups package for LBA-Linux R2
Advisory ID: LBASA-2004:59
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2004-1267
Buffer overflow in the ParseCommand function in hpgl-input.c in the
hpgltops program for CUPS 1.1.22 allows remote attackers to execute
arbitrary code via a crafted HPGL file.

CAN-2004-1268
lppasswd in CUPS 1.1.22 ignores write errors when modifying the
CUPS passwd file, which allows local users to corrupt the file by
filling the associated file system and triggering the write
errors.

CAN-2004-1269
lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it
encounters a file-size resource limit while writing to passwd.new,
which causes subsequent invocations of lppasswd to fail.

CAN-2004-1270
lppasswd in CUPS 1.1.22, when run in environments that do not
ensure that file descriptors 0, 1, and 2 are open when lppasswd is
called, does not verify that the passwd.new file is different from
STDERR, which allows local users to control output to passwd.new
via certain user input that triggers an error message.

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute
arbitrary code via a PDF file with a large /Encrypt /Length
keyLength value.

Updated packages:

LBA-Linux R2:

i386:

ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-1.1.20-4.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-libs-1.1.20-4.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/cups-devel-1.1.20-4.lba.4.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the
Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and
    select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named cups to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the
    UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater’s
    main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1267

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1268

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1269

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1270

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated kdegraphics package for LBA-Linux R2
Advisory ID: LBASA-2004:60
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute
arbitrary code via a PDF file with a large /Encrypt /Length
keyLength value.

Updated packages:

LBA-Linux R2:

i386:

ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/kdegraphics-3.2.0-1.3.lba.7.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/kdegraphics-devel-3.2.0-1.3.lba.7.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the
Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and
    select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named kdegraphics to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the
    UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater’s
    main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated tetex package for LBA-Linux R2
Advisory ID: LBASA-2004:61
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute
arbitrary code via a PDF file with a large /Encrypt /Length
keyLength value.

Updated packages:

LBA-Linux R2:

i386:

ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-afm-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-doc-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-dvips-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-fonts-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-latex-2.0.2-12.lba.4.i386.rpm


ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/tetex-xdvi-2.0.2-12.lba.4.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the
Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and
    select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named tetex to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the
    UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater’s
    main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated xpdf package for LBA-Linux R2
Advisory ID: LBASA-2004:58
Date: Friday, January 21, 2005
Product: LBA-Linux R2


Problem description:

CAN-2005-0064
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute
arbitrary code via a PDF file with a large /Encrypt /Length
keyLength value.

Updated packages:

LBA-Linux R2:

i386:

ftp://ftp.sot.com/lba-linux_r2/apt/RPMS.updates/xpdf-3.00-3.lba.8.i386.rpm

U

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis