Gentoo Linux
Gentoo Linux Security Advisory GLSA 200501-32
Severity: Normal
Title: KPdf, KOffice: Stack overflow in included Xpdf code
Date: January 23, 2005
Bugs: #78619, #78620
ID: 200501-32
Synopsis
KPdf and KOffice both include vulnerable Xpdf code to handle PDF
files, making them vulnerable to the execution of arbitrary
code.
Background
KPdf is a KDE-based PDF viewer included in the kdegraphics
package. KOffice is an integrated office suite for KDE.
Affected packages
     Package               /  Vulnerable  /             Unaffected
  -------------------------------------------------------------------
  1  app-office/koffice        < 1.3.5-r2               >= 1.3.5-r2
  2  kde-base/kdegraphics      < 3.3.2-r2               >= 3.3.2-r2
                                                       *>= 3.2.3-r4
  -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
Description
KPdf and KOffice both include Xpdf code to handle PDF files.
Xpdf is vulnerable to a new stack overflow, as described in GLSA
200501-28.
Impact
An attacker could entice a user to open a specially-crafted PDF
file, potentially resulting in the execution of arbitrary code with
the rights of the user running the affected application.
Workaround
There is no known workaround at this time.
Resolution
All KPdf users should upgrade to the latest version of
kdegraphics:
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdegraphics
All KOffice users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose app-office/koffice
References
[ 1 ] GLSA 200501-28
http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml
[ 2 ] CAN-2005-0064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
[ 3 ] KDE Security Advisory: kpdf Buffer Overflow
Vulnerability
http://www.kde.org/info/security/advisory-20050119-1.txt
[ 4 ] KDE Security Advisory: KOffice PDF Import Filter
Vulnerability
http://www.kde.org/info/security/advisory-20050120-1.txt
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200501-32.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Gentoo Linux Security Advisory GLSA 200501-33
Severity: Normal
Title: MySQL: Insecure temporary file creation
Date: January 23, 2005
Bugs: #77805
ID: 200501-33
Synopsis
MySQL is vulnerable to symlink attacks, potentially allowing a
local user to overwrite arbitrary files.
Background
MySQL is a fast, multi-threaded, multi-user SQL database
server.
Affected packages
     Package               /  Vulnerable  /             Unaffected
  -------------------------------------------------------------------
  1  dev-db/mysql              < 4.0.22-r2              >= 4.0.22-r2
Description
Javier Fernandez-Sanguino Pena from the Debian Security Audit
Project discovered that the ‘mysqlaccess’ script creates temporary
files in world-writeable directories with predictable names.
Impact
A local attacker could create symbolic links in the temporary
files directory, pointing to a valid file somewhere on the
filesystem. When the mysqlaccess script is executed, this would
result in the file being overwritten with the rights of the user
running the software, which could be the root user.
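The symlink attack described above, as an added example that is not part of the GLSA and not MySQL's own mysqlaccess code: a predictable temporary name opened for writing, beside the mktemp(1) pattern that defeats a pre-planted link. Directory and file names are constructed for the demonstration, and a throwaway directory stands in for /tmp.

```shell
#!/bin/sh
# Added example, not code from MySQL or from the GLSA: a minimal reproduction
# of the predictable-temp-file bug class in a throwaway directory that stands
# in for /tmp. The file names below are constructed for the demonstration.

# Vulnerable pattern: a name any local user can predict (here the PID), then
# an ordinary open-for-write. A symlink planted at that name is followed, so
# the write lands wherever the attacker pointed it, with the caller's rights.
vuln_write() {                       # $1 = "temp" dir, $2 = data to write
    printf '%s\n' "$2" > "$1/mysqlaccess.$$"
}

# Hardened pattern: mktemp(1) picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, which fails instead of following a pre-existing symlink.
safe_write() {
    tmpf=$(mktemp "$1/mysqlaccess.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpf"
    echo "$tmpf"
}

# Simulated attack: pre-create a victim file and plant a symlink at the
# predictable name (a real attacker would spray many candidate PIDs). Prints
# the victim file's final contents so the caller can see whether it was
# clobbered.
run_attack() {                       # $1 = writer function to exercise
    d=$(mktemp -d) || return 2
    printf 'original\n' > "$d/victim"
    ln -s "$d/victim" "$d/mysqlaccess.$$"
    "$1" "$d" "attacker data" >/dev/null 2>&1
    cat "$d/victim"
    rm -rf "$d"
}

# Caveat: Linux kernels with fs.protected_symlinks=1 refuse to follow a
# symlink in a sticky, world-writable directory such as /tmp when the link
# owner differs from the process owner, which blunts this attack on a real
# /tmp. The directory used here is not sticky, so the vulnerable path still
# loses: run_attack vuln_write prints "attacker data", run_attack safe_write
# prints "original".
```

The fix in the updated package is the same idea: never build a temporary name from data an attacker can guess, and always create it with O_EXCL semantics so an existing path, symlink or not, makes the open fail rather than succeed.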
Workaround
There is no known workaround at this time.
Resolution
All MySQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.22-r2"
References
[ 1 ] CAN-2005-0004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
[ 2 ] Secunia Advisory SA13867
http://secunia.com/advisories/13867/
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200501-33.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
KDE
KDE Security Advisory: kpdf Buffer Overflow Vulnerability
Original Release Date: 2005-01-19
URL: http://www.kde.org/info/security/advisory-20050119-1.txt
0. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
1. Systems affected:
KDE 3.2 up to including KDE 3.2.3.
KDE 3.3 up to including KDE 3.3.2.
2. Overview:
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a
buffer overflow that can be triggered by a specially crafted PDF
file.
3. Impact:
Remotely supplied pdf files can be used to execute arbitrary
code on the client machine.
4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
5. Patch:
Patch for KDE 3.2.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
fc6fc7fa6886d6ff19037e7547846990 post-3.2.3-kdegraphics-3.diff
Patch for KDE 3.3.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
fc6fc7fa6886d6ff19037e7547846990 post-3.3.2-kdegraphics-3.diff
6. Time line and credits:
19/01/2005 KDE Security Team alerted by Carsten Lohrke
19/01/2005 Patches from xpdf 3.00pl3 applied to KDE CVS and patches
prepared.
19/01/2005 Public disclosure.
Mandrakelinux
Mandrakelinux Security Update Advisory
Package name: zhcon
Advisory ID: MDKSA-2005:012
Date: January 24th, 2005
Affected versions: 10.0, 10.1
Problem Description:
Erik Sjolund discovered that zhcon accesses a user-controlled
configuration file with elevated privileges which could make it
possible to read arbitrary files.
The updated packages have been patched to prevent these
problems.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0072
Updated Packages:
Mandrakelinux 10.0:
c60dda48d225773739aa51a48a762c6f
10.0/RPMS/zhcon-0.2.3-6.2.100mdk.i586.rpm
dafea6b3edd1bd776bc4f0a310b4f8e3
10.0/SRPMS/zhcon-0.2.3-6.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
3f4dc81c833c5bd43e0538de331e289b
amd64/10.0/RPMS/zhcon-0.2.3-6.2.100mdk.amd64.rpm
dafea6b3edd1bd776bc4f0a310b4f8e3
amd64/10.0/SRPMS/zhcon-0.2.3-6.2.100mdk.src.rpm
Mandrakelinux 10.1:
717d22a4dc7252b63bea66a955d75567
10.1/RPMS/zhcon-0.2.3-6.2.101mdk.i586.rpm
96a864157fc70decb911a34a8dbe21eb
10.1/SRPMS/zhcon-0.2.3-6.2.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
bb8c2f25db11d57105a083744b0f55f0
x86_64/10.1/RPMS/zhcon-0.2.3-6.2.101mdk.x86_64.rpm
96a864157fc70decb911a34a8dbe21eb
x86_64/10.1/SRPMS/zhcon-0.2.3-6.2.101mdk.src.rpm
To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandrakesoft for security. You can
obtain the GPG public key of the Mandrakelinux Security Team by
executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Type   Bits/KeyID      Date       User ID
pub    1024D/22458A98  2000-07-10 Linux Mandrake Security Team
                                  <security@linux-mandrake.com>
Mandrakelinux Security Update Advisory
Package name: ethereal
Advisory ID: MDKSA-2005:013
Date: January 24th, 2005
Affected versions: 10.0, 10.1
Problem Description:
A number of vulnerabilities were found in Ethereal, all of which
are fixed in version 0.10.9: The COPS dissector could go into an
infinite loop (CAN-2005-0006); the DLSw dissector could cause an
assertion, making Ethereal exit prematurely (CAN-2005-0007); the
DNP dissector could cause memory corruption (CAN-2005-0008); the
Gnutella dissector could cause an assertion, making Ethereal exit
prematurely (CAN-2005-0009); the MMSE dissector could free static
memory (CAN-2005-0010); and the X11 protocol dissector is
vulnerable to a string buffer overflow (CAN-2005-0084).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0084
http://www.ethereal.com/appnotes/enpa-sa-00017.html
Updated Packages:
Mandrakelinux 10.0:
c74b93a5f05c68eb7845c6d3a05d7ab5
10.0/RPMS/ethereal-0.10.9-0.1.100mdk.i586.rpm
bbdcd41fe80851a0248c8606f0f0ddba
10.0/SRPMS/ethereal-0.10.9-0.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
3ab0b6691827a4d228b2696efda24de1
amd64/10.0/RPMS/ethereal-0.10.9-0.1.100mdk.amd64.rpm
bbdcd41fe80851a0248c8606f0f0ddba
amd64/10.0/SRPMS/ethereal-0.10.9-0.1.100mdk.src.rpm
Mandrakelinux 10.1:
72d299832f7340c675f9cf89aaad555f
10.1/RPMS/ethereal-0.10.9-0.1.101mdk.i586.rpm
646de9ee68b10dba30c6f7f0b9989f7d
10.1/RPMS/ethereal-tools-0.10.9-0.1.101mdk.i586.rpm
48cb5ca4befde405416a9aa7c19b5556
10.1/RPMS/libethereal0-0.10.9-0.1.101mdk.i586.rpm
c3d5c5d06f7afd1e23f06f682188c03e
10.1/RPMS/tethereal-0.10.9-0.1.101mdk.i586.rpm
87e639367056153d74db172ebb8ca897
10.1/SRPMS/ethereal-0.10.9-0.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
f8852108acdeb991a2a2c06e225863d9
x86_64/10.1/RPMS/ethereal-0.10.9-0.1.101mdk.x86_64.rpm
3ee69f3876a7741ddeb8a79ac2229fb7
x86_64/10.1/RPMS/ethereal-tools-0.10.9-0.1.101mdk.x86_64.rpm
edb8a0f7523320df5f30db3e872ef139
x86_64/10.1/RPMS/lib64ethereal0-0.10.9-0.1.101mdk.x86_64.rpm
6cf8367b84d5508cdaaa96e59f973ce8
x86_64/10.1/RPMS/tethereal-0.10.9-0.1.101mdk.x86_64.rpm
87e639367056153d74db172ebb8ca897
x86_64/10.1/SRPMS/ethereal-0.10.9-0.1.101mdk.src.rpm
To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandrakesoft for security. You can
obtain the GPG public key of the Mandrakelinux Security Team by
executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Type   Bits/KeyID      Date       User ID
pub    1024D/22458A98  2000-07-10 Linux Mandrake Security Team
                                  <security@linux-mandrake.com>
SUSE Linux
SUSE Security Announcement
Package: realplayer 8
Announcement-ID: SUSE-SA:2005:004
Date: Monday, Jan 24th 2005 16:00 MET
Affected products: 8.1, 8.2, 9.0, 9.1, SUSE Linux Desktop 1.0
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References: none
Content of this advisory:
- security vulnerability discussed:
- integer overflow problem description
- solution/workaround
- standard appendix (further information)
1) problem description, brief discussion
RealPlayer is a combined audio and video player for RealMedia
formatted streaming data. These formats are very common throughout
the Internet.
eEye Security in October 2004 discovered a flaw in the .rm
RealMovie stream handling routines which allows a remote attacker
to exploit an integer overflow vulnerability using a special .rm
file. This might allow a remote attacker to execute code as the
user running RealPlayer.
Reference URLs for this problem are the Real security
advisory:
http://service.real.com/help/faq/security/040928_player/EN/
and the eEye security advisory:
http://www.eeye.com/html/research/advisories/AD20041001.html
SUSE Linux includes RealPlayer as both standalone player and as
a plugin for web browsers like Mozilla and Konqueror. This might
allow the attacker to just provide a web page or E-Mail linking to
the special exploit .rm file.
We cannot fully evaluate the impact of this problem due to lack
of information and lack of source code to review.
SUSE Linux versions up to 9.1 and the SUSE Linux Desktop 1.0
include RealPlayer version 8 and are affected by this problem.
SUSE Linux 9.2 and the Novell Linux Desktop 9 include RealPlayer
version 10 and are NOT affected by this problem.
Real does not offer a fixed version 8 RealPlayer, but suggests
upgrading RealPlayer to version 10.
However, upgrading Realplayer is not possible for older SUSE
Linux products since Realplayer 10 requires newer dynamic library
versions than the ones to be found in those products. Also some old
Real content is not compatible with the RealPlayer version 10.
For these reasons we cannot offer fixed packages for older SUSE
Linux based products.
2) solution/workaround
We suggest one of the following workarounds:
- De-install RealPlayer
Either use YaST to deinstall RealPlayer, or as root do:
# rpm -e RealPlayer
You will lose the ability to view Real content.
- Remove the RealPlayer plug in
As root, execute the following commands:
# rm /usr/lib/browser-plugins/raclass.zip
# rm /usr/lib/browser-plugins/rpnp.so
Content can still be viewed by starting “realplay” and opening
URLs, but automatic exploits via web pages or E-Mails are no longer
possible.
3) standard appendix: authenticity verification, additional
information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:
- md5sums as provided in the (cryptographically signed)
announcement.
- using the internal gpg signatures of the rpm package.
- md5sums: execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its
mirrors. Then, compare the resulting md5sum with the one that is
listed in the announcement. Since the announcement containing the
checksums is cryptographically signed (usually using the key
security@suse.de), the checksums show proof of the authenticity of
the package. We recommend against subscribing to security lists
that cause the e-mail message containing the announcement to be
modified so that the signature does not match after transport
through the mailing list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
- rpm package signatures provide an easy way to verify the
authenticity of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled
rpm package file.
Prerequisites:
- gpg is installed
- The package is signed using a certain key. The public part of
this key must be installed by the gpg program in the directory
~/.gnupg/ under the home directory of the user who performs the
signature verification (usually root). You can import the key that
is used by SUSE in rpm packages for SUSE Linux by saving this
announcement to a file ("announcement.txt") and running the command
(do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the key
"build@suse.de" upon installation or upgrade, provided that the
package gpg is installed. The file containing the public key is
placed at the top-level directory of the first CD (pubring.gpg) and
at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
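The md5sum method described above, as an added example that is not part of the SUSE announcement: a small script that pulls the "checksum path" lines out of an announcement whose signature has already been checked and verifies the downloaded files against them. The announcement excerpt, package name and directory layout are constructed for the demonstration; the hash in it is that of the literal file contents the demo creates.

```shell
#!/bin/sh
# Added example, not code from the SUSE announcement: checks downloaded
# update files against the "md5sum  path" lines of an announcement whose
# signature has already been verified. Paths and the sample text are
# constructed for the demonstration.

# Pull "hash  path" pairs out of announcement text on stdin. Accepts hash
# and path on one line (the original layout) or on two consecutive lines
# (how the text often survives mail and web extraction).
extract_md5_lines() {
    awk '
        function ishash(s) { return length(s) == 32 && s ~ /^[0-9a-f]+$/ }
        ishash($1) && NF >= 2    { print $1 "  " $2; next }
        ishash($1) && NF == 1    { pending = $1; next }
        pending != "" && NF == 1 { print pending "  " $1 }
                                 { pending = "" }
    '
}

# Verify every listed file below directory $1; announcement text on stdin.
# Returns 0 only if every listed file is present and matches. A missing
# file counts as a failure: a mirror that silently drops a package must
# not produce a clean result.
verify_downloads() {
    list=$(extract_md5_lines)
    [ -n "$list" ] || { echo "no checksums found in announcement" >&2; return 2; }
    ( cd "$1" && printf '%s\n' "$list" | md5sum -c --quiet )
}

# Constructed announcement excerpt; the hash is md5 of the text "hello\n".
SAMPLE_ANNOUNCEMENT='Updated Packages:
Mandrakelinux 10.0:
b1946ac92492d2347c6235b4d2611184
10.0/RPMS/example-1.0-1mdk.i586.rpm'

# Builds a fake mirror download, checks it (expect success), tampers with
# the file, checks again (expect failure). Returns 0 iff both behaved.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/10.0/RPMS"
    printf 'hello\n' > "$d/10.0/RPMS/example-1.0-1mdk.i586.rpm"
    ok=1
    if printf '%s\n' "$SAMPLE_ANNOUNCEMENT" | verify_downloads "$d" >/dev/null 2>&1; then
        printf 'tampered\n' >> "$d/10.0/RPMS/example-1.0-1mdk.i586.rpm"
        if ! printf '%s\n' "$SAMPLE_ANNOUNCEMENT" | verify_downloads "$d" >/dev/null 2>&1; then
            ok=0
        fi
    fi
    rm -rf "$d"
    return $ok
}
```

The check is only as strong as the announcement it reads: run gpg --verify on the announcement first, and remember the downside the text names, that a rebuilt package on the mirror will legitimately fail this check until a new announcement is issued. The rpm --checksig route does not have that problem because the signature travels inside the package.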
- SUSE runs two security mailing lists to which any interested
party may subscribe:
- general/linux/SUSE security discussion. All SUSE security
announcements are sent to this list. To subscribe, send an email to
- SUSE's announce-only mailing list. Only SUSE's security
announcements are sent to this list. To subscribe, send an email to
For general information or the frequently asked questions (FAQ)
send mail to:
<suse-security-info@suse.com>
or
<suse-security-faq@suse.com>
respectively.
SUSE’s security contact is <security@suse.com> or
<security@suse.de>.
The <security@suse.de>
public key is listed below.
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>