The OVAL Repository 5.4 (generated 2015-09-03T06:45:10.889-04:00)

DSA-1445 maradns -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: maradns
Michael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets. For the old stable distribution (sarge), this problem has been fixed in version 1.0.27-2. For the stable distribution (etch), this problem has been fixed in version 1.2.12.04-1etch2. For the unstable distribution (sid), this problem has been fixed in version 1.2.12.08-1. We recommend that you upgrade your maradns package.
Submitted by SecPod Team (status DRAFT, INTERIM, ACCEPTED); modified by Sergey Artykhov (INTERIM, ACCEPTED). The same submitter and status history apply to the definitions below unless noted.

DSA-1446 wireshark -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: wireshark
Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
- The RPL dissector could be tricked into an infinite loop.
- The CIP dissector could be tricked into excessive memory allocation.
For the old stable distribution (sarge), these problems have been fixed in version 0.10.10-2sarge11. (In sarge, Wireshark was still called Ethereal.) For the stable distribution (etch), these problems have been fixed in version 0.99.4-5.etch.2. For the unstable distribution (sid), these problems have been fixed in version 0.99.7-1.
We recommend that you upgrade your wireshark packages.

DSA-1527 debian-goodies -- insufficient input sanitising
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: debian-goodies
Thomas de Grenier de Latour discovered that the checkrestart tool in the debian-goodies suite of utilities allowed local users to gain privileges via shell metacharacters in the name of the executable file for a running process.

DSA-1515 libnet-dns-perl -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: libnet-dns-perl
Several remote vulnerabilities have been discovered in libnet-dns-perl. The Common Vulnerabilities and Exposures project identifies the following problems:
- It was discovered that libnet-dns-perl generates very weak transaction IDs when sending queries (CVE-2007-3377). This update switches transaction ID generation to the Perl random generator, making prediction attacks more difficult.
- Compression loops in domain names resulted in an infinite loop in the domain name expander written in Perl (CVE-2007-3409). The Debian package uses an expander written in C by default, but this vulnerability has been addressed nevertheless.
- Decoding malformed A records could lead to a crash (via an uncaught Perl exception) of certain applications using libnet-dns-perl (CVE-2007-6341).

DSA-1522 unzip -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: unzip
Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution (CVE-2008-0888).

DSA-1448 eggdrop -- buffer overflow
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: eggdrop
It was discovered that eggdrop, an advanced IRC robot, was vulnerable to a buffer overflow which could result in a remote user executing arbitrary code.

DSA-1463 postgresql-7.4 -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: postgresql-7.4
Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems:
- It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete.
- Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- Tavis Ormandy and Will Drewry discovered that the optimizer for regular expressions could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- Tavis Ormandy and Will Drewry discovered that the optimizer for regular expressions could be tricked into massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- Functions in index expressions could lead to privilege escalation.
For a more in-depth explanation please see the upstream announcement available at http://www.postgresql.org/about/news.905. For the old stable distribution (sarge), some of these problems have been fixed in version 7.4.7-6sarge6 of the postgresql package. Please note that the fix for CVE-2007-6600 and for the handling of regular expressions have not been backported due to the intrusiveness of the fix. We recommend upgrading to the stable distribution if these vulnerabilities affect your setup. For the stable distribution (etch), these problems have been fixed in version 7.4.19-0etch1. The unstable distribution (sid) no longer contains postgresql-7.4. We recommend that you upgrade your postgresql-7.4 packages.

DSA-1461 libxml2 -- missing input validation
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: libxml2
Brad Fitzpatrick discovered that the UTF-8 decoding functions of libxml2, the GNOME XML library, validate UTF-8 correctness insufficiently, which may lead to denial of service by forcing libxml2 into an infinite loop. For the old stable distribution (sarge), this problem has been fixed in version 2.6.16-7sarge1. For the stable distribution (etch), this problem has been fixed in version 2.6.27.dfsg-2. For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your libxml2 packages.

DSA-1508 diatheke -- insufficient input sanitising
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: diatheke
Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.

DSA-1504 kernel-source-2.6.8 -- several vulnerabilities
Platform: Debian GNU/Linux 3.1
Package: kernel-source-2.6.8
Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
- LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem.
- LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem.
- LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem.
- OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount.
- Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialised stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory.
- Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update.
- Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.
- The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to affect default Debian installations, where only root has sufficient privileges to exploit it.
- Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages.
- Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process umask, which may lead to unintentionally relaxed permissions.
- Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions, which may allow local users to gain privileges by sending arbitrary signals to suid binaries.
- Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap.
- Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges.
- Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour.
- Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem.
  This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.
- Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user.
- ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.
- Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information.
- Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS).
- Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code.
The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:
We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

DSA-1547 openoffice.org -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: openoffice.org
Several security related problems have been discovered in OpenOffice.org, the free office suite. The Common Vulnerabilities and Exposures project identifies the following problems:
- Several bugs have been discovered in the way OpenOffice.org parses Quattro Pro files that may lead to an overflow in the heap, potentially leading to the execution of arbitrary code.
- Specially crafted EMF files can trigger a buffer overflow in the heap that may lead to the execution of arbitrary code.
- A bug has been discovered in the processing of OLE files that can cause a buffer overflow in the heap, potentially leading to the execution of arbitrary code.
Recently reported problems in the ICU library, against which OpenOffice.org is linked, are fixed in separate libicu packages with DSA 1511.

DSA-1466 xfree86 -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: xfree86
The X.org fix for CVE-2007-6429 introduced a regression in the MIT-SHM extension, which prevented the start of a few applications. This update provides updated packages for the xfree86 version included in Debian old stable (sarge) in addition to the fixed packages for Debian stable (etch), which were provided in DSA 1466-2. For reference, the original advisory text follows: Several local vulnerabilities have been discovered in the X.Org X server. The Common Vulnerabilities and Exposures project identifies the following problems:
- regenrecht discovered that missing input sanitising within the XFree86-Misc extension may lead to local privilege escalation.
- It was discovered that error messages of security policy file handling may lead to a minor information leak disclosing the existence of files otherwise inaccessible to the user.
- regenrecht discovered that missing input sanitising within the XInput-Misc extension may lead to local privilege escalation.
- regenrecht discovered that missing input sanitising within the TOG-CUP extension may lead to disclosure of memory contents.
- regenrecht discovered that integer overflows in the EVI and MIT-SHM extensions may lead to local privilege escalation.
- It was discovered that insufficient validation of PCF fonts could lead to local privilege escalation.
Submitted by SecPod Team; modified by Maria Kedovskaya and Sergey Artykhov.

DSA-1452 wzdftpd -- denial of service
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: wzdftpd
k1tk4t discovered that wzdftpd, a portable, modular, small and efficient ftp server, did not correctly handle the receipt of long usernames. This could allow remote users to cause the daemon to exit.

DSA-1524 krb5 -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: krb5
Several remote vulnerabilities have been discovered in the kdc component of krb5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identifies the following problems:
- An unauthenticated remote attacker may cause a krb4-enabled KDC to crash, expose information, or execute arbitrary code. Successful exploitation of this vulnerability could compromise the Kerberos key database and host security on the KDC host.
- An unauthenticated remote attacker may cause a krb4-enabled KDC to expose information. It is theoretically possible for the exposed information to include secret key data on some platforms.
- An unauthenticated remote attacker can cause memory corruption in the kadmind process, which is likely to cause kadmind to crash, resulting in a denial of service. It is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution, though we have no such exploit and are not aware of any such exploits in use in the wild.
  In versions of MIT Kerberos shipped by Debian, this bug can only be triggered in configurations that allow large numbers of open file descriptors in a process.

DSA-1450 util-linux -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: util-linux
It was discovered that util-linux, miscellaneous system utilities, did not drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.

DSA-1487 libexif -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: libexif
Several vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed image. The Common Vulnerabilities and Exposures project identifies the following problems:
- Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code.
- Meder Kydyraliev discovered an infinite loop, which may result in denial of service.
- Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code.
This update also fixes two potential NULL pointer dereferences.

DSA-1503 kernel-source-2.4.27 -- several vulnerabilities
Platform: Debian GNU/Linux 3.1
Package: kernel-source-2.4.27
Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the following problems:
- infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code.
- Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling.
- Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad.
- LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem.
- LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem.
- LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem.
- Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code.
- Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialised stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory.
- Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops).
- Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update.
- Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.
- Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions, which may allow local users to gain privileges by sending arbitrary signals to suid binaries.
- Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges.
- The PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy.
- Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.
- Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user.
- ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.
- Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information.
- Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS).
- Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas.
  This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code.
The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:
We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

DSA-1507 turba2 -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: turba2
Peter Paul Elfferich discovered that turba2, a contact management component for the Horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.

DSA-1488 phpbb2 -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: phpbb2
Several remote vulnerabilities have been discovered in phpBB, a web based bulletin board. The Common Vulnerabilities and Exposures project identifies the following problems:
- Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page.
- Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only.)
- A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only.)
- Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only.)
- An authenticated forum administrator may upload files of any type by using specially crafted filenames.
  (Applies to sarge only.)

DSA-1471 libvorbis -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: libvorbis
Several vulnerabilities were found in the Vorbis General Audio Compression Codec, which may lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed Ogg Audio file with an application linked against libvorbis.

DSA-1505 alsa-driver -- kernel memory leak
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: alsa-driver
Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571).

DSA-1512 evolution -- format string attack
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: evolution
Ulf Härnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible.

DSA-1499 pcre3 -- buffer overflow
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: pcre3
It was discovered that specially crafted regular expressions involving codepoints greater than 255 could cause a buffer overflow in the PCRE library (CVE-2008-0674).

DSA-1458 openafs -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: openafs
A race condition in the OpenAFS fileserver allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.
For the old stable distribution (sarge), this problem has been fixed in version 1.3.81-3sarge3. For the stable distribution (etch), this problem has been fixed in version 1.4.2-6etch1. We recommend that you upgrade your openafs packages.

DSA-1519 horde3 -- insufficient input sanitising
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: horde3
It was discovered that the Horde web application framework permits arbitrary file inclusion by a remote attacker through the theme preference parameter.

DSA-1449 loop-aes-utils -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: loop-aes-utils
It was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, did not drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.

DSA-1495 nagios-plugins -- buffer overflows
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: nagios-plugins
Several local/remote vulnerabilities have been discovered in two of the plugins for the Nagios network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems:
- A buffer overflow has been discovered in the parser for HTTP Location headers (present in the check_http module).
- A buffer overflow has been discovered in the check_snmp module.

DSA-1491 tk8.4 -- buffer overflow
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: tk8.4
It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.

DSA-1533 exiftags -- insufficient input sanitising
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: exiftags
Christian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images. The Common Vulnerabilities and Exposures project identified the following three problems:
- Inadequate EXIF property validation could lead to invalid memory accesses if executed on a maliciously crafted image, potentially including heap corruption and the execution of arbitrary code.
- Flawed data validation could lead to integer overflows, causing other invalid memory accesses, also with the potential for memory corruption or arbitrary code execution.
- Cyclical EXIF image file directory (IFD) references could cause a denial of service (infinite loop).

DSA-1493 sdl-image1.2 -- buffer overflows
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: sdl-image1.2
Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2. The Common Vulnerabilities and Exposures project identifies the following problems:
- Gynvael Coldwind discovered a buffer overflow in GIF image parsing, which could result in denial of service and potentially the execution of arbitrary code.
- It was discovered that a buffer overflow in IFF ILBM image parsing could result in denial of service and potentially the execution of arbitrary code.

DSA-1520 smarty -- insufficient input sanitising
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: smarty
It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin with a specially crafted search string.

DSA-1510 gs-esp gs-gpl -- buffer overflow
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Packages: gs-esp, gs-gpl
Chris Evans discovered a buffer overflow in the color space handling code of the Ghostscript PostScript/PDF interpreter, which might result in the execution of arbitrary code if a user is tricked into processing a malformed file.

DSA-1469 flac -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: flac
Sean de Regge and Greg Linares discovered multiple heap and stack based buffer overflows in FLAC, the Free Lossless Audio Codec, which could lead to the execution of arbitrary code.

DSA-1536 xine-lib -- several vulnerabilities
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: xine-lib
Several local vulnerabilities have been discovered in Xine, a media player library, which allowed for a denial of service or arbitrary code execution that could be exploited through viewing malicious content. The Common Vulnerabilities and Exposures project identifies the following problems:
- The DMO_VideoDecoder_Open function does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code (applies to sarge only).
- Array index error in the sdpplin_parse function allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
- Array index vulnerability in libmpdemux/demux_audio.c might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow (applies to etch only).
- Buffer overflow in the Matroska demuxer allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes.

DSA-1472 xine-lib -- buffer overflow
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: xine-lib
Luigi Auriemma discovered that the Xine media player library performed insufficient input sanitising during the handling of RTSP streams, which could lead to the execution of arbitrary code.

DSA-1473 scponly -- design flaw
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: scponly
Joachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned CVE-2007-6350. In addition, it was discovered that it was possible to invoke scp with certain options that may lead to the execution of arbitrary commands (CVE-2007-6415).
This update removes Subversion, rsync and Unison support from the scponly package, and prevents scp from being invoked with the dangerous options.

DSA-1518 backup-manager -- programming error
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: backup-manager
Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling an FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.

DSA-1459 gforge -- insufficient input validation
Platforms: Debian GNU/Linux 4.0, Debian GNU/Linux 3.1
Package: gforge
It was discovered that Gforge, a collaborative development tool, did not properly sanitise some CGI parameters, allowing SQL injection in scripts related to RSS exports. For the old stable distribution (sarge), this problem has been fixed in version 3.1-31sarge5. For the stable distribution (etch), this problem has been fixed in version 4.5.14-22etch4. For the unstable distribution (sid), this problem has been fixed in version 4.6.99+svn6330-1. We recommend that you upgrade your gforge packages.

DSA-1467 mantis -- several vulnerabilities
Platform: Debian GNU/Linux 3.1
Package: mantis
Several remote vulnerabilities have been discovered in Mantis, a web based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:
- Custom fields were not appropriately protected by per-item access control, allowing for sensitive data to be published.
Multiple cross site scripting issues allowed a remote attacker to insert malicious HTML or web script into Mantis web pages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1490 tk8.3 -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1tk8.3It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDebian GNU/Linux 3.1 is installedDebian GNU/Linux 3.1Debian GNU/Linux 3.1 (sarge) is installedSecPod TeamDRAFTINTERIMACCEPTEDPreeti SubramanianINTERIMACCEPTEDChandan SINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDebian GNU/Linux 4.0 is installed.Debian GNU/Linux 4.0Debian GNU/Linux 4.0 (etch) is installedSecPod TeamDRAFTINTERIMACCEPTEDPreeti SubramanianINTERIMACCEPTEDChandan SINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDmaradnswiresharkwireshark-devtsharktetherealethereal-commonwireshark-commonetherealethereal-devdebian-goodieslibnet-dns-perlunzipeggdropeggdrop-datapostgresql-pltcl-7.4libpgtclpostgresql-doclibpq3postgresql-client-7.4postgresql-server-dev-7.4libecpg-devpostgresql-devpostgresql-plperl-7.4postgresqlpostgresql-contribpostgresql-plpython-7.4postgresql-7.4libecpg4postgresql-contrib-7.4libpgtcl-devpostgresql-clientpostgresql-doc-7.4libxml2-python2.3python2.3-libxml2python2.2-libxml2python2.4-libxml2python-libxml2libxml2libxml2-doclibxml2-devlibxml2-dbglibxml2-utilslibsword6libsword4libsword-devdiathekekernel-image-2.6.8-4-32-smpkernel-image-2.6.8-4-s390kernel-source-2.6.8kernel-patch-debian-2.6.8kernel-image-2.6.8-4-32kernel-patch-2.6.8-s390kernel-headers-2.6.8-4-32kernel-tree-2.6.8kernel-headers-2.6.8-4-32-smpkernel-image-2.6.8-4-s390-tapekernel-headers-2.6.8-13-em64t-p4kernel-image-2.6.8-4-64kernel-headers-2.6.8-13-em64t-p4-smpkernel-headers-2.6.8-4-64kernel-headers-2.6.8-4kernel-image-2.6.8-4-64-smpkernel-header
s-2.6.8-13-amd64-k8kernel-headers-2.6.8-13-amd64-k8-smpkernel-image-2.6.8-13-amd64-generickernel-image-2.6.8-13-amd64-k8-smpkernel-headers-2.6.8-4-64-smpkernel-image-2.6.8-13-em64t-p4kernel-image-2.6.8-13-em64t-p4-smpkernel-image-2.6.8-4-s390xkernel-headers-2.6.8-13kernel-doc-2.6.8kernel-image-2.6.8-13-amd64-k8kernel-headers-2.6.8-13-amd64-genericopenoffice.org-binopenoffice.org-filter-so52openoffice.org-dev-docopenoffice.org-l10n-aropenoffice.org-writeropenoffice.org-help-enopenoffice.org-thesaurus-en-usopenoffice.org-l10n-loopenoffice.org-gtkopenoffice.org-help-en-gbopenoffice.org-gnomeopenoffice.org-l10n-ukopenoffice.org-l10n-neopenoffice.org-help-dzopenoffice.org-l10n-tnopenoffice.org-l10n-as-inopenoffice.org-l10n-eulibmythes-devopenoffice.org-l10n-fiopenoffice.org-l10n-veopenoffice.org-help-fropenoffice.org-officebeanopenoffice.org-dbgopenoffice.org-l10n-nropenoffice.org-l10n-sr-csopenoffice.org-l10n-en-zaopenoffice.org-qa-toolsopenoffice.org-l10n-eoopenoffice.org-help-esopenoffice.org-l10n-itopenoffice.org-l10n-bnopenoffice.org-help-huopenoffice.org-l10n-or-inopenoffice.org-l10n-gu-inopenoffice.org-l10n-svopenoffice.org-help-csopenoffice.org-l10n-hi-inopenoffice.org-l10n-gaopenoffice.org-l10n-zaopenoffice.org-help-zh-twopenoffice.org-l10n-hropenoffice.org-l10n-bropenoffice.org-java-commonopenoffice.org-l10n-zh-cnopenoffice.org-l10n-huopenoffice.org-l10n-hiopenoffice.org-kdeopenoffice.org-filter-mobiledevopenoffice.orgopenoffice.org-l10n-nbopenoffice.org-l10n-kaopenoffice.org-l10n-rwopenoffice.org-l10n-ml-inopenoffice.org-gcjopenoffice.org-l10n-te-inopenoffice.org-help-ruopenoffice.org-l10n-pa-inopenoffice.org-l10n-dzopenoffice.org-impressopenoffice.org-mathopenoffice.org-l10n-bsopenoffice.org-l10n-xhopenoffice.org-l10n-kuopenoffice.org-l10n-thopenoffice.org-help-plopenoffice.org-l10n-cyopenoffice.org-l10n-koopenoffice.org-l10n-stopenoffice.org-l10n-etopenoffice.org-l10n-en-gbopenoffice.org-drawopenoffice.org-help-en-usopenoffice.org-l10n-enopenoffice.org-l10n-
lvopenoffice.org-l10n-fropenoffice.org-help-etopenoffice.org-l10n-esopenoffice.org-l10n-elopenoffice.org-l10n-bgopenoffice.org-devopenoffice.org-l10n-ssopenoffice.org-gtk-gnomeopenoffice.org-l10n-tsopenoffice.org-l10n-afopenoffice.org-l10n-nsopenoffice.org-help-nlopenoffice.org-help-koopenoffice.org-evolutionopenoffice.org-baseopenoffice.org-l10n-zh-twopenoffice.org-l10n-ltopenoffice.org-help-daopenoffice.org-l10n-viopenoffice.org-l10n-be-byopenoffice.org-l10n-kmopenoffice.org-l10n-csopenoffice.org-coreopenoffice.org-l10n-heopenoffice.org-help-pt-bropenoffice.org-l10n-tgopenoffice.org-qa-api-testsopenoffice.org-help-zh-cnopenoffice.org-l10n-jaopenoffice.org-l10n-ptopenoffice.org-l10n-knopenoffice.org-commonopenoffice.org-help-kmopenoffice.org-help-slopenoffice.org-l10n-mkopenoffice.org-l10n-pt-bropenoffice.org-dtd-officedocument1.0openoffice.org-l10n-nnopenoffice.org-l10n-zuopenoffice.org-l10n-ta-inopenoffice.org-calcpython-unoopenoffice.org-mimelnkopenoffice.org-l10n-rubroffice.orgopenoffice.org-l10n-caopenoffice.org-l10n-daopenoffice.org-l10n-inopenoffice.org-l10n-slopenoffice.org-l10n-nlopenoffice.org-help-itopenoffice.org-help-jaopenoffice.org-l10n-deopenoffice.org-l10n-glopenoffice.org-l10n-skopenoffice.org-l10n-tropenoffice.org-help-hi-inopenoffice.org-l10n-faopenoffice.org-help-deopenoffice.org-help-svopenoffice.org-l10n-plttf-opensymbollibxmu6x-window-system-devlibxpm4xlibs-dataxserver-commonxdmx-window-system-corexlibmesa-glxlibosmesa4libx11-devlibsm6xlibs-static-devxlibosmesa4-dbgxfonts-75dpi-transcodedxlibmesa-devxmhlibx11-6libxtst6-dbglibxaw6-devxfonts-scalablexfonts-cyrillicxlibmesa-gl-dbgxlibmesa-gl-devxfree86-commonlibsm-devxserver-xephyrxfonts-100dpilibxpm4-dbgx-devtwmlibxft1xdmx-toolsxlibs-devlibxv1-dbgproxymngrxserver-xorg-devlibxt-devxlibmesa-glulibxaw7-dbglibxtst6libxmuu1-dbglibxi-devlibxaw7libxi6-dbglibxp6-dbgxfonts-75dpilibxmu6-dbglibxaw6-dbgpm-devlibxp-devxlibmesa-drixfslibx11-6-dbglibdps1xutilsxfonts-base-transcodedlibxtlibxtrap6libxext6-dbgx
libs-static-picxfwplibxt6-dbglibxaw7-devlibxft1-dbglibxmu-devx-window-systemlibxp6xlibmesa3xvfbxlibmesa-glu-dbglibxmuu-devlibdps-devxfonts-baselibxfont1-dbglibxfont-devxlibs-dbgxnestlibxfont1libxv-devlibxaw6libxpm-devxfonts-100dpi-transcodedxspecsxlibs-piclibxtst-devlibsm6-dbgxlibmesa-dri-dbglibxi6xlibsxtermxserver-xfree86libxrandr2libxtrap6-dbglibxext6libxv1xbase-clientslibxmuu1libdps1-dbglibxext-devxlibosmesa-devlibxrandr-devlibice6xdmxxlibmesa3-dbgxlibmesa-glu-devlibice6-dbglbxproxylibxtrap-devlibxrandr2-dbgxserver-xfree86-dbglibice-devxserver-xorg-corewzdftpd-back-pgsqlwzdftpd-mod-perlwzdftpd-mod-avahiwzdftpd-devwzdftpdwzdftpd-back-mysqlwzdftpd-mod-tclkrb5-clientskrb5-ftpdkrb5-rsh-serverlibkadm55krb5-userlibkrb53krb5-dockrb5-admin-serverlibkrb5-devkrb5-telnetdkrb5-kdclibkrb5-dbgbsdutilsmountutil-linux-localesutil-linuxlibexif10libexif-devlibexif12kernel-image-2.4.27-netwinderkernel-image-2.4.27-lartkernel-image-2.4.27-riscpckernel-image-2.4.27-riscstationkernel-image-2.4.27-bastkernel-image-2.4.27-4-s390kernel-headers-2.4.27-4kernel-image-2.4.27-4-s390xkernel-headers-2.4.27lm-sensors-sourcekernel-source-2.4.27i2c-sourcekernel-headers-2.4-s390systemimager-docsystemimager-serverkernel-patch-2.4-i2csystemimager-boot-ia64-standardkernel-patch-2.4-lm-sensorssystemimager-boot-i386-standardkernel-doc-2.4.27-speakupsystemimager-clientkernel-tree-2.4.27mips-toolssystemimager-commonkernel-doc-2.4.27systemimager-server-flamethrowerdkernel-build-2.4.27kernel-image-2.4-s390kernel-image-2.4.27-4-s390-tapekernel-patch-debian-2.4.27kernel-image-2.4-s390xturba2phpbb2phpbb2-languagesphpbb2-conf-mysqllibvorbisfile3libvorbis-devlibvorbisenc2libvorbis0aalsa-modules-2.4-k6alsa-modules-2.4-k7-smpalsa-modules-2.4-386alsa-sourcealsa-modules-2.4.27-4-k6alsa-modules-2.4.27-4-386alsa-modules-2.4.27-4-586tscalsa-modules-2.4.27-4-k7alsa-modules-2.4.27-4-686alsa-modules-2.4-686-smplinux-sound-basealsa-basealsa-modules-2.4.27-4-k7-smpalsa-headersalsa-modules-2.4.27-4-686-smpalsa-modules-2.4-k7
alsa-modules-2.4-686alsa-modules-2.4-586tscevolution-pluginsevolution-plugins-experimentalevolution-devevolutionevolution-commonevolution-dbglibpcrecpp0pgreplibpcre3pcregreplibpcre3-devopenafs-dbgopenafs-doclibopenafs-devopenafs-krb5openafs-kpasswdopenafs-dbserverlibpam-openafs-kaserveropenafs-clientopenafs-fileserveropenafs-modules-sourcehorde3loop-aes-utilsnagios-plugins-standardnagios-plugins-basicnagios-pluginstk8.4-doctk8.4-devtk8.4exiftagslibsdl-image1.2-devlibsdl-image1.2smartygs-gplgs-espgsliboggflac1libflac++4libflac-doclibflac7liboggflac3flacxmms-flaclibflac6libflac++5libflac++-devliboggflac++-devlibflac-devliboggflac-devliboggflac++0c102liboggflac++2libxine1libxine1-dbglibxine-devscponlybackup-managerbackup-manager-docsourceforgegforgegforge-cvsgforge-mta-couriergforge-web-apachegforge-sourceforge-transitiongforge-mta-eximgforge-commongforge-lists-mailmangforge-dns-bind9gforge-ftp-proftpdgforge-mta-postfixgforge-shell-postgresqlgforge-shell-ldapgforge-ldap-openldapgforge-mta-exim4gforge-db-postgresqlmantis/etcdebian_version^(\d\.\d).*$1tk8.3tk8.3-devtk8.3-doc0:1.0.27-20:1.2.12.04-1etch20:0.99.4-5.etch.20:0.10.10-2sarge110:0.23+sarge1-00:0.27+etch1-00:0.48-1sarge10:0.59-1etch10:5.52-1sarge50:5.52-9etch10:1.6.18-1etch10:1.6.17-3sarge10:7.4.7-6sarge60:7.4.19-0etch10:2.6.16-7sarge10:2.6.27.dfsg-20:1.5.9-2etch10:1.5.7-7sarge10:2.6.8-7sarge10:2.6.8-6sarge10:2.6.8-17sarge10:1.1.3-9sarge90:2.0.4.dfsg.2-7etch50:1.2.2-2.etch10:4.3.0.dfsg.1-14sarge70:1.1.1-21etch20:0.8.1-2etch10:0.5.2-1.1sarge30:1.3.6-2sarge60:1.4.4-7etch50:2.12r-19etch10:0.6.9-6sarge20:0.6.13-5etch20:2.9.1-1sarge20:2.9.1-1sarge40:2.4.27-1.1sarge50:2.4.27-10.sarge4.040815-30:3.2.3-6sarge50:2.4.27-2sarge60:2.4.27-10sarge60:2.4.27-1sarge20:2.1.3-1etch10:2.0.2-1sarge10:2.0.21-70:2.0.13-6sarge40:1.1.0-20:1.1.2.dfsg-1.30:1.0.13-5etch10:1.0.8-7sarge10:1.0.8+2sarge2-00:2.0.4-2sarge30:2.6.3-6etch20:6.7+7.4-30:4.5+7.4-20:1.3.81-3sarge30:1.4.2-6etch10:3.0.4-4sarge70:3.1.3-4etch30:2.12r-15+etch10:2.12p-4sarge2
0:1.4-6sarge10:1.4.5-1etch10:8.4.12-1etch20:8.4.9-1sarge20:0.98-1.1+0sarge1m68k0:0.98-1.1+etch10:1.2.5-2+etch10:1.2.4-1etch10:2.6.14-1etch10:2.6.9-1sarge10:8.01-60:7.07.1-9sarge10:8.15.3.dfsg.1-1etch10:8.54.dfsg.1-5etch10:1.1.1-5sarge10:1.1.2-80:1.0.1-1sarge70:1.1.2+dfsg-6sparc0:1.1.2+dfsg-50:1.0.1-1sarge6mipsppchppamipsels390xarmi686ia64alphax86-640:4.6-1etch10:4.0-1sarge20:0.5.7-1sarge20:0.7.5-40:4.5.14-22etch40:3.1-31sarge50:0.19.2-5sarge53.14.00:8.3.5-4sarge10:8.3.5-6etch2