Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access

2009-10-09 Thread Michael S Gilbert
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch

hi,

the following CVEs were issued for samba.

CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
| (infinite loop) via an unanticipated oplock break notification reply packet.

CVE-2009-2948 [1]:
| mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and
| 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly
| enforce permissions, which allows local users to read part of the
| credentials file and obtain the password by specifying the path to the
| credentials file and using the --verbose or -v option.

these are fixed in unstable.  patches are available from [2].

mike

[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2906
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2948
[2] http://www.samba.org/samba/security/



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#550424: openexr6: CVE-2009-1720,1721,1722 potential vectors for arbitrary code execution

2009-10-09 Thread Michael S Gilbert
Package: openexr6
Version: 1.6.1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openexr6.

CVE-2009-1720[0]:
| Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow
| context-dependent attackers to cause a denial of service (application
| crash) or possibly execute arbitrary code via unspecified vectors that
| trigger heap-based buffer overflows, related to (1) the
| Imf::PreviewImage::PreviewImage function and (2) compressor
| constructors.  NOTE: some of these details are obtained from third
| party information.

CVE-2009-1721[1]:
| The decompression implementation in the Imf::hufUncompress function in
| OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a
| denial of service (application crash) or possibly execute arbitrary
| code via vectors that trigger a free of an uninitialized pointer.

CVE-2009-1722[2]:
| Heap-based buffer overflow in the compression implementation in
| OpenEXR 1.2.2 allows context-dependent attackers to cause a denial of
| service (application crash) or possibly execute arbitrary code via
| unspecified vectors.

These issues are already fixed in the stable releases.  If you fix the
vulnerabilities please also make sure to include the CVE ids in your
changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1720
http://security-tracker.debian.net/tracker/CVE-2009-1720
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721
http://security-tracker.debian.net/tracker/CVE-2009-1721
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1722
http://security-tracker.debian.net/tracker/CVE-2009-1722






Bug#550440: advi: CVE-2009-2295 arbitrary code execution

2009-10-09 Thread Michael S Gilbert
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages.  advi statically links to camlimages, so any
issues in that package are also applicable to advi.  There were already
updates to camlimages for etch and lenny, so advi just needs to be
relinked using those new versions.  Please coordinate these updates with
the security team.

CVE-2009-2295[0]:
| Multiple integer overflows in CamlImages 2.2 and earlier might allow
| context-dependent attackers to execute arbitrary code via a crafted
| PNG image with large width and height values that trigger a heap-based
| buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24
| function.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2295
http://security-tracker.debian.net/tracker/CVE-2009-2295






Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

2009-10-09 Thread Michael S Gilbert
package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security

hi,

ffmpeg has been found to be vulnerable to many crashers [0],[1].  this
may enable remote compromise of a system.

please coordinate with upstream and the security team to push out
updates for these issues.

mike

[0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
[1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245






Bug#550423: [Pkg-samba-maint] Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access

2009-10-09 Thread Michael S Gilbert
On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:

> Version: 3.4.2-1
>
> Quoting Michael S Gilbert (michael.s.gilb...@gmail.com):
> > package: samba
> > version: 3.0.24-6
> > severity: serious
> > tags: security , patch
> >
> > hi,
> >
> > the following CVEs were issued for samba.
>
>
> Fixed in 3.4.2
>
> Fixes for lenny are on their way.

good to know.  thanks for the quick response.

mike






Bug#550150: cupsys: CVE-2009-2807 issue in usb backend

2009-10-07 Thread Michael S Gilbert
package: cupsys
version: 1.2.7-4
severity: serious
tags: security

hi,

cups may be affected by a security issue in its usb backend [0].  the
advisories state that this affects mac os x, but it is unclear if
other os'es are affected.  i've submitted a bug upstream requesting
more info [1].  you can follow the issue there.

best wishes,
mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2807
[1] http://www.cups.org/str.php?L3368






Bug#546198: xfs: uninstallable due to logged in debian-xfs user

2009-09-11 Thread Michael S Gilbert
package: xfs
version: 1:1.0.8-4
severity: serious

the latest xfs update is currently uninstallable on unstable.  the error is:

  Setting up xfs (1:1.0.8-4) ...
  Installing new version of config file /etc/init.d/xfs ...
  usermod: user debian-xfs is currently logged in
  dpkg: error processing xfs (--configure):
   subprocess installed post-installation script returned error exit status 8

fyi, the debian-xfs entry in /etc/password is:

  debian-xfs:x:109:115::/nonexistant:/bin/false

i don't think this had existed prior to this xfs update.  let me know
if you need any more info.

mike






Bug#545501: xfce4-clipman: uninstallable due file conflict with xfce4-clipman-plugin

2009-09-07 Thread Michael S Gilbert
package: xfce4-clipman
severity: serious
version: 2:1.1.0-2

hello,

both xfce4-clipman and xfce4-clipman-plugin install the file
'/usr/share/applications/xfce4-clipman-plugin.desktop', which causes
xfce4-clipman's installation to fail:

  Unpacking xfce4-clipman (from .../xfce4-clipman_2%3a1.1.0-2_amd64.deb) ...
  dpkg: error processing /var/cache/apt/archives/xfce4-clipman_2%3a1.1.0-2_amd64.deb (--unpack):
   trying to overwrite '/usr/share/applications/xfce4-clipman-plugin.desktop',
   which is also in package xfce4-clipman-plugin 2:1.0.2-1

this may only be a problem for upgrades from previous versions of 
xfce4-clipman-plugin.






Bug#524806: RFS: sponsor for poppler stable point release

2009-08-26 Thread Michael S Gilbert
Hi,

A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed.  Attached is the debdiff of the
changes.

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable
main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert




Bug#542400: bug 542400 suggestion

2009-08-23 Thread Michael S Gilbert
just a quick suggestion to try: manually remove the problematic file first
(i.e. 'sudo rm /usr/lib/fglrx/diversions/libglx.so'), then use apt to remove
the package.

mike






Bug#542400: reproduced #542400

2009-08-23 Thread Michael S Gilbert
tag 542400 -moreinfo
found 542400 1:9-8-1
thanks

fyi, i was just able to reproduce this problem with 1:9-8-1.  my suggested 
workaround does work:

$ sudo rm /usr/lib/fglrx/diversions/libglx.so
$ sudo apt-get remove fglrx-glx
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages will be REMOVED:
  fglrx-glx
0 upgraded, 0 newly installed, 1 to remove and 11 not upgraded.
1 not fully installed or removed.
After this operation, 664kB disk space will be freed.
Do you want to continue [Y/n]? 
(Reading database ... 108578 files and directories currently installed.)
Removing fglrx-glx ...
Removing `diversion of /usr/lib/xorg/modules/extensions/libglx.so to 
/usr/lib/fglrx/diversions/libglx.so by fglrx-driver'
$ 

it should be fairly straightforward to update the package to do this correctly.

mike






Bug#542400: Unable to remove package, post removal script fails

2009-08-23 Thread Michael S Gilbert
On Sun, 23 Aug 2009 20:49:13 +0200 Bertrand Marc Bertrand wrote:
> I don't think you should remove /usr/lib/fglrx/diversions/libglx.so by
> hand. This file belongs to xserver-xorg-core (that's why there is a
> diversion).

agreed.  that is just a temporary solution to get the problematic
package removed.  it would be a *much* better idea to backup the
file, remove the package, then restore from the backup.

> I think it is related to the fact that fglrx-glx.postrm
> removes fglrx-driver diversions although it shouldn't. Could you test
> the last revision in svn (278) ?

will do.

mike






Bug#542400: Unable to remove package, post removal script fails

2009-08-23 Thread Michael S Gilbert
fixed 542400 1:9-8-2
thanks

tested revision 278.  your changes have fixed this problem.  thanks!

mike






Bug#539699: nmu

2009-08-19 Thread Michael S Gilbert
dear maintainer,

the security team has applied an nmu for xscreensaver in unstable and
will soon for experimental also.  see attached debdiffs.

regards,
michael gilbert




Bug#541483: in progress

2009-08-14 Thread Michael S. Gilbert
forcemerge 541496 541483
thanks

the kernel-sec team is aware and tracking the issue.  Dann Frazier may
be able to update with more info/timeframe.

mike






Bug#541439: ubuntu patches in progress

2009-08-14 Thread Michael S Gilbert
fyi, ubuntu has patches in progress for older versions, which may be
useful for backports to the stable releases:

http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=177e7ddb761999cd8b439e14a2bf43590756e230






Bug#540958: libvorbis: CVE-2009-2663 vulnerability

2009-08-11 Thread Michael S. Gilbert
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
 
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
>
> Thanks, I'll prepare updates for etch, lenny, and sid.  I assume the
> Mozillae in Debian use the system libvorbis, not a separate copy.

no, in fact they embed, and i've submitted a bug for that separately.
thanks for working this!

mike






Bug#540961: xulrunner: CVE-2009-2663 vulnerability

2009-08-11 Thread Michael S. Gilbert
On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xulrunner.
> >
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
> >
> > This does not affect versions 1.9.0.12 and earlier, so no updates
> > are needed for the stable releases.
>
> The summary you pasted suggests that before 3.0.13 is affected, which
> would mean that xul 1.9.0.12 would be affected too; but OTOH, 1.9
> branch didn't have any libvorbis/codec support afaik. So this feels
> like a typo in the CVE. Anyway, xul should probably be updated to .13
> anyway in stable.

yes, this is a flaw in the cve text (which often you can't take at
face value). i checked the source, and vorbis is not present in 1.9.0.12
or before, and i doubt it will be introduced in 1.9.0.13, but i could
be wrong.

mike






Bug#517639: severity

2009-08-11 Thread Michael S. Gilbert
severity 532689 important
thanks

denial-of-services are not serious.  this should probably be fixed
with CVE-2009-0642 which is actually serious.  please coordinate with
the security team to prepare updates for the stable releases on these.






Bug#540610: [DRE-maint] Bug#540610: rubygems: integrity violation

2009-08-10 Thread Michael S. Gilbert
On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
> Michael S. Gilbert said [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
> > > I tried testgem downloaded from
> > > http://bugs.gentoo.org/show_bug.cgi?id=278566.
> > >
> > > % sudo gem install testgem-0.0.1.gem
> > > Successfully installed testgem-0.0.1
> > > 1 gem installed
> > > Installing ri documentation for testgem-0.0.1...
> > > File not found: lib
> > >
> > > (I think that making document files causes this error.)
> > >
> > > % ls /var/lib/gems/1.8/bin/less
> > > /var/lib/gems/1.8/bin/less
> > >
> > >
> > > So, /usr/bin/less is not overwritten.
> > > Debian's RubyGems is patched to replace the upstream's indiscriminate default
> > > directory.
> >
> > ok, but when you run 'less', does that run /usr/bin/less
> > or /var/lib/gems/1.8/bin/less?  if it is the latter, then there is
> > definitely a problem here.
>
> No, Debian's path does not include /var/lib/*/bin - The default paths,
> set by /etc/profile, read:
>
>
> if [ `id -u` -eq 0 ]; then
>   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> else
>   PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
> fi
>
> Requiring rubygems does not change it, even from within Ruby:
>
> $ irb
> irb(main):001:0> require 'rubygems'
> => true
> irb(main):002:0> system 'echo $PATH'
> /usr/local/bin:/usr/bin:/bin:/usr/games
> => true
>
> So I think this bug does not bite us.

ok, sounds like a non-issue to me then.

mike






Bug#540958: libvorbis: CVE-2009-2663 vulnerability

2009-08-10 Thread Michael S Gilbert
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvorbis.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

Please coordinate with the security team to prepare updates for the
stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
http://security-tracker.debian.net/tracker/CVE-2009-2663






Bug#540961: xulrunner: CVE-2009-2663 vulnerability

2009-08-10 Thread Michael S Gilbert
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xulrunner.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

This does not affect versions 1.9.0.12 and earlier, so no updates
are needed for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
   http://security-tracker.debian.net/tracker/CVE-2009-2663






Bug#540610: rubygems: integrity violation

2009-08-09 Thread Michael S. Gilbert
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious

hello, it has been disclosed that a specially crafted gem archive could
be used to overwrite system files.  confirmed for 1.3.x, but older
versions may also be affected.  please check and help the security
team prepare updates for the stable releases. see:

http://bugs.gentoo.org/show_bug.cgi?id=278566
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
http://redmine.ruby-lang.org/issues/show/1800






Bug#540610: rubygems: integrity violation

2009-08-09 Thread Michael S. Gilbert
On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:

> Hello Michael,
>
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> >
> > hello, it has been disclosed that a specially crafted gem archive could
> > be used to overwrite system files.  confirmed for 1.3.x, but older
> > versions may also be affected.  please check and help the security
> > team prepare updates for the stable releases. see:
> >
> > http://bugs.gentoo.org/show_bug.cgi?id=278566
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
> > http://redmine.ruby-lang.org/issues/show/1800
>
> Thank you for the references. I have just read them.
>
> In Debian, executables from gems install into a particular directory specific to
> RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
> /usr/bin. There should be no risk that they talked about.
>
> If you think of any problems in Debian, please let me know; otherwise, please
> close this ticket.

what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
i've never used rubygems before, so i'm not sure how paths are
configured. would this override the system 'ls'?

mike






Bug#535909:

2009-08-09 Thread Michael S. Gilbert
On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:

> Hello,
>
> On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
> > reopen 535909
> > fixed 535909 1:3.0.1-3
> > thanks
> >
> > > This bug has been solved with 1:3.0.1-2 before the bug was opened.
> >
> > thanks for the update.  please coordinate with the security team to
> > prepare updates for the stable releases.
> >
> >
>
> For stable and oldstable, already done.
>
> lenny: 1:2.2.0-4+lenny1
> etch: 2.20-8+etch1

great!  thanks for pushing out these updates.






Bug#540610: rubygems: integrity violation

2009-08-09 Thread Michael S. Gilbert
On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:

> Hello Michael,
>
> Michael S. Gilbert wrote:
> > In Debian, executables from gems install into a particular directory specific to
> > RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
> > /usr/bin. There should be no risk that they talked about.
> >
> > If you think of any problems in Debian, please let me know; otherwise, please
> > close this ticket.
> >
> > what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
> > i've never used rubygems before, so i'm not sure how paths are
> > configured. would this override the system 'ls'?
>
> I tried testgem downloaded from http://bugs.gentoo.org/show_bug.cgi?id=278566.
>
> % sudo gem install testgem-0.0.1.gem
> Successfully installed testgem-0.0.1
> 1 gem installed
> Installing ri documentation for testgem-0.0.1...
> File not found: lib
>
> (I think that making document files causes this error.)
>
> % ls /var/lib/gems/1.8/bin/less
> /var/lib/gems/1.8/bin/less
>
>
> So, /usr/bin/less is not overwritten.
> Debian's RubyGems is patched to replace the upstream's indiscriminate default
> directory.

ok, but when you run 'less', does that run /usr/bin/less
or /var/lib/gems/1.8/bin/less?  if it is the latter, then there is
definitely a problem here.

mike






Bug#535909:

2009-08-08 Thread Michael S. Gilbert
reopen 535909
fixed 535909 1:3.0.1-3
thanks

> This bug has been solved with 1:3.0.1-2 before the bug was opened.

thanks for the update.  please coordinate with the security team to
prepare updates for the stable releases.






Bug#540605: php5: memory disclosure

2009-08-08 Thread Michael S. Gilbert
package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security , patch

it has been disclosed that php is potentially vulnerable to remote
memory disclosure [0].  patches are available for 5.2.10 and 5.3.0, but
older versions are likely affected (as well as php4).  please check and
coordinate with the security team to prepare updates for the stable
releases. thank you.

[0] http://securityreason.com/achievement_securityalert/65






Bug#536724: incomplete fix

2009-08-08 Thread Michael S. Gilbert
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3.  see:

http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.trac.wordpress.org/changeset/11769






Bug#524806: Fwd: etch patch for CVE-2009-0146/147/0166/0799/0800/1179/1180/1181/1182/1183/1187

2009-08-04 Thread Michael S Gilbert
tag 524806 patch
thanks

derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5.  i am fairly certain all of these CVEs are addressed in this one.

note vulnerable code not present in etch for CVE-2009-0755/1188.

please test; i've done some basic testing with existing pdfs on my
system, but have by no means done extensive or robust testing.
hopefully nothing's been broken.

this may be useful for the etch r9 point release (if not for a DSA)?

good night,
mike
diff -ur poppler-0.4.5/poppler/CairoOutputDev.cc poppler-0.4.5-new/poppler/CairoOutputDev.cc
--- poppler-0.4.5/poppler/CairoOutputDev.cc	2005-12-12 17:24:01.0 -0500
+++ poppler-0.4.5-new/poppler/CairoOutputDev.cc	2009-08-04 01:27:24.0 -0400
@@ -509,7 +509,7 @@
   cairo_matrix_t matrix;
   int is_identity_transform;
   
-  buffer = (unsigned char *)gmalloc (width * height * 4);
+  buffer = (unsigned char *)gmallocn (width, height * 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
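Review bot: gmallocn (width, height * 4) only guards the width × height product; the inner `height * 4` is still an unchecked multiplication that can wrap for a large height before gmallocn ever sees it. Either bound width and height against the image stream's limits before this call or use a checked allocator that takes all three factors. Separately, the following `Only in poppler-0.4.5-new/poppler: CairoOutputDev.cc.orig` entry shows a stray backup file in the new tree; regenerate the diff with `diff -ur -x '*.orig'` so the patch carries no noise.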
Only in poppler-0.4.5-new/poppler: CairoOutputDev.cc.orig
diff -ur poppler-0.4.5/poppler/JBIG2Stream.cc poppler-0.4.5-new/poppler/JBIG2Stream.cc
--- poppler-0.4.5/poppler/JBIG2Stream.cc	2006-01-10 13:53:54.0 -0500
+++ poppler-0.4.5-new/poppler/JBIG2Stream.cc	2009-08-04 01:26:46.0 -0400
@@ -422,12 +422,14 @@
   table[i] = table[len];
 
   // assign prefixes
-  i = 0;
-  prefix = 0;
-  table[i++].prefix = prefix++;
-  for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
-prefix = table[i].prefixLen - table[i-1].prefixLen;
-table[i].prefix = prefix++;
+  if (table[0].rangeLen != jbig2HuffmanEOT) {
+i = 0;
+prefix = 0;
+table[i++].prefix = prefix++;
+for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+  prefix = table[i].prefixLen - table[i-1].prefixLen;
+  table[i].prefix = prefix++;
+}
   }
 }
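Review bot: the new `if (table[0].rangeLen != jbig2HuffmanEOT)` guard means a table whose first entry is already the EOT marker leaves the function with no prefix assigned at all, silently. If an empty table is not a legal input, this is the place to report an error or return a failure code rather than fall through, so that later lookups never consult an uninitialised prefix.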
 
@@ -491,7 +493,7 @@
   }
   if (p-bits  0) {
 error(str-getPos(), Bad two dim code in JBIG2 MMR stream);
-return 0;
+return EOF;
   }
   bufLen -= p-bits;
   return p-n;
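Review bot: returning EOF instead of 0 from the two-dimensional code reader changes the contract for every caller that previously compared the result against 0; each call site must now test for EOF explicitly, otherwise the negative value flows straight into code-length arithmetic. Please name the adjusted callers in the changelog entry so the etch backport can be checked against them.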
@@ -507,7 +509,7 @@
 ++nBytesRead;
   }
   while (1) {
-if (bufLen = 7  ((buf  (bufLen - 7))  0x7f) == 0) {
+if (bufLen = 11  ((buf  (bufLen - 7))  0x7f) == 0) {
   if (bufLen = 12) {
 	code = buf  (12 - bufLen);
   } else {
@@ -550,14 +552,15 @@
 ++nBytesRead;
   }
   while (1) {
-if (bufLen = 6  ((buf  (bufLen - 6))  0x3f) == 0) {
+if (bufLen = 10  ((buf  (bufLen - 6))  0x3f) == 0) {
   if (bufLen = 13) {
 	code = buf  (13 - bufLen);
   } else {
 	code = buf  (bufLen - 13);
   }
   p = blackTab1[code  0x7f];
-} else if (bufLen = 4  ((buf  (bufLen - 4))  0x0f) == 0) {
+} else if (bufLen = 7  ((buf  (bufLen - 4))  0x0f) == 0 
+	   ((buf  (bufLen - 6))  0x03) != 0) {
   if (bufLen = 12) {
 	code = buf  (12 - bufLen);
   } else {
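Review bot: the raised bufLen thresholds (10 and 7 in place of 6 and 4, and 11 in place of 7 in the previous hunk) together with the extra test on the bits just below the 6-bit window are the whole fix, but nothing in the hunk says why those particular counts are enough lookahead for the blackTab1/blackTab2 indexing to stay in bounds. A one-line comment giving the minimum code length each table needs would let a reviewer verify the numbers instead of trusting them.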
@@ -667,6 +670,7 @@
   void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp);
   Guchar *getDataPtr() { return data; }
   int getDataSize() { return h * line; }
+  GBool isOk() { return data != NULL; }
 
 private:
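Review bot: isOk() is added to JBIG2Bitmap, but no hunk in this patch calls it, and it is only meaningful if every constructor sets data to NULL when its allocation fails. Please include the constructor change and the call sites (the readers that size bitmaps from segment headers) so the check actually takes effect in the backport.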
 
@@ -762,6 +766,8 @@
 inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
   if (y  0 || y = h || x = w) {
 ptr-p = NULL;
+ptr-shift = 0; // make gcc happy
+ptr-x = 0; // make gcc happy
   } else if (x  0) {
 ptr-p = data[y * line];
 ptr-shift = 7;
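Review bot: the two `// make gcc happy` comments undersell the change: initialising ptr->shift and ptr->x on the out-of-range path prevents callers from reading uninitialised fields when ptr->p is NULL, which is a correctness fix and not just a warning silencer. Reword the comments to say that.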
@@ -806,6 +812,10 @@
   Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
   GBool oneByte;
 
+  // check for the pathological case where y = -2^31
+  if (y  -0x7fff) {
+return;
+  }
   if (y  0) {
 y0 = -y;
   } else {
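Review bot: the comment says the guard is for y = -2^31, but the condition compares against a hand-typed hex literal; use INT_MIN from <limits.h> (or compare against -INT_MAX) so the value and the comment cannot drift apart. Since the next lines compute `y0 = -y`, the check should reject every y for which the negation would overflow, not only the single extreme value.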
@@ -1226,6 +1236,7 @@
   Guint segNum, segFlags, segType, page, segLength;
   Guint refFlags, nRefSegs;
   Guint *refSegs;
+  int segDataPos;
   int c1, c2, c3;
   Guint i;
 
@@ -1293,6 +1304,16 @@
   goto eofError2;
 }
 
+// keep track of the start of the segment data 
+segDataPos = getPos();
+
+// check for missing page information segment
+if (!pageBitmap  ((segType = 4  segType = 7) ||
+			(segType = 20  segType = 43))) {
+  error(getPos(), First JBIG2 segment associated with a page must be a page information segment);
+  return;
+}
+
 // read the segment data
 switch (segType) {
 case 0:
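Review bot: the new "First JBIG2 segment associated with a page must be a page information segment" path does a bare `return;` whereas the existing error path just above uses `goto eofError2`; if refSegs (declared in the previous hunk) has been allocated by this point, the early return leaks it. Use the existing cleanup label instead of returning directly.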
@@ -1368,6 +1389,45 @@
   break;
 }
 
+// Make sure the segment handler read all of the bytes in the 
+// segment data, unless this segment is marked as having an
+// unknown length (section 7.2.7 of the JBIG2 Final Committee Draft)
+
+if (segLength != 0x) {
+
+  int segExtraBytes = segDataPos + segLength - getPos();
+  if (segExtraBytes  0) {
+
+	// If we didn't read all of the bytes in the segment data,
+	// indicate an error, and throw away the rest of the data.
+	
+	// v.3.1.01.13 of the LuraTech PDF Compressor Server will
+	// sometimes generate an extraneous NULL byte at the end of
+	// arithmetic-coded symbol dictionary segments when numNewSyms
+	// == 0.  Segments like this often 
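Review bot: `int segExtraBytes = segDataPos + segLength - getPos();` mixes the int position with the unsigned segLength, so the subtraction is performed in unsigned arithmetic and then truncated into an int; a segLength close to the sentinel value wraps instead of producing a large positive count. Compute the expected end position in a wide signed type, or check segLength against the bytes remaining in the stream, before subtracting. The hunk is also cut off in the archived copy, so its tail could not be reviewed.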

Bug#537633: libio-socket-ssl-perl: incorrect validation of hostnames

2009-07-19 Thread Michael S. Gilbert
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch

a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0].  see patch [1].  please coordinate with the
security team to prepare updates for the stable releases.  thank you.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=509819
[1] http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1






Bug#537634: mediawiki: multiple vulnerabilities fixed in new upstreams

2009-07-19 Thread Michael S. Gilbert
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security

hello, multiple vulnerabilities have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.

[0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/87.html






Bug#537637: htmldoc: buffer overflow in util.cxx's set_page_size()

2009-07-19 Thread Michael S. Gilbert
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch

hello, a security advisory has been issued for htmldoc [0].  patches
available from gentoo [1].  please coordinate with the security team to
prepare updates for the stable releases.  thank you.

[0] http://secunia.com/advisories/35780/
[1] http://bugs.gentoo.org/show_bug.cgi?id=278186






Bug#537409: info

2009-07-19 Thread Michael S Gilbert
while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the -fno-delete-null-pointer-checks flag will completely disable
this option kernel-wide [1].

obviously there is a tradeoff here.  the null pointer optimization
does make the kernel run a bit faster (and maybe that should be
quantified to determine the impact), but on the other hand it opens up
a slew of vulnerabilities.  i think erring on the side of
caution/security is the way to go.

anyway, just a thought.

mike

[1] http://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
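The pattern behind the kernel issue discussed above, as an added example that is not part of the bug report and not kernel code: when a pointer is dereferenced before it is tested, gcc is entitled to treat the later NULL test as dead and remove it, which is exactly what -fno-delete-null-pointer-checks suppresses. The struct, function names and sample value are hypothetical; the defender's fix is the ordering shown in the second function, with the compiler flag as belt-and-braces.

```c
#include <stddef.h>

/* Hypothetical record standing in for a kernel object (constructed for
 * this example; not taken from the report). */
struct sock_ops {
    int proto;
};

/* Unsafe ordering: the load through p happens before p is tested.
 * Dereferencing NULL is undefined behaviour, so gcc may assume p != NULL
 * afterwards and delete the comparison entirely (unless built with
 * -fno-delete-null-pointer-checks). The real defect is the ordering, so
 * the flag only hides it. Never call this with NULL. */
int proto_unsafe_order(struct sock_ops *p)
{
    int proto = p->proto;   /* dereference first ...                    */
    if (p == NULL)          /* ... so this check may be optimised away   */
        return -1;
    return proto;
}

/* Safe ordering: validate the pointer before any access, so the check is
 * meaningful regardless of optimisation flags. */
int proto_safe_order(const struct sock_ops *p)
{
    if (p == NULL)
        return -1;
    return p->proto;
}

/* Exercise the safe path with a valid object and with NULL.
 * Returns 1 when both behave as expected. */
int check_safe_order(void)
{
    struct sock_ops s = { 17 };   /* constructed sample value */
    return proto_safe_order(&s) == 17 && proto_safe_order(NULL) == -1;
}
```

Building proto_unsafe_order with optimisation and inspecting the generated code shows the comparison disappearing; the flag restores it, but reviewing for dereference-before-check ordering is what actually removes the bug class.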






Bug#537281: dbus: uninstallable due to missing directory

2009-07-16 Thread Michael S. Gilbert
package: dbus
version: 1.2.16-1
severity: grave

hello, dbus is currently uninstallable on sid; erroring with the
following message:

  chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
  such file or directory

this can be fixed with a 'mkdir -p':

  $ sudo mkdir -p /usr/lib/dbus-1.0/dbus-daemon-launch-help
  $ sudo apt-get install -f

thanks for fixing this.

mike






Bug#537299: base: user deletes files without write permission, partition full

2009-07-16 Thread Michael S. Gilbert
On Thu, 16 Jul 2009 21:26:53 +0200, Chiel Kooijman wrote:
> Package: base
> Severity: critical
> Tags: security
> Justification: root security hole
>
> I tried to edit /etc/fstab as user (forgot to use `sudo') but, as I
> noticed later, the partition that contains the root (/) files was full.
> After that I tried to edit the file as superuser (I hadn't read the
> message when I tried to write because I assumed it was complaining about
> permission).
> But when I opened the file again it was empty (it did exist; but no text,
> as if created with touch).

are you sure that /etc/fstab was non-empty before you tried to edit
it in the first place?  it seems rather unlikely that reading a file
(that you do not have write permission for) would lead to it getting
erased in any situation (full disk or not); although it's not impossible.

it's more likely that if you didn't resolve the lack of disk
beforehand, then when you sudo edited the file there was no tmp space
for vim's swap file and thus you were looking at an apparently empty
file. if you saved that, then you would thus have a permanently empty
/etc/fstab.

my inclination is that this is not a security problem.






Bug#537299: base: user deletes files without write permission, partition full

2009-07-16 Thread Michael S. Gilbert
reassign 537299 vim
retitle 537299 vim: potential data loss on saturated disk partitions
tag 537299 - security
thanks

On Thu, 16 Jul 2009 23:26:26 +0200, Chiel Kooijman wrote:
> Thanks for your reply,
>
> I guess you're right.
> It hadn't occurred to me yet that it could have happened at the moment of
> opening the second time when I did have writing permission.
>
> So this is indeed probably not a security problem.

reassigning to vim.  it's likely a corner case that's difficult and
just not interesting to deal with (users should know that lack of
disk space often leads to unexpected badness). but you can see what they
have to say about it.  try apt-get clean to recover some space.






Bug#537104: iceweasel: critical 0-day remote shellcode injection

2009-07-14 Thread Michael S. Gilbert
package: iceweasel
version: 3.5
severity: critical
tags: security

hello, a remote shellcode injection has been disclosed for firefox [0],
[1].  the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susceptible as well. i
have not checked.

this is critical since it is being exploited in the wild.

[0] http://secunia.com/advisories/35789
[1] http://milw0rm.com/exploits/9137






Bug#537104: forwarded

2009-07-14 Thread Michael S Gilbert
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks






Bug#536718: apache2: CVE-2009-1890 denial-of-service vulnerability

2009-07-12 Thread Michael S. Gilbert
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.

CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.

Patches are available [0].  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://security-tracker.debian.net/tracker/CVE-2009-1890






Bug#535489: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities

2009-07-12 Thread Michael S. Gilbert
reopen 535488
reopen 535489
thanks

On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:

> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
> > CVE-2009-0791[0]:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.

are you sure about this?  i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied).  the only way i see this as not
affected is if these packages do not build the pdftops code.  i am not
that familiar with the package, so i did not check whether this is the
case.  i've checked the unstable cups package and the pdftops code is
in fact removed there.

mike






Bug#536724: wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures

2009-07-12 Thread Michael S. Gilbert
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security

an advisory, CORE-2009-0515, has been issued for wordpress.  there are issues
with unchecked privileges and many potential information disclosures.  see [1].

this is fixed in upstream version 2.8.1.  please coordinate with the security
team to prepare updates for the stable releases.

[1] http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=advisory&name=WordPress_Privileges_Unchecked






Bug#534973: stable updates

2009-07-06 Thread Michael S. Gilbert
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > as well. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable as well?
>
> Thank you for getting in touch with us. Judging from the context in which
> this bug manifests itself, I think releasing a DSA for it is overkill. It happens
> when creating a new X-Face header, which is something you would do rarely,
> mostly not with any random image you didn't check out before, always as an
> unprivileged user and what can happen is a crash of the conversion which is
> hardly harmful. The security implications of this are very minor. Normally
> there's a process to fix minor security issues through a stable point update
> but I think this one is even too minor for that. It's great that testing and
> unstable are fixed for the future, but I propose that we just leave it at
> that and consider this case closed.

i would agree.  the implications (a user-initiated application crash on
invalid input) are so minor that this probably should not have been
tagged as a security concern nor given a CVE in the first place.
although, has the possibility of code injection been fully ruled out?

mike






Bug#535795: [Secure-testing-team] Bug#535795: nagios3: 3.0.6-5 uninstallable in amd64 due to dependencies

2009-07-05 Thread Michael S Gilbert
On 7/5/09, Kiko Piris wrote:
> Can’t upgrade nagios3 to 3.0.6-5, aptitude complains :
>
> | The following packages have unmet dependencies:
> |   nagios3: Depends: libltdl3 (>= 1.5.2-2) which is a virtual package.
>
> And since that version solves DSA-1825-1, setting severity to grave.
>
> Regards
>
> --
> Kiko
>
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.29.6--std-ipv6-64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages nagios3 depends on:
> ii  libc6           2.9-18             GNU C Library: Shared libraries
> ii  libgd2-xpm      2.0.36~rc1~dfsg-3  GD Graphics Library version 2
> ii  libjpeg62       6b-14              The Independent JPEG Group's JPEG
> ii  libperl5.10     5.10.0-23          Shared Perl library
> ii  libpng12-0      1.2.37-1           PNG library - runtime
> ii  nagios3-common  3.0.6-4            support files for nagios3
> ii  perl            5.10.0-23          Larry Wall's Practical Extraction
> ii  zlib1g          1:1.2.3.3.dfsg-14  compression library - runtime

it looks like you have an odd mix of stable and unstable going on;
both with pin-priority 500, which should have you running mostly
stable packages; however, you still have mostly stable packages
installed. your apt is trying to get nagios3 from unstable 3.0.6-5;
instead of from stable, which would be version 3.0.6-4~lenny2.

you need to sort out your problematic apt config.

mike






Bug#532520: forwarded

2009-07-05 Thread Michael S. Gilbert
forwarded 532520 http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks

it looks like the lynx situation for this issue isn't so simple.






Bug#532520: info

2009-07-05 Thread Michael S. Gilbert
from some of the upstream discussion, it looks like libbsd provides an
arc4random cryptographically secure PRNG, which lynx prefers when
available. an appropriate fix for this issue thus would be to depend on
libbsd0 and make sure lynx makes use of its arc4random.

mike
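What "make sure lynx makes use of arc4random" amounts to in code, as an added example that is not lynx's source and not part of this report: generate the kind of unpredictable token (here a multipart boundary) from a cryptographically secure source, preferring libbsd's arc4random_buf() when the build defines HAVE_ARC4RANDOM (an assumed build macro) and otherwise reading /dev/urandom, never falling back to rand(). The rejection-sampling loop avoids the modulo bias a naive byte % 62 would introduce. Function names and the 24-character length are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#ifdef HAVE_ARC4RANDOM
#include <bsd/stdlib.h>   /* libbsd's arc4random_buf(); assumed available */
#endif

/* 62 URL/MIME-safe characters used for boundary strings. */
#define BOUNDARY_ALPHABET \
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

/* Fill buf with n bytes from a cryptographically secure source.
 * Returns 1 on success, 0 on failure; there is deliberately no
 * fallback to rand()/random(), which is the predictable PRNG at issue. */
int csprng_bytes(unsigned char *buf, size_t n)
{
#ifdef HAVE_ARC4RANDOM
    arc4random_buf(buf, n);
    return 1;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n;
#endif
}

/* Write an unpredictable boundary of `len` characters into out
 * (out must hold len + 1 bytes). Returns 1 on success, 0 on failure.
 * Bytes >= 248 are discarded so each character is drawn uniformly
 * from the 62-character alphabet (248 = 4 * 62, so no modulo bias). */
int make_boundary(char *out, size_t len)
{
    static const char alphabet[] = BOUNDARY_ALPHABET;
    const unsigned limit = 256 - (256 % 62);   /* 248 */
    unsigned char raw[64];
    size_t filled = 0;

    if (len == 0)
        return 0;
    while (filled < len) {
        if (!csprng_bytes(raw, sizeof raw))
            return 0;
        for (size_t i = 0; i < sizeof raw && filled < len; i++) {
            if (raw[i] >= limit)
                continue;                      /* reject, resample */
            out[filled++] = alphabet[raw[i] % 62];
        }
    }
    out[len] = '\0';
    return 1;
}

/* Self-check: two fresh 24-character boundaries must be well formed
 * and must differ. Returns 1 on success. */
int boundary_self_test(void)
{
    char a[25], b[25];
    if (!make_boundary(a, 24) || !make_boundary(b, 24))
        return 0;
    if (strlen(a) != 24 || strlen(b) != 24)
        return 0;
    if (strspn(a, BOUNDARY_ALPHABET) != 24 || strspn(b, BOUNDARY_ALPHABET) != 24)
        return 0;
    return strcmp(a, b) != 0;
}
```

The point of the hard failure in csprng_bytes is that a silent fallback to a seeded libc PRNG would reintroduce exactly the predictability the bug is about; a browser is better off refusing to build the request than emitting a guessable boundary.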






Bug#535795: nagios3: 3.0.6-5 uninstallable in amd64 due to dependencies

2009-07-05 Thread Michael S. Gilbert
On Sun, 5 Jul 2009 08:43:27 +0200 Kiko Piris wrote:
> | # apt-cache policy nagios3
> | nagios3:
> |   Installed: 3.0.6-4+b1
> |   Candidate: 3.0.6-5
> |   Version table:
> |      3.0.6-5 0
> |         500 http://mir1.ovh.net unstable/main Packages
> |  *** 3.0.6-4+b1 0
> |         100 /var/lib/dpkg/status
>
> | # apt-cache show nagios3
> | Package: nagios3
> | Priority: optional
> | Section: net
> | Installed-Size: 4140
> | Maintainer: Debian Nagios Maintainer Group pkg-nagios-de...@lists.alioth.debian.org
> | Architecture: amd64
> | Version: 3.0.6-5
> | Depends: libc6 (>= 2.3.4), libgd2-xpm (>= 2.0.36~rc1~dfsg), libglib2.0-0 (>= 2.12.0), libjpeg62, libltdl3 (>= 1.5.2-2), libperl5.10 (>= 5.10.0), libpng12-0 (>= 1.2.13-4), zlib1g (>= 1:1.1.4), nagios3-common (= 3.0.6-5), perl
> | Suggests: nagios-nrpe-plugin
> | Filename: pool/main/n/nagios3/nagios3_3.0.6-5_amd64.deb
> | Size: 1526226
> | MD5sum: 81bd2988c5f90a9ced054c41e7b381ab
> | SHA1: 82a16ed5b08b2af0e29b83b72ab1461907c61042
> | SHA256: 24f688e07fda4274f423a2a8aa58dc09434a11deab169a99a56ce1c68990b5b8
> | Description: A host/service/network monitoring and management system
> | [...]
> | Package: nagios3
> | Status: install ok installed
> | Priority: optional
> | Section: net
> | Installed-Size: 4152
> | Maintainer: Debian Nagios Maintainer Group pkg-nagios-de...@lists.alioth.debian.org
> | Architecture: amd64
> | Source: nagios3 (3.0.6-4)
> | Version: 3.0.6-4+b1
> | Depends: libc6 (>= 2.3.4), libgd2-noxpm (>= 2.0.36~rc1~dfsg) | libgd2-xpm (>= 2.0.36~rc1~dfsg), libjpeg62, libperl5.10 (>= 5.10.0), libpng12-0 (>= 1.2.13-4), zlib1g (>= 1:1.1.4), nagios3-common (= 3.0.6-4), perl
> | Suggests: nagios-nrpe-plugin
> | Description: A host/service/network monitoring and management system
> | [...]
>
> That dependency on 3.0.6-5: libltdl3 (>= 1.5.2-2), is the one that gives
> me problems:

are you sure that http://mir1.ovh.net is up to date (and a trustworthy
source)? you should be seeing the availability of 3.0.6-5+b1 for
unstable, which, at least for me, has no dependency on libltdl3 on
amd64:

$ apt-cache show nagios3
Source: nagios3 (3.0.6-5)
Version: 3.0.6-5+b1
Depends: libc6 (>= 2.3.4), libgd2-noxpm (>= 2.0.36~rc2~dfsg) | libgd2-xpm (>= 2.0.36~rc1~dfsg), libjpeg62, libperl5.10 (>= 5.10.0), libpng12-0 (>= 1.2.13-4), zlib1g (>= 1:1.1.4), nagios3-common (= 3.0.6-5), perl
Suggests: nagios-nrpe-plugin
Filename: pool/main/n/nagios3/nagios3_3.0.6-5+b1_amd64.deb

mike






Bug#535795: nagios3: 3.0.6-5 uninstallable in amd64 due to dependencies

2009-07-05 Thread Michael S. Gilbert
On Sun, 5 Jul 2009 20:25:47 +0200 Kiko Piris wrote:
> Yes, I can see it now.
>
> But, according to the file date on a couple of mirrors I just checked,
> it seems to have “appeared” this morning at 11:19 CEST (just a couple of
> hours after my bugreport).

fixed in latest unstable upload.  closing.






Bug#535890: phpmyadmin: remote code injection via xss vulnerability

2009-07-05 Thread Michael S. Gilbert
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpmyadmin.

CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbitrary web script or HTML via a
| crafted SQL bookmark.

This is fixed in unstable.  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2284
http://security-tracker.debian.net/tracker/CVE-2009-2284






Bug#535896: rails: potential password bypass

2009-07-05 Thread Michael S. Gilbert
package: rails
version: 1.1.6-3
severity: serious
tags: security

hello,

it has been found that rails is vulnerable to a password bypass [1].  this will
be fixed in upstream version 2.3.3.

[1] http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest






Bug#535909: camlimages: CVE-2009-2295 several integer overflows

2009-07-05 Thread Michael S. Gilbert
package: camlimages
version: 2.20-8
severity: serious
tags: security

hello,

camlimages is vulnerable to several integer overflows [1].  this has
not yet been fixed upstream, but has been addressed by redhat [2].

[1] http://www.ocert.org/advisories/ocert-2009-009.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=509531






Bug#534973: stable updates

2009-07-04 Thread Michael S. Gilbert
reopen 534973
fixed 534973 1:1.5.2-5
thanks

hello,

please assist the security team to prepare updates for this issue in
the stable releases.  thank you.

mike






Bug#515734: solutions don't work for me

2009-07-04 Thread Michael S. Gilbert
hello,

i just encountered this problem after upgrading xorg in unstable as
well. i use the dvorak keyboard, but now gdm and x have switched to
qwerty by default.  i have tried reverting to libxi6 1.1.4 from
testing, but that did not solve the problem.  i also tried setting up
the following in /etc/hal/fdi/policy/10-keymap.fdi:

<?xml version="1.0" encoding="ISO-8859-1"?> <!-- -*- SGML -*- -->
<deviceinfo version="0.2">
  <device>
    <!-- HAL's match attribute is spelled "contains" -->
    <match key="info.capabilities" contains="input.keys">
      <merge key="input.xkb.layout" type="string">us</merge>
      <merge key="input.xkb.variant" type="string">dvorak</merge>
      <merge key="input.xkb.options" type="string">compose:lwin</merge>
    </match>
  </device>
</deviceinfo>

but it did not make a difference.  in the meantime, i've added
setxkbmap dvorak as one of my autostart apps, which is a partial
solution; however, non-optimal.  thanks for any help anyone can provide
on this.

mike






Bug#532522: forwarded

2009-07-04 Thread Michael S. Gilbert
reopen 532522
forwarded 532522 http://www.dillo.org/bugtrack/Dquery.html
thanks






Bug#535788: dillo: CVE-2009-2294 integer overflow vulnerability

2009-07-04 Thread Michael S. Gilbert
package: dillo
version: 0.8.5-4
severity: serious
tags: security

hello,

it has been found that dillo is vulnerable to an integer overflow.  the
text of the problem is:

|Dillo, an open source graphical web browser, suffers from an integer
|overflow which may lead to a potentially exploitable heap overflow and
|result in arbitrary code execution.
|
|The vulnerability is triggered by HTML pages with embedded PNG images,
|the Png_datainfo_callback function does not properly validate the width
|and height of the image. Specific PNG images with large width and
|height can be crafted to trigger the vulnerability.

this is fixed in upstream version 2.2.1.  please coordinate with the
security team to prepare updates for etch/lenny.

this is CVE-2009-2294 [0].  please make sure to include this number in
your changelog if you fix the issue.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2294
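The validation the dillo advisory above says was missing (and the same integer-overflow class reported for camlimages in Bug#535909), as an added example that is not dillo's or camlimages' code: compute the image buffer size in 64-bit arithmetic, bound the dimensions and the product before allocating, and never hand a wrapped, too-small allocation to the decoder. The dimension and byte limits are assumed policy values, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limits for this example (not taken from dillo). */
#define MAX_IMAGE_DIM   (1u << 15)    /* 32768 px per side */
#define MAX_IMAGE_BYTES (256u << 20)  /* 256 MiB of pixel data */
#define MAX_BYTES_PER_PIXEL 16u

/* Compute width * height * bytes_per_pixel without wrapping.
 * Returns 1 and stores the size in *out on success, 0 on rejection. */
int image_buffer_size(uint32_t width, uint32_t height,
                      uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (width > MAX_IMAGE_DIM || height > MAX_IMAGE_DIM)
        return 0;
    if (bytes_per_pixel > MAX_BYTES_PER_PIXEL)
        return 0;
    /* After the bounds above the 64-bit product cannot overflow:
     * 2^15 * 2^15 * 16 = 2^34. */
    uint64_t total = (uint64_t)width * height * bytes_per_pixel;
    if (total > MAX_IMAGE_BYTES || total > (uint64_t)SIZE_MAX)
        return 0;
    *out = (size_t)total;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel)
{
    size_t n = 0;
    return image_buffer_size(width, height, bytes_per_pixel, &n) ? n : 0;
}

/* Allocate a zeroed image buffer, or return NULL when the header
 * fields are rejected. Caller frees with free(). */
unsigned char *image_buffer_alloc(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel)
{
    size_t n;
    if (!image_buffer_size(width, height, bytes_per_pixel, &n))
        return NULL;
    return calloc(n, 1);
}

/* The unchecked product the validation exists to catch: in 32-bit
 * arithmetic 65536 x 65536 x 4 wraps to 0, so a decoder that used it
 * would allocate nothing and then write the whole image. */
uint32_t naive_size_32(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* may wrap */
}

/* Round-trip check: a small constructed image allocates and is zeroed.
 * Returns 1 on success. */
int alloc_roundtrip(void)
{
    unsigned char *p = image_buffer_alloc(2, 2, 3);   /* 12 bytes */
    if (p == NULL)
        return 0;
    int zeroed = 1;
    for (size_t i = 0; i < 12; i++)
        zeroed = zeroed && p[i] == 0;
    free(p);
    return zeroed;
}
```

Note that the 32768 x 32768 x 4 case is rejected by the byte limit even though each dimension is within bounds: it is exactly the product, not the individual fields, that the naive 32-bit computation gets wrong.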






Bug#533347: info

2009-07-04 Thread Michael S. Gilbert
fixed 533347 1.0.8-1
thanks

some more info about this issue can be found here [1].  please
coordinate with the security team to prepare updated packages for the
stable releases.  thanks.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=501929






Bug#535793: webkit: deluge of security vulnerabilities

2009-07-04 Thread Michael S Gilbert
package: webkit
version: 1.0.1-4
severity: grave
tags: security

hello,

webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.

the only definitive information i can figure out at this point is that
webkit is possibly affected by the following CVEs.  it is unknown
which versions are affected and which versions are fixed.  i will
start a dialog with upstream to try to start to figure this out.

| WebKit
| CVE-ID:  CVE-2006-2783
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description:  WebKit ignores Unicode byte order mark sequences when
| parsing web pages. Certain websites and web content filters attempt
| to sanitize input by blocking specific HTML tags. This approach to
| filtering may be bypassed and lead to cross-site scripting when
| encountering maliciously-crafted HTML tags containing byte order mark
| sequences. This update addresses the issue through improved handling
| of byte order mark sequences. Credit to Chris Weber of Casaba
| Security, LLC for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-1588
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Unicode ideographic spaces may be used to spoof a website
| Description:  When Safari displays the current URL in the address
| bar, Unicode ideographic spaces are rendered. This allows a
| maliciously crafted website to direct the user to a spoofed site that
| visually appears to be a legitimate domain. This update addresses the
| issue by not rendering Unicode ideographic spaces in the address bar.
|
| WebKit
| CVE-ID:  CVE-2008-2320
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's handling
| of invalid color strings in CSS. Visiting a maliciously crafted
| website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved handling of color strings. Credit to Thomas Raffetseder of
| the International Secure Systems Lab for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-3632
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| '@import' statements within Cascading Style Sheets. Visiting a
| maliciously crafted website may lead to an unexpected application
| termination or arbitrary code execution. This update addresses the
| issue through improved handling of style sheets. Credit to Dean
| McNamee of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-4231
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized memory access issue exists in WebKit's
| handling of HTML tables. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through proper
| initialization of the internal representation of HTML tables. Credit
| to Haifei Li of Fortinet's FortiGuard Global Security Research Team
| for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1681
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Interacting with a maliciously crafted website may result in
| unexpected actions on other sites
| Description:  A design issue exists in the same-origin policy
| mechanism used to limit interactions between websites. This policy
| allows websites to load pages from third-party websites into a
| subframe. This frame may be positioned to entice the user to click a
| particular element within the frame, an attack referred to as
| clickjacking. A maliciously crafted website may be able to
| manipulate a user into taking an unexpected action, such as
| initiating a purchase. This update addresses the issue through
| adoption of the industry-standard 'X-Frame-Options' extension header,
| that allows individual web pages to opt out of being displayed within
| a subframe.
|
| WebKit

Bug#535793: upstream discussion

2009-07-04 Thread Michael S Gilbert
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks

i've started a discussion on these issues in the upstream bug report
in the above link.






Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities

2009-07-02 Thread Michael S. Gilbert
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See redhat bug for patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840






Bug#535489: cups: CVE-2009-0791 integer overflow vulnerabilities

2009-07-02 Thread Michael S. Gilbert
Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See redhat bug for patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840






Bug#532520: predictable random number generator used in web browsers

2009-06-25 Thread Michael S. Gilbert
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
> lynx supports neither Javascript nor multipart/form-data, so it's not
> affected.

i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular exploit in javascript/forms). 

i would prefer to keep these bugs open and tracked at a low level until
this core problem is addressed.  since you are triaging the symptom,
may i request that you open new bugs specifically for that problem
itself rather than overriding my submissions?  thanks for understanding.

mike






Bug#532689: lenny still affected

2009-06-19 Thread Michael S Gilbert
reopen 532689
thank you

this bug isn't entirely fixed yet since stable is still affected.
please coordinate with the security team to prepare updates for lenny.
thanks.

mike






Bug#533676: libpng: CVE-2009-2042 out-of-bounds pixels vulnerability

2009-06-19 Thread Michael S Gilbert
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.

CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not divisible by 8, which causes libpng to
| include uninitialized bits in certain rows of a PNG file and might
| allow remote attackers to read portions of sensitive memory via
| out-of-bounds pixels in the file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

This is already fixed in the version of unstable.  Please coordinate
with the security team to prepare updates for the stable releases.
Thank you.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
http://security-tracker.debian.net/tracker/CVE-2009-2042






Bug#520052: webkit: CVE-2008-4723 cross-site scripting vulnerability

2009-06-17 Thread Michael S. Gilbert
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks

yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected.  in fact, i believe
that my description in the original report is very complete and
describes the extent of the problem very accurately.  enough so that
someone could come along and recheck the status.

i don't mean to sound rude, but if you wish to close bugs, please do the
requisite testing and background checking first.  i spent the time to
do a good job before submitting the bug.  please respect that by doing a
thorough job before closing the bug.  

also, you could have just asked me to recheck, which i have now done.
it appears that the problem is now resolved in unstable; however,
lenny is still affected.

kind regards,
mike

[1] http://www.jorgan.users.cg.yu/gc-mf.txt






Bug#520052: wrong CVE

2009-06-17 Thread Michael S. Gilbert
CVE-2008-4723 is the wrong CVE, which is for firefox.  it should be
CVE-2008-4724






Bug#520052: spu candidate

2009-06-17 Thread Michael S. Gilbert
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update?  if so, please
contact the security team.

mike






Bug#532720: dbus: CVE-2009-1189 incomplete fix for CVE-2008-3834

2009-06-10 Thread Michael S. Gilbert
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.

CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| incorrect logic to validate a basic type, which allows remote
| attackers to spoof a signature via a crafted key.  NOTE: this is due
| to an incorrect fix for CVE-2008-3834.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.  Patches available [1].

Please coordinate with the security team to prepare updates for the
stable releases.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1189
http://security-tracker.debian.net/tracker/CVE-2009-1189
[1] http://bugs.freedesktop.org/show_bug.cgi?id=17803






Bug#532720: (no subject)

2009-06-10 Thread Michael S. Gilbert
found 532720 1.0.2-1+etch2
thank you

note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433






Bug#517639: still present in stable releases

2009-06-09 Thread Michael S. Gilbert
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you

hi,

this bug is still present in the stable releases.  please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.






Bug#532514: predictable random number generator used in web browsers

2009-06-09 Thread Michael S. Gilbert
package: webkit
severity: serious
tags: security

hello,

it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG).  please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].

[0] http://www.trusteer.com/temporary-user-tracking-in-major-browsers
[1] Lenore Blum, Manuel Blum, and Michael Shub, A Simple Unpredictable
Pseudo-Random Number Generator, SIAM Journal on Computing, volume 15,
pages 364-383, May 1986.
[2] http://rng.doesntexist.org/gmpbbs






Bug#532352: gstreamer0.10-plugins-good: CVE-2009-1932 integer overflows

2009-06-08 Thread Michael S. Gilbert
Package: gstreamer0.10-plugins-good
Version:  0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gstreamer0.10-plugins-good.

CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback, (2)
| user_endrow_callback, and (3) gst_pngdec_task functions
| (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka
| gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote
| attackers to cause a denial of service and possibly execute arbitrary
| code via a crafted PNG file, which triggers a buffer overflow.

This bug has already been fixed in unstable (http://bugs.debian.org/531631).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1932
http://security-tracker.debian.net/tracker/CVE-2009-1932






Bug#532372: ecryptfs-utils: CVE-2009-1296 unencrypted passphrase on disk

2009-06-08 Thread Michael S. Gilbert
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.

CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase into installation logs when an eCryptfs
|home directory was selected during Ubuntu installation.  The logs are
|only readable by the root user, but this still left the mount passphrase
|unencrypted on disk, potentially leading to a loss of privacy.

Please coordinate with the security team (t...@security.debian.org) to
prepare fixes for lenny.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1296
http://security-tracker.debian.net/tracker/CVE-2009-1296






Bug#529518: openoffice.org-common: fails to install (need to use mkdir -p to create missing directory)

2009-05-19 Thread Michael S. Gilbert
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2

the latest version of openoffice will not install because a mkdir
fails: 

mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory

if i manually create the directory, the installation works:

$ mkdir -p /var/lib/openoffice/share/config

i think your scripts need a '-p'






Bug#528204: CVE-2008-0388

2009-05-18 Thread Michael S. Gilbert
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
> Thanks. However this applies only to the windows version as those
> functions do not even exist in the linux/unix version.

ok, yes, i see that now.  thanks.






Bug#528204: CVE-2008-0388

2009-05-17 Thread Michael S. Gilbert
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388






Bug#528778: [Secure-testing-team] Bug#528778: eggdrop: incomplete patch for CVE-2007-2807

2009-05-15 Thread Michael S. Gilbert
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341
> 
> 
> Too bad no one noticed that before.
> I am going to upload a 0-day NMU now to fix this.
> 
> debdiff available on:
> http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch
> 
> (includes the wrong bug number to close as I tried to reopen it first but it
> failed because it was already archived).
> 
> Cheers
> Nico

does this mean that DSA-1448 needs to be reissued?  and is that in the
works?  should the etch fixed version get removed from the DSA list to
reindicate that etch is vulnerable?

mike






Bug#528281: closed by Nico Golde n...@debian.org (Re: Bug#528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability)

2009-05-15 Thread Michael S. Gilbert
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the gnutls26 package:
> 
> #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability

does it make sense to close this bug since etch/lenny are still
vulnerable?  from my perspective, it is better to keep the bug open so
that it stays on the maintainer's radar.

mike






Bug#528281: closed by Nico Golde n...@debian.org (Re: Bug#528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability)

2009-05-15 Thread Michael S. Gilbert
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
> On 2009-05-15 Michael S. Gilbert michael.s.gilb...@gmail.com wrote:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was filed against the gnutls26 package:
> > > 
> > > #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
> 
> > does it make sense to close this bug since etch/lenny are still
> > vulnerable?  from my perspective, it is better to keep the bug open so
> > that it stays on the maintainer's radar.
> 
> We have version tracking. It is marked fixed in 2.6.6-1.
> cu andreas

yes, i agree that this is useful, but should a message be sent to
xx-d...@bugs.debian.org before all affected versions are fixed?  i
don't consider a bug as being done until all versions are fixed.

mike






Bug#528281: closed by Nico Golde n...@debian.org (Re: Bug#528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability)

2009-05-15 Thread Michael S. Gilbert
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert michael.s.gilb...@gmail.com [2009-05-15 19:45]:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was filed against the gnutls26 package:
> > > 
> > > #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
> > 
> > does it make sense to close this bug since etch/lenny are still
> > vulnerable?  from my perspective, it is better to keep the bug open so
> > that it stays on the maintainer's radar.
> 
> You are aware of the fact that our BTS knows about versions?

yes, but closing the bug moves it down to the resolved section of the
bug pages, which makes it much more likely to be mistakenly overlooked.






Bug#523054: Any likely update for mod_jk?

2009-05-14 Thread Michael S. Gilbert
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
> Hi,
> 
> I wondered if any fix is likely to be available for CVE-2008-5519
> (information disclosure, looks potentially quite severe) any time
> soon or if any more help is needed?

hi,

no one has claimed this (that i've seen), and the maintainer has not yet
responded, so if you are able to help, please do so.  let the security
team and maintainer know if you are going to work this so that there
isn't duplicated work.

mike






Bug#528434: [Secure-testing-team] Bug#528434: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)

2009-05-14 Thread Michael S. Gilbert
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
> 
> Hi,
> 
> I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
> https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649
> 
> I then reviewed the Ubuntu and Debian packages and found that while the most
> serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
> setgid() and initgroups() were not added. Other distributions (eg Gentoo and
> RedHat) fixed these calls as well. I was then curious to see when these
> two calls could fail and found that sys_setgid can fail via LSM and
> CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID,
> NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
> in our stable releases with the following changelog:
> 
>   * SECURITY UPDATE: cron does not check the return code of setgid() and
>     initgroups(), which under certain circumstances could cause applications
>     to run with elevated group privileges. Note that the more serious issue
>     of not checking the return code of setuid() was fixed in 3.0pl1-64.
>     (LP: #46649)
>     - do_command.c: check return code of setgid() and initgroups()
>     - CVE-2006-2607
> 
> We thought you might be interested in doing the same.

thanks for submitting this report.  this is very helpful and a great
step toward better collaboration on security issues!

mike
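The privilege-drop sequence the Ubuntu changelog above asks for, written out as an added C example (this is not cron's do_command.c and not the Ubuntu patch): supplementary groups first, then the gid, then the uid, with every return value checked and the job refused on the first failure. The three calls sit behind function pointers purely so the ordering can be exercised with fakes that make setgid() fail the way an LSM or a missing CAP_SETGID would; that indirection, the user name "nobody" and the uid/gid 65534 are constructed for this example.

```c
#define _DEFAULT_SOURCE 1   /* glibc: keep initgroups() declared even under -std=c99 */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__linux__)
/* Same prototype glibc/musl use; repeated in case features.h was processed before the define above. */
int initgroups(const char *user, gid_t group);
#endif

/* The three calls that shed the daemon's identity, indirected so the
 * sequencing and error handling can be tested without root. */
struct priv_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};

enum drop_result { DROP_OK = 0, DROP_FAIL_INITGROUPS = 1, DROP_FAIL_SETGID = 2, DROP_FAIL_SETUID = 3 };

/* Groups, then gid, then uid, stopping at the first failure. The report describes
 * cron checking only setuid(): a failing setgid()/initgroups() then left the job
 * running with cron's own (root) group memberships. */
enum drop_result drop_privileges(const struct priv_ops *ops, const char *user, uid_t uid, gid_t gid)
{
    if (ops->initgroups(user, gid) != 0)
        return DROP_FAIL_INITGROUPS;
    if (ops->setgid(gid) != 0)
        return DROP_FAIL_SETGID;
    if (ops->setuid(uid) != 0)
        return DROP_FAIL_SETUID;
    return DROP_OK;
}

/* Fakes (constructed): setgid() fails with EPERM; we count whether setuid() was still reached. */
static int setuid_calls;
static int fake_initgroups_ok(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int fake_setgid_ok(gid_t g) { (void)g; return 0; }
static int fake_setgid_eperm(gid_t g) { (void)g; errno = EPERM; return -1; }
static int fake_setuid_ok(uid_t u) { (void)u; setuid_calls++; return 0; }

/* Scenario: setgid() fails. The drop must stop there and never reach setuid(). */
enum drop_result simulate_setgid_failure(void)
{
    struct priv_ops ops = { fake_initgroups_ok, fake_setgid_eperm, fake_setuid_ok };
    setuid_calls = 0;
    return drop_privileges(&ops, "nobody", 65534, 65534);   /* constructed user/uid/gid */
}

/* Scenario: everything succeeds, so setuid() is reached exactly once. */
enum drop_result simulate_success(void)
{
    struct priv_ops ops = { fake_initgroups_ok, fake_setgid_ok, fake_setuid_ok };
    setuid_calls = 0;
    return drop_privileges(&ops, "nobody", 65534, 65534);
}

int setuid_reached(void) { return setuid_calls; }

/* The real calls, for a process that actually starts as root. */
static int real_initgroups(const char *u, gid_t g) { return initgroups(u, g); }
static int real_setgid(gid_t g) { return setgid(g); }
static int real_setuid(uid_t u) { return setuid(u); }

int main(void)
{
    struct priv_ops ops = { real_initgroups, real_setgid, real_setuid };
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) {
        fprintf(stderr, "no such user\n");
        return 1;
    }
    enum drop_result r = drop_privileges(&ops, pw->pw_name, pw->pw_uid, pw->pw_gid);
    if (r != DROP_OK) {
        /* an unprivileged caller lands here with EPERM, which is the point: refuse, do not run the job */
        perror("privilege drop failed, refusing to run the job");
        return 1;
    }
    printf("now uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Run as root it switches to "nobody"; run unprivileged it refuses, which is the behaviour the unchecked code lacked.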






Bug#524803: ghostscript vulns in stable

2009-05-11 Thread Michael S. Gilbert
hello all,

any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)?  these issues have been sitting
unfixed for quite a while now. thanks.

mike






Bug#528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability

2009-05-11 Thread Michael S. Gilbert
Package: gnutls26
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for gnutls26.

CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote attackers
| to successfully present a certificate that is (1) not yet valid or (2)
| no longer valid, related to lack of time checks in the
| _gnutls_x509_verify_certificate function in lib/x509/verify.c in
| libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.

Note that this is fixed in 2.6.6-1 in unstable.  Please coordinate
with the security team (t...@security.debian.org) to prepare updates
for the stable releases.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417
http://security-tracker.debian.net/tracker/CVE-2009-1417






Bug#527640: opensc: insecure due to wrong public exponent

2009-05-08 Thread Michael S. Gilbert
Package: opensc
Severity: grave
Tags: security
Tags: patch

Hi,

There is a vulnerability in opensc.  Details are:

| The security problem in short: you need a combination of
| 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa key)
| 2.) a PKCS#11 module that accepts that this public exponent and forwards
| it to the card
| 3.) a card that accepts the public exponent and generates the rsa key.
| 
| OpenSC is insecure because due to a code bug in pkcs11-tool it had
| the wrong public exponent. But OpenSC PKCS#11 module is secure, it
| ignores the public exponent. So only if you generate your keys with
| pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if
| you used it with some other vendor's PKCS#11 module, and only if the
| card accepted the bogus value too, then your rsa key is insecure.
|
| you can easily verify keys by looking at the rsa public key or a
| certificate or certificate request, for example the openssl command
| line tools can print the content in plain text. public Exponent = 1
| is bad (3 and higher are accepted values, 65537 or higher is suggested
| by the NIST). 
|
| Here is the full security advisory. No CVE included, as I was not able
| to get one from distributions, vendor-sec or mitre.
|
| OpenSC Security Advisory [07-May-2009]
| ==
| 
| pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537
|
| OpenSC includes a tool for testing its PKCS#11 module called
| pkcs11-tool. This command line tool includes the ability to ask the
| PKCS#11 module to generate an RSA key pair. The tool used to default to a key size
| of 768 bits and a public exponent of 3. These values are considered
| small but ok. In December 2008 a change (SVN commit 3602) changed
| these values to more secure default values of 1024 bit key size
| and a public exponent of 65537. A bug in that code however caused
| the default public exponent to be 1. That value is invalid and
| insecure, a message encrypted with it will be unencrypted.
|
| If pkcs11-tool is used with the PKCS#11 module included in OpenSC,
| there is no security issue, as OpenSC PKCS#11 module ignores any
| public exponent passed to it. Only when pkcs11-tool is used with
| other third party PKCS#11 Modules the problem comes up.
|
| Thanks to Miquel Comas Martí, who found and fixed this bug and
| contacted us on May 7th, 2009.
| 
| This bug only affects users of OpenSC SVN trunk or OpenSC release
| 0.11.7. Older releases do not contain this problem, and the new
| OpenSC release 0.11.8 fixes this problem. Only users of the command
| line tool pkcs11-tool are affected by this problem, and only the
| generate rsa key pair function is affected (--keypairgen or -k).
| There is no option to configure the public exponent using the
| command line tool, so all such uses are affected.
|
| The command line tool pkcs11-tool can be used with the OpenSC
| PKCS#11 Module opensc-pkcs11.so or opensc-pkcs11.dll or with any
| other PKCS#11 module. Only when used with other PKCS#11 module the
| problem arises, as the OpenSC PKCS#11 Module ignores the public
| exponent passed to it.
|
| If you use a third party PKCS#11 Module with pkcs11-tool you
| can use openssl with engine_pkcs11 to create a certificate
| signing request and then use openssl to analyze that csr,
| for example
|   openssl req -in req.pem -noout -text
|   ...
| Exponent: 1 (0x1)
|   ...
|   
| Would show the problem.

Please coordinate with the security team (t...@security.debian.org)
to prepare updates for the stable releases.

A patch that fixes the problem follows:
--- src/tools/pkcs11-tool.c (Revision 3687)
+++ src/tools/pkcs11-tool.c (Revision 3688)
@@ -1035,7 +1035,7 @@
 {
CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR,
0}; CK_ULONG modulusBits = 1024;
-   CK_BYTE publicExponent[] = { 65537 };
+   CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in
bytes */ CK_BBOOL _true = TRUE;
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
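Review bot: the new line `CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 };` is the right encoding, and the removed line shows the root cause: 65537 (0x10001) does not fit in a CK_BYTE, so `{ 65537 }` narrowed to a one-byte array holding 0x01, which is exactly the exponent of 1 the advisory describes. Two things are worth confirming outside this hunk: the CKA_PUBLIC_EXPONENT entry in the public-key template must take its length from `sizeof(publicExponent)` (now 3, formerly 1) rather than a literal, or a third-party module would still receive a single byte; and building with `-Wall`/`-Woverflow` would have flagged the narrowing conversion in the old initializer, so enabling it for this tool would catch a regression.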



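To make the advisory's exponent rule and the narrowing bug concrete, here is an added C example (it is not OpenSC code): it decodes a big-endian CKA_PUBLIC_EXPONENT buffer the way a PKCS#11 module reads it, applies the thresholds the advisory states (1 is invalid, 3 and higher accepted, 65537 and higher recommended), and contrasts what the two initializers from the patch above actually store. `CK_BYTE` is typedef'd locally rather than taken from pkcs11.h, and the rejection of even exponents is a general RSA requirement (e must be coprime to the even number phi(n)) that goes beyond the advisory's wording.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the PKCS#11 byte type used by pkcs11-tool (assumption: no pkcs11.h dependency). */
typedef unsigned char CK_BYTE;

/* Verdicts following the advisory: 1 invalid, 3 and up accepted, 65537 and up recommended. */
enum exp_verdict { EXP_INVALID = 0, EXP_SMALL = 1, EXP_OK = 2 };

/* Decode a big-endian public exponent as CKA_PUBLIC_EXPONENT carries it.
 * Returns 0 on success, -1 if the buffer is empty or wider than unsigned long. */
int decode_exponent(const CK_BYTE *buf, size_t len, unsigned long *out)
{
    unsigned long e = 0;
    size_t i;
    if (len == 0 || len > sizeof(unsigned long))
        return -1;
    for (i = 0; i < len; i++)
        e = (e << 8) | buf[i];
    *out = e;
    return 0;
}

/* Classify an exponent. Even values are rejected as well: RSA needs e coprime to
 * phi(n), which is even (general RSA rule, not part of the advisory's text). */
enum exp_verdict check_exponent(unsigned long e)
{
    if (e < 3 || (e & 1) == 0)
        return EXP_INVALID;
    if (e < 65537)
        return EXP_SMALL;
    return EXP_OK;
}

/* What the buggy declaration stored: 65537 (0x10001) narrowed into one CK_BYTE.
 * The cast is explicit here; the original relied on implicit narrowing in `{ 65537 }`. */
unsigned long exponent_from_buggy_initializer(void)
{
    CK_BYTE publicExponent[1];
    unsigned long e = 0;
    publicExponent[0] = (CK_BYTE)65537UL;
    decode_exponent(publicExponent, sizeof publicExponent, &e);
    return e;                       /* 1 */
}

/* What the fixed declaration stores: the three big-endian bytes of 65537. */
unsigned long exponent_from_fixed_initializer(void)
{
    CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 };
    unsigned long e = 0;
    decode_exponent(publicExponent, sizeof publicExponent, &e);
    return e;                       /* 65537 */
}

int main(void)
{
    static const char *names[] = { "INVALID", "small but accepted", "ok" };
    unsigned long buggy = exponent_from_buggy_initializer();
    unsigned long fixed = exponent_from_fixed_initializer();
    printf("buggy initializer: e = %lu (%s)\n", buggy, names[check_exponent(buggy)]);
    printf("fixed initializer: e = %lu (%s)\n", fixed, names[check_exponent(fixed)]);
    return 0;
}
```

The same `check_exponent` rule is what you would apply to the `Exponent:` line that `openssl req -text` prints for a CSR, as the advisory suggests.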



Bug#527474: pango1.0: integer overflow in heap allocation size calculations

2009-05-07 Thread Michael S. Gilbert
package: pango
severity: grave
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.

CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization.  Pango suffers from a multiplicative integer
|overflow which may lead to a potentially exploitable, heap overflow
|depending on the calling conditions.  For example, this vulnerability is
|remotely reachable in Firefox by creating an overly large
|document.location value but only results in a process-terminating,
|allocation error (denial of service).
|
|The affected function is pango_glyph_string_set_size. An overflow check
|when doubling the size neglects the overflow possible on the subsequent
|allocation:
|
|  string->glyphs = g_realloc (string->glyphs, string->space *
|  sizeof (PangoGlyphInfo));
|
|Note that other font rendering subsystems suffer from similar issues and
|should be cross-checked by maintainers.

Please coordinate with the security team (t...@security.debian.org)
to prepare updates for the stable releases.

See also see USN-773-1 [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
http://security-tracker.debian.net/tracker/CVE-2009-1194
[1] http://www.ubuntu.com/usn/USN-773-1
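The two-stage check the advisory describes, as an added C example (not pango's code): `grow_space` models the guarded doubling of `string->space`, `alloc_bytes_unchecked` models the unguarded `string->space * sizeof (PangoGlyphInfo)`, and `alloc_bytes_checked` is the hardened form that refuses before multiplying. It models a 32-bit build with `uint32_t` so the wrap reproduces on any host; the 12-byte element size is an assumption, and the glyph count used in `main` is a constructed value far beyond any real document.

```c
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit build, where size_t is 32 bits and the advisory's multiplication wraps. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Stand-in for sizeof (PangoGlyphInfo); 12 is an assumption, any small constant wraps the same way. */
#define GLYPH_INFO_SIZE 12u

/* Step 1, the growth the advisory says is checked: double `space` until it covers
 * `needed`, refusing if the glyph *count* itself would overflow int. */
int grow_space(int32_t space, int32_t needed, int32_t *out)
{
    if (needed < 0 || space < 0)
        return -1;
    if (space == 0)
        space = 4;
    while (space < needed) {
        if (space > INT32_MAX / 2)
            return -1;              /* count overflow guard */
        space *= 2;
    }
    *out = space;
    return 0;
}

/* Step 2 as the vulnerable code does it: a plain product, like
 * `string->space * sizeof (PangoGlyphInfo)` in 32-bit arithmetic. */
size32_t alloc_bytes_unchecked(int32_t space)
{
    return (size32_t)space * GLYPH_INFO_SIZE;
}

/* Step 2 hardened: refuse when the byte count cannot fit, before multiplying. */
int alloc_bytes_checked(int32_t space, size32_t *bytes)
{
    if (space < 0 || (size32_t)space > SIZE32_MAX / GLYPH_INFO_SIZE)
        return -1;
    *bytes = (size32_t)space * GLYPH_INFO_SIZE;
    return 0;
}

/* Both steps end to end, starting from an empty string; -1 means "refused". */
int64_t space_for(int32_t needed)
{
    int32_t space;
    return grow_space(0, needed, &space) == 0 ? (int64_t)space : -1;
}

int64_t checked_bytes_for(int32_t needed)
{
    int32_t space;
    size32_t bytes;
    if (grow_space(0, needed, &space) != 0 || alloc_bytes_checked(space, &bytes) != 0)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    int32_t needed = 0x30000000;   /* constructed: ~805M glyphs */
    int64_t space = space_for(needed);
    /* the count guard is satisfied (space = 2^30 fits in int) ... */
    printf("count check passes: space = %lld\n", (long long)space);
    /* ... but 2^30 * 12 = 3 * 2^32 wraps to 0 bytes, so g_realloc would hand back a tiny block */
    printf("unchecked byte count: %u (wrapped)\n", alloc_bytes_unchecked((int32_t)space));
    printf("checked byte count:   %lld (refused)\n", (long long)checked_bytes_for(needed));
    return 0;
}
```

The lesson generalizes: a guard on the element count says nothing about the byte count, so every `count * sizeof(elem)` that feeds an allocator needs its own overflow check (or a multiply-checked allocator such as calloc-style APIs).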






Bug#510205: buffer overflow in libaudiofile

2009-05-06 Thread Michael S. Gilbert
hi,

any news on this one?  since this is being tracked with critical
severity, it really should be handled as swiftly as possible (it's been
six months now since the original disclosure).  suse has issued updates
for CVE-2008-5824, perhaps their patches may be helpful [1].  thanks.

mike

[1]
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg0.html






Bug#526041: clamav: CVE-2008-5525 malware detection bypass

2009-04-28 Thread Michael S. Gilbert
Package: clamav
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for clamav.

CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
| HTML document by placing an MZ header (aka EXE info) at the
| beginning, and modifying the filename to have (1) no extension, (2) a
| .txt extension, or (3) a .jpg extension, as demonstrated by a document
| containing a CVE-2006-5745 exploit.

Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable releases.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5525
http://security-tracker.debian.net/tracker/CVE-2008-5525






Bug#524803: CVE-2008-6679 also fixed

2009-04-26 Thread Michael S. Gilbert
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:

> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
> 
> Michael, please better check the code next time, this would
> have saved me a lot of time this evening.

I apologize.  I have been relying on changelogs, rather than code
review.  ghostscript doesn't have a changelog, so I had no idea that
those CVEs had been fixed.

My intent is to get information into the tracker as soon as possible and
bug reports submitted.  My perception is that once the bug is
submitted, it is now the maintainer's responsibility to work with the
security team, determine affected versions, and get patches ready. It
seems overburdening that the security team does almost all of the
work.  Shouldn't we rely on the maintainer to do his/her fair share?
I mean, it is their package and they should be intimately familiar with
it and upstream's changes.

If I should be doing more code review, I will try. Do you have any
guidelines or workflow that I should follow?  It would be good to have
this kind of stuff documented for other newbies so that there isn't so
much trial-and-error like I'm running in to.

Mike






Bug#515104: closed by Josselin Mouette j...@debian.org (Bug#515104: fixed in nautilus 2.26.2-1)

2009-04-25 Thread Michael S. Gilbert
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the nautilus package:
> 
> #515104: nautilus: potential exploits via application launchers

awesome!  any chance of backporting this to lenny (and perhaps etch), or
are the changes too substantial?

any info you can provide would be useful so i can keep the security
tracker up to date.  thanks.

mike






Bug#523475: xine-lib: CVE-2009-0385 arbitrary code execution

2009-04-19 Thread Michael S. Gilbert
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233






Bug#523475: xine-lib: CVE-2009-0385 arbitrary code execution

2009-04-19 Thread Michael S. Gilbert
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
> This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
> unstable (and should soon be fixed in, at least, stable too; it probably
> applies to oldstable too, but I've not looked yet).

not that i nor anyone else should trust fedora as infallible, but they
do indicate that they made a patch to xine in their security notice for
this (CVE-2009-0385) issue.  did they make a mistake?

it's better to check and make sure rather than to overlook a potential
issue.

thanks,
mike






Bug#524803: ghostscript: multiple vulnerabilities

2009-04-19 Thread Michael S. Gilbert
package: ghostscript
severity: grave
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.

CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial of service
| (crash) and possibly execute arbitrary code via a crafted PDF file
| that triggers a buffer underflow in the cf_decode_2d function.

CVE-2008-6679[1]:
| Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and
| possibly other versions, allows remote attackers to cause a denial of
| service (ps2pdf crash) and possibly execute arbitrary code via a
| crafted Postscript file.

CVE-2009-0196[2]:
| Heap-based buffer overflow in the big2_decode_symbol_dict function
| (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in
| Ghostscript 8.64, and probably earlier versions, allows remote
| attackers to execute arbitrary code via a PDF file with a JBIG2 symbol
| dictionary segment with a large run length value.

Please coordinate with the security team (t...@security.debian.org)
to prepare fixes for the stable releases.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://security-tracker.debian.net/tracker/CVE-2007-6725
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
http://security-tracker.debian.net/tracker/CVE-2008-6679
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
http://security-tracker.debian.net/tracker/CVE-2009-0196






Bug#524806: poppler: multiple vulnerabilities

2009-04-19 Thread Michael S. Gilbert
package: poppler
severity: grave
tags: security

hello,

ubuntu recently patched the following poppler issues [0]:

CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188

these are still reserved in the CVE list, but are disclosed at NVD [1].

[0] http://www.ubuntu.com/usn/usn-759-1
[1] 
http://web.nvd.nist.gov/view/vuln/detail;jsessionid=13611cd10c249e6f7ffe499725ce?execution=e1s1






Bug#524807: cups: multiple vulnerabilities

2009-04-19 Thread Michael S. Gilbert
package: cups
severity: grave
tags: security

hello,

redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:

CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183

these are still reserved in the CVE list, but are disclosed at NVD.

[0] https://rhn.redhat.com/errata/RHSA-2009-0429.html
[1] https://rhn.redhat.com/errata/RHSA-2009-0430.html
[2] https://rhn.redhat.com/errata/RHSA-2009-0431.html






Bug#524373: linux-2.6: /dev/mem rootkit vulnerability

2009-04-16 Thread Michael S. Gilbert
package: linux-2.6
severity: grave
tags: security

as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device.  one
article [1] mentions that there is an existing patch for the problem,
but does not link to it.  perhaps this fix can be found in the kernel
mailing lists.

[1]
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216500687






Bug#524373: linux-2.6: /dev/mem rootkit vulnerability

2009-04-16 Thread Michael S. Gilbert
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:

> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device.  one
> > article [1] mentions that there is an existing patch for the problem,
> > but does not link to it.  perhaps this fix can be found in the kernel
> > mailing lists.
> 
> There's no vulnerability there.  /dev/mem is only writable by root.
> 
> The research (if there's really any research involved) just shows how
> you could hide files or processes by manipulating /dev/mem.  That's been
> known for ages.  That's why you don't let your users write to /dev/mem.
> If the attacker has root, who cares what means they use to hide their
> presence, you've already lost.

i believe that the "if they've got root, you've already lost" consensus
is a logical fallacy.

an aspect of security is being able to detect when you have been
compromised.  hence, it is a lot worse when the attacker is able to mask
their presence.  at least when they only have root they leave tracks
and you can detect files, configs, and utilities that differ from the
norm or are out of place.

i think that any flaw that allows an attacker to elevate his pwnage from
root to hidden should always be considered a grave security issue.

best regards,
mike






Bug#524373: linux-2.6: /dev/mem rootkit vulnerability

2009-04-16 Thread Michael S. Gilbert
reopen 524373
thanks

On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
> >
> > i think that any flaw that allows an attacker to elevate his pwnage from
> > root to hidden should always be considered a grave security issue.
>
> Your argument sounds like the one used by RIAA, MPAA etc, based on the
> DMCA's anti-circumvention clause, to keep things like open source dvd
> players illegal.  Just because something can be used for malicious
> purposes, doesn't mean its existence is a bad thing.  There are reasons
> for /dev/mem to exist, and why you might want to manipulate kernel state
> through it.  Many of these do not involve rootkits.

this is a strawman argument.  i never said that /dev/mem needed to go
away.  my point was that it needed to be secured against these newly
discovered attacks, and it sounds like CONFIG_STRICT_DEVMEM does this.

> The support for dynamically loadable kernel modules in Linux can be
> abused similarly.  Does that make it a grave security issue?

probably...at least until someone comes up with a secure way to do it.

> But as Dann pointed out, we'll have CONFIG_STRICT_DEVMEM in the future
> to help minimize exposure.

this is a very good thing, and i understand that it would cause a lot
of hassle to backport this kind of change to stable since it could
potentially break compatibility.  however, that doesn't mean that the
issue shouldn't be tracked.  and it certainly doesn't mean that the bug
should be closed.  i thought that one of debian's tenets was "we will
not hide problems".

> If you want to continue this discussion, I propose to do it outside the
> BTS.

why?  isn't the bts a perfectly good place for discussion?

mike



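What CONFIG_STRICT_DEVMEM actually changes is narrower than "securing /dev/mem": on x86 it makes the kernel refuse read/write/mmap of /dev/mem for pages that are backed by RAM above the first 1 MiB, while still allowing the legacy BIOS/VGA area and MMIO ranges that X servers and firmware tools need. The following is an added example (not code from this bug report, the kernel, or the Debian package) that models that per-page policy over a constructed e820-style memory map, and pairs it with a small probe that reports what a root process sees when it reads kernel RAM through /dev/mem. The memory map, the `probe_devmem` helper and the sample addresses are inventions for the example; the policy mirrors the shape of the x86 `devmem_is_allowed()` logic but omits the kernel's extra check for resources marked exclusive.

```c
/* Added example: model of the x86 CONFIG_STRICT_DEVMEM page policy plus a
 * /dev/mem probe.  Not code from the bug report or the Debian kernel.  The
 * memory map is constructed for the example; the policy follows the kernel's
 * devmem_is_allowed() shape but omits the IORESOURCE_EXCLUSIVE check. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Constructed stand-in for a firmware (e820) map: low RAM, the legacy hole
 * under 1 MiB, main RAM where the kernel image lives, and a PCI MMIO window. */
struct region { uint64_t start, end; int is_ram; };
static const struct region mem_map[] = {
    { 0x00000000ULL, 0x0009fc00ULL, 1 },   /* conventional memory           */
    { 0x0009fc00ULL, 0x00100000ULL, 0 },   /* EBDA, VGA, BIOS ROM           */
    { 0x00100000ULL, 0x7ff00000ULL, 1 },   /* main RAM (kernel text/data)   */
    { 0xe0000000ULL, 0xf0000000ULL, 0 },   /* PCI MMIO window (device BARs) */
};

/* A page counts as RAM only if it lies entirely inside a RAM region. */
int page_is_ram(uint64_t pfn)
{
    uint64_t phys = pfn << PAGE_SHIFT;
    for (size_t i = 0; i < sizeof mem_map / sizeof mem_map[0]; i++)
        if (mem_map[i].is_ram && phys >= mem_map[i].start &&
            phys + PAGE_SIZE <= mem_map[i].end)
            return 1;
    return 0;
}

/* Per-page decision STRICT_DEVMEM makes on x86: the first 1 MiB (256 pages)
 * stays open for BIOS/VGA users, RAM pages are refused, non-RAM (MMIO) pages
 * are allowed.  So the option stops "patch the kernel through /dev/mem",
 * it does not close /dev/mem. */
int devmem_is_allowed(uint64_t pfn)
{
    if (pfn < 256)
        return 1;
    if (!page_is_ram(pfn))
        return 1;
    return 0;
}

/* read()/write()/mmap() on /dev/mem succeed only if every page in the range
 * is allowed; otherwise the kernel fails the whole call with -EPERM. */
int range_is_allowed(uint64_t phys, size_t len)
{
    uint64_t pfn = phys >> PAGE_SHIFT;
    uint64_t last = (phys + len - 1) >> PAGE_SHIFT;
    for (; pfn <= last; pfn++)
        if (!devmem_is_allowed(pfn))
            return 0;
    return 1;
}

enum probe { PROBE_READ = 0, PROBE_EPERM = 1, PROBE_NO_OPEN = 2, PROBE_OTHER = 3 };

/* Try to read 8 bytes of physical memory at `phys` through /dev/mem.
 * As root on a live box: PROBE_READ on a kernel without STRICT_DEVMEM (the
 * rootkit's entry point), PROBE_EPERM with it enabled. */
enum probe probe_devmem(uint64_t phys)
{
    uint64_t word;
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0)
        return PROBE_NO_OPEN;              /* not root, or no /dev/mem node */
    ssize_t n = pread(fd, &word, sizeof word, (off_t)phys);
    int err = errno;                       /* capture before close() clobbers it */
    close(fd);
    if (n == (ssize_t)sizeof word)
        return PROBE_READ;
    if (n < 0 && err == EPERM)
        return PROBE_EPERM;                /* refused by STRICT_DEVMEM */
    return PROBE_OTHER;
}

int main(void)
{
    static const char *verdict[] = { "read ok", "EPERM", "cannot open", "other error" };
    uint64_t samples[] = { 0x000a0000ULL, 0x01000000ULL, 0xe0000000ULL };  /* VGA, kernel RAM, MMIO */
    for (size_t i = 0; i < 3; i++)
        printf("phys 0x%08llx: policy %s, probe %s\n",
               (unsigned long long)samples[i],
               range_is_allowed(samples[i], 8) ? "allows" : "refuses",
               verdict[probe_devmem(samples[i])]);
    return 0;
}
```

Build with `cc -o devmem_check devmem_check.c` and run it as root; whether the running kernel has the option can be read off `grep CONFIG_STRICT_DEVMEM /boot/config-$(uname -r)`. Two caveats follow from the model: the restriction applies to /dev/mem only, so a root user who can still load modules (the point raised above) has an equivalent write primitive, and MMIO is deliberately left reachable, so the option is a mitigation against one rootkit technique rather than a boundary.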



Bug#524373: linux-2.6: /dev/mem rootkit vulnerability

2009-04-16 Thread Michael S. Gilbert
btw, redhat-based distros are thought to be invulnerable to these
attacks due to their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?

i know that execshield is not in the vanilla kernel, but when it comes
to security, you have to admit that a lot is missing from the vanilla
kernel.

the default debian kernel should be hardened.  period.  you need to
protect your users.  it's disappointing when researchers can point to
vista and say "hey, they put an end to a lot of attacks in 2007 (via
their address space randomization implementation)"; while in 2009 the
same statement still can't be made for debian-derived distros. why is
the linux kernel two years behind the state-of-the-art when it comes to
security?  why is redhat doing the right thing while debian does
nothing?






Bug#523475: xine-lib: CVE-2009-0385 arbitrary code execution

2009-04-10 Thread Michael S. Gilbert
Package: xine-lib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.

CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attackers to execute arbitrary code via a malformed 4X movie file with
| a large current_track value, which triggers a NULL pointer
| dereference.

See fedora security announcement for more details [1].

Please coordinate with the security team to prepare updated packages
for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385
http://security-tracker.debian.net/tracker/CVE-2009-0385
[1] http://lwn.net/Articles/328039/






Bug#523016: clamav vulnerability

2009-04-07 Thread Michael S. Gilbert
package: clamav
severity: grave
tags: security

hi,

ubuntu recently patched a problem in clamav [1].  the description is:

  It was discovered that ClamAV did not properly verify its input when
  processing TAR archives. A remote attacker could send a specially
  crafted TAR file and cause a denial of service via infinite loop.

  It was discovered that ClamAV did not properly validate Portable
  Executable (PE) files. A remote attacker could send a crafted PE file
  and cause a denial of service (divide by zero).

i'm not sure if this is CVE-2009-1241 or if it is a new issue.

[1] http://www.ubuntu.com/usn/usn-754-1


