CPNI - Centre for the Protection of National Infrastructure


June 2005

Two Mandriva Linux Security Update Advisories: 1. MDKSA-2005:106 - spamassassin 2. MDKSA-2005:107 - ImageMagick

ID: 00526
Ref: 486/2005
Date: 29 June 2005:15:15:12
Version: 1

Title: Two Mandriva Linux Security Update Advisories: 1. MDKSA-2005:106 - spamassassin 2. MDKSA-2005:107 - ImageMagick
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva

Title
=====

Two Mandriva Linux Security Update Advisories:
1. MDKSA-2005:106 - spamassassin
2. MDKSA-2005:107 - ImageMagick

Detail
======

1. A Denial of Service bug was discovered in SpamAssassin. An attacker
could construct a particular message that would cause SpamAssassin to
consume CPU resources. If a large number of these messages were sent,
it could lead to a DoS. SpamAssassin 3.0.4 was released to correct
this vulnerability, as well as other minor bug fixes, and is provided
with this update.

2. A heap-based buffer overflow was found in the way that ImageMagick
parses PNM files. If an attacker can trick a victim into opening
a specially crafted PNM file, the attacker could execute arbitrary
code on the victim's machine (CAN-2005-1275).



1.




_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: spamassassin
Advisory ID: MDKSA-2005:106
Date: June 28th, 2005

Affected versions: 10.1, 10.2
______________________________________________________________________

Problem Description:

A Denial of Service bug was discovered in SpamAssassin. An attacker
could construct a particular message that would cause SpamAssassin to
consume CPU resources. If a large number of these messages were sent,
it could lead to a DoS. SpamAssassin 3.0.4 was released to correct
this vulnerability, as well as other minor bug fixes, and is provided
with this update.

For full details on the changes from previous versions of SpamAssassin
to this current version, please refer to the online documentation at
http://wiki.apache.org/spamassassin/NextRelease.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team




2.



_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: ImageMagick
Advisory ID: MDKSA-2005:107
Date: June 28th, 2005

Affected versions: 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________

Problem Description:

A heap-based buffer overflow was found in the way that ImageMagick
parses PNM files. If an attacker can trick a victim into opening
a specially crafted PNM file, the attacker could execute arbitrary
code on the victim's machine (CAN-2005-1275).

As well, a Denial of Service vulnerability was found in the way
that ImageMagick parses XWD files. If a user or program executed
ImageMagick to process a malicious XWD file, ImageMagick will enter
into an infinite loop causing a DoS (CAN-2005-1739).

The updated packages have been patched to fix these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1739
______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team


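
Both advisories state that MandrakeUpdate and urpmi verify md5 checksums and GPG signatures automatically. For packages fetched by hand, the checksum half of that check can be scripted as below; this is an added example, not part of the CPNI page or the Mandriva advisories. The function names, file names and manifest contents are constructed for illustration, and the assumed manifest format is one `<md5> <path>` entry per line.

```shell
#!/bin/sh
# Added example: check files against "<md5> <path>" manifest lines.
# verify_manifest MANIFEST BASEDIR prints one status per entry and returns 0
# only when every listed file exists under BASEDIR and its MD5 matches.
verify_manifest() {
    manifest=$1; basedir=$2; rc=0
    while read -r want path; do
        # Skip blank lines and headings such as "Mandrakelinux 10.1:".
        case $want in ''|*[!0-9a-f]*) continue ;; esac
        [ "${#want}" -eq 32 ] || continue
        # Reject absolute paths and ".." so no entry can escape BASEDIR.
        case $path in
            ''|/*|*..*) echo "REJECT   $path"; rc=1; continue ;;
        esac
        if [ ! -f "$basedir/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got=$(md5sum < "$basedir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Constructed demo: two stand-in files (not real RPMs); the second is altered
# after the manifest is written, so verification must fail.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/10.2/RPMS"
    printf 'package-a' > "$d/10.2/RPMS/a-1.0-1.example.rpm"
    printf 'package-b' > "$d/10.2/RPMS/b-1.0-1.example.rpm"
    {
        echo "Example 10.2:"
        for f in a-1.0-1.example.rpm b-1.0-1.example.rpm; do
            echo "$(md5sum < "$d/10.2/RPMS/$f" | cut -d' ' -f1) 10.2/RPMS/$f"
        done
    } > "$d/manifest.txt"
    printf 'tampered' >> "$d/10.2/RPMS/b-1.0-1.example.rpm"
    verify_manifest "$d/manifest.txt" "$d"; status=$?
    rm -rf "$d"
    return "$status"
}

# An MD5 match ties a file to the manifest only, and MD5 is collision-prone;
# authenticity comes from the GPG signature: rpm --checksig <file>
if demo; then echo "all files match"; else echo "verification failed"; fi
```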