November 2005
Gentoo
ID: 01041
Ref: 976/2005
Date: 23 November 2005:13:49:57
Version: 1
Title: Gentoo
Abstract: Details of several Gentoo security advisories
Vendors affected: Gentoo
Operating systems affected: Gentoo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GTK+ 2, GdkPixbuf: Multiple XPM decoding vulnerabilities
Date: November 16, 2005
Bugs: #112608
ID: 200511-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The GdkPixbuf library, which is also included in GTK+ 2, contains
vulnerabilities that could lead to a Denial of Service or the
execution of arbitrary code.
Background
==========
GTK+ (the GIMP Toolkit) is a toolkit for creating graphical user
interfaces. The GdkPixbuf library provides facilities for image
handling. It is available as a standalone library and also packaged
with GTK+ 2.
Affected packages
=================
-------------------------------------------------------------------
   Package                /  Vulnerable  /              Unaffected
-------------------------------------------------------------------
1  x11-libs/gtk+                  < 2.8.6-r1            >= 2.8.6-r1
                                                      *>= 2.6.10-r1
                                                              < 2.0
2  media-libs/gdk-pixbuf         < 0.22.0-r5           >= 0.22.0-r5
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
iDEFENSE reported a possible heap overflow in the XPM loader
(CVE-2005-3186). Upon further inspection, Ludwig Nussel discovered two
additional issues in the XPM processing functions: an integer overflow
(CVE-2005-2976) that affects only gdk-pixbuf, and an infinite loop
(CVE-2005-2975).
Impact
======
Using a specially crafted XPM image an attacker could cause an affected
application to enter an infinite loop or trigger the overflows,
potentially allowing the execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GTK+ 2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose x11-libs/gtk+
All GdkPixbuf users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gdk-pixbuf-0.22.0-r5"
References
==========
[ 1 ] CVE-2005-2975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
[ 2 ] CVE-2005-2976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
[ 3 ] CVE-2005-3186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
[ 4 ] iDefense Security Advisory 11.15.05
http://www.idefense.com/application/poi/display?id=339&type=vulnerabilities
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Smb4k: Local unauthorized file access
Date: November 18, 2005
Bugs: #111089
ID: 200511-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been identified that allows unauthorized access to
the contents of /etc/sudoers and /etc/super.tab files.
Background
==========
Smb4K is a SMB/CIFS share browser for KDE.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/smb4k < 0.6.4 >= 0.6.4
Description
===========
A vulnerability leading to unauthorized file access has been found. A
pre-existing symlink from /tmp/sudoers and /tmp/super.tab to a text file
will cause Smb4k to write the contents of these files to the target of
the symlink, as Smb4k does not check for the existence of these files
before writing to them.
Impact
======
An attacker could acquire local privilege escalation by adding
username(s) to the list of sudoers.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All smb4k users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/smb4k-0.6.4"
References
==========
[ 1 ] CVE-2005-2851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2851
[ 2 ] Smb4k Announcement
http://smb4k.berlios.de/
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-15.xml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GNUMP3d: Directory traversal and insecure temporary file
creation
Date: November 21, 2005
Bugs: #111990
ID: 200511-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been identified in GNUMP3d allowing for
limited directory traversal and insecure temporary file creation.
Background
==========
GNUMP3d is a streaming server for MP3s, Ogg Vorbis files, movies and
other media formats.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-sound/gnump3d < 2.9.7-r1 >= 2.9.7-r1
Description
===========
Ludwig Nussel from SUSE Linux has identified two vulnerabilities in
GNUMP3d. GNUMP3d fails to properly check for the existence of
/tmp/index.lok before writing to the file, allowing for local
unauthorized access to files owned by the user running GNUMP3d. GNUMP3d
also fails to properly validate the "theme" GET variable from CGI
input, allowing for unauthorized file inclusion.
Impact
======
An attacker could overwrite files owned by the user running GNUMP3d by
symlinking /tmp/index.lok to the file targeted for overwrite. An
attacker could also include arbitrary files by traversing up the
directory tree (at most two times, i.e. "../..") with the "theme" GET
variable.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GNUMP3d users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/gnump3d-2.9.7-r1"
References
==========
[ 1 ] CVE-2005-3349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3349
[ 2 ] CVE-2005-3355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3355
[ 3 ] GNUMP3d Changelog
http://www.gnu.org/software/gnump3d/ChangeLog
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-16.xml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: FUSE: mtab corruption through fusermount
Date: November 22, 2005
Bugs: #112902
ID: 200511-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The fusermount utility from FUSE can be abused to corrupt the /etc/mtab
file contents, potentially allowing a local attacker to set
unauthorized mount options.
Background
==========
FUSE (Filesystem in Userspace) allows implementation of a fully
functional filesystem in a userspace program. The fusermount utility is
used to mount/unmount FUSE file systems.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-fs/fuse < 2.4.1-r1 >= 2.4.1-r1
Description
===========
Thomas Biege discovered that fusermount fails to securely handle
special characters specified in mount points.
Impact
======
A local attacker could corrupt the contents of the /etc/mtab file by
mounting over a maliciously-named directory using fusermount,
potentially allowing the attacker to set unauthorized mount options.
This is possible only if fusermount is installed setuid root, which is
the default in Gentoo.
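One standard way to keep a hostile mount-point name from breaking the one-entry-per-line, whitespace-separated layout of /etc/mtab is the octal escaping that getmntent(3) decodes. The C code below is an added example, not the FUSE project's patch; the helper names, the demo_fs source and the sample directory name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape one /etc/mtab field the way getmntent(3) expects to decode it:
 * space, tab, newline and backslash become 3-digit octal escapes.
 * Returns 0 on success, -1 if out is too small. */
int mtab_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == ' ' || c == '\t' || c == '\n' || c == '\\') {
            if (o + 4 >= outsz) return -1;          /* 4 chars + NUL */
            o += (size_t)snprintf(out + o, outsz - o, "\\%03o", c);
        } else {
            if (o + 1 >= outsz) return -1;          /* 1 char + NUL */
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Format one entry, "fsname dir type opts freq passno\n". With escape == 0
 * the mount point is written raw (the flawed behaviour); otherwise it is
 * escaped first. Returns how many lines the entry occupies in the file
 * (a well-formed entry occupies exactly 1), or -1 on error. */
int mtab_entry(const char *dir, int escape, char *line, size_t linesz)
{
    char field[256];
    int n, lines = 0;

    if (escape) {
        if (mtab_escape(dir, field, sizeof field) != 0) return -1;
        dir = field;
    }
    /* demo_fs and the option string are constructed sample values */
    n = snprintf(line, linesz, "demo_fs %s fuse rw,nosuid,nodev 0 0\n", dir);
    if (n < 0 || (size_t)n >= linesz) return -1;
    for (const char *p = line; *p; p++) lines += (*p == '\n');
    return lines;
}

int main(void)
{
    char line[512];
    const char *dir = "/home/u/my dir\nnotes";   /* constructed name */
    printf("raw:     %d line(s)\n", mtab_entry(dir, 0, line, sizeof line));
    printf("escaped: %d line(s)\n", mtab_entry(dir, 1, line, sizeof line));
    printf("%s", line);
    return 0;
}
```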
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All FUSE users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/fuse-2.4.1-r1"
References
==========
[ 1 ] CVE-2005-3531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3531
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-17.xml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: phpSysInfo: Multiple vulnerabilities
Date: November 22, 2005
Bugs: #112482
ID: 200511-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
phpSysInfo is vulnerable to multiple issues, including a local file
inclusion leading to information disclosure and the potential
execution of arbitrary code.
Background
==========
phpSysInfo displays various system stats via PHP scripts.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/phpsysinfo < 2.4.1 >= 2.4.1
Description
===========
Christopher Kunz from the Hardened-PHP Project discovered that
phpSysInfo is vulnerable to local file inclusion, cross-site scripting
and HTTP response splitting attacks.
Impact
======
A local attacker may exploit the file inclusion vulnerability by
sending malicious requests, causing the execution of arbitrary code
with the rights of the user running the web server. A remote attacker
could exploit the vulnerability to disclose local file content.
Furthermore, the cross-site scripting issues give a remote attacker
the ability to inject and execute malicious script code in the user's
browser context or to steal cookie-based authentication credentials.
The HTTP response splitting issue gives an attacker the ability to
perform site hijacking and cache poisoning.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All phpSysInfo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpsysinfo-2.4.1"
References
==========
[ 1 ] Original advisory
http://www.hardened-php.net/advisory_222005.81.html
[ 2 ] CVE-2005-3347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3347
[ 3 ] CVE-2005-3348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3348
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-18.xml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: eix: Insecure temporary file creation
Date: November 22, 2005
Bugs: #112061
ID: 200511-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
eix has an insecure temporary file creation vulnerability, potentially
allowing a local user to overwrite arbitrary files.
Background
==========
eix is a small utility for searching ebuilds with indexing for fast
results.
Affected packages
=================
-------------------------------------------------------------------
   Package                /  Vulnerable  /              Unaffected
-------------------------------------------------------------------
1  app-portage/eix              < 0.5.0_pre2          >= 0.5.0_pre2
                                                       *>= 0.3.0-r2
Description
===========
Eric Romang discovered that eix creates a temporary file with a
predictable name. eix creates a temporary file in /tmp/eix.*.sync where
* is the process ID of the shell running eix.
Impact
======
A local attacker can watch the process list and determine the process
ID of the shell running eix while the "emerge --sync" command is
running, then create a link from the corresponding temporary file to a
system file, which would result in the file being overwritten with the
rights of the user running the application.
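The temporary-file flaw described here, and the /tmp/sudoers, /tmp/super.tab and /tmp/index.lok issues in GLSA 200511-15 and 200511-16 above, share one cause: a predictable name in a shared directory is opened without exclusive creation. The C code below is an added example, not code from eix, Smb4k or GNUMP3d; the function names, the app.1234.sync file name and the demo directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The flawed pattern: a fixed or PID-derived name in a shared directory,
 * opened without O_EXCL. open() follows a link already sitting at that
 * name and truncates and writes whatever it points to. */
int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, for a name that must stay fixed (such as a lock file): O_EXCL
 * makes creation atomic and fails if anything, even a dangling symlink,
 * already occupies the name. O_NOFOLLOW is defence in depth. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened, for scratch files: mkstemp() picks an unpredictable name and
 * creates it exclusively with mode 0600. tmpl must end in "XXXXXX". */
int open_scratch(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed demo inside a private directory: a link already exists at
 * the predictable name. Returns the size of the link target afterwards
 * (0 means it was left untouched), or -1 if the setup failed. */
long demo(int hardened)
{
    char dir[] = "/tmp/glsa-demo-XXXXXX", target[64], name[64];
    struct stat st;
    long result = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/app.1234.sync", dir);
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd >= 0 && close(tfd) == 0 && symlink(target, name) == 0) {
        int fd = hardened ? open_exclusive(name) : open_predictable(name);
        if (fd >= 0) {
            if (write(fd, "data\n", 5) != 5) perror("write");
            close(fd);
        }
        if (stat(target, &st) == 0) result = (long)st.st_size;
    }
    unlink(name); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("predictable open: %ld bytes reached the link target\n", demo(0));
    printf("exclusive open:   %ld bytes reached the link target\n", demo(1));
    return 0;
}
```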
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All eix users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose app-portage/eix
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-19.xml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Horde Application Framework: XSS vulnerability
Date: November 22, 2005
Bugs: #112491
ID: 200511-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The Horde Application Framework is vulnerable to a cross-site scripting
vulnerability which could lead to the compromise of the victim's
browser content.
Background
==========
The Horde Application Framework is a general-purpose web application
framework written in PHP, providing classes for handling preferences,
compression, browser detection, connection tracking, MIME, and more.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/horde < 2.2.9 >= 2.2.9
Description
===========
The Horde Team reported a potential XSS vulnerability. Horde fails to
properly escape error messages, which may lead to displaying unsanitized
error messages via Notification_Listener::getMessage().
Impact
======
By enticing a user to read a specially-crafted e-mail or using a
manipulated URL, an attacker can execute arbitrary scripts running in
the context of the victim's browser. This could lead to a compromise of
the user's browser content.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Horde Application Framework users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.9"
References
==========
[ 1 ] CVE-2005-3570
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3570
[ 2 ] Horde Announcement
http://lists.horde.org/archives/announce/2005/000231.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-20.xml