July 2006
Five Mandriva Linux Security Advisories
ID: 00479
Ref: 465/2006
Date: 14 July 2006:13:47:49
Version: 1
Title: Five Mandriva Linux Security Advisories
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva
Title
=====
Five Mandriva Linux Security Advisories:
1. MDKA-2006:029 - Updated apache2 packages to address logging bug
2. MDKSA-2006:117-1 - Updated libmms packages fix buffer overflow vulnerability
3. MDKSA-2006:121 - Updated xine-lib packages fix buffer overflow vulnerability
4. MDKSA-2006:122 - Updated php packages fix multiple vulnerabilities
5. MDKSA-2006:123 - Updated kernel packages fixes multiple vulnerabilities
Detail
======
1. A patch applied to the build of apache2, when built on x86_64,
can cause various issues in logging. These can include a corrupted
or empty /var/log/httpd/access_log. This affects the Corporate 3
products only.
2. Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause
a denial of service (application crash) and possibly execute arbitrary code
via the (1) send_command, (2) string_utf16, (3) get_data, and (4)
get_media_packet functions, and possibly other functions. Libmms uses the
same vulnerable code.
3. Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause
a denial of service (application crash) and possibly execute arbitrary code
via the (1) send_command, (2) string_utf16, (3) get_data, and (4)
get_media_packet functions, and possibly other functions. Xine-lib contains
an embedded copy of the same vulnerable code.
4. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper calls
to the gdMalloc function. One instance in gd_io_dp.c does not appear to
be corrected in the embedded copy of GD used in php to build the php-gd
package.
5. A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel.
1.
_______________________________________________________________________
Mandriva Linux Advisory MDKA-2006:029
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache2
Date : July 12, 2006
Affected: Corporate 3.0
_______________________________________________________________________
Problem Description:
A patch applied to the build of apache2, when built on x86_64,
can cause various issues in logging. These can include a corrupted
or empty /var/log/httpd/access_log. This affects the Corporate 3
products only.
Updated packages are provided that correct the issue.
_______________________________________________________________________
References:
http://qa.mandriva.com/show_bug.cgi?id=23667
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
2.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:117-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libmms
Date : July 12, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause
a denial of service (application crash) and possibly execute arbitrary code
via the (1) send_command, (2) string_utf16, (3) get_data, and (4)
get_media_packet functions, and possibly other functions. Libmms uses the
same vulnerable code.
Update:
The previous update for libmms had an incorrect/incomplete patch. This
update includes a more complete fix for the issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
3.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:121
http://www.mandriva.com/security/
_______________________________________________________________________
Package : xine-lib
Date : July 12, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause
a denial of service (application crash) and possibly execute arbitrary code
via the (1) send_command, (2) string_utf16, (3) get_data, and (4)
get_media_packet functions, and possibly other functions. Xine-lib contains
an embedded copy of the same vulnerable code.
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
4.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:122
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : July 13, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper calls
to the gdMalloc function. One instance in gd_io_dp.c does not appear to
be corrected in the embedded copy of GD used in php to build the php-gd
package. (CVE-2004-0941)

Integer overflows were reported in the GD Graphics Library (libgd)
2.0.28, and possibly other versions. These overflows allow remote
attackers to cause a denial of service and possibly execute arbitrary
code via PNG image files with large image rows values that lead to a
heap-based buffer overflow in the gdImageCreateFromPngCtx() function.
PHP, as packaged in Mandriva Linux, contains an embedded copy of the
GD library, used to build the php-gd package. (CVE-2004-0990)

The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x,
when used in applications that accept user-controlled input for the
mailbox argument to the imap_open function, allows remote attackers to
obtain access to an IMAP stream data structure and conduct unauthorized
IMAP actions. (CVE-2006-1017)

Integer overflow in the wordwrap function in string.c might allow
context-dependent attackers to execute arbitrary code via certain long
arguments that cause a small buffer to be allocated, which triggers a
heap-based buffer overflow in a memcpy function call, a different
vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update
for this issue did not resolve the issue on 64bit platforms.

The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to
bypass safe mode and read files via a file:// request containing nul
characters. (CVE-2006-2563)

Buffer consumption vulnerability in the tempnam function in PHP 5.1.4
and 4.x before 4.4.3 allows local users to bypass restrictions and
create PHP files with fixed names in other directories via a pathname
argument longer than MAXPATHLEN, which prevents a unique string from
being appended to the filename. (CVE-2006-2660)

The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas
Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote
attackers to cause a denial of service (CPU consumption) via malformed
GIF data that causes an infinite loop. PHP, as packaged in Mandriva
Linux, contains an embedded copy of the GD library, used to build the
php-gd package. (CVE-2006-2906)

The error_log function in PHP allows local users to bypass safe mode
and open_basedir restrictions via a "php://" or other scheme in the
third argument, which disables safe mode. (CVE-2006-3011)

An unspecified vulnerability in session.c in PHP before 5.1.3 has
unknown impact and attack vectors, related to "certain characters in
session names", including special characters that are frequently
associated with CRLF injection, SQL injection, and cross-site scripting
(XSS) vulnerabilities. NOTE: while the nature of the vulnerability is
unspecified, it is likely that this is related to a violation of an
expectation by PHP applications that the session name is alphanumeric,
as implied in the PHP manual for session_name(). (CVE-2006-3016)

An unspecified vulnerability in PHP before 5.1.3 can prevent a variable
from being unset even when the unset function is called, which might
cause the variable's value to be used in security-relevant operations.
(CVE-2006-3017)

An unspecified vulnerability in the session extension functionality in
PHP before 5.1.3 has unknown impact and attack vectors related to heap
corruption. (CVE-2006-3018)

The GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906)
affect only Corporate 3 and Mandrake Network Firewall 2.

The php-curl issue (CVE-2006-2563) affects only Mandriva 2006.0.

Updated packages have been patched to address all these issues. Once
these packages have been installed, you will need to restart Apache
(service httpd restart) in order for the changes to take effect.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3018
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
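The wordwrap issue (CVE-2006-1990) and the GD integer overflows (CVE-2004-0990) in the advisory above share one pattern: a size computed from attacker-influenced lengths wraps around, a small buffer is allocated, and a later copy runs past it. The C sketch below is an added example, not PHP, GD or Mandriva code; the size formula, function names and test values are constructed for illustration, and lengths are modelled as 32-bit values so the wrap-around is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "Before" pattern: the output size for a hard-wrapped string is computed
 * in a 32-bit unsigned type with no overflow checks. Unsigned arithmetic
 * wraps modulo 2^32, so large inputs can yield a tiny result.
 * Caller must pass linelen > 0. */
uint32_t wrap_size_unchecked(uint32_t textlen, uint32_t linelen, uint32_t breaklen)
{
    return textlen + (textlen / linelen) * breaklen + 1u;
}

/* Hardened form: every step is checked before it is performed.
 * Returns 0 and stores the size (including the NUL) in *out,
 * or -1 if the arguments are invalid or the size does not fit. */
int wrap_size_checked(uint32_t textlen, uint32_t linelen, uint32_t breaklen,
                      uint32_t *out)
{
    uint32_t breaks, extra, total;

    if (linelen == 0)
        return -1;
    breaks = textlen / linelen;               /* upper bound on inserted breaks */
    if (breaklen != 0 && breaks > UINT32_MAX / breaklen)
        return -1;                            /* breaks * breaklen would wrap */
    extra = breaks * breaklen;
    if (extra > UINT32_MAX - textlen)
        return -1;                            /* textlen + extra would wrap */
    total = textlen + extra;
    if (total == UINT32_MAX)
        return -1;                            /* no room for the terminator */
    *out = total + 1u;
    return 0;
}

/* Insert brk after every linelen bytes of text, allocating the result with
 * the checked size. Returns a malloc'd string the caller frees, or NULL on
 * invalid arguments, size overflow or allocation failure. */
char *hard_wrap(const char *text, uint32_t linelen, const char *brk)
{
    size_t tl = strlen(text), bl = strlen(brk), o = 0, i;
    uint32_t need;
    char *out;

    if (tl > UINT32_MAX || bl > UINT32_MAX)
        return NULL;
    if (wrap_size_checked((uint32_t)tl, linelen, (uint32_t)bl, &need) != 0)
        return NULL;
    out = malloc(need);
    if (out == NULL)
        return NULL;
    for (i = 0; i < tl; i++) {
        if (i != 0 && i % linelen == 0) {     /* at most tl / linelen breaks */
            memcpy(out + o, brk, bl);
            o += bl;
        }
        out[o++] = text[i];
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed values: 2^28 bytes of text, a break after every byte,
     * and a 15-byte break string. The true size needs 33 bits. */
    uint32_t n = 0;
    char *w;

    printf("unchecked size: %u\n",
           (unsigned)wrap_size_unchecked(0x10000000u, 1u, 15u));
    printf("checked result: %d\n",
           wrap_size_checked(0x10000000u, 1u, 15u, &n));

    w = hard_wrap("abcdefgh", 3u, "\n");
    if (w != NULL) {
        printf("wrapped:\n%s\n", w);
        free(w);
    }
    return 0;
}
```

The same check-before-multiply rule applies to image dimensions passed to an allocator: validate the product in the type the allocator actually receives, which matters when a fix written for one word size is rebuilt for another.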
5.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:123
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kernel
Date : July 13, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The kernel did not clear sockaddr_in.sin_zero before returning IPv4
socket names for the getsockopt function, which could allow a local
user to obtain portions of potentially sensitive memory if getsockopt()
is called with SO_ORIGINAL_DST (CVE-2006-1343).

Prior to 2.6.16, a buffer overflow in the USB Gadget RNDIS
implementation could allow a remote attacker to cause a Denial of
Service via a remote NDIS response (CVE-2006-1368).

Prior to 2.6.13, local users could cause a Denial of Service (crash)
via a dio transfer from the sg driver to memory mapped IO space
(CVE-2006-1528).

Prior to and including 2.6.16, the kernel did not add the appropriate
LSM file_permission hooks to the readv and writev functions, which
could allow an attacker to bypass intended access restrictions
(CVE-2006-1856).

Prior to 2.6.16.17, a buffer overflow in SCTP could allow a remote
attacker to cause a DoS (crash) and possibly execute arbitrary code
via a malformed HB-ACK chunk (CVE-2006-1857).

Prior to 2.6.16.17, SCTP could allow a remote attacker to cause a DoS
(crash) and possibly execute arbitrary code via a chunk length that is
inconsistent with the actual length of provided parameters
(CVE-2006-1858).

Prior to 2.6.16.16, a memory leak in fs/locks.c could allow an attacker
to cause a DoS (memory consumption) via unspecified actions
(CVE-2006-1859).

Prior to 2.6.16.16, lease_init in fs/locks.c could allow an attacker to
cause a DoS (fcntl_setlease lockup) via certain actions (CVE-2006-1860).

Prior to 2.6.17, SCTP allowed remote attackers to cause a DoS (infinite
recursion and crash) via a packet that contains two or more DATA
fragments (CVE-2006-2274).

Prior to 2.6.16.21, a race condition in run_posix_cpu_timers could allow
a local user to cause a DoS (BUG_ON crash) by causing one CPU to attach
a timer to a process that is exiting (CVE-2006-2445).

Prior to 2.6.17.1, xt_sctp in netfilter could allow an attacker to cause
a DoS (infinite loop) via an SCTP chunk with a 0 length (CVE-2006-3085).

As well, an issue where IPC could hit an unmapped vmalloc page when
near the page boundary has been corrected.

In addition to these security fixes, other fixes have been included
such as:

- avoid automatic update of kernel-source without updating the kernel
- fix USB EHCI handoff code, which made some machines hang while
  booting
- disable USB_BANDWIDTH which corrects a known problem in some USB
  sound devices
- fix a bluetooth refcounting bug which could hang the machine
- fix a NULL pointer dereference in USB-Serial's serial_open()
  function
- add missing wakeup in pl2303 TIOCMIWAIT handling
- fix a possible use-after-free in USB-Serial core
- suspend/resume fixes
- HPET timer fixes
- prevent fixed button event from reaching userspace on S3 resume
- add sysfs support in ide-tape
- fix ASUS P5S800 reboot

Finally, a new drbd-utils package is provided that is a required
upgrade with this new kernel due to a logic bug in the previously
shipped version of drbd-utils that could cause a kernel panic on
the master when a slave went offline.

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:

  http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3085
http://qa.mandriva.com/show_bug.cgi?id=22860
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
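Two of the SCTP issues in the kernel advisory above concern a 16-bit length field that a parser must not trust: a chunk length inconsistent with the parameters actually present (CVE-2006-1858) and a zero-length chunk that stops a chunk walker from advancing (CVE-2006-3085). The user-space C sketch below is an added example, not kernel, netfilter or Mandriva code; the function names, status codes and sample byte arrays are constructed for illustration. It validates every chunk length, and the parameter lengths inside HEARTBEAT and HEARTBEAT ACK chunks, before stepping forward.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SCTP chunk headers and parameter headers share one layout: 2 bytes of
 * type information, then a 16-bit big-endian length that counts the
 * 4-byte header itself but not the padding to a 4-byte boundary. */
#define TLV_HDR_LEN            4u
#define SCTP_CID_HEARTBEAT     4
#define SCTP_CID_HEARTBEAT_ACK 5

enum { V_OK = 0, V_TRUNCATED = -1, V_LEN_TOO_SMALL = -2, V_LEN_PAST_END = -3 };

/* Validate one header at p with `remaining` bytes available. On success
 * stores the declared length and the number of bytes to step over. */
static int tlv_next(const uint8_t *p, size_t remaining,
                    size_t *declared, size_t *step)
{
    size_t len, padded;

    if (remaining < TLV_HDR_LEN)
        return V_TRUNCATED;               /* header itself is cut short */
    len = ((size_t)p[2] << 8) | p[3];
    if (len < TLV_HDR_LEN)
        return V_LEN_TOO_SMALL;           /* includes 0: walker would never advance */
    if (len > remaining)
        return V_LEN_PAST_END;            /* claims more data than is present */
    padded = (len + 3u) & ~(size_t)3u;
    *declared = len;
    *step = padded > remaining ? remaining : padded;  /* last item may lack padding */
    return V_OK;
}

/* Walk the parameters inside a chunk body; each must fit in the body. */
static int walk_params(const uint8_t *body, size_t body_len)
{
    size_t off = 0, len, step;

    while (off < body_len) {
        int rc = tlv_next(body + off, body_len - off, &len, &step);
        if (rc != V_OK)
            return rc;
        off += step;
    }
    return V_OK;
}

/* Walk the chunk area of a packet (the bytes after the 12-byte common
 * header). Returns the number of chunks, or a negative V_* status. */
int sctp_validate_chunks(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0, len, step;
    int chunks = 0;

    while (off < buf_len) {
        int rc = tlv_next(buf + off, buf_len - off, &len, &step);
        if (rc != V_OK)
            return rc;
        if (buf[off] == SCTP_CID_HEARTBEAT || buf[off] == SCTP_CID_HEARTBEAT_ACK) {
            rc = walk_params(buf + off + TLV_HDR_LEN, len - TLV_HDR_LEN);
            if (rc != V_OK)
                return rc;                /* parameters disagree with chunk length */
        }
        off += step;                      /* step >= 4, so the loop terminates */
        chunks++;
    }
    return chunks;
}

/* Constructed sample chunk areas (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {      /* HEARTBEAT ACK + COOKIE ACK */
    5, 0, 0, 12,  0, 1, 0, 8,  0xde, 0xad, 0xbe, 0xef,  11, 0, 0, 4 };
static const uint8_t SAMPLE_ZERO_LEN[] = {  /* chunk length field is 0 */
    11, 0, 0, 0,  11, 0, 0, 4 };
static const uint8_t SAMPLE_BAD_PARAM[] = { /* parameter claims 64 bytes in an 8-byte body */
    5, 0, 0, 12,  0, 1, 0, 64,  1, 2, 3, 4 };
static const uint8_t SAMPLE_PAST_END[] = {  /* chunk claims 32 bytes, 8 present */
    11, 0, 0, 32,  0, 0, 0, 0 };
static const uint8_t SAMPLE_TRUNCATED[] = { 11, 0, 0 };

int main(void)
{
    printf("good:      %d\n", sctp_validate_chunks(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero len:  %d\n", sctp_validate_chunks(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    printf("bad param: %d\n", sctp_validate_chunks(SAMPLE_BAD_PARAM, sizeof SAMPLE_BAD_PARAM));
    printf("past end:  %d\n", sctp_validate_chunks(SAMPLE_PAST_END, sizeof SAMPLE_PAST_END));
    printf("truncated: %d\n", sctp_validate_chunks(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```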