August 2006
Two Mandriva Security Advisories: MDKSA-2006:153 binutils; MDKSA-2006:154 lesstiff
ID: 00584
Ref: 559/2006
Date: 30 August 2006:11:47:07
Version: 1
Title: Two Mandriva Security Advisories: MDKSA-2006:153 binutils; MDKSA-2006:154 lesstiff
Abstract: Various issues with Mandriva
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:153
http://www.mandriva.com/security/
_______________________________________________________________________
Package : binutils
Date : August 28, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
A stack-based buffer overflow in messages.c in the GNU as (gas)
assembler in Free Software Foundation GNU Binutils before 20050721
allows attackers to execute arbitrary code via a .c file with crafted
inline assembly code (CVE-2005-4807).
Buffer overflow in getsym in tekhex.c in libbfd in Free Software
Foundation GNU Binutils before 20060423, as used by GNU strings, allows
context-dependent attackers to cause a denial of service (application
crash) and possibly execute arbitrary code via a file with a crafted
Tektronix Hex Format (TekHex?) record in which the length character is
not a valid hexadecimal character (CVE-2006-2362).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2362
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
a514aef8f0aae8017c36c6373c546f1f 2006.0/RPMS/binutils-2.16.91.0.2-3.1.20060mdk.i586.rpm
608c036f1cf3604f70254d834a1be68c 2006.0/RPMS/libbinutils2-2.16.91.0.2-3.1.20060mdk.i586.rpm
3b215ae344eecd901ac81bc72d313dbb 2006.0/RPMS/libbinutils2-devel-2.16.91.0.2-3.1.20060mdk.i586.rpm
cd7e83cac0c468d104c10b402bb21a53 2006.0/SRPMS/binutils-2.16.91.0.2-3.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
e52fa90704f954868c4619119e8e833d x86_64/2006.0/RPMS/binutils-2.16.91.0.2-3.1.20060mdk.x86_64.rpm
1117083b22061902fe40d87c1d7b9c22 x86_64/2006.0/RPMS/lib64binutils2-2.16.91.0.2-3.1.20060mdk.x86_64.rpm
6ff27559c550109d9843e034181a0fa4 x86_64/2006.0/RPMS/lib64binutils2-devel-2.16.91.0.2-3.1.20060mdk.x86_64.rpm
cd7e83cac0c468d104c10b402bb21a53 x86_64/2006.0/SRPMS/binutils-2.16.91.0.2-3.1.20060mdk.src.rpm
Corporate 3.0:
84f8aea5d202ba206ca31871047d8a5f corporate/3.0/RPMS/binutils-2.14.90.0.7-2.3.C30mdk.i586.rpm
d72ede02c6410aad9ec98bfc931f2b2b corporate/3.0/RPMS/libbinutils2-2.14.90.0.7-2.3.C30mdk.i586.rpm
647d07675b4eabfa2cfe8933342cf46d corporate/3.0/RPMS/libbinutils2-devel-2.14.90.0.7-2.3.C30mdk.i586.rpm
a0f5c767dcb258960cb0b9004e6f73d3 corporate/3.0/SRPMS/binutils-2.14.90.0.7-2.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
54d559b890d485b7979446499b8dad5a x86_64/corporate/3.0/RPMS/binutils-2.14.90.0.7-2.3.C30mdk.x86_64.rpm
35f8cf549a5a8222e933b150775efdee x86_64/corporate/3.0/RPMS/lib64binutils2-2.14.90.0.7-2.3.C30mdk.x86_64.rpm
0df49c77c9bf02a1b3686387580ad7e3 x86_64/corporate/3.0/RPMS/lib64binutils2-devel-2.14.90.0.7-2.3.C30mdk.x86_64.rpm
a0f5c767dcb258960cb0b9004e6f73d3 x86_64/corporate/3.0/SRPMS/binutils-2.14.90.0.7-2.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFE84vRmqjQ0CJFipgRApYkAKDZMyBRi8S7tFQhLu7BBksXEJZ99wCgigBG
KQaiJLXuFtCzHgx664/xGe8=
=ApW9
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:154
http://www.mandriva.com/security/
_______________________________________________________________________
Package : lesstif
Date : August 28, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
The libXm library in LessTif 0.95.0 and earlier allows local users to gain
privileges via the DEBUG_FILE environment variable, which is used to create
world-writable files when libXm is run from a setuid program.
The updated packages have been rebuilt with the --enable-production
configure switch in order to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4124
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
5a2095ef8f223e31d66537eb8f4208e7 2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.i586.rpm
9f25125b71b97ed2a3e55933170a8c5e 2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.i586.rpm
dc5645d0866df7c724d6ccd2a6b4551f 2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.i586.rpm
b8b7e00f812b9a401c2e788eb8b2f25e 2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.i586.rpm
d2ff104b736c1353ab938605a2933409 2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
d8a34a5cf582b928b04a045023855583 2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
c6d1ccdedfc29596ad3c16d3673ab02e 2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
0200601fca4f4b46b90ac6ee753a494d x86_64/2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.x86_64.rpm
9d6303a17d8d96755a4d24632dbfa97b x86_64/2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.x86_64.rpm
360f72d386d714c965f777aa2271734b x86_64/2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.x86_64.rpm
0b24f9b55fa69494dbcb06e24be2300b x86_64/2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.x86_64.rpm
747cfa1520babbfbbbdbca0efb7fab5e x86_64/2006.0/RPMS/lib64lesstif1-0.93.94-4.2.20060mdk.x86_64.rpm
c816c37d83b85770e1001667ee539d70 x86_64/2006.0/RPMS/lib64lesstif2-0.93.94-4.2.20060mdk.x86_64.rpm
d2ff104b736c1353ab938605a2933409 x86_64/2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
d8a34a5cf582b928b04a045023855583 x86_64/2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
c6d1ccdedfc29596ad3c16d3673ab02e x86_64/2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm
Corporate 3.0:
c7cee6a1237c5c06768232890e5c9b75 corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.i586.rpm
c49db462160fff3aa6dc9c0690cb7c86 corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.i586.rpm
bac4c3dc97d33fec236e5f92801c64ca corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.i586.rpm
3f4cbdbbdfd5d1e83d8236ce37c81f9c corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.i586.rpm
c5cfffe6870b88fc12220c2b9a45138b corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
eadc97c5094cd92c57d97cbde382fb5f x86_64/corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.x86_64.rpm
852cb3b36147975aa1a53b371c1b6a86 x86_64/corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.x86_64.rpm
947c9bcb69de35c3eea430f877452d10 x86_64/corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.x86_64.rpm
754bc9a74f9b50ddf93e056979f7381e x86_64/corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.x86_64.rpm
c5cfffe6870b88fc12220c2b9a45138b x86_64/corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFE84w6mqjQ0CJFipgRArGJAKC4DsiaR+vEoEvJwjVryC8i0VR5vACeIMb7
zMuaXHkPVtRD3ae3/dctbsY=
=6Uev
- -----END PGP SIGNATURE-----