Multiple stack-based buffer overflows in libopensc in OpenSC 0.11.13

and earlier allow physically proximate attackers to execute arbitrary

code via a long serial-number field on a smart card, related to

(1) card-acos5.c, (2) card-atrust-acos.c, and (3) card-starcos.c

(CVE-2010-4523).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Stack-based buffer overflow in the read_1_3_textobject function in

f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject

function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier,

allows remote attackers to execute arbitrary code via a long string

in a malformed .fig file that uses the 1.3 file format. NOTE:

some of these details are obtained from third party information

(CVE-2009-4227).

Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlier

allows remote attackers to cause a denial of service (application

crash) via a long string in a malformed .fig file that uses the 1.3

file format, possibly related to the readfp_fig function in f_read.c

(CVE-2009-4228).

Stack-based buffer overflow in Xfig 3.2.4 and 3.2.5 allows remote

attackers to cause a denial of service (crash) and possibly execute

arbitrary code via a FIG image with a crafted color definition

(CVE-2010-4262).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier

might allow context-dependent attackers to execute arbitrary code

via a long command-line argument, as demonstrated by a CGI program

that launches gif2png (CVE-2009-5018).

Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow

context-dependent attackers to cause a denial of service (application

crash) or have unspecified other impact via a GIF file that contains

many images, leading to long extensions such as .p100 for PNG output

files, as demonstrated by a CGI program that launches gif2png,

a different vulnerability than CVE-2009-5018 (CVE-2010-4694).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote

attackers to inject arbitrary HTTP headers and conduct HTTP response

splitting attacks via unknown vectors. NOTE: this issue exists

because of an incomplete fix for CVE-2010-2761 (CVE-2010-4411).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to the latest version (3.51)

which is not affected by this issue and in turn also brings many

bugfixes.

Buffer overflow in the MAC-LTE dissector

(epan/dissectors/packet-mac-lte.c) in Wireshark 1.2.0 through 1.2.13

and 1.4.0 through 1.4.2 allows remote attackers to cause a denial

of service (crash) and possibly execute arbitrary code via a large

number of RARs (CVE-2011-0444).

The updated packages have been upgraded to the latest version (1.2.14)

which is not affected by this issue.

The walk function in repos.c in the mod_dav_svn module for the Apache

HTTP Server, as distributed in Apache Subversion before 1.6.15,

allows remote authenticated users to cause a denial of service (NULL

pointer dereference and daemon crash) via vectors that trigger the

walking of SVNParentPath collections (CVE-2010-4539).

Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15

allow remote authenticated users to cause a denial of service (memory

consumption and daemon crash) via the -g option to the blame command

(CVE-2010-4644).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to the latest versions (1.5.9,

1.6.15) which is not affected by these issues and in turn contains

many bugfixes as well.

but didn't include a rebuilt openoffice.org-voikko, thus preventing

installation of the update when the openoffice.org Finnish language

package is installed.

This advisory fixes the issue by providing the missing packages.

Array index error in the PK and VF font parser in the dvi-backend

component in Evince 2.32 and earlier allows remote attackers to

cause a denial of service (application crash) or possibly execute

arbitrary code via a crafted font in conjunction with a DVI file that

is processed by the thumbnailer (CVE-2010-2640, CVE-2010-2641).

Heap-based buffer overflow in the AFM font parser in the dvi-backend

component in Evince 2.32 and earlier allows remote attackers to

cause a denial of service (application crash) or possibly execute

arbitrary code via a crafted font in conjunction with a DVI file that

is processed by the thumbnailer (CVE-2010-2642).

Integer overflow in the TFM font parser in the dvi-backend component in

Evince 2.32 and earlier allows remote attackers to execute arbitrary

code via a crafted font in conjunction with a DVI file that is

processed by the thumbnailer (CVE-2010-2643).

The updated packages have been patched to correct these issues.

Multiple format string vulnerabilities in the phar extension in PHP

5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive

information (memory contents) and possibly execute arbitrary code

via a crafted phar:// URI that is not properly handled by the (1)

phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or

(4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)

phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers

errors in the php_stream_wrapper_log_error function (CVE-2010-2094).

The updated packages have been upgraded to the latest version (2.0.0)

and patched to correct this issue.

MHonArc 2.6.16 allows remote attackers to cause a denial of service

(CPU consumption) via start tags that are placed within other start

tags, as demonstrated by a <bo<bo<bo<bo<body>dy>dy>dy>dy> sequence,

a different vulnerability than CVE-2010-4524 (CVE-2010-1677).

Cross-site scripting (XSS) vulnerability in lib/mhtxthtml.pl in

MHonArc 2.6.16 allows remote attackers to inject arbitrary web script

or HTML via a malformed start tag and end tag for a SCRIPT element,

as demonstrated by <scr<body>ipt> and </scr<body>ipt> sequences

(CVE-2010-4524).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to the latest version (2.6.18)

which is not vulnerable to these issues.

Buffer overflow in epan/dissectors/packet-enttec.c in Wireshark 1.4.2

allows remote attackers to cause a denial of service (application

crash) or possibly execute arbitrary code via a crafted ENTTEC DMX

packet with Run Length Encoding (RLE) compression (CVE-2010-4538).

The updated packages have been patched to correct this issue.

connection in the MSN code could potentially cause a denial of service.

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides pidgin 2.7.8 that has been patched to address

this flaw.

ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover

partnerships, allows remote attackers to cause a denial of service

(communications-interrupted state and DHCP client service loss)

by connecting to a port that is only intended for a failover peer,

as demonstrated by a Nagios check_tcp process check to TCP port 520

(CVE-2010-3616).

The updated packages have been patched to correct this issue.

error.php in PhpMyAdmin 3.3.8.1 and earlier allows remote attackers

to conduct cross-site scripting (XSS) attacks via a crafted BBcode

tag containing @ characters, as demonstrated using [a@url@page]

(CVE-2010-4480).

phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass

authentication and obtain sensitive information via a direct request

to phpinfo.php, which calls the phpinfo function (CVE-2010-4481).

This upgrade provides the latest phpmyadmin version for MES5 (3.3.9)

and patches the version for CS4 to address these vulnerabilities.

to the 3.2.1 version. Additionally a couple of Mandriva reported bugs

has been fixed as described as follows:

Openoffice.org status bar items got hidden whenever using

openoffice.org-kde4 package integration.

Viewing OpenOffice.org documents inside Firefox under 64bits 2010.1

version was not possible.

Additionally OpenOffice.org 3.2.1 requires saxon9 that is also provided

with this advisory.

xulrunner(Firefox, Thunderbird) to crash when trying to print (#61009).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

A double free vulnerability in libxml2 (xpath.c) allows remote

attackers to cause a denial of service or possibly have unspecified

other impact via vectors related to XPath handling (CVE-2010-4494).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

required version of NSPR (4.8.6) when building NSS (#61964).

Additionally the rootcerts package was updated with the latest

certdata.txt file from the mozilla cvs (20101202) and is also provided

with this advisory.

support. This advisory adds partitioning support to the mysql server.

Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that

the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are

vulnerable to XSS attacks due to some characters being converted to

angle brackets when displayed by the rendering engine. Sites using

these character encodings would thus be potentially vulnerable to

script injection attacks if their script filtering code fails to

strip out these specific characters (CVE-2010-3770).

Google security researcher Michal Zalewski reported that when a

window was opened to a site resulting in a network or certificate

error page, the opening site could access the document inside the

opened window and inject arbitrary content. An attacker could use

this bug to spoof the location bar and trick a user into thinking

they were on a different site than they actually were (CVE-2010-3774).

Mozilla security researcher moz_bug_r_a4 reported that the fix for

CVE-2010-0179 could be circumvented permitting the execution of

arbitrary JavaScript with chrome privileges (CVE-2010-3773).

Security researcher regenrecht reported via TippingPoint's Zero

Day Initiative that JavaScript arrays were vulnerable to an integer

overflow vulnerability. The report demonstrated that an array could

be constructed containing a very large number of items such that when

memory was allocated to store the array items, the integer value used

to calculate the buffer size would overflow resulting in too small a

buffer being allocated. Subsequent use of the array object could then

result in data being written past the end of the buffer and causing

memory corruption (CVE-2010-3767).

Security researcher regenrecht reported via TippingPoint's Zero Day

Initiative that a nsDOMAttribute node can be modified without informing

the iterator object responsible for various DOM traversals. This

flaw could lead to a inconsistent state where the iterator points

to an object it believes is part of the DOM but actually points to

some other object. If such an object had been deleted and its memory

reclaimed by the system, then the iterator could be used to call into

attacker-controlled memory (CVE-2010-3766).

Security researcher Gregory Fleischer reported that when a Java

LiveConnect script was loaded via a data: URL which redirects via a

meta refresh, then the resulting plugin object was created with the

wrong security principal and thus received elevated privileges such

as the abilities to read local files, launch processes, and create

network connections (CVE-2010-3775).

Mozilla added the OTS font sanitizing library to prevent downloadable

fonts from exposing vulnerabilities in the underlying OS font

code. This library mitigates against several issues independently

reported by Red Hat Security Response Team member Marc Schoenefeld

and Mozilla security researcher Christoph Diehl (CVE-2010-3768).

Security researcher wushi of team509 reported that when a XUL

tree had an HTML <div> element nested inside a

element then code attempting to display content in the XUL tree would

incorrectly treat the <div> element as a parent node to tree content

underneath it resulting in incorrect indexes being calculated for the

child content. These incorrect indexes were used in subsequent array

operations which resulted in writing data past the end of an allocated

buffer. An attacker could use this issue to crash a victim's browser

and run arbitrary code on their machine (CVE-2010-3772).

Security researcher echo reported that a web page could open a window

with an about:blank location and then inject an element

into that page which upon submission would redirect to a chrome:

document. The effect of this defect was that the original page would

wind up with a reference to a chrome-privileged object, the opened

window, which could be leveraged for privilege escalation attacks

(CVE-2010-3771).

Dirk Heinrich reported that on Windows platforms when document.write()

was called with a very long string a buffer overflow was caused in line

breaking routines attempting to process the string for display. Such

cases triggered an invalid read past the end of an array causing a

crash which an attacker could potentially use to run arbitrary code

on a victim's computer (CVE-2010-3769).

Mozilla developers identified and fixed several memory safety

bugs in the browser engine used in Firefox and other Mozilla-based

products. Some of these bugs showed evidence of memory corruption

under certain circumstances, and we presume that with enough effort

at least some of these could be exploited to run arbitrary code

(CVE-2010-3776, CVE-2010-3777).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

Update:

A mistake was done with the MDVSA-2010:251 and the MDVSA-2010:251-1

advisories where the localization files for firefox software was NOT

updated to the 3.6.13 version. The secteam wishes to apologise for

the unfortunate mistake and also wishes everyone a great christmas.

Regards // Santa Claus

Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that

the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are

vulnerable to XSS attacks due to some characters being converted to

angle brackets when displayed by the rendering engine. Sites using

these character encodings would thus be potentially vulnerable to

script injection attacks if their script filtering code fails to

strip out these specific characters (CVE-2010-3770).

Google security researcher Michal Zalewski reported that when a

window was opened to a site resulting in a network or certificate

error page, the opening site could access the document inside the

opened window and inject arbitrary content. An attacker could use

this bug to spoof the location bar and trick a user into thinking

they were on a different site than they actually were (CVE-2010-3774).

Mozilla security researcher moz_bug_r_a4 reported that the fix for

CVE-2010-0179 could be circumvented permitting the execution of

arbitrary JavaScript with chrome privileges (CVE-2010-3773).

Security researcher regenrecht reported via TippingPoint's Zero

Day Initiative that JavaScript arrays were vulnerable to an integer

overflow vulnerability. The report demonstrated that an array could

be constructed containing a very large number of items such that when

memory was allocated to store the array items, the integer value used

to calculate the buffer size would overflow resulting in too small a

buffer being allocated. Subsequent use of the array object could then

result in data being written past the end of the buffer and causing

memory corruption (CVE-2010-3767).

Security researcher regenrecht reported via TippingPoint's Zero Day

Initiative that a nsDOMAttribute node can be modified without informing

the iterator object responsible for various DOM traversals. This

flaw could lead to a inconsistent state where the iterator points

to an object it believes is part of the DOM but actually points to

some other object. If such an object had been deleted and its memory

reclaimed by the system, then the iterator could be used to call into

attacker-controlled memory (CVE-2010-3766).

Security researcher Gregory Fleischer reported that when a Java

LiveConnect script was loaded via a data: URL which redirects via a

meta refresh, then the resulting plugin object was created with the

wrong security principal and thus received elevated privileges such

as the abilities to read local files, launch processes, and create

network connections (CVE-2010-3775).

Mozilla added the OTS font sanitizing library to prevent downloadable

fonts from exposing vulnerabilities in the underlying OS font

code. This library mitigates against several issues independently

reported by Red Hat Security Response Team member Marc Schoenefeld

and Mozilla security researcher Christoph Diehl (CVE-2010-3768).

Security researcher wushi of team509 reported that when a XUL

tree had an HTML <div> element nested inside a

element then code attempting to display content in the XUL tree would

incorrectly treat the <div> element as a parent node to tree content

underneath it resulting in incorrect indexes being calculated for the

child content. These incorrect indexes were used in subsequent array

operations which resulted in writing data past the end of an allocated

buffer. An attacker could use this issue to crash a victim's browser

and run arbitrary code on their machine (CVE-2010-3772).

Security researcher echo reported that a web page could open a window

with an about:blank location and then inject an element

into that page which upon submission would redirect to a chrome:

document. The effect of this defect was that the original page would

wind up with a reference to a chrome-privileged object, the opened

window, which could be leveraged for privilege escalation attacks

(CVE-2010-3771).

Dirk Heinrich reported that on Windows platforms when document.write()

was called with a very long string a buffer overflow was caused in line

breaking routines attempting to process the string for display. Such

cases triggered an invalid read past the end of an array causing a

crash which an attacker could potentially use to run arbitrary code

on a victim's computer (CVE-2010-3769).

Mozilla developers identified and fixed several memory safety

bugs in the browser engine used in Firefox and other Mozilla-based

products. Some of these bugs showed evidence of memory corruption

under certain circumstances, and we presume that with enough effort

at least some of these could be exploited to run arbitrary code

(CVE-2010-3776, CVE-2010-3777).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

Update:

A mistake was done with the MDVSA-2010:251 advisory where the actual

firefox software was NOT updated to the 3.6.13 version which in

turn lead to that some packages wasn't rebuilt against the correct

version. The secteam wishes to apologise for the misfortunate mistake

and also wishes everyone a great christmas.

Regards // Santa Claus

connection in the MSN code could potentially cause a denial of service.

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides pidgin 2.7.8 that has been patched to address

this flaw.

Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird

before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do

not properly validate downloadable fonts before use within an operating

system's font implementation, which allows remote attackers to execute

arbitrary code via vectors related to @font-face Cascading Style Sheets

(CSS) rules (CVE-2010-3768).

The line-breaking implementation in Mozilla Firefox before 3.5.16 and

3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7,

and SeaMonkey before 2.0.11 on Windows does not properly handle long

strings, which allows remote attackers to execute arbitrary code

via a crafted document.write call that triggers a buffer over-read

(CVE-2010-3769).

Multiple unspecified vulnerabilities in the browser engine in Mozilla

Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before

3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 allow

remote attackers to cause a denial of service (memory corruption and

application crash) or possibly execute arbitrary code via unknown

vectors (CVE-2010-3776).

Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13

and Thunderbird 3.1.x before 3.1.7 allows remote attackers to cause

a denial of service (memory corruption and application crash) or

possibly execute arbitrary code via unknown vectors (CVE-2010-3777).

Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16,

Thunderbird before 3.0.11, and SeaMonkey before 2.0.11 allows

remote attackers to cause a denial of service (memory corruption and

application crash) or possibly execute arbitrary code via unknown

vectors (CVE-2010-3778).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

the Mandriva 2010.2 release.

A cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and

previous versions allows remote attackers to inject arbitrary web

script or HTML code via f and fp variables (CVE-2010-3906).

The updated packages have been patched to correct this issue.

Integer overflow in the NumberFormatter::getSymbol (aka

numfmt_get_symbol) function in PHP 5.3.3 and earlier allows

context-dependent attackers to cause a denial of service (application

crash) via an invalid argument (CVE-2010-4409).

The updated packages have been upgraded to php-intl-1.1.2 and patched

to correct this issue.

CS4/MES5/2009.0.

Key enhancements in PHP 5.2.15 include:

* Fixed bug #47643 (array_diff() takes over 3000 times longer than

php 5.2.4).

* Fixed bug #44248 (RFC2616 transgression while HTTPS request through

proxy with SoapClient object).

Additional post 5.2.15 fixes:

* Fixed bug #53516 (Regression in open_basedir handling).

* Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres

is down).

Additionally some of the PECL extensions has been upgraded and/or

rebuilt for the new php version.

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3,

and 9.7.x before 9.7.2-P3 does not properly handle the combination

of signed negative responses and corresponding RRSIG records in the

cache, which allows remote attackers to cause a denial of service

(daemon crash) via a query for cached data (CVE-2010-3613).

named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3,

9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not

properly determine the security status of an NS RRset during a DNSKEY

algorithm rollover, which might allow remote attackers to cause a

denial of service (DNSSEC validation error) by triggering a rollover

(CVE-2010-3614).

ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does

not properly handle certain bad signatures if multiple trust anchors

exist for a single zone, which allows remote attackers to cause a

denial of service (daemon crash) via a DNS query (CVE-2010-3762).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages for Corporate Server 4.0 has been patched to

address these issues.

The updated packages for Mandriva Linux 2009.0, 2010.0 and Mandriva

Linux Enterprise Server 5.1 has been upgraded to bind-9.6.2-P3 and

patched to address the CVE-2010-3762 security issue.

The updated packages for Mandriva Linux 2010.1 has been upgraded to

bind-9.7.2-P3 which is not vulnerable to these issues.

CRLF injection vulnerability in the header function in (1) CGI.pm

before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows

remote attackers to inject arbitrary HTTP headers and conduct HTTP

response splitting attacks via vectors related to non-whitespace

characters preceded by newline characters, a different vulnerability

than CVE-2010-2761 and CVE-2010-3172 (CVE-2010-4410).

The updated packages have been patched to correct this issue.

Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that

the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are

vulnerable to XSS attacks due to some characters being converted to

angle brackets when displayed by the rendering engine. Sites using

these character encodings would thus be potentially vulnerable to

script injection attacks if their script filtering code fails to

strip out these specific characters (CVE-2010-3770).

Google security researcher Michal Zalewski reported that when a

window was opened to a site resulting in a network or certificate

error page, the opening site could access the document inside the

opened window and inject arbitrary content. An attacker could use

this bug to spoof the location bar and trick a user into thinking

they were on a different site than they actually were (CVE-2010-3774).

Mozilla security researcher moz_bug_r_a4 reported that the fix for

CVE-2010-0179 could be circumvented permitting the execution of

arbitrary JavaScript with chrome privileges (CVE-2010-3773).

Security researcher regenrecht reported via TippingPoint's Zero

Day Initiative that JavaScript arrays were vulnerable to an integer

overflow vulnerability. The report demonstrated that an array could

be constructed containing a very large number of items such that when

memory was allocated to store the array items, the integer value used

to calculate the buffer size would overflow resulting in too small a

buffer being allocated. Subsequent use of the array object could then

result in data being written past the end of the buffer and causing

memory corruption (CVE-2010-3767).

Security researcher regenrecht reported via TippingPoint's Zero Day

Initiative that a nsDOMAttribute node can be modified without informing

the iterator object responsible for various DOM traversals. This

flaw could lead to a inconsistent state where the iterator points

to an object it believes is part of the DOM but actually points to

some other object. If such an object had been deleted and its memory

reclaimed by the system, then the iterator could be used to call into

attacker-controlled memory (CVE-2010-3766).

Security researcher Gregory Fleischer reported that when a Java

LiveConnect script was loaded via a data: URL which redirects via a

meta refresh, then the resulting plugin object was created with the

wrong security principal and thus received elevated privileges such

as the abilities to read local files, launch processes, and create

network connections (CVE-2010-3775).

Mozilla added the OTS font sanitizing library to prevent downloadable

fonts from exposing vulnerabilities in the underlying OS font

code. This library mitigates against several issues independently

reported by Red Hat Security Response Team member Marc Schoenefeld

and Mozilla security researcher Christoph Diehl (CVE-2010-3768).

Security researcher wushi of team509 reported that when a XUL

tree had an HTML <div> element nested inside a

element then code attempting to display content in the XUL tree would

incorrectly treat the <div> element as a parent node to tree content

underneath it resulting in incorrect indexes being calculated for the

child content. These incorrect indexes were used in subsequent array

operations which resulted in writing data past the end of an allocated

buffer. An attacker could use this issue to crash a victim's browser

and run arbitrary code on their machine (CVE-2010-3772).

Security researcher echo reported that a web page could open a window

with an about:blank location and then inject an element

into that page which upon submission would redirect to a chrome:

document. The effect of this defect was that the original page would

wind up with a reference to a chrome-privileged object, the opened

window, which could be leveraged for privilege escalation attacks

(CVE-2010-3771).

Dirk Heinrich reported that on Windows platforms when document.write()

was called with a very long string a buffer overflow was caused in line

breaking routines attempting to process the string for display. Such

cases triggered an invalid read past the end of an array causing a

crash which an attacker could potentially use to run arbitrary code

on a victim's computer (CVE-2010-3769).

Mozilla developers identified and fixed several memory safety

bugs in the browser engine used in Firefox and other Mozilla-based

products. Some of these bugs showed evidence of memory corruption

under certain circumstances, and we presume that with enough effort

at least some of these could be exploited to run arbitrary code

(CVE-2010-3776, CVE-2010-3777).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that

the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are

vulnerable to XSS attacks due to some characters being converted to

angle brackets when displayed by the rendering engine. Sites using

these character encodings would thus be potentially vulnerable to

script injection attacks if their script filtering code fails to

strip out these specific characters (CVE-2010-3770).

Google security researcher Michal Zalewski reported that when a

window was opened to a site resulting in a network or certificate

error page, the opening site could access the document inside the

opened window and inject arbitrary content. An attacker could use

this bug to spoof the location bar and trick a user into thinking

they were on a different site than they actually were (CVE-2010-3774).

Mozilla security researcher moz_bug_r_a4 reported that the fix for

CVE-2010-0179 could be circumvented permitting the execution of

arbitrary JavaScript with chrome privileges (CVE-2010-3773).

Security researcher regenrecht reported via TippingPoint's Zero

Day Initiative that JavaScript arrays were vulnerable to an integer

overflow vulnerability. The report demonstrated that an array could

be constructed containing a very large number of items such that when

memory was allocated to store the array items, the integer value used

to calculate the buffer size would overflow resulting in too small a

buffer being allocated. Subsequent use of the array object could then

result in data being written past the end of the buffer and causing

memory corruption (CVE-2010-3767).

Security researcher regenrecht reported via TippingPoint's Zero Day

Initiative that a nsDOMAttribute node can be modified without informing

the iterator object responsible for various DOM traversals. This

flaw could lead to a inconsistent state where the iterator points

to an object it believes is part of the DOM but actually points to

some other object. If such an object had been deleted and its memory

reclaimed by the system, then the iterator could be used to call into

attacker-controlled memory (CVE-2010-3766).

Security researcher Gregory Fleischer reported that when a Java

LiveConnect script was loaded via a data: URL which redirects via a

meta refresh, then the resulting plugin object was created with the

wrong security principal and thus received elevated privileges such

as the abilities to read local files, launch processes, and create

network connections (CVE-2010-3775).

Mozilla added the OTS font sanitizing library to prevent downloadable

fonts from exposing vulnerabilities in the underlying OS font

code. This library mitigates against several issues independently

reported by Red Hat Security Response Team member Marc Schoenefeld

and Mozilla security researcher Christoph Diehl (CVE-2010-3768).

Security researcher wushi of team509 reported that when a XUL tree

had an HTML <div> element nested inside a element then

code attempting to display content in the XUL tree would incorrectly

treat the <div> element as a parent node to tree content underneath

it resulting in incorrect indexes being calculated for the child

content. These incorrect indexes were used in subsequent array

operations which resulted in writing data past the end of an allocated

buffer. An attacker could use this issue to crash a victim's browser

and run arbitrary code on their machine (CVE-2010-3772).

Security researcher echo reported that a web page could open a window

with an about:blank location and then inject an element

into that page which upon submission would redirect to a chrome:

document. The effect of this defect was that the original page would

wind up with a reference to a chrome-privileged object, the opened

window, which could be leveraged for privilege escalation attacks

(CVE-2010-3771).

Dirk Heinrich reported that on Windows platforms when document.write()

was called with a very long string a buffer overflow was caused in line

breaking routines attempting to process the string for display. Such

cases triggered an invalid read past the end of an array causing a

crash which an attacker could potentially use to run arbitrary code

on a victim's computer (CVE-2010-3769).

Mozilla developers identified and fixed several memory safety

bugs in the browser engine used in Firefox and other Mozilla-based

products. Some of these bugs showed evidence of memory corruption

under certain circumstances, and we presume that with enough effort

at least some of these could be exploited to run arbitrary code

(CVE-2010-3776, CVE-2010-3777).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm

in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME

boundary string in multipart/x-mixed-replace content, which allows

remote attackers to inject arbitrary HTTP headers and conduct HTTP

response splitting attacks via crafted input that contains this value,

a different vulnerability than CVE-2010-3172 (CVE-2010-2761).

The updated packages have been patched to correct this issue.

looking for them, which makes simple apps like xmessage and xcalc

take almost 10 seconds to start on systems with a lot of fonts. This

update makes the application startup time go back to normal.

package wich require it (ie: heartbeat-stonith).

telnet was previously provided by telnet-client-krb5.

used, this caused the Qt4 ssh-askpass dialogue to get loaded before a

window manager was fully-started, preventing the user from entering the

passphrase as the dialogue never gets focus without a window manager

running. This update fixes this issue by insuring the '--noask'

option is used when logging into a DE (the Qt4 ssh-askpass dialogue

is only shown when the user opens a new terminal emulator window).

Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV

before 0.96.5 allow remote attackers to cause a denial of service

(application crash) or possibly execute arbitrary code via a crafted

PDF document (CVE-2010-4260, (CVE-2010-4479).

Off-by-one error in the icon_cb function in pe_icons.c in libclamav

in ClamAV before 0.96.5 allows remote attackers to cause a denial of

service (memory corruption and application crash) or possibly execute

arbitrary code via unspecified vectors. NOTE: some of these details

are obtained from third party information (CVE-2010-4261).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated clamav packages have been upgraded to the 0.96.5 version

that is not vulnerable to these issues.

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when

SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly

prevent modification of the ciphersuite in the session cache, which

allows remote attackers to force the use of an unintended cipher

via vectors involving sniffing network traffic to discover a session

identifier (CVE-2010-4180).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

The compat_alloc_user_space functions in include/asm/compat.h files

in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do

not properly allocate the userspace memory required for the 32-bit

compatibility layer, which allows local users to gain privileges by

leveraging the ability of the compat_mc_getsockopt function (aka the

MCAST_MSFILTER getsockopt support) to control a certain length value,

related to a stack pointer underflow issue, as exploited in the wild

in September 2010. (CVE-2010-3081)

The IA32 system call emulation functionality in

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2

on the x86_64 platform does not zero extend the %eax register after

the 32-bit entry path to ptrace is used, which allows local users to

gain privileges by triggering an out-of-bounds access to the system

call table using the %rax register. NOTE: this vulnerability exists

because of a CVE-2007-4573 regression. (CVE-2010-3301)

Integer overflow in the ext4_ext_get_blocks function in

fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local

users to cause a denial of service (BUG and system crash) via a

write operation on the last block of a large file, followed by a sync

operation. (CVE-2010-3015)

Additionally, the kernel has been updated to the stable version

2.6.31.14. A timeout bug in bnx2 has been fixed. Muting and unmuting

on VT1812/VT2002P now should work correctly. A fix for ACL decoding

on NFS was added. Rebooting on Dell Precision WorkStation T7400 was

corrected. Read balancing with RAID0 and RAID1 on drives larger then

2TB was also fixed. A more detailed description is available in the

package changelog and related tickets.

Thanks to Thomas Backlund and Herton Ronaldo Krzesinski for

contributions in this update.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

when started. Their appearance was also slightly different from

the expected. This update stops the error messages and fixes their

appearance.

* The libXaw package had a poor description. This updates improves

the package description and summary.

the right linking flags corrects the problem.

An unauthenticated remote attacker could alter a SAM-2 challenge,

affecting the prompt text seen by the user or the kind of response

sent to the KDC. Under some circumstances, this can negate the

incremental security benefit of using a single-use authentication

mechanism token. An unauthenticated remote attacker has a 1/256

chance of forging KRB-SAFE messages in an application protocol if the

targeted pre-existing session uses an RC4 session key. Few application

protocols use KRB-SAFE messages (CVE-2010-1323).

An unauthenticated remote attacker can forge GSS tokens that

are intended to be integrity-protected but unencrypted, if the

targeted pre-existing application session uses a DES session key. An

authenticated remote attacker can forge PACs if using a KDC that does

not filter client-provided PAC data. This can result in privilege

escalation against a service that relies on PAC contents to make

authorization decisions. An unauthenticated remote attacker has a 1/256

chance of swapping a client-issued KrbFastReq into a different KDC-REQ,

if the armor key is RC4. The consequences are believed to be minor

(CVE-2010-1324).

An authenticated remote attacker that controls a legitimate service

principal has a 1/256 chance of forging the AD-SIGNEDPATH signature

if the TGT key is RC4, allowing it to use self-generated evidence

tickets for S4U2Proxy, instead of tickets obtained from the user or

with S4U2Self. Configurations using RC4 for the TGT key are believed

to be rare. An authenticated remote attacker has a 1/256 chance of

forging AD-KDC-ISSUED signatures on authdata elements in tickets

having an RC4 service key, resulting in privilege escalation against

a service that relies on these signatures. There are no known uses

of the KDC-ISSUED authdata container at this time (CVE-2010-4020.

An authenticated remote attacker that controls a legitimate service

principal could obtain a valid service ticket to itself containing

valid KDC-generated authorization data for a client whose TGS-REQ

it has intercepted. The attacker could then use this ticket for

S4U2Proxy to impersonate the targeted client even if the client never

authenticated to the subverted service. The vulnerable configuration

is believed to be rare (CVE-2010-4021).

The updated packages have been patched to correct this issue.

An unauthenticated remote attacker could alter a SAM-2 challenge,

affecting the prompt text seen by the user or the kind of response

sent to the KDC. Under some circumstances, this can negate the

incremental security benefit of using a single-use authentication

mechanism token. An unauthenticated remote attacker has a 1/256

chance of forging KRB-SAFE messages in an application protocol if the

targeted pre-existing session uses an RC4 session key. Few application

protocols use KRB-SAFE messages (CVE-2010-1323).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

It was possible to conduct a XSS attack using spoofed request on the

db search script (CVE-2010-4329).

This upgrade provides the latest phpmyadmin versions which is not

vulnerable to this security issue.

libxml2 before 2.7.8 reads from invalid memory locations

during processing of malformed XPath expressions, which allows

context-dependent attackers to cause a denial of service (application

crash) via a crafted XML document (CVE-2010-4008).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

fixing one security issue:

Heap-based buffer overflow in the dissect_ldss_transfer function

(epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark

1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers

to cause a denial of service (crash) and possibly execute arbitrary

code via an LDSS packet with a long digest line that triggers memory

corruption (CVE-2010-4300).

latest version (2.7.7) that addresses various issues with upstream

service providers (icq, msn).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Binary Interface) was too old. The new version contains the necessary

ABI updates, so the driver can now work correctly.

gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length

directory name in the LD_LIBRARY_PATH, which allows local users to

gain privileges via a Trojan horse shared library in the current

working directory (CVE-2010-3999).

The affected /usr/bin/gnc-test-env file has been removed to mitigate

the CVE-2010-3999 vulnerability as gnc-test-env is only used for

tests and while building gnucash.

Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible

with guile. This update adapts gnucash to the new API of guile.

Untrusted search path vulnerability in metadata/loader.c in Mono 2.8

and earlier allows local users to gain privileges via a Trojan horse

shared library in the current working directory (CVE-2010-4159).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

on kolab web interface, this update fixes this issue.