Posts posted by paul
-
Multiple vulnerabilities were discovered and corrected in freetype2:
An error exists in the "ft_var_readpackedpoints()" function in
src/truetype/ttgxvar.c when processing TrueType GX fonts and can
be exploited to cause a heap-based buffer overflow via a specially
crafted font (CVE-2010-3855).
The updated packages have been patched to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in cups:
Cross-site request forgery (CSRF) vulnerability in the web interface
in CUPS allows remote attackers to hijack the authentication of
administrators for requests that change settings (CVE-2010-0540).
The _WriteProlog function in texttops.c in texttops in the Text Filter
subsystem in CUPS before 1.4.4 does not check the return values
of certain calloc calls, which allows remote attackers to cause a
denial of service (NULL pointer dereference or heap memory corruption)
or possibly execute arbitrary code via a crafted file (CVE-2010-0542).
The web interface in CUPS reads uninitialized memory during handling
of form variables, which allows context-dependent attackers to obtain
sensitive information from cupsd process memory via unspecified vectors
(CVE-2010-1748).
The cupsFileOpen function in CUPS before 1.4.4 allows local users,
with lp group membership, to overwrite arbitrary files via a
symlink attack on the (1) /var/cache/cups/remote.cache or (2)
/var/cache/cups/job.cache file (CVE-2010-2431).
ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate
memory for attribute values with invalid string data types, which
allows remote attackers to cause a denial of service (use-after-free
and application crash) or possibly execute arbitrary code via a
crafted IPP request (CVE-2010-2941).
The updated packages have been upgraded to cups 1.3.10 and patched
to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in cups:
Cross-site request forgery (CSRF) vulnerability in the web interface
in CUPS allows remote attackers to hijack the authentication of
administrators for requests that change settings (CVE-2010-0540).
The _WriteProlog function in texttops.c in texttops in the Text Filter
subsystem in CUPS before 1.4.4 does not check the return values
of certain calloc calls, which allows remote attackers to cause a
denial of service (NULL pointer dereference or heap memory corruption)
or possibly execute arbitrary code via a crafted file (CVE-2010-0542).
The web interface in CUPS reads uninitialized memory during handling
of form variables, which allows context-dependent attackers to obtain
sensitive information from cupsd process memory via unspecified vectors
(CVE-2010-1748).
The cupsFileOpen function in CUPS before 1.4.4 allows local users,
with lp group membership, to overwrite arbitrary files via a
symlink attack on the (1) /var/cache/cups/remote.cache or (2)
/var/cache/cups/job.cache file (CVE-2010-2431).
ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate
memory for attribute values with invalid string data types, which
allows remote attackers to cause a denial of service (use-after-free
and application crash) or possibly execute arbitrary code via a
crafted IPP request (CVE-2010-2941).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
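The cupsFileOpen issue above (CVE-2010-2431) is the classic symlink race: a daemon writes a cache file into a directory that a less-trusted group can also write to, and a member of that group replaces the file with a symlink to something the daemon can overwrite. The following is an added example, not CUPS code, showing the naive open beside a hardened one that refuses to follow a symlink at the final component and then verifies the opened descriptor. The scratch directory, the file names and the file contents are constructed for the demonstration; the function names are the example's own.

```c
/* Added example (not CUPS code): opening a cache file in a directory that a
 * less-trusted group can write to, without following a symlink planted there.
 * The defence is O_NOFOLLOW on the final path component plus an fstat() check
 * on the opened descriptor.  Directory, file names and contents below are
 * constructed for the demonstration. */
#define _GNU_SOURCE
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a plain open() follows a symlink at
 * `path`, so the daemon ends up writing wherever the link points. */
int open_cache_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
}

/* Hardened variant: a symlink at the final component makes open() fail with
 * ELOOP; after opening, insist on a regular file with a single link so a
 * hard link to a victim file is rejected too.  Returns a descriptor or -1. */
int open_cache_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read the first line of `path` into buf; returns 1 on success. */
static int read_first_line(const char *path, char *buf, size_t sz)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    int ok = fgets(buf, (int)sz, f) != NULL;
    fclose(f);
    return ok;
}

/* Stage the attack in a scratch directory: "job.cache" is a symlink to a
 * victim file.  Returns 1 when the naive open clobbers the victim through
 * the link while the hardened open refuses it with ELOOP, 0 otherwise. */
int demo_symlink_attack(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[300], victim[400], link[400], line[64];
    snprintf(dir, sizeof dir, "%s/cache-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/job.cache", dir);

    FILE *f = fopen(victim, "w");
    if (!f) { rmdir(dir); return 0; }
    fputs("original\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) { unlink(victim); rmdir(dir); return 0; }

    int fd = open_cache_naive(link);            /* follows the link */
    if (fd >= 0) {
        ssize_t w = write(fd, "clobbered\n", 10);
        (void)w;
        close(fd);
    }
    int clobbered = read_first_line(victim, line, sizeof line)
                    && strcmp(line, "clobbered\n") == 0;

    int hfd = open_cache_nofollow(link);        /* must fail with ELOOP */
    int refused = (hfd < 0 && errno == ELOOP);
    if (hfd >= 0)
        close(hfd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered && refused;
}

int main(void)
{
    printf("naive open clobbered victim and hardened open refused: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only covers the last path component; if an attacker can also replace a parent directory with a symlink, the open still needs to walk the path component by component (openat with O_NOFOLLOW at each step), and the durable fix is to stop sharing a writable directory with the lp group at all.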
-
Multiple vulnerabilities were discovered and corrected in cups:
Cross-site request forgery (CSRF) vulnerability in the web interface
in CUPS allows remote attackers to hijack the authentication of
administrators for requests that change settings (CVE-2010-0540).
ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate
memory for attribute values with invalid string data types, which
allows remote attackers to cause a denial of service (use-after-free
and application crash) or possibly execute arbitrary code via a
crafted IPP request (CVE-2010-2941).
The updated packages have been patched to correct these issues.
-
This update fixes one bug:
In file
/usr/lib/perl5/vendor_perl/5.10.0/Ocsinventory/LoggerBackend/Syslog.pm
the third argument ({'USER'}) doesn't respect the
syslog protocol RFC 5424. It should be one listed in
http://perldoc.perl.org/Sys/Syslog.html#Facilities, in our case
LOG_USER.
-
Multiple vulnerabilities were discovered and corrected in poppler:
The Gfx::getPos function in the PDF parser in poppler allows
context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The PostScriptFunction::PostScriptFunction function in
poppler/Function.cc in the PDF parser in poppler allows
context-dependent attackers to cause a denial of service (crash)
via a PDF file that triggers an uninitialized pointer dereference
(CVE-2010-3703).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in poppler allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
The updated packages have been patched to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in poppler:
The Gfx::getPos function in the PDF parser in poppler allows
context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in poppler allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in kdegraphics:
The Gfx::getPos function in the PDF parser in kdegraphics allows
context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in kdegraphics allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
The updated packages have been patched to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in xpdf:
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5
allows context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in xpdf before 3.02pl5 allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
-
Due to a bug in the nss_updatedb package, old BDB transaction logs were
not removed from the /var/lib/misc directory, possibly filling the /var
filesystem. The fixed package corrects this bug, and will also remove
all leftover transaction logs from the system.
-
This is a bug and maintenance release of snort that fixes numerous
issues such as:
* Fix installer packages to include correct version of sensitive data
preprocessor for linux and Windows
* Eliminate false positives when using fast_pattern:only and having
only one http content in the pattern matcher.
* Address false positives in FTP preprocessor with string format
verification.
This advisory provides snort v2.8.6.1 where these problems have been
resolved.
-
This update fixes two major bugs:
- applog subscription/unsubscription needed to get a thread safe usage
of applog were buggy and not thread safe themselves.
- disabling slog usage from printout level > error was not respected.
-
Multiple vulnerabilities were discovered and corrected in proftpd:
Multiple directory traversal vulnerabilities in the mod_site_misc
module in ProFTPD before 1.3.3c allow remote authenticated users to
create directories, delete directories, create symlinks, and modify
file timestamps via directory traversal sequences in a (1) SITE
MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command
(CVE-2010-3867).
Multiple stack-based buffer overflows in the pr_netio_telnet_gets
function in netio.c in ProFTPD before 1.3.3c allow remote attackers
to execute arbitrary code via vectors involving a TELNET IAC escape
character to a (1) FTP or (2) FTPS server (CVE-2010-4221).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
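The two ProFTPD issues above are a path traversal in the SITE commands (CVE-2010-3867) and a missing length check while stripping Telnet IAC sequences from a command line (CVE-2010-4221). Below is an added example, not ProFTPD code, of the two checks a server of that kind needs: confine_path() resolves a client-supplied path lexically against the user's root and rejects any ".." that would climb above it, and telnet_gets() copies a command line while dropping IAC sequences with every output write bounds-checked, so an over-long line is rejected instead of overflowing the buffer. The root directory, the function names and the sample lines are the example's own.

```c
/* Added example (not ProFTPD code): two input checks for an FTP server.
 * confine_path() keeps a SITE MKDIR / RMDIR / SYMLINK / UTIME argument under
 * the user's root; telnet_gets() strips Telnet IAC sequences from a command
 * line without ever writing past the output buffer.  Root directory and
 * sample lines are constructed for the demonstration. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Join `rel` onto `root`, collapsing "." and "..".  Returns 1 and writes the
 * confined path to out, or 0 if ".." would escape root or out is too small. */
int confine_path(const char *root, const char *rel, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int depth = 0;
    const char *p = rel;

    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;               /* would climb above root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return 0;
        seg[depth] = start;
        len[depth] = n;
        depth++;
    }

    size_t used = strlen(root);
    if (used >= outsz)
        return 0;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + len[i] >= outsz)
            return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return 1;
}

static char confined_buf[256];

/* Wrapper for a fixed root: returns the confined path or NULL if rejected. */
const char *confined(const char *root, const char *rel)
{
    return confine_path(root, rel, confined_buf, sizeof confined_buf)
           ? confined_buf : NULL;
}

#define TN_IAC  255
#define TN_DONT 254
#define TN_DO   253
#define TN_WONT 252
#define TN_WILL 251

/* Copy one line from in[0..n) to out (outsz bytes, NUL-terminated), dropping
 * IAC command sequences and turning IAC IAC into one 0xFF data byte.
 * Returns the byte count written, or -1 if the line does not fit. */
int telnet_gets(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == TN_IAC) {
            if (i + 1 >= n)
                break;                  /* truncated sequence: drop it */
            unsigned char cmd = in[++i];
            if (cmd == TN_IAC) {
                if (o + 1 >= outsz)     /* escaped data byte still counts */
                    return -1;
                out[o++] = (char)TN_IAC;
            } else if (cmd >= TN_WILL && cmd <= TN_DONT) {
                i++;                    /* WILL/WONT/DO/DONT carry an option byte */
            }
            continue;
        }
        if (o + 1 >= outsz)
            return -1;                  /* the check the overflow lacked */
        out[o++] = (char)c;
        if (c == '\n')
            break;
    }
    out[o] = '\0';
    return (int)o;
}

char scratch[64];

int main(void)
{
    printf("a/../b -> %s\n", confined("/home/alice", "a/../b"));
    printf("../etc -> %s\n", confined("/home/alice", "../etc") ? scratch : "rejected");
    const unsigned char line[] = { 'U', 'S', TN_IAC, TN_WILL, 1, 'E', 'R', '\r', '\n' };
    int len = telnet_gets(line, sizeof line, scratch, sizeof scratch);
    printf("telnet_gets -> %d bytes: %s", len, scratch);
    return 0;
}
```

The confinement is lexical, so it stops ".." sequences but not a symlink already inside the tree that points outside it; SITE SYMLINK therefore needs the same check on both of its arguments, and the final resolution still has to happen relative to the server's chroot.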
-
Users who have migrated from gnote to tomboy and use online note
syncing could lose their notes. This update fixes the note parsing
to prevent data loss.
-
A dependency problem with the postgresql packages was discovered
which under certain circumstances prevented a smooth upgrade. This
advisory addresses this problem.
-
A vulnerability was discovered and corrected in ISC dhcp:
ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before
4.2.0-P1 allows remote attackers to cause a denial of service (crash)
via a DHCPv6 packet containing a Relay-Forward message without an
address in the Relay-Forward link-address field (CVE-2010-3611).
The updated packages have been upgraded to 4.1.2 which is not
vulnerable to this issue.
-
A vulnerability was discovered and corrected in libmbfl (php):
* Fix bug #53273 (mb_strcut() returns garbage with the excessive
length parameter) (CVE-2010-4156).
The updated packages have been patched to correct these issues.
Update:
The MDVSA-2010:225 advisory used the wrong patch to address the
problem, however it did fix the issue. This advisory provides the
correct upstream patch.
-
A vulnerability was discovered and corrected in libmbfl (php):
* Fix bug #53273 (mb_strcut() returns garbage with the excessive
length parameter) (CVE-2010-4156).
The updated packages have been patched to correct these issues.
Update:
The MDVSA-2010:225 advisory used the wrong patch to address the
problem, however it did fix the issue. This advisory provides the
correct upstream patch.
-
A vulnerability was discovered and corrected in libmbfl (php):
* Fix bug #53273 (mb_strcut() returns garbage with the excessive
length parameter) (CVE-2010-4156).
The updated packages have been patched to correct these issues.
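The libmbfl bug above (CVE-2010-4156) is a length that was not clamped to the string: mb_strcut() with a length larger than what remains reads past the buffer and returns garbage. As an added example, not libmbfl or PHP code, here is a UTF-8 byte-range cut that clamps the end to the buffer and then backs start and end up to character boundaries, which is the boundary behaviour mb_strcut() documents. The function names and the sample string are the example's own.

```c
/* Added example (not libmbfl/PHP code): a byte-range cut over a UTF-8 string
 * that clamps an over-large length to the buffer instead of reading past it,
 * and never splits a multibyte sequence.  The sample string is constructed
 * for the demonstration. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

static int utf8_is_cont(unsigned char c)
{
    return (c & 0xC0) == 0x80;          /* 10xxxxxx: continuation byte */
}

/* Cut up to `len` bytes from s[0..n) starting at byte offset `start`.
 * Writes the cut to out (outsz bytes, NUL-terminated) and returns the number
 * of bytes copied, or -1 if start is past the end or out is too small. */
int utf8_strcut(const char *s, size_t n, size_t start, size_t len,
                char *out, size_t outsz)
{
    if (start > n)
        return -1;

    /* Clamp: when len exceeds the remaining bytes the end stops at n.
     * Using start + len unchecked is what produced the garbage in the bug. */
    size_t remaining = n - start;
    size_t end = start + (len < remaining ? len : remaining);

    /* Move start back to the lead byte of the character it falls inside. */
    while (start > 0 && start < n && utf8_is_cont((unsigned char)s[start]))
        start--;
    /* Move end back so a trailing partial character is dropped, not split. */
    while (end > start && end < n && utf8_is_cont((unsigned char)s[end]))
        end--;

    size_t cnt = end - start;
    if (cnt >= outsz)
        return -1;
    memcpy(out, s + start, cnt);
    out[cnt] = '\0';
    return (int)cnt;
}

char cut_buf[64];

/* Convenience wrapper for a NUL-terminated string; returns the cut or NULL. */
const char *cut(const char *s, size_t start, size_t len)
{
    return utf8_strcut(s, strlen(s), start, len, cut_buf, sizeof cut_buf) < 0
           ? NULL : cut_buf;
}

int main(void)
{
    const char *s = "h\xc3\xa9llo";     /* "héllo": 6 bytes, 5 characters */
    printf("cut(0, 2)   -> \"%s\"\n", cut(s, 0, 2));    /* "h": 'é' not split */
    printf("cut(2, 2)   -> \"%s\"\n", cut(s, 2, 2));    /* "él": start backed up */
    printf("cut(1, 100) -> \"%s\"\n", cut(s, 1, 100));  /* "éllo": length clamped */
    return 0;
}
```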
-
Multiple vulnerabilities were discovered and corrected in mysql:
* During evaluation of arguments to extreme-value functions (such
as LEAST() and GREATEST()), type errors did not propagate properly,
causing the server to crash (CVE-2010-3833).
* The server could crash after materializing a derived table that
required a temporary table for grouping (CVE-2010-3834).
* A user-variable assignment expression that is evaluated in a logical
expression context can be precalculated in a temporary table for GROUP
BY. However, when the expression value is used after creation of the
temporary table, it was re-evaluated, not read from the table and a
server crash resulted (CVE-2010-3835).
* Pre-evaluation of LIKE predicates during view preparation could
cause a server crash (CVE-2010-3836).
* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash
(CVE-2010-3837).
* Queries could cause a server crash if the GREATEST() or LEAST()
function had a mixed list of numeric and LONGBLOB arguments, and
the result of such a function was processed using an intermediate
temporary table (CVE-2010-3838).
* Queries with nested joins could cause an infinite loop in the
server when used from stored procedures and prepared statements
(CVE-2010-3839).
* The PolyFromWKB() function could crash the server when improper
WKB data was passed to the function (CVE-2010-3840).
The updated packages have been patched to correct these issues.
-
A vulnerability was discovered and corrected in php:
A flaw in ext/xml/xml.c could cause a cross-site scripting (XSS)
vulnerability (CVE-2010-3870).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
-
Multiple vulnerabilities were discovered and corrected in mysql:
* Joins involving a table with a unique SET column could cause
a server crash (CVE-2010-3677).
* Use of TEMPORARY InnoDB tables with nullable columns could cause
a server crash (CVE-2010-3680).
* The server could crash if there were alternate reads from two
indexes on a table using the HANDLER interface (CVE-2010-3681).
* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY
(SELECT ... WHERE ...) could cause a server crash (CVE-2010-3682).
* During evaluation of arguments to extreme-value functions (such
as LEAST() and GREATEST()), type errors did not propagate properly,
causing the server to crash (CVE-2010-3833).
* The server could crash after materializing a derived table that
required a temporary table for grouping (CVE-2010-3834).
* A user-variable assignment expression that is evaluated in a logical
expression context can be precalculated in a temporary table for GROUP
BY. However, when the expression value is used after creation of the
temporary table, it was re-evaluated, not read from the table and a
server crash resulted (CVE-2010-3835).
* Pre-evaluation of LIKE predicates during view preparation could
cause a server crash (CVE-2010-3836).
* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash
(CVE-2010-3837).
* Queries could cause a server crash if the GREATEST() or LEAST()
function had a mixed list of numeric and LONGBLOB arguments, and
the result of such a function was processed using an intermediate
temporary table (CVE-2010-3838).
* Queries with nested joins could cause an infinite loop in the
server when used from stored procedures and prepared statements
(CVE-2010-3839).
* The PolyFromWKB() function could crash the server when improper
WKB data was passed to the function (CVE-2010-3840).
Additionally the default behaviour of using the mysqlmanager instead
of the mysqld_safe script has been reverted in the SysV init script
because of instability issues with the mysqlmanager.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been upgraded to mysql 5.0.91 and patched
to correct these issues.
-
Multiple vulnerabilities have been found and corrected in mysql:
MySQL before 5.1.48 allows remote authenticated users with alter
database privileges to cause a denial of service (server crash
and database loss) via an ALTER DATABASE command with a #mysql50#
string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or
similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which
causes MySQL to move certain directories to the server data directory
(CVE-2010-2008).
Additionally many security issues noted in the 5.1.49 release notes
have been addressed with this advisory as well, such as:
* LOAD DATA INFILE did not check for SQL errors and sent an OK packet
even when errors were already reported. Also, an assert related to
client-server protocol checking in debug servers sometimes was raised
when it should not have been. (Bug#52512) (CVE-2010-3683)
* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER
BY (SELECT ... WHERE ...) could cause a server crash. (Bug#52711)
(CVE-2010-3682)
* The server could crash if there were alternate reads from two indexes
on a table using the HANDLER interface. (Bug#54007) (CVE-2010-3681)
* A malformed argument to the BINLOG statement could result in Valgrind
warnings or a server crash. (Bug#54393) (CVE-2010-3679)
* Incorrect handling of NULL arguments could lead to a crash for IN()
or CASE operations when NULL arguments were either passed explicitly
as arguments (for IN()) or implicitly generated by the WITH ROLLUP
modifier (for IN() and CASE). (Bug#54477) (CVE-2010-3678)
* Joins involving a table with a unique SET column could cause
a server crash. (Bug#54575) (CVE-2010-3677)
* Use of TEMPORARY InnoDB tables with nullable columns could cause
a server crash. (Bug#54044) (CVE-2010-3680)
The updated packages have been patched to correct these issues.
Update:
Packages for 2009.1 were not provided with the MDVSA-2010:155
advisory. This advisory provides the missing packages.
-
Multiple vulnerabilities were discovered and corrected in
OpenOffice.org:
Integer overflow allows remote attackers to execute arbitrary code
via a crafted XPM file that triggers a heap-based buffer overflow
(CVE-2009-2949).
Heap-based buffer overflow allows remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via a crafted GIF file, related to LZW decompression (CVE-2009-2950).
Integer underflow allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
a crafted sprmTDefTable table property modifier in a Word document
(CVE-2009-3301).
A boundary error flaw allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
a crafted sprmTSetBrc table property modifier in a Word document
(CVE-2009-3302).
Lack of properly enforcing Visual Basic for Applications (VBA) macro
security settings, which allows remote attackers to run arbitrary
macros via a crafted document (CVE-2010-0136).
User-assisted remote attackers are able to bypass Python macro
security restrictions and execute arbitrary Python code via a crafted
OpenDocument Text (ODT) file that triggers code execution when the
macro directory structure is previewed (CVE-2010-0395).
Impress module does not properly handle integer values associated
with dictionary property items, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted PowerPoint document that triggers a
heap-based buffer overflow, related to an integer truncation error
(CVE-2010-2935).
Integer overflow in Impress allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via crafted polygons in a PowerPoint document that triggers a
heap-based buffer overflow (CVE-2010-2936).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update provides OpenOffice.org packages that have been patched to
correct these issues, and additional dependent packages.
-
Advisories MDVSA-2010:236: freetype2 in Mandriva Security Advisories
Multiple vulnerabilities were discovered and corrected in freetype2:
An error within the "Ins_SHZ()" function in src/truetype/ttinterp.c
when handling the "SHZ" bytecode instruction can be exploited to
cause a crash and potentially execute arbitrary code via a specially
crafted font (CVE-2010-3814).
An error exists in the "ft_var_readpackedpoints()" function in
src/truetype/ttgxvar.c when processing TrueType GX fonts and can
be exploited to cause a heap-based buffer overflow via a specially
crafted font (CVE-2010-3855).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.