-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:028
Date: Fri, 08 Dec 2006 17:00:00 +0000
Cross-References: CVE-2006-3334, CVE-2006-4513, CVE-2006-4810
CVE-2006-5793, CVE-2006-5864, CVE-2006-6172
CVE-2006-6235, CVE-2006-6332
Content of this advisory:
1) Solved Security Vulnerabilities:
- xine-lib realmedia overflow problem
- texinfo buffer overflows
- wv overflows
- libpng 2 denial of service
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- madwifi remote exploit
- next kernel update
- gpg stack corruption
- evince code execution
- koffice PPT document denial of service
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- xine-lib realmedia overflow problem
A bug in the XINE libraries that could have caused a buffer overflow
in the real media plugin has been fixed. (CVE-2006-6172)
It is not clear to us how exploitable this problem is.
All SUSE Linux based products including xine-lib were affected.
- texinfo buffer overflows
Specially crafted texinfo files could crash the texinfo
utilities. (CVE-2006-4810)
This problem affected all SUSE Linux based distributions.
- wv overflows
Two integer overflows were found in the Microsoft Word converter
library "wv", which could potentially be used to crash programs
using this library or even to execute code.
- An LVL Count Integer Overflow Vulnerability was fixed.
- An LFO Count Integer Overflow Vulnerability was fixed.
Both problems have been assigned the Mitre CVE ID CVE-2006-4513
and affect all SUSE Linux based products containing the "wv" package.
- libpng 2 denial of service
The sPLT chunk handling in libpng was incorrect and a handcrafted
PNG file could be used to cause an out-of-bounds read, effectively
crashing the PNG viewer or web browser. (CVE-2006-5793)
Additionally, a 2-byte stack overflow was fixed, which we do not
believe to be exploitable. It will cause an abort of the viewer
or web browser in SUSE Linux 10.0 and newer due to string overflow
checking. (CVE-2006-3334)
These problems were fixed for all SUSE Linux based distributions.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- madwifi remote exploit
A remotely exploitable vulnerability was found in the Atheros madwifi
driver.
On the version in SUSE Linux Enterprise Desktop 10 it is possible
for an attacker physically close (WLAN range) to the machine to
overflow a kernel stack buffer and execute code.
On SUSE Linux 9.3 and 10.0 it is possible for a physically close
attacker to cause a kernel crash, but no code execution.
SUSE Linux Enterprise Server 9 contains the Atheros driver, but is
not vulnerable to the problem due to the age of the driver.
Other SUSE Linux and openSUSE versions do not contain the Atheros
driver.
This issue is tracked by the Mitre CVE ID CVE-2006-6332.
We are currently preparing fixed packages.
- Next kernel update
We are currently preparing the next kernel update round of our 2.6
kernels, scheduled to be delivered before Christmas.
There are no outstanding critical security problems; the release
mainly rolls in fixes for local denial of service problems and
other bugfixes.
- gpg stack corruption
A stack corruption which potentially can lead to code execution
was found in the GNU Privacy Guard, versions 1 and 2. This issue
is tracked by the Mitre CVE ID CVE-2006-6235.
Updates are currently in QA.
- evince code execution
The PDF and PostScript viewer evince is also affected by the
PostScript-triggered stack overflow found in "gv", tracked by the
Mitre CVE ID CVE-2006-5864.
Updated packages for this problem are currently in QA.
- koffice PPT document denial of service
A denial of service (crash) with PPT documents was reported in the
Laola import filters of koffice.
QA found that those problems are not fully fixed yet and we are
currently reviewing and fixing the rest of them.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
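As an added example (not part of the SUSE advisory or its tooling): a POSIX shell check that accepts a saved announcement only when gpg reports a valid signature whose key ends in the advertised key ID 3D25D3D9, rather than any "Good signature" from a key that happens to be in the local keyring. The function names and the sample status lines are this example's own constructions.

```shell
#!/bin/sh
# Added example (not SUSE's own tooling): verify a saved announcement and
# insist that the signing key matches the key ID the advisory advertises.
# Function names are this example's own; EXPECTED_KEYID comes from the text.
EXPECTED_KEYID="3D25D3D9"

# check_status STATUS_TEXT KEYID
# Reads gpg's machine-readable --status-fd lines and succeeds only when a
# VALIDSIG line carries a fingerprint ending in KEYID and no BADSIG appears.
# "GOODSIG" alone is not enough: it fires for any key in the local keyring.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3)
            if (substr(fpr, length(fpr) - length(want) + 1) == toupper(want))
                ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_announcement FILE
# Runs gpg on the saved announcement text; the human-readable report goes to
# stderr and is discarded, only the status lines on stdout are inspected.
verify_announcement() {
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null)
    check_status "$status" "$EXPECTED_KEYID"
}

# Usage: sh verify-announcement.sh saved-announcement.txt
if [ "$#" -eq 1 ]; then
    if verify_announcement "$1"; then
        echo "accepted: valid signature from key ...$EXPECTED_KEYID"
    else
        echo "rejected: $1 (bad signature or unexpected key)" >&2
        exit 1
    fi
fi
```

The key itself still has to be fetched and checked out of band once; this script only ensures later announcements are signed by that same key.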