-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:015
Date: Fri, 03 Aug 2007 15:00:00 +0000
Cross-References: CVE-2007-0450, CVE-2007-1002, CVE-2007-1429
CVE-2007-2727, CVE-2007-2728, CVE-2007-2748
CVE-2007-2949, CVE-2007-2951, CVE-2007-3142
CVE-2007-3387, CVE-2007-3389, CVE-2007-3390
CVE-2007-3391, CVE-2007-3392, CVE-2007-3393
CVE-2007-3472, CVE-2007-3475, CVE-2007-3476
CVE-2007-3477, CVE-2007-3478, CVE-2007-3641
CVE-2007-3644, CVE-2007-3645, CVE-2007-3725
CVE-2007-3762, CVE-2007-3763, CVE-2007-3764
CVE-2007-3799, CVE-2007-3819, CVE-2007-3929
CVE-2007-3946, CVE-2007-3947, CVE-2007-3948
CVE-2007-3949, CVE-2007-3950
Content of this advisory:
1) Solved Security Vulnerabilities:
- PHP security problems
- moodle remote file inclusion
- tomcat5 directory traversal
- lighttpd various security problems
- asterisk various security problems
- libarchive security problems
- xpdf buffer overflow
- evolution format string problem in memo viewer
- kvirc command execution
- wireshark / ethereal security problems
- gd various integer overflows
- opera 9.22 release
- clamav 0.91.1 release
- gimp integer overflow in PSD handling
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Mozilla Firefox 2.0.0.6
- Kernel Update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- PHP security problems
Multiple security bugs were fixed in PHP:
- Predictable generation of an initialization vector (IV) in the
mcrypt extension (CVE-2007-2727)
- Additional cookie attributes could be injected via a session id
(CVE-2007-3799)
- Specially crafted image files could trigger integer overflows in gd
and use them to at least crash gd-based applications
(CVE-2007-3472, CVE-2007-3475, CVE-2007-3476, CVE-2007-3477,
CVE-2007-3478)
These GD fixes apply to a copy of the GD library in the PHP sources.
- Insufficient validation of parameters in the substr_count function
(CVE-2007-2748).
- Predictable generation of an initialization vector (IV) in the
soap extension (CVE-2007-2728)
PHP4 and PHP5 packages were updated for all SUSE Linux distributions.
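The cookie-attribute injection above (CVE-2007-3799) comes down to a session id being copied verbatim into a Set-Cookie header: any ';' in an attacker-supplied id starts a new cookie attribute such as domain= or path=. The following is an added illustration, not code from the advisory or from PHP itself; the character whitelist, the header layout and the sample ids are assumptions chosen to show the pattern and its fix.

```python
import re

# Whitelist of characters a legitimate session id may contain. The exact
# alphabet is an assumption for this example, not a quote of PHP's fix.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{1,128}$")


def is_valid_session_id(sid: str) -> bool:
    """True if sid consists only of whitelisted characters."""
    return bool(SESSION_ID_RE.match(sid))


def set_cookie_header_unchecked(name: str, sid: str) -> str:
    """Vulnerable pattern: the id goes into the header unmodified, so any
    ';' inside it terminates the value and injects further attributes."""
    return f"Set-Cookie: {name}={sid}; path=/"


def set_cookie_header_checked(name: str, sid: str) -> str:
    """Hardened variant: refuse ids outside the whitelist instead of
    emitting them into a response header."""
    if not is_valid_session_id(sid):
        raise ValueError("rejected session id with illegal characters")
    return f"Set-Cookie: {name}={sid}; path=/"


def cookie_attributes(header: str) -> list:
    """Return the ';'-separated attributes of a Set-Cookie header, i.e.
    everything after the name=value pair, with whitespace stripped.
    Used here to show what an injected id actually adds to the cookie."""
    _, _, value = header.partition(": ")
    parts = [p.strip() for p in value.split(";")]
    return parts[1:]


# Constructed inputs: an id as it might arrive in a request parameter.
INJECTED_SID = "abc123; domain=attacker.example"   # carries an extra attribute
NORMAL_SID = "o7b4Hc2q,9Xz"                        # only whitelisted characters

if __name__ == "__main__":
    bad = set_cookie_header_unchecked("PHPSESSID", INJECTED_SID)
    print(bad)
    print("attributes seen by the browser:", cookie_attributes(bad))
    try:
        set_cookie_header_checked("PHPSESSID", INJECTED_SID)
    except ValueError as err:
        print("hardened version:", err)
    print(set_cookie_header_checked("PHPSESSID", NORMAL_SID))
```

The unchecked header ends up with an attacker-chosen domain attribute ahead of the server's own path attribute; the checked variant never builds a header from an id that fails the whitelist. Validating the id on input, before it reaches any header or storage layer, is the general fix for this class of bug.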
- moodle remote file inclusion
Moodle was updated to 1.7.2 to fix several problems, including a
remote file inclusion (CVE-2007-1429).
Moodle is only on openSUSE 10.2 and was fixed there.
- Tomcat5 directory traversal
Tomcat5 was updated to fix a problem where certain characters in the
URL were not properly filtered. This allowed directory traversal
attacks that gave access to the web root of Tomcat. (CVE-2007-0450)
This affected all our distributions containing tomcat5.
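Directory traversal of the kind described above relies on path segments that only become ".." or a separator after percent-decoding or after a backslash is interpreted as a slash. The example below is added here and is not Tomcat's code or its fix; it shows a request-path normalizer that decodes first, then resolves traversal segments and refuses to climb above the web root. The web root path, the treatment of backslash as a separator and the WEB-INF/META-INF rule are assumptions for this illustration (the latter two directories are the ones the servlet specification says must never be served).

```python
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/tomcat/webapps/ROOT"        # constructed example root
FORBIDDEN_TOP_DIRS = {"WEB-INF", "META-INF"}  # never served to clients


def normalize_request_path(raw_path: str) -> Optional[str]:
    """Return a canonical path relative to the web root, or None if the
    request escapes the root or targets a protected directory.

    Order matters: percent-decode once and map backslash to '/' before
    looking for '..', otherwise '%2e%2e%2f' or '..%5c' slip through.
    """
    path = unquote(raw_path)           # '%2e%2e%2f' -> '../', '%5c' -> '\\'
    path = path.replace("\\", "/")     # assumption: backslash acts as separator
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                   # empty or current-dir segment
        if segment == "..":
            if not stack:
                return None            # would climb above the web root
            stack.pop()
            continue
        if "\0" in segment:
            return None                # NUL would truncate in C callers
        stack.append(segment)
    if stack and stack[0].upper() in FORBIDDEN_TOP_DIRS:
        return None                    # protected directory reached
    return "/" + "/".join(stack)


def resolve_in_web_root(raw_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path to a filesystem path, or None if it is refused."""
    normalized = normalize_request_path(raw_path)
    if normalized is None:
        return None
    return web_root + normalized


if __name__ == "__main__":
    # Constructed request paths, benign and malicious.
    for p in ("/docs/./guide.html",
              "/app/%2e%2e/index.jsp",
              "/app/../../etc/passwd",
              "/..%5cWEB-INF/web.xml",
              "/app/images/%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml"):
        print(f"{p:50s} -> {resolve_in_web_root(p)}")
```

The check has to run on the same decoded form that is later used to open the file; if a front end (a proxy, say) and the back end decode differently, one of them sees a harmless path while the other sees the traversal, which is exactly the gap a filter on raw URL characters tries to close.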
- lighttpd various security problems
Multiple bugs in lighttpd allowed remote attackers to crash lighttpd,
circumvent access restrictions or even execute code.
These issues are tracked by the Mitre CVE ids:
CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949,
CVE-2007-3950
and have been fixed for SUSE Linux Enterprise 10, SUSE Linux 10.1
and openSUSE 10.2.
- Asterisk various security problems
The Open Source PBX Asterisk was updated to fix multiple bugs
that allowed remote attackers to crash the asterisk server or even
execute arbitrary code depending on configuration (CVE-2007-3762,
CVE-2007-3763, CVE-2007-3764).
Asterisk was fixed for SUSE Linux 10.0, SUSE Linux 10.1 and
openSUSE 10.2.
- libarchive security problems
Several problems in libarchive were fixed.
Specially crafted tar-archives could cause programs based on
libarchive to crash, to run into an endless loop or potentially
to even execute arbitrary code (CVE-2007-3641, CVE-2007-3644,
CVE-2007-3645).
- xpdf buffer overflow
A buffer overflow in xpdf could be exploited by attackers to
potentially execute arbitrary code (CVE-2007-3387).
Various other tools contain copies of the xpdf code and are also
being updated. (poppler, libextractor, kdegraphics3-pdf, etc.)
We have released some of those packages (xpdf, kdegraphics3-pdf)
already and will release the others soon.
- evolution format string problem in memo viewer
Format string problems in the Memo Viewer of evolution could
be used to potentially execute code when viewing shared memos.
(CVE-2007-1002)
Affected are evolution of SLE 10, SUSE Linux 10.1 and openSUSE 10.2.
For SLE10 the fix was released with Service Pack 1 already, the
others have received their update now.
- kvirc command execution
A bug in the IRC-URI parser allowed attackers to execute arbitrary
commands by tricking a user into opening a specially crafted URI
in kvirc (CVE-2007-2951).
Updated packages have been released for SUSE Linux 10.0 - 10.2.
- wireshark / ethereal security problems
Various security problems were fixed in the wireshark 0.99.6 release,
which were back-ported to wireshark / ethereal:
CVE-2007-3389: Wireshark allowed remote attackers to cause a
denial of service (crash) via a crafted chunked encoding in an HTTP
response, possibly related to a zero-length payload.
CVE-2007-3390: Wireshark, when running on certain systems, allowed
remote attackers to cause a denial of service (crash) via crafted
iSeries capture files that trigger a SIGTRAP.
CVE-2007-3391: Wireshark allowed remote attackers to cause a denial
of service (memory consumption) via a malformed DCP ETSI packet
that triggers an infinite loop.
CVE-2007-3392: Wireshark allowed remote attackers to cause a denial
of service via malformed (1) SSL or (2) MMS packets that trigger
an infinite loop.
CVE-2007-3393: Off-by-one error in the DHCP/BOOTP dissector in
Wireshark allowed remote attackers to cause a denial of service
(crash) via crafted DHCP-over-DOCSIS packets.
- gd various integer overflows
This update fixes multiple integer overflows in the gd library.
Specially crafted image files could trigger them to at least crash
gd-based applications (CVE-2007-3472, CVE-2007-3475, CVE-2007-3476,
CVE-2007-3477, CVE-2007-3478).
GD was updated for all SUSE Linux products, the update was released
on July 24th.
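The gd integer overflows listed here and in the PHP entry above, like the GIMP PSD issue later in this report, share one shape: image dimensions read from the file are multiplied into an allocation size, the product wraps, and a buffer far too small is allocated for the pixel data that follows. The example below is added for illustration and is not gd's, PHP's or GIMP's code. Python integers do not overflow, so the 32-bit wraparound is modelled explicitly with a mask, and the 8-byte header format is a constructed stand-in, not gd's or PSD's real layout.

```python
import struct

SIZE_MAX_32 = 0xFFFFFFFF   # models size_t on a 32-bit build (assumption)


def unchecked_alloc_size(width: int, height: int, bytes_per_pixel: int) -> int:
    """Vulnerable computation: width * height * bpp in 32-bit unsigned
    arithmetic wraps silently, so a huge image yields a tiny allocation
    that the subsequent pixel copy overruns."""
    return (width * height * bytes_per_pixel) & SIZE_MAX_32


def checked_alloc_size(width: int, height: int, bytes_per_pixel: int) -> int:
    """Hardened version: reject dimensions whose product cannot fit.
    The bounds are tested with division so the test itself cannot wrap."""
    if width <= 0 or height <= 0 or bytes_per_pixel <= 0:
        raise ValueError("non-positive dimension")
    if width > SIZE_MAX_32 // bytes_per_pixel:
        raise ValueError("row size overflows")
    row_bytes = width * bytes_per_pixel
    if height > SIZE_MAX_32 // row_bytes:
        raise ValueError("image size overflows")
    return row_bytes * height


def parse_dimensions(header: bytes) -> tuple:
    """Read width and height from a constructed 8-byte header
    (two big-endian uint32 values). Stand-in format for the example."""
    if len(header) < 8:
        raise ValueError("short header")
    return struct.unpack(">II", header[:8])


# Constructed inputs: a crafted header and a benign one.
CRAFTED_HEADER = struct.pack(">II", 0x10000, 0x10001)   # 65536 x 65537 pixels
BENIGN_HEADER = struct.pack(">II", 640, 480)

if __name__ == "__main__":
    for label, hdr in (("benign", BENIGN_HEADER), ("crafted", CRAFTED_HEADER)):
        w, h = parse_dimensions(hdr)
        print(f"{label}: {w}x{h}, unchecked size = {unchecked_alloc_size(w, h, 4)}")
        try:
            print(f"{label}: checked size = {checked_alloc_size(w, h, 4)}")
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

For the crafted header the unchecked size collapses to 262144 bytes, although the image would need 16 GiB; the checked version refuses it before anything is allocated. The same division-based check is what a C decoder should do before calling malloc on a size derived from untrusted dimensions.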
- Opera 9.22 release
Opera was updated to version 9.22 on July 24 to fix numerous defects
including some security problems. (CVE-2007-3929, CVE-2007-3819,
CVE-2007-3142)
- Clamav 0.91.1 release
This update to clamav 0.91.1 fixes, among other things, the long
startup time of version 0.90.3 as well as a possibility to crash
clamav with specially crafted RAR archives (CVE-2007-3725).
clamav was updated for all SUSE Linux based products that contain
clamav.
- gimp integer overflow in PSD handling
The image editor GIMP was updated to fix an integer overflow in the
handling of PSD files. By providing a crafted PSD file and tricking
the user into opening it, an attacker could execute code. (CVE-2007-2949)
GIMP was updated for all affected SUSE Linux products.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Mozilla Firefox 2.0.0.6
We will likely skip the Firefox 2.0.0.6 update and roll the fixes
into the 2.0.0.7 release in a few weeks, since most problems fixed
are Windows only.
- Kernel Update
We are currently preparing a kernel update for SUSE Linux Enterprise
10 and SUSE Linux 10.1. A release date is not yet set.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team