-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2008:014
Date: Fri, 04 Jul 2008 15:00:00 +0000
Cross-References: CVE-2004-0918, CVE-2008-0887, CVE-2008-1096
CVE-2008-1097, CVE-2008-1384, CVE-2008-1806
CVE-2008-1807, CVE-2008-1808, CVE-2008-1947
CVE-2008-2050, CVE-2008-2051, CVE-2008-2107
CVE-2008-2357, CVE-2008-2371, CVE-2008-2667
CVE-2008-2713
Content of this advisory:
1) Solved Security Vulnerabilities:
- sudo not flushing stdin
- courier-authlib SQL injection possibility
- gnome-screensaver
- clamav 0.93.1
- php5 security update
- ImageMagick, GraphicsMagick security problems
- mtr potential remote overflow
- bind root zone update
- pcre buffer overflow
- tomcat55 and tomcat6 cross site scripting problem
- squid denial of service problem in ASN.1 parsing
- freetype2 various integer overflows
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
None listed this week.
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. Unlike the SUSE Security Announcements that are released
for more severe vulnerabilities, the SUSE Security Summary Reports do not list
download URLs.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- sudo not flushing stdin
This update of sudo flushes the stdin buffer on password
timeout. Unflushed buffers can lead to leaking the password via a
parent process reading stdin after sudo exits.
This issue only affects openSUSE 10.3 and was fixed there.
- courier-authlib SQL injection possibility
courier-authlib was updated to fix a bug that allowed SQL
injections. (CVE-2008-2667)
Only openSUSE 10.3 and 11.0 were affected.
- gnome-screensaver
Using gnome-screensaver an attacker could log in without a valid
password if the NIS server is down. (CVE-2008-0887)
gnome-screensaver was affected on SUSE Linux Enterprise 10, SUSE
Linux 10.1, openSUSE 10.2 and 10.3 and was fixed there.
- clamav 0.93.1
Clamav was updated to version 0.93.1. It fixes various bugs and
one minor security issue:
CVE-2008-2713: libclamav/petite.c in ClamAV before 0.93.1 allows
remote attackers to cause a denial of service via a crafted Petite
file that triggers an out-of-bounds read.
clamav was updated on all products containing clamav.
- php5 security update
php5 was updated to fix various bugs and security problems:
- possible stack-based buffer overflow CVE-2008-2050
- incomplete escapeshellcmd() CVE-2008-2051
- printf() integer overflow CVE-2008-1384
- insecure GENERATE_SEED macro CVE-2008-2107
- timezone update for DST in Pakistan
On openSUSE 10.2 up to 11.0 php5 was updated to 5.2.6. For SUSE
Linux Enterprise 10 SP1 and SP2 the fixes were backported.
- ImageMagick, GraphicsMagick security problems
ImageMagick and GraphicsMagick were affected by two security problems:
CVE-2008-1096: Buffer overflow in the handling of XCF files
CVE-2008-1097: Heap buffer overflow in the handling of PCX files
ImageMagick was updated on all products. GraphicsMagick is only
found on openSUSE 10.3 and 11.0 and was updated there.
- mtr potential remote overflow
MTR was updated to fix a stack-based buffer overflow which could
potentially be exploited by a remote attacker to execute arbitrary
code (CVE-2008-2357).
mtr was updated on all SUSE Linux based products.
- bind root zone update
The IP address of the "L" root DNS server changed.
This patch updates the root.hint zone file to carry the new address.
This is only security related and not a true vulnerability, since the
old server is still operating correctly.
- pcre buffer overflow
Specially crafted regular expressions could lead to a buffer overflow
in the pcre library. Applications using pcre to process regular
expressions from untrusted sources could therefore potentially be
exploited by attackers to execute arbitrary code (CVE-2008-2371).
Only the pcre version on openSUSE 10.3 was affected by this problem
and received fixed packages.
- tomcat55 and tomcat6 cross site scripting problem
tomcat was updated to fix a cross-site scripting vulnerability in
the host-manager. (CVE-2008-1947)
Since the problem only affects tomcat 5.5 and tomcat 6, only those
versions were fixed, on openSUSE 10.3 and 11.0. Other products were not
affected.
- squid denial of service problem in ASN.1 parsing
Squid was updated to fix an old denial-of-service bug that can
occur while parsing ASN.1 data. (CVE-2004-0918)
More details can be found on:
http://www.squid-cache.org/Advisories/SQUID-2008_1.txt
Only Squid 3.0 was affected, which is only on openSUSE 11.0 and
was fixed there.
- freetype2 various integer overflows
This update of freetype2 fixes several potential vulnerabilities
reported by iDefense.
CVE-2008-1806: Integer overflow in FreeType2 allows context-dependent
attackers to execute arbitrary code via a crafted set of 16-bit
length values within the Private dictionary table in a Printer Font
Binary (PFB) file, which triggers a heap-based buffer overflow.
CVE-2008-1807: FreeType2 allows context-dependent attackers to execute
arbitrary code via an invalid "number of axes" field in a Printer
Font Binary (PFB) file, which triggers a free of arbitrary memory
locations, leading to memory corruption.
CVE-2008-1808: Multiple off-by-one errors in FreeType2 before 2.3.6
allow context-dependent attackers to execute arbitrary code via
(1) a crafted table in a Printer Font Binary (PFB) file or (2)
a crafted SHC instruction in a TrueType Font (TTF) file, which
triggers a heap-based buffer overflow.
Freetype2 was updated on all distributions.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None listed this week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
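The verification step above relies on a human reading gpg's text output. The following script is an added example, not part of the SUSE advisory, that does the same check with gpg's machine-readable status lines (gpg --status-fd) so it can be scripted: it only reports success when a GOODSIG status line names a key whose ID ends in the 3D25D3D9 key ID quoted above. It assumes the SUSE key is already imported into the local keyring; the file name used in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): script the signature check
# using gpg's status output instead of its human-readable messages.
# The short key ID below is the one quoted in the advisory; gpg's status
# lines carry the long (16 hex digit) key ID, so we match on its suffix.
EXPECTED_KEYID="3D25D3D9"

# check_status reads "gpg --status-fd 1" output on stdin and returns 0 only
# if a GOODSIG line refers to a key whose ID ends with the expected short ID.
# BADSIG, ERRSIG, NO_PUBKEY or a GOODSIG from another key all return 1.
check_status() {
    want="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                # field 3 is the long key ID, the rest is the user ID string
                keyid=$(printf '%s\n' "$line" | awk '{print $3}')
                case "$keyid" in
                    *"$want") return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# verify_announcement runs gpg over the saved announcement text and feeds
# the status lines to check_status. Exit status 0 means "good signature
# from the expected key"; anything else should be treated as unverified.
verify_announcement() {
    file="$1"
    gpg --batch --status-fd 1 --verify "$file" 2>/dev/null \
        | check_status "$EXPECTED_KEYID"
}

# Usage (file name is a placeholder for the saved announcement):
#   verify_announcement SUSE-SR-2008-014.txt && echo "signature OK"
```

Matching on the key ID is what the advisory asks for; in practice also compare the key's full fingerprint when importing it, because a short key ID is only the last 32 bits of the fingerprint.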