[security-announce] SUSE Security Summary Report SUSE-SR:2007:014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:014
Date: Fri, 20 Jul 2007 12:00:00 +0000
Cross-References: CVE-2005-4835, CVE-2006-4168, CVE-2006-7177
CVE-2006-7178, CVE-2006-7179, CVE-2006-7180
CVE-2007-0720, CVE-2007-1558, CVE-2007-2447
CVE-2007-2645, CVE-2007-2829, CVE-2007-2830
CVE-2007-2831, CVE-2007-2948, CVE-2007-3257
CVE-2007-3372
Content of this advisory:
1) Solved Security Vulnerabilities:
- MPlayer CDDB handling buffer overflow
- madwifi site remote denial of service problems
- samba bugfix regression update
- cups denial of service regression fix
- libexif denial of service problems
- evolution IMAP SEQUENCE buffer overflow
- mutt APOP password disclosure problem
- avahi local denial of service
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Mozilla Firefox/Thunderbird/Seamonkey update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- MPlayer CDDB handling buffer overflow
A buffer overflow in parsing of CDDB entries was fixed in MPlayer.
This could be exploited by malicious CDDB servers to inject
code. (CVE-2007-2948)
MPlayer is only shipped in SUSE Linux Desktop 1.0, and an update was
released for this product.
- Madwifi site remote denial of service problems
The madwifi driver and userland packages were updated to 0.9.3.1
to fix several denial of service problems.
Due to versioning problems that would have prevented the madwifi KMP
RPMs from being installed, the RPM version still says "0.9.3"; the
content is the 0.9.3.1 version.
This update fixes the following security problems:
CVE-2007-2829: The 802.11 network stack in net80211/ieee80211_input.c
in Madwifi before 0.9.3.1 allows remote attackers to cause a denial
of service (system hang) via a crafted length field in nested
802.3 Ethernet frames in Fast Frame packets, which results in a
NULL pointer dereference.
CVE-2007-2830: The ath_beacon_config function in if_ath.c in Madwifi
before 0.9.3.1 allows remote attackers to cause a denial of service
(system crash) via crafted beacon interval information when scanning
for access points, which triggers a divide-by-zero error.
CVE-2007-2831: Array index error in the (1) ieee80211_ioctl_getwmmparams
and (2) ieee80211_ioctl_setwmmparams functions in
net80211/ieee80211_wireless.c in Madwifi before 0.9.3.1 allows local
users to cause a denial of service (system crash), possibly obtain
kernel memory contents, and possibly execute arbitrary code via a
large negative array index value.
"Remote attackers" for this problem means attackers within WiFi
reception range of the card.
Please note that the problems fixed in 0.9.3 (CVE-2005-4835,
CVE-2006-7177, CVE-2006-7178, CVE-2006-7179, CVE-2006-7180) were
already fixed by the madwifi version upgrade to 0.9.3 in SUSE Linux
Enterprise Desktop Service Pack 1, but were not listed in a separate
advisory.
Only SUSE Linux Desktop 10 contains the affected madwifi driver.
- Samba bugfix regression update
A samba update was released that fixes several regressions introduced
by an earlier security update.
The previous security fix for CVE-2007-2447 missed one character
in the shell escape handling.
Also fixed were some non-security related regressions introduced by the
previous update.
- cups denial of service regression fix
CUPS packages were released to fix another denial of service problem
introduced by the previous denial of service fix for CVE-2007-0720,
which was incomplete.
All SUSE Linux based products were affected.
- libexif denial of service problems
Two security problems were fixed in libexif.
CVE-2007-2645: A denial of service problem (crash) was fixed in the
EXIF Loader of libexif, which could be used to crash the browser or
image viewer when it interprets the EXIF tags in prepared JPEG files.
CVE-2006-4168: An integer overflow while loading EXIF entries was
fixed that could lead to a denial of service (crash) or potential
code execution.
All SUSE Linux based products containing libexif and libexif5 were affected.
- evolution IMAP SEQUENCE buffer overflow
A security problem was fixed in the evolution / evolution-data-server
package, where a malicious IMAP server could execute code
within evolution by sending a malformed response to a SEQUENCE
command. (CVE-2007-3257)
This affects all SUSE Linux based products containing evolution.
- mutt APOP password disclosure problem
This update of mutt fixes a vulnerability in the APOP implementation
that allows an active attacker to guess three bytes of the password.
(CVE-2007-1558)
All SUSE Linux based products containing mutt were affected and fixed.
- avahi local denial of service
A security problem was fixed in avahi, where local attackers could
send empty TXT data via D-BUS, causing the avahi daemon to exit.
This issue has been assigned the Mitre CVE ID CVE-2007-3372 and
it was fixed for SUSE Linux Enterprise 10, SUSE Linux 10.1 and
openSUSE 10.2.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Mozilla Firefox/Thunderbird/Seamonkey update
Mozilla Firefox and Thunderbird 2.0.0.5 have been released and fix
various security issues.
We are currently preparing updates.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
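The verification step above stops at "Good signature", but a good signature only proves that some key in your keyring verified the text; an announcement should also be checked against the key you expect (the advisory names RSA key ID 3D25D3D9). The following shell script is an added example, not code from the SUSE advisory: it wraps gpg --verify, reads gpg's machine-readable status lines (--status-fd, with GOODSIG and VALIDSIG records) instead of the human-readable output shown above, and accepts the announcement only if the signing key's fingerprint ends with the expected hex string. The function names, the sample file name and the status lines in the comments are assumptions; the long key ID and fingerprint of the SUSE key are not given on the page, so the check is written to take whatever identifier you have, with a full fingerprint obtained out of band preferred over the 32-bit short ID.

```shell
#!/bin/sh
# Added example, not code from the SUSE advisory. It wraps "gpg --verify" and
# refuses to accept the announcement unless gpg reports a GOOD signature made
# by the key you expect. "Good signature" on its own only says that *some* key
# in your keyring verified the message.
#
# Instead of parsing the human-readable "gpg: Good signature from ..." text,
# it reads gpg's machine-readable status lines (--status-fd), which look like:
#   [GNUPG:] GOODSIG <long key id> <user id>
#   [GNUPG:] VALIDSIG <40-hex fingerprint> <date> <timestamp> ...

# check_gpg_status EXPECTED_HEX
#   Reads gpg status lines on stdin. Succeeds (exit 0) only if there is a
#   GOODSIG line, no failure line, and the VALIDSIG fingerprint ends with
#   EXPECTED_HEX (a full fingerprint, a long key id, or the advisory's short
#   id 3D25D3D9; prefer the full fingerprint, short ids are only 32 bits).
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 1
    status=$(cat)

    # Any of these means the signature must not be trusted, whatever else
    # gpg reports (bad signature, expired or revoked key, missing key, no data).
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY|NODATA)'; then
        return 1
    fi

    # A GOODSIG record is required.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1

    # VALIDSIG carries the full fingerprint of the signing key; for v4 keys
    # the long key id is its last 16 hex digits and the short id the last 8.
    fpr=$(printf '%s\n' "$status" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1

    case "$fpr" in
        *"$expected") return 0 ;;
        *)            return 1 ;;
    esac
}

# verify_announcement FILE EXPECTED_HEX
#   Runs gpg on the saved announcement and applies the check above.
#   Needs gpg and the SUSE key in the local keyring (fetch the key out of
#   band, not from the announcement itself).
verify_announcement() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_gpg_status "$2"
}

# Usage (assumed file name):
#   verify_announcement SUSE-SR-2007-014.txt 3D25D3D9 && echo "signed by expected key"
```

The script treats an expired or revoked signing key as a failure even though gpg still prints a "Good signature" line for those cases, which is the behaviour you want when deciding whether to act on an advisory.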
Marcus Meissner