Steve Kemp from the Debian Security Audit project discovered a buffer overflow in petris, a clone of the Tetris game, which may be exploited to execute arbitary code with group games privileges.

http://www.linuxsecurity.com/content/view/121285

The unzip update in DSA 903 contained a regression so that symbolic links that are resolved later in a zip archive aren't supported anymore. This update corrects this behaviour.

http://www.linuxsecurity.com/content/view/121286

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in tetex-bin, the binary files of teTeX, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121287

"infamous41md" and chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in koffice, the KDE Office Suite, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121288

Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.

http://www.linuxsecurity.com/content/view/121289

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in gpdf, the GNOME version of the Portable Document Format viewer, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121290

Javier Fern�ndez-Sanguino Pe�a from the Debian Security Audit project discovered that a script in tuxpaint, a paint program for young children, creates a temporary file in an insecure fashion.

http://www.linuxsecurity.com/content/view/121291

A design error has been discovered in the Albatross web application toolkit that causes user supplied data to be used as part of template execution and hence arbitrary code execution.

http://www.linuxsecurity.com/content/view/121292

Jack Louis discovered an integer overflow in Perl, Larry Wall's Practical Extraction and Report Language, that allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via specially crafted content that is passed to vulnerable format strings of third party software.

http://www.linuxsecurity.com/content/view/121293

Several security related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/121294

Javier Fern�ndez-Sanguino Pe�a from the Debian Security Audit project discovered that two scripts in antiword, utilities to convert Word files to text and Postscript, create a temporary file in an insecure fashion.

http://www.linuxsecurity.com/content/view/121295

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitary code with root privileges.

http://www.linuxsecurity.com/content/view/121296

It has been discovered that sudo, a privileged program, that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as privileged user if the attacker points to a manipulated version of a system library.

http://www.linuxsecurity.com/content/view/121297

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system runnig ClamAV. In addition, other potential overflows have been corrected.

http://www.linuxsecurity.com/content/view/121298

Maksim Orlovich discovered that the kjs Javascript interpreter, used in the Konqueror web browser and in other parts of KDE, performs insufficient bounds checking when parsing UTF-8 encoded Uniform Resource Identifiers, which may lead to a heap based buffer overflow and the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121299

Steve Kemp from the Debian Security Audit project discovered a security related problem in crawl, another console based dungeon exploration game in the vein of nethack and rogue. The program executes commands insecurely when saving or loading games which can allow local attackers to gain group games privileges.

http://www.linuxsecurity.com/content/view/121300

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf which are also present in CUPS, the Common UNIX Printing System, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121301

Several vulnerabilies have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifie the following problems:

http://www.linuxsecurity.com/content/view/121302

"Seregorn" discovered a format string vulnerability in the logging function of libapache-auth-ldap, an LDAP authentication module for the Apache webserver, that can lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121303

Several cross-site scripting vulnerabilities have been discovered in flyspray, a lightweight bug tracking system, which allows attackers to insert arbitary script code into the index page.

http://www.linuxsecurity.com/content/view/121304

H D Moore that discovered that Wine, a free implemention of the Microsoft Windows APIs, inherits a design flaw from the Windows GDI API, which may lead to the execution of code through GDI escape functions in WMF files.

http://www.linuxsecurity.com/content/view/121305

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system runnig ClamAV. In addition, other potential overflows have been corrected.

http://www.linuxsecurity.com/content/view/121306

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121307

Two denial of service bugs were found in the mailman list server. In one, attachment filenames containing UTF8 strings were not properly parsed, which could cause the server to crash. In another, a message containing a bad date string could cause a server crash.

http://www.linuxsecurity.com/content/view/121308

Stefan Pfetzing discovered that lshd, a Secure Shell v2 (SSH2) protocol server, leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. A local attacker can truncate the server's seed file, which may prevent the server from starting, and with some more effort, maybe also crack session keys.

http://www.linuxsecurity.com/content/view/121309

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird.

http://www.linuxsecurity.com/content/view/121310

Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

http://www.linuxsecurity.com/content/view/121311

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code. The same code is present in kpdf which is part of the kdegraphics package.

http://www.linuxsecurity.com/content/view/121312

Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server.

http://www.linuxsecurity.com/content/view/121313

Two vulnerabilities have been discovered in Pound, a reverse proxy and load balancer for HTTP. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/121314

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitary code with root privileges.

http://www.linuxsecurity.com/content/view/121315

iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user.

http://www.linuxsecurity.com/content/view/121316

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in libextractor, a library to extract arbitrary meta-data from files, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121317

This update corrects the search feature in trac, an enhanced wiki and issue tracking system for software development projects, which broke with the last security update.

http://www.linuxsecurity.com/content/view/121444

Ulf H�rnhammer from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.

http://www.linuxsecurity.com/content/view/121446

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird. This update filters out the '$' character as well, which was forgotton in the former update.

http://www.linuxsecurity.com/content/view/121451

Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on, which is not the case by default.

http://www.linuxsecurity.com/content/view/121452

Updated package.

http://www.linuxsecurity.com/content/view/121461

Updated package.

http://www.linuxsecurity.com/content/view/121462

Updated package.

http://www.linuxsecurity.com/content/view/121463

Updated package.

http://www.linuxsecurity.com/content/view/121475

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

http://www.linuxsecurity.com/content/view/121373

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

http://www.linuxsecurity.com/content/view/121374

This update fixes several low-priority security problems that were discovered during the development of 2.6.15, and backported. Notably, CVE-2005-4605.

http://www.linuxsecurity.com/content/view/121377

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.

http://www.linuxsecurity.com/content/view/121378

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.

http://www.linuxsecurity.com/content/view/121379

Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121392

Chris Evans discovered several flaws in the way poppler processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121393

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues. Users of xpdf should upgrade to this updated package, which contains a patch to resolve these issues.

http://www.linuxsecurity.com/content/view/121395

Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. This package also updates bindings in texdoc and causes the local texmf tree to be searched first.

http://www.linuxsecurity.com/content/view/121396

Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121397

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues. Users of kdegraphics should upgrade to this updated package, which contains a patch to resolve these issues.

http://www.linuxsecurity.com/content/view/121404

This update fixes a DoS in Ethereal.

http://www.linuxsecurity.com/content/view/121408

A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue. Users of KDE should upgrade to these updated packages, which contain a backported patch from the KDE security team correcting this issue

http://www.linuxsecurity.com/content/view/121415

This update includes fixes for three security issues in the Apache HTTP Server.

http://www.linuxsecurity.com/content/view/121420

This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues.

http://www.linuxsecurity.com/content/view/121421

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary JavaScript when a user runs Mozilla. (CVE-2006-0296) A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time to start the next time it is run. (CVE-2005-4134)

http://www.linuxsecurity.com/content/view/121496

Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Firefox to execute arbitrary JavaScript when a user runs Firefox. (CVE-2006-0296) A denial of service bug was found in the way Firefox saves history information. If a user visits a web page with a very long title, it is possible Firefox will crash or take a very long time to start the next time it is run. (CVE-2005-4134)

http://www.linuxsecurity.com/content/view/121497

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

http://www.linuxsecurity.com/content/view/121318

KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121319

xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121320

ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121321

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

http://www.linuxsecurity.com/content/view/121322

Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121323

Fixed packages were issued to fix this vulnerability in Wine, but some of the fixed packages were missing the correct patch. All Wine users should re-emerge Wine to make sure they are safe. The corrected sections appear below.

http://www.linuxsecurity.com/content/view/121324

KDE fails to properly validate URIs when handling javascript, potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121325

Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

http://www.linuxsecurity.com/content/view/121326

Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

http://www.linuxsecurity.com/content/view/121327

Format string vulnerabilities in mod_auth_pgsql may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121328

xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121329

VMware guest operating systems can execute arbitrary code with elevated privileges on the host operating system through a flaw in NAT networking.

http://www.linuxsecurity.com/content/view/121330

ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121331

Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121332

There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121333

Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate their privileges.

http://www.linuxsecurity.com/content/view/121334

There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121335

A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.

http://www.linuxsecurity.com/content/view/121434

Paros's database component is installed without a password, allowing execution of arbitrary system commands.

http://www.linuxsecurity.com/content/view/121435

MyDNS contains a vulnerability that may lead to a Denial of Service attack.

http://www.linuxsecurity.com/content/view/121447

Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121449

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121337

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121338

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121340

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121341

Issues have been reported with display corruption for various cards, including several ATI and Nvidia cards when using the free drivers. There was also an issue with the Greek keyboard layout. These should be corrected by the upstream 6.9.0 final, which this package is based on. Updated packages should correct these issues.

http://www.linuxsecurity.com/content/view/121342

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121343

A problem exists in how the Kolab Server transports emails bigger than 8KB in size and if a dot (".") character exists in the wrong place. If these conditions are met, kolabfilter will double this dot and a modified email will be delivered, which could lead to broken clear-text signatures or broken attachments. The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121344

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121345

A vulnerability was discovered by H D Moore in Wine which implements the SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. This could be abused by an attacker who is able to entice a user to open a specially crafted WMF file from within a Wine-execute Windows application, possibly resulting in the execution of arbitrary code with the privileges of the user runing Wine. The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121346

Patrice Fournier discovered the faxrcvd/notify scripts (executed as the uucp/fax user) run user-supplied input through eval without any attempt at sanitising it first. This would allow any user who could submit jobs to HylaFAX, or through telco manipulation control the representation of callid information presented to HylaFAX to run arbitrary commands as the uucp/fax user. (CVE-2005-3539, only 'notify' in the covered versions) Updated packages were also reviewed for vulnerability to an issue where if PAM is disabled, a user could log in with no password. (CVE-2005-3538) In addition, some fixes to the packages for permissions, and the %pre/%post scripts were backported from cooker. (#19679) The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/121348

A heap-based buffer overflow was discovered in ClamAV versions prior to 0.88 which allows remote attackers to cause a crash and possibly execute arbitrary code via specially crafted UPX files. This update provides ClamAV 0.88 which corrects this issue and also fixes some other bugs.

http://www.linuxsecurity.com/content/view/121349

A format string flaw was discovered in the way that auth_ldap logs information which may allow a remote attacker to execute arbitrary code as the apache user if auth_ldap is used for authentication. This update provides version 1.6.1 of auth_ldap which corrects the problem. Only Corporate Server 2.1 shipped with a supported auth_ldap package.

http://www.linuxsecurity.com/content/view/121355

A number of vulnerabilites have been corrected in the Linux kernel.

http://www.linuxsecurity.com/content/view/121356

A heap overflow vulnerability was discovered in kjs, the KDE JavaScript interpretter engine. An attacker could create a malicious web site that contained carefully crafted JavaScript code that could trigger the flaw and potentially lead to the arbitrary execution of code as the user visiting the site. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121357

The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in ipsec-tools racoon before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121359

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121360

GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-complicit attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121361

A buffer overflow was discovered in the perl Convert::UUlib module in versions prior to 1.051, which could allow remote attackers to execute arbitrary code via a malformed parameter to a read operation. This update provides version 1.051 which is not vulnerable to this flaw.

http://www.linuxsecurity.com/content/view/121362

Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay module used the file /tmp/entropy as a fallback entropy source if a proper source was not set via the environment variable EGD_PATH. This could potentially lead to weakened cryptographic operations if an attacker was able to provide a /tmp/entropy file with known content. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121363

The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. (CVE-2005-4601) A format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. (CVE-2006-0082) The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/121364

The mdkonline package for MNF2 was incorrectly connecting to mandrivaonline.net rather than mandrivaonline.com. This update corrects the problem.

http://www.linuxsecurity.com/content/view/121365

Dynamic was not calling scripts correctly when hardware was plugged/unplugged. Plugging a digital camera (not usb mass storage, like a Canon camera) was not creating an icon on Desktop (for GNOME) or in the Devices window (for KDE). Dynamic was also creating a "pilot" symlink in / (in addition to /dev/pilot) when a Palm was connected, and this file was not removed when the Palm was unplugged. Now, this file is not longer created. If the symlink is already on the user's system, it can safely be removed manually. Updated packages have been patched to correct the issue.

http://www.linuxsecurity.com/content/view/121366

A bug was discovered in gthumb were the UI (User Interface) can get corrupted when importing photos in some non-UTF8 locales (such as French). Some text strings (returned from libgphoto) where not converted into UTF-8 before being used by GTK+. Updated packages have been patched to correct the issue.

http://www.linuxsecurity.com/content/view/121367

A bug was discovered with libgphoto which was preventing the removal of icons on the desktop (in GNOME) or in the Devices window (in KDE) when a digital camera was unplugged. Updated packages have been patched to correct the issue.

http://www.linuxsecurity.com/content/view/121368

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121369

The fixproc application in Net-SNMP creates temporary files with predictable file names which could allow a malicious local attacker to change the contents of the temporary file by exploiting a race condition, which could possibly lead to the execution of arbitrary code. As well, a local attacker could create symbolic links in the /tmp directory that point to a valid file that would then be overwritten when fixproc is executed (CVE-2005-1740). A remote Denial of Service vulnerability was also discovered in the SNMP library that could be exploited by a malicious SNMP server to crash the agent, if the agent uses TCP sockets for communication (CVE-2005-2177). The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121370

A flaw was discovered in mod_imap when using the Referer directive with image maps that could be used by a remote attacker to perform a cross- site scripting attack, in certain site configurations, if a victim could be forced to visit a malicious URL using certain web browsers (CVE-2005-3352). Also, a NULL pointer dereference flaw was found in mod_ssl that affects server configurations where an SSL virtual host was configured with access controls and a custom 400 error document. This could allow a remote attacker to send a carefully crafted request to trigger the issue and cause a crash, but only with the non-default worker MPM (CVE-2005-3357). The provided packages have been patched to prevent these problems.

http://www.linuxsecurity.com/content/view/121371

Recent security updates to mozilla-thunderbird did not include some changes made to the build from the community branch of 2006.0. The changes include corrections to the packaging of language files and some corrections to the uninstall scripts. New builds of the enigmail-es and enigmail-it packages are also included. Updated packages merge both of these builds.

http://www.linuxsecurity.com/content/view/121433

A bug was found in the way that bzgrep processed file names. If a user could be tricked into running bzgrep on a file with a special file name, it would be possible to execute arbitrary code with the privileges of the user running bzgrep. As well, the bzip2 package provided with Mandriva Linux 2006 did not the patch applied to correct CVE-2005-0953 which was previously fixed by MDKSA-2005:091; those packages are now properly patched. The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121448

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. This was previously corrected in MDKSA-2005:092, however the fix was incomplete. These updated packages provide a more comprehensive fix to the problem.

http://www.linuxsecurity.com/content/view/121450

Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. (CVE-2006-0207) Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in "certain error conditions." (CVE-2006-0208).

http://www.linuxsecurity.com/content/view/121474

Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121491