SuSE: Weekly Summary 2010:013
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2010:013
Date: Mon, 14 Jun 2010 13:00:00 +0000
Cross-References: CVE-2008-4546, CVE-2009-0689, CVE-2009-2463
CVE-2009-2625, CVE-2009-3072, CVE-2009-3075
CVE-2009-3077, CVE-2009-3245, CVE-2009-3376
CVE-2009-3385, CVE-2009-3389, CVE-2009-3555
CVE-2009-3560, CVE-2009-3720, CVE-2009-3793
CVE-2009-3983, CVE-2010-0156, CVE-2010-0161
CVE-2010-0163, CVE-2010-0173, CVE-2010-0174
CVE-2010-0175, CVE-2010-0176, CVE-2010-0177
CVE-2010-0178, CVE-2010-0179, CVE-2010-0181
CVE-2010-0182, CVE-2010-0205, CVE-2010-0397
CVE-2010-0421, CVE-2010-0739, CVE-2010-0788
CVE-2010-0789, CVE-2010-0790, CVE-2010-0791
CVE-2010-0827, CVE-2010-0829, CVE-2010-1152
CVE-2010-1297, CVE-2010-1321, CVE-2010-1440
CVE-2010-2160, CVE-2010-2161, CVE-2010-2162
CVE-2010-2163, CVE-2010-2164, CVE-2010-2165
CVE-2010-2166, CVE-2010-2167, CVE-2010-2169
CVE-2010-2170, CVE-2010-2171, CVE-2010-2172
CVE-2010-2173, CVE-2010-2174, CVE-2010-2175
CVE-2010-2176, CVE-2010-2177, CVE-2010-2178
CVE-2010-2179, CVE-2010-2180, CVE-2010-2181
CVE-2010-2182, CVE-2010-2183, CVE-2010-2184
CVE-2010-2185, CVE-2010-2186, CVE-2010-2187
CVE-2010-2188, CVE-2010-2189
Content of this advisory:
1) Solved Security Vulnerabilities:
- apache2-mod_php5/php5
- bytefx-data-mysql/mono
- flash-player
- fuse
- java-1_4_2-ibm
- krb5
- libcmpiutil/libvirt
- libmozhelper-1_0-0/mozilla-xulrunner190
- libopenssl-devel
- libpng12-0
- libpython2_6-1_0
- libtheora
- memcached
- ncpfs
- pango
- puppet
- python
- seamonkey
- te_ams
- texlive
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list or
download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- apache2-mod_php5/php5
Incomplete XML RPC requests could crash the php interpreter (CVE-2010-0397).
PHP was updated to version 5.2.12 to fix the problem.
Affected Products: openSUSE 11.1-11.2
- bytefx-data-mysql
Mono's ASP.NET implementation did not set the 'EnableViewStateMac'
property by default. Attackers could exploit that to conduct
cross-site-scripting (XSS) attacks.
Affected Products: SLE11, SLE11-SP1
- flash-player
This update fixes multiple critical security vulnerabilities which allow
an attacker to remotely execute arbitrary code or to cause a denial of
service. The following CVE numbers have been assigned:
CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160,
CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164,
CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169,
CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173,
CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177,
CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181,
CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185,
CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189
Affected Products: openSUSE 11.0-11.2, SLE10-SP3, SLE11-SP1
- fuse
A race condition in fusermount allows non-privileged
users to umount any file system (CVE-2010-0789).
Note: this is a re-release of the previous update with a better patch.
Affected Products: Moblin 2.0-2.1
- java-1_4_2-ibm
IBM Java 1.4.2 was updated to Version U13 FP 4 iFixes, to fix
the SSL renegotiation flaw reported via CVE-2009-3555.
There were also some SAP installer related bugs fixed.
Affected Products: SLE11, SLE11-SP1
- krb5
This update fixes a denial-of-service vulnerability in kadmind.
A remote attacker can send a malformed GSS-API token that triggers a
NULL pointer dereference.
(CVE-2010-1321: CVSS v2 Base Score: 6.8 (MEDIUM)
(AV:N/AC:L/Au:S/C:N/I:N/A:C))
Affected Products: openSUSE 11.0-11.2, SLE10-SP3, SLE11
- libcmpiutil/libvirt
Collective Xen 2010/04 Update, containing fixes for the following issues:
- pygrub, reiserfs: Fix on-disk structure definition
- Xen on SLES 11 does not boot - endless loop in ATA detection
- xend leaks memory
- Keyboard Caps Lock key works abnormal under SLES11 xen guest OS.
- keymap setting not preserved
- "NAME" column in xentop (SLES11) output limited to 10 characters unlike SLES10
- L3: diskpart will not run on windows 2008
- DL585G2 - plug-in PCI cards fail in IO-APIC mode
- xend: disallow ! as a sxp separator
- xend: bootable flag of VBD not always of type int
- Xen vifname parameter is ignored when using type=ioemu in guest
configuration file
- xm create -x command does not work in SLES 10 SP2 or SLES 11
- VUL-1: xen pygrub vulnerability
- Virtual machines are not able to boot from CD to allow upgrade to
OES2SP1 (sle10 bug)
- Update breaks menu access keys in virt-viewer and still misses some
key sequences. (sle10 bug)
- xen: virt-manager cdrom handling.
- L3: virt-manager is unable of displaying VNC console on remote hosts
- libvird segfaults when trying to create a kvm guest
- L3: Virsh gives error Device 51712 not connected after updating
libvirt modules
- libcmpiutil / libvirt-cim does not properly handle CIM_ prefixed
- Xen doesn't work get an eror when starting the install processes
or starting a pervious installed DomU
- Cannot set MAC address for PV guest in vm-install
Affected Products: openSUSE 11.1, SLE11
- libmozhelper-1_0-0/mozilla-xulrunner190
The Moblin web browser engine was updated to the Firefox equivalent
version 3.5.9.
Following security issues were fixed in 3.5.9:
MFSA 2010-16: Mozilla developers identified and fixed several stability
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.
References
Martijn Wargers, Josh Soref, and Jesse Ruderman reported crashes in the
browser engine that affected Firefox 3.5 and Firefox 3.6. (CVE-2010-0173)
Jesse Ruderman and Ehsan Akhgari reported crashes that affected all
supported versions of the browser engine. (CVE-2010-0174)
MFSA 2010-17 / CVE-2010-0175:
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a select event handler for XUL tree items could be called
after the tree item was deleted. This results in the execution of
previously freed memory which an attacker could use to crash a victim's
browser and run arbitrary code on the victim's computer.
MFSA 2010-18 / CVE-2010-0176: Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the way elements are
inserted into a XUL tree optgroup. In certain cases, the number of
references to an element is under-counted so that when the element is
deleted, a live pointer to its old location is kept around and may later
be used. An attacker could potentially use these conditions to run
arbitrary code on a victim's computer.
MFSA 2010-19 / CVE-2010-0177: Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the implementation of the
window.navigator.plugins object. When a page reloads, the plugins array
would reallocate all of its members without checking for existing
references to each member. This could result in the deletion of objects
for which valid pointers still exist. An attacker could use this
vulnerability to crash a victim's browser and run arbitrary code on the
victim's machine.
MFSA 2010-20 / CVE-2010-0178: Security researcher Paul Stone reported
that a browser applet could be used to turn a simple mouse click into a
drag-and-drop action, potentially resulting in the unintended loading of
resources in a user's browser. This behavior could be used twice in
succession to first load a privileged chrome: URL in a victim's browser,
then load a malicious javascript: URL on top of the same document
resulting in arbitrary script execution with chrome privileges.
MFSA 2010-21 / CVE-2010-0179: Mozilla security researcher moz_bug_r_a4
reported that the XMLHttpRequestSpy module in the Firebug add-on was
exposing an underlying chrome privilege escalation vulnerability. When
the XMLHttpRequestSpy object was created, it would attach various
properties of itself to objects defined in web content, which were not
being properly wrapped to prevent their exposure to chrome privileged
objects. This could result in an attacker running arbitrary JavaScript
on a victim's machine, though it required the victim to have Firebug
installed, so the overall severity of the issue was determined to be
High.
MFSA 2010-22 / CVE-2009-3555: Mozilla developers added support in the
Network Security Services module for preventing a type of
man-in-the-middle attack against TLS using forced renegotiation.
Note that to benefit from the fix, Firefox 3.6 and Firefox 3.5 users
will need to set their security.ssl.require_safe_negotiation preference
to true. Firefox 3 does not contain the fix for this issue.
MFSA 2010-23 / CVE-2010-0181: phpBB developer Henry Sudhof reported that
when an image tag points to a resource that redirects to a mailto: URL,
the external mail handler application is launched. This issue poses no
security threat to users but could create an annoyance when browsing a
site that allows users to post arbitrary images.
MFSA 2010-24 / CVE-2010-0182: Mozilla community member Wladimir Palant
reported that XML documents were failing to call certain security checks
when loading new content. This could result in certain resources being
loaded that would otherwise violate security policies set by the browser
or installed add-ons.
Affected Products: SUSE Moblin 2.1
- libopenssl-devel
This update adds support for RFC5746 TLS renegotiations to address
vulnerabilities tracked as (CVE-2009-3555).
It also fixes a mishandling of OOM conditions in bn_wexpand
(CVE-2009-3245).
Affected Products: SUSE Moblin
- libpng12-0
Denial of service while decompressing a highly compressed huge ancillary
chunk has been fixed in libpng (CVE-2010-0205).
Affected Products: SLE 11 SP1
- libpython2_6-1_0
This update of python has a copy of libxmlrpc that is vulnerable to
denial of service bugs that can occur while processing malformed XML
input.
CVE-2009-2625: CVSS v2 Base Score: 5.0 (moderate)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Permissions, Privileges, and Access Control
(CWE-264)
CVE-2009-3720: CVSS v2 Base Score: 5.0 (MEDIUM)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Insufficient Information (CWE-noinfo)
CVE-2009-3560: CVSS v2 Base Score: 5.0 (MEDIUM)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Buffer Errors (CWE-119)
Affected Products: openSUSE 11.0-11.2, SLE 11
- libtheora
An integer overflow was fixed in libtheora. It could be exploited
remotely to execute arbitrary code.
CVE-2009-3389: CVSS v2 Base Score: 9.3 (HIGH)
(AV:N/AC:M/Au:N/C:C/I:C/A:C): Numeric Errors (CWE-189)
Affected Products: SUSE Moblin 2.0
- memcached
Remote attackers that are allowed to connect to memcached could crash
memcached by sending invalid input (CVE-2010-1152).
Affected Products: SLE 11 SP1
- ncpfs
This update fixes three security issues in ncpfs:
Fixed a information leakage on mount (CVE-2010-0790 / bnc#583536)
Fixed a mtab locking problem (CVE-2010-0791 / bnc#583536)
Fixed a race condition in ncpfs mounts (CVE-2010-0788 / bnc#550004)
Affected Products: SLE 11 SP1
- pango
Specially crafted font files could cause a memory corruption in pango.
Attackers could potentially exploit that to execute arbitrary code
(CVE-2010-0421).
Affected Products: Novell Linux POS 9, OES, SLES9
- puppet
pupped created temporary files with fixed names. Local attacks could
exploit that to install symlinks that overwrite files of the victim
(CVE-2010-0156).
Affected Products: openSUSE 11.1-11.2, SLE 11
- python
This update of python has a copy of libxmlrpc that is vulnerable to
denial of service bugs that can occur while processing malformed XML
input.
CVE-2009-2625: CVSS v2 Base Score: 5.0 (moderate)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Permissions, Privileges, and Access Control
(CWE-264)
CVE-2009-3720: CVSS v2 Base Score: 5.0 (MEDIUM)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Insufficient Information (CWE-noinfo)
CVE-2009-3560: CVSS v2 Base Score: 5.0 (MEDIUM)
(AV:N/AC:L/Au:N/C:N/I:N/A:P): Buffer Errors (CWE-119)
Affected Products: SLE 10-SP3
- seamonkey
This update brings Mozilla Seamonkey to 1.1.19 fixing various bugs and
security issues.
Following security issues are fixed:
MFSA 2010-07:
Mozilla developers took fixes from previously fixed memory safety bugs in
newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch
so they can be utilized by Thunderbird 2 and SeaMonkey 1.1.
Paul Fisher reported a crash when joined to an Active Directory server
under Vista or Windows 7 and using SSPI authentication.
(CVE-2010-0161)
Ludovic Hirlimann reported a crash indexing some messages with
attachments
(CVE-2010-0163)
Carsten Book reported a crash in the JavaScript engine
(CVE-2009-3075)
Josh Soref reported a crash in the BinHex decoder used on non-Mac
platforms.
(CVE-2009-3072)
monarch2000 reported an integer overflow in a base64 decoding function
(CVE-2009-2463)
MFSA 2009-68 / CVE-2009-3983: Security researcher Takehiro Takahashi of
the IBM
X-Force reported that Mozilla's NTLM implementation was vulnerable to
reflection attacks in which NTLM credentials from one application could be
forwarded to another arbitary application via the browser. If an attacker
could get a user to visit a web page he controlled he could force NTLM
authenticated requests to be forwarded to another application on behalf
of the user.
MFSA 2009-62 / CVE-2009-3376:
Mozilla security researchers Jesse Ruderman and Sid Stamm reported that
when downloading a file containing a right-to-left override character
(RTL) in the filename, the name displayed in the dialog title bar
conflicts with the name of the file shown in the dialog body. An attacker
could use this vulnerability to obfuscate the name and file extension of
a file to be downloaded and opened, potentially causing a user to run an
executable file when they expected to open a non-executable file.
MFSA 2009-59 / CVE-2009-0689:
Security researcher Alin Rad Pop of Secunia Research reported a heap-based
buffer overflow in Mozilla's string to floating point number conversion
routines. Using this vulnerability an attacker could craft some malicious
JavaScript code containing a very long string to be converted to a floating
point number which would result in improper memory allocation and the
execution of an arbitrary memory location. This vulnerability could thus
be leveraged by the attacker to run arbitrary code on a victim's computer.
Update: The underlying flaw in the dtoa routines used by Mozilla appears to
be essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz.
MFSA 2010-06 / CVE-2009-3385:
Security researcher Georgi Guninski reported that scriptable plugin
content, such as Flash objects, could be loaded and executed in SeaMonkey
mail messages by embedding the content in an iframe inside the message.
If a user were to reply to or forward such a message, malicious
JavaScript embedded in the plugin content could potentially steal the
contents of the message or files from the local filesystem.
MFSA 2009-49 / CVE-2009-3077:
An anonymous security researcher, via TippingPoint's Zero Day Initiative,
reported that the columns of a XUL tree element could be manipulated in a
particular way which would leave a pointer owned by the column pointing
to freed memory. An attacker could potentially use this vulnerability to
crash a victim's browser and run arbitrary code on the victim's computer.
Please see
https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey-1.1/
Affected Products: openSUSE 11.0, openSUSE 11.1
- te_ams
Specially crafted dvi files could cause buffer overflows in dvips and
dvipng (CVE-2010-0827, CVE-2010-0829, CVE-2010-0739, CVE-2010-1440).
Affected Products: SLE 10-SP3
- texlive
Specially crafted dvi files could cause buffer overflows in dvips and
dvipng (CVE-2010-0827, CVE-2010-0829, CVE-2010-0739, CVE-2010-1440).
openSUSE 11.0-11.2, SLE 11
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
none
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
References
