Mandriva Security

MDVSA-2012:079: sudo

A vulnerability has been found and corrected in sudo:

A flaw exists in the IP network matching code in sudo versions 1.6.9p3
through 1.8.4p4 that may result in the local host being matched
even though it is not actually part of the network described by the
IP address and associated netmask listed in the sudoers file or in
LDAP. As a result, users authorized to run commands on certain IP
networks may be able to run commands on hosts that belong to other
networks not explicitly listed in sudoers (CVE-2012-2337

The updated packages have been patched to correct this issue.

MDVSA-2012:078: imagemagick

Multiple vulnerabilities has been found and corrected in imagemagick:

A flaw was found in the way ImageMagick processed images with malformed
Exchangeable image file format (Exif) metadata. An attacker could
create a specially-crafted image file that, when opened by a victim,
would cause ImageMagick to crash or, potentially, execute arbitrary
code (CVE-2012-0247).

A denial of service flaw was found in the way ImageMagick processed
images with malformed Exif metadata. An attacker could create a
specially-crafted image file that, when opened by a victim, could
cause ImageMagick to enter an infinite loop (CVE-2012-0248).

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of number_bytes and
offset. This resulted in a wrap around into a value smaller than
length, making original CVE-2012-0247 introduced length check still
to be possible to bypass, leading to memory corruption (CVE-2012-1185).

An integer overflow flaw was found in the way ImageMagick processed
certain Exif tags with a large components count. An attacker
could create a specially-crafted image file that, when opened by a
victim, could cause ImageMagick to access invalid memory and crash
(CVE-2012-0259).

A denial of service flaw was found in the way ImageMagick decoded
certain JPEG images. A remote attacker could provide a JPEG image with
specially-crafted sequences of RST0 up to RST7 restart markers (used
to indicate the input stream to be corrupted), which once processed
by ImageMagick, would cause it to consume excessive amounts of memory
and CPU time (CVE-2012-0260).

An out-of-bounds buffer read flaw was found in the way ImageMagick
processed certain TIFF image files. A remote attacker could provide
a TIFF image with a specially-crafted Exif IFD value (the set of tags
for recording Exif-specific attribute information), which once opened
by ImageMagick, would cause it to crash (CVE-2012-1798).

The updated packages have been patched to correct these issues.

MDVSA-2012:077: imagemagick

Multiple vulnerabilities has been found and corrected in imagemagick:

Untrusted search path vulnerability in configure.c in ImageMagick
before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows
local users to gain privileges via a Trojan horse configuration file
in the current working directory (CVE-2010-4167).

A flaw was found in the way ImageMagick processed images with malformed
Exchangeable image file format (Exif) metadata. An attacker could
create a specially-crafted image file that, when opened by a victim,
would cause ImageMagick to crash or, potentially, execute arbitrary
code (CVE-2012-0247).

A denial of service flaw was found in the way ImageMagick processed
images with malformed Exif metadata. An attacker could create a
specially-crafted image file that, when opened by a victim, could
cause ImageMagick to enter an infinite loop (CVE-2012-0248).

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of number_bytes and
offset. This resulted in a wrap around into a value smaller than
length, making original CVE-2012-0247 introduced length check still
to be possible to bypass, leading to memory corruption (CVE-2012-1185).

An integer overflow flaw was found in the way ImageMagick processed
certain Exif tags with a large components count. An attacker
could create a specially-crafted image file that, when opened by a
victim, could cause ImageMagick to access invalid memory and crash
(CVE-2012-0259).

A denial of service flaw was found in the way ImageMagick decoded
certain JPEG images. A remote attacker could provide a JPEG image with
specially-crafted sequences of RST0 up to RST7 restart markers (used
to indicate the input stream to be corrupted), which once processed
by ImageMagick, would cause it to consume excessive amounts of memory
and CPU time (CVE-2012-0260).

An out-of-bounds buffer read flaw was found in the way ImageMagick
processed certain TIFF image files. A remote attacker could provide
a TIFF image with a specially-crafted Exif IFD value (the set of tags
for recording Exif-specific attribute information), which once opened
by ImageMagick, would cause it to crash (CVE-2012-1798).

The updated packages have been patched to correct these issues.

MDVSA-2012:076: ffmpeg

Multiple vulnerabilities has been found and corrected in ffmpeg:

The Matroska format decoder in FFmpeg does not properly allocate
memory, which allows remote attackers to execute arbitrary code via
a crafted file (CVE-2011-3362, CVE-2011-3504).

cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause
a denial of service (incorrect write operation and application
crash) via an invalid bitstream in a Chinese AVS video (aka CAVS)
file, related to the decode_residual_block, check_for_slice,
and cavs_decode_frame functions, a different vulnerability than
CVE-2011-3362 (CVE-2011-3973).

Integer signedness error in the decode_residual_inter function in
cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a
denial of service (incorrect write operation and application crash)
via an invalid bitstream in a Chinese AVS video (aka CAVS) file,
a different vulnerability than CVE-2011-3362 (CVE-2011-3974).

Double free vulnerability in the Theora decoder in FFmpeg allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via a crafted stream (CVE-2011-3892).

FFmpeg does not properly implement the MKV and Vorbis media
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3893).

Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted stream (CVE-2011-3895).

An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited
to cause a buffer overflow (CVE-2011-4351).

An integer overflow error within the "vp3_dequant()" function
(libavcodec/vp3.c) can be exploited to cause a buffer overflow
(CVE-2011-4352).

Errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()",
and the "vp6_parse_coeff()" functions can be exploited to trigger
out-of-bounds reads (CVE-2011-4353).

It was discovered that Libav incorrectly handled certain malformed
VMD files. If a user were tricked into opening a crafted VMD file,
an attacker could cause a denial of service via application crash,
or possibly execute arbitrary code with the privileges of the user
invoking the program (CVE-2011-4364).

It was discovered that Libav incorrectly handled certain malformed SVQ1
streams. If a user were tricked into opening a crafted SVQ1 stream
file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the
user invoking the program (CVE-2011-4579).

Multiple input validations in the decoders/ demuxers for Westwood
Studios VQA, Apple MJPEG-B, Theora, Matroska, Vorbis, Sony ATRAC3,
DV, NSV, files could lead to the execution of arbitrary code
(CVE-2011-3929, CVE-2011-3936, CVE-2011-3937, CVE-2011-3940,
CVE-2011-3945, CVE-2011-3947, CVE-2012-0853, CVE-2012-0858).

The updated packages have been upgraded to the 0.7.12 version where
these issues has been corrected.

MDVSA-2012:075: ffmpeg

Multiple vulnerabilities has been found and corrected in ffmpeg:

The Matroska format decoder in FFmpeg does not properly allocate
memory, which allows remote attackers to execute arbitrary code via
a crafted file (CVE-2011-3362, CVE-2011-3504).

cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause
a denial of service (incorrect write operation and application
crash) via an invalid bitstream in a Chinese AVS video (aka CAVS)
file, related to the decode_residual_block, check_for_slice,
and cavs_decode_frame functions, a different vulnerability than
CVE-2011-3362 (CVE-2011-3973).

Integer signedness error in the decode_residual_inter function in
cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a
denial of service (incorrect write operation and application crash)
via an invalid bitstream in a Chinese AVS video (aka CAVS) file,
a different vulnerability than CVE-2011-3362 (CVE-2011-3974).

Double free vulnerability in the Theora decoder in FFmpeg allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via a crafted stream (CVE-2011-3892).

FFmpeg does not properly implement the MKV and Vorbis media
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3893).

Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted stream (CVE-2011-3895).

An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited
to cause a buffer overflow (CVE-2011-4351).

An integer overflow error within the "vp3_dequant()" function
(libavcodec/vp3.c) can be exploited to cause a buffer overflow
(CVE-2011-4352).

Errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()",
and the "vp6_parse_coeff()" functions can be exploited to trigger
out-of-bounds reads (CVE-2011-4353).

It was discovered that Libav incorrectly handled certain malformed
VMD files. If a user were tricked into opening a crafted VMD file,
an attacker could cause a denial of service via application crash,
or possibly execute arbitrary code with the privileges of the user
invoking the program (CVE-2011-4364).

It was discovered that Libav incorrectly handled certain malformed SVQ1
streams. If a user were tricked into opening a crafted SVQ1 stream
file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the
user invoking the program (CVE-2011-4579).

The updated packages have been upgraded to the 0.6.5 version where
these issues has been corrected.

MDVA-2012:042: libdc1394

It was discovered a linker namespace conflict caused Digikam to
crash. This advisory resolves this problem.

MDVSA-2012:074: ffmpeg

Multiple vulnerabilities has been found and corrected in ffmpeg:

The Matroska format decoder in FFmpeg does not properly allocate
memory, which allows remote attackers to execute arbitrary code via
a crafted file (CVE-2011-3362, CVE-2011-3504).

cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause
a denial of service (incorrect write operation and application
crash) via an invalid bitstream in a Chinese AVS video (aka CAVS)
file, related to the decode_residual_block, check_for_slice,
and cavs_decode_frame functions, a different vulnerability than
CVE-2011-3362 (CVE-2011-3973).

Integer signedness error in the decode_residual_inter function in
cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a
denial of service (incorrect write operation and application crash)
via an invalid bitstream in a Chinese AVS video (aka CAVS) file,
a different vulnerability than CVE-2011-3362 (CVE-2011-3974).

FFmpeg does not properly implement the MKV and Vorbis media
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3893).

Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted stream (CVE-2011-3895).

An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited
to cause a buffer overflow (CVE-2011-4351).

An integer overflow error within the "vp3_dequant()" function
(libavcodec/vp3.c) can be exploited to cause a buffer overflow
(CVE-2011-4352).

Errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()",
and the "vp6_parse_coeff()" functions can be exploited to trigger
out-of-bounds reads (CVE-2011-4353).

It was discovered that Libav incorrectly handled certain malformed
VMD files. If a user were tricked into opening a crafted VMD file,
an attacker could cause a denial of service via application crash,
or possibly execute arbitrary code with the privileges of the user
invoking the program (CVE-2011-4364).

It was discovered that Libav incorrectly handled certain malformed SVQ1
streams. If a user were tricked into opening a crafted SVQ1 stream
file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the
user invoking the program (CVE-2011-4579).

The updated packages have been upgraded to the 0.5.9 version where
these issues has been corrected.

Additionally a couple of packages needed to be rebuilt for the new
ffmpeg version and is also being provided with this advisory.

MDVA-2012:041: mysql

This is a maintenance and bugfix release that upgrades mysql to the
latest version which resolves various upstream bugs.

MDVSA-2012:073: openssl

A vulnerability has been found and corrected in openssl:

A flaw in the OpenSSL handling of CBC mode ciphersuites in DTLS can
be exploited in a denial of service attack on both clients and servers
(CVE-2012-2333).

The updated packages have been patched to correct this issue.

MDVSA-2012:072: roundcubemail

Multiple vulnerabilities has been found and corrected in roundcubemail:

The login form in Roundcube Webmail before 0.5.1 does not properly
handle a correctly authenticated but unintended login attempt, which
makes it easier for remote authenticated users to obtain sensitive
information by arranging for a victim to login to the attacker's
account and then compose an e-mail message, related to a login CSRF
issue (CVE-2011-1491).

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does
not properly verify that a request is an expected request for an
external Cascading Style Sheets (CSS) stylesheet, which allows remote
authenticated users to trigger arbitrary outbound TCP connections
from the server, and possibly obtain sensitive information, via a
crafted request (CVE-2011-1492).

Cross-site scripting (XSS) vulnerability in the UI messages
functionality in Roundcube Webmail before 0.5.4 allows remote attackers
to inject arbitrary web script or HTML via the _mbox parameter to
the default URI (CVE-2011-2937).

include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP
5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET
request for an arbitrary URL, and cause a denial of service (resource
consumption and inbox outage), via a Subject header containing only
a URL, a related issue to CVE-2011-3379 (CVE-2011-4078).

The updated packages have been upgraded to the 0.7.2 version which
is not affected by these issues.