iDefense Security Advisory 08.06.09: Microsoft Internet Explorer HTML TIME 'ondatasetcomplete' Use After Free Vulnerability

2009-08-06 Thread iDefense Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

iDefense Security Advisory 07.28.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 28, 2009

I. BACKGROUND

HTML+TIME (HTML Timed Interactive Multimedia Extensions) is a web
standard that was created for Microsoft Corp.'s Internet Explorer (IE)
to allow web page authors to create timed animation content on a web
page. This is accomplished using an XML-like markup that makes use of
HTML+TIME properties and elements. Internet Explorer supports this
markup standard, and also exposes a scripting interface for interacting
with the HTML+TIME elements on the page. For more information, please
see the vendor's web page at the following link:

http://technet.microsoft.com/en-us/library/ms533099(VS.85).aspx

II. DESCRIPTION

Remote exploitation of a use after free vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.

The vulnerability occurs when the 'ondatasetcomplete' event method of a
timeChildren object is referenced. If this occurs when the object is in
an inconsistent state, a heap chunk will be freed, and then reused after
being freed. This results in an uninitialized VTABLE being used, which
can result in the execution of arbitrary code when the pointer is
dereferenced.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. To exploit
this vulnerability, a targeted user must load a malicious web page
created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted
sites. After the user visits the malicious web page, no further user
interaction is needed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Internet
Explorer versions 6, 7, and 8. Internet Explorer 5 does not appear to
be vulnerable.

V. WORKAROUND

Since this vulnerability is triggered through script code, disabling
Active Scripting will prevent the exploitation of this vulnerability.

VI. VENDOR RESPONSE

Microsoft Corp. has released an Out-Of-Band patch which addresses this
issue. Information about downloadable vendor updates can be found by
clicking on the URLs shown.

http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-1917 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/06/2009  - PoC Requested
06/06/2009  - PoC Sent
06/24/2009  - Tentative disclosure set to August
06/25/2009  - Requested CVE from vendor
06/25/2009  - Received CVE from vendor
07/23/2009  - Received updated disclosure notice for OOB in July
07/28/2009  - Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFKe0W1bjs6HoxIfBkRAlQLAKCJHohcKfI8Emv5OfSk7LMotPL/7ACfb4Wa
JyhMGxPvQ4AfdaK6dfmcIlg=
=OPoC
-END PGP SIGNATURE-


[ MDVSA-2009:195-1 ] apr

2009-08-06 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2009:195-1
 http://www.mandriva.com/security/
 ___

 Package : apr
 Date: August 6, 2009
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been identified and corrected in apr and apr-util:
 
 Multiple integer overflows in the Apache Portable Runtime (APR)
 library and the Apache Portable Utility library (aka APR-util)
 0.9.x and 1.3.x allow remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via vectors that
 trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
 function in memory/unix/apr_pools.c in APR; or crafted calls to
 the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc
 function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
 NOTE: some of these details are obtained from third party information
 (CVE-2009-2412).
 
 This update provides fixes for these vulnerabilities.

 Update:

 apr-util packages were missing for Mandriva Enterprise Server 5 i586;
 this has been addressed with this update.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 19ed152f311aaa740e498d204e611c87  
mes5/i586/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.i586.rpm
 1da16e622bc2aa6fac28b0a9a7c36b39  
mes5/i586/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.i586.rpm
 e9e56ac0cbd4316b1687c3e5bf66d3d3  
mes5/i586/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.i586.rpm
 fbfaeb1772eb0b22de4b4562f5601c50  
mes5/i586/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.i586.rpm
 6da57cdbe02238048ea6dc115a1ae744  
mes5/i586/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.i586.rpm
 34beee246bc1206229975aba75776aa2  
mes5/i586/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.i586.rpm
 445b930503e3e8f15b220681e67c74b4  
mes5/i586/libapr-util1-1.3.4-2.3mdvmes5.i586.rpm
 b53ec99a1242f3d0e31e4267090d4d69  
mes5/i586/libapr-util-devel-1.3.4-2.3mdvmes5.i586.rpm 
 ddd3ba83c0f4f0a73954d1ca8b6926c4  mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 02e1b437a1451b205d726a804ecba70a  
mes5/x86_64/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.x86_64.rpm
 daa72432fd3545df890a2aa2ebeacc4e  
mes5/x86_64/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.x86_64.rpm
 5c6b4a74cf6df907a88d1474708ba96c  
mes5/x86_64/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.x86_64.rpm
 8cabe517448ab264870e9b786f58db88  
mes5/x86_64/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.x86_64.rpm
 4f49787251d7fac85d39535c82389a6a  
mes5/x86_64/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.x86_64.rpm
 43c974a3636fd725d100332fd0b4f204  
mes5/x86_64/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.x86_64.rpm
 9f0a37e6b63384f216033c6f35975c09  
mes5/x86_64/lib64apr-util1-1.3.4-2.3mdvmes5.x86_64.rpm
 99d7a7418d4250764773f6cbcc0ebd6c  
mes5/x86_64/lib64apr-util-devel-1.3.4-2.3mdvmes5.x86_64.rpm 
 ddd3ba83c0f4f0a73954d1ca8b6926c4  mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKewWNmqjQ0CJFipgRAl3dAKCBpW6Ccamts0gKMNkDopc+x+QCZACfZ+Ep
WrkXUeLyvhHymK2bJ8xLrXU=
=4/ly
-END PGP SIGNATURE-



iDefense Security Advisory 08.06.09: Adobe Flash Player URL Parsing Heap Overflow Vulnerability

2009-08-06 Thread iDefense Labs
iDefense Security Advisory 08.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 06, 2009

I. BACKGROUND

Adobe Flash Player is a cross-platform browser plug-in that delivers
interactive content for Web experiences. For more information, please
visit the following page:

http://www.adobe.com/products/flashplayer/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Adobe Systems
Inc's Flash Player could allow an attacker to execute arbitrary code
with the privileges of the current user.

When a specifically crafted URL is passed to Flash Player, a heap
overflow can occur and could result in arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability allows the attacker to execute
arbitrary code with the privileges of the current user. To exploit this
vulnerability, a targeted user must load a malicious Web page created by
an attacker. An attacker typically accomplishes this via social
engineering techniques or injecting content into compromised, trusted
sites.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in Flash Player
10.0.22.87. Other versions may also be affected.

V. WORKAROUND

iDefense is unaware of any effective workaround for this vulnerability.

VI. VENDOR RESPONSE

Adobe has released an update which addresses this issue. For more
information, consult their advisory (APSB09-10) at the following URL:

http://www.adobe.com/support/security/bulletins/apsb09-10.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-1868 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/09/2009  - Initial Contact
04/09/2009  - PoC Requested
04/09/2009  - PoC Sent
07/30/2009  - Adobe releases update for Flash
08/05/2009  - iDefense requests clarification
08/06/2009  - Adobe clarifies fixed issue
08/06/2009  - Public disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao, iDefense Labs



iDefense Security Advisory 08.06.09: IBM AIX libC _LIB_INIT_DBG Arbitrary File Creation Vulnerability

2009-08-06 Thread iDefense Labs
iDefense Security Advisory 08.04.09
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 04, 2009

I. BACKGROUND

IBM's AIX is a Unix operating system based on System V, which runs on
the PowerPC (PPC) architecture. For more information, visit the product
web site at the following URL.

http://www.ibm.com/systems/power/software/aix/index.html

II. DESCRIPTION

Local exploitation of an arbitrary file creation vulnerability in IBM
Corp.'s Advanced Interactive eXecutive (AIX) Operating System allows
attackers to execute arbitrary code with super-user privileges.

This vulnerability exists due to the handling of several environment
variables. The libC.a library will open files as specified by the
"_LIB_INIT_DBG" and "_LIB_INIT_DBG_FILE" variables. The attacker's
"umask" will be honored, allowing them to create world-writable files,
owned by root, in arbitrary locations on the system.
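The two defences that close this class of bug in a library initializer, shown as an added example. This is not IBM's libC code and makes no claim about how libC.a actually handles these variables: a privilege-elevated process (real and effective ids differ) ignores the environment-supplied path entirely, and when the path is honoured the file is created with an explicit umask and mode, O_EXCL so an existing file is never clobbered, and O_NOFOLLOW so a symlink planted at the path is not followed. The function names, the 0600 mode and the /tmp file name used in main are assumptions for the demonstration.

```c
/* Added example (not IBM's libC code): honouring a debug-file environment
 * variable without the umask and set-uid failure modes in the advisory. */
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1. Never trust environment-supplied paths in a privilege-elevated process.
 *    Kept as a pure function so the policy can be checked with constructed ids. */
int debug_env_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* 2. Create the log with a mode the library controls, not the inherited umask:
 *    force umask 077 for the call, refuse to follow symlinks, refuse to clobber
 *    an existing file (O_EXCL). Returns the fd or -1. */
int open_debug_log(const char *path)
{
    mode_t saved = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(saved);
    return fd;
}

/* 3. Combined policy: 1 if the log was opened (fd in *fd_out), 0 if refused,
 *    -1 if the open failed. */
int init_debug_log(const char *env_value, uid_t ruid, uid_t euid,
                   gid_t rgid, gid_t egid, int *fd_out)
{
    *fd_out = -1;
    if (env_value == NULL || *env_value == '\0') return 0;
    if (!debug_env_trusted(ruid, euid, rgid, egid)) return 0;   /* set-uid: ignore */
    *fd_out = open_debug_log(env_value);
    return *fd_out >= 0 ? 1 : -1;
}

/* Permission bits of an open file, for checking what was actually created. */
int file_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    /* Constructed scenario: the process inherited a fully permissive umask. */
    umask(0);
    char path[64];
    snprintf(path, sizeof path, "/tmp/dbg_example_%ld.log", (long)getpid());
    int fd;
    int rc = init_debug_log(path, getuid(), geteuid(), getgid(), getegid(), &fd);
    if (rc == 1) {
        printf("unprivileged caller: created %s with mode %04o\n", path, file_mode_bits(fd));
        close(fd);
        unlink(path);
    }
    /* A set-uid-root process (ruid 1000, euid 0) never opens the env-supplied file. */
    rc = init_debug_log(path, 1000, 0, 1000, 0, &fd);
    printf("privileged caller: rc=%d fd=%d\n", rc, fd);
    return 0;
}
```

The mode comes out as 0600 even though the caller set umask(0), which is exactly the property the advisory says libC.a lacked.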

III. ANALYSIS

Exploitation of this vulnerability allows attackers to execute arbitrary
code with super-user privileges. In order to exploit this vulnerability
an attacker must be able to execute a set-uid binary linked with the
"libC.a" library. In default installations, several binaries may be
executed by any user with a local account; no special group membership
is needed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in IBM
Corp.'s AIX version 5.3. Other versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

IBM has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

02/25/2009  - Initial Contact
03/03/2009  - Initial Response
08/04/2009  - IBM proposed release date of August 4th, 2009
08/04/2009  - Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Karol Wiesek.




OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

2009-08-06 Thread katie . french
Application: OpenCms

Version: 7.5.0

Hardware: Tomcat/Oracle

Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

Overview:

Various URLs within the deployed OpenCms application version 7.5.0 are
open to attacks, including Cross-Site Scripting, Phishing Through Frames
and Application Error. Some of these attacks allow injection of scripts
into a parameter in the request. The application should filter out such
hazardous characters from user input.

Example follows:

Vulnerable URL (from the OpenCms VFS):

/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?&homelink=>"'>alert("This%20site%20has%20been%20compromised")

Results:

Insertion of the script into the homelink parameter successfully embeds
the script in the response and is executed once the page is loaded into
the user's browser (i.e. vulnerable to Cross-Site Scripting).
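The remediation the report repeats for each finding is to filter hazardous characters out of user input; the defence that actually removes the reflected-script problem is to encode the value at the point where it is written back into HTML, so that `<`, `>`, `"`, `'` and `&` lose their markup meaning in both attribute and text context. The following is an added example and not OpenCms code: a small HTML encoder and a constructed rendering of a "home link" parameter, with the function names and the page template assumed for the demonstration.

```c
/* Added example (not OpenCms code): encode a request parameter before
 * reflecting it into HTML so the characters the advisory calls "hazardous"
 * cannot close an attribute or open a tag. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encodes in -> out for safe use in HTML text and double/single-quoted
 * attributes. Returns bytes written (excluding the NUL) or -1 if out is too
 * small; a truncated encoding is never emitted. */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        char lit[2];
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;   /* &apos; is not defined in HTML 4 */
        default:   lit[0] = *in; lit[1] = '\0'; rep = lit; break;
        }
        size_t n = strlen(rep);
        if (used + n >= outsz) return -1;   /* keep room for the NUL */
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

/* Constructed template: the parameter lands in an href attribute and in the
 * link text, the two contexts where an unencoded value would execute.
 * Returns 0 on success, -1 if either buffer is too small. */
int render_home_link(const char *homelink, char *out, size_t outsz)
{
    char safe[512];
    if (html_escape(homelink, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, outsz, "<a href=\"%s\">%s</a>", safe, safe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char page[1024];
    /* Constructed input shaped like the advisory's: it closes the attribute
     * and injects a tag if reflected verbatim. */
    if (render_home_link("\"'><script>alert(1)</script>", page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

The encoded output contains no `<script>` and no unescaped quote, so the browser renders the payload as literal text. Encoding at output time rather than filtering at input time also keeps legitimate values (a title containing an ampersand, for instance) intact.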







Below find the complete list of vulnerable URLs (all paths are relative
to the OpenCms VFS). All issues are of High risk.

/opencms/opencms/system/modules/org.opencms.workplace.help/elements/search.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): query
Vulnerability(s): Cross-Site Scripting

/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): homelink
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames

/opencms/opencms/system/workplace/commons/preferences.jsp
Remediation: Verify that parameter values are in their expected ranges
and types. Do not output debugging error messages and exceptions
Parameter(s): tabdicopyfilemode, tabdicopyfoldermode, tabdideletefilemode
Vulnerability(s): Application Error

/opencms/opencms/system/workplace/commons/property.jsp
Remediation: Filter out hazardous characters from user input
Parameter: resource
Vulnerability(s): Cross-Site Scripting

/opencms/opencms/system/workplace/commons/publishproject.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): title, cancel, dialogtype, framename, progresskey,
projected, projectname, publishsiblings, relatedresources, subresources
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames, SQL Injection

/opencms/opencms/system/workplace/commons/publishresource.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s):
Vulnerability(s): Cross-Site Scripting

/opencms/opencms/system/workplace/commons/unlock.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): title
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames

/opencms/opencms/system/workplace/editors/editor.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): resource
Vulnerability(s): Cross-Site Scripting

/opencms/opencms/system/workplace/editors/dialogs/elements.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): elementlanguage, resource, title
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames

/opencms/opencms/system/workplace/locales/en/help/index.html
Remediation: Filter out hazardous characters from user input
Parameter(s): workplaceresource
Vulnerability(s): Phishing Through Frames

/opencms/opencms/system/workplace/views/admin/admin-main.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): path
Vulnerability(s): Cross-Site Scripting

/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): acttarget
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames

/opencms/opencms/system/workplace/views/explorer/explorer_files.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): mode
Vulnerability(s): Cross-Site Scripting

Katie French
CGI Federal
12601 Fair Lakes Circle
Fairfax, VA 22033
FFX: (703) 227-5642
RRB: (202) 564-0475



iDefense Security Advisory 08.06.09: Sun Java Runtime Environment (JRE) Pack200 Decompression Integer Overflow Vulnerability

2009-08-06 Thread iDefense Labs
iDefense Security Advisory 08.04.09
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 04, 2009

I. BACKGROUND

Pack200 is a compression method introduced by Sun in the 1.5 release of
the JRE. It is used to compress JAR files, and is optimized for the
compression of Java class files. A Java applet can be compressed using
the pack200 tool, and if the browser plug-in supports the pack200-gzip
encoding it will pass the compressed JAR file to the JRE for unpacking.
For more information, see the vendor's site at the following links.

http://www.sun.com/java/

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/pack200.html

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Sun
Microsystems Inc.'s Java Runtime Environment (JRE) could allow an
attacker to execute arbitrary code with the privileges of the current
user.

The vulnerability occurs when reading the header of the Pack200
compressed Jar file during decompression. To calculate the size of a
heap buffer, the code multiplies and adds several 32-bit integers. The
bounds of these values are not checked, and the arithmetic operations
can overflow. This results in an undersized buffer being allocated,
which leads to a heap-based buffer overflow.

This vulnerability is similar to two previous iDefense Exclusives in the
JRE Pack200 code and is due to an incomplete fix of the previous
vulnerabilities.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, a
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Sun
Microsystems Inc.'s JRE version 1.6.0_13 for Windows and Linux. This
vulnerability is different than the two previously reported iDefense
Exclusives in the Pack200 code.

V. WORKAROUND

The library containing the vulnerability can be renamed, which will
prevent it from being loaded. This workaround will prevent users from
loading Pack200 format JAR files and from using the pack/unpack tools
that come with the JRE; however, normal applets and Java applications
will continue to function correctly. The vulnerable library is called
"unpack" and can be found in:

"%SYSTEMDRIVE%\Program Files\Java\JAVA VERSION\bin\unpack.dll"

on Windows and in differing locations, dependent upon the
distribution/platform on Unix systems.

VI. VENDOR RESPONSE

Sun Microsystems Inc. has released a patch which addresses this issue.
For more information, consult their advisory at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263488-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

04/09/2009  - Initial Contact
04/13/2009  - PoC Requested
04/13/2009  - Clarification Requested
04/13/2009  - PoC Sent
04/21/2009  - Clarification Sent
07/22/2009  - Tentative Disclosure set for July 27, 2009
07/22/2009  - Requested CVE
07/22/2009  - Sun delays disclosures
07/28/2009  - Tentative Disclosure set for August 3rd, 2009
08/04/2009  - Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.



[CSS09-01] SlideShowPro Director File Disclosure Vulnerability

2009-08-06 Thread Scott Miles
CSS09-01: SlideShowPro Director File Disclosure Vulnerability
August 5, 2009

*SUMMARY*
SlideShowPro Director is vulnerable to a file disclosure flaw because it
fails to perform proper validation and handling of input parameters.
Attackers can exploit this vulnerability to read arbitrary files from
the hosting web server.

AFFECTED SOFTWARE
SlideShowPro Director version 1.1 through 1.3.8.

SEVERITY RATING
Rating:  High Risk
Impact:  Unauthorized access to system files
Where:   Remote

SOFTWARE DESCRIPTION
SlideShowPro Director is a complement to SlideShowPro, “a web-based
component designed to be integrated into any web site … for displaying
photos and videos.” Director is “a secure, easy to use application you
install on your own web server...for managing and updating your
slideshow content…” 
(http://slideshowpro.net/products/slideshowpro_director/slideshowpro_director)

SOLUTION
The vendor has released version 1.3.9 to address this issue. Refer to
http://wiki.slideshowpro.net/SSPdir/UP-HowToUpgrade for upgrade
instructions.

REFERENCES:
CVE number not yet assigned.
A copy of this bulletin is located at:
http://www.clearskies.net/documents/css-advisory-css09001-sspdirector.pdf

TECHNICAL DETAILS
The “p.php” file contains logic that is vulnerable to directory
traversal attacks. The “a” parameter to this function includes a file
name parameter that can be changed to any value, including one
containing relative directory paths. The resulting file will be
retrieved and displayed.

The application incorporates scrambling/obfuscation techniques to mask
the vulnerable parameter that is supplied to the application. A
moderately skilled attacker can reverse the obfuscation without any
access to the affected server or source code.
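The underlying defect is a file name taken from the request and used to open a file without confirming that the result stays inside the directory the application is meant to serve from. The following added example (not SlideShowPro's code, and assuming a POSIX realpath()) shows the check a fixed version needs once the parameter has been decoded: a lexical test that rejects absolute paths and any `..` component before touching the filesystem, and a canonicalising test that also catches a symlink inside the base directory pointing elsewhere. The function names and the base directory are assumptions.

```c
/* Added example (not SlideShowPro code): resolve a requested file name
 * against a fixed base directory and refuse anything that escapes it. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lexical check, usable without a filesystem: rejects empty names, absolute
 * paths, empty components ("a//b") and any ".." component. Returns 1 if the
 * name is acceptable, 0 otherwise. */
int name_is_plain(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/') return 0;
    const char *p = name;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (len == 0) return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (!seg_end) break;
        p = seg_end + 1;
    }
    return 1;
}

/* Filesystem check: canonicalise base and base/name with realpath() and
 * require the result to remain under base (base must not be "/"). Catches
 * symlinks inside base that lead outside it, which the lexical check cannot.
 * Returns 1 and writes the resolved path to out, 0 if rejected or the target
 * does not exist, -1 on error. */
int resolve_inside(const char *base, const char *name, char *out, size_t outsz)
{
    char real_base[PATH_MAX], joined[PATH_MAX], real_target[PATH_MAX];
    if (!name_is_plain(name)) return 0;
    if (realpath(base, real_base) == NULL) return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", real_base, name) >= (int)sizeof joined)
        return 0;
    if (realpath(joined, real_target) == NULL) return 0;   /* missing or dangling */
    size_t bl = strlen(real_base);
    if (strncmp(real_target, real_base, bl) != 0 || real_target[bl] != '/') return 0;
    if (strlen(real_target) + 1 > outsz) return -1;
    strcpy(out, real_target);
    return 1;
}

int main(void)
{
    char resolved[PATH_MAX];
    /* Constructed inputs: the second carries the relative-path trick the
     * advisory describes and is rejected before any I/O happens. */
    const char *names[] = { "gallery/photo1.jpg", "../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s plain=%d resolve=%d\n", names[i], name_is_plain(names[i]),
               resolve_inside("/tmp", names[i], resolved, sizeof resolved));
    return 0;
}
```

Keeping the lexical check in front of realpath() means a traversal attempt is rejected before the filesystem is consulted, which also removes the "file not found" warnings that would otherwise leak path information into the error log.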

IDENTIFYING VULNERABLE INSTALLATIONS
Vulnerable installations can be identified from the XML data file that
SlideShowPro Director generates for the SlideShowPro component: it
contains base64-encoded “a” parameters to the “p.php” function, for
example:

[XML excerpt: element attributes carrying p.php URLs such as
http://masked/ssp_director/p.php?a=XF9VXiEyPSoqQFtFPzU2JzM6Iys%2BPiYyKzM5LTM%2BMiU%2BJzE%3D&m=1247688172
together with tn and tnPath attributes]

DETECTING EXPLOITATION
The affected parameter is only accepted as a “GET” variable. The web
server should therefore log any exploitation attempts if basic logging
of the query string is enabled. Identifying actual exploitation is
hindered, since the attacking parameter is scrambled, but the logic to
reverse this data can be extracted from the application code and
settings if necessary. Web server error logs may also contain suspicious
PHP file access warnings if a file requested by an attacker is not
present.
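The error-log angle is the one that works without reversing the scrambling, because PHP records the already-decoded path when an open fails. The following added example (not part of the advisory) scans constructed error-log lines for "failed to open stream" warnings attributed to p.php and flags those whose requested path contains a parent-directory component or lies outside the web root. The log-line layout is PHP's standard warning format; the hosts, client addresses, paths and line numbers are invented for the sample.

```c
/* Added example (not part of the advisory): flag PHP "failed to open stream"
 * warnings from p.php whose requested path looks like a traversal attempt. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if line is a p.php open failure whose argument contains a ".."
 * component or is an absolute path outside webroot, copying the path to out.
 * Returns 0 for every other line (including lines whose path will not fit). */
int suspicious_open_failure(const char *line, const char *webroot,
                            char *out, size_t outsz)
{
    const char *end = strstr(line, "): failed to open stream");
    const char *start = strchr(line, '(');
    if (end == NULL || start == NULL || start > end) return 0;
    if (strstr(end, "p.php") == NULL) return 0;      /* "... in /path/p.php on line N" */
    start++;
    size_t len = (size_t)(end - start);
    if (len + 1 > outsz) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    int traversal = strncmp(out, "../", 3) == 0 || strstr(out, "/../") != NULL ||
                    (len >= 3 && strcmp(out + len - 3, "/..") == 0);
    int outside = out[0] == '/' && strncmp(out, webroot, strlen(webroot)) != 0;
    return traversal || outside;
}

/* Runs the check over n lines, prints each hit, returns the number flagged. */
int scan_error_log(const char *const *lines, size_t n, const char *webroot)
{
    int hits = 0;
    char path[512];
    for (size_t i = 0; i < n; i++)
        if (suspicious_open_failure(lines[i], webroot, path, sizeof path)) {
            hits++;
            printf("suspicious open in line %zu: %s\n", i + 1, path);
        }
    return hits;
}

/* Constructed sample log: PHP's warning format, invented hosts/paths/lines. */
static const char *const SAMPLE[] = {
    "[Thu Aug 06 10:01:02 2009] [error] [client 192.0.2.10] PHP Warning:  file_get_contents(/var/www/ssp_director/images/missing.jpg): failed to open stream: No such file or directory in /var/www/ssp_director/p.php on line 42",
    "[Thu Aug 06 10:01:05 2009] [error] [client 192.0.2.10] PHP Warning:  file_get_contents(/var/www/ssp_director/images/../../../../etc/passwd.bak): failed to open stream: No such file or directory in /var/www/ssp_director/p.php on line 42",
    "[Thu Aug 06 10:01:09 2009] [error] [client 192.0.2.10] PHP Warning:  file_get_contents(/var/www/ssp_director/images/../../config/settings.ini): failed to open stream: No such file or directory in /var/www/ssp_director/p.php on line 42",
    "[Thu Aug 06 10:02:00 2009] [error] [client 198.51.100.7] PHP Warning:  include(config.php): failed to open stream: No such file or directory in /var/www/other/index.php on line 3",
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    int n = scan_error_log(SAMPLE, SAMPLE_COUNT, "/var/www/ssp_director");
    printf("%d of %zu lines flagged\n", n, (size_t)SAMPLE_COUNT);
    return 0;
}
```

A first-line hit from a client followed by a burst of similar warnings is the pattern to alert on; a single missing image from an ordinary gallery request (the first sample line) is noise and is not flagged.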

PROOF OF CONCEPT
A proof-of-concept tool to exploit this vulnerability that accommodates
the parameter scrambling for any site has been created but not
published. Note that even sites that have defined a custom “key” or
“salt” for the scrambling routines are vulnerable.

IMPACT
This issue exposes the confidentiality of any files residing on the same
drive as the component including configuration files with system access
credentials, the source code to application pages, and possibly customer
data files.

THREAT EVALUATION
The issue can be exploited by anyone from the Internet. The ability to
identify/crack the scrambling key would require a moderately skilled
individual, although once the algorithm is published, exploiting the
issue is trivial. This vulnerability can be easily scripted and
automated, placing it within reach of any individual. An attacker must
know the name of desired files.

CREDITS
Scott Miles of Clear Skies Security identified this flaw.
Clear Skies would like to thank the vendor for their openness and
responsiveness in dealing with this issue.

TIME TABLE
2009-07-20: Vendor notified; confirmed vulnerability.
2009-07-22: Vendor provides patch.
2009-08-06: Public disclosure.

--
Scott Miles
Principal Consultant
Clear Skies Security







[ MDVSA-2009:195 ] apr

2009-08-06 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:195
 http://www.mandriva.com/security/
 ___

 Package : apr
 Date: August 6, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
   Enterprise Server 5.0, Multi Network Firewall 2.0
 ___

 Problem Description:

 A vulnerability has been identified and corrected in apr and apr-util:
 
 Fix potential overflow in pools (apr) and rmm (apr-util), where size
 alignment was taking place (CVE-2009-2412).
 
 This update provides fixes for these vulnerabilities.
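Both the pool/rmm size-alignment overflow fixed here (CVE-2009-2412) and the Pack200 header-size computation described in the iDefense JRE advisory above are the same bug class: a requested size is rounded up, multiplied or added in fixed-width integers, the result wraps to a small number, and an undersized buffer is allocated. The following added example is not APR, APR-util or JRE code; it shows a constructed unchecked form of each computation beside a checked form that reports the wrap instead of allocating. The function names and the sample operands are assumptions for the demonstration.

```c
/* Added example: overflow-checked size arithmetic of the kind the APR and
 * Pack200 advisories describe. Not code from APR, APR-util or the JRE. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked multiply-add (the Pack200 shape): count * elem_size + header
 * silently wraps at 2^32 and yields a tiny buffer size. */
uint32_t unchecked_buffer_size(uint32_t count, uint32_t elem_size, uint32_t header)
{
    return count * elem_size + header;
}

/* Checked multiply-add: returns false instead of wrapping; *out is valid
 * only when the function returns true. */
bool checked_buffer_size(uint32_t count, uint32_t elem_size, uint32_t header,
                         uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;                    /* multiplication would wrap */
    uint32_t product = count * elem_size;
    if (header > UINT32_MAX - product)
        return false;                    /* addition would wrap */
    *out = product + header;
    return true;
}

/* Unchecked round-up to a multiple of 8 (the "size alignment" shape):
 * (size + 7) & ~7 wraps for sizes within 7 of SIZE_MAX and returns 0. */
size_t unchecked_align8(size_t size)
{
    return (size + 7) & ~(size_t)7;
}

/* Checked round-up: rejects sizes that cannot be aligned without wrapping. */
bool checked_align8(size_t size, size_t *out)
{
    if (size > SIZE_MAX - 7)
        return false;
    *out = (size + 7) & ~(size_t)7;
    return true;
}

int main(void)
{
    uint32_t n;
    size_t a;
    /* 0x40000000 elements of 4 bytes is exactly 2^32: the product wraps to 0. */
    printf("unchecked 0x40000000*4+16 = %u\n", unchecked_buffer_size(0x40000000u, 4, 16));
    printf("checked   0x40000000*4+16 -> %s\n",
           checked_buffer_size(0x40000000u, 4, 16, &n) ? "ok" : "rejected");
    printf("unchecked align8(SIZE_MAX-2) = %zu\n", unchecked_align8(SIZE_MAX - 2));
    printf("checked   align8(SIZE_MAX-2) -> %s\n",
           checked_align8(SIZE_MAX - 2, &a) ? "ok" : "rejected");
    return 0;
}
```

The checks compare against the maximum before performing the operation, which is the only portable way to detect unsigned wrap in C; testing the result afterwards (for instance, `if (size + 7 < size)`) also works for unsigned types but is easy to get wrong once signed operands are involved.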
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 bd5757bce0a8299edcf7dcc3e2980964  
2008.1/i586/apr-util-dbd-mysql-1.2.12-4.2mdv2008.1.i586.rpm
 50ba5cc45e1f72e8219addc0df369ca4  
2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.2mdv2008.1.i586.rpm
 1cb0f643e4084741afefb8d25d975062  
2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.2mdv2008.1.i586.rpm
 23990e6d23f02addecd2d3dcd7d68baf  
2008.1/i586/libapr1-1.2.12-3.1mdv2008.1.i586.rpm
 002cebd9b1e101cc487490fb5e1de4b9  
2008.1/i586/libapr-devel-1.2.12-3.1mdv2008.1.i586.rpm
 178584e4fee60428188b4f8be39e8b22  
2008.1/i586/libapr-util1-1.2.12-4.2mdv2008.1.i586.rpm
 d718e18960ee01edbfc9cf99cb335604  
2008.1/i586/libapr-util-devel-1.2.12-4.2mdv2008.1.i586.rpm 
 bf792d204211369b8c63051f1360fd97  2008.1/SRPMS/apr-1.2.12-3.1mdv2008.1.src.rpm
 dcbd01ea287e6d8efc276dfa074c3930  
2008.1/SRPMS/apr-util-1.2.12-4.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 6a9a81c520c8e30b5f8fbbe54d185dff  
2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.2mdv2008.1.x86_64.rpm
 cc9d7917d41f5ca317d2942c2d14c859  
2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.2mdv2008.1.x86_64.rpm
 016e48025c0fec50db868ba23d20140e  
2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.2mdv2008.1.x86_64.rpm
 6ee3859a30eab3399275b29356df5727  
2008.1/x86_64/lib64apr1-1.2.12-3.1mdv2008.1.x86_64.rpm
 766f74618ab9532eef5ab40f94112579  
2008.1/x86_64/lib64apr-devel-1.2.12-3.1mdv2008.1.x86_64.rpm
 6e57aa1381b9af730eec5f313f8d5d79  
2008.1/x86_64/lib64apr-util1-1.2.12-4.2mdv2008.1.x86_64.rpm
 6fda7ebf5640ad5ad9ba0d2d1169dbc9  
2008.1/x86_64/lib64apr-util-devel-1.2.12-4.2mdv2008.1.x86_64.rpm 
 bf792d204211369b8c63051f1360fd97  2008.1/SRPMS/apr-1.2.12-3.1mdv2008.1.src.rpm
 dcbd01ea287e6d8efc276dfa074c3930  
2008.1/SRPMS/apr-util-1.2.12-4.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 89786c5904cee8d22c5140528d412a1c  
2009.0/i586/apr-util-dbd-freetds-1.3.4-2.2mdv2009.0.i586.rpm
 19df90719d15def384b7aec1efc5dcd8  
2009.0/i586/apr-util-dbd-ldap-1.3.4-2.2mdv2009.0.i586.rpm
 e164acf4668fd239f2801698e3dc9aa4  
2009.0/i586/apr-util-dbd-mysql-1.3.4-2.2mdv2009.0.i586.rpm
 70f55ca514ef15778001082f3c51a9fd  
2009.0/i586/apr-util-dbd-odbc-1.3.4-2.2mdv2009.0.i586.rpm
 85135d9490be22fc56a897cf9d5fba7e  
2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.2mdv2009.0.i586.rpm
 424d3a8896bc70503a69dc8c4d9882a9  
2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.2mdv2009.0.i586.rpm
 586edd704499f119527638f0f1913614  
2009.0/i586/libapr1-1.3.3-2.1mdv2009.0.i586.rpm
 f5065323fca63075434ce1eb850e3c01  
2009.0/i586/libapr-devel-1.3.3-2.1mdv2009.0.i586.rpm
 4aba7262b561a1d67187c799cd06a138  
2009.0/i586/libapr-util1-1.3.4-2.2mdv2009.0.i586.rpm
 a125fa8529bd8dd79ada83747c23f9d4  
2009.0/i586/libapr-util-devel-1.3.4-2.2mdv2009.0.i586.rpm 
 23e454eea7e368502047b85976d1ef88  2009.0/SRPMS/apr-1.3.3-2.1mdv2009.0.src.rpm
 162271ed051fa5de81a973e5adc487dc  
2009.0/SRPMS/apr-util-1.3.4-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 667ffab851dd6babd31700a5d9c113a7  
2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.2mdv2009.0.x86_64.rpm
 08089224bb9da997752624d85c229251  
2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.2mdv2009.0.x86_64.rpm
 7ce1a16bc3e35fc4a3dcb8a1e148c05b  
2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.2mdv2009.0.x86_64.rpm
 075dbc136d3110952d54f9a85761c1b6  
2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.2mdv2009.0.x86_64.rpm
 90edf3ec758ed79a7973a36141ddc295  
2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.2mdv2009.0.x86_64.rpm
 f15ee7ff2b203c436eab2d7e4c118a1d  
2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.2mdv2009.0.x86_64.rpm
 2b0529a353e38a0eda5f8d08ecf95554  
2009.0/x86_64/lib64apr1-1.3.3-2.1mdv2009.0.x86_64.rpm
 524773745dfeb06cd86e7149723c6cbe  
2009.0/x86_64/lib64apr-devel-1.3.3-2.1mdv2009.0.x86_64.rpm
 3e7bc1d3e713ba5893c34215ee93f932  
2009.0/x86_64/lib64apr-util1-1.3.4-2.2mdv2009.0.x86_64.rpm
 44be6021b3db277a5993f488b02074db  
2009.0/x86_64/lib64apr-util-devel-1.3.4-2.2mdv2009.0.x86_64.rpm 
 23e454eea7e368502047b85976d1ef88  2009.0/SRPMS/apr-1.3.3-2.1mdv2009.0.src.rpm
 162271ed0

[ MDVSA-2009:194 ] wireshark

2009-08-06 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:194
 http://www.mandriva.com/security/
 ___

 Package : wireshark
 Date: August 5, 2009
 Affected: 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Vulnerabilities have been discovered in the wireshark package which could
 lead to an application crash via the RADIUS, InfiniBand and AFS dissectors
 (CVE-2009-2560, CVE-2009-2562, CVE-2009-2563).
 
 This update provides a fix for those vulnerabilities.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2562
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2563
 http://www.wireshark.org/security/wnpa-sec-2009-04.html
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 35c44b3ddaf03f0229dffe083690  
2009.0/i586/dumpcap-1.0.8-3.2mdv2009.0.i586.rpm
 32a5a19dbd7d927f04462644fda1a918  
2009.0/i586/libwireshark0-1.0.8-3.2mdv2009.0.i586.rpm
 679abf03eebc9c9790497845a49b92b5  
2009.0/i586/libwireshark-devel-1.0.8-3.2mdv2009.0.i586.rpm
 7fc204402d3ca6c0b89b5aefc58ac243  
2009.0/i586/rawshark-1.0.8-3.2mdv2009.0.i586.rpm
 fc2ceb7dcbd8edaac22fac8ef8020688  
2009.0/i586/tshark-1.0.8-3.2mdv2009.0.i586.rpm
 5e42c96a3f433b845059cc4616b3f1bf  
2009.0/i586/wireshark-1.0.8-3.2mdv2009.0.i586.rpm
 3c70080e2d6962af6cf0c7d48fec8a89  
2009.0/i586/wireshark-tools-1.0.8-3.2mdv2009.0.i586.rpm 
 10dc6eb791beb4db15d7dd9acd20a3b5  
2009.0/SRPMS/wireshark-1.0.8-3.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 0b42122bf6b1a5c3e65b673b19da382e  
2009.0/x86_64/dumpcap-1.0.8-3.2mdv2009.0.x86_64.rpm
 f560c78cf476d2c4bc4758330a933fff  
2009.0/x86_64/lib64wireshark0-1.0.8-3.2mdv2009.0.x86_64.rpm
 3a9a289b9e01b4ce1d89b970b3577a56  
2009.0/x86_64/lib64wireshark-devel-1.0.8-3.2mdv2009.0.x86_64.rpm
 759831cb22ec8a5d5028015a35931087  
2009.0/x86_64/rawshark-1.0.8-3.2mdv2009.0.x86_64.rpm
 e12270bc4129f1c62a6fccba67e80fe0  
2009.0/x86_64/tshark-1.0.8-3.2mdv2009.0.x86_64.rpm
 de928a404ae250eabb93ea05c5e022d4  
2009.0/x86_64/wireshark-1.0.8-3.2mdv2009.0.x86_64.rpm
 05b5ac1f460a049efc36b57785c9d166  
2009.0/x86_64/wireshark-tools-1.0.8-3.2mdv2009.0.x86_64.rpm 
 10dc6eb791beb4db15d7dd9acd20a3b5  
2009.0/SRPMS/wireshark-1.0.8-3.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 5f084d3f4d56462afdeb056d2c63e0b0  
2009.1/i586/dumpcap-1.0.8-3.2mdv2009.1.i586.rpm
 e9137ca3ecf24656a06ae4dd0870137d  
2009.1/i586/libwireshark0-1.0.8-3.2mdv2009.1.i586.rpm
 31e8564ff9ad9a1a4085a23df535a9b7  
2009.1/i586/libwireshark-devel-1.0.8-3.2mdv2009.1.i586.rpm
 d125bcd35a05532acd2bce81bb477278  
2009.1/i586/rawshark-1.0.8-3.2mdv2009.1.i586.rpm
 cd24c453d85fa38cdb95f798af11ada1  
2009.1/i586/tshark-1.0.8-3.2mdv2009.1.i586.rpm
 3853e1197a5f1189ccecace02c664cd9  
2009.1/i586/wireshark-1.0.8-3.2mdv2009.1.i586.rpm
 cd28e512238504a40183ac9053f7ded7  
2009.1/i586/wireshark-tools-1.0.8-3.2mdv2009.1.i586.rpm 
 7772b718900f37402f2205df81027eaf  
2009.1/SRPMS/wireshark-1.0.8-3.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 33fb00d1fe8705f96b68a557df9dc82c  
2009.1/x86_64/dumpcap-1.0.8-3.2mdv2009.1.x86_64.rpm
 fecf1fea37ba80db55b081dada88d92e  
2009.1/x86_64/lib64wireshark0-1.0.8-3.2mdv2009.1.x86_64.rpm
 997814600900d1897d36ec703931107f  
2009.1/x86_64/lib64wireshark-devel-1.0.8-3.2mdv2009.1.x86_64.rpm
 bb03b7ab486159ff2185f28298817ec3  
2009.1/x86_64/rawshark-1.0.8-3.2mdv2009.1.x86_64.rpm
 ddd6af566dd048d7660e6c51407951f5  
2009.1/x86_64/tshark-1.0.8-3.2mdv2009.1.x86_64.rpm
 e380009d79ccf87bcd6dc614af0fcf3a  
2009.1/x86_64/wireshark-1.0.8-3.2mdv2009.1.x86_64.rpm
 416b62662ecb8f00c9b38b67c8bffe68  
2009.1/x86_64/wireshark-tools-1.0.8-3.2mdv2009.1.x86_64.rpm 
 7772b718900f37402f2205df81027eaf  
2009.1/SRPMS/wireshark-1.0.8-3.2mdv2009.1.src.rpm

 Corporate 4.0:
 0edce2e85d953b8ad86d663054e8d556  
corporate/4.0/i586/dumpcap-1.0.8-0.2.20060mlcs4.i586.rpm
 b3b5ff7686d44df6d741213ca4ef5a3f  
corporate/4.0/i586/libwireshark0-1.0.8-0.2.20060mlcs4.i586.rpm
 15af42501657bf3b632faf78ac64b676  
corporate/4.0/i586/libwireshark-devel-1.0.8-0.2.20060mlcs4.i586.rpm
 df9b9c9d6844d09407255585e95363eb  
corporate/4.0/i586/rawshark-1.0.8-0.2.20060mlcs4.i586.rpm
 1e0524ed826663d6c123a25a810229c4  
corporate/4.0/i586/tshark-1.0.8-0.2.20060mlcs4.i586.rpm
 70284837b799f074252a92e36003fa7b  
corporate/4.0/i586/wireshark-1.0.8-0.2.20060mlcs4.i586.rpm
 7770f8370818ed3051849804c5c7832b  
corporate/4.0/i586/wireshark-tools-1.0.8-0.2.20060mlcs4.i586.rpm 
 58357c66e0af1174591ddede8552e9ed  
corporate/4.0/SRPMS/wireshark-1.0.8-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 9e324be1a76546158e

[ MDVSA-2009:193 ] ruby

2009-08-06 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:193
 http://www.mandriva.com/security/
 ___

 Package : ruby
 Date: August 5, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check
 the return value from the OCSP_basic_verify function, which might allow
 remote attackers to successfully present an invalid X.509 certificate,
 possibly involving a revoked certificate.
 
 This update corrects the problem, including for older ruby versions.
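
 The failure mode behind CVE-2009-0642 is a tri-state return value read as
 a boolean. The C program below is an added illustration, not Ruby's
 ext/openssl/ossl_ocsp.c and not OpenSSL code: model_basic_verify() is a
 hypothetical stand-in that reproduces only the documented OCSP_basic_verify()
 contract (1 = response verified, 0 = verification failed, negative = internal
 error), and the two wrappers show the kind of check the advisory describes
 next to a corrected one.

```c
/*
 * Added illustration (not Ruby's or OpenSSL's code). OCSP_basic_verify() is
 * documented to return 1 on success, 0 when the response fails verification,
 * and a negative value on an internal error. Coercing that tri-state result
 * straight to a boolean turns the error case into "verified".
 */
#include <stdio.h>

#define VERIFY_OK      1
#define VERIFY_FAILED  0
#define VERIFY_ERROR  -1

/*
 * Hypothetical stand-in for OCSP_basic_verify(): it does no cryptography and
 * only reproduces the return contract. signer_present models "the responder
 * certificate could be located"; signature_valid models "the signature over
 * the response checks out".
 */
static int model_basic_verify(int signer_present, int signature_valid)
{
    if (!signer_present)
        return VERIFY_ERROR;            /* verification could not even start */
    return signature_valid ? VERIFY_OK : VERIFY_FAILED;
}

/* Pattern the advisory describes: any non-zero result is reported as verified. */
int verified_buggy(int signer_present, int signature_valid)
{
    int result = model_basic_verify(signer_present, signature_valid);
    return result ? 1 : 0;              /* -1 is non-zero, so an error passes */
}

/* Corrected: only the documented success value counts as verified. */
int verified_fixed(int signer_present, int signature_valid)
{
    int result = model_basic_verify(signer_present, signature_valid);
    if (result < 0)
        return 0;                       /* error path: never treat as a pass */
    return result > 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed scenarios; the third is the one the advisory is about. */
    printf("good   response: buggy=%d fixed=%d\n", verified_buggy(1, 1), verified_fixed(1, 1));
    printf("forged response: buggy=%d fixed=%d\n", verified_buggy(1, 0), verified_fixed(1, 0));
    printf("missing signer : buggy=%d fixed=%d\n", verified_buggy(0, 0), verified_fixed(0, 0));
    return 0;
}
```

 The same mistake appears with any library call that folds "failed" and
 "could not check" into the same sign; the caller has to compare against the
 success value, not against zero.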
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0642
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 b6713b937acd6177e43d5dd9adf78a92  
2008.1/i586/ruby-1.8.6-9p114.4mdv2008.1.i586.rpm
 09481407505f55b81cade1db95d738c6  
2008.1/i586/ruby-devel-1.8.6-9p114.4mdv2008.1.i586.rpm
 0308ccc0cb62ca9031c654c94cc0e9ee  
2008.1/i586/ruby-doc-1.8.6-9p114.4mdv2008.1.i586.rpm
 a1f5fffec41efe72ce8976c8ef79a660  
2008.1/i586/ruby-tk-1.8.6-9p114.4mdv2008.1.i586.rpm 
 4bbb4018722168d2ced70b7c107c6ea0  
2008.1/SRPMS/ruby-1.8.6-9p114.4mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 6128ad00fe61fe921239487a3a7f9c2a  
2008.1/x86_64/ruby-1.8.6-9p114.4mdv2008.1.x86_64.rpm
 a37e6862e77d34a6b8a511bdfb2a6d24  
2008.1/x86_64/ruby-devel-1.8.6-9p114.4mdv2008.1.x86_64.rpm
 d47b51ac7bd9ce7233e607f1d3d1edc3  
2008.1/x86_64/ruby-doc-1.8.6-9p114.4mdv2008.1.x86_64.rpm
 6b8503f890db07a56a602e5004dcde76  
2008.1/x86_64/ruby-tk-1.8.6-9p114.4mdv2008.1.x86_64.rpm 
 4bbb4018722168d2ced70b7c107c6ea0  
2008.1/SRPMS/ruby-1.8.6-9p114.4mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 a99dca894009b3416c947c9b918ca565  
2009.0/i586/ruby-1.8.7-7p72.2mdv2009.0.i586.rpm
 ffdba0c2d07588a9d03e8b35b2bfdc62  
2009.0/i586/ruby-devel-1.8.7-7p72.2mdv2009.0.i586.rpm
 a87ad8e2b9aa8a12e0d263a51d392abf  
2009.0/i586/ruby-doc-1.8.7-7p72.2mdv2009.0.i586.rpm
 8603163c55d43873154a15f412cf9dc6  
2009.0/i586/ruby-tk-1.8.7-7p72.2mdv2009.0.i586.rpm 
 643988677dc99d19e0f70907745edb64  
2009.0/SRPMS/ruby-1.8.7-7p72.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 07840368d916f0d15f9c00e135f7c307  
2009.0/x86_64/ruby-1.8.7-7p72.2mdv2009.0.x86_64.rpm
 b7e8a14de19e4898e3ee6396f6c2d073  
2009.0/x86_64/ruby-devel-1.8.7-7p72.2mdv2009.0.x86_64.rpm
 ab0cf8b25ac28347827a8c09f1f0a6eb  
2009.0/x86_64/ruby-doc-1.8.7-7p72.2mdv2009.0.x86_64.rpm
 539aecfa8e5cfc78b25551b64144ae44  
2009.0/x86_64/ruby-tk-1.8.7-7p72.2mdv2009.0.x86_64.rpm 
 643988677dc99d19e0f70907745edb64  
2009.0/SRPMS/ruby-1.8.7-7p72.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 8c79d647f56c69f4092db555f76f2fc0  
2009.1/i586/ruby-1.8.7-9p72.2mdv2009.1.i586.rpm
 1de68e2e5913980856e94bb48776ccf6  
2009.1/i586/ruby-devel-1.8.7-9p72.2mdv2009.1.i586.rpm
 2e25f7bee81951aa32c3cb22c235295e  
2009.1/i586/ruby-doc-1.8.7-9p72.2mdv2009.1.i586.rpm
 87808e106da38245199b7fe1ce2df0a0  
2009.1/i586/ruby-tk-1.8.7-9p72.2mdv2009.1.i586.rpm 
 a2d2afc50337c9e59faf07560d524acf  
2009.1/SRPMS/ruby-1.8.7-9p72.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 9fa5300ab40245ffb8a9324b6a508dd1  
2009.1/x86_64/ruby-1.8.7-9p72.2mdv2009.1.x86_64.rpm
 e3d66178e2688a3ffa2474f51f06fdb0  
2009.1/x86_64/ruby-devel-1.8.7-9p72.2mdv2009.1.x86_64.rpm
 f67eb8be42e770f0cab2bc27011cb914  
2009.1/x86_64/ruby-doc-1.8.7-9p72.2mdv2009.1.x86_64.rpm
 daa9e7bdcef05e5184d7330f404aabe6  
2009.1/x86_64/ruby-tk-1.8.7-9p72.2mdv2009.1.x86_64.rpm 
 a2d2afc50337c9e59faf07560d524acf  
2009.1/SRPMS/ruby-1.8.7-9p72.2mdv2009.1.src.rpm

 Corporate 3.0:
 bb6f25ad3053954c969ff74fca117518  
corporate/3.0/i586/ruby-1.8.1-1.13.C30mdk.i586.rpm
 ad4055c50ce8da0372d831e0b488af9c  
corporate/3.0/i586/ruby-devel-1.8.1-1.13.C30mdk.i586.rpm
 13448c01625ca8b1b538aa5162d2c620  
corporate/3.0/i586/ruby-doc-1.8.1-1.13.C30mdk.i586.rpm
 78451cec2892c715ace6ce09b75a4f07  
corporate/3.0/i586/ruby-tk-1.8.1-1.13.C30mdk.i586.rpm 
 a235fb7168b3c327d4d6ae80290bdd6e  
corporate/3.0/SRPMS/ruby-1.8.1-1.13.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5d315613d9f992d6c4f58c52bd03d627  
corporate/3.0/x86_64/ruby-1.8.1-1.13.C30mdk.x86_64.rpm
 d3b693c92ee4968e6f6d63e3b71e5a90  
corporate/3.0/x86_64/ruby-devel-1.8.1-1.13.C30mdk.x86_64.rpm
 7f0ca0f79a7b9286cd98e2da2ba6c2b4  
corporate/3.0/x86_64/ruby-doc-1.8.1-1.13.C30mdk.x86_64.rpm
 9f4cc39abd6d039223c80dfcc101e51f  
corporate/3.0/x86_64/ruby-tk-1.8.1-1.13.C30mdk.x86_64.rpm 
 a235fb7168b3c327d4d6ae80290bdd6e  
corporate/3.0/SRPMS/ruby-1.8.1-1.13.C30mdk.src.rpm

 Corporate 4.0:
 14eefde3ea5f870005dd4c0fb2025c8c  
corporate/4.0/i586/ruby-1.8.2-7.10.20060mlcs4.

[SECURITY] [DSA 1851-1] New gst-plugins-bad0.10 packages fix arbitrary code execution

2009-08-06 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1851-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
August 06, 2009   http://www.debian.org/security/faq
- 

Package: gst-plugins-bad0.10
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-1438
Debian Bugs: 527075


It was discovered that gst-plugins-bad0.10, the GStreamer plugins from
the "bad" set, is prone to an integer overflow when processing a MED
file with a crafted song comment or song name.
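
The advisory names the bug class but not the code. As an added example,
constructed here and not libmodplug's or GStreamer's code, the program below
parses a hypothetical length-prefixed string chunk of the kind a song name or
comment could be stored in, and puts the integer overflow in "len + 1" buffer
sizing next to a bounds-checked version. The chunk layout (a 32-bit big-endian
length followed by the bytes) is an assumption for illustration.

```c
/*
 * Added illustration of the bug class in DSA-1851-1 (integer overflow while
 * sizing a buffer for a MED song name or comment). Constructed parser; the
 * chunk layout is hypothetical and this is not libmodplug's code.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a 32-bit big-endian integer (assumed byte order for the sample chunk). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable sizing: trusts the length field and adds one byte for a NUL.
 * With len = 0xFFFFFFFF, len + 1 wraps to 0 in 32-bit unsigned arithmetic,
 * so the caller would malloc(0) and then copy ~4 GiB into it.
 * Returns the byte count that would be handed to malloc().
 */
size_t vulnerable_alloc_size(const uint8_t *chunk, size_t chunk_len)
{
    (void)chunk_len;                 /* never consulted: that is the bug */
    uint32_t len = be32(chunk);
    return len + 1;                  /* wraps to 0 for len == UINT32_MAX */
}

/*
 * Hardened: the declared length must fit in the bytes actually present and
 * the +1 for the terminator must not overflow. Returns 0 and sets *out
 * (caller frees) on success, -1 on a malformed chunk.
 */
int safe_read_string(const uint8_t *chunk, size_t chunk_len, char **out)
{
    *out = NULL;
    if (chunk_len < 4)
        return -1;                                   /* no room for the length field */
    uint32_t len = be32(chunk);
    if (len > chunk_len - 4)
        return -1;                                   /* claims more bytes than exist */
    if ((size_t)len > SIZE_MAX - 1)
        return -1;                                   /* len + 1 would overflow size_t */
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return -1;
    memcpy(s, chunk + 4, len);
    s[len] = '\0';
    *out = s;
    return 0;
}

/* Constructed sample chunks (not taken from any real MED file). */
const uint8_t sample_benign[]  = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t sample_crafted[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };

int main(void)
{
    char *name = NULL;

    printf("benign : vulnerable malloc size = %zu\n",
           vulnerable_alloc_size(sample_benign, sizeof sample_benign));
    printf("crafted: vulnerable malloc size = %zu\n",
           vulnerable_alloc_size(sample_crafted, sizeof sample_crafted));

    if (safe_read_string(sample_benign, sizeof sample_benign, &name) == 0) {
        printf("benign : parsed \"%s\"\n", name);
        free(name);
    }
    printf("crafted: safe parser rc = %d\n",
           safe_read_string(sample_crafted, sizeof sample_crafted, &name));
    return 0;
}
```

The check against the remaining file size is the one that matters in
practice: a length field that cannot be satisfied by the bytes still in the
buffer is malformed whether or not the arithmetic happens to wrap.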


For the stable distribution (lenny), this problem has been fixed in
version 0.10.7-2+lenny2.

For the oldstable distribution (etch), this problem has been fixed in
version 0.10.3-3.1+etch3.

For the testing distribution (squeeze) and the unstable distribution
(sid), gst-plugins-bad0.10 links against libmodplug.


We recommend that you upgrade your gst-plugins-bad0.10 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3.orig.tar.gz
Size/MD5 checksum:  1377759 6d09962ac9ae6218932578ccc623407f
  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3-3.1+etch3.diff.gz
Size/MD5 checksum:10336 5e68af9a67d4b74d0b952ba9a03f458b
  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3-3.1+etch3.dsc
Size/MD5 checksum:  820 6789b3d031b8def3dd61b1f27eef238f

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_alpha.deb
Size/MD5 checksum:   720624 173cfe37545979df17cc1ac5f0d87793

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_amd64.deb
Size/MD5 checksum:   550246 cc610896227967b7fb5fda1d2d6e1d3d

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_arm.deb
Size/MD5 checksum:   561456 4d77c24b42bef05f8ac326bd3e7fd6e8

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_hppa.deb
Size/MD5 checksum:   682050 0d51f9a9102f78190870df138d717207

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_i386.deb
Size/MD5 checksum:   552622 e26d89435d4663762f10672078d2382d

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_ia64.deb
Size/MD5 checksum:   832350 4a954aa4a54c18f9323a110d1fff816c

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_mips.deb
Size/MD5 checksum:   605384 de9e5832fcc88c50ed87e09a7e8075a2

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_mipsel.deb
Size/MD5 checksum:   600302 e1dfce03325040d91af0d749820a6325

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_powerpc.deb
Size/MD5 checksum:   609498 708a10fa3924abc1cdd44689dbb54046

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_s390.deb
Size/MD5 checksum:   580896 d597f796dd108c0a4d5fe6649d5d9d36

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch3_sparc.deb
Size/MD5 checksum:   567240 5ab2f0d96d8249bada46164456067ee5


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd6

fetchmail security announcement fetchmail-SA-2009-01 (CVE-2009-2666)

2009-08-06 Thread ma+bt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

fetchmail-SA-2009-01: Improper SSL certificate subject verification

Topics: Improper SSL certificate subject verification

Author: Matthias Andree
Version:1.0
Announced:  2009-08-06
Type:   Allows undetected Man-in-the-middle attacks against SSL/TLS.
Impact: Credential disclosure to eavesdroppers.
Danger: medium
CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C)

CVE Name:   CVE-2009-2666
URL:http://www.fetchmail.info/fetchmail-SA-2009-01.txt
Project URL:http://www.fetchmail.info/

Affects:fetchmail releases up to and including 6.3.10

Not affected:   fetchmail release 6.3.11 and newer

Corrected:  2009-08-04 fetchmail SVN (rev 5389)

References: "Null Prefix Attacks Against SSL/TLS Certificates",
Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.

CVE-2009-2408, Mozilla Firefox <3.5 and NSS <3.12.3
improper handling of '\0' characters in domain names in
the Subject CN field of X.509 certificates.


0. Release history
==================

2009-08-05 0.1  first draft (visible in SVN)
2009-08-06 1.0  first release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.


2. Problem description and Impact
=================================

Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
certificates that contain embedded NUL characters in the Common Name or
subjectAltName fields of ITU-T X.509 certificates.

Applications that treat such X.509 strings as NUL-terminated C strings
(rather than as strings carrying an explicit length field) only check the
part up to, and excluding, the NUL character, so that a certificate name
such as www.good.example\0www.bad.example.com is mistaken for a certificate
name for www.good.example.  fetchmail also had this design and
implementation flaw.
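
The C program below is an added example, not fetchmail's socket.c: struct
asn1_str is a hypothetical model of an ASN.1 string with an explicit length,
and the two functions compare a Subject CN against the expected host name the
way a NUL-terminated C-string comparison does (vulnerable) and with the
length-versus-strlen() check this announcement describes (hardened). The
certificate names are constructed test vectors.

```c
/*
 * Added illustration of the NUL-prefix check; not fetchmail's code. An X.509
 * directory string carries an explicit length, so a Common Name may legally
 * contain a NUL byte. Code that copies it into a C string and then compares
 * with strcasecmp() sees only the prefix before that NUL.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of an ASN.1 string: explicit length plus raw bytes. */
struct asn1_str {
    const unsigned char *data;
    size_t len;
};

/*
 * Vulnerable comparison: copies the CN into a NUL-terminated buffer and
 * compares with strcasecmp(), so "www.good.example\0www.bad.example.com"
 * matches www.good.example. Returns 1 on (apparent) match, 0 otherwise.
 */
int cn_matches_vulnerable(const struct asn1_str *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return 0;                          /* "Subject CommonName too long" */
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcasecmp(buf, host) == 0;     /* stops at the embedded NUL */
}

/*
 * Hardened comparison: reject any CN whose explicit length disagrees with
 * strlen() of the copied buffer (the patch's "i > strlen(buf)" condition),
 * then compare over the full length. Returns 1 on match, 0 on mismatch,
 * -1 when the CN contains an embedded NUL.
 */
int cn_matches_hardened(const struct asn1_str *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return 0;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    if (strlen(buf) != cn->len)
        return -1;                         /* embedded NUL: likely spoofing */
    if (cn->len != strlen(host))
        return 0;                          /* lengths differ, cannot match */
    return strncasecmp(buf, host, cn->len) == 0;
}

/* Constructed test vectors (not taken from any real certificate). */
static const unsigned char spoofed_cn[] = "www.good.example\0www.bad.example.com";
const struct asn1_str cn_spoofed = { spoofed_cn, sizeof spoofed_cn - 1 };  /* 36 bytes, NUL inside */
static const unsigned char honest_cn[] = "www.good.example";
const struct asn1_str cn_honest = { honest_cn, sizeof honest_cn - 1 };

int main(void)
{
    printf("honest : vulnerable=%d hardened=%d\n",
           cn_matches_vulnerable(&cn_honest, "www.good.example"),
           cn_matches_hardened(&cn_honest, "www.good.example"));
    printf("spoofed: vulnerable=%d hardened=%d\n",
           cn_matches_vulnerable(&cn_spoofed, "www.good.example"),
           cn_matches_hardened(&cn_spoofed, "www.good.example"));
    return 0;
}
```

Treating the embedded NUL as a hard error rather than a mismatch is
deliberate: a CA-signed name that cannot be represented as a C string is
evidence of tampering, and the connection should be aborted rather than
retried against the next name.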

Note that fetchmail should always be forced to use strict certificate
validation through either of these option combinations:

--sslcertck --ssl --sslproto ssl3    (for service on SSL-wrapped ports)
or
--sslcertck --sslproto tls1          (for STARTTLS-based services)

(These are command-line options; in the rcfile, omit the respective
leading --.)

The default is relaxed checking for compatibility with historic versions.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.10, recompile and reinstall it.

b. Install fetchmail 6.3.11 or newer once it has become available.
   The fetchmail source code is always available from
   .


4. Workaround
=============

Obtain the server fingerprints through a separate secure channel and
configure them with the sslfingerprint option, and enable the sslcertck
option.


A. Copyright, License and Warranty
==================================

(C) Copyright 2009 by Matthias Andree, .
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines 
starting with a "-" character are prefixed by another "- " (dash + 
blank) combination. Either feed this file through GnuPG to strip them, 
or strip them manually.

Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.


Index: socket.c
===
- --- ./socket.c~
+++ ./socket.c
@@ -632,6 +632,12 @@
report(stderr, GT_("Bad certificate: Subject 
CommonName too long!\n"));
return (0);
}
+   if ((size_t)i > strlen(buf)) {
+   /* Name contains embedded NUL characters, so we 
complain. This is likely
+* a certificate spoofing attack. */
+   report(stderr, GT_("Bad certificate: Subject 
CommonName contains NUL, aborting!\n"));
+   return 0;
+   }
if (_ssl_
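
Review bot: the added `(size_t)i > strlen(buf)` test guards only the Subject CommonName, while section 2 of this announcement says the NUL problem applies to the subjectAltName field as well; if the server name is also matched against subjectAltName dNSName entries anywhere in socket.c, each of those needs the same comparison of the ASN.1 string's explicit length against strlen() of the extracted bytes, or the fix is incomplete. Two smaller points: the condition relies on `i` still holding the length returned by the preceding name-extraction call, which is outside the visible context, so a one-line comment stating that invariant would help the next reader; and the existing code in this function writes `return (0);` while the new lines write `return 0;`, so one form should be used consistently.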