SuSE: Weekly Summary 2009:010
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2009:010
Date: Tue, 12 May 2009 08:00:00 +0000
Cross-References: CVE-2008-2086, CVE-2008-3104, CVE-2008-3112
CVE-2008-3113, CVE-2008-3114, CVE-2008-5339
CVE-2008-5340, CVE-2008-5342, CVE-2008-5343
CVE-2008-5344, CVE-2008-5345, CVE-2008-5346
CVE-2008-5348, CVE-2008-5350, CVE-2008-5351
CVE-2008-5353, CVE-2008-5354, CVE-2008-5356
CVE-2008-5357, CVE-2008-5359, CVE-2008-5360
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165
CVE-2009-0166, CVE-2009-0368, CVE-2009-0544
CVE-2009-0582, CVE-2009-0585, CVE-2009-0590
CVE-2009-0591, CVE-2009-0652, CVE-2009-0789
CVE-2009-0799, CVE-2009-0800, CVE-2009-0946
CVE-2009-1086, CVE-2009-1179, CVE-2009-1180
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183
CVE-2009-1295, CVE-2009-1302, CVE-2009-1303
CVE-2009-1304, CVE-2009-1305, CVE-2009-1306
CVE-2009-1307, CVE-2009-1308, CVE-2009-1309
CVE-2009-1310, CVE-2009-1311, CVE-2009-1312
Content of this advisory:
1) Solved Security Vulnerabilities:
- MozillaFirefox
- apport
- evolution
- freetype2
- java-1_4_2-ibm/IBMJava2
- kdegraphics3
- libopenssl-devel/openssl/compat-openssl097g
- libsoup
- mozilla-xulrunner190
- opensc/libopensc2
- python-crypto
- unbound
- xpdf
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list or
download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- MozillaFirefox/mozilla-xulrunner190
Firefox version upgrade to 3.0.9 to fix various security bugs.
(CVE-2009-1302,CVE-2009-1303,CVE-2009-1304,CVE-2009-1305,CVE-2009-1306,
CVE-2009-1307,CVE-2009-1308,CVE-2009-1309,CVE-2009-1310,CVE-2009-1311,
CVE-2009-1312,CVE-2009-0652)
Affected products: SLES 11, openSUSE 11.0-11.1
- apport
The apport crash watcher / handler suite contains a cron job that
cleanes the world writeable /var/crash directory unsafely, allowing
local attackers to remove random files on the system. (CVE-2009-1295)
This update fixes this.
Affected products: openSUSE 11.1
- evolution
camel's NTLM SASL authentication mechanism as used by evolution
did not properly validate server's challenge packets (CVE-2009-0582).
This update also includes the following non-security fixes:
- Fixes a critical crasher in mailer component.
- Fixes creation of recurrence monthly items in GroupWise.
- Includes fixes for some usability issues.
Affected products: Novell Linux Desktop 9, SLE 11, openSUSE 10.3-11.1
- freetype2
Freetype was updated to fix some integer overflows that can be exploited
remotely in conjunction with programs like a web-browser.
(CVE-2009-0946)
Thanks to Tavis Ormandy who found the bugs.
Affected products: SLE 10, SLE 11, openSUSE 10.3-11.1
- java-1_4_2-ibm/IBMJava2
This update brings IBM Java 1.4.2 to Service Release 13.
It fixes lots of bugs and following security issues:
CVE-2008-3104: Security vulnerabilities in the Java
Runtime Environment may allow an untrusted applet that is
loaded from a remote system to circumvent network access
restrictions and establish socket connections to certain
services running on the local host, as if it were loaded
from the system that the applet is running on. This may
allow the untrusted remote applet the ability to exploit
any security vulnerabilities existing in the services it
has connected to.
CVE-2008-3112: A vulnerability in Java Web Start may
allow an untrusted Java Web Start application downloaded
from a website to create arbitrary files with the
permissions of the user running the untrusted Java Web
Start application.
CVE-2008-3113: A vulnerability in Java Web Start may
allow an untrusted Java Web Start application downloaded
from a website to create or delete arbitrary files with
the permissions of the user running the untrusted Java
Web Start application.
CVE-2008-3114: A vulnerability in Java Web Start may
allow an untrusted Java Web Start application to
determine the location of the Java Web Start cache.
CVE-2008-5350: A security vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted applet or
application to list the contents of the home directory of
the user running the applet or application.
CVE-2008-5346: A security vulnerability in the Java Runtime
Environment (JRE) with parsing zip files may allow an
untrusted applet or application to read arbitrary memory
locations in the process that the applet or application is
running in.
CVE-2008-5343: A vulnerability in Java Web Start and Java
Plug-in may allow hidden code on a host to make network
connections to that host and to hijack HTTP sessions using
cookies stored in the browser.
CVE-2008-5344: A vulnerability in the Java Runtime
Environment (JRE) with applet classloading may allow an
untrusted applet to read arbitrary files on a system that
the applet runs on and make network connections to hosts
other than the host it was loaded from.
CVE-2008-5359: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) image processing code may allow
an untrusted applet or application to escalate privileges.
For example, an untrusted applet may grant itself
permissions to read and write local files or execute local
applications that are accessible to the user running the
untrusted applet.
CVE-2008-5339: A vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted Java Web Start
application to make network connections to hosts other than
the host that the application is downloaded from.
CVE-2008-5340: A vulnerability in the Java Runtime
Environment with launching Java Web Start applications may
allow an untrusted Java Web Start application to escalate
privileges. For example, an untrusted application may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted application.
CVE-2008-5348: A security vulnerability in the Java Runtime
Environment (JRE) with authenticating users through
Kerberos may lead to a Denial of Service (DoS) to the
system as a whole, due to excessive consumption of
operating system resources.
CVE-2008-2086: A vulnerability in Java Web Start may allow
certain trusted operations to be performed, such as
modifying system properties.
CVE-2008-5345: The Java Runtime Environment (JRE) allows
code loaded from the local filesystem to access localhost.
This may allow code that is maliciously placed on the local
filesystem and then subsequently run, to have network
access to localhost that would not otherwise be allowed if
the code were loaded from a remote host. This may be
leveraged to steal cookies and hijack sessions (for domains
that map a name to the localhost).
CVE-2008-5351: The UTF-8 (Unicode Transformation Format-8)
decoder in the Java Runtime Environment (JRE) accepts
encodings that are longer than the "shortest" form. This
behavior is not a vulnerability in Java SE. However, it may
be leveraged to exploit systems running software that
relies on the JRE UTF-8 decoder to reject non-shortest form
sequences. For example, non-shortest form sequences may be
decoded into illegal URIs, which may then allow files that
are not otherwise accessible to be read, if the URIs are
not checked following UTF-8 decoding.
CVE-2008-5360: The Java Runtime Environment creates
temporary files with insufficiently random names. This may
be leveraged to write JAR files which may then be loaded as
untrusted applets and Java Web Start applications to access
and provide services from localhost and hence steal cookies.
CVE-2008-5353: A security vulnerability in the Java Runtime
Environment (JRE) related to deserializing calendar objects
may allow an untrusted applet or application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5356: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5354: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) may allow an untrusted Java
application that is launched through the command line to
escalate privileges. For example, the untrusted Java
application may grant itself permissions to read and write
local files or execute local applications that are
accessible to the user running the untrusted Java
application.
This vulnerability cannot be exploited by an applet or
Java Web Start application.
CVE-2008-5357: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5342: A security vulnerability in the the Java Web
Start BasicService allows untrusted applications that are
downloaded from another system to request local files to be
displayed by the browser of the user running the untrusted
application.
Affected products: SUSE CORE 9, SLE 10
- kdegraphics3
This update fixes security problems while decoding JBIG2.
(CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166,
CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180,
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183)
Affected products: openSUSE 10.3-11.1
- libopenssl-devel/openssl/compat-openssl097g
This update of openssl fixes the following problems:
- CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial
of service
- CVE-2009-0591: CMS_verify() function allows signatures to look valid
- CVE-2009-0789: denial of service due to malformed ASN.1 structures
Affected products: SLES 9, SLE 10, SLE 11, openSUSE 10.3-11.1
- libsoup
Large strings could lead to a heap overflow in the base64 encoding and
decoding functions. Attackers could potentially exploit that to execute
arbitrary code (CVE-2009-0585).
Affected products: Novell Linux Desktop 9, POS 9, OES, SLES 9, SLE 10
- opensc/libopensc2
Private data objects on smartcards initialized with OpenSC could be
accessed without authentication (CVE-2009-0368).
Only blank cards initialized with OpenSC are affected by this
problem. Affected cards need to be manually fixed, updating the
opensc package alone is not sufficient!
Please carefully read and follow the instructions on the following
web site if you are using PIN protected private data objects on
smart cards other than Oberthur, and you have initialized those
cards using OpenSC:
Affected products: SLE 10, SLE 11, openSUSE 10.3-11.1
- python-crypto
Missing checks for the key length in the ARC2 module potentially allowed
attackers to crash applications using python-crypto or potentially even
cause execute arbitrary code (CVE-2009-0544).
Affected products: SLE 11, openSUSE 10.3-11.1
- unbound
This update fixes a heap-based buffer overflow in the
ldns_rr_new_frm_str_internal()
function. This allowed remote attackers to cause a denial of
service and possibly execute arbitrary code via a
DNS resource record (RR) with a long class field and possibly TTL field.
(CVE-2009-1086)
Affected products: openSUSE 11.1
- xpdf
Specially crafted PDF files could lead to crashes, make the viewer
run into an infinite loop or potentially even allow execution of
arbitrary code.
(CVE-2009-0165, CVE-2009-0146, CVE-2009-0147, CVE-2009-0166,
CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180,
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183)
Affected products: SLES SDK 9
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
none
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
References
