Syndicated content
Mandriva security advisories
Updated: 2 minutes 31 seconds ago

MDVSA-2008:238: libsamplerate

2 minutes 31 seconds ago
A buffer overflow was found by Russell O'Connor in the libsamplerate
library versions prior to 0.1.4 that could possibly lead to the
execution of arbitrary code via a specially crafted audio file
(CVE-2008-5008).

The updated packages have been patched to prevent this issue.

MDVSA-2008:237: apache2

2 minutes 31 seconds ago
A vulnerability was discovered in the mod_proxy module in Apache where
it did not limit the number of forwarded interim responses, allowing
remote HTTP servers to cause a denial of service (memory consumption)
via a large number of interim responses (CVE-2008-2364).

This update also provides HTTP/1.1 compliance fixes.

The updated packages have been patched to prevent this issue.

MDVA-2008:188: kdewebdev4

2 minutes 31 seconds ago
The kdewebdev4 package shipped in Mandriva Linux 2009.0 contained
several packaging bugs. One is that kfilereplace and kxsldbg had
file conflicts on icons, and the other was that no meta package
called 'kdewebdev4' was provided. The latter issue would cause
kdewebdev4-devel to be installed when asking to install kdewebdev4.

The updated packages fix these packaging bugs.

MDVSA-2008:236: vim

2 minutes 31 seconds ago
Several vulnerabilities were found in the vim editor:

A number of input sanitization flaws were found in various vim
system functions. If a user were to open a specially crafted file,
it would be possible to execute arbitrary code as the user running vim
(CVE-2008-2712).

Ulf Härnhammar of Secunia Research found a format string flaw in
vim's help tags processor. If a user were tricked into executing the
helptags command on malicious data, it could result in the execution
of arbitrary code as the user running vim (CVE-2008-2953).

A flaw was found in how tar.vim handled TAR archive browsing. If a
user were to open a special TAR archive using the plugin, it could
result in the execution of arbitrary code as the user running vim
(CVE-2008-3074).

A flaw was found in how zip.vim handled ZIP archive browsing. If a
user were to open a special ZIP archive using the plugin, it could
result in the execution of arbitrary code as the user running vim
(CVE-2008-3075).

A number of security flaws were found in netrw.vim, the vim plugin
that provides the ability to read and write files over the network.
If a user opened a specially crafted file or directory with the netrw
plugin, it could result in the execution of arbitrary code as the
user running vim (CVE-2008-3076).

A number of input validation flaws were found in vim's keyword and
tag handling. If vim looked up a document's maliciously crafted
tag or keyword, it was possible to execute arbitrary code as the user
running vim (CVE-2008-4101).

A vulnerability was found in certain versions of netrw.vim where it
would send FTP credentials stored for an FTP session to subsequent
FTP sessions to servers on different hosts, exposing FTP credentials
to remote hosts (CVE-2008-4677).

This update provides vim 7.2 (patchlevel 65) which corrects all of
these issues and introduces a number of new features and bug fixes.

MDVA-2008:187: evolution

2 minutes 32 seconds ago
Several feature bugfixes and stability fixes from GNOME 2.22.3 are
provided by this package update, as well as translation updates.

MDVA-2008:186-1: evolution

2 minutes 32 seconds ago
Outgoing mails sent through the Evolution Exchange plugin were not
always sent properly. Spell checking was not working properly when
two different languages were enabled, causing all words to be detected
as mistyped. Those bugs are fixed by this package update, as well
as massive performance improvements in IMAP handling, additional
translations and many bug fixes from GNOME 2.24.2.

Update:

The previous update provided Evolution built against the wrong version
of the libcamel library, which would cause Evolution to segfault
on startup. This update corrects the problem.

MDVA-2008:186: evolution

2 minutes 32 seconds ago
Outgoing mails sent through the Evolution Exchange plugin were not
always sent properly. Spell checking was not working properly when
two different languages were enabled, causing all words to be detected
as mistyped. Those bugs are fixed by this package update, as well
as massive performance improvements in IMAP handling, additional
translations and many bug fixes from GNOME 2.24.2.

MDVA-2008:185: kde4

2 minutes 32 seconds ago
Mandriva Linux 2009.0 shipped with KDE 4.1.2. This update provides
the full KDE 4.1.3 for Mandriva Linux 2009.0 which brings with it
numerous enhancements and bugfixes.

Please note: the package list looks empty in this advisory due to
the fact this update provides over 900 packages. The web advisory
lists all packages with their md5sums.

MDVA-2008:184: kdevelop

2 minutes 32 seconds ago
KDevelop as shipped in Mandriva Linux 2009.0 contains a build time
bug, which led to subversion support not being correctly compiled.
As a result, it was not possible to use subversion as the version
control system for projects in KDevelop. The updated package fixes
this problem.

MDVA-2008:183: live

2 minutes 32 seconds ago
Live, as shipped with Mandriva Linux 2009.0, was missing the main
executable: live555MediaServer. This update provides the program.

MDVA-2008:182: evince

Thu, 12/04/2008 - 22:30
Evince would sometimes crash when searching in a PDF document.
This update fixes the bug.

MDVA-2008:181: gstreamer0.10-plugins-ugly

Thu, 12/04/2008 - 19:00
A bug in the ASF demuxer in gstreamer0.10-plugins-ugly prevented
video players like Totem from seeking in WMV files, causing an error
message 'Internal data stream error'. This updated package contains
a patch fixing this problem.

MDVA-2008:180: cracklib

Thu, 12/04/2008 - 18:00
The cracklib library package was incorrectly providing the development
package, which was preventing the compilation of anything relying on
cracklib-devel. This update fixes the incorrect Provides. It also
corrects an issue where, if /usr is a separate partition that fails to
mount at start, logging in is impossible because the pam_cracklib
module is linked to /usr/lib/libcrack.so.2.

MDVA-2008:179: graphviz

Thu, 12/04/2008 - 02:10
The graphviz package shipped in Mandriva Linux 2008.1 has a bug in
its builtin ps renderer: included images are displayed as a blank area.
An upstream patch fixes the issue.

MDVSA-2008:234: kernel

Wed, 12/03/2008 - 17:30
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Buffer overflow in the hfsplus_find_cat function in
fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or
system crash) via an hfsplus filesystem image with an invalid
catalog namelength field, related to the hfsplus_cat_build_key_uni
function. (CVE-2008-4933)

The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the
Linux kernel before 2.6.28-rc1 does not check a certain return value
from the read_mapping_page function before calling kmap, which allows
attackers to cause a denial of service (system crash) via a crafted
hfsplus filesystem image. (CVE-2008-4934)

The __scm_destroy function in net/core/scm.c in the Linux kernel
2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to
itself through calls to the fput function, which allows local users
to cause a denial of service (panic) via vectors related to sending
an SCM_RIGHTS message through a UNIX domain socket and closing file
descriptors. (CVE-2008-5029)

Additionally, support for a Broadcom bluetooth dongle was added to the btusb
driver, an eeepc shutdown hang caused by snd-hda-intel was fixed,
a Realtek auto-mute bug was fixed, the pcspkr driver was reenabled,
an acpi brightness setting issue on some laptops was fixed, sata_nv
(NVidia) driver bugs were fixed, horizontal mousewheel scrolling
with Logitech V150 mouse was fixed, and more. Check the changelog
and related bugs for more details.

This kernel also fixes the driver for Intel G45/GM45 video chipsets,
in a way requiring also an updated Xorg driver, which is also being
provided in this update.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

MDVSA-2008:235: mozilla-thunderbird

Tue, 12/02/2008 - 19:00
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Thunderbird program, version 2.0.0.18
(CVE-2008-5012, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017,
CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024,
CVE-2008-5052).

This update provides the latest Thunderbird to correct these issues.

MDVSA-2008:233: libcdaudio

Mon, 12/01/2008 - 19:40
A heap overflow was found in the CDDB retrieval code of libcdaudio,
which could result in the execution of arbitrary code (CVE-2008-5030).

In addition, the fixes for CVE-2005-0706 were not applied to newer
libcdaudio packages as shipped with Mandriva Linux, so the patch to fix
that issue has been applied to 2008.1 and 2009.0 (this was originally
fixed in MDKSA-2005:075). This issue is a buffer overflow flaw found
by Joseph VanAndel. Corporate 3.0 has this fix already applied.

The updated packages have been patched to prevent these issues.

MDVA-2008:177: lirc

Sat, 11/29/2008 - 01:00
The LIRC packages included with Mandriva Linux 2008 and Mandriva Linux
2008 Spring did not include the 'commandir' module, which is necessary
(along with the 'lirc_cmdir' module) to properly support CommandIR
remote controls.

These updated packages do include the module.

MDVSA-2008:232: dovecot

Wed, 11/26/2008 - 02:20
The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.4 allowed attackers to
bypass intended access restrictions by using the 'k' right to create
unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevents the use of
dovecot's 'deliver' command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message 'Time just moved backwards
by X seconds. This might cause a lot of problems, so I'll just kill
myself now.' The update resolves both these problems. The default
permissions on dovecot.conf now allow the 'deliver' command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
'deliver' command still does not work following the update, please
run these commands as root:

# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf

Dovecot's initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.

This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.

MDVSA-2008:220-1: kernel

Wed, 11/26/2008 - 01:10
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The snd_seq_oss_synth_make_info function in
sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux
kernel before 2.6.27-rc2 does not verify that the device number is
within the range defined by max_synthdev before returning certain
data to the caller, which allows local users to obtain sensitive
information. (CVE-2008-3272)

Unspecified vulnerability in the 32-bit and 64-bit emulation in the
Linux kernel 2.6.9, 2.6.18, and probably other versions allows local
users to read uninitialized memory via unknown vectors involving a
crafted binary. (CVE-2008-0598)

The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c
in the vfs implementation in the Linux kernel before 2.6.25.15 do
not prevent creation of a child dentry for a deleted (aka S_DEAD)
directory, which allows local users to cause a denial of service
(overflow of the UBIFS orphan area) via a series of attempted file
creations within deleted directories. (CVE-2008-3275)

Integer overflow in the sctp_setsockopt_auth_key function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows
remote attackers to cause a denial of service (panic) or possibly have
unspecified other impact via a crafted sca_keylength field associated
with the SCTP_AUTH_KEY option. (CVE-2008-3525)

fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23
does not properly zero out the dio struct, which allows local users
to cause a denial of service (OOPS), as demonstrated by a certain
fio test. (CVE-2007-6716)

fs/open.c in the Linux kernel before 2.6.22 does not properly strip
setuid and setgid bits when there is a write to a file, which allows
local users to gain the privileges of a different group, and obtain
sensitive information or possibly have unspecified other impact,
by creating an executable file in a setgid directory through the (1)
truncate or (2) ftruncate function in conjunction with memory-mapped
I/O. (CVE-2008-4210)

Additionally, support for Intel's ICH9 controller was added, and the 'tg3'
driver was updated to version 3.71b.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Update:

Support for Intel's ICH9 controller and the updated 'tg3' driver were
actually missing in the previous update; this new update adds them.