Package name sash
Date April 10th, 2006
Advisory ID MDKSA-2006:070
Affected versions CS3.0, MNF2.0, 10.2, 2006.0
Synopsis Updated sash packages fix vulnerability

Problem Description

Tavis Ormandy of the Gentoo Security Project discovered a vulnerability
in zlib where a certain data stream would cause zlib to corrupt a data
structure, resulting in the linked application to dump core
(CVE-2005-2096).

Markus Oberhumber discovered additional ways that a specially-crafted
compressed stream could trigger an overflow. An attacker could create
such a stream that would cause a linked application to crash if opened
by a user (CVE-2005-1849).

Both of these issues have previously been fixed in zlib, but sash links
statically against zlib and is thus also affected by these issues. New
sash packages are available that link against the updated zlib packages.

Updated Packages

Corporate Server 3.0

 76d84869521a8231bde684d29c909f77  corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.i586.rpm
 5a52429713ca8dabda8fe0462eedbf41  corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 5fdfa411aaa588d14e3f92d877b31e0b  x86_64/corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.x86_64.rpm
 5a52429713ca8dabda8fe0462eedbf41  x86_64/corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

Multi Network Firewall 2.0

 b1d67ff8736048c8687708ff614d995b  mnf/2.0/RPMS/sash-3.6-5.1.M20mdk.i586.rpm
 df79ea5562d8e2d45f98ead903f1b4c7  mnf/2.0/SRPMS/sash-3.6-5.1.M20mdk.src.rpm

Mandriva Linux LE2005

 290e5d895235afaaa1548d4898c5cde8  10.2/RPMS/sash-3.7-3.1.102mdk.i586.rpm
 6cb36fc925f8793ef0f22a1d0adacb24  10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 4088008711f30343c6ddbd45dd4429f0  x86_64/10.2/RPMS/sash-3.7-3.1.102mdk.x86_64.rpm
 6cb36fc925f8793ef0f22a1d0adacb24  x86_64/10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

Mandriva Linux 2006

 6a8ef8036ca25661d6e1e18e826b7cf7  2006.0/RPMS/sash-3.7-3.1.20060mdk.i586.rpm
 ebfdd661247a673a536d14b57bd1494f  2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 f3ace9f835ba2bcf3358404ec3b35863  x86_64/2006.0/RPMS/sash-3.7-3.1.20060mdk.x86_64.rpm
 ebfdd661247a673a536d14b57bd1494f  x86_64/2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm
                

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.