Actualizaciones de Seguridad

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Linux kernel before 2.6.22.17, when using certain drivers that register
a fault handler that does not perform range checks, allows local users
to access kernel memory via an out-of-range offset. (CVE-2008-0007)

The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and
2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules;
and (b) the gxsnmp package; does not properly validate length values
during decoding of ASN.1 BER data, which allows remote attackers
to cause a denial of service (crash) or execute arbitrary code via
(1) a length greater than the working buffer, which can lead to an
unspecified overflow; (2) an oid length of zero, which can lead to
an off-by-one error; or (3) an indefinite length for a primitive
encoding. (CVE-2008-1673)

Linux kernel 2.6.18, and possibly other versions, when running on
AMD64 architectures, allows local users to cause a denial of service
(crash) via certain ptrace calls. (CVE-2008-1615)

Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the
Linux kernel before 2.6.25.3 allows remote attackers to cause a
denial of service (memory consumption) via network traffic to a
Simple Internet Transition (SIT) tunnel interface, related to the
pskb_may_pull and kfree_skb functions, and management of an skb
reference count. (CVE-2008-2136)

Integer overflow in the sctp_getsockopt_local_addrs_old function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)

arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on
some AMD64 systems does not erase destination memory locations after
an exception during kernel memory copy, which allows local users to
obtain sensitive information. (CVE-2008-2729)

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Kees Cook of Ubuntu security found a flaw in how poppler prior
to version 0.6 displayed malformed fonts embedded in PDF files.
An attacker could create a malicious PDF file that would cause
applications using poppler to crash, or possibly execute arbitrary
code when opened (CVE-2008-1693).

This vulnerability also affected older versions of kpdf, so the
updated packages have been patched to correct this issue.

A flaw in Amarok prior to 1.4.10 would allow local users to overwrite
arbitrary files via a symlink attack on a temporary file that Amarok
created with a predictable name (CVE-2008-3699).

The updated packages have been patched to correct this issue.

Sebastian Krahmer of the SUSE Security Team discovered a flaw in
the way Postfix dereferenced symbolic links. If a local user had
write access to a mail spool directory without a root mailbox file,
it could be possible for them to append arbitrary data to files that
root had write permissions to (CVE-2008-2936).

The updated packages have been patched to correct this issue.

Thomas Pollet discovered an integer overflow vulnerability in the PNG
image handling filter in CUPS. This could allow a malicious user to
execute arbitrary code with the privileges of the user running CUPS,
or cause a denial of service by sending a specially crafted PNG image
to the print server (CVE-2008-1722).

The updated packages have been patched to correct this issue.

Marc Schoenefeld of the Red Hat Security Response Team discovered a
vulnerability in the hplip alert-mailing functionality that could allow
a local attacker to elevate their privileges by using specially-crafted
packets to trigger alert mails that are sent by the root account
(CVE-2008-2940).

Another vulnerability was discovered by Marc Schoenefeld in the hpssd
message parser that could allow a local attacker to stop the hpssd
process by sending specially-craftd packets, causing a denial of
service (CVE-2008-2941).

The updated packages have been patched to correct these issues.

A vulnerability was found in the OCSP search functionality in stunnel
that could allow a remote attacker to use a revoked certificate that
would be successfully authenticated by stunnel (CVE-2008-2420).
This flaw only concerns users who have enabled OCSP validation
in stunnel.

The updated packages have been patched to correct this issue.

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the
Linux kernel before 2.6.25.3 allows remote attackers to cause a
denial of service (memory consumption) via network traffic to a
Simple Internet Transition (SIT) tunnel interface, related to the
pskb_may_pull and kfree_skb functions, and management of an skb
reference count. (CVE-2008-2136)

The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and
other versions before 2.6.25.3 does not check file permissions when
certain UTIME_NOW and UTIME_OMIT combinations are used, which allows
local users to modify file times of arbitrary files, possibly leading
to a denial of service. (CVE-2008-2148)

Integer overflow in the dccp_feat_change function in net/dccp/feat.c
in the Datagram Congestion Control Protocol (DCCP) subsystem in the
Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users
to gain privileges via an invalid feature length, which leads to a
heap-based buffer overflow. (CVE-2008-2358)

The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the
Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause
a denial of service (kernel heap memory corruption and system
crash) and possibly have unspecified other impact via a crafted
PPPOL2TP packet that results in a large value for a certain length
variable. (CVE-2008-2750)

Linux kernel 2.6.18, and possibly other versions, when running on
AMD64 architectures, allows local users to cause a denial of service
(crash) via certain ptrace calls. (CVE-2008-1615)

Integer overflow in the sctp_getsockopt_local_addrs_old function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)

Race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)

The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in
Linux kernel 2.6.x before 2.6.25.1 does not properly check certain
information related to register size, which has unspecified impact
and local attack vectors, probably related to reading or writing
kernel memory. (CVE-2008-1675)

Linux kernel before 2.6.25.2 does not apply a certain protection
mechanism for fcntl functionality, which allows local users to (1)
execute code in parallel or (2) exploit a race condition to obtain
re-ordered access to the descriptor table. (CVE-2008-1669)

Additionaly, a number of fixes has been included for the rtc driver,
Arima W651DI audio chipset, unionfs, as well as Tomoyolinux has
been updated to 1.6.3, UDF 2.50 support was added, and a few things
more. Check the package changelog for more details.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

An incomplete fix for CVE-2008-2713 resulted in remote attackers being
able to cause a denial of service via a malformed Petite file that
triggered an out-of-bounds memory access (CVE-2008-3215). This issue
is corrected with the 0.93.3 release which is being provided.

The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users
to modify the permissions of arbitrary files via a symlink attack.

The updated packages have been patched to fix this.

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Corporate Server 4 have been updated to
the latest version 2.4.5.

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315). He also
reported an integer overflow in the hashlib module on Python 2.5 that
lead to unreliable cryptographic digest results (CVE-2008-2316).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Mandriva Linux 2007.1 and 2008.0 have
been updated to version 2.5.2. Due to slight packaging changes on
Mandriva Linux 2007.1, a new package is available (tkinter-apps) that
contains binary files (such as /usr/bin/idle) that were previously
in the tkinter package.

Multiple vulnerabilities have been found in Qemu.

Multiple heap-based buffer overflows in the cirrus_invalidate_region
function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and
possibly other products, might allow local users to execute arbitrary
code via unspecified vectors related to attempting to mark non-existent
regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320)

Integer signedness error in the NE2000 emulator in QEMU 0.8.2,
as used in Xen and possibly other products, allows local users to
trigger a heap-based buffer overflow via certain register values
that bypass sanity checks, aka QEMU NE2000 receive integer signedness
error. (CVE-2007-1321)

QEMU 0.8.2 allows local users to halt a virtual machine by executing
the icebp instruction. (CVE-2007-1322)

QEMU 0.8.2 allows local users to crash a virtual machine via the
divisor operand to the aam instruction, as demonstrated by aam 0x0,
which triggers a divide-by-zero error. (CVE-2007-1366)

The NE2000 emulator in QEMU 0.8.2 allows local users to execute
arbitrary code by writing Ethernet frames with a size larger than
the MTU to the EN0_TCNT register, which triggers a heap-based
buffer overflow in the slirp library, aka NE2000 mtu heap
overflow. (CVE-2007-5729)

Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly
other products, allows local users to execute arbitrary code via
crafted data in the net socket listen option, aka QEMU net socket
heap overflow. (CVE-2007-5730)

QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating
system to overwrite the TranslationBlock (code_gen_buffer) buffer,
and probably have unspecified other impacts related to an overflow,
via certain Windows executable programs, as demonstrated by
qemu-dos.com. (CVE-2007-6227)

Qemu 0.9.1 and earlier does not perform range checks for block
device read or write requests, which allows guest host users with
root privileges to access arbitrary memory and escape the virtual
machine. (CVE-2008-0928)

Changing removable media in QEMU could trigger a bug similar to
CVE-2008-2004, which would allow local guest users to read arbitrary
files on the host by modifying the header of the image to identify
a different format. (CVE-2008-1945) See the diskformat: parameter to
the -usbdevice option.

The drive_init function in QEMU 0.9.1 determines the format of
a raw disk image based on the header, which allows local guest
users to read arbitrary files on the host by modifying the header
to identify a different format, which is used when the guest is
restarted. (CVE-2008-2004) See the -format option.

The updated packages have been patched to fix these issues.

A vulnerability in rxvt allowed it to open a terminal on :0 if the
environment variable was not set, which could be used by a local user
to hijack X11 connections (CVE-2008-1142).

The updated packages have been patched to correct this issue.

This update fixes an X server crash with multiple indirect rendering
clients and software rendering.

This update of the drakx-net and initscripts packages improves
wireless strength detection and fixes connection with rt61 devices
(using the rt61pci driver). Such connections used to fail when the
wpa_supplicant daemon was used.

This update makes the network tools force a reassociation when the
rt61pci driver is used.

This drakxtools update contains file leaks and automatic disk discovery
fixes. The network driver detection used to leak file descriptors,
meaning that network applications like the wireless tool or the
network center stopped working after extended use. The automatic disk
discovery tool did not correctly mark new media as removable, and
thus they were checked at every boot, which stopped the boot process
if the media was not present. Both problems are fixed in this update.

Chris Evans of the Google Security Team found a vulnerability in the
RC4 processing code in libxslt that did not properly handle corrupted
key information. A remote attacker able to make an application
linked against libxslt process malicious XML input could cause the
application to crash or possibly execute arbitrary code with the
privileges of the application in question (CVE-2008-2935).

The updated packages have been patched to correct this issue.

A flaw was discovered in licq versions prior to 1.3.6 that allowed
a remote attacker to cause a denial of service (crash) via a large
number of connections (CVE-2008-1996).

The updated packages have been patched to correct this issue.

A vulnerability was found in the SILC toolkit before version 1.1.5
that allowed a remote attacker to cause a denial of service (crash),
or possibly execute arbitrary code via long input data (CVE-2008-1227).

A vulnerability was found in the SILC toolkit before version 1.1.7
that allowed a remote attacker to execute arbitrary code via a crafted
PKCS#2 message (CVE-2008-1552).

The updated packages have been patched to correct these issues.