Mandriva Security

BlogDRAKE feed
Mandriva security advisories
Updated: 49 min 44 sec ago

MDVSA-2008:154: Updated xemacs packages fix vulnerability

49 min 44 sec ago
A vulnerability in xemacs was found where an attacker could provide
a group of files containing local variable definitions and arbitrary
Lisp code to be executed when one of the provided files is opened by
xemacs (CVE-2008-2142).

The updated packages have been patched to correct this issue.

MDVSA-2008:153: Updated emacs packages fix vulnerability

49 min 44 sec ago
A vulnerability in emacs was found where an attacker could provide
a group of files containing local variable definitions and arbitrary
Lisp code to be executed when one of the provided files is opened by
emacs (CVE-2008-2142).

The updated packages have been patched to correct this issue.

MDVSA-2008:152: Updated wireshark packages fix denial of service vulnerability

49 min 44 sec ago
A number of vulnerabilities were discovered in Wireshark that could
cause it to crash while processing malicious packets (CVE-2008-3137,
CVE-2008-3138, CVE-2008-3139, CVE-2008-3140, CVE-2008-3141,
CVE-2008-3145).

This update provides Wireshark 1.0.2, which is not vulnerable to
these issues.

MDVSA-2008:151: Updated libxslt packages fix buffer overflow vulnerability

49 min 44 sec ago
A buffer overflow vulnerability in libxslt could be exploited via an
XSL style sheet file with a long XSLT transformation match condition,
which could possibly lead to the execution of arbitrary code
(CVE-2008-1767).

The updated packages have been patched to correct this issue.

MDVA-2008:106-1: Updated openoffice.org-voikko provides Finnish support for new OpenOffice.org

49 min 44 sec ago
openoffice.org-voikko provides Finnish spellchecker and hyphenator
component for OpenOffice.org.

The package is being updated for the new OpenOffice.org version.

Update:

Due to a build error, the previous update for i586 architecture was
built against the old OpenOffice.org. This update fixes that.

MDVSA-2008:150: Updated mysql packages fix vulnerabilities

49 min 44 sec ago
Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
remote attackers to execute arbitrary code (CVE-2008-0226) or cause
a denial of service via a special Hello packet (CVE-2008-0227).

Sergei Golubchik found that MySQL did not properly validate optional
data or index directory paths given in a CREATE TABLE statement; in
addition, it would not, under certain conditions, prevent two databases
from using the same paths for data or index files. This could allow
an authenticated user with appropriate privilege to create tables in
one database to read and manipulate data in tables later created in
other databases, regardless of GRANT privileges (CVE-2008-2079).

The updated packages have been patched to correct these issues.

MDVSA-2008:149: Updated mysql packages fix vulnerabilities

49 min 44 sec ago
Sergei Golubchik found that MySQL did not properly validate optional
data or index directory paths given in a CREATE TABLE statement; in
addition, it would not, under certain conditions, prevent two databases
from using the same paths for data or index files. This could allow
an authenticated user with appropriate privilege to create tables in
one database to read and manipulate data in tables later created in
other databases, regardless of GRANT privileges (CVE-2008-2079).

The updated packages have been patched to correct this issue.

MDVSA-2008:148: Updated Firefox packages fix vulnerabilities

49 min 44 sec ago
Security vulnerabilities have been discovered and corrected in the
latest Mozilla Firefox program, version 2.0.0.16 (CVE-2008-2785,
CVE-2008-2933).

This update provides the latest Firefox to correct these issues.

MDVA-2008:109: Updated timezone packages provide updated DST information

49 min 44 sec ago
Updated timezone packages are being provided for older Mandriva Linux
systems that do not contain the new Daylight Savings Time information
for 2008 and later for certain time zones. These updated packages
contain the new information.

MDVSA-2008:147: Updated pcre packages fix vulnerability

49 min 44 sec ago
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
An attacker could exploit this by sending a specially crafted
regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371).

The updated packages have been patched to correct this issue.

MDVSA-2008:146: Updated poppler packages fix arbitrary code execution vulnerability

4 hours 49 min ago
A memory management issue was found in libpoppler by Felipe Andres
Manzano that could allow for the execution of arbitrary code with
the privileges of the user running a poppler-based application,
if they opened a specially crafted PDF file (CVE-2008-2950).

The updated packages have been patched to correct this issue.

MDVA-2008:108: Updated x11-server packages fix offscreen pixmaps drawing issue

6 hours 49 min ago
This x11-server update disables offscreen pixmaps by default as they
were causing drawing issues with Firefox 3 and other applications.
To re-enable this option, use 'Option XaaOffscreenPixmaps on'
in xorg.conf.

MDVA-2008:107: Updated myspell-dictionaries packages fix thesaurus issues

23 July, 2008 - 00:00
The thesaurus files for some languages did not work properly
with Mandriva Linux 2008.1. The thesaurus would not bring out the
meaning and synonym for any searched word for the following languages:
American English, Spanish, French, German, Polish, Czech, Slovakian,
and Hungarian. This release updates the thesaurus files for these
languages so that they will work with the Mandriva OpenOffice.org
version 2.4.1.5.

MDVSA-2008:145: Updated bluez/bluez-utils packages fix SDP packet parsing vulnerability

22 July, 2008 - 03:00
An input validation flaw was found in the Bluetooth Session Description
Protocol (SDP) packet parser used in the Bluez bluetooth utilities.
A bluetooth device with an already-trusted relationship, or a local
user registering a service record via a UNIX socket or D-Bus interface,
could cause a crash and potentially execute arbitrary code with the
privileges of the hcid daemon (CVE-2008-2374).

The updated packages have been patched to correct this issue.

MDVSA-2008:144: Updated openldap packages fix slapd DoS vulnerability

21 July, 2008 - 21:00
A denial of service vulnerability was discovered in the way
the OpenLDAP slapd daemon processed certain network messages.
An unauthenticated remote attacker could send a specially crafted
request that would crash the slapd daemon (CVE-2008-2952).

The updated packages have been patched to correct this issue.

MDVSA-2008:138-1: Updated OpenOffice.org packages fix vulnerability

20 July, 2008 - 00:00
Integer overflow in the rtl_allocateMemory function in
sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4
allows remote attackers to execute arbitrary code via a crafted file
that triggers a heap-based buffer overflow.

The updated packages have been patched to fix the issue.

Update:

The OpenOffice.org package for Mandriva Corporate 3 missed the patch
application due to a build error. This update fixes that.

MDVA-2008:106: Updated openoffice.org-voikko provides Finnish support for new OpenOffice.org

19 July, 2008 - 20:00
openoffice.org-voikko provides Finnish spellchecker and hyphenator
component for OpenOffice.org.

The package is being updated for the new OpenOffice.org version.

MDVSA-2008:143: Updated pidgin packages fix MSN protocol handler vulnerability

18 July, 2008 - 02:00
An integer overflow flaw was found in Pidgin's MSN protocol handler
that could allow for the execution of arbitrary code if a user received
a malicious MSN message (CVE-2008-2927).

In addition, this update provides the ability to use ICQ networks
again on Mandriva Linux 2008.0, as in MDVA-2008:103 (updated pidgin
for 2008.1).

The updated packages have been patched to correct this issue.

MDVA-2008:105: Updated locales packages fix installation bug

17 July, 2008 - 02:00
A flaw in the locales packages could cause the spell checker in
OpenOffice.org and other programs to not work as intended (bug #39789).
This was a side-effect of the locales packages not updating the
_install_langs rpm macro on the system with provided locale variants
for some cases. This update also contains additional fixes for issues
that affect the stable releases of Mandriva 2008.0 and 2008.1.

MDVA-2008:104: Updated x11-driver-input-evdev packages fix bugs

16 July, 2008 - 08:00
This update corrects two issues with the evdev driver for Xorg. The first
is that button events were not generated for mice with more than
seven buttons (bug #39014); the second is that the pointer did not
cross screens using the evdev driver.

This update corrects both issues.