Mandriva Security Advisory
Updated python-numpy packages fix security vulnerabilities:
f2py insecurely used a temporary file. A local attacker could use this
flaw to perform a symbolic link attack to modify an arbitrary file
accessible to the user running f2py (CVE-2014-1858, CVE-2014-1859).
Updated gnutls packages fix security vulnerabilities:
Suman Jana reported a vulnerability that affects the certificate
verification functions of gnutls 3.1.x and gnutls 3.2.x. A version
1 intermediate certificate will be considered as a CA certificate
by default (something that deviates from the documented behavior)
(CVE-2014-1959).
It was discovered that GnuTLS did not correctly handle certain errors
that could occur during the verification of an X.509 certificate,
causing it to incorrectly report a successful verification. An attacker
could use this flaw to create a specially crafted certificate that
could be accepted by GnuTLS as valid for a site chosen by the attacker
(CVE-2014-0092).
A NULL pointer dereference flaw was discovered in GnuTLS’s
gnutls_x509_dn_oid_name(). The function, when called with the
GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its
caller. However, it could previously return NULL when parsed X.509
certificates included specific OIDs (CVE-2014-3465).
A flaw was found in the way GnuTLS parsed session ids from Server
Hello packets of the TLS/SSL handshake. A malicious server could use
this flaw to send an excessively long session id value and trigger a
buffer overflow in a connecting TLS/SSL client using GnuTLS, causing
it to crash or, possibly, execute arbitrary code (CVE-2014-3466).
An out-of-bounds memory write flaw was found in the way GnuTLS
parsed certain ECC (Elliptic Curve Cryptography) certificates or
certificate signing requests (CSR). A malicious user could create a
specially crafted ECC certificate or a certificate signing request
that, when processed by an application compiled against GnuTLS (for
example, certtool), could cause that application to crash or execute
arbitrary code with the permissions of the user running the application
(CVE-2014-8564).
Multiple vulnerabilities has been discovered and corrected in openldap:
The deref_parseCtrl function in servers/slapd/overlays/deref.c in
OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a
denial of service (NULL pointer dereference and crash) via an empty
attribute list in a deref control in a search request (CVE-2015-1545).
Double free vulnerability in the get_vrFilter function in
servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to
cause a denial of service (crash) via a crafted search query with a
matched values control (CVE-2015-1546).
The updated packages provides a solution for these security issues.
Updated libvirt packages fixes security vulnerabilities:
The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions
in qemu/qemu_driver.c in libvirt do not unlock the domain when an
ACL check fails, which allow local users to cause a denial of service
via unspecified vectors (CVE-2014-8136).
The XML getters for for save images and snapshots objects don’t
check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump
security sensitive information. A remote attacker able to establish
a connection to libvirtd could use this flaw to cause leak certain
limited information from the domain xml file (CVE-2015-0236).
The updated packages provides the latest 1.1.3.9 version whish has
more robust fixes for MDVSA-2015:023 and MDVSA-2015:035.
Updated libpng12 package fixes security vulnerabilities:
The png_do_expand_palette function in libpng before 1.6.8 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a PLTE chunk of zero bytes or a NULL palette,
related to pngrtran.c and pngset.c (CVE-2013-6954).
An integer overflow leading to a heap-based buffer overflow was found
in the png_set_sPLT() and png_set_text_2() API functions of libpng. An
attacker could create a specially-crafted image file and render it
with an application written to explicitly call png_set_sPLT() or
png_set_text_2() function, could cause libpng to crash or execute
arbitrary code with the permissions of the user running such an
application (CVE-2013-7353).
An integer overflow leading to a heap-based buffer overflow was found
in the png_set_unknown_chunks() API function of libpng. An attacker
could create a specially-crafted image file and render it with an
application written to explicitly call png_set_unknown_chunks()
function, could cause libpng to crash or execute arbitrary code
with the permissions of the user running such an application
(CVE-2013-7354).
Updated e2fsprogs packages fix security vulnerabilities:
The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability
(CVE-2015-0247).
The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability. This
is due to an incomplete fix for CVE-2015-0247 (CVE-2015-1572).
Updated e2fsprogs packages fix security vulnerability:
The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability. This
is due to an incomplete fix for CVE-2015-0247 (CVE-2015-1572).
Multiple vulnerabilities has been discovered and corrected in krb5:
The krb5_gss_process_context_token function in
lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library
in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2,
and 1.13.x before 1.13.1 does not properly maintain security-context
handles, which allows remote authenticated users to cause a denial of
service (use-after-free and double free, and daemon crash) or possibly
execute arbitrary code via crafted GSSAPI traffic, as demonstrated
by traffic to kadmind (CVE-2014-5352).
MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that
a krb5_read_message data field is represented as a string ending
with a ” character, which allows remote attackers to (1) cause a
denial of service (NULL pointer dereference) via a zero-byte version
string or (2) cause a denial of service (out-of-bounds read) by
omitting the ” character, related to appl/user_user/server.c and
lib/krb5/krb/recvauth.c (CVE-2014-5355).
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c
in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2,
and 1.13.x before 1.13.1 does not properly handle partial XDR
deserialization, which allows remote authenticated users to cause
a denial of service (use-after-free and double free, and daemon
crash) or possibly execute arbitrary code via malformed XDR data,
as demonstrated by data sent to kadmind (CVE-2014-9421).
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in
kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through
1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to
bypass a kadmin/* authorization check and obtain administrative access
by leveraging access to a two-component principal with an initial
kadmind substring, as demonstrated by a ka/x principal (CVE-2014-9422).
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c
in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through
1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer
data to clients, which allows remote attackers to obtain sensitive
information from process heap memory by sniffing the network for data
in a handle field (CVE-2014-9423).
The updated packages provides a solution for these security issues.
Multiple vulnerabilities has been discovered and corrected in openssl:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementations (CVE-2015-0204).
Use-after-free vulnerability in the d2i_ECPrivateKey function in
crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
malformed Elliptic Curve (EC) private-key file that is improperly
handled during import (CVE-2015-0209).
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before
0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
1.0.2a does not properly perform boolean-type comparisons, which allows
remote attackers to cause a denial of service (invalid read operation
and application crash) via a crafted X.509 certificate to an endpoint
that uses the certificate-verification feature (CVE-2015-0286).
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a does not reinitialize CHOICE and ADB data structures,
which might allow attackers to cause a denial of service (invalid
write operation and memory corruption) by leveraging an application
that relies on ASN.1 structure reuse (CVE-2015-0287).
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a might allow attackers to cause a denial of service
(NULL pointer dereference and application crash) via an invalid
certificate key (CVE-2015-0288).
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
properly handle a lack of outer ContentInfo, which allows attackers to
cause a denial of service (NULL pointer dereference and application
crash) by leveraging an application that processes arbitrary PKCS#7
data and providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote
attackers to cause a denial of service (s2_lib.c assertion failure and
daemon exit) via a crafted CLIENT-MASTER-KEY message (CVE-2015-0293).
The updated packages have been upgraded to the 1.0.0r version where
these security flaws has been fixed.
Updated cabextract packages fix security vulnerabilities:
Libmspack, a library to provide compression and decompression of
some file formats used by Microsoft, is embedded in cabextract. A
specially crafted cab file can cause cabextract to hang forever. If
cabextract is exposed to any remotely-controlled user input, this
issue can cause a denial-of-service (CVE-2014-9556).
A directory traversal issue in cabextract allows writing to locations
outside of the current working directory, when extracting a crafted cab
file that encodes the filenames in a certain manner (CVE-2015-2060).