Mandriva

Andreas Solberg found a denial of service flaw in how libxml2 processed
certain content. If an application linked against libxml2 processed
such malformed XML content, it could cause the application to stop
responding (CVE-2008-3281).

Update:

The original fix used to correct this issue caused some applications
that used the libxml2 library to crash. These new updated packages
use a different fix that does not cause certain linked applications
to crash as the old packages did.

Andreas Solberg found a denial of service flaw in how libxml2 processed
certain content. If an application linked against libxml2 processed
such malformed XML content, it could cause the application to stop
responding (CVE-2008-3281).

The updated packages have been patched to prevent this issue.

An input validation flaw was found in X.org's MIT-SHM extension.
A client connected to the X.org server could read arbitrary server
memory, resulting in the disclosure of sensitive data of other users
of the X.org server (CVE-2008-1379).

Multiple integer overflows were found in X.org's Render extension.
A malicious authorized client could explot these issues to cause a
denial of service (crash) or possibly execute arbitrary code with
root privileges on the X.org server (CVE-2008-2360, CVE-2008-2361,
CVE-2008-2362).

The Metisse program is likewise affected by these issues; the updated
packages have been patched to prevent them.

Alin Rad Pop found an array index vulnerability in the SDP parser
of xine-lib. If a user or automated system were tricked into opening
a malicious RTSP stream, a remote attacker could possibly execute
arbitrary code with the privileges of the user using the program
(CVE-2008-0073).

The ASF demuxer in xine-lib did not properly check the length of
ASF headers. If a user was tricked into opening a crafted ASF file,
a remote attacker could possibly cause a denial of service or execute
arbitrary code with the privileges of the user using the program
(CVE-2008-1110).

The Matroska demuxer in xine-lib did not properly verify frame sizes,
which could possibly lead to the execution of arbitrary code if a
user opened a crafted ASF file (CVE-2008-1161).

Luigi Auriemma found multiple integer overflows in xine-lib. If a
user was tricked into opening a crafted FLV, MOV, RM, MVE, MKV, or
CAK file, a remote attacker could possibly execute arbitrary code
with the privileges of the user using the program (CVE-2008-1482).

Guido Landi found A stack-based buffer overflow in xine-lib
that could allow a remote attacker to cause a denial of service
(crash) and potentially execute arbitrary code via a long NSF title
(CVE-2008-1878).

The updated packages have been patched to correct this issue.

Guido Landi found A stack-based buffer overflow in xine-lib
that could allow a remote attacker to cause a denial of service
(crash) and potentially execute arbitrary code via a long NSF title
(CVE-2008-1878).

The updated packages have been patched to correct this issue.

A stack-based buffer overflow was found in mtr prior to version 0.73
that allowed remote attackers to execute arbitrary code via a crafted
DNS PTR record, when called with the --split option (CVE-2008-2357).

The updated packages provide mtr 0.73 which corrects this issue.

A format string vulnerability was discovered in yelp after version
2.19.90 and before 2.24 that could allow remote attackers to execute
arbitrary code via format string specifiers in an invalid URI on the
command-line or via URI helpers in Firefox, Evolution, or possibly
other programs (CVE-2008-3533).

The updated packages have been patched to correct this issue.

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Linux kernel before 2.6.22.17, when using certain drivers that register
a fault handler that does not perform range checks, allows local users
to access kernel memory via an out-of-range offset. (CVE-2008-0007)

The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and
2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules;
and (b) the gxsnmp package; does not properly validate length values
during decoding of ASN.1 BER data, which allows remote attackers
to cause a denial of service (crash) or execute arbitrary code via
(1) a length greater than the working buffer, which can lead to an
unspecified overflow; (2) an oid length of zero, which can lead to
an off-by-one error; or (3) an indefinite length for a primitive
encoding. (CVE-2008-1673)

Linux kernel 2.6.18, and possibly other versions, when running on
AMD64 architectures, allows local users to cause a denial of service
(crash) via certain ptrace calls. (CVE-2008-1615)

Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the
Linux kernel before 2.6.25.3 allows remote attackers to cause a
denial of service (memory consumption) via network traffic to a
Simple Internet Transition (SIT) tunnel interface, related to the
pskb_may_pull and kfree_skb functions, and management of an skb
reference count. (CVE-2008-2136)

Integer overflow in the sctp_getsockopt_local_addrs_old function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)

arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on
some AMD64 systems does not erase destination memory locations after
an exception during kernel memory copy, which allows local users to
obtain sensitive information. (CVE-2008-2729)

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Kees Cook of Ubuntu security found a flaw in how poppler prior
to version 0.6 displayed malformed fonts embedded in PDF files.
An attacker could create a malicious PDF file that would cause
applications using poppler to crash, or possibly execute arbitrary
code when opened (CVE-2008-1693).

This vulnerability also affected older versions of kpdf, so the
updated packages have been patched to correct this issue.

A flaw in Amarok prior to 1.4.10 would allow local users to overwrite
arbitrary files via a symlink attack on a temporary file that Amarok
created with a predictable name (CVE-2008-3699).

The updated packages have been patched to correct this issue.

The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users
to modify the permissions of arbitrary files via a symlink attack.

The updated packages have been patched to fix this.

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Corporate Server 4 have been updated to
the latest version 2.4.5.

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315). He also
reported an integer overflow in the hashlib module on Python 2.5 that
lead to unreliable cryptographic digest results (CVE-2008-2316).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Mandriva Linux 2007.1 and 2008.0 have
been updated to version 2.5.2. Due to slight packaging changes on
Mandriva Linux 2007.1, a new package is available (tkinter-apps) that
contains binary files (such as /usr/bin/idle) that were previously
in the tkinter package.

Multiple vulnerabilities have been found in Qemu.

Multiple heap-based buffer overflows in the cirrus_invalidate_region
function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and
possibly other products, might allow local users to execute arbitrary
code via unspecified vectors related to attempting to mark non-existent
regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320)

Integer signedness error in the NE2000 emulator in QEMU 0.8.2,
as used in Xen and possibly other products, allows local users to
trigger a heap-based buffer overflow via certain register values
that bypass sanity checks, aka QEMU NE2000 receive integer signedness
error. (CVE-2007-1321)

QEMU 0.8.2 allows local users to halt a virtual machine by executing
the icebp instruction. (CVE-2007-1322)

QEMU 0.8.2 allows local users to crash a virtual machine via the
divisor operand to the aam instruction, as demonstrated by aam 0x0,
which triggers a divide-by-zero error. (CVE-2007-1366)

The NE2000 emulator in QEMU 0.8.2 allows local users to execute
arbitrary code by writing Ethernet frames with a size larger than
the MTU to the EN0_TCNT register, which triggers a heap-based
buffer overflow in the slirp library, aka NE2000 mtu heap
overflow. (CVE-2007-5729)

Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly
other products, allows local users to execute arbitrary code via
crafted data in the net socket listen option, aka QEMU net socket
heap overflow. (CVE-2007-5730)

QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating
system to overwrite the TranslationBlock (code_gen_buffer) buffer,
and probably have unspecified other impacts related to an overflow,
via certain Windows executable programs, as demonstrated by
qemu-dos.com. (CVE-2007-6227)

Qemu 0.9.1 and earlier does not perform range checks for block
device read or write requests, which allows guest host users with
root privileges to access arbitrary memory and escape the virtual
machine. (CVE-2008-0928)

Changing removable media in QEMU could trigger a bug similar to
CVE-2008-2004, which would allow local guest users to read arbitrary
files on the host by modifying the header of the image to identify
a different format. (CVE-2008-1945) See the diskformat: parameter to
the -usbdevice option.

The drive_init function in QEMU 0.9.1 determines the format of
a raw disk image based on the header, which allows local guest
users to read arbitrary files on the host by modifying the header
to identify a different format, which is used when the guest is
restarted. (CVE-2008-2004) See the -format option.

The updated packages have been patched to fix these issues.

A vulnerability in rxvt allowed it to open a terminal on :0 if the
environment variable was not set, which could be used by a local user
to hijack X11 connections (CVE-2008-1142).

The updated packages have been patched to correct this issue.

This update fixes an X server crash with multiple indirect rendering
clients and software rendering.

This update of the drakx-net and initscripts packages improves
wireless strength detection and fixes connection with rt61 devices
(using the rt61pci driver). Such connections used to fail when the
wpa_supplicant daemon was used.

This update makes the network tools force a reassociation when the
rt61pci driver is used.

This drakxtools update contains file leaks and automatic disk discovery
fixes. The network driver detection used to leak file descriptors,
meaning that network applications like the wireless tool or the
network center stopped working after extended use. The automatic disk
discovery tool did not correctly mark new media as removable, and
thus they were checked at every boot, which stopped the boot process
if the media was not present. Both problems are fixed in this update.

Chris Evans of the Google Security Team found a vulnerability in the
RC4 processing code in libxslt that did not properly handle corrupted
key information. A remote attacker able to make an application
linked against libxslt process malicious XML input could cause the
application to crash or possibly execute arbitrary code with the
privileges of the application in question (CVE-2008-2935).

The updated packages have been patched to correct this issue.

A flaw was discovered in licq versions prior to 1.3.6 that allowed
a remote attacker to cause a denial of service (crash) via a large
number of connections (CVE-2008-1996).

The updated packages have been patched to correct this issue.