Mandriva

Will Drewry of the Google Security Team reported several
vulnerabilities in how libvorbis processed audio data. An attacker
could create a carefuly crafted OGG audio file in such a way that it
would cause an application linked to libvorbis to crash or possibly
execute arbitray code when opened (CVE-2008-1419, CVE-2008-1420,
CVE-2008-1423).

The updated packages have been patched to correct these issues.

Several vulnerabilities were discovered in rdesktop, a Remote Desktop
Protocol client.

An integer underflow vulnerability allowed attackers to cause a
denial of service (crash) and possibly execute arbitrary code with
the privileges of the logged-in user (CVE-2008-1801).

A buffer overflow vulnerability allowed attackers to execute arbitrary
code with the privileges of the logged-in user (CVE-2008-1802).

An integer signedness vulnerability allowed attackers to
execute arbitrary code with the privileges of the logged-in user
(CVE-2008-1803).

In order for these vulnerabilities to be exploited, an attacker must
persuade a targeted user to connect to a malicious RDP server.

The updated packages have been patched to correct these issues.

The iproute2 package released with mandriva 2008.1 had a problem
which prevented its usage with kernels of versions 2.6.21 and older,
notably the Xen kernel (2.6.18).

This update fixes the issue.

This update fixes a few issues in draksnapshot. It prevents the applet
from crashing if DBUS is not accessible (bug #40031). The applet will
also now ignore the root disc, if it's USB.

The configurator will now prevent to recursively backup the backup
directory (bug #39801).

Last but not least, it will default to /media instead of /home when
offering a backup point. (bug #39802)

This update fixes several minor issues in rpmdrake:

- it prevents crashing if the RPM database is locked when trying to
install some packages (bug #40244)
- it fixes a crash when the default view is unknown (bug #39626)
- it enables searching also with the numeric pad's Enter key (bug
#40659)
- it makes rpmdrake not list backports as (unselected) updates,
like MandrivaUpdate does

It also makes MandrivaUpdate fit in laptops screen (eg when resolution
only has 480 horizontal lines)

A double free vulnerability in Perl 5.8.8 and earlier versions,
allows context-dependent attackers to cause a denial of service
(memory corruption and crash) via a crafted regular expression
containing UTF8 characters.

The updated packages have been patched to prevent this.

This update fixes several minor issues:

- some GUIes (eg: rpmdrake) would crash on clicking on the close
button while they load (bug #35230)

- draksec was crashing if the administrator refused to install
(bug #38911)

- localdrake: After changing the localization language from drakconf
in a high security level, the permissions of /etc/sysconfig/i18n were
changed such that the file was only readable by root. This caused
graphical login via kdm to fail (bug #39027)

This update fixes a minor issue in rpmdrake; it prevents crashing
if the RPM database is locked when trying to install some packages
(bug #40244).

An updated hal-info package fixes resume from suspend to RAM on
HP 6710b systems. It had previously failed with a black screen on
Mandriva Linux 2008.0.

A heap-based buffer overflow vulnerability was found in how ImageMagick
parsed XCF files. If ImageMagick opened a specially-crafted XCF
file, it could be made to overwrite heap memory beyond the bounds
of its allocated memory, potentially allowing an attacker to execute
arbitrary code on the system running ImageMagick (CVE-2008-1096).

Another heap-based buffer overflow vulnerability was found in how
ImageMagick processed certain malformed PCX images. If ImageMagick
opened a specially-crafted PCX image file, an attacker could
possibly execute arbitrary code on the system running ImageMagick
(CVE-2008-1097).

The updated packages have been patched to correct these issues.

An updated XFdrake is available that corrects a number of bugs:

- never write a ModeLine when using the fglrx driver (bug #30934)

- if the EDID gives a valid EISA_ID, a valid 16/10 preferred
resolution, but no HorizSync/VertRefresh, use a generic flat panel
HorizSync/VertRefresh (needed for edid.lcd.Elonex-PR600)

- add 800x480 (used on belinea s.book)

- add 1024x600 (used on Samsung Q1Ultra) (bug #37889)

- if the EDID gives a valid 16/10 preferred resolution (even if
duplicated), but no HorizSync/VertRefresh, use a generic flat panel
HorizSync/VertRefresh (needed for edid.lcd.dell-inspiron-6400,
bug #37971)

A vulnerability in OpenSSH 4.4 through 4.8 allowed local attackers
to bypass intended security restrictions enabling them to execute
commands other than those specified by the ForceCommand directive,
provided they are able to modify to ~/.ssh/rc (CVE-2008-1657).

The updated packages have been patched to correct this issue.

A vulnerability was found in start_kdeinit in KDE 3.5.5 through
3.5.9 where, if it was installed setuid root, it could allow local
users to cause a denial of service or possibly execute arbitrary code
(CVE-2008-1671).

By default, start_kdeinit is not installed setuid root on Mandriva
Linux, however updated packages have been patched to correct this
issue.

Steve Grubb found that the vcdiff script in Emacs create temporary
files insecurely when used with SCCS. A local user could exploit a
race condition to create or overwrite files with the privileges of
the user invoking the program (CVE-2008-1694).

The updated packages have been patched to correct this issue.

This update enhances ndiswrapper drivers support (resolving bugs
#28335, #34660, #37026, #37106), and madwifi driver support (resolving
bugs #33044, #33531). It also fixes the configuration of cellular cards
(bug ##36801). Also, some crashes have been fixed in the net_monitor
tool (bugs #36537, #37635).

A vulnerability in HSQLDB before 1.8.0.9 in OpenOffice.org could
allow user-assisted remote attackers to execute arbitrary Java code
via crafted database documents (CVE-2007-4575).

A heap overflow was discovered in OpenOffice.org's EMF parser.
An attacker could create a carefully crafted EMF file that could
cause OpenOffice.org to crash or potentially execute arbitrary code
if the malicious EMF image was added to a document or if a document
containing such an EMF file was opened (CVE-2007-5746).

Multiple heap overflows and an integer underflow were discovered in the
Quattro Pro(R) import filter. An attacker could create a carefully
crafted Quattro Pro file that could cause OpenOffice.org ro crash or
potentially execute arbitraty code (CVE-2007-5745, CVE-2007-5747).

A heap overflow was discovered in the OLE Structured Storage file
parser, a format used by Microsoft Office documents. An attacker could
create a carefully crafted OLE file that could cause OpenOffice.org
to crash or potentially execute arbitrary code (CVE-2008-0320).

The updated packages have been patched to correct these issues.

Some commercial Windows programs did not run under previous builds of
Wine, producing an error message notifying the user that a debugger
has been detected. This update corrects the issue.

Amazon.com has removed support for the cover image fetching API used
in rhythmbox. This updates to the new API to make cover image support
work again.

Mandriva Linux 2008.1 introduced an improved Finnish default keyboard
layout called Kotoistus. This layout adds altgr-space as a key
combination for non-breaking space. However, that key combination can
be easily hit accidentally when a normal space was intended instead,
especially after typing the pipe character. This update removes the
new key combination. Non-breaking space can still be typed via the
traditional combination altgr-shift-space.

The freeradius package included in Mandriva Linux 2008.1 had hardcoded
the use of the '-y' option in its initscript, which is no longer
a valid option in the new major version of 2.0. As a result, the
initscript was unable to launch the service correctly. As well,
a file name error in the EAP module configuration triggered an error
at launch.

Both issues are corrected with this update package.