Mandriva security advisories

MDVSA-2008:188: tomcat5

A number of vulnerabilities have been discovered in the Apache
Tomcat server:

The default catalina.policy shipped with the JULI logging component did
not restrict certain permissions for web applications, so a deployed
web application (or an attacker able to deploy one) could modify logging
configuration options and overwrite arbitrary files writable by the
Tomcat process (CVE-2007-5342).

A cross-site scripting vulnerability was found in the
HttpServletResponse.sendError() method which could allow a remote
attacker to inject arbitrary web script or HTML via forged HTTP headers
(CVE-2008-1232).

A cross-site scripting vulnerability was found in the host manager
application that could allow a remote attacker to inject arbitrary
web script or HTML via the hostname parameter (CVE-2008-1947).

A traversal vulnerability was found when a RequestDispatcher was used
in combination with a servlet or JSP; a remote attacker could use a
specially crafted request parameter to access protected web resources
such as the contents of WEB-INF (CVE-2008-2370).

A traversal vulnerability was found when the 'allowLinking' and
'URIEncoding' (set to UTF-8) settings were both enabled, which could
allow a remote attacker to use a UTF-8-encoded request containing
directory traversal sequences to read local files accessible to the
Tomcat process (CVE-2008-2938).

The updated packages have been patched to correct these issues.
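
The UTF-8 traversal above depends on the order in which a server normalises
a URI: traversal sequences are stripped while the path is still raw bytes,
and only afterwards are the bytes turned into characters by a decoder that
accepts overlong encodings. The following Python model is an added example,
not Tomcat's code; it assumes a docroot of /srv/www/examples and a
constructed request in which each dot is sent as the overlong two-byte form
%c0%ae, and it shows the vulnerable sequence beside a strict-decode,
canonicalise-then-check resolver.

```python
"""Overlong-UTF-8 traversal (the CVE-2008-2938 pattern) and a fixed resolver.

Constructed example. It reuses none of Tomcat's code, only the order of
operations the bug depended on: normalise the byte form of the URI first,
then convert bytes to characters with a decoder that tolerates overlong
sequences.
"""
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/srv/www/examples"   # assumed document root for the illustration


def normalize_bytes(path: bytes) -> bytes:
    """Collapse '.' and '..' segments at the byte level, as a URI normaliser
    that runs before character decoding would.  b'\\xc0\\xae' is not b'.',
    so an overlong-encoded dot survives this step untouched."""
    out = []
    for seg in path.split(b"/"):
        if seg == b"..":
            if out:
                out.pop()
        elif seg and seg != b".":
            out.append(seg)
    return b"/" + b"/".join(out)


def lenient_utf8(data: bytes) -> str:
    """UTF-8 decoder that ACCEPTS overlong two-byte forms (the flaw).
    Only ASCII and two-byte sequences are modelled; anything else raises."""
    chars, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            chars.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 0xC0 0xAE -> ((0x00) << 6) | 0x2E = U+002E '.'  -- an overlong
            # encoding a strict decoder rejects because 0xC0 is never a
            # valid lead byte.
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(chars)


def resolve_vulnerable(uri: str) -> str:
    """Percent-decode, normalise bytes, THEN decode leniently: the '..'
    segments appear only after the traversal check has already run."""
    raw = unquote_to_bytes(uri)          # %c0%ae -> b'\xc0\xae'
    checked = normalize_bytes(raw)       # sees no b'..', strips nothing
    rel = lenient_utf8(checked)          # now reads '/jsp/../../../../etc/passwd'
    return posixpath.normpath(DOCROOT + rel)


def resolve_fixed(uri: str) -> str:
    """Decode strictly (overlong forms raise), canonicalise the final file
    path and refuse anything that escapes DOCROOT."""
    raw = unquote_to_bytes(uri)
    rel = raw.decode("utf-8")            # strict: UnicodeDecodeError on 0xC0
    target = posixpath.normpath(DOCROOT + "/" + rel.lstrip("/"))
    if not target.startswith(DOCROOT + "/"):
        raise PermissionError(target)
    return target


# Constructed request: four overlong '..' segments climb out of the docroot.
ATTACK = "/jsp/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"

if __name__ == "__main__":
    print("vulnerable resolves to:", resolve_vulnerable(ATTACK))
    for req in (ATTACK, "/../../../etc/passwd", "/jsp/index.jsp"):
        try:
            print("fixed serves:", resolve_fixed(req))
        except (UnicodeDecodeError, PermissionError) as exc:
            print("fixed rejects %r: %s" % (req, exc))
```

The fixed resolver rejects the overlong request at the decode step and the
plain `../` request at the prefix check; a canonical-path check against the
docroot is the control that holds even when a symbolic link (the situation
`allowLinking` is for) points outside it. The real Tomcat fix was broader than
this model, which only shows the decoding-order problem.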

MDVSA-2008:186: python

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

The Python packages on Corporate 3 have been updated to the latest
version 2.3.7, which corrects this issue.

MDVSA-2008:185: python-django

A cross-site request forgery vulnerability was discovered in Django's
administration application that, if exploited, could be used to perform
unrequested deletion or modification of data. Updated versions of Django
now discard POST data submitted by users whose sessions have expired
instead of replaying it after re-login, so data will need to be
re-entered in these cases (CVE-2008-3909).

The versions of Django shipping with Mandriva Linux have been updated
to the latest patched versions that include the fix for this issue.
In addition, they provide other bug fixes.

MDVSA-2008:184: libtiff

Drew Yaro of the Apple Product Security Team reported multiple uses of
uninitialized values in libtiff's LZW compression algorithm decoder.
An attacker could create a carefully crafted LZW-encoded TIFF file that
would cause an application linked to libtiff to crash or potentially
execute arbitrary code (CVE-2008-2327).

The updated packages have been patched to prevent this issue.

MDVSA-2008:183: opensc

Chaskiel M Grundman found that OpenSC initialized smart cards running
the Siemens CardOS M4 card operating system without proper access
rights. This allowed anyone with access to the card to change the
card's PIN without first knowing the PIN or PUK, or the superuser's PIN
or PUK (CVE-2008-2235).

Please note that this issue cannot be used to discover the PIN on a
card. If the PIN on a card is unchanged from the one originally set,
it is unlikely that this vulnerability has been exploited. Also, this
issue only affects smart cards and USB crypto tokens based on Siemens
CardOS M4, and then only those devices that were initialized by OpenSC.
Users of other smart cards or USB crypto tokens, or of cards that were
not initialized by OpenSC, are not affected.

After applying the update, executing 'pkcs15-tool -T' will indicate
whether the card is fine or vulnerable. If the card is vulnerable, the
security settings need to be updated by executing 'pkcs15-tool -T -U'.

The updated packages have been patched to prevent this issue.

MDVSA-2008:182: wordnet

Rob Holland found several programming errors in WordNet which could
lead to the execution of arbitrary code when used with untrusted input
(CVE-2008-2149).

The updated packages have been patched to prevent these issues.

MDVSA-2008:181: ipsec-tools

Two denial of service vulnerabilities were discovered in the
ipsec-tools racoon daemon, which could allow a remote attacker to cause
it to consume all available memory (CVE-2008-3651, CVE-2008-3652).

The updated packages have been patched to prevent these issues.

MDVA-2008:119: timezone

Updated timezone packages are being provided for older Mandriva Linux
systems that do not contain the new Daylight Saving Time and time zone
information for some locations. These updated packages contain the new
information.

MDVA-2008:118: shared-mime-info

The video player totem was associated as an autostart application
for audio CDs, but the totem version in Mandriva Linux 2008.1 did not
support CD playback anymore. This update removes totem from the list
of default applications.

MDVSA-2008:180-1: libxml2

Andreas Solberg found a denial of service flaw in how libxml2 processed
certain content (recursive entity expansion). If an application linked
against libxml2 processed such malformed XML content, it could cause the
application to stop responding (CVE-2008-3281).

Update:

The original fix used to correct this issue caused some applications
that used the libxml2 library to crash. These new updated packages
use a different fix that does not cause certain linked applications
to crash as the old packages did.

MDVSA-2008:165: perl

Tue, 08/12/2008 - 11:28
The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users
to modify the permissions of arbitrary files via a symlink attack
(CVE-2008-2827).

The updated packages have been patched to fix this.
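
To show the class of bug behind the rmtree issue, here is an added Python
model; it is not Perl's File::Path code. A recursive delete that chmods each
entry by path before unlinking it follows a symbolic link planted in the tree
and changes the mode of whatever the link points at; the safe variant decides
from lstat() and never chmods through a link. The helper `demo()` and the
"victim" file it creates in a temporary directory are constructed for the
illustration.

```python
"""Symlink attack on a chmod-before-unlink recursive delete, and its fix.

Constructed example, not Perl's File::Path implementation.  Linux has no
lchmod(), so the only safe rule is: never chmod a path that lstat() says is
a symbolic link.
"""
import os
import stat
import tempfile


def unsafe_rmtree(top: str) -> None:
    """Delete a tree, chmod'ing each entry first so it can be removed.
    os.chmod() follows symlinks, so a planted link changes its TARGET."""
    for name in os.listdir(top):
        p = os.path.join(top, name)
        os.chmod(p, 0o700)                     # flaw: path based, follows links
        if os.path.isdir(p) and not os.path.islink(p):
            unsafe_rmtree(p)
        else:
            os.unlink(p)
    os.rmdir(top)


def safe_rmtree(top: str) -> None:
    """Same job, but classify with lstat() and never chmod through a link."""
    for name in os.listdir(top):
        p = os.path.join(top, name)
        st = os.lstat(p)                       # does not follow the link
        if stat.S_ISLNK(st.st_mode):
            os.unlink(p)                       # remove the link itself only
        elif stat.S_ISDIR(st.st_mode):
            os.chmod(p, 0o700)                 # a real directory, safe to fix up
            safe_rmtree(p)
        else:
            os.unlink(p)
    os.rmdir(top)


def demo(rm) -> int:
    """Plant a symlink to a 0600 'victim' file inside a tree, delete the tree
    with `rm`, and return the victim's permission bits afterwards."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim")     # stands in for a file the
        with open(victim, "w") as f:              # attacker must not touch
            f.write("secret\n")
        os.chmod(victim, 0o600)
        sub = os.path.join(base, "tree", "sub")
        os.makedirs(sub)
        os.symlink(victim, os.path.join(sub, "link"))   # attacker-planted link
        rm(os.path.join(base, "tree"))
        return stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("unsafe_rmtree leaves victim at %o" % demo(unsafe_rmtree))  # 700
    print("safe_rmtree leaves victim at   %o" % demo(safe_rmtree))    # 600
```

In the model the victim is owned by the same user, so the chmod succeeds
quietly; in the real attack the delete runs with more privilege than the user
who planted the link, which is what turns a permission change into an
escalation. The model also still has a window between lstat() and unlink();
closing it fully needs directory file descriptors and the *at() calls.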

MDVSA-2008:164: python

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Corporate Server 4 have been updated to
the latest version 2.4.5.

MDVSA-2008:163: python

Multiple integer overflows in the imageop module in Python prior to
2.5.3 allowed context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via crafted images that
trigger heap-based buffer overflows (CVE-2008-1679). This was due
to an incomplete fix for CVE-2007-4965.

David Remahl of Apple Product Security reported several integer
overflows in a number of core modules (CVE-2008-2315). He also
reported an integer overflow in the hashlib module on Python 2.5 that
led to unreliable cryptographic digest results (CVE-2008-2316).

Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32bit systems (CVE-2008-3142).

Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).

Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).

The updated packages have been patched to correct these issues.
As well, Python packages on Mandriva Linux 2007.1 and 2008.0 have
been updated to version 2.5.2. Due to slight packaging changes on
Mandriva Linux 2007.1, a new package is available (tkinter-apps) that
contains binary files (such as /usr/bin/idle) that were previously
in the tkinter package.

MDVSA-2008:162: qemu

Multiple vulnerabilities have been found in Qemu.

Multiple heap-based buffer overflows in the cirrus_invalidate_region
function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and
possibly other products, might allow local users to execute arbitrary
code via unspecified vectors related to attempting to mark non-existent
regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320)

Integer signedness error in the NE2000 emulator in QEMU 0.8.2,
as used in Xen and possibly other products, allows local users to
trigger a heap-based buffer overflow via certain register values
that bypass sanity checks, aka QEMU NE2000 receive integer signedness
error. (CVE-2007-1321)

QEMU 0.8.2 allows local users to halt a virtual machine by executing
the icebp instruction. (CVE-2007-1322)

QEMU 0.8.2 allows local users to crash a virtual machine via the
divisor operand to the aam instruction, as demonstrated by aam 0x0,
which triggers a divide-by-zero error. (CVE-2007-1366)

The NE2000 emulator in QEMU 0.8.2 allows local users to execute
arbitrary code by writing Ethernet frames with a size larger than
the MTU to the EN0_TCNT register, which triggers a heap-based
buffer overflow in the slirp library, aka NE2000 mtu heap
overflow. (CVE-2007-5729)

Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly
other products, allows local users to execute arbitrary code via
crafted data in the net socket listen option, aka QEMU net socket
heap overflow. (CVE-2007-5730)

QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating
system to overwrite the TranslationBlock (code_gen_buffer) buffer,
and probably have unspecified other impacts related to an overflow,
via certain Windows executable programs, as demonstrated by
qemu-dos.com. (CVE-2007-6227)

Qemu 0.9.1 and earlier does not perform range checks for block
device read or write requests, which allows guest users with root
privileges to access arbitrary memory and escape the virtual
machine. (CVE-2008-0928)

Changing removable media in QEMU could trigger a bug similar to
CVE-2008-2004, which would allow local guest users to read arbitrary
files on the host by modifying the header of the image to identify
a different format. (CVE-2008-1945) See the diskformat: parameter to
the -usbdevice option.

The drive_init function in QEMU 0.9.1 determines the format of
a raw disk image based on the header, which allows local guest
users to read arbitrary files on the host by modifying the header
to identify a different format, which is used when the guest is
restarted. (CVE-2008-2004) See the -format option.

The updated packages have been patched to fix these issues.
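
The two image-format issues above (CVE-2008-2004 on restart, CVE-2008-1945 on
media change) share one mechanism: when no format is pinned, the host decides
how to interpret a disk image by sniffing its first bytes, and a guest can
write those bytes. The Python model below is an added example, not QEMU's
drive_init code. The signature table is a small subset of the real block
drivers, the backing-file name is placed at offset 72 (an assumed slot just
past the 72-byte qcow2 v2 header), and /etc/shadow in `scenario()` is a
constructed target path.

```python
"""Header-based disk format probing and why pinning the format matters.

Constructed model, not QEMU code.  A raw image whose first sector the guest
has overwritten with a qcow2 header is reinterpreted as qcow2 on the next
open, and a qcow2 image may name a backing file on the host.
"""
import struct

# Assumption: subset of the magic values real block drivers probe for.
SIGNATURES = [
    (b"QFI\xfb",  "qcow"),   # qcow v1 and qcow2 share the magic; version at offset 4
    (b"KDMV",     "vmdk"),
    (b"conectix", "vpc"),
]


def probe_format(header: bytes) -> str:
    """Guess the format from the first bytes, as an unpinned drive would.
    Anything unrecognised is treated as raw."""
    for magic, fmt in SIGNATURES:
        if header.startswith(magic):
            if fmt == "qcow":
                version = struct.unpack(">I", header[4:8])[0]
                return "qcow2" if version == 2 else "qcow"
            return fmt
    return "raw"


def open_image(header: bytes, declared_format: str = "auto") -> str:
    """Vulnerable behaviour: probe when no format is given.
    Fixed behaviour: trust only the format the host configuration names
    (the -format / format=raw option the advisory points to)."""
    return probe_format(header) if declared_format == "auto" else declared_format


def qcow2_backing_file(header: bytes) -> bytes:
    """Read the backing-file name a qcow2 header points at
    (offset 8: backing_file_offset u64, offset 16: backing_file_size u32)."""
    off, size = struct.unpack(">QI", header[8:20])
    return header[off:off + size]


def forge_qcow2_header(backing: bytes) -> bytes:
    """What root *inside the guest* can write to sector 0 of its raw disk:
    a minimal qcow2 header whose backing file is a host path."""
    hdr = bytearray(512)
    hdr[0:4] = b"QFI\xfb"
    hdr[4:8] = struct.pack(">I", 2)             # version 2
    hdr[8:16] = struct.pack(">Q", 72)           # backing_file_offset (assumed)
    hdr[16:20] = struct.pack(">I", len(backing))
    hdr[72:72 + len(backing)] = backing
    return bytes(hdr)


def scenario():
    """Constructed guest disk: raw at first, then carrying a forged header.
    Returns (format seen with auto-probing, backing file it names,
    format seen when the host pins format=raw)."""
    disk = bytearray(4096)                      # empty raw image, sector 0 zeroed
    assert open_image(bytes(disk)) == "raw"
    disk[0:512] = forge_qcow2_header(b"/etc/shadow")   # written from the guest
    probed = open_image(bytes(disk))            # next restart, no format given
    backing = qcow2_backing_file(bytes(disk)) if probed == "qcow2" else b""
    pinned = open_image(bytes(disk), "raw")     # format=raw: header is just data
    return probed, backing, pinned


if __name__ == "__main__":
    probed, backing, pinned = scenario()
    print("auto-probed as %s with backing file %r" % (probed, backing))
    print("with format=raw it stays %s" % pinned)
```

Once the image is opened as qcow2, unallocated clusters are served from the
backing file, so the guest reads the host file through its own disk. Pinning
the format in the host configuration is the fix; the same applies to the
diskformat: parameter for removable USB media.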

MDVSA-2008:161: rxvt

A vulnerability in rxvt allowed it to open a terminal on display :0 if
the DISPLAY environment variable was not set, which could be used by a
local user to hijack X11 connections (CVE-2008-1142).

The updated packages have been patched to correct this issue.

MDVA-2008:117: x11-server

This update fixes an X server crash with multiple indirect rendering
clients and software rendering.

MDVA-2008:116: initscripts

This update of the drakx-net and initscripts packages improves
wireless strength detection and fixes connection with rt61 devices
(using the rt61pci driver). Such connections used to fail when the
wpa_supplicant daemon was used.

This update makes the network tools force a reassociation when the
rt61pci driver is used.

MDVA-2008:115: drakxtools

This drakxtools update fixes a file descriptor leak and an automatic
disk discovery problem. The network driver detection used to leak file
descriptors, so network applications such as the wireless tool or the
network center stopped working after extended use. The automatic disk
discovery tool did not correctly mark new media as removable, so they
were checked at every boot, which stopped the boot process if the media
was not present. Both problems are fixed in this update.

MDVSA-2008:160: libxslt

Chris Evans of the Google Security Team found a vulnerability in the
RC4 processing code in libxslt that did not properly handle corrupted
key information. A remote attacker able to make an application
linked against libxslt process malicious XML input could cause the
application to crash or possibly execute arbitrary code with the
privileges of the application in question (CVE-2008-2935).

The updated packages have been patched to correct this issue.

MDVSA-2008:159: licq

A flaw was discovered in licq versions prior to 1.3.6 that allowed
a remote attacker to cause a denial of service (crash) via a large
number of connections (CVE-2008-1996).

The updated packages have been patched to correct this issue.