From security@mandriva.com Thu Apr 21 08:20:46 2005
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Thu, 21 Apr 2005 01:11:05 -0600
Subject: [Full-disclosure] MDKSA-2005:076 - Updated xli packages fix multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           xli
 Advisory ID:            MDKSA-2005:076
 Date:                   April 20th, 2005

 Affected versions:      10.1, 10.2, Corporate 3.0, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A number of vulnerabilities have been found in the xli image viewer.

 Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a flaw in
 the handling of compressed images: shell meta-characters in the name of a
 compressed image are not properly escaped when the name is passed to the
 shell for decompression, so a specially crafted file name can execute
 arbitrary commands with the privileges of the user running xli
 (CAN-2005-0638).

 It was also found that insufficient validation of image properties (the
 dimensions and depth read from the image header) could result in buffer
 management errors (CAN-2005-0639).

 The updated packages have been patched to correct these problems.
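The two bug classes named above are generic and worth seeing side by side. The following C program is an added example written for this page; it is not xli's code and does not reproduce the patched routines. The function names (build_shell_command, run_argv_capture, image_buffer_size), the 64-megapixel cap and the sample file name "photo.gz;id" are assumptions chosen for the illustration. It shows, first, how splicing a file name into a command string for system()/popen() hands shell meta-characters to /bin/sh, and how running the decompressor through fork()/execvp() with an argv keeps the name literal; second, how 32-bit width*height*bpp arithmetic wraps to a tiny allocation, and a checked replacement that rejects it.

```c
/* Added example, not part of the advisory or of xli. Names and limits
 * below are hypothetical; the patterns are the generic ones behind
 * CAN-2005-0638 (shell meta-characters) and CAN-2005-0639 (size checks). */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* ---- CAN-2005-0638 pattern: file name spliced into a shell command ---- */

/* UNSAFE: feeding this string to system() or popen() lets every shell
 * meta-character in fname (";", "|", "$(...)", backticks) run as commands. */
int build_shell_command(const char *fname, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "gunzip -c %s", fname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the name contains anything /bin/sh would interpret. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}~ \t\n") != NULL;
}

/* SAFE: run the helper directly with an argv, no shell involved, and capture
 * its stdout into buf (NUL-terminated). Returns bytes read, or -1 on error
 * or non-zero exit. */
ssize_t run_argv_capture(char *const argv[], char *buf, size_t buflen)
{
    int fds[2];
    if (buflen < 2 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t total = 0;
    for (;;) {
        ssize_t r = read(fds[0], buf + total, buflen - 1 - total);
        if (r <= 0) break;
        total += (size_t)r;
        if (total >= buflen - 1) break;
    }
    close(fds[0]);
    buf[total] = '\0';
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

/* Uses echo as a stand-in decompressor: 1 if the name came back literally,
 * i.e. the ";id" was treated as data, not as a second command. */
int name_stays_literal(const char *name)
{
    char buf[256];
    char *argv[] = { "echo", (char *)name, NULL };
    ssize_t n = run_argv_capture(argv, buf, sizeof buf);
    return n == (ssize_t)strlen(name) + 1 &&
           strncmp(buf, name, strlen(name)) == 0 && buf[n - 1] == '\n';
}

/* ---- CAN-2005-0639 pattern: header dimensions trusted when sizing a buffer ---- */

#define MAX_IMAGE_PIXELS (64ULL * 1024 * 1024)   /* policy cap; an assumption */

/* UNSAFE: 32-bit header fields multiplied in 32-bit arithmetic wrap silently,
 * so a 65536x65536x4 image asks for 0 bytes and the decoder overruns it. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* SAFE: reject zero, oversized or absurd-depth dimensions and check the final
 * multiply against SIZE_MAX. Returns 0 and stores the size, or -1. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16) return -1;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > MAX_IMAGE_PIXELS) return -1;
    if (pixels > SIZE_MAX / bpp) return -1;
    *out = (size_t)pixels * bpp;
    return 0;
}

int main(void)
{
    char cmd[128];
    const char *evil = "photo.gz;id";      /* constructed hostile file name */
    build_shell_command(evil, cmd, sizeof cmd);
    printf("unsafe command line: \"%s\" (metachars=%d)\n", cmd, has_shell_metachars(evil));
    printf("argv exec keeps name literal: %d\n", name_stays_literal(evil));
    size_t sz;
    printf("naive 65536x65536x4 -> %u bytes; checked -> %d\n",
           naive_buffer_size(0x10000u, 0x10000u, 4),
           image_buffer_size(0x10000u, 0x10000u, 4, &sz));
    return 0;
}
```

The "--" that real decompressors accept (gunzip -c -- file) belongs in the argv too, so a name starting with "-" cannot be read as an option; it is left out of the echo stand-in because echo would print it. Note that the 32-bit wrap depends on uint32_t being unsigned int, which holds on the ILP32 and LP64 targets the advisory lists (i586 and x86_64).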
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0638
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0639
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.1:
 f5ad03e5bb1c8b93fc1ebca1d7e2e111  10.1/RPMS/xli-1.17.0-8.1.101mdk.i586.rpm
 757220d489a0cbafd393140ea7d5e205  10.1/SRPMS/xli-1.17.0-8.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 e798f226cabe865cd3b0a8f3f9292b6d  x86_64/10.1/RPMS/xli-1.17.0-8.1.101mdk.x86_64.rpm
 757220d489a0cbafd393140ea7d5e205  x86_64/10.1/SRPMS/xli-1.17.0-8.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 5e5bbac4a40ffc0f7156e671eb920ea0  10.2/RPMS/xli-1.17.0-8.1.102mdk.i586.rpm
 d6ee5ee583d8415f0028b2854ed19b3b  10.2/SRPMS/xli-1.17.0-8.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 b49c19725cbc2850ead82731758fe8d8  x86_64/10.2/RPMS/xli-1.17.0-8.1.102mdk.x86_64.rpm
 d6ee5ee583d8415f0028b2854ed19b3b  x86_64/10.2/SRPMS/xli-1.17.0-8.1.102mdk.src.rpm

 Corporate Server 2.1:
 c89d695075c7117381d50301745bc82e  corporate/2.1/RPMS/xli-1.17.0-4.1.C21mdk.i586.rpm
 c219935cd3fb090af95d6467919faff1  corporate/2.1/SRPMS/xli-1.17.0-4.1.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 8b4a39d741f4eb8fde469411359cad5b  x86_64/corporate/2.1/RPMS/xli-1.17.0-4.1.C21mdk.x86_64.rpm
 c219935cd3fb090af95d6467919faff1  x86_64/corporate/2.1/SRPMS/xli-1.17.0-4.1.C21mdk.src.rpm

 Corporate 3.0:
 fdbf0745aeb6733d6894afa089ac7dd2  corporate/3.0/RPMS/xli-1.17.0-8.2.C30mdk.i586.rpm
 88043776962e4a8bed6b538ae8d28824  corporate/3.0/SRPMS/xli-1.17.0-8.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 ac33b6d6d9475104bb25c2bde9dfe0c7  x86_64/corporate/3.0/RPMS/xli-1.17.0-8.2.C30mdk.x86_64.rpm
 88043776962e4a8bed6b538ae8d28824  x86_64/corporate/3.0/SRPMS/xli-1.17.0-8.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.
 The verification of md5 checksums and GPG signatures is performed
 automatically for you. All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID    Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZ1IJmqjQ0CJFipgRAjuRAKC+hW1sMUuM5yJN5UfSQ4nny/aFmgCeJ5zb
7no1gaq2GPMYobcTEPhHiAU=
=NSEJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/