Gentoo 2478 Published by

The following 6 security updates has been released for Gentoo Linux: [ GLSA 201311-22 ] Namazu: Multiple vulnerabilities, [ GLSA 201311-21 ] cpio: Arbitrary code execution, [ GLSA 201311-20 ] Okular: Arbitrary code execution, [ GLSA 201311-19 ] rssh: Access restriction bypass, [ GLSA 201311-18 ] Unbound: Denial of Service, and [ GLSA 201311-17 ] Perl: Multiple vulnerabilities



[ GLSA 201311-22 ] Namazu: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Namazu: Multiple vulnerabilities
Date: November 28, 2013
Bugs: #391259
ID: 201311-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Namazu, worst of which
allows remote attackers to cause a Denial of Service condition.

Background
==========

Namazu is a full-text search engine intended for easy use.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/namazu < 2.0.21 >= 2.0.21

Description
===========

Multiple vulnerabilities have been discovered in Namazu. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code or cause a Denial of
Service condition.
Furthermore, a remote attacker may be able to inject arbitrary web
script or HTML via a cookie.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Namazu users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/namazu-2.0.21"

References
==========

[ 1 ] CVE-2009-5028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5028
[ 2 ] CVE-2011-4345
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4345
[ 3 ] CVE-2011-4711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201311-21 ] cpio: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cpio: Arbitrary code execution
Date: November 28, 2013
Bugs: #314663
ID: 201311-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in cpio might allow a remote rmt server to
execute arbitrary code or cause a Denial of Service condition.

Background
==========

GNU cpio copies files into or out of a cpio or tar archive.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-arch/cpio < 2.11 >= 2.11

Description
===========

Cpio contains a heap-based buffer overflow in the rmt_read__ function
in lib/rtapelib.c.

Impact
======

A remote server could sending more data than was requested, related to
archive filenames that contain a : (colon) character, possibly
resulting in execution of arbitrary code or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cpio users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/cpio-2.11"

References
==========

[ 1 ] CVE-2010-0624
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0624

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201311-20 ] Okular: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Okular: Arbitrary code execution
Date: November 28, 2013
Bugs: #334469
ID: 201311-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in Okular might allow a remote attacker to
execute arbitrary code or cause a Denial of Service condition.

Background
==========

Okular is a universal document viewer based on KPDF for KDE 4.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-base/okular < 4.4.5-r2 >= 4.4.5-r2

Description
===========

Okular contains a heap-based buffer overflow in the RLE decompression
functionality in the TranscribePalmImageToJPEG function in
generators/plucker/inplug/image.cpp.

Impact
======

A remote attacker could entice a user to open a specially crafted PBD
file using Okular, possibly resulting in execution of arbitrary code
with the privileges of the process, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Okular users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/okular-4.4.5-r2"

References
==========

[ 1 ] CVE-2010-2575
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2575

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201311-19 ] rssh: Access restriction bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: rssh: Access restriction bypass
Date: November 28, 2013
Bugs: #415255, #445166
ID: 201311-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in rssh, allowing local
attackers to bypass access restrictions.

Background
==========

rssh is a restricted shell, allowing only a few commands like scp or
sftp. It is often used as a complement to OpenSSH to provide limited
access to users.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-shells/rssh < 2.3.4 >= 2.3.4

Description
===========

Multiple command line parsing and validation vulnerabilities have been
discovered in rssh. Please review the CVE identifiers referenced below
for details.

Impact
======

Multiple parsing and validation vulnerabilities can cause the
restrictions set up by rssh to be bypassed.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rssh users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.4"

References
==========

[ 1 ] CVE-2012-2252
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2252
[ 2 ] CVE-2012-3478
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3478

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201311-18 ] Unbound: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Unbound: Denial of Service
Date: November 28, 2013
Bugs: #395287
ID: 201311-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple Denial of Service vulnerabilities have been found in Unbound.

Background
==========

Unbound is a validating, recursive, and caching DNS resolver.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/unbound < 1.4.13_p2 >= 1.4.13_p2

Description
===========

Multiple vulnerabilities have been discovered in Unbound. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly cause a Denial of Service condition
via a specially crafted response.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Unbound users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/unbound-1.4.13_p2"

References
==========

[ 1 ] CVE-2011-4528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4528
[ 2 ] CVE-2011-4869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4869

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201311-17 ] Perl: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Perl: Multiple vulnerabilities
Date: November 28, 2013
Bugs: #249629, #313565, #362025, #386357
ID: 201311-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Perl, the worst of which could
allow a local attacker to cause a Denial of Service condition.

Background
==========

Perl is Larry Wall's Practical Extraction and Report Language.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/perl < 5.12.3-r1 >= 5.12.3-r1

Description
===========

Multiple vulnerabilities have been discovered in Perl. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could cause a Denial of Service condition or perform
symlink attacks to overwrite arbitrary files with the privileges of the
user running the application. A context-dependent attacker could cause
a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.12.3-r1"

References
==========

[ 1 ] CVE-2008-5302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5302
[ 2 ] CVE-2008-5303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5303
[ 3 ] CVE-2010-1158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1158
[ 4 ] CVE-2011-0761
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0761
[ 5 ] CVE-2011-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1487

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201311-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5