SUSE has published their Security Summary Report: SUSE-SR:2010:017



[security-announce] SUSE Security Summary Report: SUSE-SR:2010:017

______________________________________________________________________________

SUSE Security Summary Report

Announcement ID: SUSE-SR:2010:017
Date: Tue, 21 Sep 2010 11:00:00 +0000
Cross-References: CVE-2010-0084, CVE-2010-0085, CVE-2010-0087
CVE-2010-0088, CVE-2010-0089, CVE-2010-0091
CVE-2010-0095, CVE-2010-0397, CVE-2010-0407
CVE-2010-0743, CVE-2010-0839, CVE-2010-0840
CVE-2010-0841, CVE-2010-0842, CVE-2010-0843
CVE-2010-0844, CVE-2010-0846, CVE-2010-0847
CVE-2010-0848, CVE-2010-0849, CVE-2010-1157
CVE-2010-1205, CVE-2010-1512, CVE-2010-1860
CVE-2010-1862, CVE-2010-1864, CVE-2010-1866
CVE-2010-1914, CVE-2010-1915, CVE-2010-1917
CVE-2010-2059, CVE-2010-2093, CVE-2010-2094
CVE-2010-2097, CVE-2010-2100, CVE-2010-2101
CVE-2010-2190, CVE-2010-2191, CVE-2010-2221
CVE-2010-2225, CVE-2010-2227, CVE-2010-2237
CVE-2010-2238, CVE-2010-2239, CVE-2010-2242
CVE-2010-2249, CVE-2010-2526, CVE-2010-2531
CVE-2010-2950, CVE-2010-2956, CVE-2010-3062
CVE-2010-3063, CVE-2010-3064, CVE-2010-3065
CVE-2010-3081, CVE-2010-3087, CVE-2010-3301
CVE-2010-3304

Content of this advisory:
1) Solved Security Vulnerabilities:
- java-1_4_2-ibm
- sudo
- libpng
- php5
- tgt, iscsitarget
- aria2
- pcsc-lite
- tomcat5, tomcat6
- lvm2
- libvirt
- rpm
- libtiff
- dovecot12
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- kernel
3) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Solved Security Vulnerabilities

To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list or
download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.

Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.

- java-1_4_2-ibm
IBM Java was updated to 1.4.2 FP5, fixing various bugs and security issues:

CVE-2010-0084: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, and 1.4.2_25 allows remote attackers to affect confidentiality via
unknown vectors.

CVE-2010-0085: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0
Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0087: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update 18,
5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0088: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0
Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0089: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update 18,
5.0 Update 23, and 1.4.2_25 allows remote attackers to affect availability
via unknown vectors.

CVE-2010-0091: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, and 1.4.2_25 allows remote attackers to affect confidentiality via
unknown vectors.

CVE-2010-0095: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, and 1.4.2_25 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors.

CVE-2010-0839: Unspecified vulnerability in the Sound component in Oracle
Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors.

CVE-2010-0840: Unspecified vulnerability in the Java Runtime Environment
component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, and 1.4.2_25 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors. NOTE: the previous
information was obtained from the March 2010 CPU. Oracle has not
commented on claims from a reliable researcher that this is related to
improper checks when executing privileged methods in the Java Runtime
Environment (JRE), which allows attackers to execute arbitrary code
via (1) an untrusted object that extends the trusted class but has not
modified a certain method, or (2) "a similar trust issue with interfaces,"
aka "Trusted Methods Chaining Remote Code Execution Vulnerability."

CVE-2010-0841: Unspecified vulnerability in the ImageIO component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and
1.4.2_25 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is an integer overflow in the Java
Runtime Environment that allows remote attackers to execute arbitrary code
via a JPEG image that contains subsample dimensions with large values,
related to JPEGImageReader and "stepX".

CVE-2010-0842: Unspecified vulnerability in the Sound component in Oracle
Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is an uncontrolled array index that
allows remote attackers to execute arbitrary code via a MIDI file with
a crafted MixerSequencer object, related to the GM_Song structure.

CVE-2010-0843: Unspecified vulnerability in the Sound component in Oracle
Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on
claims from a reliable researcher that this is related to XNewPtr and
improper handling of an integer parameter when allocating heap memory
in the com.sun.media.sound libraries, which allows remote attackers to
execute arbitrary code.

CVE-2010-0844: Unspecified vulnerability in the Sound component in Oracle
Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is for improper parsing of a crafted
MIDI stream when creating a MixerSequencer object, which causes a pointer
to be corrupted and allows a NULL byte to be written to arbitrary memory.

CVE-2010-0846: Unspecified vulnerability in the ImageIO component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25,
and 1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information was
obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is a heap-based buffer overflow
that allows remote attackers to execute arbitrary code, related to an
"invalid assignment" and inconsistent length values in a JPEG image
encoder (JPEGImageEncoderImpl).

CVE-2010-0847: Unspecified vulnerability in the Java 2D component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25,
and 1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information was
obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is a heap-based buffer overflow
that allows arbitrary code execution via a crafted image.

CVE-2010-0848: Unspecified vulnerability in the Java 2D component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25,
and 1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors.

CVE-2010-0849: Unspecified vulnerability in the Java 2D component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25,
and 1.3.1_27 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information was
obtained from the March 2010 CPU. Oracle has not commented on claims
from a reliable researcher that this is a heap-based buffer overflow
in a decoding routine used by the JPEGImageDecoderImpl interface, which
allows code execution via a crafted JPEG image.

Affected Products: SLES9, SLE10-SP3, SLE11, SLE11-SP1

- sudo
sudo's handling of the -g command line option allowed to also
specify -u in some cases, therefore allowing users to actually run
commands as root (CVE-2010-2956).

Affected Products: openSUSE 11.2, 11.3

- libpng
Specially crafted png files could cause crashes or even execution of
arbitrary code in applications using libpng to process such files
(CVE-2010-1205, CVE-2010-2249).

Affected Products: SLES9, SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.1, 11.2

- php5
PHP was updated to version 5.3.3/5.2.14 to fix serveral security issues.

(CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864,
CVE-2010-1866, CVE-2010-1914, CVE-2010-1915, CVE-2010-1917,
CVE-2010-2093, CVE-2010-2094, CVE-2010-2097, CVE-2010-2100,
CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225,
CVE-2010-2531, CVE-2010-2950, CVE-2010-3062, CVE-2010-3063,
CVE-2010-3064, CVE-2010-3065)

Affected Products: SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.1, 11.2, 11.3

- tgt, iscsitarget
tgt and iscsitarget were updated to fix multiple overflows and a
format string vulnerability (CVE-2010-2221, CVE-2010-0743).

- aria2
Specially crafted metalink files could trick aria2 into store
downloaded files outside of the intended directory (CVE-2010-1512).

Affected Products: openSUSE 11.1

- pcsc-lite
A stack overflow in the pcsc-lite daemon allowed local users with
write-access to "/var/run/pcscd/pcscd.comm" to gain root privileges
(CVE-2010-0407).

Affected Products: SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.0, 11.1

- tomcat5, tomcat6
tomcat was prone to denial of service and information disclosure
vulnerabilities. Remote attackers could exploit that to crash tomcat
or to obtain sensitive information (CVE-2010-2227, CVE-2010-1157).

Affected Products: SLES9, SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.1, 11.2, 11.3

- lvm2
clvmd, when running, allowed unprivileged local users to issue arbitrary lvm
commands (CVE-2010-2526).

Affected Products: SLE11, SLE11-SP1, openSUSE 11.1

- libvirt
libvirt did not properly handle configured disk formats which
potentially allowed users to read arbitrary files (CVE-2010-2237,
CVE-2010-2238, CVE-2010-2239)

Improperly mapped source privileged ports in guests
may allow obtaining privileged resources on the host
(CVE-2010-2242).

Affected Products: SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.1, 11.2, 11.3

- rpm
rpm did not clear the suid/sgid bit of old files during package
updates (CVE-2010-2059).

Affected Products: SLE10-SP3, SLE11, SLE11-SP1, openSUSE 11.0, 11.1, 11.2

- libtiff
specially crafted tiff files could cause a memory corruption in
libtiff. Attackers could potentially exploit that to execute
arbitrary code in applications that use libtiff for processing tiff
files (CVE-2010-3087).

Affected Products: openSUSE 11.3

- dovecot12
When using Maildir all ACLs on INBOX were copied to newly created mailboxes
although only default ACLs should have been copied (CVE-2010-3304).

Affected Products: openSUSE 11.2, 11.3


______________________________________________________________________________

2) Pending Vulnerabilities, Solutions, and Work-Arounds

- kernel
Vulnerabilities in the kernel were found that allow local users to
gain root privileges on 64bit systems. Updates for all supported
distributions are in the works (CVE-2010-3301, CVE-2010-3081).


______________________________________________________________________________

3) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify

replacing with the name of the file containing the announcement.
The output for a valid signature looks like:

gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "

where is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.

The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig

to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.

- SUSE runs two security mailing lists to which any interested party may
subscribe:

opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.

opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.