Debian 10163 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 225-1] dnsmasq security update
[DSA 3261-2] libmodule-signature-perl regression update
[DSA 3265-1] zendframework security update
[DSA 3266-1] fuse security update
[DSA 3267-1] chromium-browser security update
[DSA 3268-1] ntfs-3g security update



[DLA 225-1] dnsmasq security update

Package : dnsmasq
Version : 2.55-2+deb6u1
CVE ID : CVE-2015-3294
Debian Bug : 783459

The following vulnerability vulnerability was found in dnsmasq:

CVE-2015-3294

Remote attackers could read process memory and cause DoS via
malformed DNS requests.

For Debian 6 “Squeeze”, these issues have been fixed in dnsmasq version
2.55-2+deb6u1.


[DSA 3261-2] libmodule-signature-perl regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3261-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 20, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libmodule-signature-perl
Debian Bug : 785701

The update for libmodule-signature-perl issued as DSA-3261-1 introduced
a regression in the handling of the --skip option of cpansign. Updated
packages are now available to address this regression. For reference,
the original advisory text follows.

Multiple vulnerabilities were discovered in libmodule-signature-perl, a
Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-3406

John Lightsey discovered that Module::Signature could parses the
unsigned portion of the SIGNATURE file as the signed portion due to
incorrect handling of PGP signature boundaries.

CVE-2015-3407

John Lightsey discovered that Module::Signature incorrectly handles
files that are not listed in the SIGNATURE file. This includes some
files in the t/ directory that would execute when tests are run.

CVE-2015-3408

John Lightsey discovered that Module::Signature uses two argument
open() calls to read the files when generating checksums from the
signed manifest. This allows to embed arbitrary shell commands into
the SIGNATURE file that would execute during the signature
verification process.

CVE-2015-3409

John Lightsey discovered that Module::Signature incorrectly handles
module loading, allowing to load modules from relative paths in
@INC. A remote attacker providing a malicious module could use this
issue to execute arbitrary code during signature verification.

For the oldstable distribution (wheezy), this problem has been fixed in
version 0.68-1+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 0.73-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.79-1.

We recommend that you upgrade your libmodule-signature-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3265-1] zendframework security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3265-1 security@debian.org
http://www.debian.org/security/ David PrÃ:copyright:vot
May 20, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : zendframework
CVE ID : CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684
CVE-2014-2685 CVE-2014-4914 CVE-2014-8088 CVE-2014-8089
CVE-2015-3154
Debian Bug : 743175 754201

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework. Except for CVE-2015-3154, all these issues were already fixed
in the version initially shipped with Jessie.

CVE-2014-2681

Lukas Reschke reported a lack of protection against XML External
Entity injection attacks in some functions. This fix extends the
incomplete one from CVE-2012-5657.

CVE-2014-2682

Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. This fix extends the incomplete one from
CVE-2012-5657.

CVE-2014-2683

Lukas Reschke reported a lack of protection against XML Entity
Expansion attacks in some functions. This fix extends the incomplete
one from CVE-2012-6532.

CVE-2014-2684

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported an error in the consumer's verify method that lead
to acceptance of wrongly sourced tokens.

CVE-2014-2685

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported a specification violation in which signing of a
single parameter is incorrectly considered sufficient.

CVE-2014-4914

Cassiano Dal Pizzol discovered that the implementation of the ORDER
BY SQL statement in Zend_Db_Select contains a potential SQL
injection when the query string passed contains parentheses.

CVE-2014-8088

Yury Dyachenko at Positive Research Center identified potential XML
eXternal Entity injection vectors due to insecure usage of PHP's DOM
extension.

CVE-2014-8089

Jonas Sandström discovered an SQL injection vector when manually
quoting value for sqlsrv extension, using null byte.

CVE-2015-3154

Filippo Tessarotto and Maks3w reported potential CRLF injection
attacks in mail and HTTP headers.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.11.13-1.1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.9+dfsg-2+deb8u1.

For the testing distribution (stretch), these problems will be fixed
in version 1.12.12+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.12+dfsg-1.

We recommend that you upgrade your zendframework packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3266-1] fuse security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3266-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 21, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : fuse
CVE ID : CVE-2015-3202

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3267-1] chromium-browser security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3267-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
May 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254
CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258
CVE-2015-1259 CVE-2015-1260 CVE-2015-1261 CVE-2015-1262
CVE-2015-1263 CVE-2015-1264 CVE-2015-1265

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-1251

SkyLined discovered a use-after-free issue in speech recognition.

CVE-2015-1252

An out-of-bounds write issue was discovered that could be used to
escape from the sandbox.

CVE-2015-1253

A cross-origin bypass issue was discovered in the DOM parser.

CVE-2015-1254

A cross-origin bypass issue was discovered in the DOM editing feature.

CVE-2015-1255

Khalil Zhani discovered a use-after-free issue in WebAudio.

CVE-2015-1256

Atte Kettunen discovered a use-after-free issue in the SVG
implementation.

CVE-2015-1257

miaubiz discovered an overflow issue in the SVG implementation.

CVE-2015-1258

cloudfuzzer discovered an invalid size parameter used in the
libvpx library.

CVE-2015-1259

Atte Kettunen discovered an uninitialized memory issue in the
pdfium library.

CVE-2015-1260

Khalil Zhani discovered multiple use-after-free issues in chromium's
interface to the WebRTC library.

CVE-2015-1261

Juho Nurminen discovered a URL bar spoofing issue.

CVE-2015-1262

miaubiz discovered the use of an uninitialized class member in
font handling.

CVE-2015-1263

Mike Ruddy discovered that downloading the spellcheck dictionary
was not done over HTTPS.

CVE-2015-1264

K0r3Ph1L discovered a cross-site scripting issue that could be
triggered by bookmarking a site.

CVE-2015-1265

The chrome 43 development team found and fixed various issues
during internal auditing. Also multiple issues were fixed in
the libv8 library, version 4.3.61.21.

For the stable distribution (jessie), these problems have been fixed in
version 43.0.2357.65-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 43.0.2357.65-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3268-1] ntfs-3g security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3268-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntfs-3g
CVE ID : CVE-2015-3202
Debian Bug : 786475

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u1. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/