Mandriva security advisories
Updated: 40 min 34 sec ago

MDVA-2008:177: lirc

40 min 34 sec ago
The LIRC packages included with Mandriva Linux 2008 and Mandriva Linux
2008 Spring did not include the 'commandir' module, which is necessary
(along with the 'lirc_cmdir' module) to properly support CommandIR
remote controls.

These updated packages do include the module.

MDVSA-2008:233: libcdaudio

40 min 34 sec ago
A heap overflow was found in the CDDB retrieval code of libcdaudio,
which could result in the execution of arbitrary code (CVE-2008-5030).

In addition, the fixes for CVE-2005-0706 were not applied to newer
libcdaudio packages as shipped with Mandriva Linux, so the patch to fix
that issue has been applied to 2008.1 and 2009.0 (this was originally
fixed in MDKSA-2005:075). This issue is a buffer overflow flaw found
by Joseph VanAndel. Corporate 3.0 has this fix already applied.

The updated packages have been patched to prevent these issues.

MDVA-2008:176: mdadm

40 min 34 sec ago
mdadm would crash during bootup when trying to activate several raid10
devices, dropping the system in maintenance mode, where you had to
manually reactivate the missing raid10 sets in order to continue
the boot.

The updated mdadm fixes this issue, allowing systems with raid10 to
boot normally.

MDVA-2008:175: urpmi

40 min 34 sec ago
Since version 6.14.9, Urpmi would spontaneously un-ignore any updated
media.

This update fixes that regression.

MDVA-2008:174: kbd

40 min 34 sec ago
This update fixes errors in be-latin1, be2-latin1, ro-comma,
ro-academic, and gr-utf8 keymaps, shipped on Mandriva Linux 2008
Spring and Mandriva Linux 2009.

MDVA-2008:173: imwheel

40 min 34 sec ago
Under certain conditions, imwheel would enter an infinite loop and
force the X server to consume a lot of CPU time, rendering the system
unusable.

This update fixes the issue.

MDVA-2008:172: kdebase

40 min 34 sec ago
The kdeeject command did not work, which resulted in a user being
able to unmount, but not eject, removable devices. This package
update corrects the issue.

MDVSA-2008:220-1: kernel

40 min 34 sec ago
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The snd_seq_oss_synth_make_info function in
sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux
kernel before 2.6.27-rc2 does not verify that the device number is
within the range defined by max_synthdev before returning certain
data to the caller, which allows local users to obtain sensitive
information. (CVE-2008-3272)

Unspecified vulnerability in the 32-bit and 64-bit emulation in the
Linux kernel 2.6.9, 2.6.18, and probably other versions allows local
users to read uninitialized memory via unknown vectors involving a
crafted binary. (CVE-2008-0598)

The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c
in the vfs implementation in the Linux kernel before 2.6.25.15 do
not prevent creation of a child dentry for a deleted (aka S_DEAD)
directory, which allows local users to cause a denial of service
(overflow of the UBIFS orphan area) via a series of attempted file
creations within deleted directories. (CVE-2008-3275)

Integer overflow in the sctp_setsockopt_auth_key function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows
remote attackers to cause a denial of service (panic) or possibly have
unspecified other impact via a crafted sca_keylength field associated
with the SCTP_AUTH_KEY option. (CVE-2008-3525)

fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23
does not properly zero out the dio struct, which allows local users
to cause a denial of service (OOPS), as demonstrated by a certain
fio test. (CVE-2007-6716)

fs/open.c in the Linux kernel before 2.6.22 does not properly strip
setuid and setgid bits when there is a write to a file, which allows
local users to gain the privileges of a different group, and obtain
sensitive information or possibly have unspecified other impact,
by creating an executable file in a setgid directory through the (1)
truncate or (2) ftruncate function in conjunction with memory-mapped
I/O. (CVE-2008-4210)

Additionally, support for Intel's ICH9 controller was added, and the
'tg3' driver was updated to version 3.71b.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Update:

Support for Intel's ICH9 controller and the updated 'tg3' driver were
actually missing in the previous update; this new update adds them.

MDVSA-2008:232: dovecot

40 min 34 sec ago
The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.4 allowed attackers to
bypass intended access restrictions by using the 'k' right to create
unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevented the use of
dovecot's 'deliver' command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message 'Time just moved backwards
by X seconds. This might cause a lot of problems, so I'll just kill
myself now.' The update resolves both these problems. The default
permissions on dovecot.conf now allow the 'deliver' command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
'deliver' command still does not work following the update, please
run these commands as root:

# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf

Dovecot's initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.

This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.

MDVSA-2008:231: libxml2

40 min 34 sec ago
Drew Yao of the Apple Product Security Team found two flaws in libxml2.
The first is a denial of service flaw in libxml2's XML parser. If an
application linked against libxml2 were to process certain malformed
XML content, it could cause the application to enter an infinite loop
(CVE-2008-4225).

The second is an integer overflow that caused a heap-based buffer
overflow in libxml2's XML parser. If an application linked against
libxml2 were to process certain malformed XML content, it could
cause the application to crash or possibly execute arbitrary code
(CVE-2008-4226).

The updated packages have been patched to correct these issues.

MDVSA-2008:230: firefox

Thu, 11/20/2008 - 22:10
Security vulnerabilities have been discovered and corrected in
the latest Mozilla Firefox 3.x, version 3.0.4 (CVE-2008-0017,
CVE-2008-5014, CVE-2008-5015, CVE-2008-5016, CVE-2008-5017,
CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022,
CVE-2008-5023, CVE-2008-5024).

This update provides the latest Mozilla Firefox 3.x to correct
these issues.

MDVSA-2008:227-1: gnutls

Thu, 11/20/2008 - 18:40
Martin von Gagern found a flaw in how GnuTLS versions 1.2.4 up until
2.6.1 verified certificate chains provided by a server. A malicious
server could use this flaw to spoof its identity by tricking client
applications that used the GnuTLS library to trust invalid certificates
(CVE-2008-4989).

Update:

It was found that the previously-published patch to correct this
issue caused a regression when dealing with self-signed certificates.
An updated patch that fixes the security issue and resolves the
regression issue has been applied to these packages.

MDVA-2008:171: gdm

Wed, 11/19/2008 - 23:30
An incorrect memory deallocation was causing a crash when the GNOME
display manager was exiting. This package update fixes this issue
and includes additional bug fixes and translation updates.

MDVSA-2008:229: clamav

Wed, 11/19/2008 - 23:30
An off-by-one error was found in ClamAV versions prior to 0.94.1 that
could allow remote attackers to cause a denial of service or possibly
execute arbitrary code via a crafted VBA project file (CVE-2008-5050).

Other bugs have also been corrected in 0.94.1 which is being provided
with this update.

MDVA-2008:170: alsa-plugins

Wed, 11/19/2008 - 22:20
The version of alsa-plugins provided with Mandriva Linux 2009.0 fails
when trying to record sound via alsa using pulseaudio. This updated
package contains an upstream patch to fix this bug.

MDVA-2008:169: f-spot

Wed, 11/19/2008 - 21:10
f-spot as released with Mandriva Linux 2009.0 presented a misleading
dialog when connecting a digital camera. It could also potentially
hang when upgrading its database from an earlier version. This update
fixes both problems.

MDVSA-2008:228: mozilla-firefox

Wed, 11/19/2008 - 21:10
Security vulnerabilities have been discovered and corrected in
the latest Mozilla Firefox 2.x, version 2.0.0.18 (CVE-2008-0017,
CVE-2008-5012, CVE-2008-5013, CVE-2008-5014, CVE-2008-5017,
CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022,
CVE-2008-5023, CVE-2008-5024, CVE-2008-5052).

This update provides the latest Mozilla Firefox 2.x to correct
these issues.

MDVA-2008:091-1: gnome-applets

Wed, 11/19/2008 - 20:00
The clock applet in GNOME could crash when using some specific
locations or when using updated timezone data. The Recent Documents
menu was not always able to start the right application for a specific
document.

Update:

The previous gnome-applets package on x86_64 was improperly built
and included apm support when it should not have, resulting in an
extra dependency that could cause installation issues. This update
corrects the problem.

MDVSA-2008:227: gnutls

Wed, 11/19/2008 - 18:50
Martin von Gagern found a flaw in how GnuTLS versions 1.2.4 up until
2.6.1 verified certificate chains provided by a server. A malicious
server could use this flaw to spoof its identity by tricking client
applications that used the GnuTLS library to trust invalid certificates
(CVE-2008-4989).

The updated packages have been patched to correct this issue.

MDVSA-2008:224-1: kernel

Tue, 11/18/2008 - 22:40
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The error-reporting functionality in (1) fs/ext2/dir.c, (2)
fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel
2.6.26.5 does not limit the number of printk console messages that
report directory corruption, which allows physically proximate
attackers to cause a denial of service (temporary system hang) by
mounting a filesystem that has corrupted dir->i_size and dir->i_blocks
values and performing (a) read or (b) write operations. NOTE:
there are limited scenarios in which this crosses privilege
boundaries. (CVE-2008-3528)

The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel
2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in
OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct
Rendering Manager (DRM) master, which allows local users to cause
a denial of service (memory corruption) via a crafted ioctl call,
related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the
ioctl's configuration. (CVE-2008-3831)

The do_splice_from function in fs/splice.c in the Linux kernel before
2.6.27 does not reject file descriptors that have the O_APPEND flag
set, which allows local users to bypass append mode and make arbitrary
changes to other locations in the file. (CVE-2008-4554)

Additionally, a problem with TCP options ordering, which could manifest
as connection problems with many websites (bug #43372), was solved; a
number of fixes for Intel HDA were added; and further fixes for issues
on Asus EEE PC, Panasonic Let's Note, Acer One, Dell XPS, and others
were also added. Check the package changelog for more information.



To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Update:

The previous update included a patch which introduced a bug that would
make the boot process stop halfway on several machines. That patch
has been removed in this new update, to avoid that problem.