Gentoo 2514 Published by

The following security updates has been released for Gentoo Linux:

[ GLSA 201404-01 ] CUPS: Arbitrary file read/write
[ GLSA 201404-02 ] libproxy: User-assisted execution of arbitrary code
[ GLSA 201404-03 ] OptiPNG: User-assisted execution of arbitrary code
[ GLSA 201404-04 ] Crack: Arbitrary code execution
[ GLSA 201404-05 ] OpenAFS: Multiple vulnerabilities



[ GLSA 201404-01 ] CUPS: Arbitrary file read/write

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: CUPS: Arbitrary file read/write
Date: April 07, 2014
Bugs: #442926
ID: 201404-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in CUPS may allow for arbitrary file access.

Background
==========

CUPS, the Common Unix Printing System, is a full-featured print server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-print/cups < 1.6.2-r5 >= 1.6.2-r5

Description
===========

Members of the lpadmin group have admin access to the web interface,
where they can
edit the config file and set some “dangerous” directives (like the log
filenames), which enable them to read or write files as the user
running
the CUPS webserver.

Impact
======

A local attacker could possibly exploit this vulnerability to read or
write files as the user running the CUPS webserver.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.6.2-r5"

References
==========

[ 1 ] CVE-2012-5519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5519

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201404-02 ] libproxy: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libproxy: User-assisted execution of arbitrary code
Date: April 07, 2014
Bugs: #438146
ID: 201404-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in libproxy might allow remote attackers to execute
arbitrary code.

Background
==========

libproxy is a library for automatic proxy configuration management.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/libproxy < 0.4.10 >= 0.4.10

Description
===========

A boundary error when processing the proxy.pac file could cause a
stack-based buffer overflow.

Impact
======

A man-in-the-middle attacker could provide a specially crafted
proxy.pac file on a remote server, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libproxy users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libproxy-0.4.10"

References
==========

[ 1 ] CVE-2012-4504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4504

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--
Mikle Kolyada
Gentoo Linux Developer




[ GLSA 201404-03 ] OptiPNG: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OptiPNG: User-assisted execution of arbitrary code
Date: April 07, 2014
Bugs: #435340
ID: 201404-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A use-after-free error in OptiPNG could result in execution of
arbitrary code or Denial of Service.

Background
==========

OptiPNG is a PNG optimizer that recompresses image files to a smaller
size, without losing any information.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-gfx/optipng < 0.7.3 >= 0.7.3

Description
===========

A use-after-free vulnerability exists in the palette reduction
functionality of OptiPNG.

Impact
======

A remote attacker could entice a user to open a specially crafted image
file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OptiPNG users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/optipng-0.7.3"

References
==========

[ 1 ] CVE-2012-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4432

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--
Mikle Kolyada
Gentoo Linux Developer




[ GLSA 201404-04 ] Crack: Arbitrary code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Crack: Arbitrary code execution
Date: April 07, 2014
Bugs: #460164
ID: 201404-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Crack might allow remote attackers to execute
arbitrary code.

Background
==========

Crack is a really simple JSON and XML parsing Ruby gem, ripped from
Merb and Rails.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/crack < 0.3.2 >= 0.3.2

Description
===========

An XML parameter parsing vulnerability has been discovered in Crack.

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the process, cause a Denial of
Service condition, or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Crack users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/crack-0.3.2"

References
==========

[ 1 ] CVE-2013-1800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1800

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--
Mikle Kolyada
Gentoo Linux Developer




[ GLSA 201404-05 ] OpenAFS: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: OpenAFS: Multiple vulnerabilities
Date: April 07, 2014
Bugs: #265538, #355533, #460494, #478282, #478296
ID: 201404-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenAFS, worst of which can
allow attackers to execute arbitrary code

Background
==========

OpenAFS is an client-server program suite for federated file sharing
and replicated content distribution.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-fs/openafs < 1.6.5 >= 1.6.5

Description
===========

Multiple vulnerabilities have been discovered in OpenAFS. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could potentially execute arbitrary code with the
permissions of the user running the AFS server, cause a Denial of
Service condition, or gain access to sensitive information.
Additionally, an attacker could compromise a cell's private key,
allowing them to impersonate any user in the cell.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenAFS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-fs/openafs-1.6.5"

References
==========

[ 1 ] CVE-2009-1250
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1250
[ 2 ] CVE-2009-1251
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1251
[ 3 ] CVE-2011-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0430
[ 4 ] CVE-2011-0431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0431
[ 5 ] CVE-2013-1794
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1794
[ 6 ] CVE-2013-1795
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1795
[ 7 ] CVE-2013-4134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4134
[ 8 ] CVE-2013-4135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4135

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--
Mikle Kolyada
Gentoo Linux Developer