Gentoo 2510 Published by

The following updates has been released for Gentoo Linux:

[ GLSA 201512-06 ] MPFR: User-assisted execution of arbitrary code
[ GLSA 201512-07 ] GStreamer: User-assisted execution of arbitrary code
[ GLSA 201512-08 ] ClamAV: Multiple vulnerabilities
[ GLSA 201512-09 ] encfs: Multiple vulnerabilities
[ GLSA 201512-10 ] Mozilla Products: Multiple vulnerabilities
[ GLSA 201512-11 ] Firebird: Buffer Overflow
[ GLSA 201512-12 ] KDE Systemsettings: Privilege escalation
[ GLSA 201512-13 ] InspIRCd: Multiple vulnerabilities



[ GLSA 201512-06 ] MPFR: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MPFR: User-assisted execution of arbitrary code
Date: December 30, 2015
Bugs: #532028
ID: 201512-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in MPFR could allow remote attackers to
execute arbitrary code or cause Denial of Service.

Background
==========

MPFR is a library for multiple-precision floating-point computations
with exact rounding.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/mpfr < 3.1.3_p4 >= 3.1.3_p4

Description
===========

MPFR fails to adequately check user-supplied input, which could lead to
a buffer overflow.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MPFR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/mpfr-3.1.3_p4"

References
==========

[ 1 ] CVE-2014-9474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9474

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-07 ] GStreamer: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GStreamer: User-assisted execution of arbitrary code
Date: December 30, 2015
Bugs: #553742
ID: 201512-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in GStreamer could allow remote attackers to execute
arbitrary code or cause Denial of Service.

Background
==========

GStreamer is an open source multimedia framework.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/gstreamer < 1.4.5 >= 1.4.5

Description
===========

A buffer overflow vulnerability has been found in the parsing of H.264
formatted video.

Impact
======

A remote attacker could entice a user to open a specially crafted H.264
formatted video using an application linked against GStreamer, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GStreamer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.4.5"

References
==========

[ 1 ] CVE-2015-0797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0797

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-08 ] ClamAV: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ClamAV: Multiple vulnerabilities
Date: December 30, 2015
Bugs: #538084, #548066
ID: 201512-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ClamAV, possibly resulting
in Denial of Service.

Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-antivirus/clamav < 0.98.7 >= 0.98.7

Description
===========

Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause ClamAV to scan a specially crafted file,
possibly resulting in a Denial of Service condition or other
unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.98.7"

References
==========

[ 1 ] CVE-2014-9328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9328
[ 2 ] CVE-2015-1461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1461
[ 3 ] CVE-2015-1462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1462
[ 4 ] CVE-2015-1463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1463
[ 5 ] CVE-2015-2170
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2170
[ 6 ] CVE-2015-2221
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2221
[ 7 ] CVE-2015-2222
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2222
[ 8 ] CVE-2015-2668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2668

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-09 ] encfs: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: encfs: Multiple vulnerabilities
Date: December 30, 2015
Bugs: #510290
ID: 201512-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in encfs, the worst of which
can allow remote attackers to execute arbitrary code or cause a Denial
of Service condition.

Background
==========

Encfs is an implementation of encrypted filesystem in user-space using
FUSE.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-fs/encfs < 1.7.5 >= 1.7.5

Description
===========

Multiple vulnerabilities have been discovered in encfs. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker can utilize a possible buffer overflow in the
encodeName method of StreamNameIO and BlockNameIO to execute arbitrary
code or cause a Denial of Service. Also multiple weak cryptographics
practices have been found in encfs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All encfs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/encfs-1.7.5"

References
==========

[ 1 ] CVE-2014-3462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3462

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-10 ] Mozilla Products: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla Products: Multiple vulnerabilities
Date: December 30, 2015
Bugs: #545232, #554036, #556942, #564818, #568376
ID: 201512-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Firefox and
Thunderbird, the worst of which may allow user-assisted execution of
arbitrary code.

Background
==========

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox < 38.5.0 >= 38.5.0
2 www-client/firefox-bin < 38.5.0 >= 38.5.0
3 mail-client/thunderbird < 38.5.0 >= 38.5.0
4 mail-client/thunderbird-bin
< 38.5.0 >= 38.5.0
-------------------------------------------------------------------
4 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox and
Mozilla Thunderbird. Please review the CVE identifiers referenced below
for details.

Impact
======

A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-38.5.0"

All Firefox-bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-38.5.0"

All Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-38.5.0"

All Thunderbird-bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-38.5.0"

References
==========

[ 1 ] CVE-2015-0798
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0798
[ 2 ] CVE-2015-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0799
[ 3 ] CVE-2015-0801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0801
[ 4 ] CVE-2015-0802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0802
[ 5 ] CVE-2015-0803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0803
[ 6 ] CVE-2015-0804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0804
[ 7 ] CVE-2015-0805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0805
[ 8 ] CVE-2015-0806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0806
[ 9 ] CVE-2015-0807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0807
[ 10 ] CVE-2015-0808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0808
[ 11 ] CVE-2015-0810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0810
[ 12 ] CVE-2015-0811
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0811
[ 13 ] CVE-2015-0812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0812
[ 14 ] CVE-2015-0813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0813
[ 15 ] CVE-2015-0814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0814
[ 16 ] CVE-2015-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0815
[ 17 ] CVE-2015-0816
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0816
[ 18 ] CVE-2015-2706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2706
[ 19 ] CVE-2015-2721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2721
[ 20 ] CVE-2015-2722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2722
[ 21 ] CVE-2015-2724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2724
[ 22 ] CVE-2015-2725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2725
[ 23 ] CVE-2015-2726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2726
[ 24 ] CVE-2015-2727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2727
[ 25 ] CVE-2015-2728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2728
[ 26 ] CVE-2015-2729
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2729
[ 27 ] CVE-2015-2730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2730
[ 28 ] CVE-2015-2731
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2731
[ 29 ] CVE-2015-2733
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2733
[ 30 ] CVE-2015-2734
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2734
[ 31 ] CVE-2015-2735
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2735
[ 32 ] CVE-2015-2736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2736
[ 33 ] CVE-2015-2737
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2737
[ 34 ] CVE-2015-2738
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2738
[ 35 ] CVE-2015-2739
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2739
[ 36 ] CVE-2015-2740
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2740
[ 37 ] CVE-2015-2741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2741
[ 38 ] CVE-2015-2742
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2742
[ 39 ] CVE-2015-2743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2743
[ 40 ] CVE-2015-2808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2808
[ 41 ] CVE-2015-4000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000
[ 42 ] CVE-2015-4495
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4495
[ 43 ] CVE-2015-4513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4513
[ 44 ] CVE-2015-4514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4514
[ 45 ] CVE-2015-4515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4515
[ 46 ] CVE-2015-4518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4518
[ 47 ] CVE-2015-7181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7181
[ 48 ] CVE-2015-7182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7182
[ 49 ] CVE-2015-7183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7183
[ 50 ] CVE-2015-7187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7187
[ 51 ] CVE-2015-7188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7188
[ 52 ] CVE-2015-7189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7189
[ 53 ] CVE-2015-7191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7191
[ 54 ] CVE-2015-7192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7192
[ 55 ] CVE-2015-7193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7193
[ 56 ] CVE-2015-7194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7194
[ 57 ] CVE-2015-7195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7195
[ 58 ] CVE-2015-7196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7196
[ 59 ] CVE-2015-7197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7197
[ 60 ] CVE-2015-7198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7198
[ 61 ] CVE-2015-7199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7199
[ 62 ] CVE-2015-7200
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7200
[ 63 ] CVE-2015-7201
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7201
[ 64 ] CVE-2015-7202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7202
[ 65 ] CVE-2015-7203
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7203
[ 66 ] CVE-2015-7204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7204
[ 67 ] CVE-2015-7205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7205
[ 68 ] CVE-2015-7207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7207
[ 69 ] CVE-2015-7208
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7208
[ 70 ] CVE-2015-7210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7210
[ 71 ] CVE-2015-7211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7211
[ 72 ] CVE-2015-7212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7212
[ 73 ] CVE-2015-7213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7213
[ 74 ] CVE-2015-7214
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7214
[ 75 ] CVE-2015-7215
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7215
[ 76 ] CVE-2015-7216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7216
[ 77 ] CVE-2015-7217
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7217
[ 78 ] CVE-2015-7218
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7218
[ 79 ] CVE-2015-7219
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7219
[ 80 ] CVE-2015-7220
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7220
[ 81 ] CVE-2015-7221
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7221
[ 82 ] CVE-2015-7222
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7222
[ 83 ] CVE-2015-7223
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7223

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-11 ] Firebird: Buffer Overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Firebird: Buffer Overflow
Date: December 30, 2015
Bugs: #460780
ID: 201512-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in Firebird might allow remote attackers to execute
arbitrary code.

Background
==========

Firebird is a multi-platform, open source relational database.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/firebird < 2.5.3.26780.0-r3 >= 2.5.3.26780.0-r3

Description
===========

The vulnerability is caused due to an error when processing requests
from remote clients.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Firebird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-db/firebird-2.5.3.26780.0-r3"

NOTE: Firebird package was moved to the testing branch (unstable) of
Gentoo. There is currently no stable version of Firebird, and there
will be no further GLSAs for this package.

References
==========

[ 1 ] CVE-2013-2492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2492

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-12 ] KDE Systemsettings: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: KDE Systemsettings: Privilege escalation
Date: December 30, 2015
Bugs: #528468
ID: 201512-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Data validation in KDE Systemsettings could lead to local privilege
escalation.

Background
==========

KDE workspace configuration module for setting the date and time has a
helper program
which runs as root for performing actions.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-base/systemsettings < 4.11.13-r1 >= 4.11.13-r1

Description
===========

KDE Systemsettings fails to properly validate user input before passing
it as argument in context of higher privilege.

Impact
======

A local attacker could gain privileges via a crafted ntpUtility (ntp
utility name) argument.

Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.

Resolution
==========

All KDE Systemsettings users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=kde-base/systemsettings-4.11.13-r1"

References
==========

[ 1 ] CVE-2014-8651
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8651

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201512-13 ] InspIRCd: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201512-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: InspIRCd: Multiple vulnerabilities
Date: December 30, 2015
Bugs: #545034, #570244
ID: 201512-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in InspIRCd, the worst
allowing remote attackers to execute arbitrary code.

Background
==========

InspIRCd is a modular Internet Relay Chat (IRC) server written in C++
which was created from scratch to be stable, modern and lightweight.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-irc/inspircd < 2.0.20 >= 2.0.20

Description
===========

Multiple vulnerabilities have been discovered in InspIRCd. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All InspIRCd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/inspircd-2.0.20"

References
==========

[ 1 ] CVE-2012-6697
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6697
[ 2 ] CVE-2015-6674
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6674
[ 3 ] CVE-2015-8702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8702

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201512-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5