Slackware Security Updates: KOffice, lynx, curl, wget, apache, imapd, PHP and elm

Yep, massive updates. Slackware users are advised to grab the latest packages of these apps:

  • KOffice
  • lynx
  • curl
  • wget
  • apache
  • imapd
  • PHP
  • elm

Details are as follows;

New KOffice packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue with KWord. A buffer overflow in the RTF import functionality could result in the execution of arbitrary code.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/koffice-1.4.1-i486-2.tgz: Patched.
Fixes a buffer overflow in KWord’s RTF import discovered by Chris Evans.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971
(* Security fix *)
+————————–+

New Lynx packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. An overflow could result in the execution of arbitrary code when using Lynx to connect to a malicious NNTP server.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/lynx-2.8.5rel.5-i486-1.tgz: Upgraded to lynx-2.8.5rel.5.
Fixes an issue where the handling of Asian characters when using lynx to
connect to an NNTP server (is this a common use?) could result in a buffer
overflow causing the execution of arbitrary code.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
(* Security fix *)
+————————–+

New curl packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current, and new wget packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current. These address a buffer overflow in NTLM handling which may present a security problem, though no public exploits are known at this time.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/curl-7.12.2-i486-2.tgz: Patched. This addresses a buffer
overflow in libcurl’s NTLM function that could have possible security
implications.
For more details, see:
http://curl.haxx.se/docs/security.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
(* Security fix *)
patches/packages/wget-1.10.2-i486-1.tgz: Upgraded to wget-1.10.2.
This addresses a buffer overflow in wget’s NTLM handling function that could
have possible security implications.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
(* Security fix *)
+————————–+

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix potential security issues:

  • If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
  • Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.

It’s hard to say how much real-world impact these have, as there’s no more information about that in the announcement. The original Apache announcement can be read here:

http://www.apache.org/dist/httpd/Announcement1.3.html

Note that if you use mod_ssl, you will also need a new mod_ssl package. These have been provided for the same releases of Slackware.

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/apache-1.3.34-i486-1.tgz: Upgraded to apache-1.3.34.
Fixes this minor security bug: “If a request contains both Transfer-Encoding
and Content-Length headers, remove the Content-Length, mitigating some HTTP
Request Splitting/Spoofing attacks.”
(* Security fix *)
patches/packages/mod_ssl-2.8.25_1.3.34-i486-1.tgz:
Upgraded to mod_ssl-2.8.25-1.3.34.
+————————–+

New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue. See the details below for more information. Also, new Pine packages are provided since these are built together… why not? Might as well upgrade that too, while I’m fixing the fake security problem. 🙂

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/imapd-4.64-i486-1.tgz: Upgraded to imapd-4.64.
A buffer overflow was reported in the mail_valid_net_parse_work function.
However, this function in the c-client library does not appear to be called
from anywhere in imapd. iDefense states that the issue is of LOW risk to
sites that allow users shell access, and LOW-MODERATE risk to other servers.
I believe it’s possible that it is of NIL risk if the function is indeed
dead code to imapd, but draw your own conclusions…
(* Security fix *)
+————————–+

New PHP packages are available for Slackware 10.2 and -current to fix minor security issues relating to the overwriting of the GLOBALS array.

It has been reported here that this new version of PHP also breaks squirrelmail and probably some other things. Given the vague nature of the security report, it’s possible that the cure might be worse than the disease as far as this upgrade is concerned. If you encounter problems,
you may wish to drop back to 4.4.0, and I believe that doing so is relatively safe. I understand at least some of the issues are fixed in CVS already, so perhaps another maintainance release is not far off.

Thanks to Gerardo Exequiel Pozzi for bringing the issues with 4.4.1 to my attention so that this additional information could be included here.

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/php-4.4.1-i486-1.tgz: Upgraded to php-4.4.1.
Fixes a number of bugs, including several minor security fixes relating to
the overwriting of the GLOBALS array.
(* Security fix *)
+————————–+

New Elm packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
10.2, and -current to fix a security issue. A buffer overflow in the
parsing of the Expires header could allow arbitrary code to be executed
as the user running Elm.

Here are the details from the Slackware 10.2 ChangeLog:
+————————–+
patches/packages/elm-2.5.8-i486-1.tgz: Upgraded to elm2.5.8.
This fixes a buffer overflow in the parsing of the Expires header that
could be used to execute arbitrary code as the user running Elm.
Thanks to Ulf Harnhammar for finding the bug and reminding me to get
out updated packages to address the issue.
A reference to the original advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html
+————————–+

Updated packages can be downloaded from the Slackware Package Browser or using automated package management tools like Swaret or slapt-get.