Mandriva

Outgoing mails sent through the Evolution Exchange plugin were not
always sent properly. Spell checking was not working properly when
two different languages were enabled, causing all words to be detected
as mistyped. Those bugs are fixed by this package updates, as well
as massive performance improvements in IMAP handling, additional
translations and many bug fixes from GNOME 2.24.2.

Mandriva Linux 2009.0 shipped with KDE 4.1.2. This update provides
the full KDE 4.1.3 for Mandriva Linux 2009.0 which brings with it
numerous enhancements and bugfixes.

Please note: the package list looks empty in this advisory due to
the fact this update provides over 900 packages. The web advisory
lists all packages with their md5sums.

KDevelop as shipped in Mandriva Linux 2009.0 contains a build time
bug, which led to subversion support not being correctly compiled.
As a result, it was not possible to use subversion as the version
control system for projects in KDevelop. The updated package fixes
this problem.

Live, as shipped with Mandriva Linux 2009.0, was missing the main
executable: live555MediaServer. This update provides the program.

Evince would sometimes crash when searching in a PDF document.
This update fixes the bug.

A bug in the ASF demuxer in gstreamer0.10-plugins-ugly prevented
video players like Totem from seeking in WMV files, causing an error
message Internal data stream error. This updated package contains
a patch fixing this problem.

The cracklib library package was incorrectly providing the development
package, which was preventing the compilation of anything relying on
cracklib-devel. This update fixes the incorrect Provides. It also
corrects an issue when /usr is a separate partition the fails to
mount at start, logging in is impossible because the pam_cracklib
module is linked to /usr/lib/libcrack.so.2.

The graphviz package shipped in Mandriva Linux 2008.1 has a bug in
its builtin ps renderer: included images are displayed as blank area.
An upstream patch fixes the issue.

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Buffer overflow in the hfsplus_find_cat function in
fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or
system crash) via an hfsplus filesystem image with an invalid
catalog namelength field, related to the hfsplus_cat_build_key_uni
function. (CVE-2008-4933)

The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the
Linux kernel before 2.6.28-rc1 does not check a certain return value
from the read_mapping_page function before calling kmap, which allows
attackers to cause a denial of service (system crash) via a crafted
hfsplus filesystem image. (CVE-2008-4934)

The __scm_destroy function in net/core/scm.c in the Linux kernel
2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to
itself through calls to the fput function, which allows local users
to cause a denial of service (panic) via vectors related to sending
an SCM_RIGHTS message through a UNIX domain socket and closing file
descriptors. (CVE-2008-5029)

Additionaly, support for a broadcom bluetooth dongle was added to btusb
driver, an eeepc shutdown hang caused by snd-hda-intel was fixed,
a Realtek auto-mute bug was fixed, the pcspkr driver was reenabled,
an acpi brightness setting issue on some laptops was fixed, sata_nv
(NVidia) driver bugs were fixed, horizontal mousewheel scrolling
with Logitech V150 mouse was fixed, and more. Check the changelog
and related bugs for more details.

This kernel also fixes the driver for Intel G45/GM45 video chipsets,
in a way requiring also an updated Xorg driver, which is also being
provided in this update.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Thunderbird program, version 2.0.0.18
(CVE-2008-5012, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017,
CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024,
CVE-2008-5052).

This update provides the latest Thunderbird to correct these issues.

A heap overflow was found in the CDDB retrieval code of libcdaudio,
which could result in the execution of arbitrary code (CVE-2008-5030).

In addition, the fixes for CVE-2005-0706 were not applied to newer
libcdaudio packages as shipped with Mandriva Linux, so the patch to fix
that issue has been applied to 2008.1 and 2009.0 (this was originally
fixed in MDKSA-2005:075). This issue is a buffer overflow flaw found
by Joseph VanAndel. Corporate 3.0 has this fix already applied.

The updated packages have been patched to prevent these issues.

The LIRC packages included with Mandriva Linux 2008 and Mandriva Linux
2008 Spring did not include the 'commandir' module, which is necessary
(along with the 'lirc_cmdir' module) to properly support CommandIR
remote controls.

These updated packages do include the module.

The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.4 allowed attackers to
bypass intended access restrictions by using the 'k' right to create
unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevents the use of
dovecot's 'deliver' command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message 'Time just moved backwards
by X seconds. This might cause a lot of problems, so I'll just kill
myself now.' The update resolves both these problems. The default
permissions on dovecot.conf now allow the 'deliver' command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
'deliver' command still does not work following the update, please
run these commands as root:

# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf

Dovecot's initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.

This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The snd_seq_oss_synth_make_info function in
sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux
kernel before 2.6.27-rc2 does not verify that the device number is
within the range defined by max_synthdev before returning certain
data to the caller, which allows local users to obtain sensitive
information. (CVE-2008-3272)

Unspecified vulnerability in the 32-bit and 64-bit emulation in the
Linux kernel 2.6.9, 2.6.18, and probably other versions allows local
users to read uninitialized memory via unknown vectors involving a
crafted binary. (CVE-2008-0598)

The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c
in the vfs implementation in the Linux kernel before 2.6.25.15 does
not prevent creation of a child dentry for a deleted (aka S_DEAD)
directory, which allows local users to cause a denial of service
(overflow of the UBIFS orphan area) via a series of attempted file
creations within deleted directories. (CVE-2008-3275)

Integer overflow in the sctp_setsockopt_auth_key function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows
remote attackers to cause a denial of service (panic) or possibly have
unspecified other impact via a crafted sca_keylength field associated
with the SCTP_AUTH_KEY option. (CVE-2008-3525)

fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23
does not properly zero out the dio struct, which allows local users
to cause a denial of service (OOPS), as demonstrated by a certain
fio test. (CVE-2007-6716)

fs/open.c in the Linux kernel before 2.6.22 does not properly strip
setuid and setgid bits when there is a write to a file, which allows
local users to gain the privileges of a different group, and obtain
sensitive information or possibly have unspecified other impact,
by creating an executable file in a setgid directory through the (1)
truncate or (2) ftruncate function in conjunction with memory-mapped
I/O. (CVE-2008-4210)

Additionaly, support for Intel's ICH9 controller was added, and 'tg3'
driver was updated to version 3.71b.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Update:

Support for Intel's ICH9 controller and the updated 'tg3' driver were
actually missing in the previous update, this new update adds them.

The OpenVPN package that shipped with Mandriva Linux 2009.0 does not
come with pkcs11 support, which meant that pkcs11 could not be used
together with OpenVPN. This updated package fixes this problem.

mdadm would crash during bootup when trying to activate several raid10
devices, dropping the system in maintenance mode, where you had to
manually reactivate the missing raid10 sets in order to continue
the boot.

The updated mdadm fixes this issue, allowing systems with raid10 to
boot normally.

Since version 6.14.9 Urpmi would spontaneously un-ignore any updated
medias.

This update fixes that regression.

This update fixes errors in be-latin1, be2-latin1, ro-comma,
ro-academic, and gr-utf8 keymaps, shipped on Mandriva Linux 2008
Spring and Mandriva Linux 2009.

Under certain conditions, imwheel would enter an infinite loop and
force the X server to consume a lot of CPU time, rendering the system
unusable.

This update fixes the issue.

The kdeeject command did not work, which resulted in a user being
able to unmount, but not eject, removable devices. This package
update corrects the issue.