Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

libxfont

  • Author: kikadf
  • Vulnerable: 1.4.5-2arcturus2
  • Unaffected: 1.4.5-2arcturus3

Integer overflow of allocations in font metadata file parsing could allow a local user who is already authenticated to the X server to overwrite other memory in the heap. Libxfont does not validate length fields when parsing xfs protocol replies, which allows writes past the bounds of allocated memory when storing the returned data from the font server. Integer overflows when calculating memory needs for xfs replies could result in allocating too little memory and then writing the returned data from the font server past the end of the allocated buffer.

libtiff

  • Author: kikadf
  • Vulnerable: 3.9.5-1
  • Unaffected: 3.9.5-2arcturus1

It was discovered that LibTIFF incorrectly handled certain malformed images when using the gif2tiff tool. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

CVEs:

openssl

  • Author: kikadf
  • Vulnerable: 1.0.1-5arcturus3
  • Unaffected: 1.0.1-5arcturus4

It was discovered that OpenSSL incorrectly handled memory in the do_ssl3_write() function. A remote attacker could use this issue to possibly cause OpenSSL to crash, resulting in a denial of service.

CVEs:

drupal6

  • Author: kikadf
  • Vulnerable: 6.30-1arcturus1
  • Unaffected: 6.31-1arcturus1

An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.

CVEs:

drupal7

  • Author: kikadf
  • Vulnerable: 7.22-2arcturus1
  • Unaffected: 7.22-2arcturus2

An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.

CVEs: