Full Disclosure mailing list archives
[Full-Disclosure] Objet :Full-disclosure Digest, Vol 1, Issue 2118 (De retour le mardi 28 décembre.)
From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Tue, 21 Dec 2004 18:38:56 +0100
En mon absence, toute demande concernant les réseaux doit être envoyée au mail : ars_reseaux () tdf fr ou (ars_transpac pour tout incident lié à ce réseau) En cas d'urgence, Vous pouvez contacter : La Hot-line Réseaux : 01 49 15 32 53 François LEVEQUE au 01 49 15 30 56 Pascal PAINPARAY au 01 49 15 31 36. Bonnes fêtes de fin d'année. Christophe SAVIN
full-disclosure 12/20/04 18:01 >>>
Send Full-Disclosure mailing list submissions to
full-disclosure () lists netsys com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists netsys com
You can reach the person managing the list at
full-disclosure-owner () lists netsys com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Today's Topics:
1. [ GLSA 200412-21 ] MPlayer: Multiple overflows (Thierry Carrez)
2. RE: RE: Cipher Tool (Todd Towles)
3. [USN-42-1] Xine library vulnerabilities (Martin Pitt)
----------------------------------------------------------------------
Message: 1
Date: Mon, 20 Dec 2004 15:06:31 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200412-21 ] MPlayer: Multiple
overflows
To: gentoo-announce () lists gentoo org
Cc: security-alerts () linuxsecurity com, bugtraq () securityfocus com,
full-disclosure () lists netsys com
Message-ID: <41C6DC67.9010300 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MPlayer: Multiple overflows
Date: December 20, 2004
Bugs: #74473
ID: 200412-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple overflow vulnerabilities have been found in MPlayer,
potentially resulting in remote executing of arbitrary code.
Background
==========
MPlayer is a media player capable of handling multiple multimedia file
formats.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-video/mplayer <= 1.0_pre5-r4 >= 1.0_pre5-r5
Description
===========
iDEFENSE, Ariel Berkman and the MPlayer development team found multiple
vulnerabilities in MPlayer. These include potential heap overflows in
Real RTSP and pnm streaming code, stack overflows in MMST streaming
code and multiple buffer overflows in BMP demuxer and mp3lib code.
Impact
======
A remote attacker could craft a malicious file or design a malicious
streaming server. Using MPlayer to view this file or connect to this
server could trigger an overflow and execute attacker-controlled code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MPlayer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_pre5-r5"
References
==========
[ 1 ] iDEFENSE Advisory
http://www.idefense.com/application/poi/display?id=168&type=vulnerabilities
[ 2 ] iDEFENSE Advisory
http://www.idefense.com/application/poi/display?id=167&type=vulnerabilities
[ 3 ] iDEFENSE Advisory
http://www.idefense.com/application/poi/display?id=166&type=vulnerabilities
[ 4 ] Ariel Berkman Advisory
http://tigger.uic.edu/~jlongs2/holes/mplayer.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200412-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.netsys.com/pipermail/full-disclosure/attachments/20041220/e2d182a7/signature-0001.bin
------------------------------
Message: 2
Date: Mon, 20 Dec 2004 08:23:49 -0600
From: "Todd Towles" <toddtowles () brookshires com>
Subject: RE: [Full-disclosure] RE: Cipher Tool
To: "James Tucker" <jftucker () gmail com>, "richard capistrano"
<mikoc02 () yahoo com>
Cc: full-disclosure () lists netsys com
Message-ID:
<9E97F0997FB84D42B221B9FB203EFA275CB4B4 () dc1ms2 msad brookshires net>
Content-Type: text/plain; charset="us-ascii"
Or you could go buy some of these and link them together to reach over a
distance.
The First Commercial Quantum Cryptography solution - encryption per
photon =)
http://www.magiqtech.com/index.php
-----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of James Tucker Sent: Wednesday, December 15, 2004 10:38 PM To: richard capistrano Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] RE: Cipher Tool Have you considered using secured network protocols on dedicated encryption hardware? or is that beyond the price point? Any cipher algorithm would be theoretically implementable (providing the length of data is suitable). If you are looking for _real_ performance though then ciphering may not be what you want as there isn't any good cipher that is really overly fast fast (deliberate double). There are other core pieces of the puzzle to be considered though, like are you going to be talking in a client less manner (i.e. is the client pre-configured or has the client never received secure comms before?) Is there a socket/tunnel already running? What is the rough length of the data set (impact readability and suitability for encryption algorithms)? What is the performance restriction (i.e. where is the bottleneck)? How secure do you need it, anti-fool, seconds, hours, years or millennial(might actually require more data storage than money can buy)? I raised an eyebrow at the last portion of your mail, "Is there a freeware or software or information, I can check out?". This would suggest that you are looking to put another program somewhere mid-flow in a data pipe; thats not always a good option. If you're really looking for speed and ease of implementation then something like a simple rotation cipher might work out for you, but this is going to be so poor a encryption that some cipher pro's could read it in its encrypted form. This is obviously no good if you're worried about credit card info, but is OK if it's just your girlfriend being a nosy ....... . On Tue, 14 Dec 2004 00:23:41 -0800 (PST), richard capistrano <mikoc02 () yahoo com> wrote:Hello, We are looking for a tool that can actually cipher or hash a particular portion of a file so that it will not display the particular field of a file. This will be applied to thefile so thatwhen it travels the network, the confidential field in thefile is notdisplayed in clear text. Due to performance issues, we cannot simply hash the whole file.Is there a freeware or software or information, I can check out? Thanks in advance. ________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
------------------------------ Message: 3 Date: Mon, 20 Dec 2004 16:34:37 +0100 From: Martin Pitt <martin.pitt () canonical com> Subject: [Full-disclosure] [USN-42-1] Xine library vulnerabilities To: ubuntu-security-announce () lists ubuntu com Cc: bugtraq () securityfocus com, full-disclosure () lists netsys com Message-ID: <20041220153437.GA10100 () box79162 elkhouse de> Content-Type: text/plain; charset="us-ascii" =========================================================== Ubuntu Security Notice USN-42-1 December 20, 2004 xine-lib vulnerabilities https://sourceforge.net/project/shownotes.php?group_id=9655&release_id=290099 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: libxine1 The problem can be corrected by upgrading the affected package to version 1-rc5-1ubuntu2.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Several buffer overflows have been discovered in xine-lib, the video/audio codec library for Xine frontends (xine-ui, totem-xine, kaffeine, and others). If an attacker tricked a user into loading a malicious RTSP stream or a stream with specially crafted AIFF audio or PNM image data, they could exploit this to execute arbitrary code with the privileges of the user opening the audio/video file. Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.1.diff.gz Size/MD5: 220103 36088cafe1ebf980e974121c75509342 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.1.dsc Size/MD5: 950 b91b838d1e93be1d6dbaf4e25fdcc0a2 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5.orig.tar.gz Size/MD5: 7052663 703c3e68d60524598d4d9e527fe38286 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.1_amd64.deb Size/MD5: 101304 3924c05126efb642a3a4caeb76fa103f http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.1_amd64.deb Size/MD5: 3542990 2b49a83c4ac8aee07480cbe4f0639802 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.1_i386.deb Size/MD5: 101282 650241599ab0b2b95e87e4ea998392ca http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.1_i386.deb Size/MD5: 3728702 b5aabac9ef7413d59ed599589876c5ab powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.1_powerpc.deb Size/MD5: 101296 604e0163adfa10406d729321977de6d5 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.1_powerpc.deb Size/MD5: 3886558 4aa25f9823981361dd44ec1f4a53f62f -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.netsys.com/pipermail/full-disclosure/attachments/20041220/2875d1b3/attachment-0001.bin ------------------------------ _______________________________________________ Full-Disclosure mailing list Full-Disclosure () lists netsys com https://lists.netsys.com/mailman/listinfo/full-disclosure End of Full-Disclosure Digest, Vol 1, Issue 2118 ************************************************ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Full-Disclosure] Objet :Full-disclosure Digest, Vol 1, Issue 2118 (De retour le mardi 28 décembre.) Christophe Savin (Dec 21)