[CLA-2003:769] Conectiva Security Announcement - sane

From: Conectiva Updates (secure_at_conectiva.com.br)
Date: 10/22/03

  • Next message: Steven M. Christey: ""Local" and "Remote" considered insufficient"
    Date: Wed, 22 Oct 2003 17:55:57 -0200
    To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : sane
    SUMMARY : Vulnerabilities in saned and in temporary files handling
    DATE : 2003-10-22 17:55:00
    ID : CLA-2003:769
    RELEVANT
    RELEASES : 7.0, 8, 9

    - -------------------------------------------------------------------------

    DESCRIPTION
     SANE (Scanner Access Now Easy) is an interface to both local and
     networked scanners and other image acquisition devices. The sane
     package contains several scanner drivers, utilities and saned, a
     application that allows the sharing of scanners across a network.
     
     This update fixes several vulnerabilities in the sane package:
     
     - Remote vulnerabilities in saned. These vulnerabilities can be
     exploited by remote attackers to cause a denial of service or even
     execute arbitrary code with the privileges of the user running saned
     (which is usually root). The Common Vulnerabilities and Exposures
     project (cve.mitre.org) has assigned[1,2,3,4,5,6] the names
     CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776,
     CAN-2003-0777 and CAN-2003-0778 to these issues.
     
     - Temporary file handling vulnerabilities (does not affect Conectiva
     Linux 9). In several sane backends (drivers), temporary files are
     created in an unsafe manner. A local attacker can exploit these
     vulnerabilities to overwrite arbitrary system or user files. The
     Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the name CAN-2001-0890[7] to this issue.
     
     The Conectiva Linux 9 package (sane-1.0.9) also includes fixes for a
     bug[8] in the plustek driver which may cause hardware damage in EPSON
     1260 scanners (previous versions do not contain the driver).

    SOLUTION
     All users of the sane package should upgrade.
     
     
     REFERENCES:
     1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0773
     2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0774
     3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0775
     4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0776
     5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0777
     6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0778
     7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0890
     8.http://www.gjaeger.de/scanner/plustek.html#epson

    UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-1.0.4-3U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-1.0.4-3U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-static-1.0.4-3U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sane-1.0.4-3U70_1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-1.0.6-3U80_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-1.0.6-3U80_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-static-1.0.6-3U80_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/SRPMS/sane-1.0.6-3U80_1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-1.0.9-23360U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-1.0.9-23360U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-static-1.0.9-23360U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/SRPMS/sane-1.0.9-23360U90_1cl.src.rpm

    ADDITIONAL INSTRUCTIONS
     The apt tool can be used to perform RPM packages upgrades:

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions reagarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    Copyright (c) 2003 Conectiva Inc.
    http://www.conectiva.com

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE/luDM42jd0JmAcZARAqfJAJ9Ua/3VDbbbbASQFDe303KOMFdXyQCdGwz4
    Fz1fwvgojBjRZSI4oODNbAE=
    =smmb
    -----END PGP SIGNATURE-----


  • Next message: Steven M. Christey: ""Local" and "Remote" considered insufficient"

    Relevant Pages