Multiple packages, Multiple vulnerabilities fixed in 2011 — GLSA 201412-09

This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information.

Affected Packages

games-sports/racer-bin on all architectures
Affected versions >= 0.5.0-r1
Unaffected versions
media-libs/fmod on all architectures
Affected versions < 4.38.00
Unaffected versions >= 4.38.00
dev-php/PEAR-Mail on all architectures
Affected versions < 1.2.0
Unaffected versions >= 1.2.0
sys-fs/lvm2 on all architectures
Affected versions < 2.02.72
Unaffected versions >= 2.02.72
app-office/gnucash on all architectures
Affected versions < 2.4.4
Unaffected versions >= 2.4.4
media-libs/xine-lib on all architectures
Affected versions < 1.1.19
Unaffected versions >= 1.1.19
media-sound/lastfmplayer on all architectures
Affected versions < 1.5.4.26862-r3
Unaffected versions >= 1.5.4.26862-r3
net-libs/webkit-gtk on all architectures
Affected versions < 1.2.7
Unaffected versions >= 1.2.7
sys-apps/shadow on all architectures
Affected versions < 4.1.4.3
Unaffected versions >= 4.1.4.3
dev-php/PEAR-PEAR on all architectures
Affected versions < 1.9.2-r1
Unaffected versions >= 1.9.2-r1
dev-db/unixODBC on all architectures
Affected versions < 2.3.0-r1
Unaffected versions >= 2.3.0-r1
sys-cluster/resource-agents on all architectures
Affected versions < 1.0.4-r1
Unaffected versions >= 1.0.4-r1
net-misc/mrouted on all architectures
Affected versions < 3.9.5
Unaffected versions >= 3.9.5
net-misc/rsync on all architectures
Affected versions < 3.0.8
Unaffected versions >= 3.0.8
dev-libs/xmlsec on all architectures
Affected versions < 1.2.17
Unaffected versions >= 1.2.17
x11-apps/xrdb on all architectures
Affected versions < 1.0.9
Unaffected versions >= 1.0.9
net-misc/vino on all architectures
Affected versions < 2.32.2
Unaffected versions >= 2.32.2
dev-util/oprofile on all architectures
Affected versions < 0.9.6-r1
Unaffected versions >= 0.9.6-r1
app-admin/syslog-ng on all architectures
Affected versions < 3.2.4
Unaffected versions >= 3.2.4
net-analyzer/sflowtool on all architectures
Affected versions < 3.20
Unaffected versions >= 3.20
gnome-base/gdm on all architectures
Affected versions < 3.8.4-r3
Unaffected versions >= 3.8.4-r3
net-libs/libsoup on all architectures
Affected versions < 2.34.3
Unaffected versions >= 2.34.3
app-misc/ca-certificates on all architectures
Affected versions < 20110502-r1
Unaffected versions >= 20110502-r1
dev-vcs/gitolite on all architectures
Affected versions < 1.5.9.1
Unaffected versions >= 1.5.9.1
dev-util/qt-creator on all architectures
Affected versions < 2.1.0
Unaffected versions >= 2.1.0

Background

For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild.

Description

Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details.

  • FMOD Studio
  • PEAR Mail
  • LVM2
  • GnuCash
  • xine-lib
  • Last.fm Scrobbler
  • WebKitGTK+
  • shadow tool suite
  • PEAR
  • unixODBC
  • Resource Agents
  • mrouted
  • rsync
  • XML Security Library
  • xrdb
  • Vino
  • OProfile
  • syslog-ng
  • sFlow Toolkit
  • GNOME Display Manager
  • libsoup
  • CA Certificates
  • Gitolite
  • QtCreator
  • Racer

Impact

A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions.

Workaround

There are no known workarounds at this time.

Resolution

All FMOD Studio users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
 

All PEAR Mail users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
 

All LVM2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
 

All GnuCash users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
 

All xine-lib users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
 

All Last.fm Scrobbler users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=media-sound/lastfmplayer-1.5.4.26862-r3"
 

All WebKitGTK+ users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
 

All shadow tool suite users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
 

All PEAR users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
 

All unixODBC users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
 

All Resource Agents users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=sys-cluster/resource-agents-1.0.4-r1"
 

All mrouted users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
 

All rsync users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
 

All XML Security Library users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
 

All xrdb users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
 

All Vino users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
 

All OProfile users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
 

All syslog-ng users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
 

All sFlow Toolkit users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
 

All GNOME Display Manager users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
 

All libsoup users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
 

All CA Certificates users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=app-misc/ca-certificates-20110502-r1"
 

All Gitolite users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
 

All QtCreator users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
 

Gentoo has discontinued support for Racer. We recommend that users unmerge Racer:

 # emerge --unmerge "games-sports/racer-bin"
 

NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues.

References

Release Date
December 11, 2014

Latest Revision
December 11, 2014: 2

Severity
high

Exploitable
local, remote

Bugzilla entries