[sec-adv] Debian Mozart Unsafe Mailcap Configuration Vulnerability

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Tue Jul 08 2003 - 05:05:48 CDT


TITLE:
Debian Mozart Unsafe Mailcap Configuration Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9201/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Debian GNU/Linux unstable alias sid
Debian GNU/Linux 3.0

DESCRIPTION:
A vulnerability has been identified in Mozart installed on Debian
Linux, which potentially can be exploited by malicious people to
compromise a user's system.

The problem is that the entry in mailcap for Mozart passes Oz
applications directly to the Oz interpreter for execution. This could
be exploited to cause any program honouring the mailcap entry to
execute arbitrary code on a user's system with the privileges of the
user via, e.g., a malicious link in a browser.
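
The following is an added example, not part of the Secunia or Debian advisory: a small audit that parses mailcap text (RFC 1524 syntax) and reports entries whose view command hands the received file to an interpreter, which is the class of entry described above. The MIME type names, paths, interpreter list and sample entries are assumptions constructed for illustration, not the contents of the Mozart package.

```python
import os
import re
import shlex

# Assumed, site-tunable list of programs that execute whatever file they are given.
INTERPRETERS = {"sh", "bash", "perl", "python", "ozengine"}

# Constructed sample entries (type names and paths are illustrative assumptions).
SAMPLE = """\
text/plain; less '%s'; needsterminal
application/x-oz-application; /usr/bin/ozengine %s
application/x-example; perl /usr/lib/example/view.pl %s; \\
    description=Example viewer
"""

def parse_mailcap(text):
    """Return [(mime_type, view_command)] from RFC 1524 mailcap text."""
    entries = []
    logical = text.replace("\\\n", "")            # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        # Fields are separated by ';' unless escaped as '\;'.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            entries.append((fields[0].lower(), fields[1]))
    return entries

def executes_content(command):
    """True if the view command runs the received data as a program."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return True                               # unparseable: treat as unsafe
    if not argv:
        return False
    prog = os.path.basename(argv[0])
    if prog == "%s":                              # the received file itself is run
        return True
    # First non-option argument: a fixed script is fine, the received file is not.
    args = [a for a in argv[1:] if not a.startswith("-")]
    return prog in INTERPRETERS and (not args or args[0] == "%s")

def audit(text):
    """Return the entries that would execute untrusted content."""
    return [(t, c) for t, c in parse_mailcap(text) if executes_content(c)]

if __name__ == "__main__":
    for mime_type, command in audit(SAMPLE):
        print(f"UNSAFE {mime_type}: {command}")
```

On a real system the same functions can be run over the text of `/etc/mailcap` and `~/.mailcap`; a flagged entry should be removed or changed to open the file in a viewer or editor.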

SOLUTION:
Updated packages:

-- Debian GNU/Linux 3.0 alias woody --

Source archives:

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.dsc
Size/MD5 checksum: 737 db77a39aa2f010ec8834a711401f362b
http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.diff.gz
Size/MD5 checksum: 13985 dca9c9a8e6d7df6e8c8629f7a6c593c7
http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204.orig.tar.gz
Size/MD5 checksum: 11750595 6dd46e253d42fb3b28f92fbe679f0cca

Architecture independent components:

http://security.debian.org/pool/updates/main/m/mozart/mozart-doc-html_1.2.3.20011204-3woody1_all.deb
Size/MD5 checksum: 3715030 a9560d20cf60681d7e886ed67fafc39c

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_i386.deb
Size/MD5 checksum: 2603488 bf5ee9d14f658391b5b52635490b5f9b
http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_i386.deb
Size/MD5 checksum: 453818 38da640e3bc647ea2118caea3be5383a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_m68k.deb
Size/MD5 checksum: 2693506 773a378bf0d495ff06377fa6447a5bdd
http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_m68k.deb
Size/MD5 checksum: 455708 cd8bbdea2e3cb0c78a3fb536349457f3

PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_powerpc.deb
Size/MD5 checksum: 2713842 a2fe0fbe15568cced1ab30ca3afbb5f5
http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_powerpc.deb
Size/MD5 checksum: 461030 d0fb02a21bed8c59c23d1f2c4ba225e3

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_sparc.deb
Size/MD5 checksum: 2616888 adf887815d1f6a8544ef89cce8967bb6
http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_sparc.deb
Size/MD5 checksum: 452178 8767035f4d1e4df343b5b38c8b2a91e0

-- Debian GNU/Linux unstable alias sid --

Fixed in version 1.2.5.20030212-2.

REPORTED BY / CREDITS:
Micha Politowski

ORIGINAL ADVISORY:
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00139.html
