Mageia alert MGASA-2012-0209 (gypsy)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2012-0209: gypsy-0.8-2.1.mga (1, 2/core) 
Date:
    	     
 
Sun, 12 Aug 2012 20:33:51 +0200
Message-ID:
    	     
 
<20120812183351.GA11075@valstar.mageia.org>

MGASA-2012-0209
Date: 	August 12th, 2012
Affected releases: 	1, 2


Description:
Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading.
In the best case, this is a denial of service. Worst-case, this could
lead to information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via
nmeabuf and nmea_gpgsv(), which could be used in an attack
(CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies
a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps",
and "bluetooth" (which matches Bluetooth addresses)


Updated Packages:
Mageia 1:
gypsy-0.8-2.1.mga1
gypsy-devel-0.8-2.1.mga1
gypsy-docs-0.8-2.1.mga1
lib(64)gypsy0-0.8-2.1.mga1

Mageia 2:
gypsy-0.8-2.1.mga2
gypsy-devel-0.8-2.1.mga2
gypsy-docs-0.8-2.1.mga2
lib(64)gypsy0-0.8-2.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg000...
https://bugs.mageia.org/show_bug.cgi?id=6808
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...