B.88. spice-xpi

The spice-xpi package provides a plug-in that allows the SPICE client to run from within Mozilla Firefox.

An uninitialized pointer use flaw was found in the SPICE Firefox plug-in. If a user were tricked into visiting a malicious web page with Firefox while the SPICE plug-in was enabled, it could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.

It was found that the SPICE Firefox plug-in used a predictable name for one of its log files. A local attacker could use this flaw to conduct a symbolic link attack, allowing them to overwrite arbitrary files accessible to the user running Firefox.

During an upgrade of the sssd package, the package manager restarts the sssd service to ensure the running instance is properly replaced with the newer version. However, prior to this update, a race condition could occur upon the service shutdown, causing the parent process not to wait for its children to terminate. When this happened, these running sub-processes may have prevented sssd from starting again. With this update, the sssd service has been corrected to wait for the children processes to terminate, so that it can be restarted as expected.

On 32-bit architectures, running the "getent passwd" command on a username with a very large user or group identifier (that is, UID or GID greater than 2147483647) resulted in an empty output. With this update, the underlying source code has been modified to address this issue, and the getent command now returns the expected output.

Previously, shutting down the sssd service (either by using the "service sssd stop" command, or with the SIGTERM signal) could cause the service to stop responding. This error has been fixed, and sssd no longer fails to shut down.

Previously, Kerberos applications running on the secondary architecture of a multilib platform (e.g. i686 on x86_64) would not be able to identify the Kerberos server for authentication. With this update, the Kerberos locator plugin is located in the sssd-client package to allow installation of both the 32-bit and 64-bit versions on 64-bit systems.

Previously, users would not always be assigned to all initgroups for which they were a member in LDAP. This could cause several issues related to group-based permissions. With this update, the initgroups() call always returns all groups for the specified user.

Previously, SSSD could remove legitimate groups that were only identified as a user's primary group when the cache cleanup routine ran. This could cause issues with group-based access control permissions such as access.conf and sudoers. With this update, SSSD checks also whether there are users who have this group as their primary group ID.

An access restriction bypass flaw was found in the mod_dav_svn module. If the SVNPathAuthz directive was set to "short_circuit", certain access rules were not enforced, possibly allowing sensitive repository data to be leaked to remote users. Note that SVNPathAuthz is set to "On" by default.

A server-side memory leak was found in the Subversion server. If a malicious, remote user performed "svn blame" or "svn log" operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory.

A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default.

A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests to lock working copy paths in a repository. A remote attacker could issue a lock request that could cause the httpd process serving the request to crash.

Due to recent changes in the /proc/interrupts format, running the "mpstat -I ALL" command did not produce the correct output. With this update, the mpstat utility has been updated to recognize the new format, and running the above command now works as expected.

On a system with a running KVM virtual machine and under very special circumstances, the mpstat utility may have produced an output that contained incorrect values. This error no longer occurs, and the mpstat utility now always produces the correct output.

Prior to this update, certain dialog windows in the Tamil translation of the Firewall Configuration utility contained untranslated strings. With this update, the remaining strings have been translated into the Tamil language, so that dialog windows no longer contain English texts.

When creating users, or more specifically their home directories, system-config-users relied on the access() system call to check if a directory was writable (and, consequently, whether a new home directory could be created in the requested location).

The access() system call returns reliable information for POSIX-compliant (or mostly POSIX-compliant) file-systems only. In some cases, therefore, relying on the information returned by access() could result in user creation failing.

If, for example, system-config-users was directed to create a user with a home folder in a directory managed by an auto-mounter (such as /net), access() returned inaccurate information and user creation subsequently failed.

With this update, system-config-users no longer relies on access(), or other operating system functions, in such cases: it now attempts to create the home directory and checks whether it has succeeded in doing so.

As well, if the chosen location is not writable, system-config-users returns an alert to this effect and requests 'a writable location' be chosen rather than simply writing errors to the terminal and failing.

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

It was discovered that staprun did not check if the module to be unloaded was previously loaded by SystemTap. A local, unprivileged user could use this flaw to unload an arbitrary kernel module that was not in use.

This enhancement update adds the tdb-tools packages to Red Hat Enterprise Linux 6.

A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird had loaded.

A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory.

Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

This update adds support for the Sanitiser for OpenType (OTS) library to Thunderbird. This library helps prevent potential exploits in malformed OpenType fonts by verifying the font file prior to use.

Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

A flaw was found in the way Thunderbird handled malformed JPEG images. An HTML mail message containing a malicious JPEG image could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

The RHSA-2011:0312 and RHSA-2011:0311 updates introduced a regression, preventing some Java content and plug-ins written in Java from loading. With this update, the Java content and plug-ins work as expected.

Several flaws were found in the processing of malformed HTML content. An HTML mail message containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird.

An arbitrary memory write flaw was found in the way Thunderbird handled out-of-memory conditions. If all memory was consumed when a user viewed a malicious HTML mail message, it could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird.

An integer overflow flaw was found in the way Thunderbird handled the HTML frameset tag. An HTML mail message with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird.

A flaw was found in the way Thunderbird handled the HTML iframe tag. An HTML mail message with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird.

A flaw was found in the way Thunderbird displayed multiple marquee elements. A malformed HTML mail message could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird.

A flaw was found in the way Thunderbird handled the nsTreeSelection element. Malformed content could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird.

A directory traversal flaw was found in the Thunderbird resource:// protocol handler. Malicious content could cause Thunderbird to access arbitrary files accessible to the user running Thunderbird.

A double free flaw was found in the way Thunderbird handled "application/http-index-format" documents. A malformed HTTP response could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird.

A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially-crafted HTTP request.

A flaw was found in the Tomcat NIO (Non-Blocking I/O) connector. A remote attacker could use this flaw to cause a denial of service (out-of-memory condition) via a specially-crafted request containing a large NIO buffer size request value.

A bug in the "tomcat6" init script prevented additional Tomcat instances from starting. As well, running "service tomcat6 start" caused configuration options applied from "/etc/sysconfig/tomcat6" to be overwritten with those from "/etc/tomcat6/tomcat6.conf". With this update, multiple instances of Tomcat run as expected.

Prior to this update, I/O scheduler changes were not applied to device mapper (dm) devices, which affected the enterprise-storage, latency-performance and throughput-performance profiles. This error has been fixed, device mapper devices have been added to the "ELEVATOR_TUNE_DEVS" list, and I/O scheduler changes are now applied to all devices as expected.

When a mingetty session is terminated, the relevant entry in the utmp table is now correctly set to "DEAD_PROCESS".

To address problems with iSCSI root devices not being checked with the fsck utility, Red Hat Enterprise Linux 5.2 introduced the "_rnetdev" mount option. However, this functionality was missing in the package for Red Hat Enterprise Linux 6. With this update, the mount utility has been updated to support this option.

A flaw was discovered in the way vsftpd processed file name patterns. An FTP user could use this flaw to cause the vsftpd process to use an excessive amount of CPU time, when processing a request with a specially-crafted file name pattern.

Multiple memory corruption flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Multiple use-after-free flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Two array index errors, leading to out-of-bounds memory reads, were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash.

A flaw in WebKit could allow malicious web content to trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.

It was found that WebKit did not correctly restrict read access to images created from the "canvas" element. Malicious web content could allow a remote attacker to bypass the same-origin policy and potentially access sensitive image data.

A flaw was found in the way WebKit handled DNS prefetching. Even when it was disabled, web content containing certain "link" elements could cause WebKitGTK+ to perform DNS prefetching.

A heap-based buffer overflow flaw was found in the Wireshark Local Download Sharing Service (LDSS) dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

A denial of service flaw was found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

An array index error, leading to a stack-based buffer overflow, was found in the Wireshark ENTTEC dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

A heap-based buffer overflow flaw was found in the Wireshark MAC-LTE dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

A heap-based buffer overflow flaw was found in the way Wireshark processed signaling traces generated by the Gammu utility on Nokia DCT3 phones running in Netmonitor mode. If Wireshark opened a specially-crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

Previously, xguest installed its 'sabayon' profile file in the wrong directory. This would cause packagekit and seapplet to be started by default for the xguest user. With this update, the 'sabayon' profile file is installed in the correct directory.

When using the xql driver, only a limited number of resolution choices were available for use inside the guest, none of which exceeded 1024x768 in size unless the xorg.conf configuration file was (first created, and then) manually edited. This update ensures that larger resolutions are available for guests with appropriate hardware without needing to manually change xorg.conf.

When using the qxl driver, after connecting to a virtual guest over the SPICE protocol and logging into a desktop session from the GDM display manager, attempting to switch to a virtual console using a key combination caused the X server to crash, and GDM to respawn. This update fixes this issue so that, in the aforementioned situation, switching to a virtual console and back to the graphical desktop works as expected.

Changing the screen mapping caused the wacompl GUI to become unresponsive. With this update, changing the screen mapping works as expected.

Attempting to calibrate a device could have failed with an error message. With this update, calibration now succeeds.

Prior to this update, when the X Window System was unable to detect a monitor and obtain valid extended display identification data (EDID), it set the default resolution limit to 800x600. Consequent to this, users of the "mga" driver for Matrox video cards were unable to select a screen resolution higher than 800x600. This update increases the default limit to 1024x768, allowing users of Matrox video cards to select this resolution as expected.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially-crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name.

A previous advisory, the RHSA-2011:0433 xorg-x11-server-utils security update, applied a backported patch to fix a flaw in the X server resource database utility, xrdb. While this patch resolved the security issue, it also introduced an error in the macro expansion mechanism. Consequent to this, an attempt to run the xrdb utility could fail with the following messages written to standard error:

sh: -c: line 0: unexpected EOF while looking for matching `"'sh: -c: line 1: syntax error: unexpected end of file

With this update, the underlying source code has been adapted to correct the macro expansion mechanism, and the xrdb utility now works as expected.

Previously, yaboot netboot failed to operate in an environment where the gateway is not same as the 'tftp' server, even though the 'tftp' server is on the same subnet. This issue was caused by yaboot's inability to check whether an IP address is valid. With this update, an IP address validity check has been added that resolves this issue.

Previously, yum treated packages that provide kernel-modules as install-only packages. With this update, the install-only option has been removed.

Previously, the "/var/cache/yum/" directory kept accumulating multiple '.sqlite' files and never cleaned them out. With this update, the '.sqlite' are automatically cleaned up.

These packages have been updated to support the Red Hat Network Satellite Server Maintenance Window, allowing a user to download scheduled packages and errata before the start of the maintenance window.