ubuntu-security-announce Digest, Vol 95, Issue 5

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1526-1] KOffice vulnerability (Marc Deslauriers)
2. [USN-1525-1] Calligra vulnerability (Marc Deslauriers)
3. [USN-1527-1] Expat vulnerabilities (Tyler Hicks)


----------------------------------------------------------------------

Message: 1
Date: Thu, 09 Aug 2012 14:52:57 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1526-1] KOffice vulnerability
Message-ID: <1344538377.3207.95.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1526-1
August 09, 2012

koffice vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04

Summary:

KOffice could be made to crash or run programs as your login if it opened
a specially crafted file.

Software Description:
- koffice: KDE Office Suite

Details:

It was discovered that KOffice incorrectly handled certain malformed
MS Word documents. If a user or automated system were tricked into opening
a crafted MS Word file, an attacker could cause a denial of service or
execute arbitrary code with privileges of the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
koffice 1:2.3.3-0ubuntu6.1

Ubuntu 11.04:
koffice 1:2.3.3-0ubuntu4.1

After a standard system update you need to restart KOffice to make all the
necessary changes.

References:
http://www.ubuntu.com/usn/usn-1526-1
CVE-2012-3455

Package Information:
https://launchpad.net/ubuntu/+source/koffice/1:2.3.3-0ubuntu6.1
https://launchpad.net/ubuntu/+source/koffice/1:2.3.3-0ubuntu4.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120809/c974bda8/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 09 Aug 2012 14:52:31 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1525-1] Calligra vulnerability
Message-ID: <1344538351.3207.94.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1525-1
August 09, 2012

calligra vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Calligra could be made to crash or run programs as your login if it opened
a specially crafted file.

Software Description:
- calligra: integrated work applications suite

Details:

It was discovered that Calligra incorrectly handled certain malformed
MS Word documents. If a user or automated system were tricked into opening
a crafted MS Word file, an attacker could cause a denial of service or
execute arbitrary code with privileges of the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
calligra 1:2.4.0-0ubuntu2.1

After a standard system update you need to restart Calligra to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1525-1
CVE-2012-3456

Package Information:
https://launchpad.net/ubuntu/+source/calligra/1:2.4.0-0ubuntu2.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120809/8035ea84/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 9 Aug 2012 21:23:10 -0700
From: Tyler Hicks <tyhicks@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1527-1] Expat vulnerabilities
Message-ID: <20120810042310.GA15123@boyd>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1527-1
August 10, 2012

expat vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Expat could be made to cause a denial of service by consuming excessive CPU
and memory resources.

Software Description:
- expat: XML parsing C library - example application

Details:

It was discovered that Expat computed hash values without restricting the
ability to trigger hash collisions predictably. If a user or application linked
against Expat were tricked into opening a crafted XML file, an attacker could
cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876)

Tim Boddy discovered that Expat did not properly handle memory reallocation
when processing XML files. If a user or application linked against Expat were
tricked into opening a crafted XML file, an attacker could cause a denial of
service by consuming excessive memory resources. This issue only affected
Ubuntu 8.04 LTS, 10.04 LTS, 11.04 and 11.10. (CVE-2012-1148)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
lib64expat1 2.0.1-7.2ubuntu1.1
libexpat1 2.0.1-7.2ubuntu1.1
libexpat1-udeb 2.0.1-7.2ubuntu1.1

Ubuntu 11.10:
lib64expat1 2.0.1-7ubuntu3.11.10.1
libexpat1 2.0.1-7ubuntu3.11.10.1
libexpat1-udeb 2.0.1-7ubuntu3.11.10.1

Ubuntu 11.04:
lib64expat1 2.0.1-7ubuntu3.11.04.1
libexpat1 2.0.1-7ubuntu3.11.04.1
libexpat1-udeb 2.0.1-7ubuntu3.11.04.1

Ubuntu 10.04 LTS:
lib64expat1 2.0.1-7ubuntu1.1
libexpat1 2.0.1-7ubuntu1.1
libexpat1-udeb 2.0.1-7ubuntu1.1

Ubuntu 8.04 LTS:
lib64expat1 2.0.1-0ubuntu1.2
libexpat1 2.0.1-0ubuntu1.2
libexpat1-udeb 2.0.1-0ubuntu1.2

After a standard system upgrade you need to restart any applications linked
against Expat to effect the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1527-1
CVE-2012-0876, CVE-2012-1148

Package Information:
https://launchpad.net/ubuntu/+source/expat/2.0.1-7.2ubuntu1.1
https://launchpad.net/ubuntu/+source/expat/2.0.1-7ubuntu3.11.10.1
https://launchpad.net/ubuntu/+source/expat/2.0.1-7ubuntu3.11.04.1
https://launchpad.net/ubuntu/+source/expat/2.0.1-7ubuntu1.1
https://launchpad.net/ubuntu/+source/expat/2.0.1-0ubuntu1.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120809/538d6b92/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 95, Issue 5
*******************************************************