
[DONE] wml://{security/2001/dsa-030.wml}



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- --- english/security/2001/dsa-030.wml	2002-04-23 19:39:45.000000000 +0600
+++ russian/security/2001/dsa-030.wml	2016-07-07 18:55:26.283357574 +0500
@@ -1,74 +1,74 @@
- -<define-tag moreinfo>Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox,
- -and others have noted a number of problems in several components of the X
- -Window System sample implementation (from which XFree86 is derived). While
- -there are no known reports of real-world malicious exploits of any of these
- -problems, it is nevertheless suggested that you upgrade your XFree86 packages
- -immediately.
+#use wml::debian::translation-check translation="1.5" maintainer="Lev Lamberov"
+<define-tag moreinfo>Ð?Ñ?иÑ? ЭванÑ?, Ð?жозеÑ? Ð?айеÑ?Ñ?, Ð?иÑ?ал Ð?алевÑ?кий, Ð?лан Ð?окÑ?
+и дÑ?Ñ?гие оÑ?меÑ?или Ñ?Ñ?д пÑ?облем в некоÑ?оÑ?Ñ?Ñ? компоненÑ?аÑ? обÑ?азÑ?овой
+Ñ?еализаÑ?ии X Window System (на оÑ?нове коÑ?оÑ?ой Ñ?оздана Ñ?иÑ?Ñ?ема XFree86). ХоÑ?Ñ?
+нам не извеÑ?Ñ?но о Ñ?еалÑ?ном иÑ?полÑ?зовании Ñ?Ñ?иÑ? пÑ?облем злоÑ?мÑ?Ñ?ленниками,
+наÑ?Ñ?оÑ?Ñ?елÑ?но Ñ?екомендÑ?еÑ?Ñ?Ñ? обновиÑ?Ñ? пакеÑ?Ñ? XFree86.
 
 <p>
- -The scope of this advisory is XFree86 3.3.6 only, since that is the version
- -released with Debian GNU/Linux 2.2 ("potato"); Debian packages of XFree86 4.0
- -and later have not been released as part of a Debian distribution.
+Ð?аннаÑ? Ñ?екомендаÑ?иÑ? каÑ?аеÑ?Ñ?Ñ? Ñ?олÑ?ко XFree86 веÑ?Ñ?ии 3.3.6, поÑ?колÑ?кÑ? Ñ?Ñ?а веÑ?Ñ?иÑ?
+вÑ?пÑ?Ñ?ена в Ñ?оÑ?Ñ?аве Debian GNU/Linux 2.2 ("potato"); пакеÑ?Ñ? XFree86 4.0
+и более поздниÑ? веÑ?Ñ?ий не бÑ?ли вÑ?пÑ?Ñ?енÑ? в Ñ?оÑ?Ñ?аве диÑ?Ñ?Ñ?ибÑ?Ñ?ива Debian.
 
 <p>
- -Several people are responsible for authoring the fixes to these problems,
- -including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard, David
- -Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden Robinson.
+Ð?вÑ?оÑ?ам иÑ?пÑ?авлений Ñ?Ñ?иÑ? пÑ?облем Ñ?влÑ?Ñ?Ñ?Ñ?Ñ? неÑ?колÑ?ко Ñ?еловек,
+вклÑ?Ñ?аÑ? Ð?аÑ?она Ð?Ñ?мпбела, Ð?аÑ?ло ЦезаÑ? Ð?еÑ?ейÑ?а да Ð?ндÑ?аде, Ð?иÑ? Ð?акаÑ?д, Ð?Ñ?вид
+Ð?аÑ?Ñ?, Ð?аÑ?Ñ?Ñ? ХеÑ?б, ТÑ?евоÑ? Ð?жонÑ?он, Ð?олин ФипÑ? и Ð?Ñ?Ñ?нден РобинÑ?он.
 
 <ul>
- -<li>The X servers are vulnerable to a denial-of-service attack during
- -XC-SECURITY protocol negotiation.
- -<li>X clients based on Xlib (which is most of them) are subject to potential
- -buffer overflows in the _XReply() and _XAsyncReply() functions if they connect
- -to a maliciously-coded X server that places bogus data in its X protocol
- -replies. NOTE: This is only an effective attack against X clients running
- -with elevated privileges (setuid or setgid programs), and offers potential
- -access only to the elevated privilege. For instance, the most common setuid X
- -client is probably xterm. On many Unix systems, xterm is setuid root; in Debian
- -2.2, xterm is only setgid utmp, which means that an effective exploit is
- -limited to corruption of the lastlog, utmp, and wtmp files --
- -<strong>not</strong> general
- -root access. Also note that the attacker must already have sufficient
- -privileges to start such an X client and successfully connect to the X server.
- -<li>There is a buffer overflow (not stack-based) in xdm's XDMCP code.
- -<li>There is a one-byte overflow in Xtrans.c.
- -<li>Xtranssock.c is also subject to buffer overflow problems.
- -<li>There is a buffer overflow with the -xkbmap X server flag.
- -<li>The MultiSrc widget in the Athena widget library handle temporary files
- -insecurely.
- -<li>The imake program handles temporary files insecurely when executing install
- -rules.
- -<li>The ICE library is subject to buffer overflow attacks.
- -<li>The xauth program handles temporary files insecurely.
- -<li>The XauLock() function in the Xau library handles temporary files
- -insecurely.
- -<li>The gccmakedep and makedepend programs handle temporary files insecurely.
+<li>X-Ñ?еÑ?веÑ?Ñ? Ñ?Ñ?звимÑ? к оÑ?казÑ? в обÑ?лÑ?живании во вÑ?емÑ?
+Ñ?оглаÑ?ованиÑ? по пÑ?оÑ?околÑ? XC-SECURITY.
+<li>X-клиенÑ?Ñ? на оÑ?нове Xlib (болÑ?Ñ?инÑ?Ñ?во клиенÑ?ов) Ñ?Ñ?звимоÑ? к поÑ?енÑ?иалÑ?нÑ?м
+пеÑ?еполнениÑ?м бÑ?Ñ?еÑ?а в Ñ?Ñ?нкÑ?иÑ?Ñ? _XReply() и _XAsyncReply() в Ñ?ом Ñ?лÑ?Ñ?ае, еÑ?ли они Ñ?оединенÑ?
+Ñ? некоÑ?Ñ?екÑ?нÑ?м X-Ñ?еÑ?веÑ?ом, помеÑ?аÑ?Ñ?им подделÑ?нÑ?е даннÑ?е в оÑ?веÑ?Ñ? по пÑ?оÑ?околÑ?
+X. Ð?Ð?Ð?Ð?Ð?Ð?Ð?Ð?: Ñ?Ñ?и каÑ?аеÑ?Ñ?Ñ? Ñ?олÑ?ко X-клиенÑ?ов, запÑ?Ñ?еннÑ?Ñ? Ñ? повÑ?Ñ?еннÑ?ми
+пÑ?ивилегиÑ?ми (пÑ?огÑ?аммÑ? Ñ? Ñ?лагами пÑ?ав доÑ?Ñ?Ñ?па, позволÑ?Ñ?Ñ?ими запÑ?Ñ?каÑ?Ñ? из оÑ? лиÑ?а владелÑ?Ñ?а или гÑ?Ñ?ппÑ? владелÑ?Ñ?а), и
+даÑ?Ñ? поÑ?енÑ?иалÑ?нÑ?й доÑ?Ñ?Ñ?п Ñ?олÑ?ко к повÑ?Ñ?еннÑ?м пÑ?ивилегиÑ?м. Ð?апÑ?имеÑ?, болÑ?Ñ?ее колиÑ?еÑ?Ñ?во обÑ?Ñ?нÑ?Ñ? X-клиенÑ?ов
+Ñ? Ñ?аким Ñ?лагом доÑ?Ñ?Ñ?па Ñ?влÑ?Ñ?Ñ?Ñ?Ñ? xterm. Ð? болÑ?Ñ?инÑ?Ñ?ве Ñ?иÑ?Ñ?ем Unix Ñ? xterm Ñ?Ñ?Ñ?ановлен Ñ?лаг пÑ?ав доÑ?Ñ?Ñ?па, позволÑ?Ñ?Ñ?ий запÑ?Ñ?каÑ?Ñ? пÑ?огÑ?аммÑ? оÑ? лиÑ?а
+Ñ?Ñ?пеÑ?полÑ?зоваÑ?елÑ?; в Debian 2.2 xterm имееÑ? Ñ?акой Ñ?лаг гÑ?Ñ?ппÑ? utmp, Ñ?Ñ?о ознаÑ?аеÑ?, Ñ?Ñ?о злоÑ?мÑ?Ñ?ленник можеÑ?
+повÑ?едиÑ?Ñ? Ñ?олÑ?ко Ñ?айлÑ? lastlog, utmp и wtmp, но
+<strong>не</strong> можеÑ? полÑ?Ñ?иÑ?Ñ? доÑ?Ñ?Ñ?п
+Ñ? пÑ?авами Ñ?Ñ?пеÑ?полÑ?зоваÑ?елÑ?. Также замеÑ?Ñ?Ñ?е, Ñ?Ñ?о злоÑ?мÑ?Ñ?ленник должен обладаÑ?Ñ? доÑ?Ñ?аÑ?оÑ?нÑ?ми
+пÑ?ивилегиÑ?ми длÑ? запÑ?Ñ?ка Ñ?акого X-клиенÑ?а и должен Ñ?Ñ?пеÑ?но Ñ?оединиÑ?Ñ?Ñ?Ñ? Ñ? X-Ñ?еÑ?веÑ?ом.
+<li>Ð?еÑ?еполнение бÑ?Ñ?еÑ?а (не Ñ?Ñ?ека) в коде XDMCP в xdm.
+<li>Ð?еÑ?еполнение на один байÑ? в Xtrans.c.
+<li>Также Xtranssock.c имееÑ? пÑ?облемÑ? Ñ? пеÑ?еполнение бÑ?Ñ?еÑ?а.
+<li>Ð?еÑ?еполнение бÑ?Ñ?еÑ?а пÑ?и иÑ?полÑ?зовании Ñ?лага X-Ñ?еÑ?веÑ?а -xkbmap.
+<li>Ð?иджеÑ? MultiSrc в библиоÑ?еке виджеÑ?ов Athena обÑ?абаÑ?Ñ?ваеÑ? вÑ?еменнÑ?е Ñ?айлÑ?
+небезопаÑ?нÑ?м обÑ?азом.
+<li>Ð?Ñ?огÑ?амма imake обÑ?абаÑ?Ñ?ваеÑ? вÑ?еменнÑ?е Ñ?айлÑ? небезопаÑ?нÑ?м обÑ?азом пÑ?и вÑ?полнении
+пÑ?авил Ñ?Ñ?Ñ?ановки.
+<li>Ð?иблиоÑ?ека ICE подвеÑ?жена пеÑ?еполнениÑ?м бÑ?Ñ?еÑ?а.
+<li>Ð?Ñ?огÑ?амма xauth обÑ?абаÑ?Ñ?ваеÑ? вÑ?еменнÑ?е Ñ?айлÑ? небезопаÑ?нÑ?м обÑ?азом.
+<li>ФÑ?нкÑ?иÑ? XauLock() в библиоÑ?еке Xau обÑ?абаÑ?Ñ?ваеÑ? вÑ?еменнÑ?е Ñ?айлÑ?
+небезопаÑ?нÑ?м обÑ?азом.
+<li>Ð?Ñ?огÑ?аммÑ? gccmakedep и makedepend обÑ?абаÑ?Ñ?ваÑ?Ñ? вÑ?еменнÑ?е Ñ?айлÑ? небезопаÑ?нÑ?м обÑ?азом.
 </ul>
- -All of the above issues are resolved by this security release.
+Ð?Ñ?е Ñ?казаннÑ?е вÑ?Ñ?е пÑ?облемÑ? иÑ?пÑ?авленÑ? в наÑ?Ñ?оÑ?Ñ?ем вÑ?пÑ?Ñ?ке.
 
- -<p>There are several other XFree86 security issues commonly discussed in conjunction with the above, to which an up-to-date Debian 2.2 system is
- -<strong>NOT</strong> vulnerable:
+<p>Ð?меÑ?Ñ?е Ñ? Ñ?казаннÑ?ми вÑ?Ñ?е пÑ?облемами обÑ?Ñ?но обÑ?Ñ?ждаÑ?Ñ? некоÑ?оÑ?Ñ?е дÑ?Ñ?гие пÑ?облемÑ? безопаÑ?ноÑ?Ñ?и XFree86, но они <strong>не</strong>
+каÑ?аÑ?Ñ?Ñ?Ñ? Ñ?иÑ?Ñ?емÑ? Debian 2.2:
 
 <ul>
- -<li>There are 4 distinct problems with Xlib's XOpenDisplay() function in which
- -a maliciously coded X server could cause a denial-of-service attack or buffer
- -overflow. As before, this is only an effective attack against X clients running
- -with elevated privileges, and the attacker must already have sufficient
- -privileges to start such an X client and successfully connect to the X server.
- -Debian 2.2 and 2.2r1 are only vulnerable to one of these problems, because we
- -applied patches to XFree86 3.3.6 to correct the other three. An additional
- -patch applied for Debian 2.2r2 corrected the fourth.
- -<li>The AsciiSrc widget in the Athena widget library handles temporary files
- -insecurely. Debian 2.2r2 is not vulnerable to this problem because we applied a
- -patch to correct it.
- -<li>The imake program uses mktemp() instead of mkstemp(). This problem does not
- -exist in XFree86 3.3.6, and therefore no release of Debian 2.2 is affected.
+<li>Ð? Ñ?Ñ?нкÑ?ии XOpenDisplay() из Xlib имееÑ?Ñ?Ñ? 4 Ñ?азнÑ?Ñ? пÑ?облемÑ?, коÑ?оÑ?Ñ?е позволÑ?Ñ?Ñ?
+некоÑ?Ñ?екÑ?номÑ? X-Ñ?еÑ?веÑ?Ñ? вÑ?зваÑ?Ñ? оÑ?каз в обÑ?лÑ?живании или пеÑ?еполнение
+бÑ?Ñ?еÑ?а. Ð?ак и Ñ?казаннаÑ? вÑ?Ñ?е пÑ?облема Ñ?Ñ?о каÑ?аеÑ?Ñ?Ñ? Ñ?олÑ?ко X-клиенÑ?ов, запÑ?Ñ?еннÑ?Ñ?
+Ñ? повÑ?Ñ?еннÑ?ми пÑ?ивилегиÑ?ми, а злоÑ?мÑ?Ñ?ленник должен обладаÑ?Ñ? доÑ?Ñ?аÑ?оÑ?нÑ?ми
+пÑ?ивилегиÑ?ми длÑ? запÑ?Ñ?ка Ñ?акого X-клиенÑ?а и должен Ñ?Ñ?пеÑ?но подклÑ?Ñ?иÑ?Ñ?Ñ?Ñ? к X-Ñ?еÑ?веÑ?Ñ?.
+Debian 2.2 и 2.2r1 Ñ?Ñ?звимÑ? Ñ?олÑ?ко к Ñ?казанной вÑ?Ñ?е пÑ?облеме, а не к Ñ?Ñ?ой, Ñ?ак как мÑ?
+пÑ?именили заплаÑ?Ñ? к XFree86 3.3.6 Ñ? Ñ?ем, Ñ?Ñ?обÑ? иÑ?пÑ?авиÑ?Ñ? дÑ?Ñ?гие Ñ?Ñ?и пÑ?облемÑ?. Ð?
+Debian 2.2r2 бÑ?ла пÑ?именена дополниÑ?елÑ?наÑ? заплаÑ?а, иÑ?пÑ?авлÑ?Ñ?Ñ?аÑ? Ñ?еÑ?вÑ?Ñ?Ñ?Ñ?Ñ? пÑ?облемÑ?.
+<li>Ð?иджеÑ? AsciiSrc в библиоÑ?еке виджеÑ?ов Athena обÑ?абаÑ?Ñ?ваеÑ? вÑ?еменнÑ?е Ñ?айлÑ?
+небезопаÑ?нÑ?м обÑ?азом. Debian 2.2r2 не Ñ?одеÑ?жиÑ? Ñ?Ñ?Ñ? Ñ?Ñ?звимоÑ?Ñ?Ñ?, Ñ?ак как мÑ? пÑ?именили
+заплаÑ?Ñ? длÑ? еÑ? иÑ?пÑ?авлениÑ?.
+<li>Ð?Ñ?огÑ?амма imake иÑ?полÑ?зÑ?еÑ? mktemp() вмеÑ?Ñ?о mkstemp(). ЭÑ?а пÑ?облема оÑ?Ñ?Ñ?Ñ?Ñ?Ñ?вÑ?еÑ?
+в XFree86 3.3.6, а поÑ?омÑ? вÑ?пÑ?Ñ?к Debian 2.2 еÑ? не подвеÑ?жен.
 </ul>
 
- -These problems have been fixed in version 3.3.6-11potato32 and we recommend
- -that you upgrade your X packages immediately.
+ЭÑ?и пÑ?облемÑ? бÑ?ли иÑ?пÑ?авленÑ? в веÑ?Ñ?ии 3.3.6-11potato32, Ñ?екомендÑ?еÑ?Ñ?Ñ? как можно
+Ñ?коÑ?ее обновиÑ?Ñ? пакеÑ? X.
 </define-tag>
- -<define-tag description>buffer overflow, insecure tempfile handling, denial-of-service attack</define-tag>
+<define-tag description>пеÑ?еполнение бÑ?Ñ?еÑ?а, небезопаÑ?наÑ? обÑ?абоÑ?ка вÑ?еменнÑ?Ñ? Ñ?айлов, оÑ?каз в обÑ?лÑ?живании</define-tag>
 
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/2001/dsa-030.data'
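Review bot: In the first item of the second list (the XOpenDisplay() paragraph), the translated sentence about Debian 2.2 and 2.2r1 does not match the source, as far as the Cyrillic can be read through the encoding damage. The English says "Debian 2.2 and 2.2r1 are only vulnerable to one of these problems", meaning one of the four XOpenDisplay() problems. The translation instead says those releases are vulnerable only to the problem mentioned above and not to this one, which changes the statement of which releases are affected. Suggest rendering it as "уязвимы только к одной из этих проблем". Two smaller points in the first list: the Xtranssock.c item needs the instrumental case after "с" ("с переполнением буфера"), and the setuid/setgid parenthetical in the _XReply() item has a stray "из" before "от лица".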
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

