|
|
| |
|
| |
Security
Brief items
September 15, 2004
This article was contributed by Jake Edge.
Making sweeping statements about the security of a particular program
can come back to haunt you rather quickly as the recent case of a local
root exploit in cdrecord demonstrates. During a discussion of recent changes
in the 2.6 Linux kernel (as covered
by LWN), Jörg Schilling, the author of cdrecord, made a comment about
the security of that program:
Judging from the number of reports, I would guess that the Linux kernel is
much more insecure than cdrecord.
That statement could well be true, but in making it, Jörg may have
inspired someone to take a closer look at cdrecord.
Max Vozeler recently found that cdrecord fails to drop privileges when it executes
an external program, and that users can specify which external program is run
via the RSH environment variable. If cdrecord is
installed setuid root, any local user can exploit this vulnerability to
gain root access; multiple exploits have already been posted on bugtraq.
Jörg recommends installing
cdrecord as a setuid root.
cdrecord uses the elevated privileges to lock its buffers into physical
memory and to request real-time scheduling, both of which reduce the
chances of a buffer underrun. In addition, cdrecord opens the
SCSI device before dropping privileges back to that of the user who executed
it. In the case of a remote device, it executes the command to access
that device, but prior to this bug being fixed, it did that with
elevated privileges.
Other means for allowing non-root users to
burn CDs do exist, but they are less secure, according to Jörg:
What some people did (chmod on /dev/ entries) was definitely always a bigger
security risk than running cdrecord suid root.
Another alternative, which is used by some distribution vendors (notably
Red Hat and SuSE), is to disallow non-root users from burning CDs; clearly this
is the most secure choice, but can be inconvenient for users and
system administrators. Many administrators and some CD burning front end programs override
this choice and, in this case,
that could lead to a large security hole that may not be patched by the
distribution. To avoid this possibility, some distributions have issued
cdrecord updates even though they do not install the program in a setuid
mode; see the LWN vulnerability
entry for the current list.
Jörg has fixed this bug in the most recent version of his cdrtools
package (2.01a38, available from his
cdrecord page).
Comments (3 posted)
The announcements for the new releases from the Mozilla project discussed
new features at length, but were silent on one other point: those releases
include fixes for a number of security vulnerabilities, some of which can
lead to remote code execution. See this
list of fixed vulnerabilities for several good reasons to upgrade.
Comments (none posted)
New vulnerabilities
apache2: IPv6 denial of service
| Package(s): | httpd apache2 |
CVE #(s): | CAN-2004-0747
CAN-2004-0751
CAN-2004-0786
CAN-2004-0809
|
| Created: | September 15, 2004 |
Updated: | October 6, 2004 |
| Description: |
Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux. |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups cupsys |
CVE #(s): | CAN-2004-0558
|
| Created: | September 15, 2004 |
Updated: | October 14, 2004 |
| Description: |
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
OpenOffice: information disclosure
| Package(s): | openoffice.org |
CVE #(s): | CAN-2004-0752
|
| Created: | September 15, 2004 |
Updated: | October 20, 2004 |
| Description: |
OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files. |
| Alerts: |
|
Comments (none posted)
Samba: Denial of Service vulnerabilities
| Package(s): | samba |
CVE #(s): | CAN-2004-0807
CAN-2004-0808
|
| Created: | September 13, 2004 |
Updated: | September 22, 2004 |
| Description: |
There is a defect in smbd's ASN.1 parsing. A bad packet received during
the authentication request could throw newly-spawned smbd processes
into an infinite loop (CAN-2004-0807). Another defect was found in
nmbd's processing of mailslot packets, where a bad NetBIOS request
could crash the nmbd process (CAN-2004-0808). See this advisory for details. |
| Alerts: |
|
Comments (none posted)
SUS 2.0.2 local root vulnerability
| Package(s): | SUS |
CVE #(s): | |
| Created: | September 14, 2004 |
Updated: | September 15, 2004 |
| Description: |
SUS is a suid root program that allows ordinary users the execution of
certain programs with superuser privileges. SUS is run by default as setuid
root. A simple format string bug in the log() function allows any local
user to gain root privileges. See this
BugTraq advisory for more information. |
| Alerts: |
|
Comments (none posted)
Webmin, Usermin: Multiple vulnerabilities in Usermin
| Package(s): | webmin usermin |
CVE #(s): | CAN-2004-0559
|
| Created: | September 13, 2004 |
Updated: | September 23, 2004 |
| Description: |
There is an input validation bug in the webmail feature of Usermin.
Additionally, the Webmin and Usermin installation scripts write to
/tmp/.webmin without properly checking if it exists first.
The first vulnerability allows a remote attacker to inject arbitrary
shell code in a specially-crafted e-mail. This could lead to remote
code execution with the privileges of the user running Webmin or
Usermin.
The second could allow local users who know Webmin or Usermin is going
to be installed to have arbitrary files be overwritten by creating a
symlink by the name /tmp/.webmin that points to some target file, e.g.
/etc/passwd. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
CVE #(s): | CAN-2004-0492
|
| Created: | June 11, 2004 |
Updated: | October 14, 2004 |
| Description: |
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service. |
| Alerts: |
|
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
CVE #(s): | CAN-2004-0488
|
| Created: | June 1, 2004 |
Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
CVE #(s): | CAN-2004-0806
|
| Created: | September 8, 2004 |
Updated: | February 21, 2005 |
| Description: |
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: |
|
Comments (none posted)
eGroupWare: cross site scripting vulnerabilities in modules
| Package(s): | egroupware |
CVE #(s): | |
| Created: | September 2, 2004 |
Updated: | September 8, 2004 |
| Description: |
The eGroupWare has multiple vulnerabilities in the
calendar, address book, messenger and ticket modules.
An attacker can potentially execute script code and compromise
the victim's browser. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
CVE #(s): | CAN-2004-0500
|
| Created: | August 12, 2004 |
Updated: | October 18, 2004 |
| Description: |
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions. |
| Alerts: |
|
Comments (none posted)
gallery: temp file vulnerability in upload code
| Package(s): | gallery |
CVE #(s): | |
| Created: | September 2, 2004 |
Updated: | September 8, 2004 |
| Description: |
Gallery has a vulnerability with temp file handling in the
upload code. An attacker can run arbitrary code as the user
running PHP. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
httpd: mod_ssl input filter denial of service vulnerability
| Package(s): | httpd |
CVE #(s): | CAN-2004-0748
|
| Created: | September 2, 2004 |
Updated: | September 23, 2004 |
| Description: |
Apache httpd has a denial of service vulnerability in mod_ssl in which
an attacker can force
an SSL connection to abort, resulting in the Apache child process entering
an infinite loop. This affects httpd versions up to and including
2.0.50. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
CVE #(s): | CAN-2004-0689
CAN-2004-0690
CAN-2004-0721
CAN-2004-0746
|
| Created: | August 12, 2004 |
Updated: | October 4, 2004 |
| Description: |
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains. |
| Alerts: |
|
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
CVE #(s): | CAN-2004-0497
|
| Created: | July 2, 2004 |
Updated: | September 27, 2004 |
| Description: |
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS. |
| Alerts: |
|
Comments (none posted)
kernel information leak
| Package(s): | kernel |
CVE #(s): | CAN-2004-0415
|
| Created: | August 3, 2004 |
Updated: | October 26, 2004 |
| Description: |
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth
2.4.27 release candidate. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
krb5: double-free and ASN.1 parsing
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0642
CAN-2004-0643
CAN-2004-0644
CAN-2004-0772
|
| Created: | August 31, 2004 |
Updated: | September 21, 2004 |
| Description: |
Several double-free bugs were found in the Kerberos 5 KDC and libraries. A
remote attacker could potentially exploit these flaws to execute arbitrary
code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite
loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote
attacker may be able to trigger this flaw and cause a denial of
service. See CAN-2004-0644. See this CERT
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
lha: stack-based buffer overflow
| Package(s): | lha |
CVE #(s): | CAN-2004-0769
CAN-2004-0771
CAN-2004-0694
CAN-2004-0745
|
| Created: | September 2, 2004 |
Updated: | October 14, 2004 |
| Description: |
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or test the archive. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
CVE #(s): | CAN-2004-0494
|
| Created: | September 2, 2004 |
Updated: | January 5, 2005 |
| Description: |
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
multi-gnome-terminal: Information leak
| Package(s): | multi-gnome-terminal |
CVE #(s): | |
| Created: | September 6, 2004 |
Updated: | September 8, 2004 |
| Description: |
multi-gnome-terminal contains debugging code that has been known to
output active keystrokes to a potentially unsafe location. Output has
been seen to show up in the '.xsession-errors' file in the users home
directory. Since this file is world-readable on many machines, this bug
has the potential to leak sensitive information to anyone using the
system. Any authorized user on the local machine has the ability to read
any critical data that has been entered into the terminal, including
passwords. |
| Alerts: |
|
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
CVE #(s): | CAN-2004-0398
|
| Created: | May 19, 2004 |
Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that
can allow an SSH server to execute arbitrary code on a connecting client.
|
| Alerts: |
|
Comments (none posted)
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
CVE #(s): | CAN-2004-0792
|
| Created: | August 16, 2004 |
Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written. |
| Alerts: |
|
Comments (none posted)
ruby: insecure file permissions
| Package(s): | ruby |
CVE #(s): | CAN-2004-0755
|
| Created: | August 16, 2004 |
Updated: | October 14, 2004 |
| Description: |
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session. |
| Alerts: |
|
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
CVE #(s): | CAN-2004-0541
|
| Created: | June 9, 2004 |
Updated: | September 30, 2004 |
| Description: |
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
| Alerts: |
|
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2004-0519
CAN-2004-0520
CAN-2004-0521
|
| Created: | May 21, 2004 |
Updated: | October 4, 2004 |
| Description: |
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string. |
| Alerts: |
|
Comments (none posted)
star: failure to drop privilege
| Package(s): | star |
CVE #(s): | |
| Created: | September 8, 2004 |
Updated: | September 8, 2004 |
| Description: |
Versions of star prior to 1.5alpha46 suffer from a failure to drop privileges which can lead to a local root exploit. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
CVE #(s): | CAN-2004-0107
CAN-2004-0108
|
| Created: | March 10, 2004 |
Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
CVE #(s): | CAN-2004-0183
CAN-2004-0184
|
| Created: | March 30, 2004 |
Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xv: image handling buffer overflows
| Package(s): | xv |
CVE #(s): | CAN-2004-0802
|
| Created: | September 3, 2004 |
Updated: | September 8, 2004 |
| Description: |
According to this
BugTraq advisory xv contains at least 5 exploitable buffer and heap
overflows in the image handling code. |
| Alerts: |
|
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for September is out. Covered
topics include Beyond Fear, travel security, olympic security, and
the attacks against MD5 and SHA. " The techniques
described by the researchers are likely to have other applications, and
we'll be better able to design secure systems as a result. This is how
the science of cryptography advances: we learn how to design new
algorithms by breaking other algorithms. Additionally, algorithms from
the NSA are considered a sort of alien technology: they come from a
superior race with no explanations. Any successful cryptanalysis
against an NSA algorithm is an interesting data point in the eternal
question of how good they really are in there."
Full Story (comments: 5)
CERT has gone through its annual PGP key change; click below for the new
public key.
Full Story (comments: none)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|