|
|
| |
|
| |
Security
One of the biggest fringe benefits of writing book reviews is that
publishers are happy to send you samples of their wares. Sometimes they
![[cover]](/images/ns/intro-comp-sec.jpg)
are a little too enthusiastic; your editor has been buried under books on
.NET programming, XML for legacy business applications, DBA certification,
and more. The pile of such books threatens to fall over and make a big
mess in the otherwise immaculate LWN.net data center. When an envelope
showed up with a book called Introduction to Computer Security (by
Matt Bishop), it almost joined that pile. Your editor hardly needs another
book on password policies, anti-virus software, and attachment filtering.
Consigning this book to that pile would have been a mistake, however.
"Introduction" might be an accurate description of this book, but only with
a suitable understanding of the target audience: this book could serve for
an introductory, graduate-level course for security researchers. People
looking for ways to lock down their Windows boxes will not find it here;
if, instead, you want to argue about the theoretical limitations of the
type enforcement model with the SELinux folks, you're in the right place.
Chapter 1 (available online
(PDF)) starts with the real introduction, where a number of important
terms are defined: integrity, confidentiality, availability, assurance,
etc. Chapter 2 gets into protection models, access matrices, and
state transitions. Chapter 3 turns up the rigor by proving some
theorems on whether a given system can be proven to be safe or not.
The fourth chapter gets into security policies, and makes some interesting
distinctions: a "military" policy is one oriented primarily around
confidentiality, while a "commercial" policy is aimed at integrity.
Chapter 5 goes military with a more detailed look at confidentiality
policies, with more theorems and a look at mandatory access control.
Integrity policies are covered in the following chapter; a few integrity
models are introduced. Chapter 7 addresses the fact that most
organizations want both integrity and confidentiality by looking at
hybrid models: chinese walls, etc.
Then the focus shifts to cryptography. Chapter 8 is a whirlwind
introduction, starting with basic ciphers and progressing through DES,
public key encryption, and more. The crucial problem of key management is
chapter 9's topic; chapter 10 looks at ciphers in more detail.
There is some discussion there about how ciphers and network stacks can be
brought together, ending with an overview of IPSec. Chapter 11 is
about authentication; here your editor got his discussion of password
policies after all, though in a bit more depth than usual.
Chapter 12 gets into design principles for secure systems: least privilege,
fail-safe defaults, complete mediation, open design (with a discussion of
DeCSS), etc. Chapter 13 looks at identity representations,
certificates, and anonymity, and chapter 14 returns to access control
mechanisms in more detail.
The book then gets into a more serious look at information flow and how it
might be controlled in a secure system. Chapter 16 moves on to
confinement - keeping processes within their defined boundaries; it looks
at virtual machines, sandboxes, and the covert channel problem.
Chapter 17 is an introduction to assurance - how one can be reasonably
sure that a given system meets its security criteria. Then an introduction
to evaluation techniques is given: TCSEC, FIPS, Common Criteria, etc.
After those dry chapters, chapter 19 ("malicious logic") is a relatively
fun look at malware: trojan horses, viruses, worms, and how to defend
against them. Chapter 20 is on vulnerability analysis, penetration
testing, flaw models, etc. with a number of real-world examples. The next
two chapters look at auditing and intrusion detection. Then follows a
series of relatively high-level chapters on network, system, user, and
program security techniques - firewalls, user policies, programming
techniques, and more. The book finishes up with some background material
(lattices, virtual machines) and a 63-page, 968-entry bibliography.
Introduction to Computer Security is an intense reading experience.
Interestingly, this book can be seen as a watered-down version of another
book by the same author: Computer
Security: Art and Science. According to the introduction,
Introduction to Computer Security is a shorter book (a mere 750
pages) with much of the mathematical formalism left out. For most readers,
however, the shortened version is likely to be enough - and to be an
important resource for anybody who wishes to truly understand what secure
computing means.
Comments (4 posted)
New vulnerabilities
hpsockd: missing input sanitizing
| Package(s): | hpsockd |
CVE #(s): | CAN-2004-0993
|
| Created: | December 3, 2004 |
Updated: | December 8, 2004 |
| Description: |
"infamous41md" discovered a buffer overflow condition in hpsockd, the
socks server written at Hewlett-Packard. An exploit could cause the
program to crash or may have worse effect. |
| Alerts: |
|
Comments (none posted)
imlib: buffer overflows in image decoding
| Package(s): | imlib |
CVE #(s): | CAN-2004-1026
|
| Created: | December 6, 2004 |
Updated: | January 13, 2005 |
| Description: |
Pavel Kankovsky discovered that several overflows found in the libXpm
library also applied to imlib. He also fixed a number of other potential
flaws. A remote attacker could entice a user to view a carefully-crafted
image file, which would potentially lead to execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that makes use of the imlib library. |
| Alerts: |
|
Comments (none posted)
mirrorselect: insecure temporary file creation
| Package(s): | mirrorselect |
CVE #(s): | |
| Created: | December 7, 2004 |
Updated: | December 8, 2004 |
| Description: |
Ervin Nemeth discovered that mirrorselect creates temporary files in
world-writable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When mirrorselect is executed, this would
result in the file being overwritten with the rights of the user running
the utility, which could be the root user. |
| Alerts: |
|
Comments (none posted)
rssh, scponly: unrestricted command execution
| Package(s): | rssh, scponly |
CVE #(s): | |
| Created: | December 3, 2004 |
Updated: | December 8, 2004 |
| Description: |
Jason Wies discovered that when receiving an authorized command from an
authorized user, rssh and scponly do not filter command-line options
that can be used to execute any command on the target host. Using a
malicious command, it is possible for a remote authenticated user to
execute any command (or upload and execute any file) on the target machine
with user rights, effectively bypassing any restriction of scponly or
rssh. See
this Bugtraq post for more details. |
| Alerts: |
|
Comments (none posted)
viewcvs settings not honored
| Package(s): | viewcvs |
CVE #(s): | CAN-2004-0915
|
| Created: | December 6, 2004 |
Updated: | December 28, 2004 |
| Description: |
Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP. When exporting
a repository as a tar archive the hide_cvsroot and forbidden settings
were not honored. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
apache: arbitrary code execution
| Package(s): | apache |
CVE #(s): | CAN-2004-0940
|
| Created: | October 29, 2004 |
Updated: | December 14, 2004 |
| Description: |
According to an Apache
announcement, a vulnerability exists in the Apache HTTP server, version
1.3. The problem is a potential buffer overflow in the "get_tag" function
of Apache's SSI module "mod_include". It allows local users who can create
SSI documents to execute arbitrary code as the Apache run-time user via SSI
documents that trigger a content length calculation error. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
BNC: Buffer overflow vulnerability
| Package(s): | bnc |
CVE #(s): | |
| Created: | November 16, 2004 |
Updated: | December 1, 2004 |
| Description: |
Leon Juranic discovered that BNC fails to do proper bounds checking
when checking server response. An attacker could exploit this to cause a
Denial of Service and potentially execute arbitrary code with the
permissions of the user running BNC. |
| Alerts: |
|
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
CVE #(s): | CAN-2004-0806
|
| Created: | September 8, 2004 |
Updated: | February 21, 2005 |
| Description: |
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: |
|
Comments (none posted)
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress |
CVE #(s): | CAN-2001-1413
|
| Created: | October 11, 2004 |
Updated: | December 14, 2004 |
| Description: |
compress and uncompress do not properly check bounds on command line
options, including the filename. Large parameters would trigger a buffer
overflow. By supplying a carefully crafted filename or other option, an
attacker could execute arbitrary code on the system. A local attacker could
only execute code with his own rights, but since compress and uncompress
are called by various daemon programs, this might also allow a remote
attacker to execute code with the rights of the daemon making use of
ncompress. |
| Alerts: |
|
Comments (none posted)
cyrus-imap: multiple remote vulnerabilities
| Package(s): | cyrus-imap |
CVE #(s): | CAN-2004-1012
CAN-2004-1013
|
| Created: | November 23, 2004 |
Updated: | December 3, 2004 |
| Description: |
Several vulnerabilities have been found in
Cyrus IMAP Server <= 2.2.8 that could allow remote execution of arbitrary
code. |
| Alerts: |
|
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
CVE #(s): | CAN-2004-0884
|
| Created: | October 7, 2004 |
Updated: | March 16, 2005 |
| Description: |
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
CVE #(s): | CAN-2004-0938
CAN-2004-0960
CAN-2004-0961
|
| Created: | September 22, 2004 |
Updated: | February 2, 2005 |
| Description: |
FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
CVE #(s): | CAN-2004-0891
|
| Created: | October 25, 2004 |
Updated: | February 11, 2005 |
| Description: |
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer. |
| Alerts: |
|
Comments (none posted)
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
CVE #(s): | CAN-2004-1106
|
| Created: | November 8, 2004 |
Updated: | January 17, 2005 |
| Description: |
Jim Paris has discovered a cross-site scripting vulnerability in
Gallery. By sending a carefully crafted URL, an attacker can inject and
execute script code in the victim's browser window, and potentially
compromise the users gallery. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
gzip: insecure temporary files
| Package(s): | gzip |
CVE #(s): | CAN-2004-0970
|
| Created: | November 8, 2004 |
Updated: | December 7, 2004 |
| Description: |
Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package which may allow local users
to overwrite files via a symlink attack. |
| Alerts: |
|
Comments (none posted)
ImageMagick: EXIF buffer overflow
| Package(s): | ImageMagick |
CVE #(s): | CAN-2004-0981
|
| Created: | November 8, 2004 |
Updated: | December 8, 2004 |
| Description: |
ImageMagick fails to do proper bounds checking when handling image
files with EXIF information. An attacker could use an image file with
specially-crafted EXIF information to cause arbitrary code execution with
the permissions of the user running ImageMagick. See this advisory for more
information. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
iptables: missing initialization
| Package(s): | iptables |
CVE #(s): | CAN-2004-0986
|
| Created: | November 1, 2004 |
Updated: | February 11, 2005 |
| Description: |
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least. |
| Alerts: |
|
Comments (none posted)
kernel: vulnerabilities in the smb file system
Comments (1 posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
CVE #(s): | CAN-2004-0687
CAN-2004-0688
|
| Created: | September 16, 2004 |
Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
CVE #(s): | CAN-2004-0494
|
| Created: | September 2, 2004 |
Updated: | January 5, 2005 |
| Description: |
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
CVE #(s): | CAN-2004-0902
CAN-2004-0903
CAN-2004-0904
CAN-2004-0905
CAN-2004-0908
|
| Created: | September 20, 2004 |
Updated: | January 13, 2005 |
| Description: |
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details. |
| Alerts: |
|
Comments (none posted)
mpg123: buffer overflow bug
| Package(s): | mpg123 |
CVE #(s): | CAN-2004-0805
|
| Created: | September 16, 2004 |
Updated: | January 11, 2005 |
| Description: |
The mpg123 audio playing utility has a buffer overflow
bug that may allow arbitrary execution of code. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
|
| Created: | October 11, 2004 |
Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: |
|
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
CVE #(s): | CAN-2004-0911
|
| Created: | October 4, 2004 |
Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-1014
|
| Created: | December 1, 2004 |
Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: |
|
Comments (none posted)
Open DC Hub: remote code execution
| Package(s): | opendchub |
CVE #(s): | |
| Created: | November 29, 2004 |
Updated: | December 1, 2004 |
| Description: |
Donato Ferrante discovered a buffer overflow vulnerability in the
RedirectAll command of the Open DC Hub. Upon exploitation, a remote user
with administrative privileges can execute arbitrary code on the system
running the Open DC Hub. See this
advisory. |
| Alerts: |
|
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
perl: insecure temp file creation
| Package(s): | perl |
CVE #(s): | CAN-2004-0976
|
| Created: | November 2, 2004 |
Updated: | December 7, 2004 |
| Description: |
Trustix Secure Linux has discovered some vulnerabilities in the perl
package. The utility "instmodsh", the Perl package "PPPort.pm", and several
test scripts (which are not shipped and only used during build) created
temporary files in an insecure way, which could allow a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program, or building the perl package, respectively. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
phpbb: input sanitizing
| Package(s): | phpbb |
CVE #(s): | |
| Created: | December 1, 2004 |
Updated: | December 1, 2004 |
| Description: |
phpBB fails to sanitize input properly; this vulnerability may be exploited by a remote attacker to execute arbitrary code. Version 2.0.11 contains the fix. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin |
CVE #(s): | CAN-2004-1055
|
| Created: | November 29, 2004 |
Updated: | December 1, 2004 |
| Description: |
Cedric Cochin has discovered
multiple cross-site scripting vulnerabilities in phpMyAdmin. These
vulnerabilities can be exploited through the PmaAbsoluteUri parameter, the
zero_rows parameter in read_dump.php, the confirm form, or an error message
generated by the internal phpMyAdmin parser. By sending a
specially-crafted request, an attacker can inject and execute malicious
script code, potentially compromising the victim's browser. |
| Alerts: |
|
Comments (none posted)
phpWebSite: HTTP response splitting
| Package(s): | phpWebSite |
CVE #(s): | |
| Created: | November 26, 2004 |
Updated: | December 1, 2004 |
| Description: |
phpWebSite
is vulnerable to HTTP response splitting attacks. A malicious user
could inject arbitrary response data, leading to content spoofing, web
cache poisoning and other cross-site scripting or HTTP response splitting
attacks. |
| Alerts: |
|
Comments (none posted)
PostgreSQL: Insecure temporary file use in make_oidjoins_check
| Package(s): | PostgreSQL |
CVE #(s): | CAN-2004-0977
|
| Created: | October 18, 2004 |
Updated: | December 20, 2004 |
| Description: |
The make_oidjoins_check script insecurely creates temporary files in
world-writeable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When make_oidjoins_check is called, this
would result in file overwrite with the rights of the user running the
utility, which could be the root user. |
| Alerts: |
|
Comments (none posted)
ProZilla: Multiple vulnerabilities
| Package(s): | ProZilla |
CVE #(s): | CAN-2004-1120
|
| Created: | November 23, 2004 |
Updated: | February 1, 2005 |
| Description: |
ProZilla contains several exploitable buffer overflows in the code handling
the network protocols. A remote attacker could setup a malicious server
and entice a user to retrieve files from that server using ProZilla. This
could lead to the execution of arbitrary code with the rights of the user
running ProZilla. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
CVE #(s): | CAN-2004-0983
|
| Created: | November 8, 2004 |
Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles. |
| Alerts: |
|
Comments (none posted)
samba: remote DoS vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-0930
CAN-2004-0882
|
| Created: | November 8, 2004 |
Updated: | December 1, 2004 |
| Description: |
According to this Samba advisory a remote
attacker could cause an smbd process to consume abnormal amounts of system
resources due to an input validation error when matching filenames
containing wildcard characters. Versions of Samba 3.0.x up to and
including 3.0.7 are vulnerable.
There is also an advisory about possible
buffer overruns in smbd. |
| Alerts: |
|
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
CVE #(s): | CAN-2004-1772
|
| Created: | October 1, 2004 |
Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: |
|
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: cross-site scripting
| Package(s): | squirrelmail |
CVE #(s): | CAN-2004-1036
|
| Created: | November 17, 2004 |
Updated: | December 23, 2004 |
| Description: |
Squirrelmail (through version 1.4.3a-r2) suffers from yet another cross-site scripting vulnerability. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
CVE #(s): | CAN-2004-1051
|
| Created: | November 17, 2004 |
Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: |
|
Comments (none posted)
sun-jre: Java plugin vulnerability
| Package(s): | sun-jre |
CVE #(s): | CAN-2004-1029
|
| Created: | November 26, 2004 |
Updated: | December 1, 2004 |
| Description: |
Jouko Pynnonen reported
a vulnerability in the plugin mechanism which allows remote attackers to
bypass the Java sandbox through the use of javascript. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tiff: buffer overflows
| Package(s): | tiff |
CVE #(s): | CAN-2004-0803
|
| Created: | October 13, 2004 |
Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
TWiki: input sanitizing
| Package(s): | twiki |
CVE #(s): | CAN-2004-1037
|
| Created: | December 1, 2004 |
Updated: | December 1, 2004 |
| Description: |
The TWiki search function does not properly sanitize input, enabling a remote attacker to execute arbitrary commands. |
| Alerts: |
|
Comments (1 posted)
unarj: buffer overflow vulnerability
| Package(s): | unarj |
CVE #(s): | CAN-2004-0947
|
| Created: | November 11, 2004 |
Updated: | February 2, 2005 |
| Description: |
The unarj uncompression utility has a buffer overflow vulnerability
from handling long file names in an archive. An attacker can
cause unarj to crash or execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
WordPress: HTTP response splitting and XSS vulnerabilities
| Package(s): | wordpress |
CVE #(s): | |
| Created: | October 14, 2004 |
Updated: | December 20, 2004 |
| Description: |
WordPress is vulnerable to HTTP response splitting and cross-site scripting
attacks, due to the lack of input validation in the administration panel
scripts. A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser. |
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf kpdf cupsys |
CVE #(s): | CAN-2004-0888
CAN-2004-0889
|
| Created: | October 21, 2004 |
Updated: | February 18, 2005 |
| Description: |
Several xpdf integer overflow vulnerabilities can be exploited via a
mal-formed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys which share code. Additional information can be found in this KDE security advisory. |
| Alerts: |
|
Comments (none posted)
yardradius: buffer overflow
| Package(s): | yardradius |
CVE #(s): | CAN-2004-0987
|
| Created: | November 26, 2004 |
Updated: | December 1, 2004 |
| Description: |
Max Vozeler noticed that yardradius, the YARD radius authentication
and accounting server, contained a stack overflow similar to the one
from radiusd which is referenced as
CAN-2001-0534. This could lead to the execution of arbitrary code as
root. |
| Alerts: |
|
Comments (none posted)
zgv: multiple buffer overflows
| Package(s): | zgv |
CVE #(s): | |
| Created: | November 8, 2004 |
Updated: | December 14, 2004 |
| Description: |
Multiple arithmetic overflows have been detected in the image
processing code of zgv. An attacker could entice a user to open a
specially-crafted image file, potentially resulting in execution of
arbitrary code with the rights of the user running zgv. See this BugTraq advisory
for more information. |
| Alerts: |
|
Comments (none posted)
zip: arbitrary code execution
| Package(s): | zip |
CVE #(s): | CAN-2004-1010
|
| Created: | November 5, 2004 |
Updated: | February 2, 2005 |
| Description: |
HexView discovered a buffer overflow in the zip package. The overflow is
triggered by creating a ZIP archive of files with very long path
names. This vulnerability might result in execution of arbitrary code with
the privileges of the user who calls zip. This flaw may lead to privilege
escalation on systems which automatically create ZIP archives of user
supplied files, like backup systems or web applications. |
| Alerts: |
|
Comments (1 posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Resources
OpenPMF/M3 (a framework which allows for site-wide
management of security policies) has been released under the GPL; click
below for the details.
Full Story (comments: none)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|