Security
2004 was another busy year for those concerned with the security of their
systems. The LWN security database shows that the top-tier distributors
issued 1660 updates in 2004 in response to 396 vulnerabilities. Once
again, the kernel leads the list for the sheer number of vulnerabilities:
19 of them last year. Apache comes in second with 12 vulnerabilities -
though that figure mixes versions 1 and 2 which, arguably, should be kept
separate.
For the curious, here's the beginning of our table showing vulnerabilities
and resulting alerts for 2004:
For the full table, in its bandwidth- and browser-busting glory, see this page over here.
When viewing this table, please keep in mind one fundamental limitation it
has: we have no way of marking when a given distribution is not affected by
a vulnerability. So, if no alerts show for a specific combination of
distributor and vulnerability, it means either (1) the distributor did
not bother to issue an update, or (2) that distribution was not
vulnerable. Someday we hope to get to where we can distinguish between
those two situations.
Comments (6 posted)
Brief items
The Register reports
that Verizon has come up with a novel way of reducing spam delivered to its
customers: blocking all email from Europe. "Verizon three million
DSL customers waiting for emails from Europe were advised to use
alternative forms of communication. 'If it's really important you might
want to make a phone call...'"
Comments (31 posted)
New vulnerabilities
apache: temporary file vulnerability
| Package(s): | apache |
CVE #(s): | |
| Created: | January 19, 2005 |
Updated: | January 19, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the Apache 1.3 "check_forensic"
script created temporary files in an insecure manner. |
| Alerts: |
|
Comments (none posted)
chbg: buffer overflow
| Package(s): | chbg |
CVE #(s): | CAN-2004-1264
|
| Created: | January 18, 2005 |
Updated: | February 2, 2005 |
| Description: |
Danny Lungstrom discovered a vulnerability in chbg, a tool to change
background pictures. A maliciously crafted configuration/scenario
file could overflow a buffer and lead to the execution of arbitrary
code on the victim's machine. |
| Alerts: |
|
Comments (none posted)
gatos: buffer overflow
| Package(s): | gatos |
CVE #(s): | CAN-2005-0016
|
| Created: | January 17, 2005 |
Updated: | January 17, 2005 |
| Description: |
Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in
the gatos package, that is used to display video with certain ATI video
cards. xatitv is installed setuid root in order to gain direct access to
the video hardware. |
| Alerts: |
|
Comments (none posted)
gopher: multiple vulnerabilities
| Package(s): | gopher |
CVE #(s): | CAN-2004-0560
CAN-2004-0561
|
| Created: | January 13, 2005 |
Updated: | January 17, 2005 |
| Description: |
Gopher's gopherd has an integer overflow vulnerability and
the gopher log routine has a format string vulnerability. |
| Alerts: |
|
Comments (none posted)
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
CVE #(s): | CAN-2005-0001
|
| Created: | January 14, 2005 |
Updated: | February 25, 2005 |
| Description: |
Paul Starzetz found an exploitable hole in the x86 SMP page fault handler
which could lead to privilege escalation. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2005-0005
|
| Created: | January 18, 2005 |
Updated: | March 23, 2005 |
| Description: |
According to this iDEFENSE advisory,
ImageMagick is vulnerable to a heap overflow when decoding .psd image
files. This could be remotely exploited allowing an attacker to execute
arbitrary code. |
| Alerts: |
|
Comments (1 posted)
mozilla: buffer overflow
| Package(s): | mozilla |
CVE #(s): | CAN-2004-1316
|
| Created: | January 14, 2005 |
Updated: | January 17, 2005 |
| Description: |
iSEC Security Research has discovered a buffer overflow bug in the way
Mozilla handles NNTP URLs. If a user visits a malicious web page or is
convinced to click on a malicious link, it may be possible for an attacker
to execute arbitrary code on the victim's machine. |
| Alerts: |
|
Comments (none posted)
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
CVE #(s): | CAN-2005-0004
|
| Created: | January 18, 2005 |
Updated: | March 25, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program. |
| Alerts: |
|
Comments (none posted)
playmidi: buffer overflow
| Package(s): | playmidi |
CVE #(s): | CAN-2005-0020
|
| Created: | January 17, 2005 |
Updated: | January 20, 2005 |
| Description: |
Erik Sjölund discovered that playmidi, a MIDI player, contains a setuid
root program with a buffer overflow that can be exploited by a local
attacker. |
| Alerts: |
|
Comments (none posted)
queue: buffer overflows
| Package(s): | queue |
CVE #(s): | CAN-2004-0555
|
| Created: | January 18, 2005 |
Updated: | January 19, 2005 |
| Description: |
"jaguar" of the Debian Security Audit Project has discovered several buffer
overflows in queue, a transparent load balancing system. |
| Alerts: |
|
Comments (none posted)
Squid: multiple vulnerabilities
| Package(s): | squid |
CVE #(s): | CAN-2005-0094
CAN-2005-0095
|
| Created: | January 17, 2005 |
Updated: | February 2, 2005 |
| Description: |
Squid contains a vulnerability in the gopherToHTML function and incorrectly
checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages.
Furthermore, the NTLM code contains two errors. One is a memory leak in the
fakeauth_auth helper and the other is a NULL pointer dereference error. |
| Alerts: |
|
Comments (none posted)
tnftp: arbitrary file overwriting
| Package(s): | tnftp |
CVE #(s): | CAN-2004-1294
|
| Created: | January 14, 2005 |
Updated: | January 17, 2005 |
| Description: |
According to this advisory, the
'mget' function in cmds.c lacks validation of the filenames that are
supplied by the server. An attacker running an FTP server could supply
clients with malicious filenames, potentially allowing the overwriting of
arbitrary files with the permission of the connected user. |
| Alerts: |
|
Comments (none posted)
twiki: arbitrary shell command execution
| Package(s): | twiki |
CVE #(s): | |
| Created: | January 14, 2005 |
Updated: | January 17, 2005 |
| Description: |
A vulnerability was found in twiki that a remote attacker could exploit
to run arbitrary shell commands on the server. For further information, see
this announcement. |
| Alerts: |
|
Comments (none posted)
vim: symbolic link attack
| Package(s): | vim |
CVE #(s): | CAN-2005-0069
|
| Created: | January 18, 2005 |
Updated: | February 18, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim). |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at SecurityFocus. |
| Alerts: |
|
Comments (none posted)
bmv: insecure temporary file
| Package(s): | bmv |
CVE #(s): | CAN-2003-0014
|
| Created: | January 11, 2005 |
Updated: | January 12, 2005 |
| Description: |
Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for
SVGAlib, discovered that temporary files are created in an insecure
fashion. A malicious local user could cause arbitrary files to be
overwritten by a symlink attack. |
| Alerts: |
|
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
CVE #(s): | CAN-2004-0806
|
| Created: | September 8, 2004 |
Updated: | February 21, 2005 |
| Description: |
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: |
|
Comments (none posted)
cups: multiple vulnerabilities
| Package(s): | cups |
CVE #(s): | CAN-2004-1267
CAN-2004-1268
CAN-2004-1269
CAN-2004-1270
|
| Created: | December 17, 2004 |
Updated: | February 9, 2005 |
| Description: |
cups has a denial of service vulnerability in the lppasswd utility
and a remote code execution vulnerability in the hpgltops filter. |
| Alerts: |
|
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
CVE #(s): | CAN-2004-0884
|
| Created: | October 7, 2004 |
Updated: | March 16, 2005 |
| Description: |
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmd5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
dillo: format string vulnerability
| Package(s): | dillo |
CVE #(s): | CAN-2005-0012
|
| Created: | January 10, 2005 |
Updated: | January 12, 2005 |
| Description: |
Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's
handling of messages in a_Interface_msg(). An attacker could craft a
malicious web page which, when accessed using Dillo, would trigger the
format string vulnerability and potentially execute arbitrary code with the
rights of the user running Dillo. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2004-1139
CAN-2004-1140
CAN-2004-1141
CAN-2004-1142
|
| Created: | December 20, 2004 |
Updated: | January 13, 2005 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.8, including:
- A bug in DICOM dissection discovered by Bing could make Ethereal crash
(CAN-2004-1139).
- An invalid RTP timestamp could make Ethereal hang and create a large
temporary file (CAN-2004-1140).
- The HTTP dissector could access previously-freed memory
(CAN-2004-1141).
- Brian Caswell discovered that an improperly formatted SMB could
make Ethereal hang (CAN-2004-1142).
|
| Alerts: |
|
Comments (none posted)
exim: buffer overflows
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
CVE #(s): | CAN-2004-0938
CAN-2004-0960
CAN-2004-0961
|
| Created: | September 22, 2004 |
Updated: | February 2, 2005 |
| Description: |
FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
CVE #(s): | CAN-2004-0891
|
| Created: | October 25, 2004 |
Updated: | February 11, 2005 |
| Description: |
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer. |
| Alerts: |
|
Comments (none posted)
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
CVE #(s): | CAN-2004-1106
|
| Created: | November 8, 2004 |
Updated: | January 17, 2005 |
| Description: |
Jim Paris has discovered a cross-site scripting vulnerability in
Gallery. By sending a carefully crafted URL, an attacker can inject and
execute script code in the victim's browser window, and potentially
compromise the user's gallery. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
groff: insecure temp file
| Package(s): | groff |
CVE #(s): | CAN-2004-1296
|
| Created: | December 20, 2004 |
Updated: | January 17, 2005 |
| Description: |
Javier Fernández-Sanguino Peña discovered that the auxiliary scripts
"eqn2graph" and "pic2graph" created temporary files in an insecure
way, which allowed exploitation of a race condition to create or
overwrite files with the privileges of the user invoking the program. |
| Alerts: |
|
Comments (1 posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
hylafax: weak hostname and username validation
| Package(s): | hylafax |
CVE #(s): | CAN-2004-1182
|
| Created: | January 11, 2005 |
Updated: | January 13, 2005 |
| Description: |
Patrice Fournier discovered a vulnerability in the authorization
subsystem of hylafax, a flexible client/server fax system. A local or
remote user guessing the contents of the hosts.hfaxd database could
gain unauthorized access to the fax system. Fixed in HylaFAX
4.2.1. |
| Alerts: |
|
Comments (none posted)
imlib: buffer overflows in image decoding
| Package(s): | imlib |
CVE #(s): | CAN-2004-1026
|
| Created: | December 6, 2004 |
Updated: | January 13, 2005 |
| Description: |
Pavel Kankovsky discovered that several overflows found in the libXpm
library also applied to imlib. He also fixed a number of other potential
flaws. A remote attacker could entice a user to view a carefully-crafted
image file, which would potentially lead to execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that makes use of the imlib library. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iptables: missing initialization
| Package(s): | iptables |
CVE #(s): | CAN-2004-0986
|
| Created: | November 1, 2004 |
Updated: | February 11, 2005 |
| Description: |
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least. |
| Alerts: |
|
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 |
CVE #(s): | CAN-2004-1189
|
| Created: | December 21, 2004 |
Updated: | February 15, 2005 |
| Description: |
There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to execute
arbitrary code on a Key Distribution Center (KDC) server. |
| Alerts: |
|
Comments (none posted)
kernel: race condition, privilege escalation
| Package(s): | kernel |
CVE #(s): | CAN-2004-1235
CAN-2004-1337
|
| Created: | January 10, 2005 |
Updated: | January 19, 2005 |
| Description: |
Paul Starzetz discovered a race condition in the ELF library and a.out
binary format loaders, which can be locally exploited in several
different ways to gain root privileges. (CAN-2004-1235)
Liang Bin found a design flaw in the capability module. After this
module was loaded on demand in a running system, all unprivileged user
space processes got all kernel capabilities (thus essentially root
privileges). (CAN-2004-1337) |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
Konqueror: Java sandbox vulnerabilities
| Package(s): | konqueror |
CVE #(s): | CAN-2004-1145
|
| Created: | January 11, 2005 |
Updated: | January 12, 2005 |
| Description: |
According to this KDE
Security Advisory, two flaws in the Konqueror web browser make it
possible to bypass the sandbox environment which is used to run
Java-applets. All versions of KDE up to KDE 3.3.1 inclusive are affected.
KDE 3.3.2 is not affected. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2004-1308
|
| Created: | December 22, 2004 |
Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
CVE #(s): | CAN-2004-0687
CAN-2004-0688
|
| Created: | September 16, 2004 |
Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: |
|
Comments (none posted)
lintian: insecure temporary directory
| Package(s): | lintian |
CVE #(s): | CAN-2004-1000
|
| Created: | January 10, 2005 |
Updated: | January 12, 2005 |
| Description: |
Jeroen van Wolffelaar discovered a problem in lintian, the Debian
package checker. The program removes the working directory even if it
wasn't created at program start, removing an unrelated file or
directory a malicious user inserted via a symlink attack. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
CVE #(s): | CAN-2004-1177
|
| Created: | January 10, 2005 |
Updated: | March 22, 2005 |
| Description: |
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
CVE #(s): | CAN-2004-0902
CAN-2004-0903
CAN-2004-0904
CAN-2004-0905
CAN-2004-0908
|
| Created: | September 20, 2004 |
Updated: | January 13, 2005 |
| Description: |
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
|
| Created: | October 11, 2004 |
Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: |
|
Comments (none posted)
namazu2: cross-site scripting vulnerability
| Package(s): | namazu2 |
CVE #(s): | CAN-2004-1318
|
| Created: | January 6, 2005 |
Updated: | January 12, 2005 |
| Description: |
The namazu2 full text search engine has a cross-site scripting vulnerability
that may allow an attacker to display arbitrarily crafted text
by the use of specially crafted input information. |
| Alerts: |
|
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
CVE #(s): | CAN-2004-1287
|
| Created: | December 20, 2004 |
Updated: | May 4, 2005 |
| Description: |
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code. |
| Alerts: |
|
Comments (4 posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
CVE #(s): | CAN-2004-0911
|
| Created: | October 4, 2004 |
Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: |
|
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-1014
|
| Created: | December 1, 2004 |
Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
o3read: buffer overflow during file conversion
| Package(s): | o3read |
CVE #(s): | CAN-2004-1288
|
| Created: | January 11, 2005 |
Updated: | January 12, 2005 |
| Description: |
Wiktor Kopec discovered that
the parse_html function in o3read.c copies any number of bytes into a
1024-byte array. |
| Alerts: |
|
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
phpgroupware: information disclosure vulnerability
| Package(s): | phpgroupware |
CVE #(s): | |
| Created: | January 6, 2005 |
Updated: | January 12, 2005 |
| Description: |
phpgroupware has multiple vulnerabilities that may
be exploited for the purpose of information disclosure
or a remote compromise. |
| Alerts: |
|
Comments (none posted)
poppassd_pam: unauthorized password changing
| Package(s): | poppassd_pam |
CVE #(s): | CAN-2005-0002
|
| Created: | January 11, 2005 |
Updated: | January 12, 2005 |
| Description: |
Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did
not check that the old password was valid before changing passwords.
Subsequent investigation revealed that poppassd_pam did not call
pam_authenticate before calling pam_chauthtok. |
| Alerts: |
|
Comments (none posted)
ProZilla: Multiple vulnerabilities
| Package(s): | ProZilla |
CVE #(s): | CAN-2004-1120
|
| Created: | November 23, 2004 |
Updated: | February 1, 2005 |
| Description: |
ProZilla contains several exploitable buffer overflows in the code handling
the network protocols. A remote attacker could set up a malicious server
and entice a user to retrieve files from that server using ProZilla. This
could lead to the execution of arbitrary code with the rights of the user
running ProZilla. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
CVE #(s): | CAN-2004-0983
|
| Created: | November 8, 2004 |
Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles. |
| Alerts: |
|
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-1154
|
| Created: | December 16, 2004 |
Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: |
|
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
CVE #(s): | CAN-2004-1772
|
| Created: | October 1, 2004 |
Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: |
|
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
CVE #(s): | CAN-2004-1051
|
| Created: | November 17, 2004 |
Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tiff: buffer overflows
| Package(s): | tiff |
CVE #(s): | CAN-2004-0803
|
| Created: | October 13, 2004 |
Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
TikiWiki: arbitrary command execution
| Package(s): | TikiWiki |
CVE #(s): | |
| Created: | January 10, 2005 |
Updated: | January 31, 2005 |
| Description: |
TikiWiki lacks a check on uploaded images in the Wiki edit page. A
malicious user could run arbitrary commands on the server by uploading and
calling a PHP script. |
| Alerts: |
|
Comments (none posted)
unarj: buffer overflow vulnerability
| Package(s): | unarj |
CVE #(s): | CAN-2004-0947
|
| Created: | November 11, 2004 |
Updated: | February 2, 2005 |
| Description: |
The unarj uncompression utility has a buffer overflow vulnerability
from handling long file names in an archive. An attacker can
cause unarj to crash or execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
UnRTF: Buffer overflow
| Package(s): | unrtf |
CVE #(s): | |
| Created: | January 11, 2005 |
Updated: | January 12, 2005 |
| Description: |
An unchecked strcat() in unrtf may overflow the bounds of a static buffer.
Using a specially crafted file, possibly delivered by e-mail or over the
web, an attacker may execute arbitrary code with the permissions of the
user running UnRTF. |
| Alerts: |
|
Comments (1 posted)
vilistextum: buffer overflow vulnerability
| Package(s): | vilistextum |
CVE #(s): | CAN-2004-1299
|
| Created: | January 6, 2005 |
Updated: | January 12, 2005 |
| Description: |
Vilistextum has a buffer overflow vulnerability that can allow an attacker
to execute arbitrary code via a maliciously created web page. |
| Alerts: |
|
Comments (none posted)
vim: modeline problems
| Package(s): | vim |
CVE #(s): | CAN-2004-1138
|
| Created: | December 15, 2004 |
Updated: | February 24, 2005 |
| Description: |
A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user. |
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, have enabled SOCKS 5 traversal (which is disabled by default), and
also connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: arbitrary code execution
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1187
CAN-2004-1188
CAN-2004-1300
|
| Created: | December 21, 2004 |
Updated: | January 25, 2005 |
| Description: |
Several buffer overflows have been discovered in xine-lib, the video/audio
codec library for Xine frontends (xine-ui, totem-xine, kaffeine, and
others). If an attacker tricked a user into loading a malicious RTSP stream
or a stream with specially crafted AIFF audio or PNM image data, they could
exploit this to execute arbitrary code with the privileges of the user
opening the audio/video file. See this advisory
for more information. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2004-1125
|
| Created: | December 23, 2004 |
Updated: | April 1, 2005 |
| Description: |
xpdf has a
potential buffer overflow problem caused by insufficient input validation.
A specially crafted PDF file can allow an
attacker to execute code with privileges of the xpdf user. |
| Alerts: |
|
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf kpdf cupsys |
CVE #(s): | CAN-2004-0888
CAN-2004-0889
|
| Created: | October 21, 2004 |
Updated: | February 18, 2005 |
| Description: |
Several xpdf integer overflow vulnerabilities can be exploited via a
malformed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys, which share code. Additional information can be found in this KDE security advisory. |
| Alerts: |
|
Comments (none posted)
xzgv: integer overflows
| Package(s): | xzgv |
CVE #(s): | CAN-2004-0994
|
| Created: | December 21, 2004 |
Updated: | January 12, 2005 |
| Description: |
Luke "infamous41md" discovered multiple vulnerabilities in xzgv, a picture
viewer for X11 with a thumbnail-based selector. Remote exploitation of an
integer overflow vulnerability could allow the execution of arbitrary
code. |
| Alerts: |
|
Comments (none posted)
zip: arbitrary code execution
| Package(s): | zip |
CVE #(s): | CAN-2004-1010
|
| Created: | November 5, 2004 |
Updated: | February 2, 2005 |
| Description: |
HexView discovered a buffer overflow in the zip package. The overflow is
triggered by creating a ZIP archive of files with very long path
names. This vulnerability might result in execution of arbitrary code with
the privileges of the user who calls zip. This flaw may lead to privilege
escalation on systems which automatically create ZIP archives of user
supplied files, like backup systems or web applications. |
| Alerts: |
|
Comments (1 posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Events
The Central Pennsylvania Linux Users Group will be holding a security
conference near Harrisburg on March 5. Speakers include Russell
Coker, Brandon Hale, and Ed Reed; click below for the details.
Full Story (comments: none)
Page editor: Jonathan Corbet