LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Address space randomization in 2.6
Arjan van de Ven has posted a series of patches which add some address space randomization to the 2.6 kernel. With these patches applied, each process's stack will begin at a random location, and the beginning of the memory area used for mmap() (which is where shared libraries go, among other things) will be randomized as well. These patches represent an improvement in the kernel's security infrastructure, but the reception on the public lists has been surprisingly hostile.Many buffer overflow exploits, especially those used in large-scale attacks, contain hardcoded addresses. An exploit which overflows a stack variable will place some executable code on the stack; it then overwrites the return pointer so that the broken function "returns" into the exploit code. If you look at a given distribution's shipped version of a vulnerable program, an exploit will always be able to place its payload at the same address on the stack, so it can contain that address directly. If, instead, the exploit author does not know ahead of time where the payload will end up, actually getting the computer to execute that code will be much harder.
That is why the stack randomization patch helps. When the stack location is deterministic, a relatively simple exploit can be made to work on all systems running the vulnerable distribution. If the stack moves, instead, hardcoded addresses no longer work.
Moving the mmap() area has similar benefits. One popular type of exploit prepares the stack and then "returns" into a shared library somewhere. That return can, for example, cause the application to behave as if it had intentionally called system() or a similar library function. Moving the libraries around makes these attacks harder.
One of the biggest complaints that has been raised is that the amount of randomization is insufficient. The patches, as posted, vary the stack base within a 64KB area and the mmap() base within a 1MB range. Alignment requirements prevent just any address from being used with the result that only a relatively small number of possible base addresses exists. So a determined attacker could repeatedly run a hardcoded exploit with some assurance that, within a reasonable amount of time, the stack would land at the right place and the exploit would work. Placing a long series of no-op instructions at the beginning of the payload can also make an exploit more robust when faced with randomization.
Arjan responds that the amount of randomization is not the issue at the moment. He is trying to get the infrastructure into the kernel and tested in a minimally disruptive way; the degree of randomization can be tweaked upward later on. That amount may never get as high as some people would like, at least on 32-bit systems, because it cuts back on the available virtual address space. But it is likely to go up once the developers are convinced that things are working.
In any case, a larger randomness makes the problem harder, but does not change its fundamental nature. With the ability to keep trying, an attacker will eventually get around any degree of randomization possible on 32-bit systems (64-bit systems are a different story). Thus, says Ingo Molnar:
conclusion: stack randomisation (and other VM randomisations) are
not a tool against local attacks (which are much easier and faster
to brute-force) or against targeted remote attacks, but mainly a
tool to degrade the economy of automated remote attacks.
Randomization is not a magic bullet which solves a wide range of security problems. It does make an attack harder, however, and that can only be a good thing.
New vulnerabilities
bind: validator function denial of service
| Package(s): | bind | CVE #(s): | CAN-2005-0034 | |||
| Created: | January 27, 2005 | Updated: | February 1, 2005 | |||
| Description: | A vulnerability was discovered in BIND version 9.3.0, an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely. | |||||
| Alerts: |
| |||||
ClamAV: multiple issues
| Package(s): | clamav | CVE #(s): | CAN-2005-0133 | |||||||||
| Created: | January 31, 2005 | Updated: | March 3, 2005 | |||||||||
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. | |||||||||||
| Alerts: |
| |||||||||||
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 | |||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | July 19, 2005 | |||||||||||||||||||||
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
f2c: insecure temp files
| Package(s): | f2c | CVE #(s): | CAN-2005-0017 CAN-2005-0018 | |||||||||
| Created: | January 27, 2005 | Updated: | April 20, 2005 | |||||||||
| Description: | The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. | |||||||||||
| Alerts: |
| |||||||||||
FireHOL: insecure temporary file creation
| Package(s): | FireHOL | CVE #(s): | ||||
| Created: | February 1, 2005 | Updated: | February 1, 2005 | |||
| Description: | FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user. | |||||
| Alerts: |
| |||||
Gallery: cross-site scripting vulnerability
| Package(s): | gallery | CVE #(s): | |||||||
| Created: | January 31, 2005 | Updated: | February 10, 2005 | ||||||
| Description: | Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information. | ||||||||
| Alerts: |
| ||||||||
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs | CVE #(s): | CAN-2005-0013 CAN-2005-0014 | |||||||||||||||
| Created: | January 31, 2005 | Updated: | May 15, 2006 | |||||||||||||||
| Description: | Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
ngIRCd: buffer overflow
| Package(s): | ngIRCd | CVE #(s): | ||||
| Created: | January 28, 2005 | Updated: | February 1, 2005 | |||
| Description: | Florian Westphal discovered a buffer overflow caused by an integer underflow in the Lists_MakeMask() function of lists.c. See the ngIRCd 0.8.2 release announcement for more information. | |||||
| Alerts: |
| |||||
openswan: stack based buffer overflow
| Package(s): | openswan | CVE #(s): | CAN-2005-0162 | |||
| Created: | January 28, 2005 | Updated: | February 1, 2005 | |||
| Description: | A stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. | |||||
| Alerts: |
| |||||
perl: setuid vulnerabilities
| Package(s): | perl | CVE #(s): | CAN-2005-0155 CAN-2005-0156 | ||||||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | August 11, 2006 | ||||||||||||||||||||||||
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
postgresql: privilege escalation via LOAD
| Package(s): | postgresql | CVE #(s): | CAN-2005-0227 | ||||||||||||
| Created: | February 1, 2005 | Updated: | February 7, 2005 | ||||||||||||
| Description: | John Heasman has discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialization function was then executed with the permissions of the server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail | CVE #(s): | CAN-2005-0075 CAN-2005-0103 CAN-2005-0104 | ||||||||||||||||||||||||
| Created: | January 28, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
uw-imap: authentication bypass
| Package(s): | uw-imap imap | CVE #(s): | CAN-2005-0198 | ||||||||||||
| Created: | February 2, 2005 | Updated: | March 1, 2005 | ||||||||||||
| Description: | The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ProZilla: Multiple vulnerabilities
| Package(s): | ProZilla | CVE #(s): | CAN-2004-1120 | ||||||
| Created: | November 23, 2004 | Updated: | February 1, 2005 | ||||||
| Description: | ProZilla contains several exploitable buffer overflows in the code handling the network protocols. A remote attacker could setup a malicious server and entice a user to retrieve files from that server using ProZilla. This could lead to the execution of arbitrary code with the rights of the user running ProZilla. | ||||||||
| Alerts: |
| ||||||||
TikiWiki: arbitrary command execution
| Package(s): | TikiWiki | CVE #(s): | |||||||
| Created: | January 10, 2005 | Updated: | January 31, 2005 | ||||||
| Description: | TikiWiki lacks a check on uploaded images in the Wiki edit page. A malicious user could run arbitrary commands on the server by uploading and calling a PHP script. | ||||||||
| Alerts: |
| ||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
AWStats: remote code execution
| Package(s): | awstats | CVE #(s): | CAN-2005-0116 CAN-2005-0362 CAN-2005-0363 | |||||||||
| Created: | January 25, 2005 | Updated: | February 15, 2005 | |||||||||
| Description: | When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server. | |||||||||||
| Alerts: |
| |||||||||||
cdrecord: failure to drop privilege
| Package(s): | cdrecord | CVE #(s): | CAN-2004-0806 | |||||||||||||||
| Created: | September 8, 2004 | Updated: | February 21, 2005 | |||||||||||||||
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
chbg: buffer overflow
| Package(s): | chbg | CVE #(s): | CAN-2004-1264 | ||||||
| Created: | January 18, 2005 | Updated: | February 2, 2005 | ||||||
| Description: | Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine. | ||||||||
| Alerts: |
| ||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270 | |||||||||||||||||||||
| Created: | December 17, 2004 | Updated: | February 9, 2005 | |||||||||||||||||||||
| Description: | cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CAN-2004-0884 | |||||||||||||||||||||||||||||||||||||||
| Created: | October 7, 2004 | Updated: | March 16, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 | |||||||||
| Created: | November 4, 2004 | Updated: | July 13, 2005 | |||||||||
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. | |||||||||||
| Alerts: |
| |||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ethereal: multiple vulnerabilites
| Package(s): | ethereal | CVE #(s): | CAN-2005-0006 CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084 | |||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | February 15, 2005 | |||||||||||||||||||||
| Description: | Ethereal has released 0.10.9 to fix several vulnerabilities. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
evolution: arbitrary code execution
| Package(s): | evolution | CVE #(s): | CAN-2005-0102 | ||||||||||||||||||
| Created: | January 24, 2005 | Updated: | May 19, 2005 | ||||||||||||||||||
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
exim: buffer overflows
| Package(s): | exim | CVE #(s): | CAN-2005-0021 CAN-2005-0022 | |||||||||||||||||||||
| Created: | January 7, 2005 | Updated: | February 15, 2005 | |||||||||||||||||||||
| Description: | A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with
elevated privileges by a local user. This has been patched in Exim
4.43.
Additionally, there is a another buffer overflow in Exim's auth_spa_server() which also be fixed in Exim 4.43. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
FreeRADIUS: denial of service
| Package(s): | freeradius | CVE #(s): | CAN-2004-0938 CAN-2004-0960 CAN-2004-0961 | |||||||||
| Created: | September 22, 2004 | Updated: | February 2, 2005 | |||||||||
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. | |||||||||||
| Alerts: |
| |||||||||||
gaim: buffer overflow in MSN protocol
| Package(s): | gaim | CVE #(s): | CAN-2004-0891 | ||||||||||||||||||
| Created: | October 25, 2004 | Updated: | February 11, 2005 | ||||||||||||||||||
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2004 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs | CVE #(s): | CAN-2004-0494 | |||||||||
| Created: | August 4, 2004 | Updated: | February 21, 2005 | |||||||||
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. | |||||||||||
| Alerts: |
| |||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick | CVE #(s): | CAN-2005-0005 | ||||||||||||||||||
| Created: | January 18, 2005 | Updated: | March 23, 2005 | ||||||||||||||||||
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
iptables: missing initialization
| Package(s): | iptables | CVE #(s): | CAN-2004-0986 | ||||||||||||
| Created: | November 1, 2004 | Updated: | February 11, 2005 | ||||||||||||
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kdebase: screen saver crash
| Package(s): | kdebase | CVE #(s): | CAN-2005-0078 | |||
| Created: | January 26, 2005 | Updated: | January 26, 2005 | |||
| Description: | From the Debian advisory: "Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session." | |||||
| Alerts: |
| |||||
kdelibs: unsanitzied input
| Package(s): | kdelibs | CVE #(s): | CAN-2004-1165 | ||||||||||||||||||||||||
| Created: | January 10, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 | CVE #(s): | CAN-2004-1189 | ||||||||||||||||||||||||||||||
| Created: | December 21, 2004 | Updated: | February 15, 2005 | ||||||||||||||||||||||||||||||
| Description: | There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel | CVE #(s): | CAN-2005-0001 | ||||||||||||||||||||||||||||||
| Created: | January 14, 2005 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||
| Description: | Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
Konversation: multiple vulnerabilities
| Package(s): | konversation | CVE #(s): | CAN-2005-0129 CAN-2005-0130 CAN-2005-0131 | |||
| Created: | January 24, 2005 | Updated: | January 26, 2005 | |||
| Description: | Multiple vulnerabilities have been discovered in all Konversation versions up to and including 0.15. | |||||
| Alerts: |
| |||||
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 | ||||||||||||||||||||||||
| Created: | January 25, 2005 | Updated: | March 2, 2006 | ||||||||||||||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libpam-radius-auth
| Package(s): | libpam-radius-auth | CVE #(s): | CAN-2005-0108 | |||
| Created: | January 26, 2005 | Updated: | January 26, 2005 | |||
| Description: | The PAM RADIUS authentication module suffers from an integer overflow vulnerability. | |||||
| Alerts: |
| |||||
libpng: multiple vulnerabilities
| Package(s): | libpng | CVE #(s): | CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 4, 2004 | Updated: | February 10, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CAN-2004-1308 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 22, 2004 | Updated: | May 19, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2: multiple buffer overflows
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0989 | |||||||||||||||||||||||||||||||||
| Created: | October 28, 2004 | Updated: | February 28, 2005 | |||||||||||||||||||||||||||||||||
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
libxpm4: stack and integer overflows
| Package(s): | libxpm4 | CVE #(s): | CAN-2004-0687 CAN-2004-0688 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | September 16, 2004 | Updated: | February 14, 2005 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
lvm10: creates insecure temporary directory
| Package(s): | lvm10 | CVE #(s): | CAN-2004-0972 | |||||||
| Created: | November 1, 2004 | Updated: | July 25, 2005 | |||||||
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. | |||||||||
| Alerts: |
| |||||||||