Mailman and safe input validation
Members of the Full Disclosure mailing list recently
got
a little more disclosure than they had been looking for. It
turns out that a bug in the
mailman list manager enabled a
suitably clever attacker to pull arbitrary files from the server. In
particular, the list of mailman accounts and passwords was taken from the
Full Disclosure server. Since people tend to use username and password
combinations in more than one place, it is entirely possible that the
information obtained could be used to attack user accounts elsewhere.
The bug was in this bit of code:
def true_path(path):
"Ensure that the path is safe by removing .."
path = path.replace('../', '')
path = path.replace('./', '')
return path[1:]
At first glance, it would appear that the above checks would remove any
directory traversal attempts. If, however, the URL contains a string like
".../....///", the string replacements performed will leave a
simple "../" in the path.
In retrospect, there is an obvious error here. The checks in the function
above perform some transformations to the input string, but never actually
verify that the resulting string does not violate the constraints they are
supposed to be enforcing. Such
code will likely always be exploitable in one way or another. The
short-term fix changes the above logic by splitting the path into
components and dealing with each component separately.
The bigger error, however, and one which is not addressed by the short-term
fix, is to allow the request to proceed at all if undesirable elements are
found. Assuming the code is reasonably well done, it should not generate
URLs which later need to be fixed up by the input validation routines. So
if something comes through which looks like a directory traversal attempt,
the more prudent action would be to reject the request outright. Hostile
input suggests hostile intent; it should be responded to accordingly.
Comments (11 posted)
Security reports
Mozilla Foundation Response to IDN Homograph Spoofing Attack (MozillaZine)
The Mozilla Foundation has
issued a
short-term response to Mozilla's vulnerability to a homograph spoofing
attack using international domain names (IDNs). "
In the forthcoming
Mozilla Firefox 1.0.1 and Mozilla 1.8 Beta releases, IDN support will be
disabled (bug 282270). For those users that need it, an XPI will be
released to turn IDN support back on (bug 282269)." Gervase Markham
has also provided some clarification and possible long-term solutions on
his
web
log.
Comments (1 posted)
New vulnerabilities
alsa-lib: disabled stack execution protection
| Package(s): | alsa-lib |
CVE #(s): | CAN-2005-0087
|
| Created: | February 15, 2005 |
Updated: | February 16, 2005 |
| Description: |
A flaw in the alsa mixer code was discovered that caused stack execution
protection to be disabled for the libasound.so library. The effect of this
flaw is that stack execution protection, through NX or Exec-Shield, would
be disabled for any application linked to libasound. |
| Alerts: |
|
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
hztty: local utmp exploit
| Package(s): | hztty |
CVE #(s): | CAN-2005-0019
|
| Created: | February 10, 2005 |
Updated: | February 14, 2005 |
| Description: |
hztty has a vulnerability in which local users can
execute arbitrary commands with group utmp privileges. |
| Alerts: |
|
Comments (none posted)
lighttpd: script source disclosure
| Package(s): | lighttpd |
CVE #(s): | |
| Created: | February 15, 2005 |
Updated: | February 16, 2005 |
| Description: |
lighttpd uses file extensions to determine which elements are programs
that should be executed and which are static pages that should be sent
as-is. By appending %00 to the filename, you can evade the extension
detection mechanism while still accessing the file. A remote attacker
could send specific queries and access the source of scripts that should
have been executed as CGI or FastCGI applications. |
| Alerts: |
|
Comments (none posted)
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 |
CVE #(s): | CAN-2005-0176
CAN-2005-0177
CAN-2005-0178
|
| Created: | February 15, 2005 |
Updated: | March 15, 2005 |
| Description: |
Michael Kerrisk noticed an insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the the RLIMIT_MEMLOCK limit (that is the
maximum size of shared memory that unprivileged users can acquire). This
allowed am unprivileged user process to unlock locked memory of other
processes, thereby allowing them to be swapped out. Usually locked shared
memory is used to store passphrases and other sensitive content which must
not be written to the swap space (where it could be read out even after a
reboot). (CAN-2005-0176)
OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly
set to 128 instead of 256. This caused a buffer overflow in some cases
which could be exploited to crash the kernel. (CAN-2005-177)
A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-178)
|
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 9, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
netkit-rwho: missing input validation
| Package(s): | netkit-rwho |
CVE #(s): | CAN-2004-1180
|
| Created: | February 11, 2005 |
Updated: | February 17, 2005 |
| Description: |
"Vlad902" discovered a vulnerability in the rwhod program that can be
used to crash the listening process. The broadcasting one is
unaffected. This vulnerability only affects little endian
architectures (i.e. on Debian: alpha, arm, alpha, ia64, i386, mipsel
and s390). |
| Alerts: |
|
Comments (none posted)
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql |
CVE #(s): | CAN-2005-0244
CAN-2005-0245
CAN-2005-0246
CAN-2005-0247
|
| Created: | February 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions. |
| Alerts: |
|
Comments (none posted)
PowerDNS: denial of service
| Package(s): | pdns |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | February 14, 2005 |
| Description: |
A vulnerability has been reported in the DNSPacket::expand method of
dnspacket.cc. An attacker could cause a temporary Denial of Service by
sending a random stream of bytes to the PowerDNS Daemon. |
| Alerts: |
|
Comments (none posted)
sympa: arbitrary code execution
| Package(s): | sympa |
CVE #(s): | CAN-2005-0073
|
| Created: | February 11, 2005 |
Updated: | February 14, 2005 |
| Description: |
Erik Sjölund discovered that a support script of sympa, a mailing list
manager, is running setuid sympa and vulnerable to a buffer overflow.
This could potentially lead to the execution of arbitrary code under
the sympa user id. |
| Alerts: |
|
Comments (none posted)
synaesthesia: privilege escalation
| Package(s): | synaesthesia |
CVE #(s): | CAN-2005-0070
|
| Created: | February 14, 2005 |
Updated: | February 14, 2005 |
| Description: |
Erik Sjölund and Devin Carraway discovered that synaesthesia, a
program for representing sounds visually, accesses user-controlled
configuration and mixer files with elevated privileges. Thus, it is
possible to read arbitrary files. |
| Alerts: |
|
Comments (none posted)
thunderbird: cookie handling bug
| Package(s): | thunderbird |
CVE #(s): | CAN-2005-0149
|
| Created: | February 15, 2005 |
Updated: | February 16, 2005 |
| Description: |
A bug was found in the way Thunderbird handled cookies when loading content
over HTTP regardless of the user's preference. It is possible that a
particular user could be tracked through the use of malicious mail messages
which load content over HTTP. |
| Alerts: |
|
Comments (none posted)
toolchain-source: insecure temporary files
| Package(s): | toolchain-source |
CVE #(s): | CAN-2005-0159
|
| Created: | February 14, 2005 |
Updated: | February 14, 2005 |
| Description: |
Sean Finney discovered several insecure temporary file uses in
toolchain-source, the GNU binutils and GCC source code and scripts. These
bugs can lead a local attacker with minimal knowledge to trick the admin
into overwriting arbitrary files via a symlink attack. The problems exist
inside the Debian-specific tpkg-* scripts. |
| Alerts: |
|
Comments (none posted)
vmware: untrusted library search path
| Package(s): | vmware |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | February 16, 2005 |
| Description: |
VMware may load shared libraries from an untrusted, world-writable
directory, resulting in the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
Webmin: Information leak in Gentoo binary package
| Package(s): | webmin |
CVE #(s): | |
| Created: | February 11, 2005 |
Updated: | February 14, 2005 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that
the Webmin ebuild contains a design flaw. It imports the encrypted
local root password into the miniserv.users file before building binary
packages that include this file. A remote attacker could retrieve
Portage-built Webmin binary packages and recover the encrypted root
password from the build host. |
| Alerts: |
|
Comments (none posted)
xpcd: buffer overflow in pcdsvgaview
| Package(s): | xpcd |
CVE #(s): | CAN-2005-0074
|
| Created: | February 11, 2005 |
Updated: | February 14, 2005 |
| Description: |
Erik Sjölund discovered a buffer overflow in pcdsvgaview, an SVGA
PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display
graphics on the Linux console for which root permissions are required.
A malicious user could overflow a fixed-size buffer and may cause the
program to execute arbitrary code with elevated privileges. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
AWStats: remote code execution
| Package(s): | awstats |
CVE #(s): | CAN-2005-0116
CAN-2005-0362
CAN-2005-0363
|
| Created: | January 25, 2005 |
Updated: | February 15, 2005 |
| Description: |
When 'awstats.pl' is run as a CGI script, it fails to validate specific
inputs which are used in a Perl open() function call. A remote attacker
could supply AWStats malicious input, potentially allowing the execution of
arbitrary code with the rights of the web server. |
| Alerts: |
|
Comments (1 posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
CVE #(s): | CAN-2004-0806
|
| Created: | September 8, 2004 |
Updated: | February 21, 2005 |
| Description: |
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: |
|
Comments (none posted)
ClamAV: multiple issues
| Package(s): | clamav |
CVE #(s): | CAN-2005-0133
|
| Created: | January 31, 2005 |
Updated: | March 3, 2005 |
| Description: |
ClamAV fails to properly scan ZIP files with special headers and base64
encoded images in URLs. |
| Alerts: |
|
Comments (none posted)
cpio - file permissions error
| Package(s): | cpio |
CVE #(s): | CAN-1999-1572
|
| Created: | February 2, 2005 |
Updated: | July 19, 2005 |
| Description: |
Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: |
|
Comments (none posted)
cups: multiple vulnerabilities
| Package(s): | cups |
CVE #(s): | CAN-2004-1267
CAN-2004-1268
CAN-2004-1269
CAN-2004-1270
|
| Created: | December 17, 2004 |
Updated: | February 9, 2005 |
| Description: |
cups has a denial of service vulnerability in the lppasswd utility
and a remote code execution vulnerability in the hpgltops filter. |
| Alerts: |
|
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
CVE #(s): | CAN-2004-0884
|
| Created: | October 7, 2004 |
Updated: | March 16, 2005 |
| Description: |
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple vulnerabilites
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
CVE #(s): | CAN-2005-0102
|
| Created: | January 24, 2005 |
Updated: | May 19, 2005 |
| Description: |
Max Vozeler discovered an integer overflow in camel-lock-helper. A
user-supplied length value was not validated, so that a value of -1
caused a buffer allocation of 0 bytes; this buffer was then filled by
an arbitrary amount of user-supplied data. A local attacker or a malicious
POP3 server could exploit this to execute arbitrary code with root
privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: |
|
Comments (1 posted)
exim: buffer overflows
Comments (1 posted)
f2c: insecure temp files
| Package(s): | f2c |
CVE #(s): | CAN-2005-0017
CAN-2005-0018
|
| Created: | January 27, 2005 |
Updated: | April 20, 2005 |
| Description: |
The f2c fortran to C translator has a vulnerability due to
insecure opening of temporary files. A local attacker can use this
to launch a symlink attack. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
CVE #(s): | CAN-2004-0891
|
| Created: | October 25, 2004 |
Updated: | February 11, 2005 |
| Description: |
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer. |
| Alerts: |
|
Comments (none posted)
Gallery: cross-site scripting vulnerability
| Package(s): | gallery |
CVE #(s): | |
| Created: | January 31, 2005 |
Updated: | February 10, 2005 |
| Description: |
Rafel Ivgi has discovered a cross-site scripting vulnerability where
the 'username' parameter is not properly sanitized in 'login.php'. See
this Gallery
announcement for the release of 1.4.4-pl5 for more information. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2005-0005
|
| Created: | January 18, 2005 |
Updated: | March 23, 2005 |
| Description: |
According to this iDEFENSE advisory,
ImageMagick is vulnerable to a heap overflow when decoding .psd image
files. This could be remotely exploited allowing an attacker to execute
arbitrary code. |
| Alerts: |
|
Comments (1 posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iptables: missing initialization
| Package(s): | iptables |
CVE #(s): | CAN-2004-0986
|
| Created: | November 1, 2004 |
Updated: | February 11, 2005 |
| Description: |
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least. |
| Alerts: |
|
Comments (none posted)
kdeenu: buffer overflow in fliccd
| Package(s): | kdeenu kstars |
CVE #(s): | CAN-2005-0011
|
| Created: | February 16, 2005 |
Updated: | February 18, 2005 |
| Description: |
Erik Sjolund discovered a buffer overflow in fliccd which is part of
kdeedu, edutainment applications for KDE. An attacker could exploit this
vulnerability to execute code with elevated privileges. If fliccd does not
run as daemon remote exploitation of this vulnerability is not possible. |
| Alerts: |
|
Comments (none posted)
kdelibs: unsanitzied input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 |
CVE #(s): | CAN-2004-1189
|
| Created: | December 21, 2004 |
Updated: | February 15, 2005 |
| Description: |
There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to execute
arbitrary code on a Key Distribution Center (KDC) server. |
| Alerts: |
|
Comments (none posted)
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
CVE #(s): | CAN-2005-0001
|
| Created: | January 14, 2005 |
Updated: | February 25, 2005 |
| Description: |
Paul Starzetz found an exploitable hole in the x86 SMP page fault handler
which could lead to privilege escalation. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2004-1308
|
| Created: | December 22, 2004 |
Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | February 28, 2005 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
CVE #(s): | CAN-2004-0687
CAN-2004-0688
|
| Created: | September 16, 2004 |
Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Aler |
