LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Secret answers as insecure passwords
Here at LWN security headquarters, we have received hundreds of messages from readers with one crucial security question on their minds: how was Paris Hilton's T-Mobile account cracked? Well...OK...maybe we haven't received quite that many messages. But we're sure people will want to know. Turns out that OSDir has the answer. Apparently T-Mobile's site has a "secret answer" mechanism for people who forget their passwords. Ms Hilton's "secret answer" was her dog's name. Bitten again.Wherever there is a potential security problem, there is inevitably a Bruce Schneier column warning about it. In this case, Bruce notes:
Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is
just one manifestation of that fact.
Passwords may well be heading toward the end of their useful life, but "secret answers" are not necessarily a demonstration of that fact. Many web sites (or other interfaces requiring confirmation) go out of their way to prevent the use of insecure passwords. Some site developers put considerable effort into creating novel rules for passwords. Then they add a "secret answer" mechanism which bypasses all of that.
The real issue here, perhaps, is that an authentication interface should actually control access to the resources it protects. Back doors are never good for the security of a system, and a "secret answer" scheme is really just a form of back door. If you provide a way around your password interface, you should not be surprised if attackers use it.
Security news
New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)
MozillaZine reports that IDN support will not be disabled. The details of the new short term solution are available. "Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN - set "network.IDN_show_punycode" to false. As with the previous plan, this preference will be set to true in all official builds." Meanwhile the search for a long term solution continues.
New vulnerabilities
bidwatcher: format string vulnerability
| Package(s): | bidwatcher | CVE #(s): | CAN-2005-0158 | ||||||
| Created: | February 18, 2005 | Updated: | March 3, 2005 | ||||||
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. This problem can be triggered remotely by a web server of eBay, or someone pretending to be eBay, sending certain data back. As of version 1.3.17 the program uses cURL and is not vulnerable anymore. | ||||||||
| Alerts: |
| ||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gaim: client freezes
| Package(s): | gaim | CVE #(s): | CAN-2005-0472 CAN-2005-0473 | ||||||||||||
| Created: | February 22, 2005 | Updated: | April 27, 2005 | ||||||||||||
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
GProFTPD: gprostats format string vulnerability
| Package(s): | gproftpd | CVE #(s): | ||||
| Created: | February 18, 2005 | Updated: | February 23, 2005 | |||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a format string vulnerability in the gprostats utility. An attacker could exploit the vulnerability by performing a specially crafted FTP transfer, the resulting ProFTPD transfer log could potentially trigger the execution of arbitrary code when parsed by GProFTPD. | |||||
| Alerts: |
| |||||
gftp: missing input sanitizing
| Package(s): | gftp | CVE #(s): | CAN-2005-0372 CAN-2004-1376 | ||||||||||||||||||||||||
| Created: | February 17, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
mc: multiple vulnerabilities
| Package(s): | mc | CVE #(s): | CAN-2004-1004 CAN-2004-1005 CAN-2004-1092 CAN-2004-1176 | ||||||
| Created: | February 17, 2005 | Updated: | March 4, 2005 | ||||||
| Description: | Midnight commander has multiple vulnerabilities including format string vulnerabilities, buffer overflows, a buffer underflow, and a memory deallocation error. An attacker can use these to run arbitrary code with the permission of the user. | ||||||||
| Alerts: |
| ||||||||
PuTTY: remote code execution
| Package(s): | putty | CVE #(s): | CAN-2005-0467 | |||
| Created: | February 21, 2005 | Updated: | March 2, 2005 | |||
| Description: | Two vulnerabilities have been discovered in the PSCP and PSFTP clients, which can be triggered by the SFTP server itself. See this iDEFENSE advisory for details. | |||||
| Alerts: |
| |||||
Squid: DNS response handling
| Package(s): | squid | CVE #(s): | CAN-2005-0446 | |||||||||||||||||||||||||||
| Created: | February 18, 2005 | Updated: | March 16, 2005 | |||||||||||||||||||||||||||
| Description: | Handling of certain DNS responses trigger assertion failures. By returning a specially crafted DNS response an attacker could cause Squid to crash by triggering an assertion failure. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
xpdf: vulnerabilities on 64 bit platforms
| Package(s): | xpdf gpdf cups | CVE #(s): | CAN-2005-0206 | ||||||||||||||||||||||||
| Created: | February 18, 2005 | Updated: | March 16, 2005 | ||||||||||||||||||||||||
| Description: | The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
alsa-lib: disabled stack execution protection
| Package(s): | alsa-lib | CVE #(s): | CAN-2005-0087 | |||
| Created: | February 15, 2005 | Updated: | February 16, 2005 | |||
| Description: | A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. | |||||
| Alerts: |
| |||||
cdrecord: failure to drop privilege
| Package(s): | cdrecord | CVE #(s): | CAN-2004-0806 | |||||||||||||||
| Created: | September 8, 2004 | Updated: | February 21, 2005 | |||||||||||||||
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
ClamAV: multiple issues
| Package(s): | clamav | CVE #(s): | CAN-2005-0133 | |||||||||
| Created: | January 31, 2005 | Updated: | March 3, 2005 | |||||||||
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. | |||||||||||
| Alerts: |
| |||||||||||
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 | |||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | July 19, 2005 | |||||||||||||||||||||
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CAN-2004-0884 | |||||||||||||||||||||||||||||||||||||||
| Created: | October 7, 2004 | Updated: | March 16, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 | |||||||||
| Created: | November 4, 2004 | Updated: | July 13, 2005 | |||||||||
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. | |||||||||||
| Alerts: |
| |||||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
evolution: arbitrary code execution
| Package(s): | evolution | CVE #(s): | CAN-2005-0102 | ||||||||||||||||||
| Created: | January 24, 2005 | Updated: | May 19, 2005 | ||||||||||||||||||
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
f2c: insecure temp files
| Package(s): | f2c | CVE #(s): | CAN-2005-0017 CAN-2005-0018 | |||||||||
| Created: | January 27, 2005 | Updated: | April 20, 2005 | |||||||||
| Description: | The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. | |||||||||||
| Alerts: |
| |||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2004 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs | CVE #(s): | CAN-2004-0494 | |||||||||
| Created: | August 4, 2004 | Updated: | February 21, 2005 | |||||||||
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. | |||||||||||
| Alerts: |
| |||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick | CVE #(s): | CAN-2005-0005 | ||||||||||||||||||
| Created: | January 18, 2005 | Updated: | March 23, 2005 | ||||||||||||||||||
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
kdeenu: buffer overflow in fliccd
| Package(s): | kdeenu kstars | CVE #(s): | CAN-2005-0011 | ||||||
| Created: | February 16, 2005 | Updated: | February 18, 2005 | ||||||
| Description: | Erik Sjolund discovered a buffer overflow in fliccd which is part of kdeedu, edutainment applications for KDE. An attacker could exploit this vulnerability to execute code with elevated privileges. If fliccd does not run as daemon remote exploitation of this vulnerability is not possible. | ||||||||
| Alerts: |
| ||||||||
kdelibs: unsanitzied input
| Package(s): | kdelibs | CVE #(s): | CAN-2004-1165 | ||||||||||||||||||||||||
| Created: | January 10, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel | CVE #(s): | CAN-2005-0001 | ||||||||||||||||||||||||||||||
| Created: | January 14, 2005 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||
| Description: | Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 | ||||||||||||||||||||||||
| Created: | January 25, 2005 | Updated: | March 2, 2006 | ||||||||||||||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CAN-2004-1308 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 22, 2004 | Updated: | May 19, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2: multiple buffer overflows
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0989 | |||||||||||||||||||||||||||||||||
| Created: | October 28, 2004 | Updated: | February 28, 2005 | |||||||||||||||||||||||||||||||||
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
lighttpd: script source disclosure
| Package(s): | lighttpd | CVE #(s): | ||||
| Created: | February 15, 2005 | Updated: | February 16, 2005 | |||
| Description: | lighttpd uses file extensions to determine which elements are programs that should be executed and which are static pages that should be sent as-is. By appending %00 to the filename, you can evade the extension detection mechanism while still accessing the file. A remote attacker could send specific queries and access the source of scripts that should have been executed as CGI or FastCGI applications. | |||||
| Alerts: |
| |||||
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 | CVE #(s): | CAN-2005-0176 CAN-2005-0177 CAN-2005-0178 | ||||||||||||
| Created: | February 15, 2005 | Updated: | March 15, 2005 | ||||||||||||
| Description: | Michael Kerrisk noticed an insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the the RLIMIT_MEMLOCK limit (that is the
maximum size of shared memory that unprivileged users can acquire). This
allowed am unprivileged user process to unlock locked memory of other
processes, thereby allowing them to be swapped out. Usually locked shared
memory is used to store passphrases and other sensitive content which must
not be written to the swap space (where it could be read out even after a
reboot). (CAN-2005-0176)
OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly set to 128 instead of 256. This caused a buffer overflow in some cases which could be exploited to crash the kernel. (CAN-2005-177) A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-178) | ||||||||||||||
| Alerts: |
| ||||||||||||||
lvm10: creates insecure temporary directory
| Package(s): | lvm10 | CVE #(s): | CAN-2004-0972 | |||||||||||||||
| Created: | November 1, 2004 | Updated: | July 25, 2005 | |||||||||||||||
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mailman: cross-site scripting
| Package(s): | mailman | CVE #(s): | CAN-2004-1177 | |||||||||||||||||||||
| Created: | January 10, 2005 | Updated: | March 22, 2005 | |||||||||||||||||||||
| Description: | Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mailman: path traversal
| Package(s): | mailman | CVE #(s): | CAN-2005-0202 | ||||||||||||||||||||||||||||||||||||
| Created: | February 9, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mod_python: remote access vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2005-0088 | ||||||||||||||||||||||||||||||
| Created: | February 10, 2005 | Updated: | April 9, 2006 | ||||||||||||||||||||||||||||||
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
mpg321: format string vulnerability
| Package(s): | mpg321 | CVE #(s): | CAN-2003-0969 | ||||||
| Created: | January 6, 2004 | Updated: | March 28, 2005 | ||||||
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). | ||||||||
| Alerts: |
| ||||||||
mysql: several vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2004-0835 CAN-2004-0836 CAN-2004-0837 | |||||||||||||||||||||||||||||||||
| Created: | October 11, 2004 | Updated: | April 6, 2005 | |||||||||||||||||||||||||||||||||
| Description: | Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837) | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg | CVE #(s): | CAN-2005-0004 | |||||||||||||||
| Created: | January 18, 2005 | Updated: | March 25, 2005 | |||||||||||||||
| Description: | Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
nasm: Buffer overflow vulnerability
| Package(s): | nasm | CVE #(s): | CAN-2004-1287 | ||||||||||||||||||
| Created: | December 20, 2004 | Updated: | May 4, 2005 | ||||||||||||||||||
| Description: | Jonathan Rockway discovered that NASM-0.98.38 has an unprotected vsprintf() to an array in preproc.c. This code vulnerability may lead to a buffer overflow and potential execution of arbitrary code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs | CVE #(s): | CAN-2005-0013 CAN-2005-0014 |
| Created: | January 31, 2005 |