|
|
| |
|
| |
Security
CIO magazine has run an article called How To Save The
Internet. The core idea is that the Internet threatens to collapse
under the load of spam, spyware, worms, etc., and that some sort of Big
Ideas must be found to save the situation. A few of the suggested ideas
merit a look...
The first is "hire a czar." The idea would seem to be that the appointment
of a high-level (U.S.) "cybersecurity" official would do something to make
our systems more secure. It looks mostly like a bully-pulpit role:
We propose a high-profile surgeon general for information security,
who reports to the secretary of DHS. Imagine labels on software
like those on cigarettes--Infosecurity General's
Warning: The use of software and hardware that is not certified
secure can harm your system and other people's systems, and you may
be held liable for those damages.
Aside from the idea of how hardware and software would be "certified
secure," one could imagine that people in the free software community could
have a lot of fun creating warning labels.
Another suggestion is giving vendors incentives to create more secure
software. Essentially, it is the return of the product liability idea.
This approach may still offer some promise, but it is hard to see how to
make it fit with the "no warranties" nature of free software.
Two related items are well described by the title applied to the first:
"Treat End Users Like the Dummies They Are." The suggestion to have ISPs
provide more filtering, detection, and response services to those who are
willing to pay for them is fine. The other one, however, is more
problematic:
Let's make all end user devices nonprogrammable.... No one can
connect to the Internet on a machine that creates code. If you want
a computer to do programming, you would have to be licensed. We
could license software companies to purchase programmable machines,
which would be completely traceable along with the code created on
them.
The idea of "traceable code" would appear to pose some technical challenges
of its own. But the idea that you could "save the Internet" by restricting
access to programmable devices is truly frightening. There are a few of us
out there who see the net as a bit more than a clothing-optional shopping
mall. We would not react well to the idea that we would have to be
licensed before getting a machine we could hack on.
There is an idea for the creation of reputation servers as an antidote to
phishing problem (though, of course, it has to be expressed as "using
XML and meta-data to tag websites with safety, reputation, past performance
and other security ratings"). Something like that may yet be part
of a solution to certain classes of problems. More likely, however, is
that it would just become another variant of the (nearly useless) SSL
certificate mechanism.
Almost as an afterthought, the article presents a couple of relevant Big
Ideas: make a bigger effort to write error-free software, and think
carefully about what features any given program should have. Maybe an
email client really should not be able to execute code received in
messages. One wonders why nobody ever thought of that before.
See the article for the full list of "Big Ideas." For the most part, this
article can be dismissed as just another silly journalistic exercise. But
the truth of the matter is that people are actually likely to try some of
these ideas. Look for a "Code Traceability and Programmer Licensing"
initiative in a legislature near you sometime soon.
Comments (16 posted)
New vulnerabilities
Ethereal: Multiple vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2005-0699
CAN-2005-0704
CAN-2005-0705
|
| Created: | March 14, 2005 |
Updated: | March 28, 2005 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.10, including:
The Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows
(CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC could crash when the
"ignore cipher bit" option is enabled (CAN-2005-0705) and various
vulnerabilities in the IAPP, JXTA, and sFlow dissectors. |
| Alerts: |
|
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
CVE #(s): | CAN-2005-0366
|
| Created: | March 16, 2005 |
Updated: | August 19, 2005 |
| Description: |
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
IPsec-Tools: denial of service
| Package(s): | ipsec-tools setkey racoon |
CVE #(s): | CAN-2005-0398
|
| Created: | March 14, 2005 |
Updated: | April 5, 2005 |
| Description: |
The IPsec-Tools package is used to build other programs such as setkey and
racoon. There is a potential denial of service vulnerability when parsing
ISAKMP headers in racoon. |
| Alerts: |
|
Comments (none posted)
luxman: buffer overflow
| Package(s): | luxman |
CVE #(s): | CAN-2005-0385
|
| Created: | March 14, 2005 |
Updated: | March 16, 2005 |
| Description: |
Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based
PacMan clone, that could lead to the execution of arbitrary commands
as root. |
| Alerts: |
|
Comments (none posted)
MySQL: input validation and temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2005-0709
CAN-2005-0710
CAN-2005-0711
|
| Created: | March 16, 2005 |
Updated: | July 19, 2005 |
| Description: |
MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
|
| Alerts: |
|
Comments (none posted)
openslp: buffer overflows
| Package(s): | openslp |
CVE #(s): | |
| Created: | March 14, 2005 |
Updated: | March 21, 2005 |
| Description: |
The SUSE Security Team reviewed critical parts of the OpenSLP package, an
open source implementation of the Service Location Protocol (SLP). During
the audit, various buffer overflows and out of bounds memory access have
been fixed which can be triggered by remote attackers by sending malformed
SLP packets. |
| Alerts: |
|
Comments (none posted)
Ringtone Tools: buffer overflow
| Package(s): | ringtonetools |
CVE #(s): | |
| Created: | March 15, 2005 |
Updated: | March 16, 2005 |
| Description: |
Qiao Zhang has discovered a buffer overflow vulnerability in the
'parse_emelody' function in 'parse_emelody.c'. A remote attacker could
entice a Ringtone Tools user to open a specially crafted eMelody file,
which would potentially lead to the execution of arbitrary code with the
rights of the user running the application. |
| Alerts: |
|
Comments (none posted)
sylpheed: buffer overflow
| Package(s): | sylpheed |
CVE #(s): | CAN-2005-0667
|
| Created: | March 15, 2005 |
Updated: | April 15, 2005 |
| Description: |
Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5
allows remote attackers to execute arbitrary code via an e-mail message
with certain headers containing non-ASCII characters that are not properly
handled when the user replies to the message. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
abuse: several vulnerabilities
| Package(s): | abuse |
CVE #(s): | CAN-2005-0098
CAN-2005-0099
|
| Created: | March 7, 2005 |
Updated: | March 9, 2005 |
| Description: |
Several vulnerabilities have been discovered in abuse, the SDL port of
the Abuse action game. Erik Sjölund discovered several buffer overflows in
the command line handling, which could lead to the execution of arbitrary
code with elevated privileges since it is installed setuid root. Steve
Kemp discovered that that abuse creates some files without dropping
privileges first, which may lead to the creation and overwriting of
arbitrary files. |
| Alerts: |
|
Comments (none posted)
cpio - file permissions error
| Package(s): | cpio |
CVE #(s): | CAN-1999-1572
|
| Created: | February 2, 2005 |
Updated: | July 19, 2005 |
| Description: |
Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: |
|
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
CVE #(s): | CAN-2005-0490
|
| Created: | February 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended buffer
lengths when decoded. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
CVE #(s): | CAN-2004-0884
|
| Created: | October 7, 2004 |
Updated: | March 16, 2005 |
| Description: |
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable. |
| Alerts: |
|
Comments (none posted)
KDE dcopidlng: insecure temporary file creation
| Package(s): | dcopidlng |
CVE #(s): | |
| Created: | March 7, 2005 |
Updated: | March 9, 2005 |
| Description: |
Davide Madrisan has discovered that the dcopidlng script creates temporary
files in a world-writable directory with predictable names. A local
attacker could create symbolic links in the temporary files directory,
pointing to a valid file somewhere on the filesystem. When dcopidlng is
executed, this would result in the file being overwritten with the rights
of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
CVE #(s): | CAN-2005-0102
|
| Created: | January 24, 2005 |
Updated: | May 19, 2005 |
| Description: |
Max Vozeler discovered an integer overflow in camel-lock-helper. A
user-supplied length value was not validated, so that a value of -1
caused a buffer allocation of 0 bytes; this buffer was then filled by
an arbitrary amount of user-supplied data. A local attacker or a malicious
POP3 server could exploit this to execute arbitrary code with root
privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: |
|
Comments (1 posted)
f2c: insecure temp files
| Package(s): | f2c |
CVE #(s): | CAN-2005-0017
CAN-2005-0018
|
| Created: | January 27, 2005 |
Updated: | April 20, 2005 |
| Description: |
The f2c fortran to C translator has a vulnerability due to
insecure opening of temporary files. A local attacker can use this
to launch a symlink attack. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: DoS issue in parsing malformed HTML
| Package(s): | gaim |
CVE #(s): | CAN-2005-0208
|
| Created: | February 25, 2005 |
Updated: | March 14, 2005 |
| Description: |
Gaim has a DoS issue in parsing malformed HTML, and a MSN related crash. |
| Alerts: |
|
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
CVE #(s): | CAN-2005-0472
CAN-2005-0473
|
| Created: | February 22, 2005 |
Updated: | April 27, 2005 |
| Description: |
The Gaim client freezes when receiving certain invalid messages and crashes
when receiving specific malformed HTML. See this Secunia Advisory for
additional information. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
CVE #(s): | CAN-2005-0372
CAN-2004-1376
|
| Created: | February 17, 2005 |
Updated: | July 13, 2005 |
| Description: |
gftp has a directory traversal vulnerability.
A remote server could use specially crafted filenames to overwrite
local files.
|
| Alerts: |
|
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
hashcash: format string vulnerability
| Package(s): | hashcash |
CVE #(s): | |
| Created: | March 7, 2005 |
Updated: | March 9, 2005 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw
in the Hashcash utility that an attacker could expose by specifying a
malformed reply address. Successful exploitation would permit an attacker
to disrupt Hashcash users, and potentially execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
HelixPlayer: buffer overflows
| Package(s): | HelixPlayer |
CVE #(s): | CAN-2005-0455
CAN-2005-0611
|
| Created: | March 3, 2005 |
Updated: | March 9, 2005 |
| Description: |
The Helix Player 1.0 media player has two buffer overflows
that can be exploited by playing specially crafted
SMIL and WAV files. This can allow a remote attacker to
execute code with the user's permissions. |
| Alerts: |
|
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2005-0005
|
| Created: | January 18, 2005 |
Updated: | March 23, 2005 |
| Description: |
According to this iDEFENSE advisory,
ImageMagick is vulnerable to a heap overflow when decoding .psd image
files. This could be remotely exploited allowing an attacker to execute
arbitrary code. |
| Alerts: |
|
Comments (1 posted)
imagemagick: format string vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2005-0397
|
| Created: | March 3, 2005 |
Updated: | April 4, 2005 |
| Description: |
The ImageMagick file
name handling code has a format string vulnerability.
Specially crafted file names can be used to crash ImageMagick
and possibly execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
kdelibs: unsanitzied input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kdenetwork: file descriptor leak
| Package(s): | kdenetwork |
CVE #(s): | CAN-2005-0205
|
| Created: | March 3, 2005 |
Updated: | March 16, 2005 |
| Description: |
The kdenetwork networking applications package has a bug
with the handling of privileged file descriptors in kppp.
A local user can use this to modify the /etc/hosts
and /etc/resolv.conf files, allowing them to
spoof domain information. |
| Alerts: |
|
Comments (none posted)
less: heap based buffer overflow
| Package(s): | less |
CVE #(s): | CAN-2005-0086
|
| Created: | March 8, 2005 |
Updated: | March 9, 2005 |
| Description: |
Victor Ashik discovered a heap based buffer overflow in less, caused by
a patch added to the less package in Red Hat Linux 9. An attacker could
construct a carefully crafted file that could cause less to crash or
possibly execute arbitrary code when opened. |
| Alerts: |
|
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libexif: improper validation
| Package(s): | libexif |
CVE #(s): | CAN-2005-0664
|
| Created: | March 7, 2005 |
Updated: | April 15, 2005 |
| Description: |
Sylvain Defresne discovered that the EXIF library did not properly
validate the structure of the EXIF tags. By tricking a user to load an
image with a malicious EXIF tag, an attacker could exploit this to
crash the process using the library, or even execute arbitrary code
with the privileges of the process. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2004-1308
|
| Created: | December 22, 2004 |
Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 |
CVE #(s): | CAN-2005-0176
CAN-2005-0177
CAN-2005-0178
|
| Created: | February 15, 2005 |
Updated: | March 15, 2005 |
| Description: |
Michael Kerrisk noticed an insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the the RLIMIT_MEMLOCK limit (that is the
maximum size of shared memory that unprivileged users can acquire). This
allowed am unprivileged user process to unlock locked memory of other
processes, thereby allowing them to be swapped out. Usually locked shared
memory is used to store passphrases and other sensitive content which must
not be written to the swap space (where it could be read out even after a
reboot). (CAN-2005-0176)
OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly
set to 128 instead of 256. This caused a buffer overflow in some cases
which could be exploited to crash the kernel. (CAN-2005-177)
A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-178)
|
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
CVE #(s): | CAN-2004-1177
|
| Created: | January 10, 2005 |
Updated: | March 22, 2005 |
| Description: |
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page. |
| Alerts: |
|
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
CVE #(s): | CAN-2005-0202
|
| Created: | February 9, 2005 |
Updated: | July 13, 2005 |
| Description: |
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: |
|
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
CVE #(s): | CAN-2005-0534
CAN-2005-0535
CAN-2005-0536
|
| Created: | February 28, 2005 |
Updated: | June 13, 2005 |
| Description: |
A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mlterm: integer overflow
| Package(s): | mlterm |
CVE #(s): | |
| Created: | March 7, 2005 |
Updated: | March 9, 2005 |
| Description: |
mlterm is vulnerable to an integer overflow that can be triggered by
specifying a large image file as a background. This only effects users
that have compiled mlterm with the 'gtk' USE flag, which enables
gdk-pixbuf support. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
Mozilla and Mozilla Firefox: out of memory heap corruption
| Package(s): | mozilla firefox |
CVE #(s): | CAN-2005-0255
|
| Created: | March 1, 2005 |
Updated: | March 16, 2005 |
| Description: |
According to this iDEFENSE advisory, remote
exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow
an attacker to cause heap corruption, resulting in execution of arbitrary
code. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
|
| Created: | October 11, 2004 |
Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: |
|
Comments (none posted)
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
CVE #(s): | CAN-2005-0004
|
| Created: | January 18, 2005 |
Updated: | March 25, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program. |
| Alerts: |
|
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
CVE #(s): | CAN-2004-1287
|
| Created: | December 20, 2004 |
Updated: | May 4, 2005 |
| Description: |
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code. |
| Alerts: |
|
Comments (4 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
CVE #(s): | CAN-2004-0911
|
| Created: | October 4, 2004 |
Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: |
|
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-1014
|
| Created: | December 1, 2004 |
Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | June 22, 2005 |
| Description: |
Opera is vulnerable to several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpMyAdmin |
CVE #(s): | |
| Created: | March 4, 2005 |
Updated: | March 9, 2005 |
| Description: |
phpMyAdmin contains multiple vulnerabilities that could lead to command
execution, XSS issues and bypass of security restrictions. See PMASA-2005-1
and PMASA-2005-2
for details. |
| Alerts: |
|
Comments (none posted)
postfix: error in IPv6 handling
| Package(s): | postfix |
CVE #(s): | CAN-2005-0337
|
| Created: | February 4, 2005 |
Updated: | March 16, 2005 |
| Description: |
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i. e. erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address. |
| Alerts: |
|
Comments (1 posted)
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql |
CVE #(s): | CAN-2005-0244
CAN-2005-0245
CAN-2005-0246
CAN-2005-0247
|
| Created: | February 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions. |
| Alerts: |
|
Comments (none posted)
python: illegal function internals access
| Package(s): | python |
CVE #(s): | CAN-2005-0089
|
| Created: | February 3, 2005 |
Updated: | April 22, 2005 |
| Description: |
Python versions 2.2 and 2.3 has a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
RealPlayer: buffer overflows
| Package(s): | RealPlayer |
CVE #(s): | CAN-2005-0455
CAN-2005-0611
|
| Created: | March 3, 2005 |
Updated: | March 21, 2005 |
| Description: |
The RealPlayer media player has two buffer overflows
that can be exploited by playing specially crafted
SMIL and WAV files. This can allow a remote attacker to
execute code with the user's permissions. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
CVE #(s): | CAN-2004-0983
|
| Created: | November 8, 2004 |
Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles. |
| Alerts: |
|
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-1154
|
| Created: | December 16, 2004 |
Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: |
|
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
CVE #(s): | CAN-2004-1772
|
| Created: | October 1, 2004 |
Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
Squid: DNS response handling
| Package(s): | squid |
CVE #(s): | CAN-2005-0446
|
| Created: | February 18, 2005 |
Updated: | March 16, 2005 |
| Description: |
Handling of certain DNS responses trigger assertion failures. By returning
a specially crafted DNS response an attacker could cause Squid to crash by
triggering an assertion failure. |
| Alerts: |
|
Comments (none posted)
squid: race condition
| Package(s): | squid |
CVE #(s): | CAN-2005-0626
|
| Created: | March 8, 2005 |
Updated: | March 9, 2005 |
| Description: |
A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the
Netscape Set-Cookie recommendations for handling cookies in caches, may
cause Set-Cookie headers to be sent to other users, which allows attackers
to steal the related cookies. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-0075
CAN-2005-0103
CAN-2005-0104
|
| Created: | January 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a. |
| Alerts: |
|
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
CVE #(s): | CAN-2004-1051
|
| Created: | November 17, 2004 |
Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tiff: buffer overflows
| Package(s): | tiff |
CVE #(s): | CAN-2004-0803
|
| Created: | October 13, 2004 |
Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
UnAce: buffer overflow and directory traversal
| Package(s): | unace |
CVE #(s): | CAN-2005-0160
CAN-2005-0161
|
| Created: | February 28, 2005 |
Updated: | June 17, 2005 |
| Description: |
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161). |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2004-1125
|
| Created: | December 23, 2004 |
Updated: | April 1, 2005 |
| Description: |
xpdf has a
potential buffer overflow problem caused by insufficient input validation.
A specially crafted PDF file can allow an
attacker to execute code with privileges of the xpdf user. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: vulnerabilities on 64 bit platforms
| Package(s): | xpdf gpdf cups |
CVE #(s): | CAN-2005-0206
|
| Created: | February 18, 2005 |
Updated: | March 16, 2005 |
| Description: |
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities. |
| Alerts: |
|
Comments (none posted)
xv: filename handling vulnerability
| Package(s): | xv |
CVE #(s): | |
| Created: | March 4, 2005 |
Updated: | March 9, 2005 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw
in the handling of image filenames by xv. Successful exploitation would
require a victim to process a specially crafted image with a malformed
filename, potentially resulting in the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for March is out. Topics include
the breaking of SHA-1, two-factor authentication, ChoicePoint, and
Microsoft's "Ghostbuster" rootkit hunter. " This is too good an idea to abandon. Microsoft, if you're listening,
you should release this tool to the world. Make it public domain. Make
it open source, even. It's a great idea, and you deserve credit for
coming up with it."
Full Story (comments: 1)
Events
The CanSecWest Security Masters Dojo is happening May 3 and 4 in Vancouver, BC, Canada. It is described as " Advanced and intermediate security training
and technology enhancement for information
security professionals." Click below for the course details.
Full Story (comments: none)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|