LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
An OpenOffice.org vulnerability
Many OpenOffice.org users have felt secure in using OpenOffice.org to open Microsoft Office files, assuming that the malware that attacks Microsoft Office would not affect the OpenOffice.org suite.
That may well be true, but it looks like the OpenOffice.org suite has a problem of its own. The OpenOffice.org suite has a vulnerability in its handling of .doc files. The flaw was discovered at the end of March, and was reported to the full-disclosure mailing list on Monday. The vulnerability affects the 1.1.4 and 2.0 series of the OpenOffice.org suite. It's unclear whether the vulnerability affects StarOffice, but it seems likely that it would.
According to the Secunia
advisory the problem is a boundary error in the
"StgCompObjStream::Load()" function used to process .doc
files. Theoretically, this vulnerability could be exploited to execute code in
almost all versions of OpenOffice.org if a user opens a specially-crafted document.
The vulnerability has been labeled
"moderately critical" by Secunia, because it could allow a system to be
compromised, but requires user interaction.
We touched base with OpenOffice.org community manager Louis Suarez-Potts about the bug. According to Suarez-Potts, work "began immediately" when the vulnerability was discovered, and the project is testing the patch on all platforms and languages supported by the OpenOffice.org suite.
At this time, Suarez-Potts says that the project is not aware of any real-world exploits of this vulnerability. The vulnerability exists on all platforms, but he said that he has "no idea" if it would be possible to craft a document to do something harmful on all platforms, or if it would only be possible to target one platform with a malformed .doc file.
It does seem likely that the OpenOffice.org project will be targeted more frequently by malware authors as it gains in popularity, though Suarez-Potts says that OpenOffice.org is "not as fun a target as MSFT."
This should serve as a cautionary tale for users of the OpenOffice.org suite. While this particular vulnerability was discovered before any exploits appeared in the wild, it's possible that exploits for future vulnerabilities could appear before the first report. Even though OpenOffice.org has a much better track record than Microsoft Office, users should exercise caution when opening any document from an untrusted source.
The LWN vulnerability database entry for this bug will track updates as they become available.
New vulnerabilities
Axel: vulnerability in HTTP redirection handling
| Package(s): | axel | CVE #(s): | CAN-2005-0390 | ||||||
| Created: | April 12, 2005 | Updated: | April 13, 2005 | ||||||
| Description: | A possible buffer overflow has been reported in the HTTP redirection handling code in conn.c. A remote attacker could exploit this vulnerability by setting up a malicious site and enticing a user to connect to it. This could possibly lead to the execution of arbitrary code with the permissions of the user running Axel. | ||||||||
| Alerts: |
| ||||||||
gld: multiple vulnerabilities
| Package(s): | gld | CVE #(s): | ||||
| Created: | April 13, 2005 | Updated: | April 13, 2005 | |||
| Description: | The Postfix graylisting daemon (gld), through version 1.4, contains several remotely exploitable buffer overflow vulnerabilities. See this advisory for details. | |||||
| Alerts: |
| |||||
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster | CVE #(s): | CVE-2005-1108 CVE-2005-1109 | ||||||
| Created: | April 13, 2005 | Updated: | November 5, 2005 | ||||||
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. | ||||||||
| Alerts: |
| ||||||||
kernel: arbitrary code execution, DoS
| Package(s): | kernel | CVE #(s): | CAN-2005-0867 CAN-2005-0937 | ||||||
| Created: | April 11, 2005 | Updated: | April 19, 2005 | ||||||
| Description: | Alexander Nyberg discovered an integer overflow in the sysfs_write_file()
function. A local attacker could exploit this to crash the kernel or
possibly even execute arbitrary code with root privileges by writing to an
user-writable file in /sys under certain low-memory conditions. However,
there are very few cases where a user-writeable sysfs file actually
exists. (CAN-2005-0867)
Olof Johansson discovered a Denial of Service vulnerability in the futex functions, which provide semaphores for exclusive locking of resources. A local attacker could possibly exploit this to cause a kernel deadlock. (CAN-2005-0937) | ||||||||
| Alerts: |
| ||||||||
OpenOffice.org: .doc parser buffer overflow
| Package(s): | openoffice.org | CVE #(s): | CAN-2005-0941 | |||||||||||||||||||||
| Created: | April 13, 2005 | Updated: | May 13, 2005 | |||||||||||||||||||||
| Description: | OpenOffice.org suffers from a buffer overflow in the parsing code for MS Word files; see this advisory for details. Since this vulnerability could conceivably be exploited via files received in email messages, it should be taken seriously. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
phpMyAdmin: cross-site scripting
| Package(s): | phpmyadmin | CVE #(s): | ||||
| Created: | April 11, 2005 | Updated: | April 13, 2005 | |||
| Description: | phpMyAdmin versions before 2.6.2-rc1 are vulnerable to a cross-site scripting attack. An attacker sending a specially-crafted request could inject and execute malicious script code. | |||||
| Alerts: |
| |||||
rsnapshot: symlink vulnerability
| Package(s): | rsnapshot | CVE #(s): | ||||
| Created: | April 13, 2005 | Updated: | April 13, 2005 | |||
| Description: | rsnapshot (prior to version 1.2.1) suffers from a symlink vulnerability. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
cdrecord: insecure temp file
| Package(s): | cdrecord | CVE #(s): | CAN-2005-0866 | ||||||
| Created: | March 24, 2005 | Updated: | April 28, 2005 | ||||||
| Description: | The cdrecord utility makes insecure temp files if DEBUG is enabled in /etc/cdrecord/rscsi. This can allow a local user to launch a sym link attack and execute code with the user's privileges. | ||||||||
| Alerts: |
| ||||||||
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 | |||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | July 19, 2005 | |||||||||||||||||||||
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
cURL: buffer overflow
| Package(s): | curl | CVE #(s): | CAN-2005-0490 | ||||||||||||||||||||||||
| Created: | February 28, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 | |||||||||
| Created: | November 4, 2004 | Updated: | July 13, 2005 | |||||||||
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. | |||||||||||
| Alerts: |
| |||||||||||
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq | CVE #(s): | |||||||
| Created: | April 4, 2005 | Updated: | July 21, 2005 | ||||||
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing. | ||||||||
| Alerts: |
| ||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
evolution: arbitrary code execution
| Package(s): | evolution | CVE #(s): | CAN-2005-0102 | ||||||||||||||||||
| Created: | January 24, 2005 | Updated: | May 19, 2005 | ||||||||||||||||||
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
evolution: message crash vulnerability
| Package(s): | evolution | CVE #(s): | CAN-2005-0806 | |||||||||||||||
| Created: | March 17, 2005 | Updated: | August 11, 2005 | |||||||||||||||
| Description: | The Evolution mail client can be crashed when reading certain types of messages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
f2c: insecure temp files
| Package(s): | f2c | CVE #(s): | CAN-2005-0017 CAN-2005-0018 | |||||||||
| Created: | January 27, 2005 | Updated: | April 20, 2005 | |||||||||
| Description: | The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. | |||||||||||
| Alerts: |
| |||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gaim: client freezes
| Package(s): | gaim | CVE #(s): | CAN-2005-0472 CAN-2005-0473 | ||||||||||||
| Created: | February 22, 2005 | Updated: | April 27, 2005 | ||||||||||||
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gaim: buffer overflow, DoS
| Package(s): | gaim | CVE #(s): | CAN-2005-0965 CAN-2005-0966 | |||||||||||||||||||||||||||
| Created: | April 5, 2005 | Updated: | May 15, 2005 | |||||||||||||||||||||||||||
| Description: | Jean-Yves Lefort discovered a buffer overflow in the
gaim_markup_strip_html() function. This caused Gaim to crash when
receiving certain malformed HTML messages. (CAN-2005-0965)
Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of Service by injecting arbitrary HTML code into the conversation window, popping up arbitrarily many empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966) | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 | ||||||||||||||||||||||||||||||||||||
| Created: | March 30, 2005 | Updated: | December 19, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gftp: missing input sanitizing
| Package(s): | gftp | CVE #(s): | CAN-2005-0372 CAN-2004-1376 | ||||||||||||||||||||||||
| Created: | February 17, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnupg: information leak
| Package(s): | gnupg | CVE #(s): | CAN-2005-0366 | |||||||||
| Created: | March 16, 2005 | Updated: | August 19, 2005 | |||||||||
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." | |||||||||||
| Alerts: |
| |||||||||||
grip: buffer overflow
| Package(s): | grip | CVE #(s): | CAN-2005-0706 | |||||||||||||||||||||||||||
| Created: | March 10, 2005 | Updated: | September 16, 2005 | |||||||||||||||||||||||||||
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
kdelibs: unsanitzied input
| Package(s): | kdelibs | CVE #(s): | CAN-2004-1165 | ||||||||||||||||||||||||
| Created: | January 10, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kdelibs: dcopserver vulnerability
| Package(s): | kdelibs | CVE #(s): | CAN-2005-0396 CAN-2005-0237 CAN-2005-0365 | ||||||||||||||||||||||||
| Created: | March 17, 2005 | Updated: | May 17, 2005 | ||||||||||||||||||||||||
| Description: | The KDE Desktop Communication Protocol daemon (dcopserver) is vulnerable to lockup by a local user, leading to a denial of service. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839 | |||||||||||||||||||||||||||||||||
| Created: | April 1, 2005 | Updated: | July 1, 2005 | |||||||||||||||||||||||||||||||||
| Description: | More kernel vulnerabilities have been discovered including:
| |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libXpm: new buffer overflows
| Package(s): | libXpm | CVE #(s): | CAN-2005-0605 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2005 | Updated: | March 8, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 | ||||||||||||||||||||||||
| Created: | January 25, 2005 | Updated: | March 2, 2006 | ||||||||||||||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libexif: improper validation
| Package(s): | libexif | CVE #(s): | CAN-2005-0664 | |||||||||||||||||||||
| Created: | March 7, 2005 | Updated: | April 15, 2005 | |||||||||||||||||||||
| Description: | Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user to load an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CAN-2004-1308 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 22, 2004 | Updated: | May 19, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
limewire: input validation errors
| Package(s): | limewire | CVE #(s): | CAN-2005-0788 CAN-2005-0789 | |||
| Created: | March 31, 2005 | Updated: | April 6, 2005 | |||
| Description: | LimeWire, a Java-based peer-to-peer client that works with the Gnutella file-sharing protocol, has two input validation errors that can allow a remote attacker to read arbitrary files with the permissions that LimeWire is running under. | |||||
| Alerts: |
| |||||
lvm10: creates insecure temporary directory
| Package(s): | lvm10 | CVE #(s): | CAN-2004-0972 | |||||||||||||||
| Created: | November 1, 2004 | Updated: | July 25, 2005 | |||||||||||||||
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mailman: path traversal
| Package(s): | mailman | CVE #(s): | CAN-2005-0202 | ||||||||||||||||||||||||||||||||||||
| Created: | February 9, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
mc: buffer overflow
| Package(s): | mc | CVE #(s): | CAN-2005-0763 | |||||||||
| Created: | March 29, 2005 | Updated: | August 11, 2005 | |||||||||
| Description: | An unfixed buffer overflow has been discovered by Andrew V. Samoilov in mc, the midnight commander, a file browser and manager. | |||||||||||
| Alerts: |
| |||||||||||
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | CAN-2005-0534 CAN-2005-0535 CAN-2005-0536 | ||||||
| Created: | February 28, 2005 | Updated: | June 13, 2005 | ||||||
| Description: | A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters. | ||||||||
| Alerts: |
| ||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mod_python: remote access vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2005-0088 | ||||||||||||||||||||||||||||||
| Created: | February 10, 2005 | Updated: | April 9, 2006 | ||||||||||||||||||||||||||||||
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
mysql: several vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2004-0835 CAN-2004-0836 CAN-2004-0837 | |||||
| Created: | October 11, 2004 | Updated: | April 6, 2005 | |||||
| Description: | Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837) | |||||||
| Alerts: |
| |||||||