|
|
| |
|
| |
Security
As Fedora Core 2 (FC2) is transferred to the Fedora Legacy Project, some users may
be surprised to find that the project will be focusing only on the i386
platform, leaving users of FC2 on x86_64 platforms to fend for themselves
when it comes to security updates and bugfixes.
For those not familiar with Fedora Legacy, the project provides support for
Red Hat 7.3, Red Hat 9, and Fedora Core releases past their "end-of-life."
With Fedora Core releases, the project uses a "1-2-3 and out" policy. When
Red Hat's Fedora team stops providing support for an FC release, the Fedora
Legacy project begins maintaining the release, for two additional
releases. Note that the idea behind the Legacy project is not to provide
new packages for retired releases, but only to provide security updates and
necessary fixes. Users who want the newest software need to look to newer
FC releases.
Unlike Fedora Core, the Fedora Legacy project is not directly sponsored by
Red Hat, though the group does receive some assistance from Red Hat. We
talked to Jesse Keating, Fedora Legacy Project Leader, about the lack of
support for FC2 on x86_64, what alternatives users have, and whether the
project will be supporting future x86_64 releases.
Keating said that the project lacks the developers to keep up with x86_64 in
addition to maintaining i386 versions of FC:
Primarily it is lack of developers/testers for package testing and
approval. Starting off with the small set we have, and trying to subset
them into x86_64 users is pretty tough. Further reasons include lack of
physical resources (build hardware, rack space, bandwidth), build software
changes, and publishing changes necessary to handle x86_64.
Indeed, it does seem that the Legacy project is a bit short-staffed. The (volunteer) positions page
lists quite a few vacancies.
We also asked Keating how the project was building packages, whether they
used a system similar to Debian buildd or something else. Keating said
that the project is using a version of mach to
build packages, and that they're looking to have a system that can produce
i386 and x86_64 packages.
This allows us to build in a fresh chroot each time, and do multiple builds
of a package for different RH/FC releases. It works pretty well for what
we need it for. In the near future we will look at moving to the new
Fedora Extras build system that is currently in development. Our goal is
to be able to have one build system we can use to produce both 32bit and
64bit packages. Currently 32bit packages have to be built on a 32bit host
and 64bit packages will have to be built on a 64bit host. The main build
hardware that Pogo Linux donated to the project is x86_64 capable (dual
Opteron) but we're using it in a 32bit mode currently. Given the price of
rack space and bandwidth and all things associated we may not be able to
afford a second 64bit build system. So we'll probably have to wait until
the new build software is complete and re-design/deploy our Legacy build
server.
Users who are in no hurry to upgrade to later FC releases can try building
the source RPMs on x86_64. Keating invited those users to offer feedback on
the packages, and said that users "typically" don't run into
issues when trying to compile i386 packages on x86_64.
Keating did say that it's likely that there would be support for x86_64 in
the future, given that there are more users for x86_64 with each new FC
release. Since the Legacy project is strictly a volunteer operation, the
best way to see to it that there is support for x86_64 is for users to get
involved with the project.
Comments (3 posted)
New vulnerabilities
Convert-UUlib: buffer overflow
| Package(s): | Convert-UUlib |
CVE #(s): | |
| Created: | April 26, 2005 |
Updated: | April 27, 2005 |
| Description: |
A vulnerability has been reported in Convert-UUlib where a malformed
parameter can be provided by an attacker allowing a read operation to
overflow a buffer. The vendor credits Mark Martinec and Robert Lewis
with the discovery. |
| Alerts: |
|
Comments (none posted)
eGroupWare: XSS and SQL injection vulnerabilities
| Package(s): | eGroupWare |
CVE #(s): | |
| Created: | April 25, 2005 |
Updated: | April 27, 2005 |
| Description: |
Multiple SQL injection and cross-site scripting vulnerabilities have been
found in several eGroupWare modules. An attacker could possibly use the
SQL injection vulnerabilities to gain information from the database.
Furthermore the cross-site scripting issues give an attacker the ability to
inject and execute malicious script code or to steal cookie based
authentication credentials, potentially compromising the victim's browser. |
| Alerts: |
|
Comments (none posted)
kimgio input validation errors
| Package(s): | kimgio |
CVE #(s): | CAN-2005-1046
|
| Created: | April 22, 2005 |
Updated: | July 19, 2005 |
| Description: |
KDE has issued a security advisory for
kimgio. This is found in kdelibs as shipped with KDE 3.2 up to including
KDE 3.4. kimgio contains a PCX image file format reader that does not
properly perform input validation. A source code audit performed by the KDE
security team discovered several vulnerabilities in the PCX and other image
file format readers, some of them exploitable to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
Kommander untrusted code execution
| Package(s): | kommander |
CVE #(s): | CAN-2005-0754
|
| Created: | April 22, 2005 |
Updated: | May 20, 2005 |
| Description: |
KDE has issued a security advisory for
Kommander. Quanta 3.1.x, KDE 3.2 and new up to including KDE 3.4.0 are
vulnerable. Kommander executes without user confirmation data files from
possibly untrusted locations. As they contain scripts, the user might
accidentally run arbitrary code. |
| Alerts: |
|
Comments (none posted)
lsh: buffer overflow and more
| Package(s): | lsh-utils |
CVE #(s): | CAN-2003-0826
CAN-2005-0814
|
| Created: | April 27, 2005 |
Updated: | April 27, 2005 |
| Description: |
The lsh implementation of SSH2 suffers from a number of vulnerabilities, including an exploitable buffer overflow. |
| Alerts: |
|
Comments (none posted)
openmosixview: insecure temp file
| Package(s): | openmosixview |
CVE #(s): | CAN-2005-0894
|
| Created: | April 21, 2005 |
Updated: | April 27, 2005 |
| Description: |
openMosixview and the openMosixcollector daemon can create an
insecure temporary file, this can be exploited by a local user
to overwrite arbitrary files via symbolic links. |
| Alerts: |
|
Comments (none posted)
Rootkit Hunter: insecure temporary file creation
| Package(s): | rkhunter |
CVE #(s): | CAN-2005-1270
|
| Created: | April 26, 2005 |
Updated: | April 27, 2005 |
| Description: |
Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux
Security Team have reported that the check_update.sh script and the
main rkhunter script insecurely creates several temporary files with
predictable filenames. |
| Alerts: |
|
Comments (none posted)
xine-lib: two heap overflow vulnerabilities
| Package(s): | xine-lib |
CVE #(s): | CAN-2005-1195
|
| Created: | April 26, 2005 |
Updated: | June 2, 2005 |
| Description: |
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). See Xine Advisory
XSA-2004-8 for details. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
cdrecord: insecure temp file
| Package(s): | cdrecord |
CVE #(s): | CAN-2005-0866
|
| Created: | March 24, 2005 |
Updated: | April 28, 2005 |
| Description: |
The cdrecord utility makes insecure temp files if DEBUG is
enabled in /etc/cdrecord/rscsi. This can allow a local user
to launch a sym link attack and execute code with the user's
privileges. |
| Alerts: |
|
Comments (1 posted)
cpio - file permissions error
| Package(s): | cpio |
CVE #(s): | CAN-1999-1572
|
| Created: | February 2, 2005 |
Updated: | July 19, 2005 |
| Description: |
Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: |
|
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
CVE #(s): | CAN-2005-0490
|
| Created: | February 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended buffer
lengths when decoded. |
| Alerts: |
|
Comments (none posted)
cvs: multiple vulnerabilities
| Package(s): | cvs |
CVE #(s): | CAN-2005-0753
|
| Created: | April 18, 2005 |
Updated: | July 13, 2005 |
| Description: |
CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error.
These can be used to launch a remote denial of service or to remotely
execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq |
CVE #(s): | |
| Created: | April 4, 2005 |
Updated: | July 21, 2005 |
| Description: |
Dnsmasq does not properly detect that DNS replies received do not
correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux
Security Audit team also discovered two off-by-one buffer overflows that
could crash DHCP lease files parsing. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
CVE #(s): | CAN-2005-0102
|
| Created: | January 24, 2005 |
Updated: | May 19, 2005 |
| Description: |
Max Vozeler discovered an integer overflow in camel-lock-helper. A
user-supplied length value was not validated, so that a value of -1
caused a buffer allocation of 0 bytes; this buffer was then filled by
an arbitrary amount of user-supplied data. A local attacker or a malicious
POP3 server could exploit this to execute arbitrary code with root
privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: |
|
Comments (1 posted)
evolution: message crash vulnerability
| Package(s): | evolution |
CVE #(s): | CAN-2005-0806
|
| Created: | March 17, 2005 |
Updated: | August 11, 2005 |
| Description: |
The Evolution mail client can be crashed when reading
certain types of messages. |
| Alerts: |
|
Comments (none posted)
f2c: insecure temp files
| Package(s): | f2c |
CVE #(s): | CAN-2005-0017
CAN-2005-0018
|
| Created: | January 27, 2005 |
Updated: | April 20, 2005 |
| Description: |
The f2c fortran to C translator has a vulnerability due to
insecure opening of temporary files. A local attacker can use this
to launch a symlink attack. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
CVE #(s): | CAN-2005-0472
CAN-2005-0473
|
| Created: | February 22, 2005 |
Updated: | April 27, 2005 |
| Description: |
The Gaim client freezes when receiving certain invalid messages and crashes
when receiving specific malformed HTML. See this Secunia Advisory for
additional information. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow, DoS
| Package(s): | gaim |
CVE #(s): | CAN-2005-0965
CAN-2005-0966
|
| Created: | April 5, 2005 |
Updated: | May 15, 2005 |
| Description: |
Jean-Yves Lefort discovered a buffer overflow in the
gaim_markup_strip_html() function. This caused Gaim to crash when
receiving certain malformed HTML messages. (CAN-2005-0965)
Jean-Yves Lefort also noticed that many functions that handle IRC
commands do not escape received HTML metacharacters; this allowed
remote attackers to cause a Denial of Service by injecting arbitrary
HTML code into the conversation window, popping up arbitrarily many
empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966) |
| Alerts: |
|
Comments (none posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
geneweb: insecure file operations
| Package(s): | geneweb |
CVE #(s): | CAN-2005-0391
|
| Created: | April 19, 2005 |
Updated: | April 20, 2005 |
| Description: |
Tim Dijkstra discovered a problem during the upgrade of geneweb, a
genealogy software with web interface. The maintainer scripts
automatically converted files without checking their permissions and
content, which could lead to the modification of arbitrary files. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
CVE #(s): | CAN-2005-0372
CAN-2004-1376
|
| Created: | February 17, 2005 |
Updated: | July 13, 2005 |
| Description: |
gftp has a directory traversal vulnerability.
A remote server could use specially crafted filenames to overwrite
local files.
|
| Alerts: |
|
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
CVE #(s): | CAN-2005-0366
|
| Created: | March 16, 2005 |
Updated: | August 19, 2005 |
| Description: |
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
htdig: unescaped output
| Package(s): | htdig |
CVE #(s): | |
| Created: | April 19, 2005 |
Updated: | April 20, 2005 |
| Description: |
Unescaped output in htsearch and qtest causes security problems. |
| Alerts: |
|
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
info2www: missing input sanitizing
| Package(s): | info2www |
CVE #(s): | CAN-2004-1341
|
| Created: | April 19, 2005 |
Updated: | April 20, 2005 |
| Description: |
Nicolas Gregoire discovered a cross-site scripting vulnerability in
info2www, a converter for info files to HTML. A malicious person could
place a harmless looking link on the web that could cause arbitrary
commands to be executed in a user's browser. |
| Alerts: |
|
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdelibs: unsanitzied input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kdelibs: dcopserver vulnerability
| Package(s): | kdelibs |
CVE #(s): | CAN-2005-0396
CAN-2005-0237
CAN-2005-0365
|
| Created: | March 17, 2005 |
Updated: | May 17, 2005 |
| Description: |
The KDE Desktop Communication Protocol daemon (dcopserver)
is vulnerable to lockup by a local user, leading to a denial
of service. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-0400
CAN-2005-0749
CAN-2005-0750
CAN-2005-0815
CAN-2005-0839
|
| Created: | April 1, 2005 |
Updated: | July 1, 2005 |
| Description: |
More kernel vulnerabilities have been discovered including:
- Mathieu Lafon discovered
an information leak in the ext2 file system driver. (CAN-2005-0400)
- Yichen Xie discovered a Denial of Service vulnerability in the ELF
loader. (CAN-2005-0749)
- Ilja van Sprundel discovered that the bluez_sock_create() function
did not check its "protocol" argument for negative values.
(CAN-2005-0750)
- Michal Zalewski discovered that the iso9660 file system driver fails
to check ranges properly in several cases. (CAN-2005-0815)
- Previous kernels did not restrict the use of the N_MOUSE line
discipline in the serial driver. (CAN-2005-0839)
|
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2004-1308
|
| Created: | December 22, 2004 |
Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
logwatch: denial of service
| Package(s): | logwatch |
CVE #(s): | CAN-2005-1061
|
| Created: | April 19, 2005 |
Updated: | April 20, 2005 |
| Description: |
A bug was found in the logwatch secure script. If an attacker is able to
inject an arbitrary string into the /var/log/secure file, it is possible to
prevent logwatch from detecting malicious activity. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
CVE #(s): | CAN-2005-0202
|
| Created: | February 9, 2005 |
Updated: | July 13, 2005 |
| Description: |
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: |
|
Comments (none posted)
mc: buffer overflow
| Package(s): | mc |
CVE #(s): | CAN-2005-0763
|
| Created: | March 29, 2005 |
Updated: | August 11, 2005 |
| Description: |
An unfixed buffer overflow has been discovered by Andrew V. Samoilov
in mc, the midnight commander, a file browser and manager. |
| Alerts: |
|
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
CVE #(s): | CAN-2005-0534
CAN-2005-0535
CAN-2005-0536
|
| Created: | February 28, 2005 |
Updated: | June 13, 2005 |
| Description: |
A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
monkeyd: multiple vulnerabilities
| Package(s): | monkeyd |
CVE #(s): | |
| Created: | April 15, 2005 |
Updated: | April 20, 2005 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
double expansion error in monkeyd, resulting in a format string
vulnerability. Ciaran McCreesh of Gentoo Linux discovered a Denial of
Service vulnerability, a syntax error caused monkeyd to zero out
unallocated memory should a zero byte file be requested. |
| Alerts: |
|
Comments (none posted)
Mozilla Firefox, Mozilla Suite: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2005-0989
|
| Created: | April 19, 2005 |
Updated: | July 18, 2005 |
| Description: |
The following vulnerabilities were found and fixed in the Mozilla Suite
and Mozilla Firefox:
- Vladimir V. Perepelitsa reported a memory disclosure bug in
JavaScript's regular expression string replacement when using an
anonymous function as the replacement argument (CAN-2005-0989).
- moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM
nodes from the content window, allowing privilege escalation via DOM
property overrides.
- Michael Krax reported a possibility to run JavaScript code with
elevated privileges through the use of javascript: favicons.
- Michael Krax also discovered that malicious Search plugins could
run JavaScript in the context of the displayed page or stealthily
replace existing search plugins.
- shutdown discovered a technique to pollute the global scope of a
window in a way that persists from page to page.
- Doron Rosenberg discovered a possibility to run JavaScript with
elevated privileges when the user asks to "Show" a blocked popup that
contains a JavaScript URL.
- Finally, Georgi Guninski reported missing Install object instance
checks in the native implementations of XPInstall-related JavaScript
objects.
The following Firefox-specific vulnerabilities have also been
discovered:
- Kohei Yoshino discovered a new way to abuse the sidebar panel to
execute JavaScript with elevated privileges.
- Omar Khan reported that the Plugin Finder Service can be tricked to
open javascript: URLs with elevated privileges.
|
| Alerts: |
|
Comments (none posted)
MPlayer: heap overflows
| Package(s): | mplayer |
CVE #(s): | |
| Created: | April 20, 2005 |
Updated: | July 12, 2005 |
| Description: |
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). By setting up a
malicious server and enticing a user to use its streaming data, a remote
attacker could possibly execute arbitrary code on the client computer with
the permissions of the user running MPlayer. |
| Alerts: |
|
Comments (none posted)
MySQL: input validation and temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2005-0709
CAN-2005-0710
CAN-2005-0711
|
| Created: | March 16, 2005 |
Updated: | July 19, 2005 |
| Description: |
MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
|
| Alerts: |
|
Comments (none posted)
MySQL: privilege escalation
| Package(s): | MySQL |
CVE #(s): | CAN-2004-0957
|
| Created: | April 14, 2005 |
Updated: | April 20, 2005 |
| Description: |
MySQL has a vulnerability in which a user with grant privileges
can can grant privileges in other databases. In order to use this
exploit, the database must have an underscore character in the name. |
| Alerts: |
|
Comments (1 posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
CVE #(s): | CAN-2004-1287
|
| Created: | December 20, 2004 |
Updated: | May 4, 2005 |
| Description: |
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code. |
| Alerts: |
|
Comments (4 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-1014
|
| Created: | December 1, 2004 |
Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
OpenOffice.org: .doc parser buffer overflow
| Package(s): | openoffice.org |
CVE #(s): | CAN-2005-0941
|
| Created: | April 13, 2005 |
Updated: | May 13, 2005 |
| Description: |
OpenOffice.org suffers from a buffer overflow in the parsing code for MS Word files; see this advisory for details. Since this vulnerability could conceivably be exploited via files received in email messages, it should be taken seriously. |
| Alerts: |
|
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | June 22, 2005 |
| Description: |
Opera is vulnerable to several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: |
|
Comments (none posted)
php4: integer overflow and denial of service
| Package(s): | php4 |
CVE #(s): | CAN-2005-1042
CAN-2005-1043
|
| Created: | April 14, 2005 |
Updated: | July 13, 2005 |
| Description: |
The php4 EXIF module has two vulnerabilities. An
integer overflow in the exif_process_IFD_TAG() function
can be exploited to cause a buffer overflow for the
purpose of arbitrary code execution.
EXIF headers with a large IFD nesting level can be used
to cause a denial of service. Remote exploits are possible. |
| Alerts: |
|
Comments (none posted)
php4: denial of service vulnerabilities
| Package(s): | php4 |
CVE #(s): | CAN-2005-0524
CAN-2005-0525
|
| Created: | April 5, 2005 |
Updated: | May 26, 2005 |
| Description: |
Two DoS vulnerabilities exist in PHP versions 4.2.2, 4.3.9, 4.3.10 and
5.0.3. One in the php_handle_iff function in image.c allows remote
attackers to cause a denial of service (infinite loop) via a -8 size
value. The php_next_marker function in image.c allows remote attackers to
cause a denial of service (infinite loop) via a JPEG image with an invalid
marker value, which causes a negative length value to be passed to
php_stream_seek. This later vulnerability also exists in PHP 3. |
| Alerts: |
|
Comments (none posted)
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql |
CVE #(s): | CAN-2005-0244
CAN-2005-0245
CAN-2005-0246
CAN-2005-0247
|
| Created: | February 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions. |
| Alerts: |
|
Comments (none posted)
python: illegal function internals access
| Package(s): | python |
CVE #(s): | CAN-2005-0089
|
| Created: | February 3, 2005 |
Updated: | April 22, 2005 |
| Description: |
Python versions 2.2 and 2.3 has a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
realplayer: arbitrary code execution
| Package(s): | realplayer helixplayer |
CVE #(s): | CAN-2005-0755
|
| Created: | April 20, 2005 |
Updated: | June 27, 2005 |
| Description: |
RealNetworks, Inc. has fixed a
security vulnerability that offered the potential for an attacker to
run arbitrary or malicious code on a customer's machine. Linux RealPlayer
10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
CVE #(s): | CAN-2004-0983
|
| Created: | November 8, 2004 |
Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles. |
| Alerts: |
|
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-1154
|
| Created: | December 16, 2004 |
Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: |
|
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
CVE #(s): | CAN-2004-1772
|
| Created: | October 1, 2004 |
Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: denial of service
| Package(s): | squid |
CVE #(s): | CAN-2005-0718
|
| Created: | April 14, 2005 |
Updated: | April 29, 2005 |
| Description: |
Squid has a remote denial of service vulnerability that can be
triggered by a remote connection abort during a PUT or POST request,
leading to an eventual server crash. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-0075
CAN-2005-0103
CAN-2005-0104
|
| Created: | January 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a. |
| Alerts: |
|
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
CVE #(s): | CAN-2004-1051
|
| Created: | November 17, 2004 |
Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
telnet: buffer overflows
| Package(s): | telnet |
CVE #(s): | CAN-2005-0468
CAN-2005-0469
|
| Created: | March 28, 2005 |
Updated: | August 1, 2005 |
| Description: |
Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server. |
| Alerts: |
|
Comments (none posted)
UnAce: buffer overflow and directory traversal
| Package(s): | unace |
CVE #(s): | CAN-2005-0160
CAN-2005-0161
|
| Created: | February 28, 2005 |
Updated: | June 17, 2005 |
| Description: |
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161). |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another users crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xloadimage: missing input sanitizing, integer overflow
| Package(s): | xloadimage |
CVE #(s): | CAN-2005-0638
CAN-2005-0639
|
| Created: | March 21, 2005 |
Updated: | May 4, 2005 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw
in the handling of compressed images, where shell meta-characters are not
adequately escaped. CAN-2005-0638
Insufficient validation of image properties in have been discovered which
could potentially result in buffer management errors. CAN-2005-0639
|
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
XV: multiple vulnerabilities
| Package(s): | xv |
CVE #(s): | |
| Created: | April 19, 2005 |
Updated: | July 19, 2005 |
| Description: |
Greg Roelofs has reported multiple input validation errors in XV image
decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has
reported insufficient validation in the PDS (Planetary Data System)
image decoder, format string vulnerabilities in the TIFF and PDS
decoders, and insufficient protection from shell meta-characters in
malformed filenames. Successful exploitation would require a victim to
view a specially created image file using XV, potentially resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|