|
|
| |
|
| |
Security
MD5 collisions
It may be time to retire MD5. The MD5 Message-Digest Algorithm
RFC says that "It is conjectured that it is computationally
infeasible to produce two messages having the same message digest, or to
produce any message having a given prespecified target message
digest." At the time, this may have been true -- the RFC was written
in 1992 -- but a number of researchers are finding that MD5 hashes aren't
as unique as one might like.
Within the last year several researchers have come forward with results
that show it's possible to create meaningful collisions of MD5 hashes. Dan
Kaminsky published "MD5 to
be considered harmful someday" (PDF) in December 2004; this paper
describes the creation of two executables with the same MD5 hash using a tool
called Stripwire (available here). Kaminsky writes
that this would be an "excellent vector for malicious developers to
get unsafe code past a group of auditors, perhaps to acquire a required
third party signature."
Alternatively, build tools themselves could be compromised to embed safe
versions of dangerous payloads in each build. At some later point, the
embedded payload could be safely "activated", without the MD5
changing. This has implications for Tripwire, DRM, and several package
management architectures.
Kaminksy isn't the only one to find ways around MD5. Vlastimil Klima
published Finding MD5 Collisions
- a Toy For a Notebook in March of this year, where he describes
finding MD5 collisions in 8 hours on a notebook PC with a 1.6 GHz
Pentium. Arjen Lenstra, Xiaoyun Wang and Benne de Weger published "a method for
constructing pairs of X.509 certificates where the "to be signed" parts
of the certificates form a collision for MD5. Xiaoyun Wang and Hongbo Yu
published a paper this year on how to break
MD5 (PDF) and other hash functions.
Now Stefan Lucks and Magnus Daum have come up with a method for
creating two documents with the same digital signature. Lucks and Daum
describe creating two postscript documents, using Wang and Yu's attack,
that have meaningful content and the same MD5 hash. They describe a
scenario between "Alice and her boss" where Alice creates two postscript
documents with the same MD5 hash. One, which is presented for a digital
signature, is a letter of recommendation - the other is a document granting
"Alice" access to confidential information.
The files are available for download from the Institute for Cryptology and
IT-Security website. If one opens the files with a text editor, the
content for both the letter of recommendation and the order are present,
but manipulated so that only one letter is displayed in a normal postscript
viewer. Lucks and Daum demonstrate that the MD5 hash collision attacks are
not just hypothetical attacks with no practical applications.
Given the number of practical attacks on MD5, it may be time to move to a
Federal
Information Processing Standards (FIPS) approved hash algorithm, such
as SHA-256, or SHA-512. Note that vulnerabilities have recently
been found in SHA-1, however, and NIST is already planning to phase it out by
2010.
Comments (10 posted)
New vulnerabilities
ettercap: format string vulnerability
| Package(s): | ettercap |
CVE #(s): | CAN-2005-1796
|
| Created: | June 13, 2005 |
Updated: | July 13, 2005 |
| Description: |
The Ettercap suite of networking tools has a
format string vulnerability that can be exploited by a
remote attacker for the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
gaim: remote DoS
| Package(s): | gaim |
CVE #(s): | CAN-2005-1269
|
| Created: | June 10, 2005 |
Updated: | June 14, 2005 |
| Description: |
A remote Denial of Service vulnerability was discovered in Gaim. By
initiating a file transfer with a file name containing certain
international characters (like an accented "a"), a remote attacker
could crash the Gaim client of an arbitrary Yahoo IM member. |
| Alerts: |
|
Comments (none posted)
gaim: denial of service
| Package(s): | gaim |
CVE #(s): | CAN-2005-1934
|
| Created: | June 15, 2005 |
Updated: | July 5, 2005 |
| Description: |
There's yet another remote vulnerability in gaim; this one affects MSN users, who can be subject to denial of service attacks via malicious messages.
|
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | July 12, 2005 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (none posted)
lutelwall: insecure temp file
| Package(s): | lutelwall |
CVE #(s): | CAN-2005-1879
|
| Created: | June 13, 2005 |
Updated: | June 14, 2005 |
| Description: |
The LutelWall firewall configuration tool has a vulnerability that
can allow a local user to create symbolic links in the temp file
directory, possibly overwriting arbitrary files. |
| Alerts: |
|
Comments (none posted)
mozilla firefox: javascript vulnerabilities
| Package(s): | mozilla firefox |
CVE #(s): | CAN-2005-1531
CAN-2005-1532
|
| Created: | June 9, 2005 |
Updated: | July 19, 2005 |
| Description: |
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly
implement certain security checks for script injection, which allows remote
attackers to execute script via "Wrapped" javascript.
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly limit
privileges of Javascript eval and Script objects in the calling context,
which allows remote attackers to conduct unauthorized activities via
"non-DOM property overrides," a variant of CAN-2005-1160. |
| Alerts: |
|
Comments (1 posted)
shtool: insecure temp file
| Package(s): | shtool |
CVE #(s): | CAN-2005-1751
CAN-2005-1759
|
| Created: | June 13, 2005 |
Updated: | June 23, 2005 |
| Description: |
GNU shtool, which is also used by ocaml-mysql,
has an insecure temp file vulnerability that can be exploited by a
local user to overwrite arbitrary files. |
| Alerts: |
|
Comments (none posted)
sysreport: information disclosure
| Package(s): | sysreport |
CVE #(s): | CAN-2005-1760
|
| Created: | June 13, 2005 |
Updated: | June 14, 2005 |
| Description: |
The sysreport hardware information utility has a vulnerability that
may allow a plain-text proxy server password to be exposed
in a report to a remote machine. |
| Alerts: |
|
Comments (none posted)
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1267
|
| Created: | June 9, 2005 |
Updated: | October 10, 2005 |
| Description: |
Several tcpdump protocol decoders contain programming errors which can
cause them to go into infinite loops. |
| Alerts: |
|
Comments (none posted)
telnet: information disclosure vulnerability
| Package(s): | telnet |
CVE #(s): | CAN-2005-0488
|
| Created: | June 14, 2005 |
Updated: | June 15, 2005 |
| Description: |
Telnet is vulnerable to an information disclosure issue. |
| Alerts: |
|
Comments (none posted)
wget: file overwrites and arbitrary code execution
| Package(s): | wget |
CVE #(s): | CAN-2004-1487
CAN-2004-1488
|
| Created: | June 9, 2005 |
Updated: | September 27, 2005 |
| Description: |
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite
certain files via a redirection URL containing a ".." that resolves to the
IP address of the malicious server, which bypasses wget's filtering for
".." sequences.
wget 1.8.x and 1.9.x does not filter or quote control characters when
displaying HTTP responses to the terminal, which may allow remote malicious
web servers to inject terminal escape sequences and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
cpio - file permissions error
| Package(s): | cpio |
CVE #(s): | CAN-1999-1572
|
| Created: | February 2, 2005 |
Updated: | July 19, 2005 |
| Description: |
Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: |
|
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
CVE #(s): | CAN-2005-0490
|
| Created: | February 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended buffer
lengths when decoded. |
| Alerts: |
|
Comments (none posted)
cvs: multiple vulnerabilities
| Package(s): | cvs |
CVE #(s): | CAN-2005-0753
|
| Created: | April 18, 2005 |
Updated: | July 13, 2005 |
| Description: |
CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error.
These can be used to launch a remote denial of service or to remotely
execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dbus: information disclosure
| Package(s): | dbus |
CVE #(s): | CAN-2005-0201
|
| Created: | June 8, 2005 |
Updated: | August 30, 2005 |
| Description: |
From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another
user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening. |
| Alerts: |
|
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
CVE #(s): | CAN-2004-1006
|
| Created: | November 4, 2004 |
Updated: | July 13, 2005 |
| Description: |
Dhcp has a format string vulnerability in the log functions of dhcp 2.x
that may be exploited via a malicious DNS server. |
| Alerts: |
|
Comments (none posted)
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq |
CVE #(s): | |
| Created: | April 4, 2005 |
Updated: | July 21, 2005 |
| Description: |
Dnsmasq does not properly detect that DNS replies received do not
correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux
Security Audit team also discovered two off-by-one buffer overflows that
could crash DHCP lease files parsing. |
| Alerts: |
|
Comments (none posted)
Dzip: directory traversal
| Package(s): | dzip |
CVE #(s): | |
| Created: | June 6, 2005 |
Updated: | June 8, 2005 |
| Description: |
Dzip is vulnerable to a directory traversal attack when extracting
archives. An attacker could exploit this vulnerability by creating a
specially crafted archive to extract files to arbitrary locations. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: message crash vulnerability
| Package(s): | evolution |
CVE #(s): | CAN-2005-0806
|
| Created: | March 17, 2005 |
Updated: | August 11, 2005 |
| Description: |
The Evolution mail client can be crashed when reading
certain types of messages. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
FreeRADIUS: buffer overflow and SQL injection
| Package(s): | freeradius |
CVE #(s): | CAN-2005-1454
CAN-2005-1455
|
| Created: | May 17, 2005 |
Updated: | June 23, 2005 |
| Description: |
Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS
1.0.2 and earlier may be vulnerable to a buffer overflow. He also
discovered that FreeRADIUS fails to sanitize user-input before using it in
a SQL query, possibly allowing SQL command injection. |
| Alerts: |
|
Comments (1 posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
CVE #(s): | CAN-2005-0372
CAN-2004-1376
|
| Created: | February 17, 2005 |
Updated: | July 13, 2005 |
| Description: |
gftp has a directory traversal vulnerability.
A remote server could use specially crafted filenames to overwrite
local files.
|
| Alerts: |
|
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
CVE #(s): | CAN-2005-0366
|
| Created: | March 16, 2005 |
Updated: | August 19, 2005 |
| Description: |
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | September 16, 2005 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gxine: format string vulnerability
| Package(s): | gxine |
CVE #(s): | CAN-2005-1692
|
| Created: | May 26, 2005 |
Updated: | July 23, 2005 |
| Description: |
The gxine media player has a format string vulnerability in the
hostname decoding function. A specially crafted file can be used
to cause a user to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gzip: race condition and directory traversal
| Package(s): | gzip |
CVE #(s): | CAN-2005-0988
CAN-2005-1228
|
| Created: | May 4, 2005 |
Updated: | July 13, 2005 |
| Description: |
gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
|
| Alerts: |
|
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
ImageMagick: xwd coder denial of service
| Package(s): | ImageMagick |
CVE #(s): | CAN-2005-1739
|
| Created: | May 26, 2005 |
Updated: | July 19, 2005 |
| Description: |
The xwd coder in ImageMagick has a vulnerability that
can be accessed by working on a maliciously created image.
A denial of service can result. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
infozip: privilege escalation, directory-traversal
| Package(s): | infozip |
CVE #(s): | CAN-2003-0282
CAN-2004-1010
CAN-2005-0602
|
| Created: | May 2, 2005 |
Updated: | August 1, 2005 |
| Description: |
InfoZip reports that Zip 2.3 and
(presumably) all previous versions have a buffer-overrun vulnerability
relating to deep directory paths that could potentially lead to local
privilege escalation (e.g., in the case of automated, Zip-based backups).
All versions of UnZip through 5.50 have a number of directory-traversal
vulnerabilities. |
| Alerts: |
|
Comments (1 posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdbg: command injection vulnerability
| Package(s): | kdbg |
CVE #(s): | CAN-2003-0644
|
| Created: | June 2, 2005 |
Updated: | June 8, 2005 |
| Description: |
Versions of the kdbg debugger from 1.1.0 through 1.2.8 have a problem
with permission checking in the .kdbgrc run command file.
A local user may use this to inject malicious commands in the file. |
| Alerts: |
|
Comments (none posted)
kdelibs: unsanitzied input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-0400
CAN-2005-0749
CAN-2005-0750
CAN-2005-0815
CAN-2005-0839
|
| Created: | April 1, 2005 |
Updated: | July 1, 2005 |
| Description: |
More kernel vulnerabilities have been discovered including:
- Mathieu Lafon discovered
an information leak in the ext2 file system driver. (CAN-2005-0400)
- Yichen Xie discovered a Denial of Service vulnerability in the ELF
loader. (CAN-2005-0749)
- Ilja van Sprundel discovered that the bluez_sock_create() function
did not check its "protocol" argument for negative values.
(CAN-2005-0750)
- Michal Zalewski discovered that the iso9660 file system driver fails
to check ranges properly in several cases. (CAN-2005-0815)
- Previous kernels did not restrict the use of the N_MOUSE line
discipline in the serial driver. (CAN-2005-0839)
|
| Alerts: |
|
Comments (1 posted)
kernel: ELF loader core dump vulnerability
| Package(s): | kernel |
CVE #(s): | CAN-2005-1263
|
| Created: | May 11, 2005 |
Updated: | August 25, 2005 |
| Description: |
Paul Starzetz has posted an
advisory for yet another kernel vulnerability.
In this case, by using a specially manipulated ELF binary, a local attacker
can compromise the system (via the core dump code) and obtain root access.
This vulnerability affects all kernels from 2.2 through 2.6.12-rc4. |
| Alerts: |
|
Comments (none posted)
kernel: local denial of service, possible compromise
| Package(s): | kernel |
CVE #(s): | CAN-2005-0756
CAN-2005-1265
|
| Created: | June 8, 2005 |
Updated: | June 9, 2005 |
| Description: |
The mmap() system call does not perform proper checking of its parameters, leading to a possible kernel crash and possible code execution.
The ptrace() system call does not perform proper checking of addresses (on the x86-64 platform only), leading to a possible kernel crash. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kimgio input validation errors
| Package(s): | kimgio |
CVE #(s): | CAN-2005-1046
|
| Created: | April 22, 2005 |
Updated: | July 19, 2005 |
| Description: |
KDE has issued a security advisory for
kimgio. This is found in kdelibs as shipped with KDE 3.2 up to including
KDE 3.4. kimgio contains a PCX image file format reader that does not
properly perform input validation. A source code audit performed by the KDE
security team discovered several vulnerabilities in the PCX and other image
file format readers, some of them exploitable to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 17, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
| |
|