LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Firefox buffer overflow and full disclosure
Tom Ferris announced a potentially exploitable buffer overflow in Firefox this week and the discussion surrounding the flaw has focused on the nature of the announcement more than the bug itself. Advocates of full disclosure and those opposed to it have clashed on various internet sites.The bug is in the handling of international domain names (IDN) and the proof of concept released by Ferris is a specially crafted URL that will cause Firefox 1.0.6 and earlier to crash. Unlike other similar bugs, the user does not need to actually follow the link, just parsing the URL in the page will cause Firefox to crash. It is not yet known whether a malicious person can exploit this to execute arbitrary code on the host but Ferris claims that it can be done in his bug report.
A workaround that disables IDN parsing was quickly released by the Mozilla team, and both Red Hat and Fedora released updates to fix the buffer overflow.
Complaints have been heard about the amount of time Ferris gave to the Mozilla team to fix the problem before he announced the flaw on the full-disclosure mailing list. His report states that he reported the problem on September 4, but the entry in bugzilla was made on September 6. He disclosed the problem on September 8 before a fix was available and many people find that to be irresponsible.
Full disclosure is a contentious issue and many people argue that security flaws should be reported to the author of the software, and that they should be given a 'reasonable' amount of time to investigate and fix the problem before it is announced to the world. The presumption is that the delay reduces or eliminates the possibility of an exploit being crafted while the program is vulnerable. The proponents of disclosure point out that it is quite possible that other people, possibly having bad intentions, know about the flaw already and are working on exploits or have already deployed them. Even if there is no known exploit 'in the wild', security conscious users may wish to stop using the affected program until it can be fixed, and without disclosure they do not have the information necessary to take that step.
An additional complication arises because Firefox has been touted as a more secure alternative to Internet Explorer and many less than technically savvy people have installed it. These users do not tend to frequent LWN or other sites that report on security issues and, unfortunately, are likely to ignore the problem even if they do find out about it. This problem is not unique to Firefox, of course, nor to free software in general, but as free software extends its reach, it is a problem that needs to be addressed. A widespread exploit in a free software package, even if the vulnerability has already been fixed, will provide the competition with ample opportunities to suggest that all free software is insecure.
New vulnerabilities
common-lisp-controller: design error
| Package(s): | common-lisp-controller | CVE #(s): | CAN-2005-2657 | ||||||
| Created: | September 14, 2005 | Updated: | November 21, 2005 | ||||||
| Description: | François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before. | ||||||||
| Alerts: |
| ||||||||
mozilla: buffer overflow
| Package(s): | mozilla | CVE #(s): | CAN-2005-2871 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 12, 2005 | Updated: | October 20, 2005 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Mozilla browser, Firefox and Thunderbird have a buffer overflow vulnerability. A local user can be tricked into clicking URL that can cause the local application to crash, and possibly execute arbitrary code. See this article for more information. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
mysql: buffer overflow
| Package(s): | mysql | CVE #(s): | CAN-2005-2558 | |||||||||||||||||||||||||||
| Created: | September 12, 2005 | Updated: | January 12, 2006 | |||||||||||||||||||||||||||
| Description: | The mysql CREATE FUNCTION can be used to create a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
tdiary: cross-site request forgery
| Package(s): | tdiary | CVE #(s): | CAN-2005-2411 | |||
| Created: | September 12, 2005 | Updated: | September 13, 2005 | |||
| Description: | The tdiary web log utility has a cross-site request forgery that can be used by remote attackers to alter a user's local information. | |||||
| Alerts: |
| |||||
util-linux: unintentional grant of privileges by umount
| Package(s): | util-linux | CVE #(s): | CAN-2005-2876 | |||||||||||||||||||||||||||||||||
| Created: | September 13, 2005 | Updated: | December 19, 2005 | |||||||||||||||||||||||||||||||||
| Description: | Linux umount command as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
xorg-x11: heap overflow
| Package(s): | xorg-x11 | CVE #(s): | CAN-2005-2495 | |||||||||||||||||||||||||||||||||||||||
| Created: | September 12, 2005 | Updated: | March 8, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow, a local user can use this to execute arbitrary code with elevated privileges. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
Updated vulnerabilities
CUPS: multiple vulnerabilities
| Package(s): | CUPS | CVE #(s): | CAN-2004-2154 | ||||||||||||
| Created: | July 14, 2005 | Updated: | September 20, 2005 | ||||||||||||
| Description: | The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain print to a protected queue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache information disclosure if modssl=yes
| Package(s): | apache | CVE #(s): | CAN-2005-2700 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | September 2, 2005 | Updated: | November 10, 2005 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CAN-2005-1268 CAN-2005-2088 | |||||||||||||||||||||||||||||||||||||||
| Created: | July 25, 2005 | Updated: | November 7, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
awstats: command injection vulnerability
| Package(s): | awstats | CVE #(s): | CAN-2005-1527 | |||||||||
| Created: | August 11, 2005 | Updated: | November 10, 2005 | |||||||||
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cpio: directory traversal
| Package(s): | cpio | CVE #(s): | CAN-2005-1111 | |||||||||||||||||||||||||||
| Created: | June 20, 2005 | Updated: | December 26, 2005 | |||||||||||||||||||||||||||
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
cvs: insecure temp file
| Package(s): | cvs | CVE #(s): | CAN-2005-2693 | |||||||||||||||
| Created: | August 23, 2005 | Updated: | September 9, 2005 | |||||||||||||||
| Description: | Insecure temporary file usage was found in the cvsbug program. It is possible that a malicious user could use this to execute arbitrary instructions as the user running cvsbug. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dhcpcd: denial of service
| Package(s): | dhcpcd | CVE #(s): | CAN-2005-1848 | |||||||||||||||
| Created: | July 13, 2005 | Updated: | September 13, 2005 | |||||||||||||||
| Description: | The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
elm: buffer overflow
| Package(s): | elm | CVE #(s): | CAN-2005-2665 | ||||||
| Created: | August 23, 2005 | Updated: | November 10, 2005 | ||||||
| Description: | A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it. | ||||||||
| Alerts: |
| ||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ethereal: dissector vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366 | ||||||||||||||||||
| Created: | July 28, 2005 | Updated: | October 10, 2005 | ||||||||||||||||||
| Description: | The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | |||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | |||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-2103 | ||||||||||||||||||||||||
| Created: | August 10, 2005 | Updated: | February 27, 2006 | ||||||||||||||||||||||||
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 | ||||||||||||||||||||||||||||||||||||
| Created: | March 30, 2005 | Updated: | December 19, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
grip: buffer overflow
| Package(s): | grip | CVE #(s): | CAN-2005-0706 | |||||||||||||||||||||||||||
| Created: | March 10, 2005 | Updated: | September 16, 2005 | |||||||||||||||||||||||||||
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster | CVE #(s): | CVE-2005-1108 CVE-2005-1109 | ||||||
| Created: | April 13, 2005 | Updated: | November 5, 2005 | ||||||
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. | ||||||||
| Alerts: |
| ||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu | CVE #(s): | CAN-2005-2101 | ||||||||||||
| Created: | August 15, 2005 | Updated: | September 22, 2005 | ||||||||||||
| Description: | Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp which allow an local attacker to overwrite files writeable by the user invoking the conversion script. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-1913 CAN-2005-1761 | ||||||||||||
| Created: | July 1, 2005 | Updated: | September 9, 2005 | ||||||||||||
| Description: | Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and a ia64 ptrace + sigrestore_context problem (CAN-2005-1761). | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2005-2555 | ||||||||||||||||||
| Created: | August 19, 2005 | Updated: | September 19, 2005 | ||||||||||||||||||
| Description: | David Howells discovered a local Denial of Service vulnerability in
the key session joining function. Under certain user-triggerable
conditions, a semaphore was not released properly, which caused
processes which also attempted to join a key session to hang forever.
(CAN-2005-2098)
David Howells discovered a local Denial of Service vulnerability in the keyring allocator. A local attacker could exploit this to crash the kernel by attempting to add a specially crafted invalid keyring. (CAN-2005-2099) Balazs Scheidler discovered a local Denial of Service vulnerability in the xfrm_compile_policy() function. By calling setsockopt() with an invalid xfrm_user policy message, a local attacker could cause the kernel to write to an array beyond its boundaries, thus causing a kernel crash. (CAN-2005-2456) Tim Yamin discovered that the driver for compressed ISO file systems did not sufficiently validate the input data. By tricking an user into mounting a malicious CD-ROM with a specially crafted compressed ISO file system, he could cause a kernel crash. (CAN-2005-2457) It was discovered that the kernel's embedded zlib compression library was still vulnerable to two old vulnerabilities of the standalone zlib library. This library is used by various drivers and can also be used by third party modules, so the impact varies. (CAN-2005-2458, CAN-2005-2459) Peter Sandstrom discovered a remote Denial of Service vulnerability in the SNMP handler. Certain UDP packages lead to a function call with the wrong argument, which resulted in a crash of the network stack. (CAN-2005-2548) Herbert Xu discovered that the setsockopt() function was not restricted to privileged users. This allowed a local attacker to bypass intended IPSec policies, set invalid policies to exploit flaws like CAN-2005-2456, or cause a Denial of Service by adding policies until kernel memory is exhausted. Now the call is restricted to processes with the CAP_NET_ADMIN capability. (CAN-2005-2555) | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
krb5: double-free flaw
| Package(s): | krb5 | CVE #(s): | CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689 | ||||||||||||||||||||||||||||||
| Created: | July 12, 2005 | Updated: | December 6, 2005 | ||||||||||||||||||||||||||||||
| Description: | The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
libXpm: new buffer overflows
| Package(s): | libXpm | CVE #(s): | CAN-2005-0605 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2005 | Updated: | March 8, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl | CVE #(s): | CAN-2005-1349 | ||||||
| Created: | May 20, 2005 | Updated: | January 27, 2006 | ||||||
| Description: | Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 | ||||||||||||||||||||||||
| Created: | January 25, 2005 | Updated: | March 2, 2006 | ||||||||||||||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 | |||||||||
| Created: | July 29, 2005 | Updated: | June 25, 2007 | |||||||||
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 |
| Created: | October 29, 2004 | Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to imprope | ||