Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
A survey of recent kernel vulnerabilities
There has been a fairly long list of kernel vulnerabilities over the last
few months, but few of them have received much serious attention (outside
of the security groups at numerous distributors, who have been duly issuing
patches as the issues come up). Here's a selection of recent problems.
| CVE | Fixed-in | Description |
|---|
| CAN-2005-2098 |
2.6.12.5
2.6.13 |
The session keyring code had an error path which could
fail to release the session management semaphore. As a result, any
local user could cause processes to hang. |
| CAN-2005-2099 |
2.6.12.5
2.6.13 |
A keyring which failed to instantiate correctly could
leave behind a NULL pointer which would subsequently be dereferenced by
the kernel, causing an oops. |
| CAN-2005-1761 |
2.6.12.1 |
A ptrace() bug on the ia64 architecture
enables local denial of service attacks. (Patch) |
| CAN-2005-1913 |
2.6.12.1 |
The subthread exec code did not properly reparent
timers, leading to an oops caused by a local user when signals are
delivered to the wrong thread. (Patch) |
| CAN-2005-2456 |
2.6.13 |
The XFRM policy parser had an array overflow, enabling
denial of service attacks by local users. (Patch) |
| CAN-2005-2457 |
2.6.13 |
Mounting a malicious compressed ISO filesystem could
lead to a kernel oops |
CAN-2005-2458
CAN-2005-2459 |
2.6.13 |
Two zlib vulnerabilities which can be used to oops the
kernel and create denial of service attacks. |
| CAN-2005-2490 |
2.6.13.1 |
A race condition with user space allows a local
attacker to change the contents of a message passed to the 32-bit
version of sendmsg() on 64-bit architectures. The result is a
locally exploitable buffer overflow. (Patch) |
| CAN-2005-2492 |
2.6.13.1 |
An unchecked user-space dereference in
sendmsg() can be exploited to oops the system. (Patch) |
| CAN-2005-2548 |
2.6.9 |
A hostile UDP packet could cause the 8021Q VLAN code
to oops, leading to remote denial of service attacks.
|
| CAN-2005-2555 |
2.6.13 |
The kernel failed to restrict kernel socket policy
loading to administrative users. (Patch)
|
| CAN-2005-3044 |
2.6.13.2 |
The 32-bit ioctl() handler on x86-64 was
missing an fput() call. This error could be exploited by a
local attacker to corrupt kernel data structures. (Patch) |
| CAN-2005-3053 |
2.6.13 |
The set_mempolicy() system call, used to tweak memory
behavior on NUMA systems, did not properly check the
policy argument. A local attacker could, by supplying a
negative value, could cause a kernel oops. (Patch) |
| CAN-2005-3106 |
2.6.11 |
A race condition between core dumps and exec() could
enable a local attacker to deadlock the system. (Patch) |
| CAN-2005-3107 |
2.6.11 |
Another local deadlock related to core dumps and
ptrace(). (Patch) |
| CAN-2005-3108 |
2.6.11 |
The right sort of I/O mapping could create information
leaks and kernel oopses on the x86-64 platform. It is hard to see
how this one could be exploited by an unprivileged user. (Patch) |
| CAN-2005-3109 |
2.6.11 |
A maliciously created HFS filesystem could oops the
kernel, if the system was configured to allow users to mount such
filesystems. (Patch) |
| CAN-2005-3110 |
2.6.12 |
A race condition in the netfilter ebtables module can
cause a kernel oops on SMP systems. (Patch). |
| CAN-2005-3119 |
2.6.13.4 |
A memory leak in the key request code could be used in
denial of service attacks. (Patch) |
| CAN-2005-3180 |
2.6.13.4 |
The orinoco driver can leak information onto the net. (Patch) |
| CAN-2005-3181 |
2.6.13.4 |
A memory leak in the audit code can be used for denial of service
attacks. (Patch) |
That is a long list of vulnerabilities. The fact that almost all of them
are "only" denial of service problems, and that only one of those is truly
remotely exploitable, is of limited consolation.
One may well wonder why the kernel is the source of so many security holes,
far more than any other package on the system. The complexity of the
kernel and the environment in which it runs, the fact that many
often-harmless bugs (such as memory leaks) turn into security issues for
the kernel, and the high level of auditing which is done on kernel code are
all part of the answer to that question. Unfortunately, the flow of
security issues in the kernel is unlikely to stop anytime soon.
Comments (6 posted)
EFF decodes color printer watermarks
It has been known for some time that high-resolution color printers added
codes to their output which would enable that output to be traced. The EFF
has now found and decoded those marks for a
number of popular printers. It turns out that the scheme used is fairly
simple - an unencrypted code which includes the printing time and the
serial number of the printer. See the EFF's printer
list to see if your printer encodes this information, and this page to
learn how to find and decode the markings.
The moral of the story is clear: if we do not control our devices, they
will not work in our interests. There are plenty of good reasons for
wanting to be able to print anonymously, and there is no doubt that this
sort of watermarking can be used for the suppression of dissent and the
shutting down of whistle-blowers. Thanks to the EFF, we can at least see
this particular bit of technological ratware. But, as the EFF says:
"Even worse, it shows how the government and private industry make
backroom deals to weaken our privacy by compromising everyday equipment
like printers. The logical next question is: what other deals have been or
are being made to ensure that our technology rats on us?"
Comments (5 posted)
Security news
CERT advisory: Snort Back Orifice buffer overflow
If you are running the Snort intrusion detection system along with the
"Back Orifice" preprocessor, you want to read the attached advisory (click
below). Back Orifice suffers from a buffer overflow which can be exploited
by any remote attacker who can get a UDP packet onto your network. The
hole can be closed by upgrading to snort 2.4.3, or by disabling Back
Orifice.
Full Story (comments: 1)
New vulnerabilities
curl/wget: NTLM username buffer overflow
| Package(s): | curl wget |
CVE #(s): | CAN-2005-3185
|
| Created: | October 14, 2005 |
Updated: | November 7, 2005 |
| Description: |
A vulnerability in libcurl's NTLM function can overflow a stack-based
buffer if given too long a user name or domain name in NTLM authentication
is enabled and either a) pass a user and domain name to libcurl that
together are longer than 192 bytes or b) allow (lib)curl to follow HTTP
redirects and the new URL contains a URL with a user and domain name that
together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details. |
| Alerts: |
|
Comments (none posted)
lynx: stack overflow
| Package(s): | lynx |
CVE #(s): | CAN-2005-3120
|
| Created: | October 17, 2005 |
Updated: | November 7, 2005 |
| Description: |
Ulf Harnhammar discovered a stack overflow
bug in Lynx when handling connections to NNTP (news) servers. An attacker
could create a web page redirecting to a malicious news server which could
execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
netpbm: buffer overflow in "pnmtopng"
| Package(s): | netpbm-free |
CVE #(s): | CAN-2005-2978
|
| Created: | October 18, 2005 |
Updated: | October 28, 2005 |
| Description: |
A buffer overflow was found in the "pnmtopng" conversion program. By
tricking an user (or automated system) to process a specially crafted
PNM image with pnmtopng, this could be exploited to execute arbitrary
code with the privileges of the user running pnmtopng. |
| Alerts: |
|
Comments (none posted)
OpenWBEM: arbitrary code execution
| Package(s): | OpenWBEM |
CVE #(s): | |
| Created: | October 17, 2005 |
Updated: | October 19, 2005 |
| Description: |
The SUSE Security Team performed a security review of important parts of the OpenWBEM system. During the audit, several integer wrap arounds and buffer overflows have been discovered and fixed. If exploited, they allow remote attackers to execute arbitrary code with root privileges. |
| Alerts: |
|
Comments (none posted)
Perl, Qt-UnixODBC, CMake: RUNPATH issues
| Package(s): | perl qt-unixodbc CMake |
CVE #(s): | |
| Created: | October 17, 2005 |
Updated: | October 19, 2005 |
| Description: |
Some packages may introduce insecure paths into the list of directories
that are searched for libraries at runtime. Furthermore, packages
depending on the MakeMaker Perl module for build configuration may have
incorrectly copied the LD_RUN_PATH into the DT_RPATH. A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent executable, potentially resulting in privilege escalation.
|
| Alerts: |
|
Comments (none posted)
php: open_basedir directive handling
| Package(s): | php4 |
CVE #(s): | CAN-2005-3054
|
| Created: | October 17, 2005 |
Updated: | October 24, 2005 |
| Description: |
A bug has been found in the handling of the open_basedir directive. Contrary to the specification, the value of open_basedir
was handled as a prefix instead of a proper directory name even if it
was terminated by a slash ('/'). For example, this allowed PHP scripts
to access the directory /home/user10 when open_basedir was configured
to '/home/user1/'. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: arbitrary code execution
| Package(s): | phpmyadmin |
CVE #(s): | |
| Created: | October 17, 2005 |
Updated: | October 19, 2005 |
| Description: |
Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated. Systems running PHP in safe mode are not affected. A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. |
| Alerts: |
|
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
abiword: buffer overflow
| Package(s): | abiword |
CVE #(s): | CAN-2005-2964
|
| Created: | September 29, 2005 |
Updated: | November 14, 2005 |
| Description: |
The RTF import module of the AbiWord word processor has a
buffer overflow vulnerability. A user can be tricked into
opening a maliciously crafted RTF file, giving the attacker
the ability to execute code with the permissions of the user. |
| Alerts: |
|
Comments (none posted)
apache information disclosure if modssl=yes
| Package(s): | apache |
CVE #(s): | CAN-2005-2700
|
| Created: | September 2, 2005 |
Updated: | November 10, 2005 |
| Description: |
An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
|
| Alerts: |
|
Comments (none posted)
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
CVE #(s): | CAN-2005-1268
CAN-2005-2088
|
| Created: | July 25, 2005 |
Updated: | November 7, 2005 |
| Description: |
Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL). |
| Alerts: |
|
Comments (none posted)
awstats: command injection vulnerability
| Package(s): | awstats |
CVE #(s): | CAN-2005-1527
|
| Created: | August 11, 2005 |
Updated: | November 10, 2005 |
| Description: |
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
cfengine: insecure temporary files
| Package(s): | cfengine |
CVE #(s): | CAN-2005-2960
|
| Created: | October 3, 2005 |
Updated: | October 14, 2005 |
| Description: |
Javier Fernández-Sanguino Peña discovered several insecure temporary
file uses in cfengine, a tool for configuring and maintaining
networked machines, that can be exploited by a symlink attack to
overwrite arbitrary files owned by the user executing cfengine, which
is probably root. |
| Alerts: |
|
Comments (none posted)
common-lisp-controller: design error
| Package(s): | common-lisp-controller |
CVE #(s): | CAN-2005-2657
|
| Created: | September 14, 2005 |
Updated: | November 21, 2005 |
| Description: |
François-René Rideau discovered a bug in common-lisp-controller, a
Common Lisp source and compiler manager, that allows a local user to
compile malicious code into a cache directory which is executed by
another user if that user has not used Common Lisp before.
|
| Alerts: |
|
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
CVE #(s): | CAN-2005-1111
|
| Created: | June 20, 2005 |
Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute. |
| Alerts: |
|
Comments (1 posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
elm: buffer overflow
| Package(s): | elm |
CVE #(s): | CAN-2005-2665
|
| Created: | August 23, 2005 |
Updated: | November 10, 2005 |
| Description: |
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
graphviz: insecure temporary file
| Package(s): | graphviz |
CVE #(s): | CAN-2005-2965
|
| Created: | October 10, 2005 |
Updated: | October 21, 2005 |
| Description: |
Javier Fernández-Sanguino Peña discovered insecure temporary file
creation in graphviz, a rich set of graph drawing tools, that can be
exploited to overwrite arbitrary files by a local attacker. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
Hylafax: insecure temporary file creation in xferfaxstats
| Package(s): | hylafax |
CVE #(s): | CAN-2005-3069
|
| Created: | September 30, 2005 |
Updated: | October 13, 2005 |
| Description: |
Javier Fernandez-Sanguino has discovered that xferfaxstats cron script
supplied by Hylafax < 4.2.2 insecurely creates temporary files with
predictable filenames. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
koffice: KWord RTF import buffer overflow
| Package(s): | koffice |
CVE #(s): | CAN-2005-2971
|
| Created: | October 12, 2005 |
Updated: | November 7, 2005 |
| Description: |
The KOffice RTF import module suffers from a buffer overflow vulnerability
which could be exploited via a malicious RTF file. See the KDE
advisory for details. |
| Alerts: |
|
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0175
CAN-2005-0488
CAN-2005-1175
CAN-2005-1689
|
| Created: | July 12, 2005 |
Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information. |
| Alerts: |
|
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
| |
|