LWN first looked at the CAN-SPAM
act back in 2003. This U.S. law was an attempt to address the spam
problem through legal means. Our impression at the time was that CAN-SPAM
would do little good, and might even do harm by overriding state
legislation and legitimizing certain kinds of commercial email.
One of the provisions of this law was that the U.S. Federal Trade
Commission was required to create a report to Congress on how effective the
law is, and what improvements could be made. That report is now
available [PDF]. The FTC went through a major investigation; among
other things, it used its compulsory powers to require nine ISPs to provide
email information. The bottom line, according to the FTC: the CAN-SPAM act
has been effective in reducing spam.
Your editor's mailbox, now receiving something over 5,000 spams/day, would
beg to differ from this conclusion. In fact, a deeper reading of the
report suggests that CAN-SPAM has not been as effective as one might expect
from reading the headlines, and that the real progress against spam has
been made elsewhere.
So what has CAN-SPAM accomplished? From the report:
First, the substantive provisions of the Act have mandated adoption
a number of commercial email "best practices" that many legitimate
online marketers are now following. Second, the Act has provided law
enforcement agencies and ISPs with an additional tool to use when
bringing suit against spammers. The more than 50 cases brought to
date by the FTC, the Department Justice, state Attorneys General,
and ISPs demonstrate CAN-SPAM's enforcement efficacy.
Both of these claims are probably true. And, doubtless, many LWN readers
are pleased to know that some of their incoming commercial email follows
"best practices." But the spam problem never had much to do with
"legitimate online marketers." There have been suits brought against
spammers, and that can only be helpful in the end. But even lawsuits will
only be so effective in a world filled with spammers. So one might well
wonder how to square these limited gains against this claim from the
report:
One particularly significant development since the enactment
of CAN-SPAM is that the volume of spam has begun to decrease.
MX Logic, an email filtering company, reported that during the
first eight months of 2005, spam accounted for 67 percent of
email passing through its system, a nine percent decrease from
the same period one year earlier. Some ISPs report an even
more dramatic decline. For example, America Online ("AOL")
reported that its members received 75 percent less spam in
2004 than in 2003. Studies from other countries similarly
report a decrease in the amount of spam reaching consumers'
inboxes. As the Executive Director of the Institute for Spam
and Internet Public Policy succinctly stated, "the average
inbox doesn't have that much spam anymore."
(LWN reported on the MX Logic
report last August.) A reading of the above paragraph might well lead one
to the conclusion that the battle against spam has been won, and that
CAN-SPAM did it. Anybody who deals with email in any serious way knows
that this is not the case.
What is going on - and the report recognizes this - is that anti-spam
techniques unrelated to CAN-SPAM have gotten better. The reported 75% drop
for AOL users does not mean that 75% less spam has been sent in that
direction; it does not even mean that there are 75% fewer AOL users, though
one might be tempted to reach that conclusion. The difference is that much
less spam is actually making it all the way to their mailboxes. Your
editor, too, has seen a reduction in spam reaching his inbox; spamassassin
nicely takes care of the bulk of it. But better filtering is not a solution to
the problem; it is more like sweeping it under the carpet. And, in any
case, it was not legislated by CAN-SPAM.
The report notes that a number of tactics adopted by large ISPs have
helped. These include blocking outgoing access to port 25 (which
imposes unfortunate costs on some users), rate-limiting email entering and
leaving the system, and actively disconnecting users with known-compromised
systems. Blacklisting is an effective tool; the report claims that
large ISPs are able to block 80% of spam before it ever enters their mail
server. The FTC also takes credit for helping to shut down open relays.
Another happy result, according to the FTC, is that "users have grown more
tolerant of spam." That's one way to solve the problem.
For the future, the report notes an increase in phishing mail, as well as
in spam containing malware. There are a few recommendations; one of those
is the adoption of SenderID or some other sort of email authentication
mechanism. The FTC would like to see the "US SAFE WEB Act" passed; this
law would make it easier for the FTC to share information with agencies of
other governments. It would also empower the FTC to compel information
from ISPs and others while requiring confidentiality - an extension of
governmental power which, given recent disclosures in the U.S., may not be
entirely welcome. In fact, this recommendation, along with the agency's
desire for email authentication and more rigorous requirements for WHOIS
information, leads to the question of just how badly we want governments to
"solve" the spam problem for us. Given that the most effective techniques
we have so far did not come from governments, perhaps it's time to
recognize that the solutions lie elsewhere.
A buffer overflow has been discovered in dropbear, a lightweight SSH2
server and client, that may allow authenticated users to execute
arbitrary code as the server user (usually root).
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode.
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges.
OpenLDAP and Gauche have a vulnerability involving the library search
path list. A local attacker who belongs to the portage group can
create a shared object in the Portage temporary build directory,
allowing an unauthorized privilege escalation.
Opera before 8.51 allows remote attackers to execute arbitrary code via
shell metacharacters (backticks) in a URL that another product provides in
a command line argument when launching Opera. See the Opera 8.51
changelog for details.
Several vulnerabilities were discovered in the CMS system OTRS. Multiple
SQL injection vulnerabilities in index.pl in Open Ticket Request System
(OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, multiple cross-site
scripting vulnerabilities in index.pl in Open Ticket Request System (OTRS)
1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, and Open Ticket Request System
(OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when
AttachmentDownloadType is set to inline, renders text/html e-mail
attachments as HTML in the browser when the queue moderator attempts to
download the attachment.
John Buswell discovered a flaw in redhat-config-nfs that could lead to
incorrect permissions on exported shares when exporting to multiple
hosts. This could cause an option such as "all_squash" to not be
applied to all of the listed hosts.
Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such as
passwords.
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
A memory leak was found in the Apache 2 'worker' module in the
handling of aborted TCP connections. By repeatedly triggering this
situation, a remote attacker could drain all available memory, which
eventually led to a Denial of Service.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor.
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute.
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access.
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
A buffer overflow has been discovered in ethereal, a commonly used
network traffic analyzer that causes a denial of service and may
potentially allow the execution of arbitrary code.
A number of security flaws have been discovered in Ethereal. On a system
where Ethereal is running, a remote attacker could send malicious packets
to trigger these flaws and cause Ethereal to crash or potentially execute
arbitrary code.
The Firefox browser has multiple vulnerabilities including problems with
XBM image file processing, Unicode
sequence processing, XMLHttp requests, malicious XBL binding,
a JavaScript engine buffer overflow, about: pages,
opening of new windows, and command line URL processing.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Thomas Biege discovered that fusermount fails to securely handle
special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons.
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276)
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code.
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code.
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8
character encodings in filenames of e-mail attachments, which allows
remote attackers to cause a denial of service.
Mantis contains several vulnerabilities, including a remote file inclusion
vulnerability, an SQL injection vulnerability, multiple cross site
scripting vulnerabilities and multiple information disclosure
vulnerabilities.
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
The mysql CREATE FUNCTION can be used to create a buffer overflow.
A specially crafted long function name can be used by a local attacker
to crash the server or execute arbitrary code with the privileges of
the server.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Greg Roelofs discovered and fixed several buffer overflows in pnmtopng
which is also included in netpbm, a collection of graphic conversion
utilities, that can lead to the execution of arbitrary code via a
specially crafted PNM file.
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update.
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details.
A buffer overflow has been discovered in the PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
There are multiple vulnerabilities in PHP, including malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the
register_globals setting, cross-site scripting bugs in phpinfo() and a bug in EXIF image parsing that may crash the process.
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
The poppler PDF rendering library has a heap overflow vulnerability
that can be exploited by viewing specially crafted PDF files.
An attacker can cause a crash or the execution of arbitrary
code. This vulnerability is related to
a similar vulnerability with xpdf.
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process.
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information.
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart.
Tavis Ormandy noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. The SHELLOPTS and PS4 variables are dangerous and are
still passed through to the program running as privileged user. This
can result in the execution of arbitrary commands as privileged user
when a bash script is executed. These vulnerabilities can only be
exploited by users who have been granted limited super user
privileges.
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash.
Unzip has a race condition vulnerability
in the handling of output files.
During file unpacking, a local attacker can modify the permissions
of arbitrary files in the victim's directory.
Linux umount command as provided in the util-linux package in
versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information.
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
A buffer overflow has been discovered in the sendmail program of
xmail, an advanced, fast and reliable ESMTP/POP3 mail server that
could lead to the execution of arbitrary code with group mail
privileges.
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow, a local user can use this to
execute arbitrary code with elevated privileges.
Several flaws were discovered in Xpdf. An
attacker could construct a carefully crafted PDF file that could cause Xpdf
to crash or possibly execute arbitrary code when opened.
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
