|
|
| |
|
| |
Security
Firefox and the ping attribute
The ping
attribute is an HTML extension proposed by the Web Hypertext Application Technology Working
Group. This attribute may be applied to anchor (" <A>")
tags; its value is a list of URIs. If the user clicks upon the link
created by the <A> tag, the browser will, in addition to
displaying the destination page, also send a request for each of the given
URIs. Essentially, the browser is phoning home - possibly to multiple
homes - to report on the user's action.
As it turns out, future Firefox releases will
implement the ping attribute; by some accounts, this feature will turn
Firefox into spyware. Calling it "spyware" is probably overstating the
case a little, but this feature is still worth some thought.
Many sites perform tracking of outbound clicks now. The normal technique
is to reformat an external link to point at an internal script; that script
logs the click, then returns an HTTP "redirect" response which sends the
browser to the true destination. The redirect technique is arguably worse
than the ping attribute for a couple of reasons. The first is the fact
that redirect-style URLs obscure the true destination. Redirected URLs can
be moderately obfuscated, such as this one taken from a
News.com story:
http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.nationalskillsregistry.in&siteId=3&\
oId=2100-1029-6028107&ontId=1009&lop=nl.ex
They can also be completely obscure:
http://linuxfr.org/redirect/45255.html
(The above URL takes the reader to the Fedora directory
server page).
Redirected URLs can, in the presence of JavaScript, be imposed entirely by
stealth.
The other problem with using redirect in this way is that it requires a
conversation with the logging server before the browser wanders on to the
place the user actually wanted to be. If the logging server is
sufficiently slow or off the net entirely, the destination becomes
unreachable.
The ping attribute addresses both of these problems. Destination URLs are
not hidden, and the actual phoning home can happen after the destination
page has been displayed. The option of ignoring ping attributes can also
be presented to the user; there is no such option for links using redirect
(though there are some firefox extensions which try hard for specific
sites). So, in theory, ping is an improvement over what came before.
Still, it is hard to avoid a sense of discomfort with this feature.
Firefox is free software, and free software is written with its users'
interests in mind. Free software users have grown accustomed to the idea
that, for example, applications will not be quietly phoning home in the
background. Certainly, Firefox users have no motivation to leave ping enabled -
it potentially compromises their privacy while offering them little in
return. People will disable ping, and distributors will have a strong
motivation to disable it by default in their packages. The Firefox
hackers, by adding this feature, risk appearing to serve a community
other than their users, and that appearance could reflect back on the
reputation of this fine browser in general.
Comments (30 posted)
Security news
Felten: CGMS-A + VEIL = SDMI?
Ed Felten is looking at
the copy protection technologies mandated by the proposed "analog hole"
law in the U.S. " The second technology, VEIL, is a watermark that is
inserted into the video itself. VEIL was originally developed as a way for
TV shows to send signals to toys. If you pointed the toy at the TV screen,
it would detect any VEIL information encoded into the TV program, and react
accordingly. Then somebody got the idea of using VEIL as a 'rights
signaling' technology. The idea is that whenever CGMS-A is signaling
restrictions on copying, a VEIL watermark is put into the video."
Comments (none posted)
New vulnerabilities
albatross: design error
| Package(s): | albatross |
CVE #(s): | CVE-2006-0044
|
| Created: | January 16, 2006 |
Updated: | January 20, 2006 |
| Description: |
A design error has been discovered in the Albatross web application
toolkit that causes user supplied data to be used as part of template
execution and hence enables arbitrary code execution. |
| Alerts: |
|
Comments (none posted)
antiword: insecure temporary file
| Package(s): | antiword |
CVE #(s): | CVE-2005-3126
|
| Created: | January 17, 2006 |
Updated: | January 18, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that two scripts in antiword, utilities to convert Word
files to text and Postscript, create a temporary file in an insecure
fashion. |
| Alerts: |
|
Comments (none posted)
ClamAV: arbitrary code execution
| Package(s): | clamav |
CVE #(s): | CVE-2006-0162
|
| Created: | January 13, 2006 |
Updated: | January 25, 2006 |
| Description: |
A vulnerability in ClamAV v0.80 through
0.87.1, allows remote attackers to execute arbitrary code on vulnerable
ClamAV installations. Authentication is not required to exploit this
vulnerability. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3356
CVE-2005-4605
CVE-2005-4618
CVE-2005-4639
CVE-2006-0095
CVE-2006-0096
|
| Created: | January 18, 2006 |
Updated: | March 7, 2006 |
| Description: |
The latest set of kernel vulnerabilities includes:
- A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)
- A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)
- An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)
- A buffer overflow in the TwinHan DST
Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)
- A potential key disclosure in dm-crypt. (CVE-2006-0095)
- Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
|
| Alerts: |
|
Comments (none posted)
Kolab Server: broken email-signatures or attachments
| Package(s): | kolab |
CVE #(s): | |
| Created: | January 13, 2006 |
Updated: | January 18, 2006 |
| Description: |
A problem
exists if the Kolab Server transports an email bigger than 8KB and
there is a dot (".") character at the wrong place, kolabfilter will double
this dot and a modified email will be delivered. This can lead to broken
email clear-text signatures or broken attachments. |
| Alerts: |
|
Comments (none posted)
mantis: multiple vulnerabilities
Comments (none posted)
novell-nrm: heap memory corruption
| Package(s): | novell-nrm |
CVE #(s): | CVE-2005-3655
|
| Created: | January 13, 2006 |
Updated: | January 18, 2006 |
| Description: |
A security problem with the Novell Remote Manager may be triggered by
passing a huge or negative size via a HTTP request header to httpstkd. It
is possible to corrupt heap memory and so potentially execute code. See
this iDefense advisory for more details. |
| Alerts: |
|
Comments (none posted)
struts: cross-site scripting vulnerability
| Package(s): | struts |
CVE #(s): | CVE-2005-3745
|
| Created: | January 12, 2006 |
Updated: | March 8, 2006 |
| Description: |
The Struts error display system has a cross-site scripting vulnerability.
An attacker may be able to maliciously craft a URL that can trick
a user into thinking they are looking at a trusted site when they are not. |
| Alerts: |
|
Comments (none posted)
sun-jdk: applet privilege escalation
| Package(s): | sun-jdk sun-jre blackdown-jdk |
CVE #(s): | CVE-2005-3905
CVE-2005-3906
|
| Created: | January 16, 2006 |
Updated: | January 18, 2006 |
| Description: |
Adam Gowdiak discovered multiple vulnerabilities in the Java Runtime
Environment's Reflection APIs that may allow untrusted applets to
elevate privileges. A remote attacker could embed a malicious Java applet
in a web page and entice a victim to view it. This applet can then bypass
security restrictions and execute any command or access any file with the
rights of the user running the web browser. |
| Alerts: |
|
Comments (none posted)
tuxpaint: insecure temporary file
| Package(s): | tuxpaint |
CVE #(s): | CVE-2005-3340
|
| Created: | January 16, 2006 |
Updated: | January 18, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in tuxpaint, a paint program for young
children, creates a temporary files in an insecure fashion. |
| Alerts: |
|
Comments (none posted)
wine: Windows WMF vulnerability
| Package(s): | wine |
CVE #(s): | CVE-2006-0106
|
| Created: | January 13, 2006 |
Updated: | January 25, 2006 |
| Description: |
H D Moore discovered that Wine implements the insecure-by-design
SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
auth_ldap: format string vulnerability
| Package(s): | auth_ldap |
CVE #(s): | CVE-2006-0150
|
| Created: | January 10, 2006 |
Updated: | February 28, 2006 |
| Description: |
The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database. A format string flaw was
found in the way auth_ldap logs information. It may be possible for a
remote attacker to execute arbitrary code as the 'apache' user if auth_ldap
is used for user authentication. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bogofilter: buffer overflow
| Package(s): | bogofilter |
CVE #(s): | CVE-2005-4591
|
| Created: | January 11, 2006 |
Updated: | January 11, 2006 |
| Description: |
A buffer overflow was found in the UTF-8 handling code in bogofilter; it can be exploited via a malicious email message. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2005-4077
|
| Created: | December 8, 2005 |
Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
ethereal: denial of service
| Package(s): | ethereal |
CVE #(s): | CVE-2005-3313
|
| Created: | January 5, 2006 |
Updated: | January 11, 2006 |
| Description: |
Ethereal, a network traffic monitor has an IRC protocol dissector
vulnerability, remote attackers can cause a denial of service
by creating an infinite loop. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
CVE #(s): | CVE-2005-4048
|
| Created: | December 15, 2005 |
Updated: | March 17, 2006 |
| Description: |
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
FUSE: mtab corruption through fusermount
| Package(s): | fuse |
CVE #(s): | CVE-2005-3531
|
| Created: | November 22, 2005 |
Updated: | January 24, 2006 |
| Description: |
Thomas Biege discovered that fusermount fails to securely handle
special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
HylaFAX: input validation vulnerability
| Package(s): | hylafax |
CVE #(s): | CVE-2005-3538
CVE-2005-3539
|
| Created: | January 6, 2006 |
Updated: | January 17, 2006 |
| Description: |
The HylaFAX
4.2.4 release corrects issues with previous versions. HylaFAX runs the
notify script on untrusted user input. Furthermore, users can log in
without a password when HylaFAX is installed with the pam USE-flag
disabled. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-2709
CVE-2005-2973
CVE-2005-3055
CVE-2005-3180
CVE-2005-3271
CVE-2005-3272
CVE-2005-3273
CVE-2005-3274
CVE-2005-3275
CVE-2005-3276
|
| Created: | November 22, 2005 |
Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: |
|
Comments (2 posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 17, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libungif: memory corruption
| Package(s): | libungif |
CVE #(s): | CAN-2005-2974
|
| Created: | November 3, 2005 |
Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: |
| |
|