LWN.net Logo

Security

Looking forward to Kama Sutra

Your editor recently found a bit of security advice in his mailbox:

A calm, reasoned, policy-based approach that covers all possible threats is what is needed to ensure that a company's corporate servers and workstations are protected.

This advice showed up in a message with a subject line reading "IMAGE YOUR SYSTEM NOW BEFORE THE KAMA SUTRA WORM HITS." It's a good thing these folks (a company called Acronis, which will happily sell you the tools to "image your system") are so calm and reasoned; it might not be fun to be around if they were to go into a panic.

Linux users, of course, remain blissfully unaware of the "Kama Sutra" worm (or "BlackWorm"). At most, it manifests itself as a couple of "give me a kiss" emails which SpamAssassin quickly learns to kiss off by itself. Those who work with Windows, however, may well find themselves more aware of this worm in the near future.

Kama Sutra/BlackWorm, like so many others, spreads via email attachments. It does have a couple of interesting features, however. One is that it goes out of its way to disable antivirus systems on infected systems, making those systems susceptible to other bits of roving malware which might wander by. And, on February 3, it will attempt to destroy files on infected systems. Anybody who is not aware of being infected is likely to find out fairly abruptly at that point.

Estimates of the number of infected systems run as high as 600,000 as of January 31. Most of those systems are in the U.S., India, and, interestingly, Peru; see this page for details. If you would like more information on this worm, including Snort signatures for blocking it, see the ISC BlackWorm page. And, for now, be glad you are running Linux.

Comments (2 posted)

New vulnerabilities

drupal: several vulnerabilities

Package(s):drupal CVE #(s):CVE-2005-3973 CVE-2005-3974 CVE-2005-3975
Created:January 27, 2006 Updated:January 31, 2006
Description: Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission (CVE-2005-3974). An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension (CVE-2005-3975).
Alerts:
Debian DSA-958-1 2006-01-27

Comments (none posted)

gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 26, 2006 Updated:January 31, 2006
Description: Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery.
Alerts:
Gentoo 200601-13 2006-01-26

Comments (2 posted)

LibAST: privilege escalation

Package(s):libast CVE #(s):CVE-2006-0224
Created:January 30, 2006 Updated:February 15, 2006
Description: Michael Jennings discovered an exploitable buffer overflow in the configuration engine of LibAST. The vulnerability can be exploited to gain escalated privileges if the application using LibAST is setuid/setgid and passes a specifically crafted filename to LibAST's configuration engine.
Alerts:
Debian DSA-976-1 2006-02-15
Mandriva MDKSA-2006:029 2006-02-02
Gentoo 200601-14 2006-01-29

Comments (none posted)

libmail-audit-perl: insecure temporary file creation

Package(s):libmail-audit-perl CVE #(s):CVE-2005-4536
Created:January 31, 2006 Updated:March 20, 2006
Description: Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on.
Alerts:
Debian DSA-960-3 2006-03-20
Debian DSA-960-2 2006-01-31
Debian DSA-960-1 2006-01-31

Comments (none posted)

lsh-utils: local file descriptor leak

Package(s):lsh-utils CVE #(s):CVE-2006-0353
Created:January 26, 2006 Updated:January 31, 2006
Description: The lshd SSH2 protocol server has a file descriptor leak. User shells started by lshd can access randomness generator file descriptors, allowing the server seed file to be truncated. A denial of service is possible, and session keys may become vulnerable to cracking.
Alerts:
Debian DSA-956-1 2006-01-26

Comments (none posted)

mydns: denial of service

Package(s):mydns CVE #(s):CVE-2006-0351
Created:January 31, 2006 Updated:February 2, 2006
Description: MyDNS contains an unspecified flaw that may allow a remote denial of service. An attacker could cause a denial of service by sending malformed DNS queries to the MyDNS server.
Alerts:
Debian DSA-963-1 2006-02-02
Gentoo 200601-16 2006-01-30

Comments (none posted)

nfs-server: buffer overflow

Package(s):nfs-server CVE #(s):CVE-2006-0043
Created:January 26, 2006 Updated:February 15, 2006
Description: The obsoleted nfs-server package has a remotely exploitable buffer overflow vulnerability in the rpc.mountd service's realpath() function. Remote attackers can launch a specially crafted mount request, this leads to a buffer overflow and allows the execution of code with root privileges.
Alerts:
Debian DSA-975-1 2006-02-15
SuSE SUSE-SA:2006:005 2006-01-26

Comments (none posted)

Paros: default administrator password

Package(s):paros CVE #(s):CVE-2005-3280
Created:January 30, 2006 Updated:January 31, 2006
Description: Andrew Christensen discovered that in older versions of Paros the database component HSQLDB is installed with an empty password for the database administrator "sa". Since the database listens globally by default, an attacker can connect and issue arbitrary commands, including execution of binaries installed on the host.
Alerts:
Gentoo 200601-15 2006-01-29

Comments (none posted)

mozilla-thunderbird: GUI display truncation vulnerability

Package(s):mozilla-thunderbird CVE #(s):CVE-2006-0236
Created:January 26, 2006 Updated:January 31, 2006
Description: Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 have a GUI display truncation vulnerability. A user can be tricked into downloading a maliciously created attachment with a hidden filename extension and potentially execute the dangerous payload.
Alerts:
Mandriva MDKSA-2006:021 2006-01-25

Comments (none posted)

trac: cross-site scripting vulnerability

Package(s):trac CVE #(s):CVE-2005-4305
Created:January 26, 2006 Updated:January 31, 2006
Description: Trac, a web-based project management and bug tracking system, has a cross-site scripting attack vulnerability that may be exploited for the purpose of execution of arbitrary JavaScript code.
Alerts:
Gentoo 200601-12 2006-01-26

Comments (1 posted)

unalz: arbitrary code execution

Package(s):unalz CVE #(s):CVE-2005-3862
Created:January 30, 2006 Updated:January 31, 2006
Description: Ulf Härnhammer from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.
Alerts:
Debian DSA-959-1 2006-01-30

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
Slackware SSA:2006-129-01 2006-05-10
SuSE SUSE-SR:2006:004 2006-02-24
Fedora-Legacy FLSA:175406 2006-02-18
Gentoo 200602-03 2006-02-06
Fedora FEDORA-2006-052 2006-01-20
Red Hat RHSA-2006:0158-01 2006-01-17
Ubuntu USN-241-1 2006-01-12
Trustix TSLSA-2005-0074 2005-12-23
Mandriva MDKSA-2006:007 2006-01-05
Red Hat RHSA-2006:0159-01 2006-01-05
OpenPKG OpenPKG-SA-2005.029 2005-12-14

Comments (none posted)

auth_ldap: format string vulnerability

Package(s):auth_ldap CVE #(s):CVE-2006-0150
Created:January 10, 2006 Updated:February 28, 2006
Description: The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication.
Alerts:
Fedora-Legacy FLSA:177694 2006-02-27
Debian DSA-952-1 2006-01-23
Mandriva MDKSA-2006:017 2006-01-19
Red Hat RHSA-2006:0179-01 2006-01-10

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

ClamAV: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2006-0162
Created:January 13, 2006 Updated:January 25, 2006
Description: A vulnerability in ClamAV v0.80 through 0.87.1, allows remote attackers to execute arbitrary code on vulnerable ClamAV installations. Authentication is not required to exploit this vulnerability.
Alerts:
Debian DSA-947-2 2006-01-25
Debian DSA-947-1 2006-01-21
Mandriva MDKSA-2006:016 2006-01-16
Gentoo 200601-07 2006-01-13

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

crawl: insecure program execution

Package(s):crawl CVE #(s):
Created:January 23, 2006 Updated:January 25, 2006
Description: Steve Kemp from the Debian Security Audit project discovered a security related problem in crawl, another console based dungeon exploration game in the vein of nethack and rogue. The program executes commands insecurely when saving or loading games which can allow local attackers to gain group games privileges.
Alerts:
Debian DSA-949-1 2006-01-20

Comments (none posted)

curl: buffer overflow

Package(s):curl CVE #(s):CVE-2005-4077
Created:December 8, 2005 Updated:March 27, 2006
Description: The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access.
Alerts:
Gentoo 200603-25 2006-03-27
Debian DSA-919-2 2006-03-10
Trustix TSLSA-2005-0072 2005-12-16
Red Hat RHSA-2005:875-01 2005-12-20
Gentoo 200512-09 2005-12-16
Ubuntu USN-228-1 2005-12-12
Fedora FEDORA-2005-1137 2005-12-12
Fedora FEDORA-2005-1136 2005-12-12
Debian DSA-919-1 2005-12-12
OpenPKG OpenPKG-SA-2005.028 2005-12-10
Mandriva MDKSA-2005:224 2005-12-08
Fedora FEDORA-2005-1129 2005-12-08
Fedora FEDORA-2005-1130 2005-12-08

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
rPath rPSA-2006-0084-1 2006-05-26
Fedora-Legacy FLSA:164512 2006-05-12
Slackware SSA:2006-045-01 2006-02-15
Debian DSA-939-1 2006-01-13
Ubuntu USN-233-1 2006-01-02
Mandriva MDKSA-2005:236 2005-12-23
Fedora FEDORA-2005-1187 2005-12-20
Fedora FEDORA-2005-1186 2005-12-20

Comments (none posted)

ffmpeg: buffer overflow

Package(s):ffmpeg CVE #(s):CVE-2005-4048
Created:December 15, 2005 Updated:March 17, 2006
Description: The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges.
Alerts:
Debian DSA-1005-1 2006-03-16
Debian DSA-1004-1 2006-03-16
Debian DSA-992-1 2006-03-10
Gentoo 200603-03 2006-03-04
Gentoo 200602-01 2006-02-05
Gentoo 200601-06 2006-01-10
Ubuntu USN-230-2 2005-12-16
Ubuntu USN-230-1 2005-12-14
Mandriva MDKSA-2005:228 2005-12-14
Mandriva MDKSA-2005:229 2005-12-14
Mandriva MDKSA-2005:232 2005-12-14
Mandriva MDKSA-2005:230 2005-12-14
Mandriva MDKSA-2005:231 2005-12-14

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

flyspray: missing input sanitizing

Package(s):flyspray CVE #(s):CVE-2005-3334
Created:January 24, 2006 Updated:January 25, 2006
Description: Several cross-site scripting vulnerabilities have been discovered in flyspray, a lightweight bug tracking system, which allows attackers to insert arbitrary script code into the index page.
Alerts:
Debian DSA-953-1 2006-01-24

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf: multiple vulnerabilities

Package(s):gdk-pixbuf gtk2 CVE #(s):CVE-2005-3186 CVE-2005-2976 CVE-2005-2975
Created:November 15, 2005 Updated:March 20, 2006
Description: The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim.

Alerts:
Fedora-Legacy FLSA:173274 2006-03-16
Debian DSA-913-1 2005-12-01
Debian DSA-911-1 2005-11-29
Trustix TSLSA-2005-0066 2005-11-18
Mandriva MDKSA-2005:214 2005-11-18
Ubuntu USN-216-1 2005-11-16
SuSE SUSE-SA:2005:065 2005-11-16
Gentoo 200511-14 2005-11-16
Fedora FEDORA-2005-1088 2005-11-15
Fedora FEDORA-2005-1087 2005-11-15
Fedora FEDORA-2005-1086 2005-11-15
Fedora FEDORA-2005-1085 2005-11-15
Red Hat RHSA-2005:811-01 2005-11-15
Red Hat RHSA-2005:810-01 2005-11-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: arbitrary command execution

Package(s):imagemagick CVE #(s):CVE-2005-4601 CVE-2006-0082
Created:January 24, 2006 Updated:March 24, 2006
Description: Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus).
Alerts:
SuSE SUSE-SR:2006:006 2006-03-17
Gentoo 200602-13 2006-02-26
Slackware SSA:2006-045-03 2006-02-15
Red Hat RHSA-2006:0178-01 2006-02-14
Gentoo 200602-06 2006-02-13
Debian DSA-957-2 2006-01-31
Mandriva MDKSA-2006:024 2006-01-26
Debian DSA-957-1 2006-01-26
Ubuntu USN-246-1 2006-01-24

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: heap overflow

Package(s):kdelibs CVE #(s):CVE-2006-0019
Created:January 19, 2006 Updated:March 17, 2006
Description: Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability.
Alerts:
Fedora-Legacy FLSA:178606 2006-03-16
Slackware SSA:2006-045-05 2006-02-15
Gentoo 200601-11 2006-01-22
Mandriva MDKSA-2006:019 2006-01-20
Fedora FEDORA-2006-050 2006-01-20
SuSE SUSE-SA:2006:003 2006-01-20
Debian DSA-948-1 2005-01-20
Ubuntu USN-245-1 2006-01-20
Red Hat RHSA-2006:0184-01 2006-01-19

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3356 CVE-2005-4605 CVE-2005-4618 CVE-2005-4639 CVE-2006-0095 CVE-2006-0096
Created:January 18, 2006 Updated:March 7, 2006
Description: The latest set of kernel vulnerabilities includes:

  • A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)

  • A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)

  • An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)

  • A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)

  • A potential key disclosure in dm-crypt. (CVE-2006-0095)

  • Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
Alerts:
Red Hat RHSA-2006:0132-01 2006-03-07
Trustix TSLSA-2006-0004 2006-01-27
Ubuntu USN-244-1 2006-01-18

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276
Created:November 22, 2005 Updated:March 15, 2006
Description: Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709)

Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973)

Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055)

Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180)

A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271)

Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272)

David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273)

Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)

Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275)

Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276)

Alerts:
Red Hat RHSA-2006:0144-01 2006-03-15
Red Hat RHSA-2006:0140-01 2006-01-19
Red Hat RHSA-2006:0101-01 2006-01-17
Mandriva MDKSA-2005:235 2005-12-21
Debian DSA-922-1 2005-12-14
Debian DSA-921-1 2005-12-14
SuSE SUSE-SA:2005:068 2005-12-14
SuSE SUSE-SA:2005:067 2005-12-06
Mandriva MDKSA-2005:220 2005-11-30
Mandriva MDKSA-2005:219 2005-11-30
Mandriva MDKSA-2005:218 2005-11-30
Fedora FEDORA-2005-1104 2005-11-28
Trustix TSLSA-2005-0064 2005-11-11
Ubuntu USN-219-1 2005-11-22

Comments (2 posted)

kernel multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808
Created:January 20, 2006 Updated:April 18, 2006
Description: Here's another set of vulnerabilities in the Linux kernel:
  • A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).
  • The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).
  • The auto-reap child process in 2.6 kernels prior to 2.6.15 include processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).
  • A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).
  • The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).
  • An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).
Alerts:
Mandriva MDKSA-2006:072 2006-04-17
Debian DSA-1018-2 2006-04-05
Debian DSA-1018-1 2006-03-26
Debian DSA-1017-1 2006-03-23
Fedora-Legacy FLSA:157459-2 2006-03-16
Fedora-Legacy FLSA:157459-1 2006-03-16
Fedora-Legacy FLSA:157459-4 2006-03-16
Fedora-Legacy FLSA:157459-3 2006-03-16
SuSE SUSE-SA:2006:012 2006-02-27
Mandriva MDKSA-2006:044 2006-02-21
Red Hat RHSA-2006:0191-01 2006-02-01
Mandriva MDKSA-2006:018 2006-01-20

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11