Weekly edition Kernel Security Distributions Contact Us Search Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

# Security

## An introduction to Elliptic Curve Cryptography

March 8, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement for RSA public key cryptography largely based on its efficiency, but also because the US National Security Agency (NSA) included it, while excluding RSA, from its Suite B cryptography recommendations. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems.

Public key cryptography is the basis for tools like ssh as well as Secure Sockets Layer (SSL) for encrypting web traffic. For readers who would like more information, a nice introduction to public key cryptography and the RSA algorithm can be found on Wikipedia.

ECC is based on some very deep math involving elliptic curves in a finite field. It relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) in much the same way that RSA depends on the difficulty of factoring the product of two large primes. The best known method for solving ECDLP is fully exponential, whereas the number field sieve (for factoring) is sub-exponential. This allows ECC to use drastically smaller keys to provide the equivalent security; a 160-bit ECC key is equivalent to a 1024-bit RSA key.

Smaller key sizes lead to faster processing, which is very interesting to folks that are implementing encryption on small, mobile devices with limited resources in terms of power, CPU and memory. It is also very desirable for large web servers that will be handling many encrypted sessions. These are the technical considerations driving adoption. The NSA's recommendation makes it very attractive to companies that sell encryption products to the government and many non-governmental entities will also want products that implement ECC.

In order to use elliptic curves as part of a public key cryptosystem, both parties must agree on a set of domain parameters that fully specify the curve that is being used. Various groups, notably the US National Institute for Standards and Technology (NIST) and the Standards for Efficient Cryptography Group (SECG) have recommendations for the domain parameters to be used for various key sizes. The Internet Engineering Task Force (IETF) also has a draft specification for adding ECC to SSL/TLS.

Sun Microsystems has donated ECC code to OpenSSL and the Network Security Services (NSS) library; this allows the Apache web server and Mozilla browsers (and many other programs) to use ECC.

Unfortunately, as with RSA before its patent expired, the ECC landscape is littered with patent claims; some of dubious enforceability due to prior art. Sun claims patents on ECC technology, but has provided a "patent peace" provision in its license that states that it will not enforce its patent claims and asks that anyone holding patents associated with the code not enforce them against Sun.

The wild card in the ECC patent arena seems to be Certicom which claims a large number of ECC patents and has not made a clear statement of its intentions with regard to open source implementations. The NSA licensed Certicom's patents for \$25 million to allow them and their suppliers to use ECC, lending some credence to at least some of the Certicom patents. Other companies also have patents on various pieces of ECC technology.

As is often the case with patents, it is well nigh impossible to determine what the patents cover and if an implementation infringes without going to court. Ironically, the clearest description of what is and is not patented is an RSA Laboratories FAQ entry:

In all of these cases, it is the implementation technique that is patented, not the prime or representation, and there are alternative, compatible implementation techniques that are not covered by the patents.

Of course, this is not legal advice from RSA and may or may not be how it is interpreted by the courts. We will all have to wait and see how it plays out if one or more of the patent holders decides to sue.

[The author wishes to thank his employer, Privacy Networks, for sending him to the RSA 2006 conference which inspired this article.]

New vulnerabilities

## bmv: integer overflow

Package(s):bmv CVE #(s):CVE-2005-3278
Created:March 2, 2006 Updated:March 8, 2006
Description: The bmv PostScript viewer has an integer overflow vulnerability. If a specially crafted PostScript file is read by bmv, it may be possible to execute arbitrary code.
 Debian DSA-981-1 2006-02-26

## flex: buffer overflow

Package(s):flex CVE #(s):CVE-2006-0459
Created:March 7, 2006 Updated:March 28, 2006
Description: Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing.
 Debian DSA-1020-1 2006-03-28 Gentoo 200603-07 2006-03-10 Ubuntu USN-260-1 2006-03-06

## freeciv: denial of service

Package(s):freeciv CVE #(s):CVE-2006-0047
Created:March 8, 2006 Updated:March 16, 2006
Description: The freeciv "civserver" application is susceptible to a denial of service vulnerability.
 Gentoo 200603-11 2006-03-16 Debian DSA-994-1 2006-03-13 Mandriva MDKSA-2006:053 2006-03-07

## initscripts: privilege escalation

Package(s):initscripts CVE #(s):CVE-2005-3629
Created:March 7, 2006 Updated:March 15, 2006
Description: A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user.
 Red Hat RHSA-2006:0015-01 2006-03-15 Red Hat RHSA-2006:0016-01 2006-03-07

Created:March 2, 2006 Updated:March 8, 2006
Description: irssi-text has a remote denial of service vulnerability that is caused by incomplete verification of arguments by the DCC ACCEPT command handler. A remote attacker can crash irssi and cause a denial of service.
 Ubuntu USN-259-1 2006-03-01

## kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-0741 CVE-2006-0555
Created:March 2, 2006 Updated:March 23, 2006
Description: The Linux kernel has multiple vulnerabilities including a sanity check problem with sys_mbind that can lead to a local denial of service, an ELF vulnerability that can crash Intel EM64T systems and an NFS client panic problem that can be triggered by direct I/O from a local user.
 Mandriva MDKSA-2006:059 2006-03-22 Ubuntu USN-263-1 2006-03-13 Trustix TSLSA-2006-0012 2006-03-10 Fedora FEDORA-2006-131 2006-03-02

## Mozilla Thunderbird: remote code execution and DoS

Package(s):mozilla-thunderbird CVE #(s):CVE-2006-0884
Created:March 3, 2006 Updated:May 4, 2006
Description: The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier allows user-complicit attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.
 Debian DSA-1051-1 2006-05-04 Mandriva MDKSA-2006:052 2006-03-02

## WordPress: SQL injection

Package(s):wordpress CVE #(s):
Created:March 6, 2006 Updated:March 8, 2006
Description: Patrik Karlsson reported that WordPress 1.5.2 makes use of an insufficiently filtered User Agent string in SQL queries related to comments posting. This vulnerability was already fixed in the 2.0-series of WordPress.
 Gentoo 200603-01 2006-03-04

## zoo: stack-based buffer overflow

Package(s):zoo CVE #(s):CVE-2006-0855
Created:March 7, 2006 Updated:March 16, 2006
Description: Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10 and earlier allows user-complicit attackers to execute arbitrary code via a crafted ZOO file that causes the combine function to return a longer string than expected.
 Gentoo 200603-12 2006-03-16 Debian DSA-991-1 2006-03-10 Gentoo 200603-05 2006-03-06

Updated vulnerabilities

Created:February 6, 2006 Updated:April 17, 2006
Description: Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host.
 Gentoo 200604-07 2006-04-14 Debian DSA-1031-1 2006-04-08 Debian DSA-1030-1 2006-04-08 Debian DSA-1029-1 2006-04-08 Gentoo 200602-02 2006-02-06

## apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
 Slackware SSA:2006-129-01 2006-05-10 SuSE SUSE-SR:2006:004 2006-02-24 Fedora-Legacy FLSA:175406 2006-02-18 Gentoo 200602-03 2006-02-06 Fedora FEDORA-2006-052 2006-01-20 Red Hat RHSA-2006:0158-01 2006-01-17 Ubuntu USN-241-1 2006-01-12 Trustix TSLSA-2005-0074 2005-12-23 Mandriva MDKSA-2006:007 2006-01-05 Red Hat RHSA-2006:0159-01 2006-01-05 OpenPKG OpenPKG-SA-2005.029 2005-12-14

## blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
 Debian-Testing DTSA-29-1 2006-06-15 Debian DSA-1039-1 2006-04-24 Gentoo 200601-08 2006-01-13 Ubuntu USN-238-2 2006-01-06 Ubuntu USN-238-1 2006-01-06

## bluez-hcidump: buffer overflow

Package(s):bluez-hcidump CVE #(s):CVE-2006-0670
Created:February 18, 2006 Updated:March 10, 2006
Description: A buffer overflow in l2cap.c in hcidump allows remote attackers to cause a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet.
 Debian DSA-990-1 2006-03-10 Ubuntu USN-256-1 2006-02-21 Mandriva MDKSA-2006:041 2006-02-17

## BomberClone: remote execution of arbitrary code

Package(s):bomberclone CVE #(s):CVE-2006-0460
Created:February 17, 2006 Updated:March 14, 2006
Description: Stefan Cornelius of the Gentoo Security team discovered multiple missing buffer checks in BomberClone's code. By sending overly long error messages to the game via network, a remote attacker may exploit buffer overflows to execute arbitrary code with the rights of the user running BomberClone.
 Debian DSA-997-1 2006-03-13 Gentoo 200602-09 2006-02-16

## bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
 rPath rPSA-2007-0004-1 2007-01-09 Debian DSA-741-1 2005-07-07 Red Hat RHSA-2005:474-01 2005-06-16 OpenPKG OpenPKG-SA-2005.008 2005-06-10 SuSE SUSE-SR:2005:015 2005-06-07 Debian DSA-730-1 2005-05-27 Mandriva MDKSA-2005:091 2005-05-18 Ubuntu USN-127-1 2005-05-17

## ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
 Gentoo 200608-27 2006-08-29 Debian DSA-1088-1 2006-06-03 Debian DSA-1083-1 2006-05-31 Gentoo 200512-11 2005-12-20 Debian-Testing DTSA-23-1 2005-12-05

## cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
 CentOS CESA-2010:0145 2010-03-17 Red Hat RHSA-2010:0145-01 2010-03-15 rPath rPSA-2007-0094-1 2007-05-07 Red Hat RHSA-2007:0245-02 2007-05-01 Ubuntu USN-234-1 2006-01-02

## curl: buffer overflow

Package(s):curl CVE #(s):CVE-2005-4077
Created:December 8, 2005 Updated:March 27, 2006
Description: The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access.
 Gentoo 200603-25 2006-03-27 Debian DSA-919-2 2006-03-10 Trustix TSLSA-2005-0072 2005-12-16 Red Hat RHSA-2005:875-01 2005-12-20 Gentoo 200512-09 2005-12-16 Ubuntu USN-228-1 2005-12-12 Fedora FEDORA-2005-1137 2005-12-12 Fedora FEDORA-2005-1136 2005-12-12 Debian DSA-919-1 2005-12-12 OpenPKG OpenPKG-SA-2005.028 2005-12-10 Mandriva MDKSA-2005:224 2005-12-08 Fedora FEDORA-2005-1129 2005-12-08 Fedora FEDORA-2005-1130 2005-12-08

## cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
 Fedora-Legacy FLSA:156290 2006-04-04 Red Hat RHSA-2005:408-01 2005-05-17 Fedora FEDORA-2005-339 2005-04-27 OpenPKG OpenPKG-SA-2005.005 2005-04-05 Conectiva CLA-2005:937 2005-03-17 Mandrake MDKSA-2005:051 2005-03-04 Ubuntu USN-87-1 2005-02-28 SuSE SUSE-SA:2005:009 2005-02-24 Gentoo 200502-29 2005-02-23

## dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
 Debian DSA-1025-1 2006-04-06 Mandriva MDKSA-2005:187 2005-10-20 Gentoo 200510-06 2005-10-06 Debian DSA-847-1 2005-10-08 SuSE SUSE-SR:2005:022 2005-10-07 Ubuntu USN-193-1 2005-10-04

## emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
 Fedora-Legacy FLSA:152898 2006-05-12 Debian DSA-685-1 2005-02-17 Mandrake MDKSA-2005:038 2005-02-15 Gentoo 200502-20 2005-02-15 Fedora FEDORA-2005-146 2005-02-14 Fedora FEDORA-2005-145 2005-02-14 Red Hat RHSA-2005:133-01 2005-02-15 Red Hat RHSA-2005:110-01 2005-02-15 Red Hat RHSA-2005:134-01 2005-02-10 Red Hat RHSA-2005:112-01 2005-02-10 Fedora FEDORA-2005-116 2005-02-08 Fedora FEDORA-2005-115 2005-02-08 Debian DSA-671-1 2005-02-08 Debian DSA-670-1 2005-02-08 Ubuntu USN-76-1 2005-02-07

## enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
 rPath rPSA-2006-0083-1 2006-05-26 Fedora-Legacy FLSA:152892 2005-12-17 Red Hat RHSA-2005:040-01 2005-02-15 Mandrake MDKSA-2005:033 2005-02-10 Gentoo 200502-03 2005-02-02 Red Hat RHSA-2005:039-01 2005-02-01 Fedora FEDORA-2005-096 2005-01-31 Fedora FEDORA-2005-092 2005-01-28 Fedora FEDORA-2005-091 2005-01-28 Fedora FEDORA-2005-016 2005-01-26 Fedora FEDORA-2005-015 2005-01-26 Ubuntu USN-68-1 2005-01-24 Debian DSA-654-1 2005-01-21

## evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
 Debian DSA-1016-1 2006-03-23 SuSE SUSE-SA:2005:054 2005-09-16 Red Hat RHSA-2005:267-01 2005-08-29 Gentoo 200508-12 2005-08-23 Mandriva MDKSA-2005:141 2005-08-17 Fedora FEDORA-2005-742 2005-08-11 Fedora FEDORA-2005-743 2005-08-11

## fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
 rPath rPSA-2006-0084-1 2006-05-26 Fedora-Legacy FLSA:164512 2006-05-12 Slackware SSA:2006-045-01 2006-02-15 Debian DSA-939-1 2006-01-13 Ubuntu USN-233-1 2006-01-02 Mandriva MDKSA-2005:236 2005-12-23 Fedora FEDORA-2005-1187 2005-12-20 Fedora FEDORA-2005-1186 2005-12-20

## ffmpeg: buffer overflow

Package(s):ffmpeg CVE #(s):CVE-2005-4048
Created:December 15, 2005 Updated:March 17, 2006
Description: The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges.
 Debian DSA-1005-1 2006-03-16 Debian DSA-1004-1 2006-03-16 Debian DSA-992-1 2006-03-10 Gentoo 200603-03 2006-03-04 Gentoo 200602-01 2006-02-05 Gentoo 200601-06 2006-01-10 Ubuntu USN-230-2 2005-12-16 Ubuntu USN-230-1 2005-12-14 Mandriva MDKSA-2005:228 2005-12-14 Mandriva MDKSA-2005:229 2005-12-14 Mandriva MDKSA-2005:232 2005-12-14 Mandriva MDKSA-2005:230 2005-12-14 Mandriva MDKSA-2005:231 2005-12-14

## Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
 SuSE SUSE-SA:2006:026 2006-05-30 Fedora-Legacy FLSA:2076 2004-11-05 Conectiva CLA-2004:880 2004-10-27 Fedora FEDORA-2004-303 2004-09-21 Gentoo 200409-24 2004-09-20

## gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
 Red Hat RHSA-2006:0354-01 2006-08-10 Red Hat RHSA-2006:0368-01 2006-07-20 Mandriva MDKSA-2005:215 2005-11-23 Fedora FEDORA-2005-1033 2005-10-27 Fedora FEDORA-2005-1032 2005-10-27 Red Hat RHSA-2005:801-01 2005-10-18 Red Hat RHSA-2005:763-01 2005-10-11 Red Hat RHSA-2005:709-01 2005-10-05 Red Hat RHSA-2005:673-01 2005-10-05 Red Hat RHSA-2005:659-01 2005-09-28 Fedora FEDORA-2005-498 2005-06-29 Fedora FEDORA-2005-497 2005-06-29 Gentoo 200506-01 2005-06-01 Trustix TSLSA-2005-0025 2005-05-31 Mandriva MDKSA-2005:095 2005-05-30 Ubuntu USN-136-2 2005-05-27 Ubuntu USN-136-1 2005-05-27 Ubuntu USN-135-1 2005-05-27 Gentoo 200505-15 2005-05-20

## gdk-pixbuf: multiple vulnerabilities

Package(s):gdk-pixbuf gtk2 CVE #(s):CVE-2005-3186 CVE-2005-2976 CVE-2005-2975
Created:November 15, 2005 Updated:March 20, 2006
Description: The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim.

 Fedora-Legacy FLSA:173274 2006-03-16 Debian DSA-913-1 2005-12-01 Debian DSA-911-1 2005-11-29 Trustix TSLSA-2005-0066 2005-11-18 Mandriva MDKSA-2005:214 2005-11-18 Ubuntu USN-216-1 2005-11-16 SuSE SUSE-SA:2005:065 2005-11-16 Gentoo 200511-14 2005-11-16 Fedora FEDORA-2005-1088 2005-11-15 Fedora FEDORA-2005-1087 2005-11-15 Fedora FEDORA-2005-1086 2005-11-15 Fedora FEDORA-2005-1085 2005-11-15 Red Hat RHSA-2005:811-01 2005-11-15 Red Hat RHSA-2005:810-01 2005-11-15

## gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
 Fedora FEDORA-2009-1189 2009-01-29 Fedora FEDORA-2009-1187 2009-01-29 Debian DSA-753-1 2005-07-12 Mandriva MDKSA-2005:102 2005-06-15 Red Hat RHSA-2005:499-01 2005-06-13 Gentoo 200506-09 2005-06-11 Ubuntu USN-138-1 2005-06-09

## gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
 Mandriva MDKSA-2006:051 2006-02-28 Fedora-Legacy FLSA:136323 2006-01-09 Gentoo 200410-10:02 2004-10-10 OpenPKG OpenPKG-SA-2004.055 2004-12-23 Ubuntu USN-5-1 2004-10-27 Gentoo 200410-10 2004-10-10

## gnupg: false positive signature verification

Package(s):gnupg CVE #(s):CVE-2006-0455
Created:February 17, 2006 Updated:March 10, 2006
Description: Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP replacement, verifies external signatures of files successfully even though they don't contain a signature at all. See this update from the gnuPG team for more information.
 SuSE SUSE-SA:2006:014 2006-03-10 SuSE SUSE-SR:2006:005 2006-03-03 SuSE SUSE-SA:2006:013 2006-03-01 Trustix TSLSA-2006-0008 2006-02-17 SuSE SUSE-SA:2006:009 2006-02-20 Gentoo 200602-10 2006-02-18 OpenPKG OpenPKG-SA-2006.001 2006-02-18 Mandriva MDKSA-2006:043 2006-02-17 Fedora FEDORA-2006-116 2006-02-17 Ubuntu USN-252-1 2006-02-17 Debian DSA-978-1 2006-02-17

## gnutls: denial of service

Package(s):gnutls CVE #(s):CVE-2006-0645
Created:February 13, 2006 Updated:March 6, 2006
Description: Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution.
 Debian DSA-986-1 2006-03-06 Debian DSA-985-1 2006-03-06 Fedora-Legacy FLSA:181014 2006-02-27 Gentoo 200602-08 2006-02-16 Ubuntu USN-251-1 2006-02-16 Mandriva MDKSA-2006:039 2006-02-13 Fedora FEDORA-2006-107 2006-02-10 Red Hat RHSA-2006:0207-01 2006-02-10

## grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
 Fedora FEDORA-2008-9604 2008-11-19 Fedora FEDORA-2008-9521 2008-11-19 Fedora-Legacy FLSA:152919 2005-09-15 Mandriva MDKSA-2005:074 2005-04-20 Mandriva MDKSA-2005:075 2005-04-20 Gentoo 200504-07 2005-04-08 Mandrake MDKSA-2005:066 2005-04-01 Red Hat RHSA-2005:304-01 2005-03-28 Gentoo 200503-21 2005-03-17 Fedora FEDORA-2005-203 2005-03-09 Fedora FEDORA-2005-202 2005-03-09

## gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
 OpenPKG OpenPKG-SA-2007.002 2007-01-08 Mandriva MDKSA-2006:027 2006-01-30 Mandriva MDKSA-2006:026 2006-01-30 Fedora-Legacy FLSA:158801 2005-11-14 Fedora-Legacy FLSA:157696 2005-08-10 Ubuntu USN-161-1 2005-08-04 Ubuntu USN-158-1 2005-08-01

## heimdal: privilege escalation

Package(s):heimdal CVE #(s):CVE-2006-0582
Created:February 13, 2006 Updated:March 17, 2006
Description: A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them.
 Gentoo 200603-14 2006-03-17 Debian DSA-977-1 2006-02-16 Ubuntu USN-247-1 2006-02-10

## imagemagick: arbitrary command execution

Package(s):imagemagick CVE #(s):CVE-2005-4601 CVE-2006-0082
Created:January 24, 2006 Updated:March 24, 2006
Description: Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus).
 SuSE SUSE-SR:2006:006 2006-03-17 Gentoo 200602-13 2006-02-26 Slackware SSA:2006-045-03 2006-02-15 Red Hat RHSA-2006:0178-01 2006-02-14 Gentoo 200602-06 2006-02-13 Debian DSA-957-2 2006-01-31 Mandriva MDKSA-2006:024 2006-01-26 Debian DSA-957-1 2006-01-26 Ubuntu USN-246-1 2006-01-24

## imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
 Fedora-Legacy FLSA:184074 2006-04-04 Fedora-Legacy FLSA:152912 2005-05-12 Red Hat RHSA-2005:114-01 2005-02-18

## ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
 Fedora-Legacy FLSA:190941 2006-06-06 Red Hat RHSA-2006:0267-01 2006-04-25 Debian DSA-965-1 2006-02-06 Mandriva MDKSA-2006:020 2006-01-25 SuSE SUSE-SA:2005:070 2005-12-20 Gentoo 200512-04 2005-12-12 Ubuntu USN-221-1 2005-12-01

## kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
 Red Hat RHSA-2006:0582-01 2006-08-10 Debian DSA-815-1 2005-09-16 Slackware SSA:2005-251-01 2005-09-09 Ubuntu USN-176-1 2005-09-07 Mandriva MDKSA-2005:160 2005-09-06

## kdelibs: heap overflow

Package(s):kdelibs CVE #(s):CVE-2006-0019
Created:January 19, 2006 Updated:March 17, 2006
Description: Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability.
 Fedora-Legacy FLSA:178606 2006-03-16 Slackware SSA:2006-045-05 2006-02-15 Gentoo 200601-11 2006-01-22 Mandriva MDKSA-2006:019 2006-01-20 Fedora FEDORA-2006-050 2006-01-20 SuSE SUSE-SA:2006:003 2006-01-20 Debian DSA-948-1 2005-01-20 Ubuntu USN-245-1 2006-01-20 Red Hat RHSA-2006:0184-01 2006-01-19

## kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
 Gentoo 200611-21 2006-11-27 Debian DSA-804-2 2005-11-10 Debian DSA-804-1 2005-09-08 Red Hat RHSA-2005:612-01 2005-07-27 Ubuntu USN-150-1 2005-07-21 Mandriva MDKSA-2005:122 2005-07-20 Fedora FEDORA-2005-594 2005-07-19

## kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
 Debian DSA-1082-1 2006-05-29 Debian DSA-1069-1 2006-05-20 Debian DSA-1070-1 2006-05-21 Debian DSA-1067-1 2006-05-20 Conectiva CLA-2005:945 2005-03-31 Fedora FEDORA-2005-262 2005-03-28 SuSE SUSE-SA:2005:018 2005-03-24

## kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3356 CVE-2005-4605 CVE-2005-4618 CVE-2005-4639 CVE-2006-0095 CVE-2006-0096
Created:January 18, 2006 Updated:March 7, 2006
Description: The latest set of kernel vulnerabilities includes:

• A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)

• A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)

• An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)

• A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)

• A potential key disclosure in dm-crypt. (CVE-2006-0095)

• Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
 Red Hat RHSA-2006:0132-01 2006-03-07 Trustix TSLSA-2006-0004 2006-01-27 Ubuntu USN-244-1 2006-01-18

## kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276
Created:November 22, 2005 Updated:March 15, 2006
Description: Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709)

Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973)

Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055)

Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180)

A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271)

Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272)

David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273)

Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)

Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275)

Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276)

 Red Hat RHSA-2006:0144-01 2006-03-15 Red Hat RHSA-2006:0140-01 2006-01-19 Red Hat RHSA-2006:0101-01 2006-01-17 Mandriva MDKSA-2005:235 2005-12-21 Debian DSA-922-1 2005-12-14 Debian DSA-921-1 2005-12-14 SuSE SUSE-SA:2005:068 2005-12-14 SuSE SUSE-SA:2005:067 2005-12-06 Mandriva MDKSA-2005:220 2005-11-30 Mandriva MDKSA-2005:219 2005-11-30 Mandriva MDKSA-2005:218 2005-11-30 Fedora FEDORA-2005-1104 2005-11-28 Trustix TSLSA-2005-0064 2005-11-11 Ubuntu USN-219-1 2005-11-22

## kernel multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808
Created:January 20, 2006 Updated:April 18, 2006
Description: Here's another set of vulnerabilities in the Linux kernel:
• A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).
• The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).
• The auto-reap child process in 2.6 kernels prior to 2.6.15 include processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).
• A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).
• The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).
• An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).
 Mandriva MDKSA-2006:072 2006-04-17 Debian DSA-1018-2 2006-04-05 Debian DSA-1018-1 2006-03-26 Debian DSA-1017-1 2006-03-23 Fedora-Legacy FLSA:157459-2 2006-03-16 Fedora-Legacy FLSA:157459-1 2006-03-16 Fedora-Legacy FLSA:157459-4 2006-03-16 Fedora-Legacy FLSA:157459-3 2006-03-16 SuSE SUSE-SA:2006:012 2006-02-27 Mandriva MDKSA-2006:044 2006-02-21 Red Hat RHSA-2006:0191-01 2006-02-01 Mandriva MDKSA-2006:018 2006-01-20

## xpdf heap based buffer overflow

Package(s):kpdf xpdf kdegraphics poppler CVE #(s):CVE-2006-0301
Created:February 3, 2006 Updated:March 17, 2006
Description: Another heap based buffer overflow has been found in xpdf and other programs that share the same code. This one is in Splash.cc and it can cause crashes and possibly arbitrary code execution.
 Fedora-Legacy FLSA:175404 2006-03-16 Mandriva MDKSA-2006:054 2006-03-08 Gentoo 200602-12 2006-02-21 Debian DSA-979-1 2006-02-17 Ubuntu USN-249-1 2006-02-13 Slackware SSA:2006-045-04 2006-02-15 Slackware SSA:2006-045-09 2006-02-15 Debian DSA-974-1 2006-02-15 Debian DSA-972-1 2006-02-15 Debian DSA-971-1 2006-02-14 Red Hat RHSA-2006:0206-01 2006-02-13 Red Hat RHSA-2006:0201-01 2006-02-13 Gentoo 200602-05 2006-02-12 Gentoo 200602-04 2006-02-12 Fedora FEDORA-2006-104 2006-02-10 Fedora FEDORA-2006-103 2006-02-10 Fedora FEDORA-2006-105 2006-02-10 Mandriva MDKSA-2006:032 2006-02-02 Mandriva MDKSA-2006:031 2006-02-02

## libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
 Fedora-Legacy FLSA:178989 2006-03-01 Gentoo 200501-38:03 2005-01-26 Red Hat RHSA-2005:072-01 2005-02-15 Mandrake MDKSA-2005:030 2005-02-08 Red Hat RHSA-2005:069-01 2005-02-01 Gentoo 200501-38 2005-01-26 Ubuntu USN-70-1 2005-01-25 Debian DSA-658-1 2005-01-25

Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
 Debian DSA-813-1 2005-09-15 Red Hat RHSA-2005:627-01 2005-08-09 Debian DSA-769-1 2005-07-29

## libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
 Mandriva MDKSA-2006:114 2006-06-27 Red Hat RHSA-2006:0194-01 2006-02-01 Fedora-Legacy FLSA:152838 2005-07-15 Red Hat RHSA-2004:638-01 2004-12-17 Ubuntu USN-33-1 2004-11-29 Debian DSA-602-1 2004-11-29 Debian DSA-601-1 2004-11-29 Mandrake MDKSA-2004:132 2004-11-15 Ubuntu USN-25-1 2004-11-15 Fedora FEDORA-2004-412 2004-11-11 Fedora FEDORA-2004-411 2004-11-11 Ubuntu USN-21-1 2004-11-09 Debian DSA-591-1 2004-11-09 Debian DSA-589-1 2004-11-09 Gentoo 200411-08 2004-11-03 OpenPKG OpenPKG-SA-2004.049 2004-10-30 Ubuntu USN-11-1 2004-10-28

## libmail-audit-perl: insecure temporary file creation

Package(s):libmail-audit-perl CVE #(s):CVE-2005-4536
Created:January 31, 2006 Updated:March 20, 2006
Description: Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on.
 Debian DSA-960-3 2006-03-20 Debian DSA-960-2 2006-01-31 Debian DSA-960-1 2006-01-31

## libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
 rPath rPSA-2006-0183-1 2006-10-05 Mandriva MDKSA-2005:190 2005-10-20 Gentoo 200508-22 2005-08-31 Debian DSA-785-1 2005-08-25

## libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
 Gentoo 200812-15 2008-12-14 Red Hat RHSA-2006:0205-01 2006-02-13

## libungif: memory corruption

Package(s):libungif CVE #(s):CAN-2005-2974
Created:November 3, 2005 Updated:March 20, 2006
Description: The libungif library has a vulnerability in the GIF file colormap handling code. A maliciously crafted GIF file can cause out of bounds memory writing and register corruption.
 Fedora-Legacy FLSA:174479 2006-03-16 SuSE SUSE-SR:2005:026 2005-11-11 Mandriva MDKSA-2005:207 2005-11-09 Debian DSA-890-1 2005-11-09 Ubuntu USN-214-1 2005-11-07 Gentoo 200511-03 2005-11-04 Red Hat RHSA-2005:828-01 2005-11-03 Fedora FEDORA-2005-1046 2005-11-03 Fedora FEDORA-2005-1045 2005-11-03

## libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
 Fedora FEDORA-2009-8594 2009-08-15 Fedora FEDORA-2009-8582 2009-08-15 Fedora-Legacy FLSA:1324 2004-07-19 Conectiva CLA-2004:836 2004-03-31 Gentoo 200403-01 2004-03-06 Trustix TSLSA-2004-0010 2004-03-05 OpenPKG OpenPKG-SA-2004.003 2004-03-05 Netwosix NW-2004-0004 2004-03-04 Debian DSA-455-1 2004-03-03 Mandrake MDKSA-2004:018 2004-03-03 Red Hat RHSA-2004:091-02 2004-03-03 Whitebox WBSA-2004:090-01 2004-03-01 Red Hat RHSA-2004:090-01 2004-02-26 Fedora FEDORA-2004-087 2004-02-25 Red Hat RHSA-2004:091-01 2004-02-26

## libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
 Fedora FEDORA-2009-8594 2009-08-15 Fedora FEDORA-2009-8582 2009-08-15 Ubuntu USN-89-1 2005-02-28 Red Hat RHSA-2004:650-01 2004-12-16 Conectiva CLA-2004:890 2004-11-18 Red Hat RHSA-2004:615-01 2004-11-12 Mandrake MDKSA-2004:127 2004-11-04 Debian DSA-582-1 2004-11-02 Gentoo 200411-05 2004-11-02 Trustix TSLSA-2004-0055 2004-10-29 OpenPKG OpenPKG-SA-2004.050 2004-10-31 Ubuntu USN-10-1 2004-10-28 Fedora FEDORA-2004-353 2004-10-28

## libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
 Fedora-Legacy FLSA:168264 2006-03-07 Fedora-Legacy FLSA:152803 2006-01-09 Fedora FEDORA-2005-815 2005-08-26 Fedora FEDORA-2005-808 2005-08-25 Red Hat RHSA-2005:198-01 2005-06-08 Red Hat RHSA-2005:473-01 2005-05-24 Red Hat RHSA-2005:412-01 2005-05-11 Debian DSA-723-1 2005-05-09 Mandriva MDKSA-2005:081 2005-05-05 Mandriva MDKSA-2005:080 2005-04-28 Red Hat RHSA-2005:044-01 2005-04-06 Red Hat RHSA-2005:331-01 2005-03-30 Fedora FEDORA-2005-273 2005-03-29 Fedora FEDORA-2005-272 2005-03-29 Ubuntu USN-97-1 2005-03-16 Gentoo 200503-15 2005-03-12 Ubuntu USN-92-1 2005-03-07 Gentoo 200503-08 2005-03-04

## lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execute bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
 Gentoo 200909-15 2009-09-12 Fedora-Legacy FLSA:152832 2005-12-17 OpenPKG OpenPKG-SA-2005.026 2005-12-03 Fedora FEDORA-2005-1079 2005-11-14 Fedora FEDORA-2005-1078 2005-11-14 Gentoo 200511-09 2005-11-13 Mandriva MDKSA-2005:211 2005-11-12 Red Hat RHSA-2005:839-01 2005-11-11

## mailman: denial of service

Package(s):mailman CVE #(s):CVE-2005-3573
Created:December 2, 2005 Updated:March 8, 2006
Description: Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service.
 Red Hat RHSA-2006:0204-01 2006-03-07 Debian DSA-955-1 2006-01-25 Ubuntu USN-242-1 2006-01-16 Mandriva MDKSA-2005:222 2005-12-02

## metamail: buffer overflow

Package(s):metamail CVE #(s):CVE-2006-0709
Created:February 21, 2006 Updated:March 17, 2006
Description: A buffer overflow bug was found in the way Metamail processes certain mail messages. An attacker could create a carefully-crafted message such that when it is opened by a victim and parsed through Metamail, it runs arbitrary code as the victim.
 Gentoo 200603-16 2006-03-17 Debian DSA-995-1 2006-03-13 Mandriva MDKSA-2006:047 2006-02-22 Red Hat RHSA-2006:0217-01 2006-02-21

## mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
 Fedora-Legacy FLSA:152896 2006-04-04 Conectiva CLA-2005:926 2005-03-02 Debian DSA-689-1 2005-02-23 Red Hat RHSA-2005:100-01 2005-02-15 Gentoo 200502-14 2005-02-13 Trustix TSLSA-2005-0003 2005-02-11 Ubuntu USN-80-1 2005-02-11 Red Hat RHSA-2005:104-01 2005-02-10 Fedora FEDORA-2005-140 2005-02-10 Fedora FEDORA-2005-139 2005-02-10

## mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CVE-2005-4134 CVE-2006-0292 CVE-2006-0296
Created:February 2, 2006 Updated:May 4, 2006
Description: Mozilla has three new vulnerabilities. The Javascript interpreter has a problem with dereferencing objects. A user can visit a specially crafted web page which can crash the browser or cause it to execute arbitrary code.

The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites, RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed.

The Mozilla history saving mechanism is vulnerable to a denial of service attack, visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run.

 Ubuntu USN-275-1 2006-04-27 Debian DSA-1046-1 2006-04-27 Fedora-Legacy FLSA:180036 2006-02-23 Mandriva MDKSA-2006:037 2006-02-07 Mandriva MDKSA-2006:036 2006-02-07 Fedora FEDORA-2006-076 2006-02-02 Fedora FEDORA-2006-075 2006-02-02 Red Hat RHSA-2006:0200-01 2006-02-02 Red Hat RHSA-2006:0199-01 2006-02-02

## nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
 SuSE SUSE-SR:2006:001 2006-01-13 Ubuntu USN-237-1 2006-01-06

## ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
 Fedora-Legacy FLSA:152904 2006-05-12 Fedora FEDORA-2005-435 2005-08-16 Red Hat RHSA-2005:371-01 2005-05-17 Mandrake MDKSA-2005:028 2005-02-01 Gentoo 200501-44 2005-01-30

## ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
 Red Hat RHSA-2006:0393-01 2006-08-10 Mandriva MDKSA-2005:156 2005-09-06 Debian DSA-801-1 2005-09-05 Ubuntu USN-175-1 2005-09-01 Fedora FEDORA-2005-812 2005-08-26

## openmotif: buffer overflows

Package(s):openmotif CVE #(s):CVE-2005-3964
Created:December 29, 2005 Updated:July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
 Fedora FEDORA-2006-854 2006-07-26 Red Hat RHSA-2006:0272-01 2006-04-04 Gentoo 200512-16 2005-12-28

## OpenSSH: double shell expansion

Package(s):openssh CVE #(s):CVE-2006-0225
Created:January 23, 2006 Updated:July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp.
 Red Hat RHSA-2006:0298-01 2006-07-20 Red Hat RHSA-2006:0044-01 2006-03-07 Ubuntu USN-255-1 2006-02-21 Gentoo 200602-11 2006-02-20 Fedora-Legacy FLSA:168935 2006-02-18 OpenPKG OpenPKG-SA-2006.003 2006-02-18 Slackware SSA:2006-045-06 2006-02-15 SuSE SUSE-SA:2006:008 2006-02-14 Mandriva MDKSA-2006:034 2006-02-06 Fedora FEDORA-2006-056 2006-01-23

## pcre3: arbitrary code execution

Package(s):pcre3 CVE #(s):CAN-2005-2491
Created:August 23, 2005 Updated:March 10, 2006
Description: A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library.
 Red Hat RHSA-2006:0197-01 2006-03-09 Fedora-Legacy FLSA:168516 2006-03-07 Debian DSA-821-1 2005-09-28 Debian DSA-819-1 2005-09-23 Debian DSA-817-1 2005-09-22 Gentoo 200509-08 2005-09-12 Red Hat RHSA-2005:358-01 2005-09-08 Red Hat RHSA-2005:761-02 2005-09-08 Trustix TSLSA-2005-0045 2005-08-26 OpenPKG OpenPKG-SA-2005.018 2005-09-05 SuSE SUSE-SA:2005:051 2005-09-05 Gentoo 200509-02 2005-09-03 Debian DSA-800-1 2005-09-02 Ubuntu USN-173-4 2005-08-31 Slackware SSA:2005-242-01 2005-08-31 SuSE SUSE-SA:2005:049 2005-08-30 SuSE SUSE-SA:2005:048 2005-08-30 Ubuntu USN-173-3 2005-08-30 Mandriva MDKSA-2005:155 2005-08-29 Mandriva MDKSA-2005:154 2005-08-26 Mandriva MDKSA-2005:153 2005-08-26 Mandriva MDKSA-2005:151 2005-08-25 Mandriva MDKSA-2005:152 2005-08-25 Gentoo 200508-17 2005-08-25 Ubuntu USN-173-2 2005-08-24 Fedora FEDORA-2005-803 2005-08-24 Fedora FEDORA-2005-802 2005-08-24 Ubuntu USN-173-1 2005-08-23

## perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
 Red Hat RHSA-2006:0605-01 2006-08-10 Fedora FEDORA-2005-353 2005-05-02 Red Hat RHSA-2005:103-01 2005-02-15 Gentoo 200502-13 2005-02-11 SuSE SUSE-SR:2005:004 2005-02-11 Mandrake MDKSA-2005:031 2005-02-08 Red Hat RHSA-2005:105-01 2005-02-07 Ubuntu USN-72-1 2005-02-02

## PHP: safe_mode bypass

Package(s):php CVE #(s):CVE-2005-3391
Created:February 8, 2006 Updated:March 10, 2006
Description: A vulnerability in the PHP GD extension (prior to version 4.4.1) can enable a remote attacker to bypass safe_mode restrictions.
 Mandriva MDKSA-2006:035-1 2006-03-09 Slackware SSA:2006-045-07 2006-02-15 Mandriva MDKSA-2006:035 2006-02-07

## php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2006-0207 CVE-2006-0208
Created:February 2, 2006 Updated:March 23, 2006
Description: PHP has a response splitting vulnerability, remote attackers can inject arbitrary HTTP headers via an unknown method, possibly using a Set-Cookie header. Also, a number of cross-site scripting vulnerabilities can be used by remote attackers to inject arbitrary web scripts or html pages.
 Gentoo 200603-22 2006-03-22 Ubuntu USN-261-1 2006-03-10 Mandriva MDKSA-2006:028 2006-02-01

## phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
 Debian DSA-925-1 2005-12-22

Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The \$GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the \$HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
 Debian DSA-1207-2 2006-11-19 Debian DSA-1207-1 2006-11-09 SuSE SUSE-SA:2006:004 2006-01-26 Gentoo 200512-03 2005-12-11

## postgresql: improper validation with Asserts enabled

Package(s):postgresql CVE #(s):CVE-2006-0678
Created:February 27, 2006 Updated:February 28, 2006
Description: PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553.
 Ubuntu USN-258-1 2006-02-27

## pound: HTTP Request Smuggling Attack

Package(s):pound CVE #(s):CVE-2005-3751
Created:January 10, 2006 Updated:June 8, 2006
Description: HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches.
 Gentoo 200606-05 2006-06-07 Debian DSA-934-1 2006-01-09

## pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
 Debian DSA-1021-1 2006-03-28 Debian DSA-792-1 2005-08-31 Red Hat RHSA-2005:743-01 2005-08-22 Fedora FEDORA-2005-728 2005-08-17 Fedora FEDORA-2005-727 2005-08-17 Ubuntu USN-164-1 2005-08-11 Mandriva MDKSA-2005:133 2005-08-09 Gentoo 200508-04 2005-08-05 Gentoo 200507-29 2005-07-31

## Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
 Gentoo 200509-09:02 2005-09-17 Debian DSA-856-1 2005-10-10 Gentoo 200509-09 2005-09-17

## scorched3d: multiple vulnerabilities

Package(s):scorched3d CVE #(s):
Created:November 15, 2005 Updated:August 11, 2006
Description: Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user.
 Gentoo 200511-12:03 2005-11-15 Gentoo 200511-12 2005-11-15

## spamassassin: denial of service

Package(s):spamassassin CVE #(s):CVE-2005-3351
Created:November 9, 2005 Updated:March 7, 2006
Description: Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field.
 Red Hat RHSA-2006:0129-01 2006-03-07 Mandriva MDKSA-2005:221 2005-12-02 Fedora FEDORA-2005-1066 2005-11-09 Fedora FEDORA-2005-1065 2005-11-09

## squid: authentication handling

Package(s):squid CVE #(s):CAN-2005-2917
Created:September 30, 2005 Updated:March 15, 2006
Description: Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart.
 Red Hat RHSA-2006:0045-01 2006-03-15 Red Hat RHSA-2006:0052-01 2006-03-07 Fedora-Legacy FLSA:152809 2006-02-18 Mandriva MDKSA-2005:181 2005-10-11 Ubuntu USN-192-1 2005-09-30 Debian DSA-828-1 2005-09-30

## squirrelmail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
Created:February 28, 2006 Updated:June 8, 2006
Description: Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377)

 Fedora-Legacy FLSA:190884 2006-06-06 Red Hat RHSA-2006:0283-01 2006-05-03 Gentoo 200603-09 2006-03-12 Debian DSA-988-1 2006-03-08 Fedora FEDORA-2006-133 2006-03-03 Mandriva MDKSA-2006:049 2006-02-27

## struts: cross-site scripting vulnerability

Package(s):struts CVE #(s):CVE-2005-3745
Created:January 12, 2006 Updated:March 8, 2006
Description: The Struts error display system has a cross-site scripting vulnerability. An attacker may be able to maliciously craft a URL that can trick a user into thinking they are looking at a trusted site when they are not.
 Red Hat RHSA-2006:0161-01 2006-03-07 Red Hat RHSA-2006:0157-01 2006-01-11

## sudo: vulnerability via scripts

Package(s):sudo CVE #(s):CAN-2005-4158 CVE-2006-0151
Created:December 16, 2005 Updated:September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
 Mandriva MDKSA-2006:159 2006-08-31 Debian DSA-946-2 2006-04-08 Slackware SSA:2006-045-08 2006-02-15 SuSE SUSE-SR:2006:002 2006-01-20 Debian DSA-946-1 2006-01-20 Ubuntu USN-235-2 2006-01-09 Ubuntu USN-235-1 2006-01-05 Mandriva MDKSA-2005:234 2005-12-20 Fedora FEDORA-2005-1147 2005-12-16

## tar: buffer overflow

Package(s):tar CVE #(s):CVE-2006-0300
Created:February 22, 2006 Updated:April 10, 2006
Description: A buffer overflow (exploitable via a carefully-crafted archive file) has been discovered in GNU tar, versions 1.14 and above.
 Fedora-Legacy FLSA:183571-2 2006-04-04 Gentoo 200603-06 2006-03-10 Debian DSA-987-1 2006-03-07 OpenPKG OpenPKG-SA-2006.006 2006-03-05 Red Hat RHSA-2006:0232-01 2006-03-01 Trustix TSLSA-2006-0010 2006-02-24 Ubuntu USN-257-1 2006-02-23 Mandriva MDKSA-2006:046 2006-02-21

## File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
 Fedora-Legacy FLSA:183571-1 2006-04-04 Red Hat RHSA-2006:0195-01 2006-02-21 Conectiva CLA-2002:538 2002-10-29 Mandrake MDKSA-2002:066 2002-10-10 Mandrake MDKSA-2002:065 2002-10-10 EnGarde ESA-20021003-022 2002-10-03 Gentoo unzip-20021001 2002-10-01 Gentoo tar-20021001 2002-10-01 Red Hat RHSA-2002:096-24 2002-09-18

## tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

 Fedora-Legacy FLSA:156139 2006-04-04 Debian DSA-850-1 2005-10-09 Mandriva MDKSA-2005:087 2005-05-11 Red Hat RHSA-2005:417-02 2005-05-11 Red Hat RHSA-2005:421-02 2005-05-11 Gentoo 200505-06 2005-05-09 Ubuntu USN-119-1 2005-05-06 Fedora FEDORA-2005-351 2005-05-02

## tetex: integer overflows

Package(s):tetex CVE #(s):CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
Created:January 19, 2006 Updated:May 23, 2006
Description: The teTeX PDF parsing library has an integer overflow vulnerability. A carefully crafted PDF file can be used by an attacker to crash teTeX and possibly execute arbitrary code.
 Slackware SSA:2006-142-01 2006-05-23 Fedora-Legacy FLSA:152868 2006-05-12 Gentoo 200603-02 2006-03-04 Red Hat RHSA-2006:0160-01 2006-01-19

## texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
 Ubuntu USN-194-2 2006-01-09 Fedora FEDORA-2005-991 2005-10-14 Fedora FEDORA-2005-990 2005-10-14 Mandriva MDKSA-2005:175 2005-10-06 Ubuntu USN-194-1 2005-10-06 Gentoo 200510-04 2005-10-05

## tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
 Gentoo 200611-18 2006-11-24 OpenPKG OpenPKG-SA-2006.005 2006-02-19

## unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
 Red Hat RHSA-2007:0203-02 2007-05-01 Fedora-Legacy FLSA:180159 2006-04-04 Debian DSA-1012-1 2006-03-21 Mandriva MDKSA-2006:050 2006-02-27 Ubuntu USN-248-2 2006-02-15 Ubuntu USN-248-1 2006-02-13 Fedora FEDORA-2006-098 2006-02-06

## up-imapproxy: format string vulnerabilities

Package(s):up-imapproxy CVE #(s):CAN-2005-2661
Created:October 10, 2005 Updated:March 7, 2006
Description: up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code.
 Gentoo 200603-04 2006-03-06 Debian DSA-852-1 2005-10-09

## uw-imap: buffer overflow

Package(s):uw-imap CVE #(s):CAN-2005-2933
Created:October 11, 2005 Updated:April 10, 2006
Description: "infamous41md" discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.
 Fedora-Legacy FLSA:184098 2006-04-04 Fedora-Legacy FLSA:170411 2006-04-04 Fedora FEDORA-2005-1112 2005-12-08 Fedora FEDORA-2005-1115 2005-12-08 Red Hat RHSA-2005:850-01 2005-12-06 Red Hat RHSA-2005:848-01 2005-12-06 Mandriva MDKSA-2005:194 2005-10-26 Trustix TSLSA-2005-0055 2005-10-07 Mandriva MDKSA-2005:189 2005-10-20 SuSE SUSE-SR:2005:023 2005-10-14 Gentoo 200510-10 2005-10-11 Debian DSA-861-1 2005-10-11

## vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
 Red Hat RHSA-2006:0117-01 2006-03-15 Red Hat RHSA-2005:361-01 2005-10-05 Fedora FEDORA-2005-320 2005-04-15

## w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: xtensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c
 Red Hat RHSA-2007:0208-02 2007-05-01 Ubuntu USN-220-1 2005-12-01 Mandriva MDKSA-2005:210 2005-11-09 Fedora FEDORA-2005-953 2005-10-07 Fedora FEDORA-2005-952 2005-10-07

## xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
 Fedora-Legacy FLSA:152873 2006-04-04 Debian DSA-657-1 2005-01-25 Mandrake MDKSA-2004:105 2004-10-06 Slackware SSA:2004-266-04 2004-09-22 Gentoo 200409-30 2004-09-22

## xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
 Gentoo 200404-20 2004-04-27 Slackware SSA:2004-111-01 2004-04-20 Mandrake MDKSA-2004:033 2004-04-19 Debian DSA-477-1 2004-04-06

Created:October 10, 2005 Updated:May 15, 2006
Description: Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
 Fedora-Legacy FLSA:152923 2006-05-12 Gentoo 200510-26 2005-10-30 Mandriva MDKSA-2005:192 2005-10-20 Red Hat RHSA-2005:802-01 2005-10-18 Debian DSA-859-1 2005-10-10 Debian DSA-858-1 2005-10-10 Fedora FEDORA-2005-981 2005-10-10

## xorg-x11: heap overflow

Package(s):xorg-x11 CVE #(s):CAN-2005-2495
Created:September 12, 2005 Updated:March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow, a local user can use this to execute arbitrary code with elevated privileges.
 Fedora-Legacy FLSA:168264-2 2006-03-07 Slackware SSA:2005-269-02 2005-09-26 SuSE SUSE-SA:2005:056 2005-09-26 Debian DSA-816-1 2005-09-19 Fedora FEDORA-2005-894 2005-09-16 Fedora FEDORA-2005-893 2005-09-16 Trustix TSLSA-2005-0049 2005-09-16 Red Hat RHSA-2005:501-01 2005-09-15 Mandriva MDKSA-2005:164 2005-09-13 Red Hat RHSA-2005:396-01 2005-09-13 Red Hat RHSA-2005:329-01 2005-09-12 Ubuntu USN-182-1 2005-09-12 Gentoo 200509-07 2005-09-12

## xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
 Fedora FEDORA-2007-1219 2007-03-14 Gentoo 200506-06 2005-06-09 Red Hat RHSA-2005:026-01 2005-03-16 Red Hat RHSA-2005:066-01 2005-02-15 Red Hat RHSA-2005:057-01 2005-02-15 Red Hat RHSA-2005:053-01 2005-02-15 Red Hat RHSA-2005:034-01 2005-02-15 Fedora-Legacy FLSA:2353 2005-02-10 Fedora-Legacy FLSA:2352 2005-02-10 Gentoo 200502-10 2005-02-09 Red Hat RHSA-2005:049-01 2005-02-01 SuSE SUSE-SR:2005:002 2005-01-26 Red Hat RHSA-2005:059-01 2005-01-26 Mandrake MDKSA-2005:020 2005-01-25 Mandrake MDKSA-2005:019 2005-01-25 Mandrake MDKSA-2005:016 2005-01-25 Mandrake MDKSA-2005:021 2005-01-25 Mandrake MDKSA-2005:018 2005-01-25 Mandrake MDKSA-2005:017 2005-01-25 Fedora FEDORA-2005-061 2005-01-25 Fedora FEDORA-2005-062 2005-01-25 Fedora FEDORA-2005-059 2005-01-25 Fedora FEDORA-2005-060 2005-01-25 Conectiva CLA-2005:921 2005-01-25 Fedora FEDORA-2004-049 2005-01-24 Fedora FEDORA-2004-048 2005-01-24 Gentoo 200501-32 2005-01-23 Gentoo 200501-31 2005-01-23 Gentoo 200501-30 2005-01-22 Gentoo 200501-28 2005-01-21 Fedora FEDORA-2005-052 2005-01-20 Fedora FEDORA-2005-051 2005-01-20 Ubuntu USN-64-1 2005-01-19 Debian DSA-645-1 2005-01-19 Debian DSA-648-1 2005-01-19

## xpdf: potential vulnerabilities

Package(s):xpdf gpdf CVE #(s):CVE-2006-1244
Created:February 27, 2006 Updated:April 13, 2006
Description: Derek Noonburg has fixed several potential vulnerabilities in xpdf, which are also present in gpdf, the Portable Document Format (PDF) viewer with Gtk bindings.
 Ubuntu USN-270-1 2006-04-13 Debian DSA-1019-1 2006-03-24 Debian DSA-998-1 2006-03-14 Debian DSA-984-1 2006-03-02 Debian DSA-983-1 2006-02-28 Debian DSA-982-1 2006-02-27

## xpdf: heap overflows

Package(s):xpdf gpdf kpdf poppler CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 11, 2006 Updated:March 10, 2006
Description: Xpdf, the associated poppler library, and other applications using that library are susceptible to a new set of buffer overflows discovered by Chris Evans and infamous41md. These overflows could be exploited, via a malicious PDF file, to execute arbitrary code on the target system.
 Fedora-Legacy FLSA:176751 2006-03-07 Mandriva MDKSA-2006:030 2006-02-02 Debian DSA-962-1 2006-02-01 Debian DSA-961-1 2006-02-01 Gentoo 200601-17 2006-01-30 Debian-Testing DTSA-28-1 2005-01-25 Debian DSA-950-1 2006-01-23 Trustix TSLSA-2006-0002 2006-01-13 Debian DSA-940-1 2006-01-13 Mandriva MDKSA-2006:012 2006-01-12 Fedora FEDORA-2005-028 2006-01-12 Fedora FEDORA-2005-029 2006-01-12 Debian DSA-938-1 2006-01-12 Debian DSA-937-1 2006-01-12 SuSE SUSE-SA:2006:001 2006-01-11 Red Hat RHSA-2006:0177-01 2006-01-11 Red Hat RHSA-2006:0163-01 2006-01-11 Mandriva MDKSA-2006:011 2006-01-10 Mandriva MDKSA-2006:010 2006-01-10 Debian DSA-936-1 2006-01-11

## xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf in that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
 Debian DSA-1136-1 2006-08-02 Mandriva MDKSA-2005:138-1 2005-09-19 Debian DSA-780-1 2005-08-22 SuSE SUSE-SR:2005:019 2005-08-19 Fedora FEDORA-2005-732 2005-08-17 Fedora FEDORA-2005-733 2005-08-17 Gentoo 200508-08 2005-08-16 Fedora FEDORA-2005-730 2005-08-15 Fedora FEDORA-2005-729 2005-08-15 Mandriva MDKSA-2005:136 2005-08-11 Mandriva MDKSA-2005:135 2005-08-11 Mandriva MDKSA-2005:134 2005-08-11 Mandriva MDKSA-2005:138 2005-08-11 Red Hat RHSA-2005:708-01 2005-08-10 Red Hat RHSA-2005:706-01 2005-08-09 Red Hat RHSA-2005:671-01 2005-08-09 Red Hat RHSA-2005:670-01 2005-08-09 Ubuntu USN-163-1 2005-08-09

## xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
 Fedora FEDORA-2006-1220 2006-11-30 Debian DSA-932-1 2006-01-09 Debian DSA-931-1 2006-01-09 Ubuntu USN-236-2 2006-01-09 Mandriva MDKSA-2006:008 2006-01-06 Mandriva MDKSA-2006:006 2006-01-05 Mandriva MDKSA-2006:005 2006-01-05 Mandriva MDKSA-2006:004 2006-01-05 Mandriva MDKSA-2006:003 2006-01-05 Ubuntu USN-236-1 2006-01-05

## zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-1849
Created:July 21, 2005 Updated:April 11, 2006
Description: zlib has a vulnerability that can cause code that executes it to crash if a corrupted file is opened.