LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
GPG signature verification trouble
Keeping secrets is only one of the applications of encryption technology. Another useful thing that can be done with cryptographic algorithms is signing of documents. Once something has been signed with an appropriate private key, anybody with access to the corresponding public key can confirm that (1) the document originated with the holder of the private key, and (2) that document has not been modified by anybody since it was signed. Thus, public-key signatures can add a level of assurance to ordinary communications; it can also play a crucial part in the creation of legally binding communications or contracts.All of this depends on the signature mechanism working as advertised, however. So a couple of recently discovered bugs in GnuPG are a little disconcerting.
The first problem was discovered by the Gentoo project in February. The GnuPG tools which perform signature verification did not always set their exit code properly. So any program which used GnuPG to automatically verify signatures, and which relied solely on the exit code (which is not the recommended mode of operation, but which should work) could accept a signature which failed to verify. Thus, for example, a script which automatically downloads and installs package updates could be fooled into installing a third-party package. This problem was fixed in GnuPG version 1.4.2.1.
As part of its response to this bug, the GnuPG developers took a closer look at the signature verification code. There, they found a rather more serious vulnerability: GnuPG can fail to detect injected data. In particular, when attached signatures are being used, arbitrary data can be added to the beginning or the end of the text, and GnuPG will fail to detect the change. This problem is fixed in version 1.4.2.2; all prior versions are vulnerable.
The fact that this vulnerability was able to persist for so long is a bit discouraging. Code like GnuPG is (one hopes!) subject to a relatively high degree of review. The developers want to be sure that the system they ship is secure, and outside researchers have plenty of reasons for wanting to find holes. But, despite this review, a fairly large hole remained in the code for years. The sad fact is that, while code review can help to find problems, it is not enough.
New vulnerabilities
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 | CVE #(s): | CVE-2006-0042 | |||||||||
| Created: | March 14, 2006 | Updated: | April 18, 2006 | |||||||||
| Description: | An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2 which can be exploited remotely and cause a denial of service via CPU consumption. | |||||||||||
| Alerts: |
| |||||||||||
crossfire: arbitrary code execution
| Package(s): | crossfire | CVE #(s): | CVE-2006-1010 | ||||||
| Created: | March 14, 2006 | Updated: | April 24, 2006 | ||||||
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
cube: multiple vulnerabilities
| Package(s): | cube | CVE #(s): | CVE-2006-1100 CVE-2006-1101 CVE-2006-1102 | |||
| Created: | March 13, 2006 | Updated: | March 14, 2006 | |||
| Description: | Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in the sgetstr() function (CVE-2006-1100) and that the sgetstr() and getint() functions fail to verify the length of the supplied argument, possibly leading to the access of invalid memory regions (CVE-2006-1101). Furthermore, he discovered that a client crashes when asked to load specially crafted mapnames (CVE-2006-1102). | |||||
| Alerts: |
| |||||
gnupg: incorrect signature verification
| Package(s): | gnupg | CVE #(s): | CVE-2006-0049 | ||||||||||||||||||||||||||||||
| Created: | March 13, 2006 | Updated: | May 15, 2006 | ||||||||||||||||||||||||||||||
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
kpdf: insufficient patching
| Package(s): | kpdf kdegraphics | CVE #(s): | CVE-2006-0746 | |||||||||
| Created: | March 14, 2006 | Updated: | March 17, 2006 | |||||||||
| Description: | Certain patches for kpdf do not include all relevant patches from xpdf that were associated with CVE-2005-3627. See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
libcrypt-cbc-perl: programming error
| Package(s): | libcrypt-cbc-perl | CVE #(s): | CVE-2006-0898 | ||||||
| Created: | March 13, 2006 | Updated: | March 17, 2006 | ||||||
| Description: | Lincoln Stein discovered that the Perl Crypt::CBC module produces weak ciphertext when used with block encryption algorithms with blocksize > 8 bytes. | ||||||||
| Alerts: |
| ||||||||
lurker: several vulnerabilities
| Package(s): | lurker | CVE #(s): | CVE-2006-1062 CVE-2006-1063 CVE-2006-1064 | |||
| Created: | March 14, 2006 | Updated: | March 14, 2006 | |||
| Description: | Several security related problems have been discovered in lurker, an
archive tool for mailing lists with integrated search engine.
| |||||
| Alerts: |
| |||||
Ubuntu installer: plain text passwords in log file
| Package(s): | base-config passwd | CVE #(s): | ||||
| Created: | March 13, 2006 | Updated: | March 14, 2006 | |||
| Description: | Karl Øie discovered that the Ubuntu 5.10 installer failed to clean passwords in the installer log files. Since these files were world-readable, any local user could see the password of the first user account, which has full sudo privileges by default. | |||||
| Alerts: |
| |||||
webcalendar: multiple vulnerabilities
| Package(s): | webcalendar | CVE #(s): | CVE-2005-3949 CVE-2005-3961 CVE-2005-3982 | |||
| Created: | March 15, 2006 | Updated: | May 15, 2006 | |||
| Description: | The PHP-based webcalendar package suffers from three vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input sanitizing failure allowing local files to be overwritten (CVE-2005-3961), and a response splitting vulnerability (CVE-2005-3982). | |||||
| Alerts: |
| |||||
zoph: SQL injection vulnerability
| Package(s): | zoph | CVE #(s): | CVE-2006-0402 | |||
| Created: | March 9, 2006 | Updated: | March 14, 2006 | |||
| Description: | The Zoph web-based photo management system has an SQL injection vulnerability. Insufficient input sanitization in the photo searching code can be used by an attacker for an SQL injection attack. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
ADOdb: PostgresSQL command injection
| Package(s): | adodb | CVE #(s): | CVE-2006-0410 | |||||||||||||||
| Created: | February 6, 2006 | Updated: | April 17, 2006 | |||||||||||||||
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2005-3352 | |||||||||||||||||||||||||||||||||
| Created: | December 14, 2005 | Updated: | May 10, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
blender: integer overflow
| Package(s): | blender | CVE #(s): | CVE-2005-4470 | |||||||||||||||
| Created: | January 6, 2006 | Updated: | June 15, 2006 | |||||||||||||||
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
bluez-hcidump: buffer overflow
| Package(s): | bluez-hcidump | CVE #(s): | CVE-2006-0670 | |||||||||
| Created: | February 17, 2006 | Updated: | March 10, 2006 | |||||||||
| Description: | A buffer overflow in l2cap.c in hcidump allows remote attackers to cause a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. | |||||||||||
| Alerts: |
| |||||||||||
bmv: integer overflow
| Package(s): | bmv | CVE #(s): | CVE-2005-3278 | |||
| Created: | March 2, 2006 | Updated: | March 8, 2006 | |||
| Description: | The bmv PostScript viewer has an integer overflow vulnerability. If a specially crafted PostScript file is read by bmv, it may be possible to execute arbitrary code. | |||||
| Alerts: |
| |||||
BomberClone: remote execution of arbitrary code
| Package(s): | bomberclone | CVE #(s): | CVE-2006-0460 | ||||||
| Created: | February 17, 2006 | Updated: | March 14, 2006 | ||||||
| Description: | Stefan Cornelius of the Gentoo Security team discovered multiple missing buffer checks in BomberClone's code. By sending overly long error messages to the game via network, a remote attacker may exploit buffer overflows to execute arbitrary code with the rights of the user running BomberClone. | ||||||||
| Alerts: |
| ||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
curl: buffer overflow
| Package(s): | curl | CVE #(s): | CVE-2005-4077 | |||||||||||||||||||||||||||||||||||||||
| Created: | December 8, 2005 | Updated: | March 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 | ||||||||||||||||||
| Created: | October 4, 2005 | Updated: | April 6, 2006 | ||||||||||||||||||
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | |||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | |||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
fetchmail: multidrop bug
| Package(s): | fetchmail | CVE #(s): | CVE-2005-4348 | ||||||||||||||||||||||||
| Created: | December 20, 2005 | Updated: | May 27, 2006 | ||||||||||||||||||||||||
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ffmpeg: buffer overflow
| Package(s): | ffmpeg | CVE #(s): | CVE-2005-4048 | |||||||||||||||||||||||||||||||||||||||
| Created: | December 15, 2005 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
flex: buffer overflow
| Package(s): | flex | CVE #(s): | CVE-2006-0459 | |||||||||
| Created: | March 7, 2006 | Updated: | March 28, 2006 | |||||||||
| Description: | Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. | |||||||||||
| Alerts: |
| |||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
freeciv: denial of service
| Package(s): | freeciv | CVE #(s): | CVE-2006-0047 | |||||||||
| Created: | March 8, 2006 | Updated: | March 16, 2006 | |||||||||
| Description: | The freeciv "civserver" application is susceptible to a denial of service vulnerability. | |||||||||||
| Alerts: |
| |||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CVE-2005-3186 CVE-2005-2976 CVE-2005-2975 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | November 15, 2005 | Updated: | March 20, 2006 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
gnupg: false positive signature verification
| Package(s): | gnupg | CVE #(s): | CVE-2006-0455 | |||||||||||||||||||||||||||||||||
| Created: | February 17, 2006 | Updated: | March 10, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP replacement, verifies external signatures of files successfully even though they don't contain a signature at all. See this update from the gnuPG team for more information. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
heimdal: privilege escalation
| Package(s): | heimdal | CVE #(s): | CVE-2006-0582 | |||||||||
| Created: | February 13, 2006 | Updated: | March 17, 2006 | |||||||||
| Description: | A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them. | |||||||||||
| Alerts: |
| |||||||||||
imagemagick: arbitrary command execution
| Package(s): | imagemagick | CVE #(s): | CVE-2005-4601 CVE-2006-0082 | |||||||||||||||||||||||||||
| Created: | January 24, 2006 | Updated: | March 24, 2006 | |||||||||||||||||||||||||||
| Description: | Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
initscripts: privilege escalation
| Package(s): | initscripts | CVE #(s): | CVE-2005-3629 | ||||||
| Created: | March 7, 2006 | Updated: | March 15, 2006 | ||||||
| Description: | A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user. | ||||||||
| Alerts: |
| ||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2005-3732 | |||||||||||||||||||||
| Created: | December 1, 2005 | Updated: | June 8, 2006 | |||||||||||||||||||||
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
irssi-text: denial of service
| Package(s): | irssi-text | CVE #(s): | CVE-2006-0458 | |||
| Created: | March 2, 2006 | Updated: | March 8, 2006 | |||
| Description: | irssi-text has a remote denial of service vulnerability that is caused by incomplete verification of arguments by the DCC ACCEPT command handler. A remote attacker can crash irssi and cause a denial of service. | |||||
| Alerts: |
| |||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs: heap overflow
| Package(s): | kdelibs | CVE #(s): | CVE-2006-0019 | |||||||||||||||||||||||||||
| Created: | January 19, 2006 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||
| Description: | Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | November 22, 2005 | Updated: | March 15, 2006 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973) Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055) Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180) A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271) Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272) David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273) Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274) Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275) Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276) | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2006-0741 CVE-2006-0555 | ||||||||||||
| Created: | March 2, 2006 | Updated: | March 23, 2006 | ||||||||||||
| Description: | The Linux kernel has multiple vulnerabilities including a sanity check problem with sys_mbind that can lead to a local denial of service, an ELF vulnerability that can crash Intel EM64T systems and an NFS client panic problem that can be triggered by direct I/O from a local user. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808 | ||||||||||||||||||||||||||||||||||||
| Created: | January 20, 2006 | Updated: | April 18, 2006 | ||||||||||||||||||||||||||||||||||||
| Description: | Here's another set of vulnerabilities in the Linux kernel:
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
xpdf heap based buffer overflow
| Package(s): | kpdf xpdf kdegraphics poppler | CVE #(s): | CVE-2006-0301 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 3, 2006 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Another heap based buffer overflow has been found in xpdf and other programs that share the same code. This one is in Splash.cc and it can cause crashes and possibly arbitrary code execution. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libXpm: new buffer overflows
| Package(s): | libXpm | CVE #(s): | CAN-2005-0605 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2005 | Updated: | March 8, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): |