|
|
| |
|
| |
Security
Red Hat Magazine is carrying an
article by Mark J. Cox looking at the security record of the Red Hat
Enterprise Linux 4 release in its first year. It certainly will be
interesting reading for RHEL users, who can get a sense for how Red Hat
views the security performance of its flagship distribution. One need not
be an RHEL customer, however, to find items of interest in this report.
RHEL 4 marks the beginning of Red Hat's classification scheme for
vulnerabilities. Severity classifications are an acknowledgment of an
important aspect of Linux security: large numbers of advisories and updates
are issued, but very few of the problems being fixed constitute real
threats for most users. Every temporary file vulnerability should be
fixed, for example, but it is a rare system which is compromised by way of
a temporary file exploit. Red Hat's classifications can help to focus
administrators' minds on the important problems. Perhaps more importantly,
the classifications should help "analysts" and other commenters to look
beyond the sheer volume of advisories and look at the ones which really
matter.
Red Hat defines a "critical" vulnerability in this way:
By definition a critical vulnerability is one that could
potentially be exploited remotely and automatically by a worm. We
stretch the definition to also include those flaws that affect web
browsers or plug-ins where a user only needs to visit a malicious
web site in order to be exploited.
By this definition, there were 19 critical vulnerabilities disclosed for
RHEL 4 in its first year. The list of involved packages is
interesting: HelixPlayer, mozilla, firefox, kdelibs, lynx, gaim, kopete,
thunderbird, and mod_auth_pgsql. All but one of the critical
vulnerabilities, in other words, were in complex, graphical clients (though
classifying lynx as such is a bit of a stretch). As a result of this
distribution, a default RHEL server installation suffered from zero
critical vulnerabilities in it first year. Workstation installations,
instead, had a fair number.
Red Hat claims to have issued updates for all critical vulnerabilities
within two days of their public disclosure.
The report also looks at exploits - the company is aware of 28
publicly-circulating exploits for software shipped in RHEL 4. It is
claimed that the security technologies packaged with RHEL 4, including
the "Exec-Shield" stack protection and address randomization techniques,
impede or block about half of those. The "Lupper" worm could get past
those barriers, but would be unable to execute its payload as a result of
the SELinux policies in effect. The report does acknowledge, however, that
a modified version of the worm would have been able to circumvent SELinux.
Anybody wanting to poke holes in this report could certainly do so. Not
everybody will agree with how Red Hat classifies all of its
vulnerabilities. It would be nice if that classification - or the entire
report - could be done by an impartial outside party. One might also note
that the response time for older RHEL versions can be longer; consider a
recent cron vulnerability which was fixed for RHEL 4 last
October, but the RHEL 3
update only arrived last week. Since part of RHEL's claim to value is
its long-term support, the idea that updates will be slower in coming as
the distribution ages is a little disconcerting. (In fairness: the gap is
much smaller for more important problems: the patches for the recent firefox vulnerability for
RHEL 2, 3, and 4 all came out on the same day).
The important thing, however, is that this report got written and published
at all. While most distributors make a strong effort on security, few of
them take the time to look at their record and tell the world about it.
Full disclosure does not stop with individual vulnerabilities; Linux users
benefit from a view of the larger picture as well. Red Hat is to be
commended for putting this information together; hopefully other
distributors will follow suit.
Comments (2 posted)
Brief items
Sun has announced the release of the first set of specifications for its "open source DRM" effort. It is an exercise in Orwellian naming: we have "Project DReaM" for "DRM/everywhere available," a system called "Mother May I," and the whole thing is found at OpenMediaCommons.org. Nonetheless, they got Lawrence Lessig to add a favorable statement. Code for a prototype "conditional access system" implementation has been posted.
Comments (29 posted)
It's been a while since we had a good sendmail vulnerability...but we need
wait no longer. Sendmail 8.13.6 has just
been released in response to a security issue which could lead to a remote
root exploit. This looks like a good one to fix in a hurry. Distributor
updates have been seen so far from:
Comments (22 posted)
It would appear that one of the bugs found in the recent Coverity scan was
a local root exploit in the X.org server
(version 1.0.0 and later). The X11R6.9.0 and X11R7.0 releases are also
vulnerable, though older releases are not. A 1.0.2 release has been made available with the
fix; expect updates from distributors in the near future as well.
Comments (15 posted)
New vulnerabilities
beagle: untrusted search path vulnerability
| Package(s): | beagle |
CVE #(s): | CVE-2006-1296
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local
users to gain privileges via a malicious beagle-info program in the current
working directory, or possibly directories specified in the PATH. |
| Alerts: |
|
Comments (none posted)
cairo: denial of service
| Package(s): | cairo |
CVE #(s): | CVE-2006-0528
|
| Created: | March 21, 2006 |
Updated: | March 31, 2006 |
| Description: |
The cairo library (libcairo), as used in GNOME Evolution and possibly other
products, allows remote attackers to cause a denial of service (persistent
client crash) via an attached text file that contains "Content-Disposition:
inline" in the header, and a very long line in the body, which causes the
client to repeatedly crash until the e-mail message is manually removed,
possibly due to a buffer overflow, as demonstrated using an XML
attachment. |
| Alerts: |
|
Comments (none posted)
crossfire: buffer overflow
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1236
|
| Created: | March 20, 2006 |
Updated: | March 22, 2006 |
| Description: |
A buffer overflow has been discovered in the crossfire game which allows
remote attackers to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2006-1061
|
| Created: | March 21, 2006 |
Updated: | June 28, 2006 |
| Description: |
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path. |
| Alerts: |
|
Comments (none posted)
drupal: multiple vulnerabilities
| Package(s): | drupal |
CVE #(s): | CVE-2006-1225
CVE-2006-1226
CVE-2006-1227
CVE-2006-1228
|
| Created: | March 17, 2006 |
Updated: | March 22, 2006 |
| Description: |
The Drupal Security Team discovered several vulnerabilities in Drupal,
a fully-featured content management and discussion engine.
- Due to missing input sanitizing a remote attacker could inject headers
of outgoing e-mail messages and use Drupal as a spam proxy. (CVE-2006-1225)
- Missing input sanity checks allows attackers to inject arbitrary web
script or HTML. (CVE-2006-1226)
- Menu items created with the menu.module lacked access control, which
might allow remote attackers to access administrator pages. (CVE-2006-1227)
- Markus Petrux discovered a bug in the session fixation which may allow
remote attackers to gain Drupal user privileges. (CVE-2006-1228)
|
| Alerts: |
|
Comments (none posted)
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
CVE #(s): | CVE-2006-0024
|
| Created: | March 16, 2006 |
Updated: | March 22, 2006 |
| Description: |
The Macromedia Flash Player plugin has an arbitrary code execution
vulnerability that may be triggered by opening a
maliciously created Macromedia Flash file. |
| Alerts: |
|
Comments (none posted)
ilohamail: missing input sanitizing
| Package(s): | ilohamail |
CVE #(s): | CVE-2005-1120
|
| Created: | March 20, 2006 |
Updated: | March 22, 2006 |
| Description: |
Ulf Härnhammar from the Debian Security Audit Project discovered that
ilohamail, a lightweight multilingual web-based IMAP/POP3 client, does not
always sanitize input provided by users which allows remote attackers to
inject arbitrary web script or HTML. |
| Alerts: |
|
Comments (none posted)
kernel-patch-vserver: missing attribute support
| Package(s): | kernel-patch-vserver util-vserver |
CVE #(s): | CVE-2005-4347
CVE-2005-4418
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Several vulnerabilities have been discovered in the Debian vserver support
for Linux. Bjørn Steinbrink discovered that the chroot barrier is not set
correctly with util-vserver which may result in unauthorized escapes from a
vserver to the host system. (CVE-2005-4347) The default policy of
util-vserver is set to trust all unknown capabilities instead of
considering them as insecure. (CVE-2005-4418) |
| Alerts: |
|
Comments (none posted)
PEAR-Auth: potential authentication bypass
| Package(s): | pear-auth |
CVE #(s): | CVE-2006-0868
|
| Created: | March 17, 2006 |
Updated: | March 22, 2006 |
| Description: |
PEAR-Auth, versions 1.2.4 and before, did not correctly validate data
passed to the DB and LDAP containers. A remote attacker could possibly
exploit this vulnerability to bypass the authentication mechanism by
injecting specially crafted input to the underlying storage containers. |
| Alerts: |
|
Comments (none posted)
PeerCast: buffer overflow
| Package(s): | peercast |
CVE #(s): | CVE-2006-1148
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Multiple stack-based buffer overflows in the procConnectArgs function in
servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute
arbitrary code via an HTTP GET request with a long (1) parameter name or
(2) value in a URL, which triggers the overflow in the nextCGIarg function
in servhs.cpp. |
| Alerts: |
|
Comments (none posted)
sendmail: remotely exploitable race condition
| Package(s): | sendmail |
CVE #(s): | CVE-2006-0058
|
| Created: | March 22, 2006 |
Updated: | March 24, 2006 |
| Description: |
Sendmail suffers from a race condition which may be exploitable by a remote attacker to run arbitrary code as root. Sendmail 8.13.6 contains a fix for the problem. See this CERT advisory for (a little) more information. |
| Alerts: |
|
Comments (none posted)
snmptrapfmt: temporary file vulnerability
| Package(s): | snmptrapfmt |
CVE #(s): | CVE-2006-0050
|
| Created: | March 22, 2006 |
Updated: | March 22, 2006 |
| Description: |
The snmptrapfmt utility contains a temporary file vulnerability which could be exploited by a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
wzdftpd: missing input sanitizing
| Package(s): | wzdftpd |
CVE #(s): | CVE-2005-3081
|
| Created: | March 17, 2006 |
Updated: | March 22, 2006 |
| Description: |
"kcope" discovered that the wzdftpd FTP server lacks input sanitizing
for the SITE command, which may lead to the execution of arbitrary
shell commands. |
| Alerts: |
|
Comments (none posted)
xorg-x11-server: privilege escalation
| Package(s): | xorg-x11-server |
CVE #(s): | CVE-2006-0745
|
| Created: | March 20, 2006 |
Updated: | March 22, 2006 |
| Description: |
Coverity scanned the X.Org source code for problems and reported their
findings to the X.Org development team. Upon analysis, Alan Coopersmith, a
member of the X.Org development team, noticed a couple of serious security
issues in the findings. In particular, the Xorg server can be exploited
for root privilege escalation by passing a path to malicious modules using
the -modulepath command line argument. Also, the Xorg server can be
exploited to overwrite any root writable file on the filesystem with the
-logfile command line argument. See this
bulletin for more details. |
| Alerts: |
|
Comments (none posted)
xpvm: insecure temp file
| Package(s): | xpvm |
CVE #(s): | CAN-2005-2240
|
| Created: | March 16, 2006 |
Updated: | March 22, 2006 |
| Description: |
The xpvm graphical console and monitor for PVM
has an insecure temporary file vulnerability. Local attackers
can create or overwrite arbitrary files with the privilege
of the user who is running xpvm. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgresSQL command injection
| Package(s): | adodb |
CVE #(s): | CVE-2006-0410
|
| Created: | February 6, 2006 |
Updated: | April 17, 2006 |
| Description: |
Andy Staudacher discovered that ADOdb does not properly sanitize all
parameters. By sending specifically crafted requests to an application
that uses ADOdb and a PostgreSQL backend, an attacker might exploit the
flaw to execute arbitrary SQL queries on the host. |
| Alerts: |
|
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
Ubuntu installer: plain text passwords in log file
| Package(s): | base-config passwd |
CVE #(s): | |
| Created: | March 13, 2006 |
Updated: | March 15, 2006 |
| Description: |
Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
passwords in the installer log files. Since these files were
world-readable, any local user could see the password of the first
user account, which has full sudo privileges by default. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1010
|
| Created: | March 14, 2006 |
Updated: | April 24, 2006 |
| Description: |
It was discovered that Crossfire, a multiplayer adventure game, performs
insufficient bounds checking on network packets when run in "oldsocketmode",
which may possibly lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
cube: multiple vulnerabilities
| Package(s): | cube |
CVE #(s): | CVE-2006-1100
CVE-2006-1101
CVE-2006-1102
|
| Created: | March 13, 2006 |
Updated: | March 15, 2006 |
| Description: |
Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in
the sgetstr() function (CVE-2006-1100) and that the sgetstr() and
getint() functions fail to verify the length of the supplied argument,
possibly leading to the access of invalid memory regions
(CVE-2006-1101). Furthermore, he discovered that a client crashes when
asked to load specially crafted mapnames (CVE-2006-1102). |
| Alerts: |
|
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2005-4077
|
| Created: | December 8, 2005 |
Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
CVE #(s): | CVE-2005-4048
|
| Created: | December 15, 2005 |
Updated: | March 17, 2006 |
| Description: |
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
flex: buffer overflow
| Package(s): | flex |
CVE #(s): | CVE-2006-0459
|
| Created: | March 7, 2006 |
Updated: | March 28, 2006 |
| Description: |
Chris Moore discovered a buffer overflow in a particular class of
lexicographical scanners generated by flex. This could be exploited to
execute arbitrary code by processing specially crafted user-defined
input to an application that uses a flex scanner for parsing. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
freeciv: denial of service
| Package(s): | freeciv |
CVE #(s): | CVE-2006-0047
|
| Created: | March 8, 2006 |
Updated: | March 16, 2006 |
| Description: |
The freeciv "civserver" application is susceptible to a denial of service vulnerability. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
CVE #(s): | CVE-2006-0049
|
| Created: | March 13, 2006 |
Updated: | May 15, 2006 |
| Description: |
Another vulnerability has been found in
GnuPG. "Signature verification of non-detached signatures may give a
positive result but when extracting the signed data, this data may be
prepended or appended with extra data not covered by the signature. Thus
it is possible for an attacker to take any signed message and inject extra
arbitrary data." |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
heimdal: privilege escalation
| Package(s): | heimdal |
CVE #(s): | CVE-2006-0582
|
| Created: | February 13, 2006 |
Updated: | March 17, 2006 |
| Description: |
A privilege escalation flaw has been found in the heimdal rsh (remote
shell) server. This allowed an authenticated attacker to overwrite
arbitrary files and gain ownership of them. |
| Alerts: |
|
Comments (none posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
CVE #(s): | CVE-2005-4601
CVE-2006-0082
|
| Created: | January 24, 2006 |
Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerability become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e. g. Thunderbird and
Gnus). |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
initscripts: privilege escalation
| Package(s): | initscripts |
CVE #(s): | CVE-2005-3629
|
| Created: | March 7, 2006 |
Updated: | March 15, 2006 |
| Description: |
A bug was found in the way initscripts handled various environment
variables when the /sbin/service command is run. It is possible for a local
user with permissions to execute /sbin/service via sudo to execute
arbitrary commands as the 'root' user. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: heap overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-0019
|
| Created: | January 19, 2006 |
Updated: | March 17, 2006 |
| Description: |
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other kde applications are also subject to this vulnerability. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-2709
CVE-2005-2973
CVE-2005-3055
CVE-2005-3180
CVE-2005-3271
CVE-2005-3272
CVE-2005-3273
CVE-2005-3274
CVE-2005-3275
CVE-2005-3276
|
| Created: | November 22, 2005 |
Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: |
|
Comments (2 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-0741
CVE-2006-0555
|
| Created: | March 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
The Linux kernel has multiple vulnerabilities including
a sanity check problem with sys_mbind that can lead to a local
denial of service, an ELF vulnerability that can crash
Intel EM64T systems and an NFS client panic problem that
can be triggered by direct I/O from a local user. |
| Alerts: |
|
Comments (none posted)
kernel multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3527
CVE-2005-3783
CVE-2005-3784
CVE-2005-3805
CVE-2005-3806
CVE-2005-3808
|
| Created: | January 20, 2006 |
Updated: | April 18, 2006 |
| Description: |
Here's another set of vulnerabilities in the Linux kernel:
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap child process in 2.6 kernels prior to 2.6.15 include
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
|
| Alerts: |
|
Comments (none posted)
kpdf: insufficient patching
| Package(s): | kpdf kdegraphics |
CVE #(s): | CVE-2006-0746
|
| Created: | March 14, 2006 |
Updated: | March 17, 2006 |
| Description: |
Certain patches for kpdf do not include all relevant patches from xpdf that
were associated with CVE-2005-3627.
See this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf heap based buffer overflow
| Package(s): | kpdf xpdf kdegraphics poppler |
CVE #(s): | CVE-2006-0301
|
| Created: | February 3, 2006 |
Updated: | March 17, 2006 |
| Description: |
Another heap based buffer overflow has been
found in xpdf and other programs that share the same code. This one is
in Splash.cc and it can cause crashes and possibly arbitrary code execution. |
| Alerts: |
|
Comments (none posted)
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
CVE #(s): | CVE-2006-0042
|
| Created: | March 14, 2006 |
Updated: | April 18, 2006 |
| Description: |
An algorithm weakness has been discovered in Apache2::Request, the
generic request library for Apache2 which can be exploited remotely
and cause a denial of service via CPU consumption. |
| Alerts: |
|
Comments (5 posted)
libcrypt-cbc-perl: programming error
| Package(s): | libcrypt-cbc-perl |
CVE #(s): | CVE-2006-0898
|
| Created: | March 13, 2006 |
Updated: | March 17, 2006 |
| Description: |
Lincoln Stein discovered that the Perl Crypt::CBC module produces weak
ciphertext when used with block encryption algorithms with blocksize >
8 bytes. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libmail-audit-perl: insecure temporary file creation
| Package(s): | libmail-audit-perl |
CVE #(s): | CVE-2005-4536
|
| Created: | January 31, 2006 |
Updated: | March 20, 2006 |
| Description: |
Niko Tyni discovered that the Mail::Audit module, a Perl library for
creating simple mail filters, logs to a temporary file with a predictable
filename in an insecure fashion when logging is turned on. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libungif: memory corruption
| Package(s): | libungif |
CVE #(s): | CAN-2005-2974
|
| Created: | November 3, 2005 |
Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lurker: several vulnerabilities
| Package(s): | lurker |
CVE #(s): | CVE-2006-1062
CVE-2006-1063
CVE-2006-1064
|
| Created: | March 14, 2006 |
Updated: | March 15, 2006 |
| Description: |
Several security related problems have been discovered in lurker, an
archive tool for mailing lists with integrated search engine.
- Lurker's mechanism for specifying configuration files was vulnerable to
being overridden. As lurker includes sections of unparsed config files in
its output, an attacker could manipulate lurker into reading any file
readable by the www-data user. (CVE-2006-1062)
- It is possible for a remote attacker to create or overwrite files in
any writable directory that is named "mbox". (CVE-2006-1063)
- Missing input sanitizing allows an attacker to inject arbitrary web
script or HTML. (CVE-2006-1064)
|
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
metamail: buffer overflow
| Package(s): | metamail |
CVE #(s): | CVE-2006-0709
|
| Created: | February 21, 2006 |
Updated: | March 17, 2006 |
| Description: |
A buffer overflow bug was found in the way Metamail processes certain mail
messages. An attacker could create a carefully-crafted message such that
when it is opened by a victim and parsed through Metamail, it runs
arbitrary code as the victim. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CVE-2005-4134
CVE-2006-0292
CVE-2006-0296
|
| Created: | February 2, 2006 |
Updated: | May 4, 2006 |
| Description: |
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites, RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack, visiting sites with extra-long titles can cause a
crash or very slow startup the next time the browser is run. |
| Alerts: |
|
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
CVE #(s): | CVE-2006-0884
|
| Created: | March 3, 2006 |
Updated: | May 4, 2006 |
| Description: |
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail. |
| Alerts: |
|
Comments (1 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-0207
CVE-2006-0208
|
| Created: | February 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
PHP has a response splitting vulnerability, remote attackers can inject
arbitrary HTTP headers via an unknown method, possibly using a
Set-Cookie header.
Also, a number of cross-site scripting vulnerabilities can be used by
remote attackers to inject arbitrary web scripts or html pages. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
pound: HTTP Request Smuggling Attack
| Package(s): | pound |
CVE #(s): | CVE-2005-3751
|
| Created: | January 10, 2006 |
Updated: | June 8, 2006 |
| Description: |
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to HTTP Request Smuggling Attack, which can be exploited to
bypass packet filters or poison web caches. |
| Alerts: |
|
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
CVE #(s): | CAN-2005-2875
|
| Created: | September 19, 2005 |
Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: |
|
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
CVE #(s): | |
| Created: | November 15, 2005 |
Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: |
|
Comments (none posted)
squid: authentication handling
| Package(s): | squid |
CVE #(s): | CAN-2005-2917
|
| Created: | September 30, 2005 |
Updated: | March 15, 2006 |
| Description: |
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart. |
| Alerts: |
|
Comments (none posted)
squirrelmail: multiple vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CVE-2006-0188
CVE-2006-0195
CVE-2006-0377
|
| Created: | February 28, 2006 |
Updated: | June 8, 2006 |
| Description: |
Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to
inject arbitrary web pages into the right frame via a URL in the
right_frame parameter. NOTE: this has been called a cross-site scripting
(XSS) issue, but it is different than what is normally identified as
XSS. (CVE-2006-0188)
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to
1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks
via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2)
a newline in a "url" specifier, which is processed by certain web browsers
including Internet Explorer. (CVE-2006-0195)
CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary IMAP commands via newline characters in the
mailbox parameter of the sqimap_mailbox_select command, aka "IMAP
injection." (CVE-2006-0377) |
| Alerts: |
|
Comments (none posted)
sudo: vulnerability via scripts
| Package(s): | sudo |
CVE #(s): | CAN-2005-4158
CVE-2006-0151
|
| Created: | December 16, 2005 |
Updated: | September 1, 2006 |
| Description: |
Perl and Python scripts run via Sudo can be subverted. |
| Alerts: |
|
Comments (none posted)
tar: buffer overflow
| Package(s): | tar |
CVE #(s): | CVE-2006-0300
|
| Created: | February 22, 2006 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow (exploitable via a carefully-crafted archive file) has been discovered in GNU tar, versions 1.14 and above. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
tetex: integer overflows
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
CVE #(s): | CAN-2005-3011
|
| Created: | October 5, 2005 |
Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
tin: buffer overflow
| Package(s): | tin |
CVE #(s): | CVE-2006-0804
|
| Created: | February 19, 2006 |
Updated: | November 24, 2006 |
| Description: |
An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier
which can lead to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
uw-imap: buffer overflow
| Package(s): | uw-imap |
CVE #(s): | CAN-2005-2933
|
| Created: | October 11, 2005 |
Updated: | April 10, 2006 |
| Description: |
"infamous41md" discovered a buffer overflow in uw-imap, the University
of Washington's IMAP Server that allows attackers to execute arbitrary
code. |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another users crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
webcalendar: multiple vulnerabilities
| Package(s): | webcalendar |
CVE #(s): | CVE-2005-3949
CVE-2005-3961
CVE-2005-3982
|
| Created: | March 15, 2006 |
Updated: | May 15, 2006 |
| Description: |
The PHP-based webcalendar package suffers from three vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input sanitizing failure allowing local files to be overwritten (CVE-2005-3961), and a response splitting vulnerability (CVE-2005-3982). |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xloadimage: buffer overflows
| Package(s): | xloadimage |
CVE #(s): | CAN-2005-3178
|
| Created: | October 10, 2005 |
Updated: | May 15, 2006 |
| Description: |
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: potential vulnerabilities
| Package(s): | xpdf gpdf |
CVE #(s): | CVE-2006-1244
|
| Created: | February 27, 2006 |
Updated: | April 13, 2006 |
| Description: |
Derek Noonburg has fixed several potential vulnerabilities in xpdf,
which are also present in gpdf, the Portable Document Format (PDF)
viewer with Gtk bindings. |
| Alerts: |
|
Comments (none posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 5, 2006 |
Updated: | November 30, 2006 |
| Description: |
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: |
|
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-1849
|
| Created: | July 21, 2005 |
Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause code that executes it to crash
if a corrupted file is opened. |
| Alerts: |
|
Comments (none posted)
zoo: stack-based buffer overflow
| Package(s): | zoo |
CVE #(s): | CVE-2006-0855
|
| Created: | March 7, 2006 |
Updated: | March 16, 2006 |
| Description: |
Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10
and earlier allows user-complicit attackers to execute arbitrary code via a
crafted ZOO file that causes the combine function to return a longer string
than expected. |
| Alerts: |
|
Comments (none posted)
zoph: SQL injection vulnerability
| Package(s): | zoph |
CVE #(s): | CVE-2006-0402
|
| Created: | March 9, 2006 |
Updated: | March 15, 2006 |
| Description: |
The Zoph web-based photo management system has an SQL injection vulnerability. Insufficient input sanitization in the photo searching
code can be used by an attacker for an SQL injection attack. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|