LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
SQL injection vulnerabilities in PostgreSQL
A recent urgent update to PostgreSQL vividly demonstrates the problems with validating user input that are the foundation of SQL injection attacks. Widely used techniques to escape characters in user input can still allow SQL injection when coupled with multibyte character encodings. While this problem was first discovered in PostgreSQL, today's security fix announcement for MySQL indicates a similar problem there as well.
As discussed in the LWN SQL injection article, inserting strings of user input into SQL queries can be hazardous. Many applications do little or no validation of strings entered by a user before dropping them into a query; this negligence can lead to a compromise of the entire database. Better behaved programs attempt to escape various troublesome characters (typically single-quote and backslash), but because of the multibyte-encoding problem, problems can remain.
It is not just database clients that need to validate user input, the database server needs to validate as well as the first bug shows. PostgreSQL allows the "\'" (backslash + single-quote) sequence to be used to represent a single-quote character in a query as well as the two single-quote character sequence ("''") that is the SQL standard. Unfortunately, the escaping code used by database clients often ignores the character encoding and just looks for bytes with a 0x27 ("'") value and replaces them with an escaped version. The security hole comes about because illegal multibyte character sequences can be used to enable quotes to slip past the escaping process. An example provided in the technical information describes how this can be done.
In the UTF8 encoding, the byte value 0xc8 introduces a two-byte character; the second byte must be within the range 0xa0-0xff. However, PostgreSQL would accept any value for the second byte and treat both bytes as a single character. A malicious user could enter "0xc8'text", which would be converted by the well meaning client to "0xc8''text" (or "0xc8\'text"); the server would then treat the 0xc8' or 0xc8\ sequence as a single character, leaving an unescaped single-quote in the input, effectively injecting the attacker-supplied text.
The second issue stems from certain far-eastern encodings where the value 0x5c ("\") is a valid value for the second byte of a two-byte character. In the SJIS encoding for example, the two-byte sequence 0x95 0x5c is a valid character, but a client that is not encoding-aware may try to escape the 'backslash' that it sees by doubling it. Adding single-quotes into the mix provides a means for a SQL injection. "0x95 0x5c'text" could become "0x95 0x5c\''text", which effectively inserts an unescaped single-quote into the query. It is interesting to note that 0x27 ("'") is not a valid value for the second byte of a two-byte character and, if PostgreSQL had rigidly adhered to the SQL standard and only accepted "''" to escape single-quotes, this issue would not exist.
There is a straightforward fix for the first problem: do not accept illegal multibyte character sequences and refuse to process queries that contain them. Unfortunately, the second problem is more complicated and there is no single simple fix on the database server side. If database clients did their escaping in an encoding aware manner, this problem would not exist; expecting this from all clients is hopeless, however. The PostgreSQL developers chose to disallow "\'" for any encoding that allows embedded 0x5c characters. This closes the hole for all clients that use "''" to escape single-quotes but still allows for injections for clients that use "\'". This change is likely to break those clients altogether, however.
Both of these problems could have been avoided by using prepared statements with placeholders (i.e. 'SELECT * FROM tbl WHERE id=?'). Even if the libraries did not implement the quoting correctly, the SQL engine would still not allow the parameter to be treated as anything but data for that particular spot in the query, thereby avoiding the injection. Another way to avoid this kind of problem is to use stored procedures. As these bugs show, it can be very difficult to appropriately filter and/or validate user input.
New vulnerabilities
binutils: buffer overflow
| Package(s): | binutils | CVE #(s): | CVE-2006-2362 | |||||||||
| Created: | May 27, 2006 | Updated: | August 29, 2006 | |||||||||
| Description: | The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
cherrypy: information disclosure
| Package(s): | cherrypy | CVE #(s): | CVE-2006-0847 | |||
| Created: | May 31, 2006 | Updated: | May 31, 2006 | |||
| Description: | The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure. | |||||
| Alerts: |
| |||||
dovecot: information disclosure
| Package(s): | dovecot | CVE #(s): | CVE-2006-2414 | ||||||
| Created: | May 31, 2006 | Updated: | June 14, 2006 | ||||||
| Description: | The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes. | ||||||||
| Alerts: |
| ||||||||
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick | CVE #(s): | CVE-2006-2440 | |||||||||
| Created: | May 25, 2006 | Updated: | September 5, 2006 | |||||||||
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. | |||||||||||
| Alerts: |
| |||||||||||
kernel: netfilter memory corruption
| Package(s): | kernel | CVE #(s): | CVE-2006-2444 | ||||||||||||
| Created: | May 25, 2006 | Updated: | July 5, 2006 | ||||||||||||
| Description: | The 2.6.12 kernel has a remote memory corruption vulnerability that can be remotely triggered by loading the ip_nat_snmp_basic module and traffic is network-translated on port 161 or 162. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: information disclosure
| Package(s): | kernel | CVE #(s): | CVE-2006-1343 | ||||||||||||||||||
| Created: | May 31, 2006 | Updated: | July 20, 2006 | ||||||||||||||||||
| Description: | The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CVE-2006-2656 | |||||||||||||||
| Created: | May 26, 2006 | Updated: | June 8, 2006 | |||||||||||||||
| Description: | The tiffsplit command has a problem in the way that it handles fixed-size buffers, a stack overflow can result. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
lynx: denial of service
| Package(s): | lynx | CVE #(s): | CVE-2004-1617 | |||||||||
| Created: | May 26, 2006 | Updated: | June 1, 2006 | |||||||||
| Description: | The lynx text-mode web browser has a problem understanding invalid html involving the TEXTAREA tag. An infinite loop can happen, resulting in a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
php: multiple vulnerabilities
| Package(s): | php | CVE #(s): | CVE-2006-1990 CVE-2006-1991 CVE-2006-3017 | |||||||||||||||||||||||||||||||||
| Created: | May 25, 2006 | Updated: | August 18, 2006 | |||||||||||||||||||||||||||||||||
| Description: | The php wordwrap() function is vulnerable to an integer overflow.
Attackers can submit long arguments to cause a heap-based buffer
overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service. A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils | CVE #(s): | CVE-2006-1174 | |||||||||||||||
| Created: | May 25, 2006 | Updated: | June 12, 2007 | |||||||||||||||
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
tiff: denial of service
| Package(s): | tiff | CVE #(s): | CVE-2006-2120 | |||
| Created: | May 27, 2006 | Updated: | May 31, 2006 | |||
| Description: | The tiff image library is vulnerable to a denial of service attack. Images with specially crafted Yr/Yg/Yb values that exceed the YCR/YCG/YCB values can cause a crash of the associated application. | |||||
| Alerts: |
| |||||
typespeed: buffer overflow
| Package(s): | typespeed | CVE #(s): | CVE-2006-1515 | ||||||
| Created: | May 31, 2006 | Updated: | June 19, 2006 | ||||||
| Description: | The typespeed game has a buffer overflow in its network data processing code which could possibly be exploited to execute arbitrary code. | ||||||||
| Alerts: |
| ||||||||
vixie-cron: privilege escalation
| Package(s): | cron | CVE #(s): | CVE-2006-2607 | ||||||||||||
| Created: | May 31, 2006 | Updated: | July 13, 2006 | ||||||||||||
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Updated vulnerabilities
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
awstats: missing input sanitizing
| Package(s): | awstats | CVE #(s): | CVE-2006-2237 | ||||||||||||||||||
| Created: | May 19, 2006 | Updated: | June 20, 2006 | ||||||||||||||||||
| Description: | Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
zoo: archive problem
| Package(s): | bin | CVE #(s): | ||||
| Created: | May 23, 2006 | Updated: | May 24, 2006 | |||
| Description: | A security problem is zoo's fullpath() function could cause problems if zoo was run in an automated way, or if a user were to open a malicious zoo archive manually. | |||||
| Alerts: |
| |||||
blender: integer overflow
| Package(s): | blender | CVE #(s): | CVE-2005-4470 | |||||||||||||||
| Created: | January 6, 2006 | Updated: | June 15, 2006 | |||||||||||||||
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
busybox: insecure password generation
| Package(s): | busybox | CVE #(s): | CVE-2006-1058 | |||||||||
| Created: | May 5, 2006 | Updated: | May 2, 2007 | |||||||||
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
cscope: buffer overflows
| Package(s): | cscope | CVE #(s): | CVE-2004-2541 | ||||||
| Created: | May 22, 2006 | Updated: | June 12, 2006 | ||||||
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. | ||||||||
| Alerts: |
| ||||||||
curl: heap-based buffer overflow
| Package(s): | curl | CVE #(s): | CVE-2006-1061 | ||||||||||||
| Created: | March 21, 2006 | Updated: | June 28, 2006 | ||||||||||||
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dia: format string vulnerabilities
| Package(s): | dia | CVE #(s): | CVE-2006-2453 CVE-2006-2480 | ||||||||||||||||||
| Created: | May 24, 2006 | Updated: | June 8, 2006 | ||||||||||||||||||
| Description: | The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
fetchmail: multidrop bug
| Package(s): | fetchmail | CVE #(s): | CVE-2005-4348 | ||||||||||||||||||||||||
| Created: | December 20, 2005 | Updated: | May 27, 2006 | ||||||||||||||||||||||||
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla | CVE #(s): | CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 14, 2006 | Updated: | June 9, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
freeradius: authentication bypass
| Package(s): | freeradius | CVE #(s): | CVE-2006-1354 | ||||||||||||||||||
| Created: | March 24, 2006 | Updated: | June 5, 2006 | ||||||||||||||||||
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdm: improper file permissions
| Package(s): | gdm | CVE #(s): | CVE-2006-1057 | |||||||||||||||
| Created: | April 19, 2006 | Updated: | May 2, 2007 | |||||||||||||||
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
hostapd: insufficient boundary checks
| Package(s): | hostapd | CVE #(s): | CVE-2006-2213 | ||||||
| Created: | May 22, 2006 | Updated: | May 25, 2006 | ||||||
| Description: | Matteo Rosi and Leonardo Maccari discovered that hostapd, a wifi network authenticator daemon, performs insufficient boundary checks on a key length value, which might be exploited to crash the service. | ||||||||
| Alerts: |
| ||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2005-3732 | |||||||||||||||||||||
| Created: | December 1, 2005 | Updated: | June 8, 2006 | |||||||||||||||||||||
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864 | |||||||||||||||||||||
| Created: | May 12, 2006 | Updated: | July 13, 2006 | |||||||||||||||||||||
| Description: | Multiple vulnerabilities in the Linux have been found.
| |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-1859 CVE-2006-1860 | ||||||||||||
| Created: | May 19, 2006 | Updated: | May 24, 2006 | ||||||||||||
| Description: | Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16
allows attackers to cause a denial of service (memory consumption) via
unspecified actions related to an "uninitialized return value," aka "slab
leak."
lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel-patch-vserver: privilege escalation
| Package(s): | kernel-patch-vserver | CVE #(s): | CVE-2006-2110 | |||
| Created: | May 22, 2006 | Updated: | May 24, 2006 | |||
| Description: | Jan Rekorajski discovered that the kernel patch for virtual private servers does not limit context capabilities to the root user within the virtual server, which might lead to privilege escalation for some virtual server specific operations. | |||||
| Alerts: |
| |||||
kphone: insecure file creation
| Package(s): | kphone | CVE #(s): | CVE-2006-2442 | ||||||
| Created: | May 22, 2006 | Updated: | May 25, 2006 | ||||||
| Description: | Sven Dreyer discovered that KPhone, a Voice over IP client for KDE, creates a configuration file world-readable, which could leak sensitive information like SIP passwords. | ||||||||
| Alerts: |
| ||||||||
libextractor: heap-based buffer overflows
| Package(s): | libextractor | CVE #(s): | CVE-2006-2458 | ||||||
| Created: | May 22, 2006 | Updated: | May 31, 2006 | ||||||
| Description: | Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin. | ||||||||
| Alerts: |
| ||||||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 | |||||||||
| Created: | July 29, 2005 | Updated: | June 25, 2007 | |||||||||
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap | CVE #(s): | CAN-2005-2641 | ||||||||||||
| Created: | August 25, 2005 | Updated: | October 6, 2006 | ||||||||||||
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. | ||||||||||||||
| Alerts: |
| ||||||||||||||
libtiff: denial of service
| Package(s): | libtiff | CVE #(s): | CVE-2006-2024 | ||||||||||||||||||||||||
| Created: | April 28, 2006 | Updated: | May 31, 2006 | ||||||||||||||||||||||||
| Description: | Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
mailman: denial of service
| Package(s): | mailman | CVE #(s): | CVE-2006-0052 | |||||||||||||||
| Created: | March 30, 2006 | Updated: | June 9, 2006 | |||||||||||||||
| Description: | Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mpg123: buffer overflows
| Package(s): | mpg123 | CVE #(s): | CVE-2006-1655 | |||||||||
| Created: | May 24, 2006 | Updated: | July 3, 2006 | |||||||||
| Description: | mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities. | |||||||||||
| Alerts: |
| |||||||||||
MySQL: logging bypass
| Package(s): | mysql | CVE #(s): | CVE-2006-0903 | ||||||||||||
| Created: | April 4, 2006 | Updated: | May 21, 2008 | ||||||||||||
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mysql: information leaks
| Package(s): | mysql mysql-dfsg | CVE #(s): | CVE-2006-1516 CVE-2006-1517 | ||||||||||||||||||||||||||||||
| Created: | May 8, 2006 | Updated: | June 23, 2006 | ||||||||||||||||||||||||||||||
| Description: | Stefano Di Paola discovered an information leak in the login packet
parser. By sending a specially crafted malformed login packet, a
remote attacker could exploit this to read a random piece of memory,
which could potentially reveal sensitive data. (CVE-2006-1516)
Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
nagios: buffer overflow
| Package(s): | nagios | CVE #(s): | CVE-2006-2162 | ||||||||||||||||||
| Created: | May 8, 2006 | Updated: | May 31, 2006 | ||||||||||||||||||
| Description: | A buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ntp: uses wrong gid
| Package(s): | ntp | CVE #(s): | CAN-2005-2496 | |||||||||||||||
| Created: | August 26, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
OpenLDAP: boundary error
| Package(s): | openldap | CVE #(s): | ||||
| Created: | May 23, 2006 | Updated: | May 24, 2006 | |||
| Description: | According to this Secunia advisory, a weakness exists in OpenLDAP which is caused due to a boundary error in slurpd within the handling of the status file. This can be exploited to cause a stack-based buffer overflow via an overly long hostname read from the status file. The weakness has been reported to be in OpenLDAP version 2.3.21 and earlier. | |||||
| Alerts: |
| |||||
openmotif: buffer overflows
| Package(s): | openmotif | CVE #(s): | CVE-2005-3964 | |||||||||
| Created: | December 29, 2005 | Updated: | July 27, 2006 | |||||||||
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
OpenSSH: double shell expansion
| Package(s): | openssh | CVE #(s): |