LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
The OLPC and BIOS upgrades
The One Laptop Per Child project will, if successful, place special laptop computers into the hands of millions of children all over the world. Most of these children will have never worked with a computer before. The consequences of providing Linux-based systems to this many children are likely to be huge. If this project is done right, these kids will grow up seeing free software as the preferred thing to use. Done wrong, it could turn them (and the adults around them) against Linux in a big way.Many aspects of the OLPC systems are interesting; one of those is that they will use LinuxBIOS as their onboard, boot-time firmware. LinuxBIOS will bring a high degree of flexibility to the system, and some complexity as well. There is a real possibility that, as the result of some late bug or security problem, an in-field upgrade to LinuxBIOS will be called for. In addition, some users may want to hack on the firmware and install their own version - after all, the source is available. For both reasons, the OLPC systems will be able to rewrite their BIOS on demand.
There is a potential problem there, however. If it is too easy to rewrite the BIOS, no end of unpleasant things could happen. In the worst case, some sort of OLPC-based worm could, over a brief period, turn all online systems into expensive bricks. Or, perhaps even worse, the mass implantation of a low-level back door could be performed. For this reason, the OLPC design requires the user to give explicit permission before the BIOS can be rewritten. In particular, a specific sequence of keys on the keyboard must be held down before rewriting the BIOS will be possible.
Ivan Krstić has recently been thinking about the BIOS issue; in particular, he is worried that the keyboard-based interlock still leaves the system open to phishing attacks. The target user base for the OLPC, remember, will be very young. If something pops up on their screen telling them to push a certain set of keys, some of them may well do it. Adults may be immune to this sort of attack, but children need to be treated with more care.
So Ivan floated a proposal for a different way of doing things. It does away with the keyboard interlock; instead, the operating system is always forbidden to rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so upon finding a new BIOS image in a specific place in the filesystem. That image would have to be cryptographically signed, however, so attackers would, presumably, be unable to get a new BIOS image written. Ivan says:
Voila. This is now a completely secure BIOS solution which requires
no TPM, allows fully automatic upgrades without the user's
cooperation (such as pressing keys), and fully protects both
against phishing and automated attacks -- in fact, it's
vector-independent.
Some who responded were not entirely happy with this approach, however. The potential for performing BIOS upgrades (even if properly signed) without the user's knowledge or consent is troubling. If a bug is found in the signature verification code, the fully automated mass bricking scenario becomes real again. Users who want to put in their own version of the BIOS will be frustrated - they cannot be given the signing key without compromising the entire mechanism (though this problem can be mitigated through the addition of a unique key for each system). Some countries may be unwilling to buy and distribute the OLPC systems without the ability to create and install their own BIOS images. And so on; see the list archive for the full discussion thread.
There was no obvious consensus reached on the list - and no immediate decision to change the OLPC hardware design. It is an issue requiring some additional thought, however. The OLPC systems are designed, in general, to be easy to fix when a user breaks things - they are meant to be experimented with. A BIOS-level bricking, however, is decidedly not easy to fix; it is not a scenario which can be allowed to come about. So it will be interesting to see what solution the OLPC designers arrive at in the end.
(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).
New vulnerabilities
AlsaPlayer: multiple buffer overflows
| Package(s): | alsaplayer | CVE #(s): | CVE-2006-4089 | ||||||
| Created: | August 28, 2006 | Updated: | September 19, 2006 | ||||||
| Description: | AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer. | ||||||||
| Alerts: |
| ||||||||
gtetrinet: buffer overflows
| Package(s): | gtetrinet | CVE #(s): | CVE-2006-3125 | ||||||
| Created: | August 30, 2006 | Updated: | September 6, 2006 | ||||||
| Description: | A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code. | ||||||||
| Alerts: |
| ||||||||
lesstif: libXm library privilege escalation
| Package(s): | lesstif | CVE #(s): | CVE-2006-4124 | |||
| Created: | August 29, 2006 | Updated: | August 30, 2006 | |||
| Description: | The libXm library in LessTif 0.95.0 and earlier allows local users to gain privileges via the DEBUG_FILE environment variable, which is used to create world-writable files when libXm is run from a setuid program. | |||||
| Alerts: |
| |||||
libmusicbrainz: buffer overflows
| Package(s): | libmusicbrainz-2.0 | CVE #(s): | CVE-2006-4197 | ||||||||||||||||||
| Created: | August 30, 2006 | Updated: | October 23, 2006 | ||||||||||||||||||
| Description: | Several buffer overflows have been discovered in the libmusicbrainz CD index library. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
MySQL: privilege violations
| Package(s): | mysql | CVE #(s): | CVE-2006-4031 CVE-2006-4226 | |||||||||||||||||||||
| Created: | August 25, 2006 | Updated: | May 21, 2008 | |||||||||||||||||||||
| Description: | MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
streamripper: buffer overflow
| Package(s): | streamripper | CVE #(s): | CVE-2006-3124 | ||||||
| Created: | August 28, 2006 | Updated: | September 6, 2006 | ||||||
| Description: | Ulf Harnhammer from the Debian Security Audit Project discovered that streamripper, a utility to record online radio-streams, performs insufficient sanitizing of data received from the streaming server, which might lead to buffer overflows and the execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
wireshark: several vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2006-4330 CVE-2006-4331 CVE-2006-4332 CVE-2006-4333 | ||||||||||||||||||
| Created: | August 25, 2006 | Updated: | November 2, 2006 | ||||||||||||||||||
| Description: | There are multiple problems in Wireshark, versions 0.7.9 to 0.99.2. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
X.org: local privilege escalations
| Package(s): | xorg-x11 | CVE #(s): | CVE-2006-4447 | |||||||||
| Created: | August 28, 2006 | Updated: | April 30, 2007 | |||||||||
| Description: | Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine. | |||||||||||
| Alerts: |
| |||||||||||
Updated vulnerabilities
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick | CVE #(s): | CVE-2006-2440 | |||||||||
| Created: | May 25, 2006 | Updated: | September 5, 2006 | |||||||||
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. | |||||||||||
| Alerts: |
| |||||||||||
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
audacious: buffer overflow
| Package(s): | audacious | CVE #(s): | CVE-2006-3581 CVE-2006-3582 | ||||||
| Created: | August 2, 2006 | Updated: | September 13, 2006 | ||||||
| Description: | Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. | ||||||||
| Alerts: |
| ||||||||
binutils: buffer overflow
| Package(s): | binutils | CVE #(s): | CVE-2005-4807 | ||||||
| Created: | August 17, 2006 | Updated: | October 19, 2006 | ||||||
| Description: | The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user. | ||||||||
| Alerts: |
| ||||||||
binutils: buffer overflow
| Package(s): | binutils | CVE #(s): | CVE-2006-2362 | |||||||||
| Created: | May 27, 2006 | Updated: | August 29, 2006 | |||||||||
| Description: | The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
busybox: insecure password generation
| Package(s): | busybox | CVE #(s): | CVE-2006-1058 | |||||||||
| Created: | May 5, 2006 | Updated: | May 2, 2007 | |||||||||
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
fbi: incorrect filtering
| Package(s): | fbi | CVE #(s): | CVE-2006-3119 | ||||||
| Created: | July 24, 2006 | Updated: | August 24, 2006 | ||||||
| Description: | Toth Andras discovered that the fbgs framebuffer postscript/PDF viewer contains a typo, which prevents the intended filter against malicious postscript commands from working correctly. This might lead to the deletion of user data when displaying a postscript file. | ||||||||
| Alerts: |
| ||||||||
mozilla: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird | CVE #(s): | CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 27, 2006 | Updated: | September 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
freeradius: several vulnerabilities
| Package(s): | freeradius | CVE #(s): | CVE-2005-4745 CVE-2005-4746 | ||||||
| Created: | August 8, 2006 | Updated: | April 24, 2007 | ||||||
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. | ||||||||
| Alerts: |
| ||||||||
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 8, 2006 | Updated: | October 10, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdm: improper file permissions
| Package(s): | gdm | CVE #(s): | CVE-2006-1057 | |||||||||||||||
| Created: | April 19, 2006 | Updated: | May 2, 2007 | |||||||||||||||
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
heartbeat: out-of-bounds read
| Package(s): | heartbeat | CVE #(s): | CVE-2006-3121 | |||||||||
| Created: | August 15, 2006 | Updated: | August 25, 2006 | |||||||||
| Description: | Yan Rong Ge discovered out-of-boundary memory access in heartbeat, the subsystem for High-Availability Linux. This could be used by a remote attacker to cause a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
imagemagick: buffer overflow
| Package(s): | imagemagick | CVE #(s): | CVE-2006-4144 | ||||||||||||||||||
| Created: | August 17, 2006 | Updated: | August 29, 2006 | ||||||||||||||||||
| Description: | The imagemagick SGI file format decoder is vulnerable to a buffer overflow. If a user can be tricked into processing a specially crafted SGI image, arbitrary code may be executed with the privileges of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kdebase: privilege escalation
| Package(s): | kdebase | CVE #(s): | CVE-2006-2449 | |||||||||||||||||||||||||||||||||||||||
| Created: | June 15, 2006 | Updated: | August 28, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The KDE Display Manager(KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: denial of service by memory consumption
| Package(s): | kernel | CVE #(s): | CVE-2006-2936 | |||||||||||||||
| Created: | July 17, 2006 | Updated: | November 14, 2007 | |||||||||||||||
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel-source-2.6.8 | CVE #(s): | CVE-2006-3626 | |||||||||
| Created: | July 27, 2006 | Updated: | August 23, 2006 | |||||||||
| Description: | The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures. | |||||||||||
| Alerts: |
| |||||||||||
krb5: local privilege escalation
| Package(s): | krb5 | CVE #(s): | CVE-2006-3083 | |||||||||||||||||||||||||||
| Created: | August 9, 2006 | Updated: | September 8, 2006 | |||||||||||||||||||||||||||
| Description: | Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 | |||||||||
| Created: | July 29, 2005 | Updated: | June 25, 2007 | |||||||||
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
libgd2: denial of service
| Package(s): | libgd2 | CVE #(s): | CVE-2006-2906 | |||||||||||||||
| Created: | June 14, 2006 | Updated: | January 16, 2007 | |||||||||||||||
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
libmms: buffer overflows
| Package(s): | libmms | CVE #(s): | CVE-2006-2200 | |||||||||||||||||||||
| Created: | July 6, 2006 | Updated: | December 25, 2006 | |||||||||||||||||||||
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap | CVE #(s): | CAN-2005-2641 | ||||||||||||
| Created: | August 25, 2005 | Updated: | October 6, 2006 | ||||||||||||
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. | ||||||||||||||
| Alerts: |
| ||||||||||||||
libpng: buffer overflow
| Package(s): | libpng | CVE #(s): | CVE-2006-3334 | |||||||||
| Created: | July 19, 2006 | Updated: | November 17, 2006 | |||||||||
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. | |||||||||||
| Alerts: |
| |||||||||||
libtiff: buffer overflows
| Package(s): | libtiff | CVE #(s): | CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465 | |||||||||||||||||||||||||||||||||
| Created: | August 2, 2006 | Updated: | September 5, 2006 | |||||||||||||||||||||||||||||||||
| Description: | An audit of the libtiff library (done by Tavis Ormandy at Google) turned up several buffer overflow vulnerabilities. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CVE-2006-2193 | ||||||||||||||||||
| Created: | June 15, 2006 | Updated: | September 5, 2006 | ||||||||||||||||||
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
libvncserver: authentication bypass
| Package(s): | libvncserver | CVE #(s): | CVE-2006-2450 | |||||||||
| Created: | August 4, 2006 | Updated: | March 19, 2007 | |||||||||
| Description: | LibVNCServer fails to properly validate protocol types effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server. | |||||||||||
| Alerts: |
| |||||||||||
libwmf: integer overflow
| Package(s): | libwmf | CVE #(s): | CVE-2006-3376 | |||||||||||||||||||||||||||
| Created: | July 13, 2006 | Updated: | November 6, 2006 | |||||||||||||||||||||||||||
| Description: | libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
mutt: IMAP namespace buffer overflow
| Package(s): | mutt | CVE #(s): | CVE-2006-3242 | |||||||||||||||||||||||||||||||||||||||
| Created: | June 28, 2006 | Updated: | October 24, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If an user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
MySQL: logging bypass
| Package(s): | mysql | CVE #(s): | CVE-2006-0903 | ||||||||||||
| Created: | April 4, 2006 | Updated: | May 21, 2008 | ||||||||||||
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ncompress: buffer underflow
| Package(s): | ncompress | CVE #(s): | CVE-2006-1168 | ||||||||||||
| Created: | August 10, 2006 | Updated: | October 9, 2006 | ||||||||||||
| Description: | The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a a .bss buffer underflow. | ||||||||||||||
| Alerts: |
| ||||||||||||||
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org | CVE #(s): | CVE-2006-2198 CVE-2006-2199 CVE-2006-3117 | ||||||||||||||||||||||||||||||||||||
| Created: | June 30, 2006 | Updated: | January 4, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
php: multiple vulnerabilities
| Package(s): | php | CVE #(s): | ||||
| Created: | August 18, 2006 | Updated: | August 23, 2006 | |||
| Description: | Several vulnerabilities have been fixed in PHP 4.4.4 and 5.1.5.
| |||||
| Alerts: |
| |||||
php: arbitrary code execution
| Package(s): | php | CVE #(s): | CVE-2006-4020 | ||||||||||||
| Created: | August 22, 2006 | Updated: | September 21, 2006 | ||||||||||||
| Description: | A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read. | ||||||||||||||
| Alerts: |
| ||||||||||||||
phpbb2: missing input sanitizing
| Package(s): | phpbb2 | CVE #(s): | CVE-2006-1896 | |||
| Created: | May 22, 2006 | Updated: | February 11, 2008 | |||
| Description: | It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users. | |||||
| Alerts: |
| |||||
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 | CVE #(s): | CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 | |||
| Created: | December 22, 2005 | Updated: | February 11, 2008 | |||
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. | |||||
| Alerts: |
| |||||
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2005-4079 CVE-2005-3665 | ||||||||||||
| Created: | December 12, 2005 | Updated: | November 20, 2006 | ||||||||||||
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). | ||||||||||||||
| Alerts: |
| ||||||||||||||
postgresql: SQL injection
| Package(s): | postgresql | CVE #(s): | CVE-2006-2313 CVE-2006-2314 | |||||||||||||||||||||||||||||||||||||||
| Created: | May 24, 2006 | Updated: | June 6, 2007 | |||||||||||||||||||||||||||||||||||||||
| Description: | The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ruby: multiple vulnerabilities
| Package(s): | ruby | CVE #(s): | CVE-2006-3694 | ||||||||||||||||||||||||
| Created: | July 24, 2006 | Updated: | August 28, 2006 | ||||||||||||||||||||||||
| Description: | Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving the alias function and "directory operations". | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
sendmail: denial of service
| Package(s): | sendmail | CVE #(s): | CVE-2006-1173 | |||||||||||||||||||||||||||||||||
| Created: | June 15, 2006 | Updated: | November 1, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Sendmail has a vulnerability in the way it handles multi-part MIME messages. A remote attacker can create a specially crafted email message that can be used to crash the sendmail process, causing a denial of service. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils | CVE #(s): | CVE-2006-1174 | |||||||||||||||
| Created: | May 25, 2006 | Updated: | June 12, 2007 | |||||||||||||||
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
squirrelmail: insecure permissions
| Package(s): | squirrelmail | CVE #(s): | CVE-2006-4019 |
| Created: | August 14, 2006 | Updated: | September 26, 2006 |
| Description: | Squirrelmail c | ||