|
|
| |
|
| |
Security
The One Laptop Per Child project will, if
successful, place special laptop computers into the hands of millions of
children all over the world. Most of these children will have never worked
with a computer before. The consequences of providing Linux-based systems
to this many children are likely to be huge. If this project is done
right, these kids will grow up seeing free software as the preferred thing
to use. Done wrong, it could turn them (and the adults around them)
against Linux in a big way.
Many aspects of the OLPC systems are interesting; one of those is that they
will use LinuxBIOS
as their onboard, boot-time firmware. LinuxBIOS will bring a high degree
of flexibility to the system, and some complexity as well. There is a real
possibility that, as the result of some late bug or security problem, an
in-field upgrade to LinuxBIOS will be called for. In addition, some users
may want to hack on the firmware and install their own version - after all,
the source is available. For both reasons, the OLPC systems will be able
to rewrite their BIOS on demand.
There is a potential problem there, however. If it is too easy to rewrite
the BIOS, no end of unpleasant things could happen. In the worst case,
some sort of OLPC-based worm could, over a brief period, turn all online
systems into expensive bricks. Or, perhaps even worse, the mass
implantation of a low-level back door could be performed. For this reason,
the OLPC design requires the user to give explicit permission before the
BIOS can be rewritten. In particular, a specific sequence of keys on the
keyboard must be held down before rewriting the BIOS will be possible.
Ivan Krstić has recently been thinking about the BIOS issue; in
particular, he is worried that the keyboard-based interlock still leaves
the system open to phishing attacks. The target user base for the OLPC,
remember, will be very young. If something pops up on their screen telling
them to push a certain set of keys, some of them may well do it. Adults
may be immune
to this sort of attack, but children need to be treated with more care.
So Ivan floated
a proposal for a different way of doing things. It does away with the
keyboard interlock; instead, the operating system is always forbidden to
rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so
upon finding a new BIOS image in a specific place in the filesystem. That
image would have to be cryptographically signed, however, so attackers
would, presumably, be unable to get a new BIOS image written. Ivan says:
Voila. This is now a completely secure BIOS solution which requires
no TPM, allows fully automatic upgrades without the user's
cooperation (such as pressing keys), and fully protects both
against phishing and automated attacks -- in fact, it's
vector-independent.
Some who responded were not entirely happy with this approach, however.
The potential for performing BIOS upgrades (even if properly signed)
without the user's knowledge or consent is troubling. If a bug is found in
the signature verification code, the fully automated mass bricking scenario
becomes real again. Users who want to put in their own version of the BIOS
will be frustrated - they cannot be given the signing key without
compromising the entire mechanism (though this problem can be mitigated
through the addition of a unique key for each system). Some countries may
be unwilling to buy
and distribute the OLPC systems without the ability to create and install
their own BIOS images. And so on; see the
list archive for the full discussion thread.
There was no obvious consensus reached on the list - and no immediate
decision to change the OLPC hardware design. It is an issue requiring some
additional thought, however. The OLPC systems are designed, in general, to
be easy to fix when a user breaks things - they are meant to be
experimented with. A BIOS-level bricking, however, is decidedly not easy
to fix; it is not a scenario which can be allowed to come about. So it will
be interesting to see what solution the OLPC designers arrive at in the
end.
(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).
Comments (18 posted)
New vulnerabilities
AlsaPlayer: multiple buffer overflows
| Package(s): | alsaplayer |
CVE #(s): | CVE-2006-4089
|
| Created: | August 28, 2006 |
Updated: | September 19, 2006 |
| Description: |
AlsaPlayer contains three buffer overflows: in the function that handles
the HTTP connections, the GTK interface, and the CDDB querying mechanism.
An attacker could exploit the first vulnerability by enticing a user to
load a malicious URL resulting in the execution of arbitrary code with the
permissions of the user running AlsaPlayer. |
| Alerts: |
|
Comments (none posted)
gtetrinet: buffer overflows
| Package(s): | gtetrinet |
CVE #(s): | CVE-2006-3125
|
| Created: | August 30, 2006 |
Updated: | September 6, 2006 |
| Description: |
A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
lesstif: libXm library privilege escalation
| Package(s): | lesstif |
CVE #(s): | CVE-2006-4124
|
| Created: | August 29, 2006 |
Updated: | August 30, 2006 |
| Description: |
The libXm library in LessTif 0.95.0 and earlier allows local users to gain
privileges via the DEBUG_FILE environment variable, which is used to create
world-writable files when libXm is run from a setuid program. |
| Alerts: |
|
Comments (none posted)
libmusicbrainz: buffer overflows
| Package(s): | libmusicbrainz-2.0 |
CVE #(s): | CVE-2006-4197
|
| Created: | August 30, 2006 |
Updated: | October 23, 2006 |
| Description: |
Several buffer overflows have been discovered in the libmusicbrainz CD index library. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
streamripper: buffer overflow
| Package(s): | streamripper |
CVE #(s): | CVE-2006-3124
|
| Created: | August 28, 2006 |
Updated: | September 6, 2006 |
| Description: |
Ulf Harnhammer from the Debian Security Audit Project discovered that
streamripper, a utility to record online radio-streams, performs
insufficient sanitizing of data received from the streaming server,
which might lead to buffer overflows and the execution of arbitrary
code. |
| Alerts: |
|
Comments (none posted)
wireshark: several vulnerabilities
Comments (none posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
CVE #(s): | CVE-2006-4447
|
| Created: | August 28, 2006 |
Updated: | April 30, 2007 |
| Description: |
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
audacious: buffer overflow
| Package(s): | audacious |
CVE #(s): | CVE-2006-3581
CVE-2006-3582
|
| Created: | August 2, 2006 |
Updated: | September 13, 2006 |
| Description: |
Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. |
| Alerts: |
|
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
CVE #(s): | CVE-2005-4807
|
| Created: | August 17, 2006 |
Updated: | October 19, 2006 |
| Description: |
The GNU assembler (gas) in binutils is vulnerable to a buffer overflow.
If a user can be tricked into assembling a specially crafted file with
gcc or gas, arbitrary code can be executed with the privileges of the user. |
| Alerts: |
|
Comments (3 posted)
binutils: buffer overflow
| Package(s): | binutils |
CVE #(s): | CVE-2006-2362
|
| Created: | May 27, 2006 |
Updated: | August 29, 2006 |
| Description: |
The GNU Binutils has a buffer overflow vulnerability in libbfd.
Maliciously crafted Tektronix Hex Format files with improper length
characters can cause a crash and possibly lead to the execution of
arbitrary code. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
CVE #(s): | CVE-2006-2607
|
| Created: | May 31, 2006 |
Updated: | June 1, 2009 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: |
|
Comments (1 posted)
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2004-2541
|
| Created: | May 22, 2006 |
Updated: | June 19, 2009 |
| Description: |
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target. |
| Alerts: |
|
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
fbi: incorrect filtering
| Package(s): | fbi |
CVE #(s): | CVE-2006-3119
|
| Created: | July 24, 2006 |
Updated: | August 24, 2006 |
| Description: |
Toth Andras discovered that the fbgs framebuffer postscript/PDF viewer
contains a typo, which prevents the intended filter against malicious
postscript commands from working correctly. This might lead to the
deletion of user data when displaying a postscript file. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | June 1, 2010 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
heartbeat: out-of-bounds read
| Package(s): | heartbeat |
CVE #(s): | CVE-2006-3121
|
| Created: | August 15, 2006 |
Updated: | August 25, 2006 |
| Description: |
Yan Rong Ge discovered out-of-boundary memory access in heartbeat, the
subsystem for High-Availability Linux. This could be used by a remote
attacker to cause a denial of service. |
| Alerts: |
|
Comments (none posted)
imagemagick: buffer overflow
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-4144
|
| Created: | August 17, 2006 |
Updated: | August 29, 2006 |
| Description: |
The imagemagick SGI file format decoder is vulnerable to a buffer
overflow. If a user can be tricked into processing a specially crafted
SGI image, arbitrary code may be executed with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-2440
|
| Created: | May 25, 2006 |
Updated: | September 5, 2006 |
| Description: |
The ImageMagick DisplayImageCommand has a heap overflow vulnerability.
If an maliciously created unexpanded glob is passed to ImageMagick,
a heap overflow can result. |
| Alerts: |
|
Comments (none posted)
kdebase: privilege escalation
| Package(s): | kdebase |
CVE #(s): | CVE-2006-2449
|
| Created: | June 15, 2006 |
Updated: | August 28, 2006 |
| Description: |
The KDE Display Manager(KDM) is vulnerable to a local symlink attack.
A local user can use this to read arbitrary files that they do not
have permission to access. See this KDE
advisory for more information. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel-source-2.6.8 |
CVE #(s): | CVE-2006-3626
|
| Created: | July 27, 2006 |
Updated: | August 23, 2006 |
| Description: |
The kernel process filesystem has a race condition that can be
exploited for the purpose of privilege escalation.
This affects multiple architectures. |
| Alerts: |
|
Comments (1 posted)
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libtiff: buffer overflows
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libwmf: integer overflow
| Package(s): | libwmf |
CVE #(s): | CVE-2006-3376
|
| Created: | July 13, 2006 |
Updated: | November 6, 2006 |
| Description: |
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
CVE #(s): | CVE-2006-3242
|
| Created: | June 28, 2006 |
Updated: | October 24, 2006 |
| Description: |
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If an user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
a .bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | |
| Created: | August 18, 2006 |
Updated: | August 23, 2006 |
| Description: |
Several vulnerabilities have been fixed in PHP 4.4.4 and 5.1.5.
- Added missing safe_mode/open_basedir checks inside the error_log(),
file_exists(), imap_open() and imap_reopen() functions.
- Fixed overflows inside str_repeat() and wordwrap() functions on 64bit
systems.
- Fixed possible open_basedir/safe_mode bypass in cURL extension and on
PHP 5.1.5 with realpath cache.
- Fixed overflow in GD extension on invalid GIF images.
- Fixed a buffer overflow inside sscanf() function.
- Fixed an out of bounds read inside stripos() function.
- Fixed memory_limit restriction on 64 bit system.
|
| Alerts: |
|
Comments (none posted)
php: arbitrary code execution
| Package(s): | php |
CVE #(s): | CVE-2006-4020
|
| Created: | August 22, 2006 |
Updated: | September 21, 2006 |
| Description: |
A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via argument
swapping which incremented an index past the end of an array and triggered
a buffer over-read. |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
CVE #(s): | CAN-2005-2875
|
| Created: | September 19, 2005 |
Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: |
|
Comments (none posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
ruby: multiple vulnerabilities
| Package(s): | ruby |
CVE #(s): | CVE-2006-3694
|
| Created: | July 24, 2006 |
Updated: | August 28, 2006 |
| Description: |
Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote
attackers to bypass "safe level" checks via unspecified vectors involving
the alias function and "directory operations". |
| Alerts: |
|
Comments (none posted)
sendmail: denial of service
| Package(s): | sendmail |
CVE #(s): | CVE-2006-1173
|
| Created: | June 15, 2006 |
Updated: | November 1, 2006 |
| Description: |
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service. |
| Alerts: |
|
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
squirrelmail: insecure permissions
| Package(s): | squirrelmail |
CVE #(s): | CVE-2006-4019
|
| Created: | August 14, 2006 |
Updated: | September 26, 2006 |
| Description: |
Squirrelmail contains a vulnerability that allows authenticated users to
read and write other users' preferences and attachments. |
| Alerts: |
|
Comments (none posted)
sudo: vulnerability via scripts
| Package(s): | sudo |
CVE #(s): | CAN-2005-4158
CVE-2006-0151
|
| Created: | December 16, 2005 |
Updated: | September 1, 2006 |
| Description: |
Perl and Python scripts run via Sudo can be subverted. |
| Alerts: |
|
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
CVE #(s): | CAN-2005-3011
|
| Created: | October 5, 2005 |
Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
tin: buffer overflow
| Package(s): | tin |
CVE #(s): | CVE-2006-0804
|
| Created: | February 19, 2006 |
Updated: | November 24, 2006 |
| Description: |
An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier
which can lead to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
trac: missing input sanitizing
| Package(s): | trac |
CVE #(s): | CVE-2006-3695
|
| Created: | August 18, 2006 |
Updated: | August 23, 2006 |
| Description: |
Felix Wiemann discovered that trac, an enhanced Wiki and issue
tracking system for software development projects, can be used to
disclose arbitrary local files. To fix this problem, python-docutils
needs to be updated as well. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-2802
|
| Created: | June 9, 2006 |
Updated: | September 29, 2006 |
| Description: |
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking an user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui |
CVE #(s): | CVE-2006-2230
|
| Created: | June 9, 2006 |
Updated: | January 24, 2007 |
| Description: |
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service. |
| Alerts: |
|
Comments (none posted)
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 |
CVE #(s): | CVE-2006-1526
|
| Created: | May 3, 2006 |
Updated: | January 10, 2007 |
| Description: |
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 5, 2006 |
Updated: | November 30, 2006 |
| Description: |
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: |
|
Comments (none posted)
Resources
Ross Anderson's well regarded book Security Engineering is now available online. From Bruce Schneier's introduction:
Security engineering is different from any other kind of programming. It's a point I made over and over again: in my own book, Secrets and Lies, in my monthly newsletter Crypto-Gram, and in my other writings. And it's a point Ross makes in every chapter of this book. This is why, if you're doing any security engineering ... if you're
even thinking of doing any security engineering, you need to read this book. It's the
first, and only, end-to-end modern security design and engineering book ever written.
Comments (6 posted)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|