Security updates for embedded systems
The Avaya S8500 Media Server is a product which "allows for a distributed
enterprise over an IP infrastructure in the mid-market space (up to 3200
ports)." Whatever that means. It fits in a 1U rack space; it also,
as it happens, runs Linux - Red Hat Enterprise Linux, in particular. So,
when Red Hat recently produced a security update for its kernel, Avaya sent
out an advisory of its own. As it turns out, however, Avaya has classified
this set of vulnerabilities as being of "low" concern, so, by the company's
posted policy, there will be no software update coming anytime soon.
Instead, the fixes will be packaged up with the next regular operating
system update.
In the meantime, however, Avaya has a helpful suggestion:
For all system products which use vulnerable versions of the
kernel, Avaya recommends that customers restrict local and network
access to the server. This restriction should be enforced through
the use of physical security, firewalls, ACLs, VPNs, and other
generally-accepted networking practices until such time as an
update becomes available and can be installed
Restricting network access will certainly make a network server product
more secure, but it might just interfere with the tasks said server was
purchased to perform in the first place.
In a separate episode, your editor was recently wandering around on the net
in search of a fix for some obnoxious behavior exhibited by his DSL
router. As it turns out, this router runs Linux.
One can telnet into it and wander around. It's always amusing to discover
that one is running even more Linux systems than had been previously
thought. This one is built upon a MontaVista distribution, and is running
a 2.4.17 kernel.
As LWN readers may have noticed, there have been a few security issues
discovered in the 2.4 kernel after 2.4.17 was released. Quite a few. The
support services sold by MontaVista to its customers must certainly include
security updates, but there does not appear to be any mechanism for getting
those updates through to the end customers who will actually be running
vulnerable software. That is true even in your editor's case, where the
router was obtained directly from the local huge telecom company, which
should have good records regarding the equipment at its customers' homes.
Said large telecom company tends to be held in rather low esteem by its
customers, but, even so, one might expect that it would make a minimal
attempt to keep those customers (who are, in the end, connected to its
network) secure.
The end result is that your editor's DSL router - a Linux system with all
the power BusyBox can deliver - almost certainly contains known security
holes. It has writable flash storage, and can run programs uploaded to
it. This is a rather discouraging situation when one considers that,
for many users, this router will be the front gate to their home or small
business network. The potential for mass mayhem is real.
In both cases, we are seeing situations where Linux systems have been
deployed into security-relevant roles, but the security update mechanism
has not kept up with them. As Linux pushes its way into more low-end
consumer-grade devices, this problem will multiply. Who thinks about
applying security updates to their telephone? And which manufacturers of
cheap consumer electronics will concern themselves with pushing security
updates to their customers?
Linux systems can be quite secure, especially when they are pared down to a
minimal set of functions. But one of the things that keeps Linux secure is
the quick closing of known security holes, and the quick dissemination of
those fixes to deployed Linux systems. Without that support structure in
place, Linux systems (like all others) become vulnerable to holes
discovered after they were built.
Embedded systems tend to lack that support structure. When the system is,
say, a music player with no connection to the wider world, there is no
particular cause for concern. Network-connected devices, however, are
subject to attack. Fortunately, network-connected devices should also be
able to detect and install security updates - though setting up such a
mechanism in a way which does not create privacy concerns can be a
challenge. It should be a solvable problem.
The use of Linux in embedded systems is a cool thing - especially if those
systems are designed to allow improvements by their users. It is one more
step toward World Domination. But that cause could be set back
significantly by a single Linux-based router or cellphone worm. We do not
yet know how to create systems which will remain secure indefinitely into
the future. Until that problem is solved, we must maintain structures
which can close vulnerabilities as they are discovered. Purveyors of
embedded systems ignore that need at their peril.
Various notes, all about Python
Dave Jones's "How user space sucks" talk at OLS this year received quite a
bit of attention. It is
simultaneously discouraging and encouraging to know that so many of our
applications behave
as inefficiently as they do. Discouraging because we should be doing
better than that; encouraging because there are obviously easy fixes to be
made.
Jeff Waugh recently brought back memories of that talk with a weblog
entry on how Python behaves. For the curious: start up an interactive
Python interpreter, then examine it from another window with
strace. That Python interpreter, seemingly doing nothing, is, in
fact, busily waking up ten times per second so that it can do nothing in a
more active way. The offending code (in the readline library) is easy to
find; it wakes up every 100ms just in case somebody might have registered a
hook to look for events outside of the input file descriptor. As it turns
out, the Python GTK library does the same thing so that it can check for
pending signals. So a system running a number of Python GTK applications
(and some systems have many) will be experiencing the load of each one of
them doing nothing every 100ms.
This sort of behavior uses CPU time needlessly and it keeps the processor
from sleeping - thus draining laptop batteries more quickly. Not good
behavior - and a bit of low-hanging fruit that, one hopes, will get fixed in
the near future.
Meanwhile, the Python developers are working toward a major new release
with the first Python 2.5 release candidate in
testing for the last few weeks. For a full description of what's in Python
2.5, see A.M. Kuchling's excellent summary. New language features include conditional
expressions (something like the "? :" notation used in C, but
with a very different syntax), partial function application (forms of
functions with some of the arguments supplied ahead of time), a number of
exception handling improvements, a "with" statement intended to
provide robust cleanup handling, and a number of performance improvements.
There is also a long list of new modules and enhancements to existing
modules.
The Python developers have long talked, often not entirely seriously, about
"Python 3000," the upcoming major update to the language. While the Python
language has evolved considerably over the 2.x series, it has done so in a
compatible manner - older Python programs continue to run (though Python
extensions written in other languages have tended to break). With Python
3000, the plan is that anything can happen, and there will be no guarantee
(or even, perhaps, hope) that unmodified Python 2.x programs will work.
Python 3000 has been, as they say, Py in the sky for some time. But it
looks like that situation might change before too long; some serious plans
for the Python 3000 series have been laid down, and development may happen
soon. Very soon, according to Python
benevolent dictator for life Guido van Rossum:
We are now officially starting parallel development of 2.6 and
3.0. I really don't expect that we'll be able to merge the easily
into the 3.0 branch much longer, so effectively 3.0 will be a fork
of 2.5.
He goes on to suggest that much of the work for Python 2.6 may be oriented
toward helping programs (and programmers) make the jump to the eventual
3000 release. So Python 2.6 may not contain a whole lot of new
features, but it could have a bunch of new warnings for things that will
break in the future - and fixes to the standard modules to avoid those
warnings.
The first alpha Python 3000 release is expected sometime next year; it
could be a year or so after that before the stable release (to be
Python 3.0) is ready. Current plans are to continue to develop and
support 2.x for some time - well into the 3.x series.
What will be in Python 3000 (3.0)? Python Enhancement Proposal 3100 has the
details, as they are understood at the moment. These
include the removal of old-style classes, various expression syntax
changes, a new set syntax, use of Unicode throughout (but no non-ASCII
characters used in the language itself), and much more.
Python hackers who are concerned about changes to the language might want
to take a look at PEP 3099, a
document listing the things that will not change. These include no
implicit self, no programmable syntax, no overly complex parser,
and so on. There will be no braces added in Python 3.0, preserving
the grouping by indentation that is such a strong characteristic of the
language; for some amusement, fire up Python and type:
from __future__ import braces
In the end, for all its changes, the Python language will still be very
much true to its original goals: a straightforward language with one clear
way to carry out most tasks. Python 3.0 will also be developed in an
evolutionary manner - no massive rewrite or multi-year series of
pronouncements from the language designer. As a result, Python 3.0
should, despite its rather late start, be in use well before Perl 6.
Finally, for a different and interesting project, PyPy is worth
a look. These developers are writing an entirely new Python interpreter -
in Python. There are a lot of goals driving this work, one of which is the
ability to compile the interpreter into a runtime system which is highly
targeted for its intended purpose. Different builds can use different
memory management algorithms, for example. The developers believe that
they will eventually be able to build Python systems which run faster than
the current C interpreter - though, at this point, they are running about
three times slower. It is an active project, however, which is making
rapid progress; expect interesting things from that direction.
Eclipse signs up Black Duck
Black Duck Software was profiled on LWN by Pamela Jones just over one year
ago. This company sells a
product which enables companies to verify the sources of software in
products that they ship; in particular, it seems oriented toward helping
proprietary software vendors avoid unwitting violation of licenses like the
GPL. This product includes "code prints" of thousands of free software
releases; these prints can be compared against a program to determine if any of
that program's code came from one of those projects. It seems like a
product which could bring some peace of mind to company managers who worry
about whether their programmers might be using free code in projects which
are not intended for free release.
Whether the database of code prints (much of which is obtained through a
"special relationship" with SourceForge) constitutes a derived product from the
free software code it is "compiled" from is an interesting question - but
one for a different article.
Today's topic involves this Black Duck press release stating that the
Eclipse project has purchased
Black Duck's "protexIP" product to verify licenses in the Eclipse code
base. From the PR:
"Companies worldwide are capitalizing on applications developed by
the Eclipse community, and many software vendors sell products that
are dependent on Eclipse," said Mike Milinkovich, executive
director of Eclipse Foundation. "For that reason, it is absolutely
vital for us to analyze our code before we release it to our
community."
At first blush, it might seem a little strange that a free software project
would purchase a proprietary tool to help ensure that no free code is
incorporated by mistake. There are, however, a couple of reasons why
Eclipse might want to take this step:
- Eclipse is distributed under the Eclipse Public
License. It is a free license, with copyleft-type requirements,
but it is not a GPL-compatible license. So the incorporation of any
GPL-licensed code into Eclipse would be a bad idea.
- Black Duck has been expanding its database with thousands of "code
prints" claimed from proprietary programs. Thus, the product should
be able to detect attempts to use proprietary code in cases where that
code has been fingerprinted by Black Duck.
So, if there are people within Eclipse who are worried about those types of
code contamination, perhaps using Black Duck's products will help them to
sleep a bit better at night.
One wonders, however, about what sort of commercial pressures might have
pushed Eclipse to make this decision. While Black Duck would, beyond
doubt, like to see this adoption as the beginning of a trend in the free
software world, some of us may feel a little differently. It would be a
sad day if we came to the point that free software projects had to buy this
sort of service to be taken seriously in the commercial world. Releasing
software is a remarkably easy process - at least, for those of us who are
not under the control of large corporate legal departments. Loading up the
process with expensive validation bureaucracy in the name of license
compliance seems like a step in the wrong direction.
Page editor: Jonathan Corbet
Security
AJAX and security
September 6, 2006
This article was contributed by Jake Edge.
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used
by web application developers to provide a user experience similar to that of
a local application. Unfortunately, AJAX also provides a number of serious
security issues that should be considered and, at least partly because the
technique is relatively new, many of the tutorials and other documentation
completely disregard the security implications. Developing secure code
rarely gets the attention it deserves and new technologies are typically
slow to develop 'best practices' and to disseminate that information
throughout their community. This can only lead to exploits in the future.
Traditional web applications are synchronous in nature, a user clicks a button
or link which sends a request to the server; the server replies with a page
of HTML and the browser displays the new page. AJAX applications do some
amount of work in the background, making requests of the server, sometimes
without explicit user input. These applications do not refresh the entire
page as they receive replies from the server; they only modify parts of the
page or their internal state which gives users a much smoother, less page
oriented experience.
One of the best known examples of an AJAX
application is Google Maps. While the
user is viewing a particular section of the map, the client requests
other sections of the map that are not yet visible and this allows the user
to seamlessly scroll the map to view off-screen sections. Auto-completion for
text fields, automatically updating form elements and form submission without
a page refresh are other common uses for AJAX in these
'Web 2.0' applications.
In order to handle the asynchronous server requests, AJAX programs use the
Javascript XMLHttpRequest (XHR) object. The name of this object is really
where the X in AJAX comes from, as XML is not necessarily used in the
XHR request or response. A client sends a request to a specific URL
on the same server as the original page and can receive any kind of reply
from the server. These replies are often snippets of HTML, but can also
be XML, Javascript Object Notation (JSON), image data or anything else
that Javascript can process.
Various queries and requests that were once handled internally on the
server are now exposed as a de facto API for AJAX applications. This
drastically increases the attack surface of these programs because there
are so many additional ways to potentially inject malicious content.
Filtering user input correctly is, as always, the single most important
safeguard for a web application; this is an area that traditional web
applications have regularly failed to handle correctly. It is difficult
to see how adding additional ways to get user input into the application
is going to help this problem.
SQL injection and cross-site scripting (XSS) are two attacks that can be
made against an application that does not filter user input correctly.
AJAX techniques allow for additional ways to exploit these vectors in the
background, undetectable by the user. The Myspace samy worm (a more
technical description is also available) is an example of the kinds of
things that can be done. At the recent Black Hat Briefings, there was a
session describing a port sniffer written in Javascript that could
potentially discover internal network details behind a firewall and report
them to a malicious site.
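An added illustration of the point above, in Python (this is not code from the article): a hypothetical auto-complete handler that answers an XHR with an HTML snippet, first as such handlers are commonly written and then with the request parameter validated and every untrusted string escaped before it is spliced into markup. The CUSTOMERS data and the `/complete?q=` request shape are constructed for the example.

```python
import html

# Constructed sample data (not from the article): the names an
# auto-complete endpoint searches as the user types.  The third entry
# stands in for a stored payload that earlier input filtering missed.
CUSTOMERS = ["Alice Adams", "Bob Brown", "Carol <script>alert(1)</script>"]

MAX_PREFIX = 64


def _matches(prefix):
    """Case-insensitive prefix search over the sample table."""
    return [c for c in CUSTOMERS if c.lower().startswith(prefix.lower())]


def complete_vulnerable(prefix):
    """Hypothetical handler for GET /complete?q=<prefix> that answers an
    XHR with an HTML snippet built by string concatenation.  Both the
    echoed prefix (reflected) and the stored names are copied into the
    markup verbatim, so the snippet the client drops into the page with
    innerHTML can carry script without the user ever seeing a page load."""
    items = _matches(prefix)
    if not items:
        return "<p>No matches for <b>%s</b></p>" % prefix
    return "<ul>" + "".join("<li>%s</li>" % c for c in items) + "</ul>"


def complete_hardened(prefix):
    """Same endpoint with two changes: the request parameter is validated
    as the de facto API it has become (length and character class), and
    every untrusted string is HTML-escaped before it is spliced into
    markup, whether it came from the request or from storage."""
    if len(prefix) > MAX_PREFIX or not prefix.isprintable():
        raise ValueError("rejected auto-complete prefix")

    def esc(s):
        # quote=True also escapes ' and ", so the value is safe inside
        # attribute values as well as element content.
        return html.escape(s, quote=True)

    items = _matches(prefix)
    if not items:
        return "<p>No matches for <b>%s</b></p>" % esc(prefix)
    return "<ul>" + "".join("<li>%s</li>" % esc(c) for c in items) + "</ul>"
```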
The requirement that XHR objects refer only to URLs on the same server is
an excellent security choice. Unfortunately, it is probably the single
biggest complaint that web designers have about AJAX. Because they often
want to display information from various sources on the same page, the
restriction is considered to be 'too strict' and to get around it, AJAX
bridges came about.
An AJAX bridge proxies requests to other servers, returning the remote
server's response. This allows XHR objects to refer to URLs on the
server that returned the page, but still retrieve content from other
servers elsewhere in the web. Unfortunately, this can lead to various
abuses. Depending on how it is written, the bridge can provide a means
to attack the third party site via SQL injection or XSS and allow the
malicious user to hide behind a level of indirection. Various monitoring
tools could detect the attack and shut down access for the aggregating
site, effectively causing a denial of service attack. By proxying requests,
a site is implicitly trusting its users not to abuse the APIs of third
parties.
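The bridge problem just described, as an added example in Python that is not part of the original article: instead of forwarding whatever URL the page hands it, the bridge rebuilds the outbound request from an allowlist of hosts, paths and validated parameters, and tags it so the third party and the bridge's own logs can attribute abuse to the originating client. The `api.weather.example` policy, the `city` parameter and its validator are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical bridge policy (constructed for this example): the only
# third-party endpoint this page may reach through the bridge, and the
# only query parameter it may carry, with a validator for that parameter.
ALLOWED_TARGETS = {
    "api.weather.example": {
        "/v1/current": {"city": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")},
    },
}


class BridgeRejected(ValueError):
    """Raised when the page asked the bridge for something off-policy."""


def plan_bridge_request(client_ip, requested_url):
    """Decide whether the bridge may forward `requested_url` on behalf of
    the browser at `client_ip`.  Returns (url, headers) for the outbound
    request, rebuilt from validated parts rather than forwarded verbatim,
    or raises BridgeRejected.  An open bridge would instead return
    requested_url unchanged, lending its own identity to every caller for
    whatever they choose to send to the third party."""
    parts = urlsplit(requested_url)
    if parts.scheme != "https":
        raise BridgeRejected("only https targets are bridged")
    if parts.username or parts.password or parts.port:
        raise BridgeRejected("credentials or explicit ports are not bridged")
    host = parts.hostname or ""          # urlsplit lower-cases this for us
    paths = ALLOWED_TARGETS.get(host)
    if paths is None:
        raise BridgeRejected("host not in allowlist: %r" % host)
    validators = paths.get(parts.path)   # exact match: no '..' or suffixes
    if validators is None:
        raise BridgeRejected("path not in allowlist: %r" % parts.path)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if len({k for k, _ in pairs}) != len(pairs):
        raise BridgeRejected("duplicate query parameter")
    for key, value in pairs:
        rule = validators.get(key)
        if rule is None:
            raise BridgeRejected("unknown parameter %r" % key)
        if not rule.match(value):
            raise BridgeRejected("parameter %r failed validation" % key)
    # Re-encode from the validated pairs; nothing from the original string
    # (fragments, odd encodings, extra '?') survives into the forwarded URL.
    clean = urlunsplit(("https", host, parts.path, urlencode(pairs), ""))
    # Attribution: the third party and the bridge's own logs can tie abuse
    # back to the browser that asked, instead of seeing only the bridge.
    headers = {"X-Forwarded-For": client_ip, "Via": "1.1 ajax-bridge"}
    return clean, headers
```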
Many of these attacks are not new, nor do they require AJAX to function, but
by incorporating AJAX techniques into web applications, they are made easier.
At one time, it was considered reasonable to turn off Javascript for many
or all sites, but with the prevalence of Web 2.0 applications, this just
is not possible for most web users. Web application developers need to be
vigilant in rooting out the bugs that allow these attacks to succeed.
New vulnerabilities
capi4hylafax: missing input sanitizing
| Package(s): | capi4hylafax |
| CVE #(s): | CVE-2006-3126 |
| Created: | September 1, 2006 |
| Updated: | October 18, 2006 |
| Description: | Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system. |
| Alerts: | |
cheesetracker: buffer overflow
| Package(s): | cheesetracker |
| CVE #(s): | CVE-2006-3814 |
| Created: | September 4, 2006 |
| Updated: | October 27, 2006 |
| Description: | Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code. |
| Alerts: | |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: | |
ImageMagick: buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-3743, CVE-2006-3744 |
| Created: | September 6, 2006 |
| Updated: | September 26, 2006 |
| Description: | The latest set of buffer overflow vulnerabilities in ImageMagick can be found in the Sun Raster and XCF decoders. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
| Alerts: | |
MySQL: denial of service
| Package(s): | mysql |
| CVE #(s): | CVE-2006-4380, CVE-2006-4389 |
| Created: | September 1, 2006 |
| Updated: | September 6, 2006 |
| Description: | MySQL before 4.1.13 allows local users to cause a denial of service (persistent replication slave crash) via a query with multiupdate and subselects. (CVE-2006-4380) There is a bug in the MySQL-Max (and MySQL) init script where the script was not waiting for the mysqld daemon to fully stop. This impacted the restart behavior during updates, as well as scripted setups that temporarily stopped the server to backup the database files. |
| Alerts: | |
openssl: insufficient signature checking
| Package(s): | openssl |
| CVE #(s): | CVE-2006-4339 |
| Created: | September 5, 2006 |
| Updated: | November 15, 2006 |
| Description: | Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key. |
| Alerts: | |
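The padding check at issue, modelled as an added example in Python (this is not OpenSSL's code): a lax verifier that parses the PKCS #1 v1.5 block and stops once it has matched the hash, beside a strict one that reconstructs the whole encoded message and compares it, which is the check that makes the exponent irrelevant. The SHA-1 DigestInfo prefix, the 128-byte block of a 1024-bit modulus and the constructed malformed block are assumptions; no RSA operation is performed, only the block-format check that follows it.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-1 (PKCS #1 / RFC 3447 section 9.2); the 20-byte
# hash follows this 15-byte ASN.1 header inside the encoded message.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(msg, em_len):
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T exactly as a correct
    signer would (RFC 3447 EMSA-PKCS1-v1_5); PS is all 0xff and fills the
    block, so T always ends on the last byte."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_verify(em, msg):
    """The kind of check the advisory describes: walk the padding, find the
    0x00 separator, parse DigestInfo, compare the hash, and never look at
    what follows.  The unchecked tail is what the advisory's forgery uses."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:   # at least eight 0xff
        return False
    body = em[i + 1:]
    if not body.startswith(SHA1_DIGESTINFO):
        return False
    h = body[len(SHA1_DIGESTINFO):len(SHA1_DIGESTINFO) + 20]
    return h == hashlib.sha1(msg).digest()         # trailing bytes ignored


def strict_verify(em, msg):
    """Rebuild the expected EM from the message and compare it whole; any
    deviation in padding length or trailing bytes is a failure."""
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, len(em)))


def trailing_garbage_block(msg, em_len):
    """Constructed test vector: minimum eight 0xff bytes, the right
    DigestInfo and hash, and the rest of the block filled with arbitrary
    bytes.  It is not a valid EMSA encoding of msg, yet it has exactly the
    shape a lax parser lets through."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + bytes(range(em_len - len(head)))
```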
openttd: denial of service
| Package(s): | openttd |
| CVE #(s): | CVE-2006-1998, CVE-2006-1999 |
| Created: | September 6, 2006 |
| Updated: | September 6, 2006 |
| Description: | A flaw in the openttd error handling code leaves the system vulnerable to a remote denial of service attack. Version 0.4.8 fixes the problem. |
| Alerts: | |
sendmail: denial of service
| Package(s): | sendmail |
| CVE #(s): | CVE-2006-4434 |
| Created: | August 31, 2006 |
| Updated: | September 6, 2006 |
| Description: | The sendmail mail transfer agent has a programming error. A remote attacker can send specially crafted email messages with extra long header lines to sendmail. The sendmail process will crash, leading to a denial of service. |
| Alerts: | |
Updated vulnerabilities
AlsaPlayer: multiple buffer overflows
| Package(s): | alsaplayer |
| CVE #(s): | CVE-2006-4089 |
| Created: | August 28, 2006 |
| Updated: | September 19, 2006 |
| Description: | AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer. |
| Alerts: | |
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
audacious: buffer overflow
| Package(s): | audacious |
| CVE #(s): | CVE-2006-3581, CVE-2006-3582 |
| Created: | August 2, 2006 |
| Updated: | September 13, 2006 |
| Description: | Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. |
| Alerts: | |
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2005-4807 |
| Created: | August 17, 2006 |
| Updated: | October 19, 2006 |
| Description: | The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user. |
| Alerts: | |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
| Alerts: | |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
mozilla: multiple vulnerabilities
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
| Alerts: | |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. |
| Alerts: | |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
gtetrinet: buffer overflows
| Package(s): | gtetrinet |
| CVE #(s): | CVE-2006-3125 |
| Created: | August 30, 2006 |
| Updated: | September 6, 2006 |
| Description: | A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code. |
| Alerts: | |
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. |
| Alerts: | |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
krb5: local privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-3083 |
| Created: | August 9, 2006 |
| Updated: | September 8, 2006 |
| Description: | Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: | |
lesstif: libXm library privilege escalation
| Package(s): | lesstif |
| CVE #(s): | CVE-2006-4124 |
| Created: | August 29, 2006 |
| Updated: | August 30, 2006 |
| Description: | The libXm library in LessTif 0.95.0 and earlier allows local users to gain privileges via the DEBUG_FILE environment variable, which is used to create world-writable files when libXm is run from a setuid program. |
| Alerts: | |
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others (e.g. Sparc) it can lead to a bus error, in other words a denial of service. |
| Alerts: | |
libgd2: denial of service
Package(s): libgd2
CVE #(s): CVE-2006-2906
Created: June 14, 2006
Updated: January 16, 2007
Description:
Certain GIF images can cause libgd2 to go into an infinite loop, adversely
affecting the performance of image processing applications.
Alerts:

libmms: buffer overflows
Package(s): libmms
CVE #(s): CVE-2006-2200
Created: July 6, 2006
Updated: December 25, 2006
Description:
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program.
Alerts:

libmusicbrainz: buffer overflows
Package(s): libmusicbrainz-2.0
CVE #(s): CVE-2006-4197
Created: August 30, 2006
Updated: October 23, 2006
Description:
Several buffer overflows have been discovered in the libmusicbrainz CD index
library.
Alerts:

libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description:
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Alerts:

libpng: buffer overflow
Package(s): libpng
CVE #(s): CVE-2006-3334
Created: July 19, 2006
Updated: November 17, 2006
Description:
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
Alerts:

libtiff: buffer overflows

libtiff: buffer overflow
Package(s): libtiff
CVE #(s): CVE-2006-2193
Created: June 15, 2006
Updated: September 1, 2008
Description:
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Alerts:

libvncserver: authentication bypass
Package(s): libvncserver
CVE #(s): CVE-2006-2450
Created: August 4, 2006
Updated: March 19, 2007
Description:
LibVNCServer fails to properly validate protocol types, effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server.
Alerts:

libwmf: integer overflow
Package(s): libwmf
CVE #(s): CVE-2006-3376
Created: July 13, 2006
Updated: November 6, 2006
Description:
libwmf, a library that is used for processing Windows MetaFile vector
graphics files, has an integer overflow vulnerability.
Alerts:

mutt: IMAP namespace buffer overflow
Package(s): mutt
CVE #(s): CVE-2006-3242
Created: June 28, 2006
Updated: October 24, 2006
Description:
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If a user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia
advisory for more information.
Alerts:

mysql: format string bug
Package(s): mysql
CVE #(s): CVE-2006-3469
Created: July 21, 2006
Updated: July 30, 2008
Description:
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
Alerts:

MySQL: privilege violations
Package(s): mysql
CVE #(s): CVE-2006-4031, CVE-2006-4226
Created: August 25, 2006
Updated: July 30, 2008
Description:
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
Alerts:

MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description:
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:

ncompress: buffer underflow
Package(s): ncompress
CVE #(s): CVE-2006-1168
Created: August 10, 2006
Updated: October 9, 2006
Description:
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
.bss buffer underflow.
Alerts:

openoffice.org: several vulnerabilities
Package(s): openoffice.org
CVE #(s): CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
Created: June 30, 2006
Updated: January 4, 2007
Description:
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:

php: arbitrary code execution
Package(s): php
CVE #(s): CVE-2006-4020
Created: August 22, 2006
Updated: September 21, 2006
Description:
A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via argument
swapping which incremented an index past the end of an array and triggered
a buffer over-read.
Alerts:

phpbb2: missing input sanitizing
Package(s): phpbb2
CVE #(s): CVE-2006-1896
Created: May 22, 2006
Updated: February 11, 2008
Description:
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
Alerts:

phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417,
CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537
Created: December 22, 2005
Updated: February 11, 2008
Description:
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Alerts:

phpMyAdmin: multiple vulnerabilities