LWN.net Logo

Security

Rainbow tables for password cracking

November 8, 2006

This article was contributed by Jake Edge.

An announcement about a new site offering free 'rainbow tables' on the bugtraq mailing list sparked our interest; what are these tables and what can they be used for? It turns out that rainbow tables are the result of pre-computing various one-way hash functions to facilitate decrypting them. In effect, the right set of tables makes a one-way hash function reversible for certain inputs and the inputs of interest are passwords.

Many applications use one-way hash functions (such as MD5 or SHA1) to store passwords because they hide the password value from prying eyes, but it is easy to compare hashed passwords when a user logs in. This relies on the fact that it is difficult to reverse the hash function and produce the original password, but the application can just apply the hash function to the password presented and compare the output to the stored hash. Operating systems, database management systems, web and other applications often use this method to store their users' passwords.

For those that might want to crack a password, a straightforward, but very time consuming method would be to brute force it. Generate the hashed values for each string in the password search space and compare it to the hashed value of interest; when they match, the password is cracked. If one needed to crack passwords regularly, it might make sense to store the password to hash mappings so that it would just take a lookup to find any previously cracked password. The storage requirements of that kind of table, for any plausible set of potential passwords (say 1-8 alphanumeric characters) are huge. Rainbow tables are a way to reduce the storage requirements substantially while still preserving much of the speed benefits of using a lookup table.

To create a rainbow table, you must first come up with a reduction function that takes a hash as input and maps it to a password in the search space. You then start with a password and repeatedly hash and reduce it several thousand times creating a chain of passwords. You discard all but the first and last password and store that pair. To reverse a particular hash value, you reduce the hash value and look for that password as the end of one of the chains. If you do not find it, then you hash and reduce again. Once you find a matching end of the chain, you use the first password to recreate the chain and the cracked password is the second to last in the chain.

This ingenious scheme comes from a paper presented at the CRYPTO 2003 conference. The paper is a bit dense if you are unfamiliar with the references cited, so the author has a simplified explanation as well.

Rainbow tables are specific to a particular hash algorithm and password search space and that is where the free rainbow tables site comes in handy. There are currently two tables available there, one for MD5 and one for the older Windows DES-based password algorithm. The MD5 version is 36Gb in size and will crack 99.9% of lowercase alphanumeric passwords that are eight characters or less in length. The site also has links to other sites with tables as well as to the Project RainbowCrack site which has source for various programs to generate and use the tables.

The best defense against rainbow tables is 'salt', which has been a part of UNIX passwords since near the beginning of time (UNIX epoch time anyway). Salt is a random string that is added to the password before hashing it and then stored with the password. Linux MD5 passwords store the salt between two dollar signs in the password field in /etc/shadow. This random string effectively multiplies the number of tables required to do a dictionary lookup by the number of individual salt values available. Even just eight bits of salt (and Linux uses much more than that) would require nine terabytes of rainbow table.

While this technique is not particularly effective at recovering OS passwords (at least on Linux), there are quite a number of web applications that store straight MD5 passwords without any salt (and some, sadly, store plaintext passwords). Other applications may do that as well. If the password hashes become exposed via a SQL injection or other flaw, rainbow tables could be just the ticket to breaking into those systems.

Comments (7 posted)

New vulnerabilities

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

ingo1: missing input sanitizing

Package(s):ingo1 CVE #(s):CVE-2006-5449
Created:November 3, 2006 Updated:November 27, 2006
Description: It was discovered that the Ingo email filter rules manager performs insufficient escaping of user-provided data in created procmail rules files, which allows the execution of arbitrary shell commands.
Alerts:
Gentoo 200611-22 2006-11-27
Debian DSA-1204-1 2006-11-02

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the netfilter for IPv6 code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

libpam-ldap: insecure password control

Package(s):libpam-ldap CVE #(s):CVE-2006-5170
Created:November 3, 2006 Updated:December 21, 2006
Description: Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyReponse control messages incorrectly, which might lead to an attacker being able to login into a suspended system account.
Alerts:
Gentoo 200612-19 2006-12-20
SuSE SUSE-SR:2006:027 2006-11-24
Red Hat RHSA-2006:0719-01 2006-11-15
Mandriva MDKSA-2006:201 2006-11-07
Trustix TSLSA-2006-0061 2006-11-03
Debian DSA-1203-1 2006-11-02

Comments (none posted)

libX11: file descriptor leak

Package(s):libX11 CVE #(s):CVE-2006-5397
Created:November 7, 2006 Updated:November 8, 2006
Description: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.
Alerts:
Mandriva MDKSA-2006:199 2006-11-06

Comments (1 posted)

Mozilla products: multiple vulnerabilities

Package(s):thunderbird firefox seamonkey CVE #(s):CVE-2006-5463 CVE-2006-5747 CVE-2006-5748 CVE-2006-5464
Created:November 8, 2006 Updated:December 11, 2006
Description: Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details.
Alerts:
Gentoo 200612-08 2006-12-10
Gentoo 200612-07 2006-12-10
Gentoo 200612-06 2006-12-10
Debian DSA-1227-1 2006-12-04
Debian DSA-1225-2 2006-12-03
Debian DSA-1225-1 2006-12-03
Debian DSA-1224-1 2006-12-03
Ubuntu USN-381-1 2006-11-16
Ubuntu USN-382-1 2006-11-16
SuSE SUSE-SA:2006:068 2006-11-16
Slackware SSA:2006-313-01 2006-11-10
rPath rPSA-2006-0206-1 2006-11-09
Mandriva MDKSA-2006:206 2006-11-09
Mandriva MDKSA-2006:205 2006-11-09
Fedora FEDORA-2006-1199 2006-11-08
Red Hat RHSA-2006:0735-01 2006-11-08
Red Hat RHSA-2006:0734-01 2006-11-08
Red Hat RHSA-2006:0733-02 2006-11-08
Fedora FEDORA-2006-1194 2006-11-08
Fedora FEDORA-2006-1192 2006-11-08
Fedora FEDORA-2006-1191 2006-11-08
Fedora FEDORA-2006-1191 2006-11-08

Comments (none posted)

openssh: privilege separation issue

Package(s):openssh CVE #(s):CVE-2006-5794
Created:November 8, 2006 Updated:April 5, 2007
Description: From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities."
Alerts:
Fedora FEDORA-2007-395 2007-04-03
Fedora FEDORA-2006-1215 2006-11-20
Fedora FEDORA-2006-1214 2006-11-20
SuSE SUSE-SR:2006:026 2006-11-17
Trustix TSLSA-2006-0063 2006-11-15
Red Hat RHSA-2006:0738-01 2006-11-15
rPath rPSA-2006-0207-1 2006-11-09
Mandriva MDKSA-2006:204 2006-11-08
OpenPKG OpenPKG-SA-2006.032 2006-11-08

Comments (none posted)

php: buffer overflows

Package(s):php CVE #(s):CVE-2006-5465
Created:November 3, 2006 Updated:November 15, 2006
Description: The Hardened-PHP Project discovered buffer overflows in htmlentities/htmlspecialchars internal routines to the PHP Project. Of course the whole purpose of these functions is to be filled with user input. (The overflow can only be when UTF-8 is used)
Alerts:
SuSE SUSE-SA:2006:067 2006-11-15
rPath rPSA-2006-0205-1 2006-11-09
Red Hat RHSA-2006:0731-01 2006-11-10
Red Hat RHSA-2006:0730-01 2006-11-06
Debian DSA-1206-1 2006-11-06
Fedora FEDORA-2006-1169 2006-11-06
Fedora FEDORA-2006-1168 2006-11-06
Slackware SSA:2006-307-01 2006-11-06
OpenPKG OpenPKG-SA-2006.028 2006-11-06
Ubuntu USN-375-1 2006-11-02
Mandriva MDKSA-2006:196 2006-11-02

Comments (none posted)

postgresql: several vulnerabilities

Package(s):postgresql-8.1 CVE #(s):CVE-2006-5540 CVE-2006-5541 CVE-2006-5542
Created:November 3, 2006 Updated:November 8, 2006
Description: Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash. (CVE-2006-5541)

Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard. (CVE-2006-5540)

Sergey Koposov discovered a flaw in the duration logging. This could cause a server crash under certain circumstances. (CVE-2006-5542)

Alerts:
Ubuntu USN-369-2 2006-11-01

Comments (none posted)

rpm: arbitrary code execution

Package(s):rpm CVE #(s):CVE-2006-5466
Created:November 6, 2006 Updated:August 28, 2007
Description: An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Fedora FEDORA-2007-668 2007-08-27
Gentoo 200611-08 2006-11-13
Mandriva MDKSA-2006:200 2006-11-07
Ubuntu USN-378-1 2006-11-04

Comments (none posted)

texinfo: buffer overflow

Package(s):texinfo CVE #(s):CVE-2006-4810
Created:November 8, 2006 Updated:November 27, 2006
Description: Texinfo contains a buffer overflow which could be exploited (via a specially-crafted info file) to run arbitrary code.
Alerts:
rPath rPSA-2006-0219-1 2006-11-27
Debian DSA-1219-1 2006-11-27
Gentoo 200611-16 2006-11-21
OpenPKG OpenPKG-SA-2006.034 2006-11-15
Ubuntu USN-379-1 2006-11-09
Fedora FEDORA-2006-1203 2006-11-09
Fedora FEDORA-2006-1202 2006-11-09
Red Hat RHSA-2006:0727-01 2006-11-08
Mandriva MDKSA-2006:203 2006-11-08

Comments (none posted)

thttpd: insecure temporary files

Package(s):thttpd CVE #(s):CVE-2006-4248
Created:November 3, 2006 Updated:December 1, 2006
Description: Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack.
Alerts:
Debian DSA-1205-2 2006-12-01
Debian DSA-1205-1 2006-11-02

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark ethereal CVE #(s):CVE-2006-4574 CVE-2006-4805 CVE-2006-5468 CVE-2006-5469 CVE-2006-5740
Created:November 3, 2006 Updated:November 14, 2006
Description: There are multiple vulnerabilities in Wireshark (formerly Ethereal):
  • Off-by-one error in the MIME Multipart dissector in Wireshark 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. CVE-2006-4574
  • epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. CVE-2006-4805
  • Unspecified vulnerability in the HTTP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVE-2006-5468
  • Unspecified vulnerability in the WBXML dissector in Wireshark 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. CVE-2006-5469
  • Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. CVE-2006-5740
Alerts:
SuSE SUSE-SA:2006:065 2006-11-14
Red Hat RHSA-2006:0726-01 2006-11-09
Mandriva MDKSA-2006:195 2006-11-02
Debian DSA-1201-1 2006-10-31
rPath rPSA-2006-0202-1 2006-11-01
Fedora FEDORA-2006-1140 2006-11-01
Fedora FEDORA-2006-1141 2006-11-01

Comments (none posted)

wv: integer overflow

Package(s):wv CVE #(s):CVE-2006-4513
Created:November 2, 2006 Updated:December 7, 2006
Description: The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user.
Alerts:
Gentoo 200612-01 2006-12-07
Mandriva MDKSA-2006:202 2006-11-07
Ubuntu USN-374-1 2006-11-01

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

asterisk: arbitrary code execution

Package(s):asterisk CVE #(s):CVE-2006-5444
Created:October 19, 2006 Updated:December 6, 2006
Description: The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.
Alerts:
Debian DSA-1229-1 2006-12-06
SuSE SUSE-SA:2006:069 2006-11-16
Gentoo 200610-15 2006-10-30
OpenPKG OpenPKG-SA-2006.024 2006-10-19

Comments (none posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Recursive servers queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: the AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:November 17, 2006
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14
Red Hat RHSA-2008:0848-01 2008-08-28
CentOS CESA-2008:0848 2008-08-30

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
OpenPKG OpenPKG-SA-2006.031 2006-11-06
Debian DSA-1194-1 2006-10-09
Gentoo 200608-17 2006-08-10
Ubuntu USN-333-1 2006-08-09
Mandriva MDKSA-2006:132 2006-07-28
Fedora FEDORA-2006-831 2006-07-18
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-804 2006-07-12

Comments (none posted)

linux-restricted-modules: nVidia driver vulnerability

Package(s):linux-restricted-modules CVE #(s):CVE-2006-5379
Created:November 6, 2006 Updated:January 11, 2007
Description: Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.
Alerts:
Mandriva MDKSA-2007:007 2007-01-10
Gentoo 200611-03 2006-11-07
Ubuntu USN-377-1 2006-11-03

Comments (none posted)

mono: symlink vulnerability

Package(s):mono CVE #(s):CVE-2006-5072
Created:October 4, 2006 Updated:December 1, 2006
Description: The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application.
Alerts:
SuSE SUSE-SA:2006:073 2006-12-01
Gentoo 200611-23 2006-11-28
Mandriva MDKSA-2006:188 2006-10-27
Fedora FEDORA-2006-1012 2006-10-06
Ubuntu USN-357-1 2006-10-04

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created:September 15, 2006 Updated:November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Alerts:
Debian DSA-1210-1 2006-11-14
Gentoo 200610-04 2006-10-16
Ubuntu USN-361-1 2006-10-10
Debian DSA-1192-1 2006-10-06
Gentoo 200610-01 2006-10-04
Debian DSA-1191-1 2006-10-05
Ubuntu USN-354-1 2006-10-02
Gentoo 200609-19 2006-09-28
Mandriva MDKSA-2006:169 2006-09-22
Ubuntu USN-352-1 2006-09-25
Ubuntu USN-351-1 2006-09-22
SuSE SUSE-SA:2006:054 2006-09-22
Ubuntu USN-350-1 2006-09-21
Mandriva MDKSA-2006:168 2006-09-20
Red Hat RHSA-2006:0677-01 2006-09-15
Red Hat RHSA-2006:0676-01 2006-09-15
Red Hat RHSA-2006:0675-01 2006-09-15
rPath rPSA-2006-0169-1 2006-09-15
Slackware SSA:2006-257-03 2006-09-15
Fedora FEDORA-2006-977 2006-09-14
Fedora FEDORA-2006-976 2006-09-14

Comments (none posted)

mutt: race conditions

Package(s):mutt CVE #(s):CVE-2006-5297 CVE-2006-5298
Created:October 30, 2006 Updated:November 1, 2006
Description: A race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems. (CVE-2006-5297)

The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlier does not properly verify that temporary files have been created with restricted permissions, which might allow local users to create files with weak permissions via a race condition between the mktemp and safe_fopen function calls. (CVE-2006-5298)

Alerts:
Ubuntu USN-373-1 2006-11-01
Mandriva MDKSA-2006:190 2006-10-27

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-