LWN.net Logo

Security

A Firefox PDF plugin XSS vulnerability

January 3, 2007

This article was contributed by Jake Edge.

A particularly nasty cross-site scripting (XSS) vulnerability has surfaced that impacts Firefox users who have installed the Adobe Reader (Acrobat/PDF) plugin. Proof of concept exploits have been published on Bugtraq as well as several blogs (here for example). Adobe has fixed the problem in Acrobat version 8; which is only available for Windows, no word yet on a fix for the Linux plugin (which is based on Acrobat version 7).

The technique was first disclosed last week at the 23rd Chaos Communication Congress by Stefano Di Paola and Giorgio Fedon in their Subverting AJAX presentation. Sven Vetsch discovered another wrinkle and publicized it on his blog. The crux of the vulnerability is a link with a URL of the following form:

    http://host/path/to/file.pdf#anystring=javascript:malicious_code_here
The host and path to file are legitimate URL paths to a PDF file that is hosted somewhere on the net, quite possibly at a site that is trusted by the user. The attacker need not have any access to the PDF file, but can have his code executed while appearing to be a simple download from the affected site. It is the ability to turn any PDF hosted on any site into an XSS attack that makes this vulnerability so insidious.

The vulnerability exploits a feature of the Adobe plugin that is not shared with other mechanisms for viewing PDFs from the web (including using the acroread external program that is also supplied by Adobe). Arguments can be passed to the plugin via the information after the '#' and can be used to specify a specific page or search string in the PDF. It can also be used to populate PDF forms using '#FDF=URL' arguments and the information for the forms is retrieved from the URL. Evidently Adobe does not check for FDF or two other similar argument types (which is why 'anystring=' works) and blindly asks the browser to fetch the URL specified. If the URL is javascript code as described above, the plugin does not detect that case and in effect forces the browser to execute it.

Any site hosting a PDF file is vulnerable and there is little that the site can do; there is no indication that the request is anything out of the ordinary because the string after the '#' is not passed as part of the request. Concerned sites could stop hosting PDF files, but that seems rather unlikely. Other server-side solutions are being discussed as there is a concern that users are unlikely to upgrade their browser plugins. Hosting sites would much rather that they be in control of whether their PDF files can appear in links with malicious content. Most XSS problems can be handled by proper server side filtering of user supplied content, but this particular vulnerability is different.

So far there are no reports of other PDF plugins that follow Adobe's lead in retrieving URLs that appear in links to PDF files. In this author's experience, PDF viewing utilities are separate programs that get invoked by the browser after it downloads a PDF file. For xpdf and kpdf (and presumably others), this works just fine but Adobe chose to provide a means of more closely integrating PDF viewing into the browser. Unfortunately, the fact that this plugin is closed source implies that users, especially Linux users, must wait for Adobe to fix the problem. We cannot fix it ourselves.

One could certainly imagine a similar mistake being made by one of the other PDF viewer development teams; Adobe is hardly alone in making bad choices in developing software. However, the fix for an open source PDF viewer would likely be available within hours of the report. Adobe was notified about this problem on 15 October according to the advisory, but there is still no fix for Linux. Disabling the plugin would seem to be prudent.

Fixing the affected software is just the start of the task of fixing the overall problem. As mentioned above, users are not particularly good at picking up security fixes even when they know about them. Getting the message out on this particular problem is a big hurdle. The alternative is to educate users so that they can recognize maliciously crafted links to PDFs and that is almost certainly a harder task.

The potential for a widespread outbreak exploiting this vulnerability is fairly high and this will probably not be the last we will hear about it. It certainly has the possibility of damaging the reputation of PDF amongst even casual web users and that is probably keeping some folks at Adobe awake at nights.

Comments (20 posted)

New vulnerabilities

cacti: multiple vulnerabilities

Package(s):cacti CVE #(s):CVE-2006-6799
Created:January 1, 2007 Updated:January 26, 2007
Description: The network monitoring and graphing frontend Cacti has three vulnerabilities. The cmd.php script allows command line usage and is also installed in a web-accessible location. The cmd.php input is insufficiently sanitized, a passed-in URL can be used to inject arbitrary SQL code. The cmd.php script can be used by a remote attacker to execute arbitrary shell commands via improperly sanitized results from SQL queries.
Alerts:
Gentoo 200701-23 2007-01-26
Debian DSA-1250-1 2007-01-17
Mandriva MDKSA-2007:015 2007-01-15
SuSE SUSE-SA:2007:007 2007-01-12
OpenPKG OpenPKG-SA-2007.001 2007-01-01

Comments (none posted)

denyhosts: denial of service

Package(s):denyhosts CVE #(s):CVE-2006-6301
Created:January 3, 2007 Updated:January 3, 2007
Description: A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.
Alerts:
Gentoo 200701-01 2007-01-03

Comments (2 posted)

elog: multiple vulnerabilities

Package(s):elog CVE #(s):CVE-2006-5063 CVE-2006-5790 CVE-2006-5791 CVE-2006-6318
Created:December 28, 2006 Updated:January 3, 2007
Description: elog, a web-based electronic logbook has multiple vulnerabilities that may lead to arbitrary code execution. Log entry editing in HTML has a cross-site scripting vulnerability. A number of format string vulnerabilities may be used for the execution of arbitrary code. There are cross-site scripting vulnerabilities related to the creation of new logbook entries. There is insufficient error handling in config the file parsing that may be used for a denial of service attack.
Alerts:
Debian DSA-1242-1 2006-12-27

Comments (none posted)

mono: source disclosure attack

Package(s):mono CVE #(s):CVE-2006-6104
Created:December 21, 2006 Updated:January 17, 2007
Description: The Mono ASP.NET server XSP has a source disclosure attack vulnerability. A malicious user can use this to acquire the source code of a server-side application.
Alerts:
Gentoo 200701-12 2007-01-16
Fedora FEDORA-2007-067 2007-01-12
Fedora FEDORA-2007-068 2007-01-12
SuSE SUSE-SA:2007:002 2007-01-04
Ubuntu USN-397-1 2006-12-20
Mandriva MDKSA-2006:234 2006-12-20

Comments (none posted)

openser: buffer overflow

Package(s):openser CVE #(s):
Created:December 26, 2006 Updated:January 3, 2007
Description: A buffer overflow was discovered in the "parse_expression" function of the "permissions" module of the SIP router OpenSER, versions up to and including 1.1.0. The OpenSER "permissions" module is used to determine if a SIP call has appropriate permission to be established. The "parse_expression" function is used during parsing of the modules local allow/deny configuration files.
Alerts:
OpenPKG OpenPKG-SA-2006.042 2006-12-26

Comments (none posted)

w3m: denial of service

Package(s):w3m CVE #(s):
Created:December 28, 2006 Updated:January 15, 2007
Description: The W3M textual web browser has a format string vulnerability. If the run-time options -dump or -backend are used, W3M can be made to crash if certain escape sequences occur in the Common Name of a web site X.509 certificate.
Alerts:
Fedora FEDORA-2007-077 2007-01-15
Fedora FEDORA-2007-078 2007-01-15
Gentoo 200701-06 2007-01-12
SuSE SUSE-SA:2007:005 2007-01-10
Ubuntu USN-399-1 2007-01-03
OpenPKG OpenPKG-SA-2006.044 2006-12-28

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

apache-mod_auth_kerb: off-by-one error

Package(s):apache-mod_auth_kerb CVE #(s):CVE-2006-5989
Created:November 24, 2006 Updated:January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.
Alerts:
Gentoo 200701-14 2007-01-22
Debian DSA-1247-1 2007-01-08
Red Hat RHSA-2006:0746-01 2006-12-06
Fedora FEDORA-2006-1341 2006-11-29
Mandriva MDKSA-2006:218 2006-11-23

Comments (none posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Recursive servers queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dbus: denial of service

Package(s):dbus CVE #(s):CVE-2006-6107
Created:December 15, 2006 Updated:February 12, 2007
Description: Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages).
Alerts:
rPath rPSA-2006-0233-1 2007-02-09
Red Hat RHSA-2007:0008-01 2007-02-08
Ubuntu USN-401-1 2007-01-04
OpenPKG OpenPKG-SA-2006.041 2006-12-21
Fedora FEDORA-2006-1475 2006-12-19
Mandriva MDKSA-2006:233 2006-12-18
Fedora FEDORA-2006-1464 2006-12-14

Comments (none posted)

dovecot: index cache file handling error

Package(s):dovecot CVE #(s):CVE-2006-5973
Created:November 29, 2006 Updated:May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
Alerts:
Fedora FEDORA-2006-1504 2006-12-27
Fedora FEDORA-2006-1396 2006-12-18
rPath rPSA-2006-0220-1 2006-11-30
Ubuntu USN-387-1 2006-11-28

Comments (none posted)

elinks: arbitrary file access

Package(s):elinks CVE #(s):CVE-2006-5925
Created:November 16, 2006 Updated:February 1, 2007
Description: The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: the AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

Mozilla stuff: multiple vulnerabilities

Package(s):firefox thunderbird seamonkey CVE #(s):CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6505
Created:December 20, 2006 Updated:March 12, 2007
Description: The Mozilla Project has released new versions of firefox, thunderbird, and seamonkey to address the usual pile of security issues; see this announcement or this CERT advisory for details.
Alerts:
Debian DSA-1265-1 2007-03-10
Debian DSA-1258-1 2007-02-07
Debian DSA-1253-1 2006-01-27
Ubuntu USN-398-4 2007-01-27
SuSE SUSE-SA:2007:006 2007-01-12
Mandriva MDKSA-2007:011 2007-01-11
Mandriva MDKSA-2007:010 2007-01-11
Gentoo 200701-04 2007-01-10
Ubuntu USN-400-1 2007-01-04
Gentoo 200701-03 2007-01-04
Gentoo 200701-02 2007-01-04
Ubuntu USN-398-2 2007-01-03
Ubuntu USN-398-3 2007-01-04
Ubuntu USN-398-1 2007-01-02
Fedora FEDORA-2006-004 2007-01-02
rPath rPSA-2006-0234-2 2006-12-22
SuSE SUSE-SA:2006:080 2006-12-29
Slackware SSA:2006-357-03 2006-12-25
Slackware SSA:2006-357-01 2006-12-25
Slackware SSA:2006-357-02 2006-12-25
rPath rPSA-2006-0234-1 2006-12-22
Fedora FEDORA-2006-1499 2006-12-21
Fedora FEDORA-2006-1491 2006-12-20
Fedora FEDORA-2006-1492 2006-12-20
Red Hat RHSA-2006:0759-01 2006-12-19
Red Hat RHSA-2006:0760-01 2006-12-19
Red Hat RHSA-2006:0758-01 2006-12-19

Comments (none posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

ftpd: privilege escalation

Package(s):ftpd CVE #(s):CVE-2006-5778
Created:November 10, 2006 Updated:February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack, an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Gentoo 200611-05:02 2006-11-10
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05 2006-11-10

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gnupg: stack overwrite

Package(s):gnupg CVE #(s):CVE-2006-6235
Created:December 12, 2006 Updated:March 13, 2007
Description: A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
Alerts:
Fedora FEDORA-2007-316 2007-03-12
Fedora FEDORA-2007-315 2007-03-12
SuSE SUSE-SA:2006:075 2006-12-13
Mandriva MDKSA-2006:228 2006-12-11

Comments (3 posted)

gv: stack-based buffer overflow

Package(s):gv CVE #(s):CVE-2006-5864
Created:November 20, 2006 Updated:April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
Alerts:
Gentoo 200704-06 2007-04-06
Gentoo 200703-24 2007-03-26
Debian DSA-1243-1 2006-12-28
Debian DSA-1214-2 2006-12-27
Mandriva MDKSA-2006:229 2006-12-13
rPath rPSA-2006-0230-1 2006-12-12
Fedora FEDORA-2006-1438 2006-12-11
Fedora FEDORA-2006-1437 2006-12-11
Ubuntu USN-390-3 2006-12-06
Ubuntu USN-390-2 2006-12-06
Mandriva MDKSA-2006:214-1 2006-12-04
Ubuntu USN-390-1 2006-11-30
Gentoo 200611-20 2006-11-24
Debian DSA-1214-1 2006-11-20
Mandriva MDKSA-2006:214 2006-11-17

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: buffer overflows

Package(s):imagemagick CVE #(s):CVE-2006-5868
Created:November 28, 2006 Updated:February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0015-01 2007-02-15
Mandriva MDKSA-2006:223 2006-12-01
Ubuntu USN-386-1 2006-11-28

Comments (1 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

kdegraphics: stack overflow

Package(s):kdegraphics CVE #(s):CVE-2006-6297
Created:December 12, 2006 Updated:January 13, 2007
Description: A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as used by konqueror, digikam, and other KDE image browsers, allows remote attackers to cause a denial of service (stack consumption) via a crafted EXIF section in a JPEG file, which results in an infinite recursion.
Alerts:
Gentoo 200701-05 2007-01-12
Mandriva MDKSA-2006:227 2006-12-11

Comments (none posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: bridging code buffer overflow

Package(s):kernel CVE #(s):CVE-2006-5751
Created:December 6, 2006 Updated:January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
Alerts:
Mandriva MDKSA-2007:002 2007-01-02
SuSE SUSE-SA:2006:079 2006-12-21
Fedora FEDORA-2006-1471 2006-12-18
Fedora FEDORA-2006-1470 2006-12-18
Ubuntu USN-395-1 2006-12-13
Debian DSA-1233-1 2006-12-10
rPath rPSA-2006-0226-1 2006-12-06

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the netfilter for IPv6 code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

koffice: integer overflow

Package(s):koffice CVE #(s):CVE-2006-6120
Created:November 30, 2006 Updated:February 20, 2007
Description: The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0010-01 2007-02-20
Slackware SSA:2006-357-04 2006-12-25
Gentoo 200612-05 2006-12-10
Mandriva MDKSA-2006:222 2006-12-01
Ubuntu USN-388-1 2006-11-29

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libgsf: heap buffer overflow

Package(s):libgsf CVE #(s):CVE-2006-4514
Created:November 30, 2006 Updated:January 11, 2007
Description: The GNOME library libgsf, which is used for writing structured file formats, has a heap buffer overflow that can be exploited for the purpose of executing arbitrary code.
Alerts:
Red Hat RHSA-2007:0011-01 2007-01-11
SuSE SUSE-SA:2006:076 2006-12-14
rPath rPSA-2006-0232-1 2006-12-14
Gentoo 200612-13 2006-12-12
Fedora FEDORA-2006-1417 2006-12-07
Fedora FEDORA-2006-1399 2006-12-05
Ubuntu USN-391-1 2006-12-04
Mandriva MDKSA-2006:220 2006-11-30
Debian DSA-1221-1 2006-11-30

Comments (none posted)

libmodplug: boundary errors

Package(s):libmodplug CVE #(s):CVE-2006-4192
Created:December 11, 2006 Updated:September 28, 2007
Description: Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp. A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application.
Alerts:
Ubuntu USN-521-1 2007-09-27
Mandriva MDKSA-2007:001 2007-01-02
Gentoo 200612-04 2006-12-10

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14
Red Hat RHSA-2008:0848-01 2008-08-28
CentOS CESA-2008:0848 2008-08-30

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

linux-restricted-modules: nVidia driver vulnerability

Package(s):linux-restricted-modules CVE #(s):CVE-2006-5379
Created:November 6, 2006 Updated:January 11, 2007
Description: Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.
Alerts:
Mandriva MDKSA-2007:007 2007-01-10
Gentoo 200611-03 2006-11-07
Ubuntu USN-377-1 2006-11-03

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-2006-0055 2006-10-06
rPath rPSA-2006-0176-1 2006-09-29
Mandriva MDKSA-2006:171 2006-09-28

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 <