Collections of subverted machines, called
botnets are typically
associated with Windows; thousands of zombie desktops sending spam and
causing other internet mayhem. Unfortunately, it is increasingly clear
that Linux boxes (as well as MacOS X and other UNIX boxes) are
participating in botnets, but in a bit of a twist, it is mostly servers
that have been subverted. Botnets are an enormous problem that
Vint Cerf recently
estimated
may involve up to one quarter of all internet connected computers. This
translates to a botnet controller's fondest wish: 150 million zombie machines
to rent to the highest bidder.
Desktops are usually infected with a bot by an email-borne virus or a
trojan attached to some application that the user installs, much like
adware and spyware infect machines. The bot software then connects to a
'command and control' (C&C) infrastructure, that often use Internet Relay
Chat (IRC) servers, to get instructions on what they should do. The 'owner'
of a botnet (known as a bot herder) can then instruct the bots to do whatever
they, or more likely their client, want. Because the traffic
generated from a botnet comes from all over the Internet, it is difficult
or impossible to recognize it for what it is. This allows botnets to be
used for spamming, distributed denial of service (DDOS) attacks, click fraud and
other malicious activities in a largely untraceable way.
The desktop infection methods are not typically as useful for Linux boxes
and so bot herders have turned to web application exploits as a means
for collecting subverted machines. Attacking servers has the additional
advantage that they are usually machines with much greater resources:
faster network connectivity, more storage, faster processors, etc. The attacks
are largely targeted at everyone's favorite Internet security whipping
boy, PHP applications. Open source PHP applications are the
main target as they are ubiquitous and typically easy to exploit as
some recent
research
indicates. An additional benefit of targeting a higher level application
is that it is a cross-platform exploit; the operating system and web server
software are immaterial if the target is a PHP application.
The easiest type of vulnerability to exploit is often
Remote File
Inclusion (RFI) which allows an attacker to run code on a
vulnerable server with the permissions of the webserver. Generally,
those permissions are sufficient to allow the bot to do anything the herder
might wish it to; sending email and other network traffic is not normally a privileged
activity. Even a cursory glance at the Bugtraq mailing list will reveal
numerous RFI vulnerabilities; they are reported regularly and each can lead
to bot exploitation if not patched.
Many different types of malware can be installed on a vulnerable machine,
depending on the intent of the herder. As with the exploit itself, the
installed code tends to be written in a scripting language so that it is
cross-platform. The malware can range from simple test tools
that indicate vulnerable servers to sophisticated shells that allow the
attacker to effectively login to the server and perform any allowed operation.
The most serious damage that these botnets have caused is to our
inbox; bots seem to be the preferred way to deliver spam these days.
Diligent anti-spam efforts tend to get spamming accounts or systems shut
down within hours but there is no easy way to shut down a spam-delivering botnet. A less
visible, but potentially more damaging effect is DDOS
attacks
on internet sites. By attacking a site and working their way up the
chain of DNS servers and registrars, a botnet can silence a site the herder
does not like or hold sites hostage until they pay a ransom.
Past efforts to thwart botnets have often focused on destroying the C&C
servers by shutting down the affected IRC sites, but botnets are
moving toward using HTTP for C&C which allows that traffic to hide amongst
the sea of similar traffic; it also has the advantage of getting through
most firewalls. Botnets will be a serious problem going forward, and Linux
systems are not immune to participation in them. The
financial incentive is large and the means of prevention are weak, at least
so far. As we have learned by trying to deal with spam, money makes our
adversaries much more inventive which makes long-term solutions hard to
come by.
For those who are interested in the Solaris telnet vulnerability, Gadi
Evron has put together a comprehensive summary of the problem, how Sun
responded, where to get fixes, etc. "Whatever my thoughts are on how silly, sad or funny this vulnerability is
(quaint really), how they use telnet (?!) and how Sun should be smacked on
the back of the head for it, I have to honestly admit Sun's response and
the level they were open to the community and industry on this without
too many PR/legal blocks getting in their way are very encouraging..."
Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and
ImageMagick allows user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via a PALM image that is not
properly handled by the ReadPALMImage function in coders/palm.c.
Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before
1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1)
the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4)
LocalSiteMap action.
The Smb4K
0.8.0 release announcement notes that several security weaknesses in
the utility programs (stack overflows / the use of strcpy instead of
strncpy / a design error in smb4k_kill) and in the Smb4KFileIO class (use
of mktemp instead of mkstemp for creation of the temporary files which
could lead to both a race and an information leak / a race in the code that
handles the lock file). Fixes for all of these issues are included in Smb4K
0.8.0 and in the patches that have been prepared for Smb4K 0.7.5 and
0.6.10a. Other versions are not supported anymore.
From the Gentoo advisory: Randy Smith, Christian Estan and Somesh Jha discovered that the rule
matching algorithm of Snort can be exploited in a way known as a
"backtracking attack" to perform numerous time-consuming operations. Version 2.6.1.2 contains the fix.
According to this
vendor security advisory, a vulnerability exists in the SessionPlugin
extension of the Wiki engine TWiki, version up to and including 4.1.0. The
vulnerability allows local users to cause TWiki to execute arbitrary Perl
code with the privileges of the web server process by creating CGI session
files on the local filesystem.
Wordpress does not properly verify that the m parameter value has the
string data type, which allows remote attackers to obtain sensitive
information via an invalid m[] parameter, as demonstrated by obtaining the
path, and obtaining certain SQL information such as the table
prefix. (CVE-2007-0262)
WordPress before 2.1 allows remote attackers to cause a denial of service
(bandwidth or thread consumption) via pingback service calls with a source
URI that corresponds to a large file, which triggers a long download
session without a timeout constraint. (CVE-2007-0539)
WordPress allows remote attackers to determine the existence of arbitrary
files, and possibly read portions of certain files, via pingback service
calls with a source URI that corresponds to a local pathname, which
triggers different fault codes for existing and non-existing files, and in
certain configurations causes a brief file excerpt to be published as a
blog comment. (CVE-2007-0541)
Adobes acrobat reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross site scripting vulnerability that
can be triggered by processes malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities,
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
The bind package is vulnerable to two remote denial of service attacks in
which attackers can cause the bind daemon to to crash or exit unexpectedly
by providing malformed data to the daemon in a DNS request.
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack.
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.
Unspecified vulnerability in the match_rule_equal function in bus/signals.c
in D-Bus before 1.0.2 allows local applications to remove match rules for
other applications and cause a denial of service (lost process messages).
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory).
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges.
The Mozilla Project has released new versions of firefox, thunderbird, and
seamonkey to address the usual pile of security issues; see this announcement or this CERT advisory for details.
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
Ftpd is vulnerable to a privilege escalation attack,
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory.
From the Red Hat advisory: A bug was found in the way the gtk2 GdkPixbufLoader() function processed
invalid input. Applications linked against gtk2 could crash if they
loaded a malformed image file.
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user).
Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI
file format decoder. By tricking a user or an automated system into
processing a specially crafted SGI image, this could be exploited to
execute arbitrary code with the user's privileges.
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c.
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges.
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued.
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")."
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures.
The KOffice office suite has an integer overflow
vulnerability. If an attacker can trick a user into opening a
specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or
possibly execute arbitrary code with the user's privileges.
The kdamind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
The http_open function in httpget.c in mpg123 before 0.64 allows remote
attackers to cause a denial of service (infinite loop) by closing the HTTP
connection early.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN).
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort."
From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities."
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only be when UTF-8 is used)
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
PostgreSQL has two vulnerabilities that allow an authenticated attacker
with the permissions to run arbitrary SQL to launch a denial-of-service
attack or possibly read out random chunks of memory. Since attacks to
require authenticated access, the security hole is only considered medium
risk. See announcement for additional
information.
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
A vulnerability exists in the FTP server ProFTPD, versions up to and
including 1.3.0a. The vulnerability is caused by a stack-based buffer
overflow in the "pr_ctrls_recv_request" function of the "Controls"
feature. This is an optional feature of ProFTPD server which is by default
disabled in OpenPKG and probably other distributions.
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges.
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
The start-stop-daemon command from thttpd performs a chdir / command,
this allows all files that are readable by the thttpd
process to be remotely accessed by unauthenticated users.
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
Multiple format string vulnerabilities in (1) the cdio_log_handler function
in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and
the (2) cdio_log_handler and (3) vcd_log_handler functions in
modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in
VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to
execute arbitrary code via format string specifiers in an invalid URI, as
demonstrated by a udp://-- URI in an M3U file.
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked.
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine.
A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details.
