Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
A PostgreSQL flaw
February 21, 2007
This article was contributed by Jake Edge.
An announcement of possibly
insecure practices in user-defined PostgreSQL functions seems at first
blush to be
a fairly straightforward advisory; a deeper look reveals some serious
implications. It is a problem that echoes a textbook security hole in
UNIX setuid programs; it would appear that the developers did
not consider that history when adding a setuid-like capability to PostgreSQL.
Unfortunately, it also appears that the fix that the advisory recommends
is not up to the task of resolving the issue. Anyone using SECURITY DEFINER
functions in PostgreSQL probably has quite a large job ahead of them to
clear up this particular mess.
PostgreSQL functions can be be declared as "SECURITY DEFINER" functions, which
causes them to run with the privileges of the owner rather than those of
the invoker. PostgreSQL binds the operators and functions called at
runtime and searches each element in the schema path to find them.
Unfortunately, the
user invoking the function can control the schema search
path and, by defining operators or other functions that are used by
the SECURITY DEFINER function, the invoker can run any code with the
permissions of the owner.
The once common, now hopefully largely eradicated, UNIX parallel was a
vulnerability in setuid programs that invoked other programs via
exec(). If the
program did not either sanitize its PATH environment variable or fully
specify the path to the executable, it was vulnerable to attackers who
would put their own code in the path, with the same name as the executable,
ahead of the standard program. When the setuid program executed, it would
grab the wrong binary and the attacker could run arbitrary code with
the permissions of the owner of the setuid program. Another important
requirement is that all elements of the sanitized PATH and the directory
of the binary are not writable by non-privileged users.
So, much like the solution to the UNIX issue, the advisory suggests that
SECURITY DEFINER functions specify a sanitized schema path. The
equivalent to a fully specified path is not recommended as it is
"likely to induce mistakes and will furthermore
make the source code harder to read and maintain." Unfortunately, it
turns out that because of the way PostgreSQL processes the function
definitions, the only solution is to schema-qualify each and every function
and operator reference in the function. In addition, setting a schema
search path in a function is not local to the function, it changes the global
search path for the whole program; functions that do this should restore
the original search path on exit.
It turns out that the references in a function are resolved as PostgreSQL
creates an execution plan for the function. This is prior to actually
executing the "set search path" operation in the function and so it will bind to
functions and operators in the user controlled schema path as described
here.
The only alternative is the laborious and error-prone task of
schema-qualifying function and operator references in SECURITY DEFINER
functions.
This is a very unfortunate outcome for a feature that was meant to promote
more secure database usage. The idea is to separate the database privileges
into different users but to still allow users with few privileges to
perform a restricted set of privileged operations. It is surprising that
the UNIX setuid issues from the dawn of time_t were not more
closely studied when this feature was implemented. It would also seem that
the PostgreSQL developers will need to rework how the execution plan and
search path interact to fix this design flaw.
Comments (4 posted)
New vulnerabilities
clamav: directory traversal, denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2007-0897
CVE-2007-0898
|
| Created: | February 20, 2007 |
Updated: | March 7, 2007 |
| Description: |
Clam AntiVirus ClamAV before 0.90 does not close open file descriptors
under certain conditions, which allows remote attackers to cause a denial
of service (file descriptor consumption and failed scans) via CAB archives
with a cabinet header record length of zero, which causes a function to
return without closing a file descriptor. (CVE-2007-0897)
Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before
0.90 allows remote attackers to overwrite arbitrary files via a .. (dot
dot) in the id MIME header parameter in a multi-part
message. (CVE-2007-0898) |
| Alerts: |
|
Comments (none posted)
ekiga: format string vulnerability
| Package(s): | ekiga |
CVE #(s): | CVE-2007-1006
CVE-2007-0999
|
| Created: | February 21, 2007 |
Updated: | March 30, 2007 |
| Description: |
Ekiga contains a format string vulnerability in the code which processes
control messages from remote peers.
If a user was running Ekiga and listening for incoming calls, a remote
attacker could send a crafted call request, and execute arbitrary code with
the user's privileges. |
| Alerts: |
|
Comments (none posted)
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: |
|
Comments (3 posted)
gnomemeeting: format string flaw
| Package(s): | gnomemeeting |
CVE #(s): | CVE-2007-1007
|
| Created: | February 20, 2007 |
Updated: | March 5, 2007 |
| Description: |
A format string flaw was found in the way GnomeMeeting processes certain
messages. If a user is running GnomeMeeting, a remote attacker who can
connect to GnomeMeeting could trigger this flaw and potentially execute
arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
gnucash: temporary file vulnerability
| Package(s): | gnucash |
CVE #(s): | CVE-2007-0007
|
| Created: | February 21, 2007 |
Updated: | February 27, 2007 |
| Description: |
Gnucash (2.0.4 and prior) suffers from a set of symbolic link vulnerabilities. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0007
CVE-2007-0006
|
| Created: | February 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
| Alerts: |
|
Comments (1 posted)
MoinMoin: cross-site scripting and information leak
| Package(s): | moin moinmoin |
CVE #(s): | CVE-2007-0901
CVE-2007-0902
|
| Created: | February 21, 2007 |
Updated: | February 21, 2007 |
| Description: |
MoinMoin suffers from a pair of vulnerabilities. An attacker who tricks a MoinMoin user into viewing a specially-crafted URL can execute arbitrary JavaScript with the user's privileges. There is also an information disclosure vulnerability which can tell an attacker about the versions of software running on the system. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2007-0906
CVE-2007-0907
CVE-2007-0908
CVE-2007-0909
CVE-2007-0910
CVE-2007-0988
|
| Created: | February 20, 2007 |
Updated: | March 21, 2007 |
| Description: |
A number of buffer overflow flaws were found in the PHP session extension,
the str_replace() function, and the imap_mail_compose() function.
If very long strings under the control of an attacker are passed to the
str_replace() function then an integer overflow could occur in memory
allocation. If a script uses the imap_mail_compose() function to create a
new MIME message based on an input body from an untrusted source, it could
result in a heap overflow. An attacker who is able to access a PHP
application affected by any these issues could trigger these flaws and
possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)
If unserializing untrusted data on 64-bit platforms, the zend_hash_init()
function can be forced to enter an infinite loop, consuming CPU resources
for a limited length of time, until the script timeout alarm aborts
execution of the script. (CVE-2007-0988)
If the wddx extension is used to import WDDX data from an untrusted source,
certain WDDX input packets may allow a random portion of heap memory to be
exposed. (CVE-2007-0908)
If the odbc_result_all() function is used to display data from a database,
and the contents of the database table are under the control of an
attacker, a format string vulnerability is possible which could lead to the
execution of arbitrary code. (CVE-2007-0909)
A one byte memory read will always occur before the beginning of a buffer,
which could be triggered for example by any use of the header() function in
a script. However it is unlikely that this would have any effect.
(CVE-2007-0907)
Several flaws in PHP could allows attackers to "clobber" certain
super-global variables via unspecified vectors. (CVE-2007-0910) |
| Alerts: |
|
Comments (none posted)
spamassassin: denial of service
| Package(s): | spamassassin |
CVE #(s): | CVE-2007-0451
|
| Created: | February 16, 2007 |
Updated: | March 14, 2007 |
| Description: |
Version 3.1.8 of Spamassassin fixes some bugs and a malformed HTML denial
of service vulnerability. |
| Alerts: |
|
Comments (none posted)
sun-jdk: arbitrary code execution
| Package(s): | sun-jdk |
CVE #(s): | CVE-2007-0243
|
| Created: | February 19, 2007 |
Updated: | April 25, 2007 |
| Description: |
A anonymous researcher discovered that an error in the handling of a GIF
image with a zero width field block leads to a memory corruption flaw. An
attacker could entice a user to run a specially crafted Java applet or
application that would load a crafted GIF image, which could result in
escalation of privileges and unauthorized access to system resources. |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2007-0493
CVE-2007-0494
|
| Created: | January 26, 2007 |
Updated: | March 14, 2007 |
| Description: |
The bind package is vulnerable to two remote denial of service attacks in
which attackers can cause the bind daemon to to crash or exit unexpectedly
by providing malformed data to the daemon in a DNS request. |
| Alerts: |
|
Comments (none posted)
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
CVE #(s): | CVE-2006-6899
|
| Created: | January 16, 2007 |
Updated: | May 14, 2007 |
| Description: |
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
| Alerts: |
|
Comments (none posted)
fetchmail: password disclosure and DOS
| Package(s): | fetchmail |
CVE #(s): | CVE-2006-5867
CVE-2006-5974
|
| Created: | January 9, 2007 |
Updated: | March 16, 2007 |
| Description: |
Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory). |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
Mozilla stuff: multiple vulnerabilities
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
ftpd: privilege escalation
| Package(s): | ftpd |
CVE #(s): | CVE-2006-5778
|
| Created: | November 10, 2006 |
Updated: | February 14, 2007 |
| Description: |
Ftpd is vulnerable to a privilege escalation attack,
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gnupg: stack overwrite
| Package(s): | gnupg |
CVE #(s): | CVE-2006-6235
|
| Created: | December 12, 2006 |
Updated: | March 13, 2007 |
| Description: |
A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory. |
| Alerts: |
|
Comments (3 posted)
gv: stack-based buffer overflow
| Package(s): | gv |
CVE #(s): | CVE-2006-5864
|
| Created: | November 20, 2006 |
Updated: | April 9, 2007 |
| Description: |
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-5868
|
| Created: | November 28, 2006 |
Updated: | February 16, 2007 |
| Description: |
Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI
file format decoder. By tricking a user or an automated system into
processing a specially crafted SGI image, this could be exploited to
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (1 posted)
ImageMagick: buffer overflow
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-0770
|
| Created: | February 12, 2007 |
Updated: | February 16, 2007 |
| Description: |
Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and
ImageMagick allows user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via a PALM image that is not
properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: |
|
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-5456
|
| Created: | October 31, 2006 |
Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: |
|
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 8, 2007 |
| Description: |
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
| Alerts: |
|
Comments (1 posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-4811
|
| Created: | October 18, 2006 |
Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
koffice: integer overflow
| Package(s): | koffice |
CVE #(s): | CVE-2006-6120
|
| Created: | November 30, 2006 |
Updated: | February 20, 2007 |
| Description: |
The KOffice office suite has an integer overflow
vulnerability. If an attacker can trick a user into opening a
specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or
possibly execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgtop2: buffer overflow
| Package(s): | libgtop2 |
CVE #(s): | CVE-2007-0235
|
| Created: | January 15, 2007 |
Updated: | August 9, 2007 |
| Description: |
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | September 28, 2007 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
|
|
|