TrustCommerce
E-Commerce & credit card processing - the Open Source way!
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
GnuPG signed message spoofing vulnerability
March 7, 2007
This article was contributed by Jake Edge.
An advisory about a problem
in GNU Privacy Guard (GnuPG) would normally cause worries about an
implementation flaw leading to insecurely encrypted data. Thankfully, this
particular vulnerability does not fall into that category and data encrypted
using GnuPG is not at risk from it; it is, instead, a hole which allows
attackers to spoof signatures.
This vulnerability highlights an interesting
interaction between GnuPG and the applications that use it. The flaw is not
so much in how GnuPG does its work, rather it is in how it presents it.
GnuPG is an implementation of the OpenPGP
standard which governs messages encrypted with public-key encryption.
The standard is described in
RFC 2440 and is descended
from the original
Pretty
Good Privacy (PGP) program that Phil Zimmerman released (much to the
chagrin of the US Government) in 1991. Many different mail programs use
GnuPG (or the related
GnuPG Made Easy
(GPGME) library) to handle encrypted email;
these programs include most open source
email clients (KMail, Evolution, Thunderbird via the EnigMail plugin, mutt,
etc.). All are vulnerable to the spoof - as is the gpg command-line
tool, depending on how it is used.
One of the features of OpenPGP is digital signing of
messages so that the recipient can ensure that the message they
receive is the same as the one that was sent. It is this digital
signature that is vulnerable to this attack as it can be spoofed; making it
appear that unsigned text is covered by a valid signature. An attacker
can insert malicious text into an existing message and have it appear
to have been sent by the signer.
OpenPGP messages consist of a set of "packets" that correspond to different
sections of a message (plaintext, encrypted, signature, compressed,
ascii-armored, etc). Taking two valid OpenPGP messages and concatenating
them produces a longer, but still valid, OpenPGP message. The simplest
way to exploit the flaw is to take a plaintext packet and add it to the
front of a signed plaintext packet. If the user attempts to verify
the message by invoking gpg < msgfile, they will see the contents
of both of the plaintext packets followed by a statement that the
signature was verified. Nothing in the output indicates the presence of
two packets with different signature status.
If this were the only issue, there would be a relatively easy, but not
completely satisfying, workaround; do not redirect stdin from a
file when using gpg. When
it is invoked as gpg msgfile, GnuPG writes each individual plaintext
packet into a separate file and, depending on the filenames specified in
the packet, the above example would either create two
files or prompt asking whether to overwrite when it encounters
the second packet. That prompt, or the presence of two files, might be
enough to alert the observant user to an anomaly, but is hardly foolproof.
Unfortunately, mail clients typically invoke gpg via the output
end of a pipe which allows them to be spoofed.
GnuPG does provide the --status-fd mode to prevent just this kind of
attack by producing more status information on the specified file descriptor.
The status information is not particularly user-friendly and might not
alert a casual user to the spoof, but it certainly can be used by a program
to detect the spoof. This is how GnuPG recommends that it be used by other
programs but the developers of many mail clients ignored that advice with
the result that their code is vulnerable.
Normally this might be considered a problem for the mail
client developers to solve, but the GnuPG team decided to make changes to
GnuPG and GPGME to alleviate the problem.
Updated versions of GnuPG will no longer process multiple messages in a
single invocation, avoiding the mingling of packets with
different signature status. GPGME has been changed to avoid the spoofing
even when it is using a vulnerable version of GnuPG. It is likely that the
various mail clients will need to be updated eventually as well because
they may well rely on GnuPG to process multiple messages in a single pass.
The mail clients may not correctly process all of the email types that they
did in the past, but they will not be vulnerable to this kind of attack.
The advisory has a wealth of information about the flaw and various ways that
it can be exploited; it is well worth a read for those interested. This is
an interesting bug because it lives between the GnuPG software and its
users (both human and program). The GnuPG developers could have pushed this
off as a problem for those users, but took a more helpful approach. If the
command-line version (gpg < msgfile) of the flaw did not exist,
it seems possible that they would have chosen differently and the mail client
development teams would instead be scrambling to release updates.
Comments (13 posted)
Security news
The Month of PHP Bugs
The Month of PHP Bugs (March)
has been announced.
" This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability manag[e]ment process used by the PHP Security Response Team."
Comments (1 posted)
New vulnerabilities
GnuPG: unsigned data injection vulnerability
| Package(s): | gnupg |
CVE #(s): | CVE-2007-1263
|
| Created: | March 6, 2007 |
Updated: | March 30, 2007 |
| Description: |
Core Security Technologies has reported
that GnuPG and GnuPG clients are vulnerable to an unsigned data injection
vulnerability. |
| Alerts: |
|
Comments (none posted)
mod_jk: stack overflow
| Package(s): | mod_jk |
CVE #(s): | CVE-2007-0774
|
| Created: | March 5, 2007 |
Updated: | May 30, 2007 |
| Description: |
A stack overflow flaw was found in the URI handler of mod_jk. A remote
attacker could visit a carefully crafted URL being handled by mod_jk and
trigger this flaw, which could lead to the execution of arbitrary code as the
'apache' user. |
| Alerts: |
|
Comments (none posted)
mod_python: information disclosure
| Package(s): | libapache2-mod-python |
CVE #(s): | CVE-2004-2680
|
| Created: | March 7, 2007 |
Updated: | March 8, 2007 |
| Description: |
From the Ubuntu advisory: Miles Egan discovered that mod_python, when used in output filter mode,
did not handle output larger than 16384 bytes, and would display freed
memory, possibly disclosing private data. |
| Alerts: |
|
Comments (none posted)
snort: remote arbitrary code execution
| Package(s): | snort |
CVE #(s): | CVE-2006-5276
|
| Created: | March 2, 2007 |
Updated: | September 7, 2007 |
| Description: |
The Snort intrusion detection system is vulnerable to a buffer overflow
in the DCE/RPC preprocessor code. Remote attackers can send
specially crafted fragmented SMB or DCE/RPC packets which can be used
to allow the the remote execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
STLport: buffer overflows
| Package(s): | STLport |
CVE #(s): | CVE-2007-0803
|
| Created: | March 7, 2007 |
Updated: | March 7, 2007 |
| Description: |
STLport (prior to version 5.0.3) suffers from two remotely exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CVE-2007-1218
|
| Created: | March 5, 2007 |
Updated: | November 15, 2007 |
| Description: |
Off-by-one buffer overflow in the parse_elements function in the 802.11
printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote
attackers to cause a denial of service (crash) via a crafted 802.11
frame. NOTE: this was originally referred to as heap-based, but it might be
stack-based. |
| Alerts: |
|
Comments (none posted)
util-linux: information disclosure
| Package(s): | util-linux |
CVE #(s): | CVE-2007-0822
|
| Created: | March 7, 2007 |
Updated: | March 7, 2007 |
| Description: |
Users can confuse util-linux by way of removable drives, leading to crashes and the possibility of information disclosure via the resulting core dumps. |
| Alerts: |
|
Comments (1 posted)
wordpress: cross-site scripting
| Package(s): | wordpress |
CVE #(s): | CVE-2007-1049
|
| Created: | March 5, 2007 |
Updated: | March 21, 2007 |
| Description: |
A Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in
the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0
before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary
web script or HTML via the file parameter to wp-admin/templates.php, and
possibly other vectors involving the action variable. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2007-0493
CVE-2007-0494
|
| Created: | January 26, 2007 |
Updated: | March 14, 2007 |
| Description: |
The bind package is vulnerable to two remote denial of service attacks in
which attackers can cause the bind daemon to to crash or exit unexpectedly
by providing malformed data to the daemon in a DNS request. |
| Alerts: |
|
Comments (none posted)
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
CVE #(s): | CVE-2006-6899
|
| Created: | January 16, 2007 |
Updated: | May 14, 2007 |
| Description: |
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
chmlib: remote execution of arbitrary code
| Package(s): | chmlib |
CVE #(s): | CVE-2007-0619
|
| Created: | February 27, 2007 |
Updated: | February 28, 2007 |
| Description: |
When certain CHM files that contain tables and objects stored in pages are
parsed by CHMlib, an unsanitized value is passed to the alloca() function
resulting in a shift of the stack pointer to arbitrary memory locations.
An attacker could entice a user to open a specially crafted CHM file,
resulting in the execution of arbitrary code with the permissions of the
user viewing the file. |
| Alerts: |
|
Comments (none posted)
clamav: directory traversal, denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2007-0897
CVE-2007-0898
|
| Created: | February 20, 2007 |
Updated: | March 7, 2007 |
| Description: |
Clam AntiVirus ClamAV before 0.90 does not close open file descriptors
under certain conditions, which allows remote attackers to cause a denial
of service (file descriptor consumption and failed scans) via CAB archives
with a cabinet header record length of zero, which causes a function to
return without closing a file descriptor. (CVE-2007-0897)
Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before
0.90 allows remote attackers to overwrite arbitrary files via a .. (dot
dot) in the id MIME header parameter in a multi-part
message. (CVE-2007-0898) |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
| Alerts: |
|
Comments (none posted)
ekiga: format string vulnerability
| Package(s): | ekiga |
CVE #(s): | CVE-2007-1006
CVE-2007-0999
|
| Created: | February 21, 2007 |
Updated: | March 30, 2007 |
| Description: |
Ekiga contains a format string vulnerability in the code which processes
control messages from remote peers.
If a user was running Ekiga and listening for incoming calls, a remote
attacker could send a crafted call request, and execute arbitrary code with
the user's privileges. |
| Alerts: |
|
Comments (none posted)
enigmail: memory allocation errors
| Package(s): | enigmail |
CVE #(s): | CVE-2006-5877
|
| Created: | February 23, 2007 |
Updated: | February 28, 2007 |
| Description: |
Mikhail Markin reported that enigmail incorrectly handled memory
allocations for certain large encrypted attachments. This caused
Thunderbird to crash and thus caused the entire message to be
inaccessible. |
| Alerts: |
|
Comments (none posted)
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: |
|
Comments (3 posted)
fetchmail: password disclosure and DOS
| Package(s): | fetchmail |
CVE #(s): | CVE-2006-5867
CVE-2006-5974
|
| Created: | January 9, 2007 |
Updated: | March 16, 2007 |
| Description: |
Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory). |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
Mozilla stuff: multiple vulnerabilities
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gnomemeeting: format string flaw
| Package(s): | gnomemeeting |
CVE #(s): | CVE-2007-1007
|
| Created: | February 20, 2007 |
Updated: | March 5, 2007 |
| Description: |
A format string flaw was found in the way GnomeMeeting processes certain
messages. If a user is running GnomeMeeting, a remote attacker who can
connect to GnomeMeeting could trigger this flaw and potentially execute
arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
gnupg: stack overwrite
| Package(s): | gnupg |
CVE #(s): | CVE-2006-6235
|
| Created: | December 12, 2006 |
Updated: | March 13, 2007 |
| Description: |
A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory. |
| Alerts: |
|
Comments (3 posted)
gv: stack-based buffer overflow
| Package(s): | gv |
CVE #(s): | CVE-2006-5864
|
| Created: | November 20, 2006 |
Updated: | April 9, 2007 |
| Description: |
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-5456
|
| Created: | October 31, 2006 |
Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: |
|
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 8, 2007 |
| Description: |
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
| Alerts: |
|
Comments (1 posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-4811
|
| Created: | October 18, 2006 |
Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0007
CVE-2007-0006
|
| Created: | February 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-0772
|
| Created: | February 23, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgtop2: buffer overflow
| Package(s): | libgtop2 |
CVE #(s): | CVE-2007-0235
|
| Created: | January 15, 2007 |
Updated: | August 9, 2007 |
| Description: |
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | September 28, 2007 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
| |
|