SE-PostgreSQL uses SELinux for database security
Security Enhanced Linux (SELinux) adds layers of security on top of the
traditional discretionary
access control (DAC) offered by UNIX-like systems to provide more
fine-grained control over the operating system objects and data. The Security Enhanced
PostgreSQL (SE-PostgreSQL) project seeks to provide the
same kinds of fine-grained access controls to the PostgreSQL database engine,
integrating those policies with SELinux. SE-PostgreSQL has just released
its 1.0 beta and is encouraging users to report any bugs before the final
1.0 release.
Traditionally, database systems use a permissions model that is similar to,
but separate from, the underlying operating system permissions. Users are created within
the database and granted access to various database capabilities, some of
which they can pass on to others (which is a feature of DAC). In addition,
database management systems (DBMS) have a privileged user that bypasses all of the
permissions checks. For a system running SELinux, this situation is less
than desirable, as most, if not all, of the carefully crafted policies, for
restricting data access, are ignored by the DBMS. SE-PostgreSQL works with
SELinux to apply its policies on top of the DBMS permissions, allowing
the administrator the fine-grained access control, afforded by SELinux,
within PostgreSQL.
SELinux relies upon "security contexts", which are attached to each object
in the operating system: files, directories, sockets, processes, users,
etc. These contexts are permanently attached to the various objects and
the SELinux policies then dictate how the contexts interact and what kind
of operations are allowed to be performed. More information about SELinux
and its enforcement mechanisms can be found on the project's webpage as well as in this introductory LWN article.
In a standard PostgreSQL installation, a Linux user can present the
credentials (username and password) of any database user and perform
the
database operations allowed for that user. Using SE-PostgreSQL, SELinux
security contexts are associated with each table, row and column of the
database. The SELinux policy arbitrator in the kernel is consulted for
each database operation and they are either allowed or denied based on the
combination of the user context and the database object context. The
PostgreSQL user must still have the ability to perform the requested action
as the PostgreSQL permissions are checked
before the SELinux policies are even consulted. This two-tiered
permissions system is probably unnecessary, so SE-PostgreSQL could completely
replace the database permissions in secure installations.
Because security contexts are attached to objects in the operating system,
SE-PostgreSQL can alleviate a common problem with data migrating from the
filesystem into the database. If filesystem data that requires an elevated
level of security is inserted into a database table, that row will inherit
the security context of the data. This will prevent users or processes
with lower access capabilities from accessing it.
Also, depending on the security context of the user querying the database,
certain columns or rows may not be available and SE-PostgreSQL intercepts
the queries and results, filtering them appropriately. Users will be able
to see the query results they are allowed to access and no others.
Another related project is PostgreSQL Access Control
Extension (PGACE), which provides an interface for PostgreSQL to use
the facilities of a secure operating system. This allows SE-PostgreSQL to use the
SELinux facilities, but will also allow PostgreSQL to use the Trusted
Solaris or other security-oriented operating system facilities. It is
meant to provide a common framework of hooks that PostgreSQL can call to
determine whether to permit or deny access. It is similar in spirit to the
Linux Security Modules (LSM) interface which allows different
security implementations to be used by the kernel.
The development of SE-PostgreSQL was supported by the Exploratory
Software Project of Japan's Information-Technology Promotion Agency.
This project is aimed at funding young developers with new ideas and
SE-PostgreSQL would certainly qualify. For security conscious companies
using SELinux and PostgreSQL, a look at this project should be high on the
list.
Comments (2 posted)
Security news
Samsung printer drivers open up the system
A LinuxFR reader has sent out
an alert (in French)
about the Samsung
SCX-4200
printer driver for Linux. It appears that the driver author had some
trouble with the Linux permission model; the response was to make a few
applications run setuid root. A quick look at the install script shows
that the affected programs are xsane, xscanimage, and the major
OpenOffice.org components. The script also replaces some CUPS executables
and does some other fun things. This seems like code to
avoid for anybody wanting to run a remotely secure system.
Comments (22 posted)
HP joins the RHEL5 security certification party
HP
announced
yesterday that it has been awarded Evaluation Assurance Level 4 (EAL4+)
security certification for Red Hat Enterprise Linux 5 (RHEL5) running on various
server and workstation platforms. HP/RHEL5 is certified with the same set
of protection profiles used by
in the earlier IBM/RHEL5
certification. "
HP has
been awarded EAL4+, the highest level of assurance for an unmodified,
commercial operating system, for Labeled Security Protection Profile
(LSPP), Controlled Access Protection Profile, and Role-Based Access Control
Protection Profile for Red Hat Enterprise Linux 5 on HP Integrity, ProLiant
and BladeSystem platforms as well as select workstations and desktops."
Comments (none posted)
New vulnerabilities
curl: insufficient verification methods
| Package(s): | curl |
CVE #(s): | CVE-2007-3564
|
| Created: | July 17, 2007 |
Updated: | July 19, 2007 |
| Description: |
The GnuTLS certificate verification methods implemented in Curl did not
check for expiration and activation dates. When performing validations,
tools using libcurl3-gnutls would incorrectly allow connections to sites
using expired certificates. |
| Alerts: |
|
Comments (2 posted)
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
CVE #(s): | CVE-2007-3738
CVE-2007-3656
CVE-2007-3670
CVE-2007-3285
CVE-2007-3737
CVE-2007-3089
CVE-2007-3736
CVE-2007-3734
CVE-2007-3735
|
| Created: | July 18, 2007 |
Updated: | May 12, 2008 |
| Description: |
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
that showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
| Alerts: |
|
Comments (none posted)
flac123: arbitrary code execution
| Package(s): | flac123 |
CVE #(s): | CVE-2007-3507
|
| Created: | July 13, 2007 |
Updated: | October 22, 2007 |
| Description: |
A stack-based buffer overflow in the local__vcentry_parse_value function in
vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows
user-assisted remote attackers to execute arbitrary code via a large
comment value_length. |
| Alerts: |
|
Comments (none posted)
flash-plugin: input validation flaw
| Package(s): | flash-plugin |
CVE #(s): | CVE-2007-3456
|
| Created: | July 12, 2007 |
Updated: | August 10, 2007 |
| Description: |
The Firefox flash-plugin module has an input validation flaw
involving the display of certain content. If a user can be tricked
into opening a specially crafted Adobe Flash file, it may be possible
to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
LedgerSMB: authentication bypass
| Package(s): | LedgerSMB |
CVE #(s): | |
| Created: | July 18, 2007 |
Updated: | July 18, 2007 |
| Description: |
The problem occurs because of a flaw in the redirect code which was
replaced in order to support additional environments. The redirection
code in this case can be accessed through the login module and tricked
into providing access without proper authentication.
|
| Alerts: |
(No alerts in the database for this vulnerability)
|
Comments (none posted)
mysql: multiple vulnerabilities
Comments (none posted)
tomcat: cross-site scripting
| Package(s): | tomcat |
CVE #(s): | CVE-2007-2449
CVE-2007-2450
|
| Created: | July 17, 2007 |
Updated: | March 28, 2008 |
| Description: |
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450). |
| Alerts: |
|
Comments (1 posted)
xnview: buffer overflow
| Package(s): | xnview |
CVE #(s): | CVE-2007-2194
|
| Created: | July 12, 2007 |
Updated: | July 18, 2007 |
| Description: |
The XnView image processing utility is vulnerable to a stack-based
buffer overflow due to improper handling of XPM image files.
If an attacker can trick a user into viewing a specially crafted
image file, it may be possible to execute code with the privileges
of the user. |
| Alerts: |
|
Comments (none posted)
X.org: temp file vulnerability
| Package(s): | X.org |
CVE #(s): | CVE-2007-3103
|
| Created: | July 12, 2007 |
Updated: | July 31, 2007 |
| Description: |
The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache2: information disclosure
| Package(s): | apache |
CVE #(s): | CVE-2007-1862
|
| Created: | June 20, 2007 |
Updated: | February 18, 2008 |
| Description: |
From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not
properly copy all levels of header data, which can cause Apache to
return HTTP headers containing previously-used data, which could be
used to obtain potentially sensitive information by unauthorized users." |
| Alerts: |
|
Comments (2 posted)
apache: multiple vulnerabilities
| Package(s): | apache |
CVE #(s): | CVE-2007-3304
CVE-2006-5752
|
| Created: | June 27, 2007 |
Updated: | February 18, 2008 |
| Description: |
The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with
the server-status page publicly accessible and ExtendedStatus enabled were
vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux
the server-status page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752) |
| Alerts: |
|
Comments (1 posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
CVE #(s): | CVE-2007-1561
CVE-2007-1594
|
| Created: | April 3, 2007 |
Updated: | August 27, 2007 |
| Description: |
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code. |
| Alerts: |
|
Comments (none posted)
avahi: denial of service
| Package(s): | avahi |
CVE #(s): | CVE-2007-3372
|
| Created: | June 28, 2007 |
Updated: | September 18, 2007 |
| Description: |
Avahi is vulnerable to a local denial of service that can be caused by
making an erroneous call to the assert() function. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
clamav: denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2007-2650
|
| Created: | June 5, 2007 |
Updated: | July 20, 2007 |
| Description: |
A vulnerability in the OLE2 parser in ClamAV was found that could allow a
remote attacker to cause a denial of service via resource consumption with
a carefully crafted OLE2 file. |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2007-0720
|
| Created: | March 26, 2007 |
Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service. |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dar: weak cryptography
| Package(s): | dar |
CVE #(s): | CVE-2007-3528
|
| Created: | July 6, 2007 |
Updated: | July 11, 2007 |
| Description: |
From the National
Vulnerability Database: "The blowfish mode in DAR before 2.3.4
uses weak Blowfish-CBC cryptography by (1) discarding random bits by the
blowfish::make_ivec function in libdar/crypto.cpp that results in
predictable and repeating IV values, and (2) direct use of a password for
keying, which makes it easier for context-dependent attackers to decrypt
files." |
| Alerts: |
|
Comments (none posted)
dovecot: directory traversal
| Package(s): | dovecot |
CVE #(s): | CVE-2007-2231
|
| Created: | May 8, 2007 |
Updated: | May 21, 2008 |
| Description: |
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name. |
| Alerts: |
|
Comments (none posted)
emacs21: denial of service
| Package(s): | emacs21 |
CVE #(s): | CVE-2007-2833
|
| Created: | June 21, 2007 |
Updated: | August 29, 2007 |
| Description: |
The emacs21 editor has a denial of service vulnerability.
emacs21 can be made to crash by viewing "certain types of images". |
| Alerts: |
|
Comments (none posted)
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
| Alerts: |
|
Comments (1 posted)
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server |
CVE #(s): | CVE-2007-3257
|
| Created: | June 18, 2007 |
Updated: | November 7, 2007 |
| Description: |
From the GNOME
bugzilla: "The "SEQUENCE" value in the GData of the IMAP code
(camel-imap-folder.c) is converted from a string using strtol. This allows
for negative values. The imap_rescan uses this value as an int. It checks
for !seq and seq>summary.length. It doesn't check for seq <
0. Although seq is used as the index of an array." |
| Alerts: |
|
Comments (1 posted)
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail |
CVE #(s): | CVE-2007-1558
|
| Created: | May 8, 2007 |
Updated: | August 7, 2007 |
| Description: |
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail. |
| Alerts: |
|
Comments (none posted)
fail2ban: log injection vulnerability
| Package(s): | fail2ban |
CVE #(s): | |
| Created: | June 22, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.8 is susceptible to a log injection vulnerability. See this
ossec.net entry for more information. |
| Alerts: |
|
Comments (none posted)
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: |
|
Comments (3 posted)
file: integer overflow
| Package(s): | file |
CVE #(s): | CVE-2007-2799
|
| Created: | June 1, 2007 |
Updated: | October 19, 2007 |
| Description: |
Colin Percival from FreeBSD reported that the previous fix for the
file_printf() buffer overflow introduced a new integer overflow. A remote
attacker could entice a user to run the file program on an overly large
file (more than 1Gb) that would trigger an integer overflow on 32-bit
systems, possibly leading to the execution of arbitrary code with the
rights of the user running file. |
| Alerts: |
|
Comments (3 posted)
firebird: buffer overflow
| Package(s): | firebird |
CVE #(s): | CVE-2007-3181
|
| Created: | July 2, 2007 |
Updated: | March 27, 2008 |
| Description: |
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird |
CVE #(s): | CVE-2007-1362
CVE-2007-2867
CVE-2007-2868
CVE-2007-2869
CVE-2007-2870
CVE-2007-2871
|
| Created: | June 4, 2007 |
Updated: | August 29, 2007 |
| Description: |
Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user
into opening a malicious web page, an attacker could cause a persistent
denial of service. (CVE-2007-2869)
Nicolas Derouet discovered flaws in cookie handling. By tricking a user
into opening a malicious web page, an attacker could force the browser to
consume large quantities of disk or memory while processing long cookie
paths. (CVE-2007-1362)
A flaw was discovered in the same-origin policy handling of the
addEventListener JavaScript method. A malicious web site could exploit
this to modify the contents, or steal confidential data (such as
passwords), of other web pages. (CVE-2007-2870)
Chris Thomas discovered a flaw in XUL popups. A malicious web site
could exploit this to spoof or obscure portions of the browser UI,
such as the location bar. (CVE-2007-2871) |
| Alerts: |
|
Comments (3 posted)
freetype: arbitrary code execution
| Package(s): | freetype |
CVE #(s): | CVE-2007-2754
|
| Created: | May 24, 2007 |
Updated: | July 19, 2007 |
| Description: |
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gd: denial of service
| Package(s): | gd |
CVE #(s): | CVE-2007-2756
|
| Created: | June 14, 2007 |
Updated: | February 28, 2008 |
| Description: |
Libgd2 has a denial of service vulnerability involving the incorrect
validation of PNG callback results. If an application that is linked
against libgd2 is used to process a specially-crafted PNG file,
a denial of service involving CPU resource consumption can be
caused. |
| Alerts: |
|
Comments (none posted)
gfax: insecure temporary files
| Package(s): | gfax |
CVE #(s): | CVE-2007-2839
|
| Created: | July 6, 2007 |
Updated: | July 11, 2007 |
| Description: |
Steve Kemp from the Debian Security Audit project discovered that gfax, a
GNOME frontend for fax programs, uses temporary files in an unsafe manner
which may be exploited to execute arbitrary commands with the privileges of
the root user. |
| Alerts: |
|
Comments (none posted)
gimp: multiple vulnerabilities
| Package(s): | gimp |
CVE #(s): | CVE-2007-2949
|
| Created: | June 28, 2007 |
Updated: | February 27, 2008 |
| Description: |
The gimp image editor has several vulnerabilities, including
a problem where it can open PSD files with excessive dimensions
and a possible stack overflow in the Sunras loader. |
| Alerts: |
|
Comments (none posted)
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer |
CVE #(s): | CVE-2007-3410
|
| Created: | June 27, 2007 |
Updated: | September 17, 2007 |
| Description: |
A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. It was possible
for a malformed SMIL file to execute arbitrary code with the permissions of
the user running HelixPlayer. (CVE-2007-3410) |
| Alerts: |
|
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
| Alerts: |
|
Comments (none posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2007-1841
|
| Created: | April 10, 2007 |
Updated: | August 28, 2007 |
| Description: |
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service. |
| Alerts: |
|
Comments (none posted)
jasper: denial of service
| Package(s): | jasper |
CVE #(s): | CVE-2007-2721
|
| Created: | June 1, 2007 |
Updated: | November 6, 2007 |
| Description: |
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files. |
| Alerts: |
|
Comments (none posted)
kdebase: information leak
| Package(s): | kdebase |
CVE #(s): | CVE-2007-2022
|
| Created: | June 13, 2007 |
Updated: | September 19, 2007 |
| Description: |
A problem with the interaction between the Flash Player and the Konqueror
web browser was found. The problem could lead to key presses leaking to the
Flash Player applet instead of the browser.
NOTE: CVE number may be incorrect, see CVE entry |
| Alerts: |
|
Comments (1 posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-1357
|
| Created: | April 16, 2007 |
Updated: | November 14, 2007 |
| Description: |
The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before
2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of
service (crash) via an AppleTalk frame that is shorter than the specified
length, which triggers a BUG_ON call when an attempt is made to perform a
checksum. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
