LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Our devices are spilling our secrets
Recent news about a certain much-anticipated work of fiction being posted to the internet, in advance of its scheduled release, was not terribly surprising. The method used was, perhaps, a bit crude, and certainly time consuming, but it got the job done. Unbeknownst to the anonymous poster, their camera helpfully provided some extra information that might be used to track them down. Our devices are collecting all kinds of data about our habits and they are increasingly divulging that data in unexpected ways.
In the case of the Harry Potter book, the camera serial number was recorded in the Exchangeable image file format (Exif) data of the JPEG files of each page. Based on that information, Canon, the camera's manufacturer, may be able to match the camera to its original purchaser. If the camera has been serviced in the three years since it was released, that would also create an entry matching the serial number to the owner at that time. Neither of those conclusively links a person to the "crime", if it even is a crime, but they could give any investigators a good place to start.
It could have been a lot worse - some camera models have GPS capability built-in with Exif fields available to store that information on each shot. Perhaps the photo shoot happened deep enough inside some building that the GPS would not work, but over the hours it took to do that project, it seems quite possible that at least one shot would get tagged. It would be pretty easy to track down where the photos were taken if some were tagged with latitude and longitude coordinates. If it did not bring the police around, it certainly might have brought legions of Potter fans, eager to acquire the book early.
GPS data encoded into each photograph that you take, is a useful feature, keeping track of where the photos were taken some years down the road after (human) memory has failed. The other Exif data, much of which is detailed information about camera settings, is probably quite useful to photographers and is much simpler than trying to keep a record of exposure settings as you take pictures. Gathering and storing the data is quite helpful, it is the unexpected disclosure that causes problems.
It would be easy to ignore this problem, writing it off to an ignorant user, who should have scrubbed the Exif data before posting, but the problem comes in other guises as well. The US Secret Service evidently wants to be able to track your printer output, presumably as part of their anti-counterfeiting responsibilities, so they have convinced laser printer manufacturers to secretly add the now-famous yellow dots to each color page that is printed. Some of these codes have been cracked by the Electronic Frontier Foundation (EFF) and others, and have been found to contain model and serial numbers along with a timestamp of the print time.
It is much harder to blame ignorant users when the device manufacturer actively tries to hide the fact that identifying information is being leaked. Worse yet, it appears that inquiring about this practice and asking how to turn it off can lead to a visit from the Secret Service. There is nothing quite like a visit from a federal agent to stifle dissent. The folks at Seeing Yellow have lots more information, including a plan to overwhelm the agency through sheer numbers of people asking how to turn this "feature" off.
Imagine a world where the government required each person to carry a device that: knew its location via GPS, had the ability to take pictures and wireless connectivity. It is a scenario that would be ripe for abuse. In many ways, lots of people already, voluntarily, live in that world as cell phones have all those characteristics. It is not inconceivable that the cell phone manufacturers have already had a visit, from the Department of Homeland Security (DHS) or some other three-letter agency of the government, asking for help in the "War on Terror." The devices are certainly capable of reporting location (possibly with a helpful photo of people in the vicinity) back to the carrier and through them to the DHS. Probably, hopefully, that is not (yet?) happening, but there is no real technical barrier.
If we ratchet the paranoia level down a notch, cell phones, in particular smart phones, still pose an enormous target for the criminal world. Subverting phones that have cameras and GPS, to run them under the control of an attacker, makes an incredible surveillance tool. By using the same kinds of techniques that are used to spread viruses and spyware today, it should not be difficult to get targets to willingly perform actions that will lead to the subversion of their phone. From there, the attacker can get all of the call records, photos, calendar items and contacts while directing the phone to transmit its location every minute to the attacker.
Not only could this kind of information be used by stalkers, muggers and other criminals, this same capability could be used by lovers or employers to track people, keeping tabs on their movements and contacts. Rather than hire a private investigator, a jealous husband or wife might just borrow the other's phone, surf to a spyware site, and install a tracking program themselves. The opportunities are endless and exceedingly frightening for anyone concerned about privacy in today's world.
There are no easy answers on how to protect oneself against these unintentional data leaks. The organizations and individuals interested in collecting the data are doubly interested in concealing the fact that they are doing it, but, worse still, it is difficult for users to detect. If a cell phone is sending a short burst of encrypted information every minute, how would the average user, or even a sophisticated lab, detect and decode that data? If someone had not stumbled upon the yellow dots, we might be printing traceable documents, in blissful ignorance, to this day. What other, similar kinds of tracking are going on that we do not yet know about?
Free software can certainly help with this problem, but it is no panacea. Being able to replace the software in a device, with code that can be scrutinized and built before installing, is a good way to know what the device will do. Getting code that is vouched for by a trusted group, also serves to alleviate privacy leakage concerns. That is not the end of the story, unfortunately, as the hardware itself may be the culprit. Laser printer hardware is likely responsible for the identifying information in the output, making it rather difficult to replace. It is extremely difficult to know what the hardware in other devices might be doing behind our backs.
The truly paranoid will not be willing to trust any hardware they did not build themselves, perhaps from individual transistors, while trying to figure out how to trust the compiler. For the rest of us, open platforms, like OpenMoko, with free software and hardware, may provide reasons to believe that our data is protected; unless, of course, the device gets stolen or lost - encryption anyone?
New vulnerabilities
gpdf: integer overflow
| Package(s): | cups poppler xpdf | CVE #(s): | CVE-2007-3387 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 31, 2007 | Updated: | November 28, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
drupal: cross site request forgery
| Package(s): | drupal | CVE #(s): | ||||
| Created: | July 27, 2007 | Updated: | August 1, 2007 | |||
| Description: | From DRUPAL-SA-2007-017: "Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site." | |||||
| Alerts: |
| |||||
festival: privilege escalation
| Package(s): | festival | CVE #(s): | ||||
| Created: | July 26, 2007 | Updated: | August 1, 2007 | |||
| Description: | The festival text-to-speech converter has a privilege escalation vulnerability. The festival daemon runs with root privileges, a local attacker can connect to to the daemon and execute arbitrary commands as root. | |||||
| Alerts: |
| |||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-3844 CVE-2007-3845 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | February 20, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdm: denial of service
| Package(s): | gdm | CVE #(s): | CVE-2007-3381 | |||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | September 20, 2007 | |||||||||||||||||||||
| Description: | JLANTHEA reported a denial of service flaw in the way that gdm listens on its Unix domain socket. Any local user can crash the locally running X session. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libvorbis: multiple memory corruption flaws
| Package(s): | libvorbis | CVE #(s): | CVE-2007-3106 CVE-2007-4029 | ||||||||||||||||||||||||||||||
| Created: | July 27, 2007 | Updated: | January 22, 2008 | ||||||||||||||||||||||||||||||
| Description: | This iSEC Partners security advisory has details on multiple memory corruption flaws in libvorbis. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
qt: arbitrary code execution
| Package(s): | qt | CVE #(s): | CVE-2007-3388 | |||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | December 10, 2007 | |||||||||||||||||||||||||||
| Description: | Format string bugs were found in several Qt warning messages. Applications using Qt for processing certain data types could trigger them if the data caused Qt to print warnings. The bugs potentially allow to execute arbitrary code via specially crafted files (CVE-2007-3388). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
unrar: integer signedness error
| Package(s): | unrar | CVE #(s): | CVE-2007-3726 | |||
| Created: | July 31, 2007 | Updated: | August 1, 2007 | |||
| Description: | Integer signedness error in the SET_VALUE function in rarvm.cpp in unrar 3.70 beta 3, as used in products including WinRAR and RAR for OS X, allows user-assisted remote attackers to cause a denial of service (crash) via a crafted RAR archive that causes a negative signed number to be cast to a large unsigned number. | |||||
| Alerts: |
| |||||
vim: arbitrary code execution
| Package(s): | vim | CVE #(s): | CVE-2007-2953 | ||||||||||||||||||
| Created: | July 30, 2007 | Updated: | September 20, 2007 | ||||||||||||||||||
| Description: | vim is vulnerable to a user-assisted attack in which vim may execute arbitrary code when helptags is run on data that has been maliciously crafted. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Updated vulnerabilities
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk | CVE #(s): | CVE-2007-1561 CVE-2007-1594 | |||||||||
| Created: | April 3, 2007 | Updated: | August 27, 2007 | |||||||||
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. | |||||||||||
| Alerts: |
| |||||||||||
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer | CVE #(s): | CVE-2007-3410 | ||||||||||||
| Created: | June 27, 2007 | Updated: | September 17, 2007 | ||||||||||||
| Description: | A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) | ||||||||||||||
| Alerts: |
| ||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
X.org: temp file vulnerability
| Package(s): | X.org | CVE #(s): | CVE-2007-3103 | |||||||||||||||
| Created: | July 12, 2007 | Updated: | July 31, 2007 | |||||||||||||||
| Description: | The X.Org X11 xfs font server has a temp file vulnerability in the startup script. A local user can modify the permissions of the script in order to elevate their local privileges. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
avahi: denial of service
| Package(s): | avahi | CVE #(s): | CVE-2007-3372 | ||||||
| Created: | June 28, 2007 | Updated: | September 18, 2007 | ||||||
| Description: | Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function. | ||||||||
| Alerts: |
| ||||||||
bind: DNS cache poisoning
| Package(s): | bind | CVE #(s): | CVE-2007-2926 | |||||||||||||||||||||||||||||||||||||||
| Created: | July 24, 2007 | Updated: | August 20, 2007 | |||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
bochs: buffer overflow
| Package(s): | bochs | CVE #(s): | CVE-2007-2893 | ||||||||||||
| Created: | July 20, 2007 | Updated: | November 19, 2007 | ||||||||||||
| Description: | A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow." | ||||||||||||||
| Alerts: |
| ||||||||||||||
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla | CVE #(s): | CVE-2006-5453 CVE-2006-5454 CVE-2006-5455 | ||||||
| Created: | November 10, 2006 | Updated: | August 28, 2007 | ||||||
| Description: | Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before being passed back to users. Users can gain unauthorized access to read attachment descriptions while using diff mode. HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification. Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users. | ||||||||
| Alerts: |
| ||||||||
centericq: buffer overflows
| Package(s): | centericq | CVE #(s): | CVE-2007-3713 | |||||||||
| Created: | July 20, 2007 | Updated: | December 17, 2007 | |||||||||
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160. | |||||||||||
| Alerts: |
| |||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dovecot: directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2007-2231 | ||||||||||||
| Created: | May 8, 2007 | Updated: | May 21, 2008 | ||||||||||||
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||||||||||||||
| Alerts: |
| ||||||||||||||
emacs21: denial of service
| Package(s): | emacs21 | CVE #(s): | CVE-2007-2833 | ||||||||||||
| Created: | June 21, 2007 | Updated: | August 29, 2007 | ||||||||||||
| Description: | The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images". | ||||||||||||||
| Alerts: |
| ||||||||||||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail | CVE #(s): | CVE-2007-1558 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 8, 2007 | Updated: | August 7, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server | CVE #(s): | CVE-2007-3257 | ||||||||||||||||||||||||||||||||||||
| Created: | June 18, 2007 | Updated: | November 7, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array." | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
fail2ban: log injection vulnerability
| Package(s): | fail2ban | CVE #(s): | |||||||
| Created: | June 22, 2007 | Updated: | July 30, 2007 | ||||||
| Description: | fail2ban 0.8 is susceptible to a log injection vulnerability. See this ossec.net entry for more information. | ||||||||
| Alerts: |
| ||||||||
fail2ban: denial of service
| Package(s): | fail2ban | CVE #(s): | CVE-2006-6302 | |||
| Created: | February 16, 2007 | Updated: | July 30, 2007 | |||
| Description: | fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address. | |||||
| Alerts: |
| |||||
file: integer overflow
| Package(s): | file | CVE #(s): | CVE-2007-2799 | ||||||||||||||||||||||||||||||
| Created: | June 1, 2007 | Updated: | October 19, 2007 | ||||||||||||||||||||||||||||||
| Description: | Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird | CVE #(s): | CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 4, 2007 | Updated: | August 29, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869) Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362) A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 18, 2007 | Updated: | May 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flac123: arbitrary code execution
| Package(s): | flac123 | CVE #(s): | CVE-2007-3507 | ||||||
| Created: | July 13, 2007 | Updated: | October 22, 2007 | ||||||
| Description: | A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length. | ||||||||
| Alerts: |
| ||||||||
flash-plugin: input validation flaw
| Package(s): | flash-plugin | CVE #(s): | CVE-2007-3456 | ||||||||||||
| Created: | July 12, 2007 | Updated: | August 10, 2007 | ||||||||||||
| Description: | The Firefox flash-plugin module has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 8, 2006 | Updated: | October 10, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gcc: file overwrite vulnerability
| Package(s): | gcc | CVE #(s): | CVE-2006-3619 | ||||||||||||
| Created: | September 6, 2006 | Updated: | March 14, 2008 | ||||||||||||
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gd: buffer overflow
| Package(s): | gd | CVE #(s): | CVE-2007-0455 | ||||||||||||||||||||||||||||||
| Created: | February 7, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||||||||||||||
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
gd: denial of service
| Package(s): | gd | CVE #(s): | CVE-2007-2756 | ||||||||||||||||||
| Created: | June 14, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||
| Description: | Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gimp: multiple vulnerabilities
| Package(s): | gimp | CVE #(s): | CVE-2007-2949 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 28, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith | CVE #(s): | CVE-2006-6175 | |||
| Created: | January 17, 2007 | Updated: | March 7, 2008 | |||
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). | |||||
| Alerts: |
| |||||
ImageMagick: integer overflows
| Package(s): | imagemagick | CVE #(s): |