LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Securing our votes
This has been a bad few weeks to be a voting machine vendor. Three separate governments, California, Florida and the UK looked at the devices and have come to remarkably similar conclusions. The machines they looked at are poorly designed, poorly implemented and subject to a wide variety of security threats. None of the studies mentioned it, but it is likely that the machines looked great.
The most comprehensive study was done by California Secretary of State Debra Bowen's office. That study looked at three electronic voting systems, each from a different manufacturer. Each system had three separate teams investigating, one looking at the source code, a "red team" that had physical access to the device and an accessibility team. Their conclusions were not surprising to anyone who has paid attention to this issue over the years.
All three of the voting machine systems were found to be sorely deficient by all three teams. Even accessibility, which is one of the major benefits touted by electronic voting advocates, was found lacking:
Though it is certainly terrible not to meet the needs of some individual voters, safeguarding the election process and accurately reporting the vote totals need to be higher priorities. Since they obviously had not successfully completed the accessibility task, one would hope they were able to secure the voting process. Unfortunately, they could not get the primary job done right either.
The red team reports were released first and the conclusions were devastating:
The teams were able to defeat the physical security of the voting machines, modify or overwrite the software in the machines as well as subvert the tabulation machines in order to provide incorrect vote counts. All of this just by having access to the machines themselves; the same access that election officials, poll workers and, to a lesser extent, voters, have.
Several days later, the source code teams' reports were released and, at that point, were almost anti-climactic. Unsurprisingly, they found numerous, hideous source code flaws in all three systems. Buffer overflows, hard coded passwords ('diebold' being a particularly difficult one to guess), misuse of encryption, integer overflows (wrapping vote counts to negative or zero perhaps); the list goes on an on. It is as if the voting machine vendors are completely unaware of the last twenty (or thirty or forty) years of software security flaws.
In reality, they are most likely not unaware, they are just arrogant. Diebold, Hart and Sequoia (the companies whose machines were studied) do not depend solely on their technical "prowess" to win bids for providing voting machines, politics plays a huge role. These are well connected companies. It also helps that they are all uniformly bad, there are literally no secure choices for a government agency to make.
Florida's study only covered Diebold equipment, but it echoed the findings in the California study. Avi Rubin of Johns Hopkins University, who participated in a 2003 study of Diebold's voting machine, notes:
One of the bigger problems found was that Diebold assigned cryptographic keys to each voting machine that is derived from an MD5 hash of the machine's serial number. Rubin again:
The UK also released reports on the outcome of electronic voting trials held in May. The overall summary of the trial, was, once again, not very favorable:
This was not the result of security professionals analyzing the systems for flaws, but was instead noted in actual trials of the equipment in an election.
The California study was quite well done and well thought out, except for one thing: it was done long after the equipment was bought and used in elections. This is the kind of study that needs to be done before buying the equipment. Due to the conclusions of the study, Bowen revoked the certification of the equipment from all three vendors, but immediately had to conditionally re-certify them as a practical matter. Even with a six month lead time, replacement systems (either electronic or of some other kind) could not be deployed before the 2008 California presidential primary voting.
The reaction to the California study by the manufacturers was typical. It is the same reaction they have had to each and every study done of the security of their devices: trivialize it. Each released a statement in reaction to the study conclusions, essentially admitting the flaws, but claiming that any "laboratory study" would find vulnerabilities. According to these vendors, it is impossible to make a secure voting system.
As they certainly know, no one is asking these vendors to break the laws of physics or to produce perfectly secure code. It would appear that they expend far more effort in deflecting criticism and lobbying various legislative bodies than they spend trying to secure their code and equipment. It is not necessary that the equipment be tamper-proof, merely that tampering can be detected. At least minimal precautions, perhaps to the level taught to computer science undergraduates, should be taken with the software.
This is not anywhere near as hard a problem as the vendors make it out to be. Many of the techniques needed to secure voting machinery are well known and well understood, at least outside of the vendors' labs. This is an area where open source methods could be and should be applied. Organizations like BlackBoxVoting.org and the NSF Accurate project should be working on solutions. Private companies have shown themselves to be completely incompetent at producing secure voting equipment, it is time for another solution to be tried.
New vulnerabilities
gd: multiple vulnerabilities
| Package(s): | gd | CVE #(s): | CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478 | |||||||||||||||||||||||||||
| Created: | August 6, 2007 | Updated: | February 28, 2008 | |||||||||||||||||||||||||||
| Description: | Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473) Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474) The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475) Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476) The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477) Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478) | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gimp: integer overflows
| Package(s): | gimp | CVE #(s): | CVE-2006-4519 | |||
| Created: | August 2, 2007 | Updated: | August 8, 2007 | |||
| Description: | The Gimp has multiple integer overflow vulnerabilities. If a user can be tricked into opening specially crafted DICOM, PNM, PSD, PSP, RAS, XBM, or XWD images, integer overflows can occur and arbitrary code can be executed with the user's privileges. | |||||
| Alerts: |
| |||||
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun | CVE #(s): | CVE-2007-3503 CVE-2007-3655 CVE-2007-3698 CVE-2007-3922 | ||||||||||||||||||||||||||||||
| Created: | August 6, 2007 | Updated: | June 24, 2008 | ||||||||||||||||||||||||||||||
| Description: | The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow vulnerability within the parsing code for JNLP files. A remote attacker could create a malicious JNLP file that could trigger this flaw and execute arbitrary code when opened. (CVE-2007-3655) The JSSE component did not correctly process SSL/TLS handshake requests. A remote attacker who is able to connect to a JSSE-based service could trigger this flaw leading to a denial-of-service. (CVE-2007-3698) A flaw was found in the applet class loader. An untrusted applet could use this flaw to circumvent network access restrictions, possibly connecting to services hosted on the machine that executed the applet. (CVE-2007-3922) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
mediawiki: cross-site scripting
| Package(s): | mediawiki | CVE #(s): | CVE-2007-1054 | |||
| Created: | August 7, 2007 | Updated: | August 8, 2007 | |||
| Description: | A cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer. | |||||
| Alerts: |
| |||||
moodle: cross-site scripting
| Package(s): | moodle | CVE #(s): | CVE-2007-3555 | ||||||
| Created: | August 7, 2007 | Updated: | January 16, 2008 | ||||||
| Description: | A cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1 allows remote attackers to inject arbitrary web script or HTML via a style expression in the search parameter. | ||||||||
| Alerts: |
| ||||||||
openssl: private key attack
| Package(s): | openssl | CVE #(s): | CVE-2007-3108 | ||||||||||||||||||||||||
| Created: | August 7, 2007 | Updated: | May 13, 2008 | ||||||||||||||||||||||||
| Description: | OpenSSL could allow a local user in certain circumstances to divulge information about private keys being used. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
xpdf: bounds checking issues
| Package(s): | xpdf | CVE #(s): | ||||
| Created: | August 3, 2007 | Updated: | August 8, 2007 | |||
| Description: | XPDF had several bounds checking issues that were fixed in version 3.02 according to this change log. A patch can be found here. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk | CVE #(s): | CVE-2007-1561 CVE-2007-1594 | |||||||||
| Created: | April 3, 2007 | Updated: | August 27, 2007 | |||||||||
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. | |||||||||||
| Alerts: |
| |||||||||||
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer | CVE #(s): | CVE-2007-3410 | ||||||||||||
| Created: | June 27, 2007 | Updated: | September 17, 2007 | ||||||||||||
| Description: | A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) | ||||||||||||||
| Alerts: |
| ||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
avahi: denial of service
| Package(s): | avahi | CVE #(s): | CVE-2007-3372 | ||||||
| Created: | June 28, 2007 | Updated: | September 18, 2007 | ||||||
| Description: | Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function. | ||||||||
| Alerts: |
| ||||||||
bind: DNS cache poisoning
| Package(s): | bind | CVE #(s): | CVE-2007-2926 | |||||||||||||||||||||||||||||||||||||||
| Created: | July 24, 2007 | Updated: | August 20, 2007 | |||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
bochs: buffer overflow
| Package(s): | bochs | CVE #(s): | CVE-2007-2893 | ||||||||||||
| Created: | July 20, 2007 | Updated: | November 19, 2007 | ||||||||||||
| Description: | A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow." | ||||||||||||||
| Alerts: |
| ||||||||||||||
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla | CVE #(s): | CVE-2006-5453 CVE-2006-5454 CVE-2006-5455 | ||||||
| Created: | November 10, 2006 | Updated: | August 28, 2007 | ||||||
| Description: | Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before being passed back to users. Users can gain unauthorized access to read attachment descriptions while using diff mode. HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification. Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users. | ||||||||
| Alerts: |
| ||||||||
centericq: buffer overflows
| Package(s): | centericq | CVE #(s): | CVE-2007-3713 | |||||||||
| Created: | July 20, 2007 | Updated: | December 17, 2007 | |||||||||
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160. | |||||||||||
| Alerts: |
| |||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gpdf: integer overflow
| Package(s): | cups poppler xpdf | CVE #(s): | CVE-2007-3387 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 31, 2007 | Updated: | November 28, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dovecot: directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2007-2231 | ||||||||||||
| Created: | May 8, 2007 | Updated: | May 21, 2008 | ||||||||||||
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||||||||||||||
| Alerts: |
| ||||||||||||||
drupal: cross site request forgery
| Package(s): | drupal | CVE #(s): | ||||
| Created: | July 27, 2007 | Updated: | August 1, 2007 | |||
| Description: | From DRUPAL-SA-2007-017: "Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site." | |||||
| Alerts: |
| |||||
emacs21: denial of service
| Package(s): | emacs21 | CVE #(s): | CVE-2007-2833 | ||||||||||||
| Created: | June 21, 2007 | Updated: | August 29, 2007 | ||||||||||||
| Description: | The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images". | ||||||||||||||
| Alerts: |
| ||||||||||||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail | CVE #(s): | CVE-2007-1558 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 8, 2007 | Updated: | August 7, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server | CVE #(s): | CVE-2007-3257 | ||||||||||||||||||||||||||||||||||||
| Created: | June 18, 2007 | Updated: | November 7, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array." | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
festival: privilege escalation
| Package(s): | festival | CVE #(s): | ||||
| Created: | July 26, 2007 | Updated: | August 1, 2007 | |||
| Description: | The festival text-to-speech converter has a privilege escalation vulnerability. The festival daemon runs with root privileges, a local attacker can connect to to the daemon and execute arbitrary commands as root. | |||||
| Alerts: |
| |||||
file: integer overflow
| Package(s): | file | CVE #(s): | CVE-2007-2799 | ||||||||||||||||||||||||||||||
| Created: | June 1, 2007 | Updated: | October 19, 2007 | ||||||||||||||||||||||||||||||
| Description: | Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-3844 CVE-2007-3845 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | February 20, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird | CVE #(s): | CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 4, 2007 | Updated: | August 29, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869) Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362) A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 18, 2007 | Updated: | May 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flac123: arbitrary code execution
| Package(s): | flac123 | CVE #(s): | CVE-2007-3507 | ||||||
| Created: | July 13, 2007 | Updated: | October 22, 2007 | ||||||
| Description: | A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length. | ||||||||
| Alerts: |
| ||||||||
flash-plugin: input validation flaw
| Package(s): | flash-plugin | CVE #(s): | CVE-2007-3456 | ||||||||||||
| Created: | July 12, 2007 | Updated: | August 10, 2007 | ||||||||||||
| Description: | The Firefox flash-plugin module has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 8, 2006 | Updated: | October 10, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gcc: file overwrite vulnerability
| Package(s): | gcc | CVE #(s): | CVE-2006-3619 | ||||||||||||
| Created: | September 6, 2006 | Updated: | March 14, 2008 | ||||||||||||
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gd: buffer overflow
| Package(s): | gd | CVE #(s): | CVE-2007-0455 | ||||||||||||||||||||||||||||||
| Created: | February 7, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||||||||||||||
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
gd: denial of service
| Package(s): | gd | CVE #(s): | CVE-2007-2756 | ||||||||||||||||||
| Created: | June 14, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||
| Description: | Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gdm: denial of service
| Package(s): | gdm | CVE #(s): | CVE-2007-3381 | |||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | September 20, 2007 | |||||||||||||||||||||
| Description: | JLANTHEA reported a denial of service flaw in the way that gdm listens on its Unix domain socket. Any local user can crash the locally running X session. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
gimp: multiple vulnerabilities
| Package(s): | gimp | CVE #(s): | CVE-2007-2949 | ||||||||||||||||||||||||||||||||
| Created: | June 28, 2007 | Updated: | February 27, 2008 | ||||||||||||||||||||||||||||||||
| Description: | The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||