Security

Centralizing policy rules with PolicyKit

By Jake Edge
November 14, 2007

Linux security policy is very simple at its core: the root user can do anything, while all other users can do very little. Unfortunately, administrators want to be able to allow other users to do a limited subset of the things root is permitted to do. Various solutions have been implemented to try to solve this problem, with a recent one being PolicyKit.

Mounting removable filesystems, CDs, USB devices, and the like, is a classic example of a root-only task that some non-privileged users might be allowed to perform. In the past, various mechanisms using groups or mount options in /etc/fstab have been used with some success, but the mechanisms were specific to mounting and did not provide the flexibility that some administrators would like. Network configuration - particularly for wireless networking - is another common task that users might be allowed to do.

PolicyKit is an attempt to centralize these kinds of decisions into a single policy file that the administrator can use to set the kinds of access regular users should be allowed. Previous solutions required changing each utility to handle policy, each in its own unique format and file(s). PolicyKit is meant to avoid all of that, creating a single place, with a consistent syntax (the now ubiquitous XML), that details the policy rules for that system.

The PolicyKit philosophy decouples the "mechanism" of performing the privileged operation from the user interface used to request it. A GUI network configuration tool might allow a user to choose a different network to associate with, but would have no direct means to make that change. It would, instead, contact a privileged network management daemon through an interprocess communication mechanism (such as D-Bus). That daemon would use the PolicyKit API to determine whether to grant the request.

In order to make that decision, PolicyKit needs three pieces of information: the subject, object, and action. The subject is the user and process requesting the action, while the object is the entity on which the action is being requested. In a network configuration example, the subject would be a uid, along with additional identifying information such as SELinux security context, the action would be to change the association, and the object would be the network device.

The mechanism code calls the PolicyKit library, passing the subject, object, and action, receiving back a decision. The decision could be a simple yes or no, or it could, instead, require that the user authenticate - either as themselves or as root - before allowing the operation. Re-authentication can be required on sensitive actions, such as those that malware or malicious users might want to perform, to provide an additional layer of security. All of this policy is governed by the entries in the PolicyKit configuration file. Once the decision has been rendered, it is up to the mechanism to enforce it. This may require coordination with the UI, especially if authentication is required.

Administrators can modify the PolicyKit configuration by way of an XML file, usually PolicyKit.conf. The man page gives a few examples of entries like the following:

    <match action="org.freedesktop.hal.storage.mount-fixed">
      <match user="davidz">
        <return result="yes"/>
      </match>
      <match user="freddy">
        <return result="no"/>
      </match>
    </match>

As should be relatively easy to see, this configuration would allow the user "davidz" to perform the action "mount-fixed" while disallowing the user "freddy". Depending on the default value for that action, as specified in the mechanism's configuration, users not listed could be denied, allowed, or be required to authenticate.

Configuration for mechanisms, which lists the supported actions along with a default policy, is specified in a separate XML file. The mechanism could generate the file on startup and remove it on exit, completely removing the action from the system when it is inactive. Action configuration also includes the message strings that will be displayed by the UI when authenticating or denying users.
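
The lookup and the mechanism's side of the bargain can be modelled in a few lines of Python. This is an added illustration, not PolicyKit's own code: the `<config>` wrapper, exact (non-pattern) attribute matching, first-match-wins ordering, the `auth_self`/`auth_admin` labels and the `mechanism_mount` helper are all assumptions of the sketch. It shows the nested `<match>` walk, the fallback to the action's default for unlisted users, and a mechanism that fails closed on anything it does not understand.

```python
import xml.etree.ElementTree as ET

ACTION = "org.freedesktop.hal.storage.mount-fixed"

# Constructed sample: the entry quoted in the article, wrapped in a root
# element (the <config> wrapper is an assumption of this sketch).
SAMPLE_CONF = """\
<config>
  <match action="org.freedesktop.hal.storage.mount-fixed">
    <match user="davidz">
      <return result="yes"/>
    </match>
    <match user="freddy">
      <return result="no"/>
    </match>
  </match>
</config>
"""

# "yes" and "no" appear in the article; the two auth labels are hypothetical
# names for "authenticate as yourself" and "authenticate as root".
KNOWN_RESULTS = {"yes", "no", "auth_self", "auth_admin"}


def _search(node, request):
    """Depth-first, document-order walk; first applicable <return> wins."""
    for child in node:
        if child.tag == "return":
            # A <return> without a result yields "", which is later denied.
            return child.get("result", "")
        # Every attribute on a <match> must equal the request's value.
        if child.tag == "match" and all(
            request.get(key) == value for key, value in child.attrib.items()
        ):
            found = _search(child, request)
            if found is not None:
                return found
    return None


def decide(conf_xml, action, user, action_default):
    """Return the decision for (action, user); anything unclear becomes "no"."""
    try:
        root = ET.fromstring(conf_xml)
    except ET.ParseError:
        return "no"  # unreadable policy file: fail closed
    result = _search(root, {"action": action, "user": user})
    if result is None:
        # No rule matched: use the default from the action's own configuration.
        result = action_default
    return result if result in KNOWN_RESULTS else "no"


def mechanism_mount(conf_xml, user, authenticated=False,
                    action_default="auth_admin"):
    """Hypothetical privileged mechanism: the decision is only advice,
    so the enforcement happens here, not in the policy library."""
    decision = decide(conf_xml, ACTION, user, action_default)
    if decision == "yes":
        return "mounted"
    if decision in ("auth_self", "auth_admin"):
        return "mounted" if authenticated else "authentication required"
    return "denied"


if __name__ == "__main__":
    for user in ("davidz", "freddy", "alice"):
        print(user, "->", mechanism_mount(SAMPLE_CONF, user))
```
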

PolicyKit has been added to Fedora 8, but is, as yet, mostly unused. There are plans to integrate various GNOME configuration tools with PolicyKit for Fedora 9 and a GNOME API has been created to assist with that. One would guess that a KDE API is in the wings as well.

PolicyKit is not meant to replace SELinux or other security mechanisms; it is simply a means to allow users more privileges in a centralized, easily audited way. PolicyKit works within the existing access control framework, using whatever privileges have been given to the mechanism. In the end, PolicyKit just provides advice to another program; it is up to that program to enforce the decision, while the OS can and does enforce its own rules upon that process.

New vulnerabilities

3proxy: denial of service

Package(s):3proxy CVE #(s):CVE-2007-5622
Created:November 9, 2007 Updated:November 14, 2007
Description: Double-free vulnerability in the ftpprchild function in ftppr in 3proxy 0.5 through 0.5.3i allows remote attackers to cause a denial of service (daemon crash) via multiple OPEN commands to the FTP proxy.
Alerts:
Gentoo 200711-13 2007-11-08

Django: denial of service

Package(s):Django CVE #(s):CVE-2007-5712
Created:November 12, 2007 Updated:May 21, 2008
Description:

From the CVE notice:

The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.

Alerts:
Fedora FEDORA-2007-2788 2007-11-09
Fedora FEDORA-2007-3157 2007-11-09

emacs: command execution via local variables

Package(s):emacs CVE #(s):CVE-2007-5795
Created:November 14, 2007 Updated:February 5, 2008
Description: From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands.
Alerts:
Mandriva MDVSA-2008:034 2007-02-04
Gentoo 200712-03 2007-12-09
Ubuntu USN-541-1 2007-11-13
Fedora FEDORA-2007-2946 2007-11-17
Fedora FEDORA-2007-3056 2007-11-17

gforge: multiple vulnerabilities

Package(s):gforge CVE #(s):CVE-2007-3921
Created:November 8, 2007 Updated:November 14, 2007
Description: The GForge collaborative development tool uses temp files in an insecure manner. Local users can use this to truncate files with the privileges of the gforge user; they can also use this to cause a denial of service.
Alerts:
Debian DSA-1402-1 2007-11-07

glib2: multiple vulnerabilities

Package(s):glib2 CVE #(s):
Created:November 8, 2007 Updated:November 14, 2007
Description: The glib2 library has multiple (currently unspecified) vulnerabilities in PCRE.
Alerts:
Fedora FEDORA-2007-2944 2007-11-08

horde3: multiple vulnerabilities

Package(s):horde3 CVE #(s):CVE-2006-3548 CVE-2006-3549 CVE-2006-4256 CVE-2007-1473 CVE-2007-1474
Created:November 12, 2007 Updated:November 14, 2007
Description:

From the Debian advisory:

Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-3548: Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting).

CVE-2006-3549: Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy.

CVE-2006-4256: Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks.

CVE-2007-1473: Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting).

CVE-2007-1474: iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files.

Alerts:
Debian DSA-1406-1 2007-11-09

inotify-tools: arbitrary code execution

Package(s):inotify-tools CVE #(s):CVE-2007-5037
Created:November 12, 2007 Updated:December 28, 2007
Description:

From the Fedora advisory:

A vulnerability has been reported in inotify-tools, which can potentially be exploited by malicious users to compromise an application using the library.

Successful exploitation may allow the execution of arbitrary code with privileges of the application using the affected library.

NOTE: The programs shipped with inotify-tools are reportedly not affected.

The vulnerability is reported in versions prior to 3.11.

Alerts:
Debian DSA-1440-1 2007-12-28
Fedora FEDORA-2007-3074 2007-11-09

kernel: remote denial of service

Package(s):kernel CVE #(s):CVE-2006-6058 CVE-2007-4997
Created:November 9, 2007 Updated:June 13, 2008
Description: The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly other versions, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error.

Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an "off-by-two error."

Alerts:
Mandriva MDVSA-2008:112 2007-06-12
Mandriva MDVSA-2008:105 2007-05-21
Debian DSA-1504 2008-02-22
Ubuntu USN-578-1 2008-02-14
SuSE SUSE-SA:2008:006 2008-02-07
Ubuntu USN-574-1 2008-02-04
Mandriva MDVSA-2008:008 2008-01-11
Debian DSA-1436-1 2007-12-20
Debian DSA-1428-2 2007-12-11
SuSE SUSE-SA:2007:064 2007-12-04
Red Hat RHSA-2007:1104-01 2007-12-19
Ubuntu USN-558-1 2007-12-19
Debian DSA-1428-1 2007-12-10
Red Hat RHSA-2007:0993-01 2007-11-29
Mandriva MDKSA-2007:232 2007-11-28
rPath rPSA-2007-0245-2 2007-11-21
rPath rPSA-2007-0245-1 2007-11-21
Mandriva MDKSA-2007:226 2007-11-19
Red Hat RHSA-2007:0672-01 2007-08-08
SuSE SUSE-SA:2007:059 2007-11-09

link-grammar: stack-based buffer overflow

Package(s):link-grammar CVE #(s):CVE-2007-5395
Created:November 13, 2007 Updated:December 17, 2007
Description: Stack-based buffer overflow in the separate_word function in tokenize.c in Link Grammar 4.1b and possibly other versions, as used in AbiWord Link Grammar 4.2.4, allows remote attackers to execute arbitrary code via a long word, as reachable through the separate_sentence function.
Alerts:
Debian DSA-1432-1 2007-12-16
Ubuntu USN-545-1 2007-11-26
Fedora FEDORA-2007-3339 2007-11-15
Gentoo 200711-27 2007-11-18
Fedora FEDORA-2007-3235 2007-11-13

madwifi: denial of service

Package(s):madwifi CVE #(s):CVE-2007-5448
Created:November 8, 2007 Updated:January 11, 2008
Description: The MadWifi driver for Atheros Wireless LAN cards does not process beacon frames correctly. This can be used by a remote attacker to cause a denial of service.
Alerts:
Mandriva MDVSA-2008:007 2007-01-10
Gentoo 200711-09 2007-11-07

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2007-5707
Created:November 8, 2007 Updated:April 9, 2008
Description: The OpenLDAP Lightweight Directory Access Protocol suite has a problem with handling of malformed objectClasses LDAP attributes by the slapd daemon. Both local and remote attackers can use this to crash slapd, causing a denial of service.
Alerts:
Debian DSA-1541-1 2008-04-08
Gentoo 200803-28 2008-03-19
Ubuntu USN-551-1 2007-12-04
Fedora FEDORA-2007-3124 2007-11-20
SuSE SUSE-SR:2007:024 2007-11-22
Red Hat RHSA-2007:1038-01 2007-11-15
Fedora FEDORA-2007-741 2007-11-15
Fedora FEDORA-2007-2796 2007-11-09
Mandriva MDKSA-2007:215 2007-11-08
Red Hat RHSA-2007:1037-01 2007-11-08

php: denial of service

Package(s):php CVE #(s):CVE-2007-4887
Created:November 12, 2007 Updated:November 20, 2007
Description:

From the CVE entry:

The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability.

Alerts:
rPath rPSA-2007-0242-1 2007-11-19
Slackware SSA:2007-314-02 2007-11-12
Slackware SSA:2007-314-01 2007-11-12

poppler and xpdf: multiple vulnerabilities

Package(s):poppler xpdf CVE #(s):CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Created:November 8, 2007 Updated:February 26, 2008
Description: The xpdf and poppler PDF libraries contain several vulnerabilities which can lead to arbitrary command execution via hostile PDF files. Numerous other applications which use these libraries (PDF viewers, CUPS, etc.) will be affected by the vulnerabilities as well.
Alerts:
Debian DSA-1509-1 2008-02-25
Debian DSA-1480-1 2008-02-05
Fedora FEDORA-2007-4031 2007-12-10
Mandriva MDKSA-2007:230 2007-11-20
Fedora FEDORA-2007-3308 2007-11-20
Mandriva MDKSA-2007:228 2007-11-19
Mandriva MDKSA-2007:227 2007-11-19
Gentoo 200711-22 2007-11-18
Mandriva MDKSA-2007:221 2007-11-15
Mandriva MDKSA-2007:220 2007-11-15
SuSE SUSE-SA:2007:060 2007-11-14
Ubuntu USN-542-1 2007-11-14
rPath rPSA-2007-0252-1 2007-11-28
Fedora FEDORA-2007-3390 2007-11-20
Fedora FEDORA-2007-750 2007-11-21
Debian DSA-1408-1 2007-11-21
Mandriva MDKSA-2007:223 2007-11-17
Mandriva MDKSA-2007:222 2007-11-17
Mandriva MDKSA-2007:219 2007-11-15
Ubuntu USN-542-2 2007-11-15
Fedora FEDORA-2007-2985 2007-11-13
Slackware SSA:2007-316-01 2007-11-12
Red Hat RHSA-2007:1051-01 2007-11-12
Red Hat RHSA-2007:1024-01 2007-11-12
Fedora FEDORA-2007-3093 2007-11-09
Fedora FEDORA-2007-3014 2007-11-09
Fedora FEDORA-2007-3001 2007-11-09
Fedora FEDORA-2007-3100 2007-11-09
Fedora FEDORA-2007-3059 2007-11-09
Fedora FEDORA-2007-3031 2007-11-09
Red Hat RHSA-2007:1031-01 2007-11-07
Red Hat RHSA-2007:1030-01 2007-11-07
Red Hat RHSA-2007:1029-01 2007-11-07
Red Hat RHSA-2007:1028-01 2007-11-07
Red Hat RHSA-2007:1026-01 2007-11-07
Red Hat RHSA-2007:1025-01 2007-11-07
Red Hat RHSA-2007:1023-01 2007-11-07
Red Hat RHSA-2007:1022-01 2007-11-07
Red Hat RHSA-2007:1021-01 2007-11-07
Fedora FEDORA-2007-746 2007-11-15

tomboy: execution of arbitrary code

Package(s):tomboy CVE #(s):CVE-2005-4790
Created:November 9, 2007 Updated:March 26, 2008
Description: Jan Oravec reported that the "/usr/bin/tomboy" script sets the "LD_LIBRARY_PATH" environment variable incorrectly, which might result in the current working directory (.) being included when searching for dynamically linked libraries of the Mono Runtime application.

Note that the tomboy vulnerability was added in 2007.

Alerts:
Fedora FEDORA-2008-2682 2008-03-26
Mandriva MDVSA-2008:064 2007-03-07
Fedora FEDORA-2008-1535 2008-02-13
Gentoo 200801-14 2008-01-27
Ubuntu USN-560-1 2008-01-07
Fedora FEDORA-2007-3792 2007-11-26
Fedora FEDORA-2007-3798 2007-11-26
Fedora FEDORA-2007-3253 2007-11-13
Fedora FEDORA-2007-3011 2007-11-09
Gentoo 200711-12 2007-11-08

zope-cmfplone: arbitrary code execution

Package(s):zope-cmfplone CVE #(s):CVE-2007-5741
Created:November 12, 2007 Updated:December 28, 2007
Description:

From the Debian advisory:

It was discovered that Plone, a web content management system, allows remote attackers to execute arbitrary code via specially crafted web browser cookies.

Alerts:
Debian DSA-1405-3 2007-12-01
Debian DSA-1405-2 2007-11-11
Debian DSA-1405-1 2007-11-09

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

Alerts:
Slackware SSA:2008-045-02 2008-02-15
Ubuntu USN-575-1 2008-02-04
Red Hat RHSA-2008:0008-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0004-01 2008-01-15
Mandriva MDKSA-2007:235 2007-12-03
SuSE SUSE-SA:2007:061 2007-11-19
Red Hat RHSA-2007:0747-02 2007-11-15
Gentoo 200711-06 2007-11-07
Red Hat RHSA-2007:0746-04 2007-11-07
Red Hat RHSA-2007:0911-01 2007-10-25
Fedora FEDORA-2007-707 2007-09-24

bochs: buffer overflow

Package(s):bochs CVE #(s):CVE-2007-2893
Created:July 20, 2007 Updated:November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
Gentoo 200711-21 2007-11-17
Fedora FEDORA-2007-1778 2007-08-23
Debian DSA-1351-1 2007-08-07
Fedora FEDORA-2007-1153 2007-07-19

cacti: denial of service

Package(s):cacti CVE #(s):CVE-2007-3112 CVE-2007-3113
Created:September 18, 2007 Updated:February 18, 2008
Description: A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.
Alerts:
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2007-3683 2007-11-22
Fedora FEDORA-2007-2199 2007-09-18
Mandriva MDKSA-2007:184 2007-09-17

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-0170 2008-01-22
Gentoo 200709-14 2007-09-20
Fedora FEDORA-2007-2050 2007-09-07
Mandriva MDKSA-2007:172 2007-08-31
Debian DSA-1366-1 2007-09-01

conga: denial of service

Package(s):conga CVE #(s):CVE-2007-4136
Created:November 7, 2007 Updated:November 22, 2007
Description: A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136).
Alerts:
Red Hat RHSA-2007:0983-01 2007-11-21
Red Hat RHSA-2007:0640-04 2007-11-07

coolkey: temporary file vulnerability

Package(s):coolkey CVE #(s):CVE-2007-4129
Created:November 7, 2007 Updated:November 7, 2007
Description: Steve Grubb discovered a flaw in the way coolkey created a temporary directory. A local attacker could perform a symlink attack and cause arbitrary files to be overwritten. (CVE-2007-4129)
Alerts:
Red Hat RHSA-2007:0631-04 2007-11-07

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

cups: buffer overflow

Package(s):cups CVE #(s):CVE-2007-4351
Created:October 31, 2007 Updated:November 19, 2007
Description: The CUPS code charged with dealing with TCP-based Internet Printer Protocol connections suffers from a buffer overflow which could possibly be exploitable remotely. The vulnerability is only present if remote hosts are allowed to connect to the IPP port, which is usually not the default setting.
Alerts:
Debian DSA-1407-1 2007-11-18
Gentoo 200711-16 2007-11-12
Mandriva MDKSA-2007:204-1 2007-11-12
Fedora FEDORA-2007-2982 2007-11-08
Ubuntu USN-539-1 2007-11-06
Fedora FEDORA-2007-740 2007-11-05
Slackware SSA:2007-305-01 2007-11-02
Fedora FEDORA-2007-2715 2007-11-01
Mandriva MDKSA-2007:204 2007-11-01
rPath rPSA-2007-0227-1 2007-10-31
SuSE SUSE-SA:2007:058 2007-10-31
Red Hat RHSA-2007:1020-01 2007-10-31

gpdf: integer overflow

Package(s):cups poppler xpdf CVE #(s):CVE-2007-3387
Created:July 31, 2007 Updated:November 28, 2007
Description: The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.
Alerts:
Fedora FEDORA-2007-3390 2007-11-20
Fedora FEDORA-2007-3308 2007-11-20
Gentoo 200710-20 2007-10-18
Gentoo 200710-08 2007-10-09
Gentoo 200709-12 2007-09-19
Fedora FEDORA-2007-685 2007-08-30
Debian-Testing DTSA-54-1 2007-08-22
Fedora FEDORA-2007-669 2007-08-13
Fedora FEDORA-2007-644 2007-08-13
Debian DSA-1357-1 2007-08-19
Mandriva MDKSA-2007:162 2007-08-14
Mandriva MDKSA-2007:165 2007-08-15
Foresight FLEA-2007-0046-1 2007-08-14
Fedora FEDORA-2007-1614 2007-08-15
Mandriva MDKSA-2007:164 2007-08-14
Mandriva MDKSA-2007:163 2007-08-14
Foresight FLEA-2007-0045-1 2007-08-14
Foresight FLEA-2007-0044-1 2007-08-14
Mandriva MDKSA-2007:158 2007-08-13
Mandriva MDKSA-2007:160 2007-08-13
Mandriva MDKSA-2007:161 2007-08-13
Mandriva MDKSA-2007:159 2007-08-13
Fedora FEDORA-2007-1594 2007-08-13
Debian DSA-1355-1 2007-08-13
Slackware SSA:2007-222-05 2007-08-13
Slackware SSA:2007-222-02 2007-08-13
Fedora FEDORA-2007-1547 2007-08-10
Fedora FEDORA-2007-1541 2007-08-10
Debian DSA-1354-1 2007-08-13
rPath rPSA-2007-0154-1 2007-08-10
SuSE SUSE-SR:2007:016 2007-08-10
Ubuntu USN-496-2 2007-08-07
Debian DSA-1352-1 2007-08-07
Debian DSA-1350-1 2007-08-06
Debian DSA-1349-1 2007-08-05
Debian DSA-1348-1 2007-08-04
Debian DSA-1347-1 2007-08-04
SuSE SUSE-SR:2007:015 2007-08-03
Ubuntu USN-496-1 2007-08-03
Red Hat RHSA-2007:0731-01 2007-08-01
Red Hat RHSA-2007:0735-01 2007-07-30
Red Hat RHSA-2007:0732-01 2007-07-30
Red Hat RHSA-2007:0729-01 2007-07-30
Red Hat RHSA-2007:0730-01 2007-07-30
Red Hat RHSA-2007:0720-01 2007-07-30

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Alerts:
Debian DSA-1527-1 2008-03-24
Ubuntu USN-526-1 2007-10-04

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):CVE-2007-5593 CVE-2007-5594 CVE-2007-5595 CVE-2007-5596 CVE-2007-5597
Created:October 24, 2007 Updated:December 7, 2007
Description: From the Fedora advisory:

- Upgrade to 5.3, fixes:
- HTTP response splitting.
- Arbitrary code execution.
- Cross-site scripting.
- Cross-site request forgery.
- Access bypass.
Alerts:
Fedora FEDORA-2007-4163 2007-12-06
Fedora FEDORA-2007-4136 2007-12-06
Fedora FEDORA-2007-2649 2007-10-24

eggdrop: stack-based buffer overflow

Package(s):eggdrop CVE #(s):CVE-2007-2807
Created:September 7, 2007 Updated:January 7, 2008
Description: A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message.
Alerts:
Debian DSA-1448-1 2008-01-05
Fedora FEDORA-2007-4325 2007-12-10
Fedora FEDORA-2007-4305 2007-12-10
Gentoo 200709-07 2007-09-15
Mandriva MDKSA-2007:175 2007-09-06

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):
Created:November 6, 2007 Updated:November 7, 2007
Description: update to 1.5.0.12
Alerts:
Fedora FEDORA-2007-732 2007-11-05

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

Comments (none posted)

flac: arbitrary code execution

Package(s):flac CVE #(s):CVE-2007-4619
Created:October 22, 2007 Updated:January 21, 2008
Description: From the Red Hat advisory:

A security flaw was found in the way flac processed audio data. An attacker could create a carefully crafted FLAC audio file in such a way that it could cause an application linked with flac libraries to crash or execute arbitrary code when it was opened. (CVE-2007-4619)

Alerts:
Debian DSA-1469-1 2008-01-20
rPath rPSA-2007-0243-1 2007-11-21
Ubuntu USN-540-1 2007-11-13
Gentoo 200711-15 2007-11-12
Mandriva MDKSA-2007:214 2007-11-08
Fedora FEDORA-2007-730 2007-11-05
Fedora FEDORA-2007-2596 2007-11-01
Red Hat RHSA-2007:0975-02 2007-10-22

Comments (none posted)

gallery2: multiple unspecified vulnerabilities

Package(s):gallery2 CVE #(s):CVE-2007-4650
Created:September 5, 2007 Updated:November 9, 2007
Description: Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules.
Alerts:
Debian DSA-1404-1 2007-11-08
Gentoo 200711-03 2007-11-01
Fedora FEDORA-2007-2020 2007-09-04

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

gd: multiple vulnerabilities

Package(s):gd CVE #(s):