LWN.net Logo

Security

On entropy and randomness

By Jake Edge
December 12, 2007

Linux random number generation (RNG) is often a source of confusion to developers, but it is also a very integral part of the security of the system. It provides random data to generate cryptographic keys, TCP sequence numbers, and the like, so unpredictability as well as very strong random numbers are required. When someone notices a flaw, or a possible flaw in the RNG, kernel hackers take notice.

Recurring universally unique identifiers (UUIDs), as reported by the smolt hardware profiler client program, had some worried about problems in the kernel RNG. As it turns out, the problem exists in the interaction between Fedora 8 LiveCD installations and smolt – essentially the UUID came from the CD – but it sparked a discussion leading to some possible improvements. Along the way, some common misconceptions about kernel RNG were cleared up.

The kernel gathers information from external sources to provide input to its entropy pool. This pool contains bits that have extremely strong random properties, so long as unpredictable events (inter-keypress timings, mouse movements, disk interrupts, etc.) are sampled. It provides direct access to this pool via the /dev/random device. Reading from that device will provide the strongest random numbers that Linux can offer – depleting the entropy pool. When the entropy pool runs low, reads to /dev/random block until there is sufficient entropy.

The alternative interface, the one that nearly all programs should use, is /dev/urandom. Reading from that device will not block. If sufficient entropy is available, it will provide random numbers just as strong as /dev/random, if not, it uses the SHA cryptographic hash algorithm to generate very strong random numbers. Developers often overestimate how strong their random numbers need to be; they also overestimate how easy "breaking" /dev/urandom would be, which leads to programs that, unnecessarily, read /dev/random. Ted Ts'o, who wrote the kernel RNG, puts it this way:

Past a certain point /dev/urandom will start returning results which are cryptographically random. At that point, you are depending on the strength of the SHA hash algorithm, and actually being able to not just to find hash collisions, but being able to trivially find all or most possible pre-images for a particular SHA hash algorithm. If that were to happen, it's highly likely that all digital signatures and openssh would be totally broken.

There is still a bit of hole in all of this: how does a freshly installed system, with little or no user interaction, at least yet, get its initial entropy? When Alan Cox and Mike McGrath started describing the smolt problem, the immediate reaction was to look closely at how the entropy pool was being initialized. While that turned out not to be the problem, it did lead Matt Mackall, maintainer of the kernel RNG, to start thinking about better pool initialization. Various ideas about mixing in data specific to the host, like MAC address and PCI device characteristics were discussed.

As Ts'o points out, that will help prevent things like UUID collisions, but it doesn't solve the problem of predictability of the random numbers that will be generated by these systems.

In order to do that we really do need to improve the amount of hardware entropy we can mix into the system. This is a hard problem, but as more people are relying on these facilities, it's something we need to think about quite a bit more!

Linux provides random numbers suitable for nearly any purpose via /dev/urandom. For the truly paranoid, there is also /dev/random, but developers would do well to forget that device exists for everything but the most critical needs. If one is generating a large key pair, to use for the next century, using some data from /dev/random is probably right. Anything with lower requirements should seriously consider /dev/urandom.

Comments (28 posted)

New vulnerabilities

autofs: insecure default configuration

Package(s):autofs CVE #(s):CVE-2007-5964
Created:December 12, 2007 Updated:January 14, 2008
Description: Versions of the autofs automounter daemon as shipped by Red Hat (and possibly other distributors) are installed with an insecure configuration; in particular, the "hosts" map lacks the "nosuid" option, allowing an attacker who has control over an NFS server to run setuid programs on vulnerable systems.
Alerts:
Mandriva MDVSA-2008:009-1 2007-01-12
Mandriva MDVSA-2008:009 2007-01-11
Fedora FEDORA-2007-4707 2007-12-21
Fedora FEDORA-2007-4469 2007-12-15
Fedora FEDORA-2007-4532 2007-12-15
Red Hat RHSA-2007:1129-01 2007-12-12
Fedora FEDORA-2007-4709 2007-12-21
Red Hat RHSA-2007:1128-01 2007-12-12

Comments (none posted)

e2fsprogs: integer overflows

Package(s):e2fsprogs CVE #(s):CVE-2007-5497
Created:December 7, 2007 Updated:February 12, 2008
Description: Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code.
Alerts:
Foresight FLEA-2008-0005-1 2008-02-11
Fedora FEDORA-2007-4447 2008-01-16
Fedora FEDORA-2007-4461 2008-01-16
Red Hat RHSA-2008:0003-01 2008-01-07
Gentoo 200712-13 2007-12-18
rPath rPSA-2007-0262-1 2007-12-11
Debian DSA-1422 2007-12-07
Mandriva MDKSA-2007:242 2007-12-10
Ubuntu USN-555-1 2007-12-08

Comments (none posted)

emacs: buffer overflow

Package(s):emacs CVE #(s):CVE-2007-6109
Created:December 10, 2007 Updated:May 6, 2008
Description:

From the National Vulnerability Database:

Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line.

Alerts:
Ubuntu USN-607-1 2008-05-06
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:034 2007-02-04
Gentoo 200712-03 2007-12-09

Comments (none posted)

emul-linux-x86-qtlibs: arbitrary code execution

Package(s):emul-linux-x86-qtlibs CVE #(s):
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the Gentoo advisory:

An attacker could trigger one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to the execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200712-08 2007-12-09

Comments (none posted)

firebird: arbitrary code execution

Package(s):firebird CVE #(s):CVE-2007-4992 CVE-2007-5246
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the Gentoo advisory:

Adriano Lima and Ramon de Carvalho Valle reported that functions isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input.

A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the execution of arbitrary code with the privileges of the user running Firebird (usually firebird).

Alerts:
Gentoo 200712-06 2007-12-09

Comments (none posted)

heimdal: insufficient memory allocation

Package(s):heimdal CVE #(s):CVE-2007-5939
Created:December 7, 2007 Updated:December 12, 2007
Description: The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect.
Alerts:
Mandriva MDKSA-2007:239 2007-12-06

Comments (1 posted)

libnfsidmap: possible privilege escalation

Package(s):libnfsidmap CVE #(s):CVE-2007-4135
Created:December 7, 2007 Updated:December 12, 2007
Description: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Alerts:
Mandriva MDKSA-2007:240 2007-12-07

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:May 21, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Gentoo 200804-04 2008-04-06
SuSE SUSE-SR:2008:003 2008-02-07
rPath rPSA-2008-0018-1 2008-01-17
Debian DSA-1451-1 2008-01-06
Ubuntu USN-559-1 2007-12-21
Red Hat RHSA-2007:1157-01 2007-12-19
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1155-01 2007-12-18
Mandriva MDKSA-2007:243 2007-12-10

Comments (none posted)

nagios: cross-site scripting

Package(s):nagios CVE #(s):CVE-2007-5624
Created:December 7, 2007 Updated:May 9, 2008
Description: Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Alerts:
SuSE SUSE-SR:2008:011 2008-05-09
Mandriva MDVSA-2008:067 2008-03-18
Fedora FEDORA-2007-4145 2007-12-06
Fedora FEDORA-2007-4123 2007-12-06

Comments (none posted)

phpMyAdmin: information disclosure

Package(s):phpMyAdmin CVE #(s):CVE-2007-0095
Created:December 11, 2007 Updated:September 25, 2008
Description: phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.
Alerts:
Fedora FEDORA-2008-6502 2008-07-17
Fedora FEDORA-2008-6450 2008-07-17
Fedora FEDORA-2008-2229 2008-03-03
Fedora FEDORA-2008-2189 2008-03-03
Fedora FEDORA-2007-4298 2007-12-10
Fedora FEDORA-2007-4334 2007-12-10
Fedora FEDORA-2008-8269 2008-09-24
Fedora FEDORA-2008-8286 2008-09-24

Comments (none posted)

ruby-gnome2: format string vulnerability

Package(s):ruby-gnome2 CVE #(s):CVE-2007-6183
Created:December 7, 2007 Updated:April 23, 2008
Description: A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
Alerts:
Fedora FEDORA-2008-3249 2008-04-22
Fedora FEDORA-2008-3283 2008-04-22
Fedora FEDORA-2008-2682 2008-03-26
Fedora FEDORA-2008-2662 2008-03-26
Fedora FEDORA-2008-1535 2008-02-13
Mandriva MDVSA-2008:033 2007-02-01
Debian DSA-1431-1 2007-12-11
Gentoo 200712-09 2007-12-09
Fedora FEDORA-2007-4216 2007-12-06
Fedora FEDORA-2007-4229 2007-12-06

Comments (none posted)

samba: stack-based buffer overflow

Package(s):samba CVE #(s):CVE-2007-6015
Created:December 11, 2007 Updated:December 19, 2007
Description: A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server.
Alerts:
Ubuntu USN-556-1 2007-12-18
SuSE SUSE-SA:2007:068 2007-12-12
Mandriva MDKSA-2007:244 2007-12-11
Red Hat RHSA-2007:1117-01 2007-12-10
Red Hat RHSA-2007:1114-01 2007-12-10
Slackware SSA:2007-344-01 2007-12-11
Fedora FEDORA-2007-4275 2007-12-10
Fedora FEDORA-2007-4269 2007-12-10
Gentoo 200712-10 2007-12-10
rPath rPSA-2007-0261-1 2007-12-10
Debian DSA-1427-1 2007-12-10

Comments (none posted)

xorg-x11-xfs: arbitrary code execution

Package(s):xorg-x11-xfs CVE #(s):
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the xorg advisory:

Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. Maliciously crafted requests can either cause two different problems with both requests:

* An integer overflow in the computation of the size of a dynamic buffer can lead to a heap overflow in the build_range() function.

* An arbitrary number of bytes on the heap can be swapped by the swap_char2b() function.

Alerts:
Fedora FEDORA-2007-763 2007-12-07

Comments (none posted)

zabbix: privilege escalation

Package(s):zabbix CVE #(s):CVE-2007-6210
Created:December 6, 2007 Updated:December 12, 2007
Description: Bas van Schaik has found a privilege escalation in the agentd process of the Zabbix network monitor application. Agentd can be used to run user commands under the root account, leading to an escalation of privilege.
Alerts:
Debian DSA-1420-1 2007-12-05
Fedora FEDORA-2007-4176 2007-12-06
Fedora FEDORA-2007-4160 2007-12-06

Comments (none posted)

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

apache2: denial of service

Package(s):apache2 CVE #(s):CVE-2007-1863
Created:November 19, 2007 Updated:February 18, 2008
Description:

From the CVE entry:

cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19

Comments (1 posted)

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

Alerts:
Slackware SSA:2008-045-02 2008-02-15
Ubuntu USN-575-1 2008-02-04
Red Hat RHSA-2008:0008-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0004-01 2008-01-15
Mandriva MDKSA-2007:235 2007-12-03
SuSE SUSE-SA:2007:061 2007-11-19
Red Hat RHSA-2007:0747-02 2007-11-15
Gentoo 200711-06 2007-11-07
Red Hat RHSA-2007:0746-04 2007-11-07
Red Hat RHSA-2007:0911-01 2007-10-25
Fedora FEDORA-2007-707 2007-09-24

Comments (none posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Gentoo 200804-13 2008-04-14
SuSE SUSE-SR:2008:005 2008-03-06
Debian DSA-1417-1 2007-12-02

Comments (none posted)

cacti: SQL injection vulnerability

Package(s):cacti CVE #(s):CVE-2007-6035
Created:November 22, 2007 Updated:February 18, 2008
Description: Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors.
Alerts:
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2008-1699 2008-02-15
Debian DSA-1418-1 2007-12-02
Mandriva MDKSA-2007:231 2007-11-22
Fedora FEDORA-2007-3683 2007-11-22
Gentoo 200712-02:02 2007-12-05
SuSE SUSE-SR:2007:024 2007-11-22
Fedora FEDORA-2007-3667 2007-11-22

Comments (none posted)

cacti: denial of service

Package(s):cacti CVE #(s):CVE-2007-3112 CVE-2007-3113
Created:September 18, 2007 Updated:February 18, 2008
Description: A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.
Alerts:
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2007-3683 2007-11-22
Fedora FEDORA-2007-2199 2007-09-18
Mandriva MDKSA-2007:184 2007-09-17

Comments (none posted)

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Debian DSA-1542-1 2008-04-09
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:019 2007-01-21
Fedora FEDORA-2007-3818 2008-01-16
rPath rPSA-2008-0015-1 2008-01-15
Ubuntu USN-550-3 2007-12-13
Ubuntu USN-550-2 2007-12-10
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-1 2007-12-03
Slackware SSA:2007-337-01 2007-12-04
Red Hat RHSA-2007:1078-02 2007-11-29

Comments (none posted)

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-0170 2008-01-22
Gentoo 200709-14 2007-09-20
Fedora FEDORA-2007-2050 2007-09-07
Mandriva MDKSA-2007:172 2007-08-31
Debian DSA-1366-1 2007-09-01

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Alerts:
Debian DSA-1527-1 2008-03-24
Ubuntu USN-526-1 2007-10-04

Comments (none posted)

Django: denial of service

Package(s):Django CVE #(s):CVE-2007-5712
Created:November 12, 2007 Updated:September 22, 2008
Description:

From the CVE notice:

The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.

Alerts:
Fedora FEDORA-2007-2788 2007-11-09
Fedora FEDORA-2007-3157 2007-11-09
Debian DSA-1640-1 2008-09-20

Comments (none posted)

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):CVE-2007-5593 CVE-2007-5594 CVE-2007-5595 CVE-2007-5596 CVE-2007-5597
Created:October 24, 2007 Updated:December 7, 2007
Description: From the Fedora advisory:

- Upgrade to 5.3, fixes:
- HTTP response splitting.
- Arbitrary code execution.
- Cross-site scripting.
- Cross-site request forgery.
- Access bypass.
Alerts:
Fedora FEDORA-2007-4163 2007-12-06
Fedora FEDORA-2007-4136 2007-12-06
Fedora FEDORA-2007-2649 2007-10-24

Comments (none posted)

eggdrop: stack-based buffer overflow

Package(s):eggdrop CVE #(s):CVE-2007-2807
Created:September 7, 2007 Updated:January 7, 2008
Description: A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message.
Alerts:
Debian DSA-1448-1 2008-01-05
Fedora FEDORA-2007-4325 2007-12-10
Fedora FEDORA-2007-4305 2007-12-10
Gentoo 200709-07 2007-09-15
Mandriva MDKSA-2007:175 2007-09-06

Comments (none posted)

emacs: command execution via local variables

Package(s):emacs CVE #(s):CVE-2007-5795
Created:November 14, 2007 Updated:February 5, 2008
Description: From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands.
Alerts:
Mandriva MDVSA-2008:034 2007-02-04
Gentoo 200712-03 2007-12-09
Ubuntu USN-541-1 2007-11-13
Fedora FEDORA-2007-2946 2007-11-17
Fedora FEDORA-2007-3056 2007-11-17

Comments (1 posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey CVE #(s):CVE-2007-5947 CVE-2007-5959 CVE-2007-5960
Created:November 27, 2007 Updated:March 3, 2008
Description: A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)

Alerts:
rPath rPSA-2008-0093-1 2008-02-29
Foresight FLEA-2008-0001-1 2008-02-11
Gentoo 200712-21 2007-12-29
Red Hat RHSA-2007:1083-01 2007-12-19
Mandriva MDKSA-2007:246 2007-12-13
Fedora FEDORA-2007-4098 2007-12-06
Debian DSA-1425-1 2007-12-08
Fedora FEDORA-2007-4106 2007-12-06
rPath rPSA-2007-0260-1 2007-12-06
Fedora FEDORA-2007-756 2007-12-03
Slackware SSA:2007-333-01 2007-11-30
Fedora FEDORA-2007-3962 2007-11-29
Fedora FEDORA-2007-3952 2007-11-29
Red Hat RHSA-2007:1082-01 2007-11-26
Debian DSA-1424-1 2007-12-08
Ubuntu USN-546-2 2007-12-04
SuSE SUSE-SA:2007:066 2007-12-05
Slackware SSA:2007-331-01 2007-11-28
Ubuntu USN-546-1 2007-11-26
Red Hat RHSA-2007:1084-01 2007-11-26

Comments (1 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

Comments (none posted)

flac: arbitrary code execution

Package(s):flac CVE #(s):CVE-2007-4619
Created:October 22, 2007 Updated:January 21, 2008
Description: From the Red Hat advisory:

A security flaw was found in the way flac processed audio data. An attacker could create a carefully crafted FLAC audio file in such a way that it could cause an application linked with flac libraries to crash or execute arbitrary code when it was opened. (CVE-2007-4619)

Alerts:
Debian DSA-1469-1 2008-01-20
rPath rPSA-2007-0243-1 2007-11-21
Ubuntu USN-540-1 2007-11-13
Gentoo 200711-15 2007-11-12
Mandriva MDKSA-2007:214 2007-11-08
Fedora FEDORA-2007-730 2007-11-05
Fedora FEDORA-2007-2596 2007-11-01
Red Hat RHSA-2007:0975-02 2007-10-22

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

gd: multiple vulnerabilities

Package(s):gd CVE #(s):CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Created:August 6, 2007 Updated:July 22, 2008
Description: Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified remote attack vectors and impact. (CVE-2007-3472)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)

Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474)

The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475)

Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477)

Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478)

Alerts:
Debian DSA-1613-1 2008-07-22
Red Hat RHSA-2008:0146-01 2008-02-28
SuSE SUSE-SR:2007:015 2007-08-03
Fedora FEDORA-2007-692 2007-09-18
Fedora FEDORA-2007-2055 2007-09-07
Foresight FLEA-2007-0052-1 2007-09-06
rPath rPSA-2007-0176-1 2007-09-05
Trustix TSLSA-2007-0024 2007-08-10
Gentoo 200708-05 2007-08-09
Mandriva MDKSA-2007:153 2007-08-03

Comments (none posted)

gd: denial of service

Package(s):gd CVE #(s):CVE-2007-2756
Created:June 14, 2007 Updated:February 28, 2008
Description: Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Slackware SSA:2007-178-01 2007-06-27
SuSE SUSE-SR:2007:013 2007-06-22
Mandriva MDKSA-2007:124 2007-06-13
Mandriva MDKSA-2007:123 2007-06-13
Mandriva MDKSA-2007:122 2007-06-13

Comments (none posted)

gftp: buffer overflows

Package(s):gftp CVE #(s):CVE-2007-3962 CVE-2007-3961
Created:November 2, 2007 Updated:January 22, 2008
Description: Kalle Olavi Niemitalo discovered two boundary errors in fsplib code included in gFTP when processing overly long directory or file names. A remote attacker could trigger these vulnerabilities by enticing a user to download a file with a specially crafted directory or file name, possibly resulting in the execution of arbitrary code (CVE-2007-3962) or a Denial of Service (CVE-2007-3961).
Alerts:
Mandriva MDVSA-2008:018 2007-01-21
Gentoo 200711-01 2007-11-01

Comments (none posted)

gimp: multiple vulnerabilities

Package(s):gimp CVE #(s):CVE-2007-2949
Created:June 28, 2007 Updated:February 27, 2008
Description: The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Red Hat RHSA-2007:0513-01 2007-09-26
Mandriva MDKSA-2007:170 2007-08-23
Slackware SSA:2007-222-01 2007-08-13
Foresight FLEA-2007-0038-1 2007-08-01
Gentoo 200707-09 2007-07-25
Fedora FEDORA-2007-627 2007-07-16
Debian DSA-1335-1 2007-07-18
Fedora FEDORA-2007-1099 2007-07-16
Fedora FEDORA-2007-1044 2007-07-12
rPath rPSA-2007-0138-1 2007-07-11
Ubuntu USN-480-1 2007-07-04
Fedora FEDORA-2007-618 2007-06-27
Fedora FEDORA-2007-619 2007-06-27
Fedora FEDORA-2007-0725 2007-06-27

Comments (none posted)

gnome-screensaver: keyboard lock bypass

Package(s):gnome-screensaver CVE #(s):CVE-2007-3920
Created:October 24, 2007 Updated:June 13, 2008
Description: From the Ubuntu advisory:

Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard lock focus. A local attacker could exploit this to bypass the user's locked screen saver.

Alerts:
SuSE SUSE-SA:2008:027 2008-06-13
Red Hat RHSA-2008:0485-02 2008-05-21
Fedora FEDORA-2008-0956 2008-01-24
Fedora FEDORA-2008-0930 2008-01-24
Ubuntu USN-537-2 2007-11-02
Ubuntu USN-537-1 2007-10-23

Comments (none posted)

openssh: inappropriate use of trusted cookies

Package(s):gnome-ssh-askpass openssh CVE #(s):CVE-2007-4752
Created:September 11, 2007 Updated:August 25, 2008
Description: OpenSSH in versions prior 4.7 could use a trusted X11 cookie if the creation of an untrusted cookie failed.
Alerts:
Red Hat RHSA-2008:0855-01 2008-08-22
Debian DSA-1576-1 2008-05-14
Ubuntu USN-566-1 2008-01-09
Mandriva MDKSA-2007:236 2007-12-04
Gentoo 200711-02 2007-11-01
Fedora FEDORA-2007-715 2007-10-15
Foresight FLEA-2007-0055-1 2007-09-17
Slackware SSA:2007-255-01 2007-09-13
rPath rPSA-2007-0181-1 2007-