LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
The backdooring of SquirrelMail
SquirrelMail advertises itself as "webmail for nuts." It is a PHP-based package which is in wide use; most distributions include a SquirrelMail package. Security problems in SquirrelMail are certainly not unheard-of; even so, the announcement that the source distribution for version 1.4.12 had been compromised raised some eyebrows. Initially the project downplayed the problem:
It only took one day, though, before Uwe Schindler pointed out that, in fact, the changes made to the source opened a remote-execution back door into deployed SquirrelMail systems. Somewhere along the way, the project discovered that the 1.4.11 release had also been tampered with. The SquirrelMail developers released version 1.4.13 to close the vulnerabilities.
There have not been any public reports of systems being compromised by way of this vulnerability. Additionally, it would appear that all of the distributors which shipped the affected versions got their version of the code prior to the attack. So the episode would appear to have ended reasonably well - as far as we know. There are some lessons that one can take from this attack, though.
The downplaying of the problem initially was a potentially fatal mistake. If somebody has been tampering with the sources, there is no excuse not to go into red-alert mode immediately, even if the developers involved do not understand the attack. When a project has been compromised at such a fundamental level, one must assume the worst.
The compromise was discovered after a user noticed that the tarballs on the download site did not match the posted MD5 checksums. Your editor suspects that very few of us actually verify checksums in the packages they take from the net. Doing so more often would be a good exercise in software hygiene for all of us.
That said, the project got lucky this time around. A smarter attacker would have replaced the checksums after adding the back door, making the changes harder to detect. Longer-term, the increasing doubts about the security of MD5 suggest that relying on it to detect changes to tarballs might not be entirely safe. Far better to use public-key signatures; they should have a longer shelf life, and, if the keys are managed properly, they are impossible to replace. It seems that the project has posted GPG signatures for 1.4.13, though the Wayback Machine suggests that this is a recent practice. Your editor was unable to find the public key needed to verify the signatures.
The modifications to the tarballs were done using a compromised developer's account. The specific changes made were not put into the SquirrelMail source repository. The project has said nothing, though, about what has been done to ensure that no other changes were made there. Some sort of statement from the project along these lines would be most reassuring to SquirrelMail's users.
Perhaps the most encouraging conclusion, though, is this: there have been several attempts to compromise source distributions over the years. Many of them have succeeded in getting bad code into high-profile packages. But none of these attacks - so far as we know - have escaped detection for any significant period of time, and none of them have led to any sort of wide-scale exploit. As a whole, we would appear to be reasonably resistant to this kind of attack, even when the front-line defenses fail. With luck, and continued vigilance, that trend will continue. Both will be required, though: there is no doubt that the attackers will keep trying.
Security news
'You've Got Cross-Site Scripting' (Dark Reading)
Dark Reading reports on a new email alert service for cross-site scripting bugs. "So XSSed.com, a site dedicated to archiving publicly disclosed XSS bugs, is now offering a free email alert service that notifies you as soon as an XSS vulnerability affecting your Website gets indexed to its archive. XSSed claims to have the industry's largest XSS archive, with over 17,000 disclosed vulnerabilities as of this posting."
New vulnerabilities
clamav: integer overflow and off-by-one
| Package(s): | clamav | CVE #(s): | CVE-2007-6335 CVE-2007-6336 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | February 13, 2008 | ||||||||||||||||||||||||
| Description: | ClamAV contains integer overflow and off-by-one errors which could be exploited (via specially-crafted email) to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
flash-plugin: lots of problems
| Package(s): | flash-plugin | CVE #(s): | CVE-2007-5275 CVE-2007-4324 CVE-2007-4768 CVE-2007-6242 CVE-2007-6243 CVE-2007-6244 CVE-2007-6245 CVE-2007-6246 | ||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | A vast number of vulnerabilities exists in the proprietary Flash plugin for Firefox. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
IRC Services: denial of service
| Package(s): | ircservices | CVE #(s): | CVE-2007-6122 | |||
| Created: | December 14, 2007 | Updated: | December 19, 2007 | |||
| Description: | loverboy reported that the "default_encrypt()" function in file encrypt.c does not properly handle overly long passwords. A remote attacker could provide an overly long password to the vulnerable server, resulting in a denial of service. | |||||
| Alerts: |
| |||||
kdebase: denial of service
| Package(s): | kdebase | CVE #(s): | CVE-2007-5963 | |||
| Created: | December 18, 2007 | Updated: | December 19, 2007 | |||
| Description: | The kdebase package is vulnerable to a denial of service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits. | |||||
| Alerts: |
| |||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2007-5966 | |||||||||||||||
| Created: | December 19, 2007 | Updated: | June 13, 2008 | |||||||||||||||
| Description: | A bug in high-resolution timers (prior to kernel 2.6.22.15) can cause very long sleeps when large timeout values are used. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
libexif: integer overflow
| Package(s): | libexif | CVE #(s): | CVE-2007-6352 | |||||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | February 11, 2008 | |||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image tags. If a victim opens a carefully crafted Exif image file, it could cause the application linked against libexif to execute arbitrary code, or crash. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
libexif: denial of service
| Package(s): | libexif | CVE #(s): | CVE-2007-6351 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | February 11, 2008 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image tags. If a victim opens a carefully crafted Exif image file, it could cause the application linked against libexif to crash. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libgd2: buffer overflow
| Package(s): | libgd2 | CVE #(s): | CVE-2007-3996 | ||||||||||||
| Created: | December 19, 2007 | Updated: | January 29, 2008 | ||||||||||||
| Description: | The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mysql: privilege escalation
| Package(s): | mysql | CVE #(s): | CVE-2007-6303 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 7, 2008 | ||||||||||||||||||||||||
| Description: | From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
portage: information disclosure
| Package(s): | portage | CVE #(s): | CVE-2007-6249 | |||
| Created: | December 14, 2007 | Updated: | December 19, 2007 | |||
| Description: | Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup. A local attacker could access sensitive information when configuration files are being merged. | |||||
| Alerts: |
| |||||
squid: denial of service
| Package(s): | squid | CVE #(s): | CVE-2007-6239 | ||||||||||||||||||||||||||||||
| Created: | December 18, 2007 | Updated: | April 15, 2008 | ||||||||||||||||||||||||||||||
| Description: | A flaw was found in the way squid stored HTTP headers for cached objects in system memory. An attacker could cause squid to use additional memory, and trigger high CPU usage when processing requests for certain cached objects, possibly leading to a denial of service. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
wpa_supplicant: stack-based buffer overflow
| Package(s): | wpa_supplicant | CVE #(s): | CVE-2007-6025 | |||
| Created: | December 14, 2007 | Updated: | December 19, 2007 | |||
| Description: | A stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 allows remote attackers to cause a denial of service (crash) via crafted TSF data. | |||||
| Alerts: |
| |||||
Xfce: buffer overflows
| Package(s): | xfce4 | CVE #(s): | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | December 19, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Xfce desktop contains a number of buffer overflow vulnerabilities; they have been fixed in the 4.4.2 release. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo | CVE #(s): | CVE-2007-5503 | |||||||||||||||||||||||||||||||||
| Created: | November 29, 2007 | Updated: | April 10, 2008 | |||||||||||||||||||||||||||||||||
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
Django: denial of service
| Package(s): | Django | CVE #(s): | CVE-2007-5712 | ||||||
| Created: | November 12, 2007 | Updated: | May 21, 2008 | ||||||
| Description: | From the CVE notice: The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers. | ||||||||
| Alerts: |
| ||||||||
MySQL: privilege escalation
| Package(s): | MySQL | CVE #(s): | CVE-2007-3781 CVE-2007-5969 | |||||||||||||||||||||||||||||||||
| Created: | December 11, 2007 | Updated: | May 21, 2008 | |||||||||||||||||||||||||||||||||
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
httpd: denial of service, cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CVE-2007-3847 CVE-2007-4465 | |||||||||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | February 15, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
apache2: denial of service
| Package(s): | apache2 | CVE #(s): | CVE-2007-1863 | ||||||
| Created: | November 19, 2007 | Updated: | February 18, 2008 | ||||||
| Description: | From the CVE entry: cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. | ||||||||
| Alerts: |
| ||||||||
asterisk: possible SQL injection
| Package(s): | asterisk | CVE #(s): | CVE-2007-6170 | |||||||||
| Created: | December 3, 2007 | Updated: | April 15, 2008 | |||||||||
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. | |||||||||||
| Alerts: |
| |||||||||||
autofs: insecure default configuration
| Package(s): | autofs | CVE #(s): | CVE-2007-5964 | ||||||||||||||||||||||||
| Created: | December 12, 2007 | Updated: | January 14, 2008 | ||||||||||||||||||||||||
| Description: | Versions of the autofs automounter daemon as shipped by Red Hat (and possibly other distributors) are installed with an insecure configuration; in particular, the "hosts" map lacks the "nosuid" option, allowing an attacker who has control over an NFS server to run setuid programs on vulnerable systems. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cacti: SQL injection vulnerability
| Package(s): | cacti | CVE #(s): | CVE-2007-6035 | ||||||||||||||||||||||||
| Created: | November 22, 2007 | Updated: | February 18, 2008 | ||||||||||||||||||||||||
| Description: | Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cacti: denial of service
| Package(s): | cacti | CVE #(s): | CVE-2007-3112 CVE-2007-3113 | ||||||||||||
| Created: | September 18, 2007 | Updated: | February 18, 2008 | ||||||||||||
| Description: | A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters. | ||||||||||||||
| Alerts: |
| ||||||||||||||
centericq: buffer overflows
| Package(s): | centericq | CVE #(s): | CVE-2007-3713 | |||||||||
| Created: | July 20, 2007 | Updated: | December 17, 2007 | |||||||||
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160. | |||||||||||
| Alerts: |
| |||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2007-4510 CVE-2007-4560 | ||||||||||||||||||
| Created: | September 3, 2007 | Updated: | February 13, 2008 | ||||||||||||||||||
| Description: | Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
dovecot: privilege escalation
| Package(s): | dovecot | CVE #(s): | CVE-2007-4211 | |||||||||
| Created: | August 15, 2007 | Updated: | May 21, 2008 | |||||||||
| Description: | From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions." | |||||||||||
| Alerts: |
| |||||||||||
dovecot: directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2007-2231 | ||||||||||||
| Created: | May 8, 2007 | Updated: | May 21, 2008 | ||||||||||||
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||||||||||||||
| Alerts: |
| ||||||||||||||
e2fsprogs: integer overflows
| Package(s): | e2fsprogs | CVE #(s): | CVE-2007-5497 | |||||||||||||||||||||||||||
| Created: | December 7, 2007 | Updated: | February 12, 2008 | |||||||||||||||||||||||||||
| Description: | Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
eggdrop: stack-based buffer overflow
| Package(s): | eggdrop | CVE #(s): | CVE-2007-2807 | |||||||||||||||
| Created: | September 7, 2007 | Updated: | January 7, 2008 | |||||||||||||||
| Description: | A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
emacs: buffer overflow
| Package(s): | emacs | CVE #(s): | CVE-2007-6109 | ||||||||||||
| Created: | December 10, 2007 | Updated: | May 6, 2008 | ||||||||||||
| Description: | From the National Vulnerability Database: Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. | ||||||||||||||
| Alerts: |
| ||||||||||||||
emacs: command execution via local variables
| Package(s): | emacs | CVE #(s): | CVE-2007-5795 | |||||||||||||||
| Created: | November 14, 2007 | Updated: | February 5, 2008 | |||||||||||||||
| Description: | From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
emul-linux-x86-qtlibs: arbitrary code execution
| Package(s): | emul-linux-x86-qtlibs | CVE #(s): | ||||
| Created: | December 10, 2007 | Updated: | December 12, 2007 | |||
| Description: | From the Gentoo advisory: An attacker could trigger one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to the execution of arbitrary code with the privileges of the user running the application. | |||||
| Alerts: |
| |||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
firebird: arbitrary code execution
| Package(s): | firebird | CVE #(s): | CVE-2007-4992 CVE-2007-5246 | |||
| Created: | December 10, 2007 | Updated: | December 12, 2007 | |||
| Description: | From the Gentoo advisory: Adriano Lima and Ramon de Carvalho Valle reported that functions isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input. A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the execution of arbitrary code with the privileges of the user running Firebird (usually firebird). | |||||
| Alerts: |
| |||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-3844 CVE-2007-3845 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | February 20, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey | CVE #(s): | CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | November 27, 2007 | Updated: | March 3, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959) A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 18, 2007 | Updated: | May 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flac: arbitrary code execution
| Package(s): | flac | CVE #(s): | CVE-2007-4619 | |
| Created: | October 22, 2007 | Updated: | January 21, 2008 | |
| Description: | From the Red Hat advisory:
A security flaw was found in the way flac processed audio data. An attacker could create a carefully crafted FLAC audio file in such a way that it could cause an application linked with flac libraries to crash or execute arbitrary code when it was opened. (CVE-2007-4619) | |||
| Alerts: |
| |||