LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Web security vulnerabilities and Javascript
Various recent, unrelated security issues seem to have a common thread: Javascript. It is not the fault of the language, exactly, nor of any particular implementation. It is the fundamental nature of how the language is used that often causes it to be "front and center" when security problems are found on the web.
Imagine that your computer reaches out across the net, to an unverified site, over an unencrypted link and grabs code that it executes with little in the way of further inspection. When put that way, it sounds rather dangerous, but that is exactly what browsers do with Javascript code. There are limits to what Javascript is allowed to do—meant to thwart malicious uses—but it has to have some privileges on the local machine in order to be useful.
One of the recent outbreaks is the "random js" attack, which propagates through Javascript served by legitimate websites. It generates a random .js filename for each visitor—which is where the name comes from—inserting a reference to it in a page on the site. It also stores the IP address of the visitor so that it does not repeat the infection multiple times. The payload then tries to exploit a dozen or more Windows vulnerabilities to install malware of various sorts.
The payload is not a problem for Linux users, but the websites hosting the attack are running Apache, many on Linux. The big unresolved question is how the servers were infected. It could be as simple as getting root access via insecure or intercepted root passwords. Or there could be some, as yet unknown, exploit. That certainly bears watching.
Because of the privileges that Javascript has on a local host, it can be used to spread malware, by exploiting the trust that users—those that even concern themselves with such things—have in the website they are visiting. It can also play a role in redirecting traffic away from a trusted site, even though the site itself has not been compromised.
A post by Nat Torkington at O'Reilly illustrates a common problem that content providers need to worry about. O'Reilly's perl.com site carried advertising that required them to load Javascript from the advertiser's site. All was well until the domain expired. A porn site bought it and started providing the required Javascript file with new contents redirecting the users to their site.
A man-in-the-middle or DNS cache poisoning attack could be used for similar results on a smaller scale basis. One can certainly see how it might be used by phishers as well. It is a difficult problem, as website owners need to be able to call out to advertisers' Javascript, but users typically do not expect to run code from a site they did not directly access.
A theoretical attack on home routers has started to show up in the wild. It uses Javascript to exploit a vulnerability in home routers to change the DNS entries for a popular Mexican bank. After that, accesses to the bank would instead go to the malicious website which would collect usernames and passwords, allowing the attacker to access the accounts. Once again, users probably do not expect that surfing to a random site could suddenly expose them to bank account compromise.
There are some things that can be done. For users, if Javascript cannot be disabled entirely—something increasingly difficult in the "Web 2.0" world—it can at least be leashed using NoScript for Firefox.
For website owners, Google's Caja project, seeks to define a subset of Javascript which implements an object-capability language, which would make it easier to sandbox remote code. If this effort succeeds, one can imagine that users could restrict their browsers to only use the Caja subset some day as well.
New vulnerabilities
apt-listchanges: arbitrary code execution
| Package(s): | apt-listchanges | CVE #(s): | CVE-2008-0302 | |||||||||
| Created: | January 17, 2008 | Updated: | January 23, 2008 | |||||||||
| Description: | From the Debian alert: Felipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitrary shell commands if the root user executed the command in a directory which other local users may write to. | |||||||||||
| Alerts: |
| |||||||||||
bind: off-by-one error
| Package(s): | bind | CVE #(s): | CVE-2008-0122 | ||||||||||||
| Created: | January 22, 2008 | Updated: | March 14, 2008 | ||||||||||||
| Description: | Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. | ||||||||||||||
| Alerts: |
| ||||||||||||||
boost: denial of service
| Package(s): | boost | CVE #(s): | CVE-2008-0171 CVE-2008-0172 | |||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | March 14, 2008 | |||||||||||||||||||||
| Description: | From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
flac: arbitrary code execution
| Package(s): | flac | CVE #(s): | CVE-2007-6277 | |||
| Created: | January 21, 2008 | Updated: | January 23, 2008 | |||
| Description: | From the NVD entry: Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619. | |||||
| Alerts: |
| |||||
horde3: remote email deletion
| Package(s): | horde3 | CVE #(s): | CVE-2007-6018 | ||||||||||||||||||||||||
| Created: | January 21, 2008 | Updated: | February 29, 2008 | ||||||||||||||||||||||||
| Description: | From the Debian advisory: Ulf Harnhammer discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
hsqldb: unspecified vulnerability
| Package(s): | hsqldb | CVE #(s): | CVE-2007-4576 | ||||||
| Created: | January 22, 2008 | Updated: | January 23, 2008 | ||||||
| Description: | HSQLDB contains an unspecified vulnerability which should be fixed in version 1.8.0.8. | ||||||||
| Alerts: |
| ||||||||
kernel: local filesystem corruption
| Package(s): | kernel | CVE #(s): | CVE-2008-0001 | ||||||||||||||||||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | March 7, 2008 | ||||||||||||||||||||||||||||||||||||
| Description: | From the mitre.org CVE description: VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
libcdio: arbitrary code execution
| Package(s): | libcdio | CVE #(s): | CVE-2007-6613 | ||||||||||||
| Created: | January 21, 2008 | Updated: | March 7, 2008 | ||||||||||||
| Description: | From the Gentoo advisory: Devon Miller reported a boundary error in the "print_iso9660_recurse()" function in files cd-info.c and iso-info.c when processing long filenames within Joliet images. A remote attacker could entice a user to open a specially crafted ISO image in the cd-info and iso-info applications, resulting in the execution of arbitrary code with the privileges of the user running the application. Applications linking against shared libraries of libcdio are not affected. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mantis: information disclosure
| Package(s): | mantis | CVE #(s): | CVE-2006-6574 | |||
| Created: | January 21, 2008 | Updated: | January 23, 2008 | |||
| Description: | From the NVD entry: Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field. | |||||
| Alerts: |
| |||||
mantis: cross-site scripting
| Package(s): | mantis | CVE #(s): | |||||||
| Created: | January 23, 2008 | Updated: | January 23, 2008 | ||||||
| Description: | The Mantis 1.1.1 release contains a security fix for this bug. | ||||||||
| Alerts: |
| ||||||||
scponly: arbitrary command execution
| Package(s): | scponly | CVE #(s): | CVE-2007-6350 CVE-2007-6415 | ||||||||||||
| Created: | January 22, 2008 | Updated: | February 18, 2008 | ||||||||||||
| Description: | scponly 4.6 and earlier allows remote authenticated users to bypass
intended restrictions and execute code by invoking dangerous subcommands
including (1) unison, (2) rsync, (3) svn, and (4) svnserve, as originally
demonstrated by creating a Subversion (SVN) repository with malicious
hooks, then using svn to trigger execution of those hooks. (CVE-2007-6350)
In addition, it was discovered that it was possible to invoke with scp with certain options that may lead to execution of arbitrary commands. (CVE-2007-6415). | ||||||||||||||
| Alerts: |
| ||||||||||||||
tomcat: information disclosure
| Package(s): | tomcat5.5 | CVE #(s): | CVE-2008-0128 | ||||||
| Created: | January 21, 2008 | Updated: | March 7, 2008 | ||||||
| Description: | From the Debian advisory: Olaf Kock discovered that HTTPS encryption was insufficiently enforced for single-sign-on cookies, which could result in information disclosure. | ||||||||
| Alerts: |
| ||||||||
wireshark: denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2007-3389 | ||||||
| Created: | January 21, 2008 | Updated: | February 27, 2008 | ||||||
| Description: | From the NVD entry: Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload. | ||||||||
| Alerts: |
| ||||||||
wireshark: denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2007-3391 | ||||||
| Created: | January 21, 2008 | Updated: | February 27, 2008 | ||||||
| Description: | From the NVD entry: Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop. | ||||||||
| Alerts: |
| ||||||||
xine-lib: buffer overflows
| Package(s): | xine-lib | CVE #(s): | CVE-2008-0238 | |||||||||||||||
| Created: | January 23, 2008 | Updated: | February 15, 2008 | |||||||||||||||
| Description: | From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Xorg: multiple vulnerabilities
| Package(s): | Xorg | CVE #(s): | CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | March 6, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo | CVE #(s): | CVE-2007-5503 | ||||||||||||||||||||||||||||||
| Created: | November 29, 2007 | Updated: | February 8, 2008 | ||||||||||||||||||||||||||||||
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
MySQL: privilege escalation
| Package(s): | MySQL | CVE #(s): | CVE-2007-3781 CVE-2007-5969 | |||||||||||||||||||||||||||
| Created: | December 11, 2007 | Updated: | February 8, 2008 | |||||||||||||||||||||||||||
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
R: buffer overflows
| Package(s): | R | CVE #(s): | ||||
| Created: | January 10, 2008 | Updated: | January 16, 2008 | |||
| Description: | The R language has a copy of PCRE, that has a number of buffer overflow and memory corruption vulnerabilities. If an attacker creates specially crafted regular expressions, it may be possible to create a denial of service, execute arbitrary code or disclose unauthorized information. | |||||
| Alerts: |
| |||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | |||||||||||||||
| Created: | August 9, 2006 | Updated: | February 5, 2008 | |||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: several vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 15, 2008 | Updated: | March 12, 2008 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
httpd: denial of service, cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CVE-2007-3847 CVE-2007-4465 | |||||||||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | February 15, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
apache2: denial of service
| Package(s): | apache2 | CVE #(s): | CVE-2007-1863 | ||||||
| Created: | November 19, 2007 | Updated: | February 18, 2008 | ||||||
| Description: | From the CVE entry: cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. | ||||||||
| Alerts: |
| ||||||||
asterisk: possible SQL injection
| Package(s): | asterisk | CVE #(s): | CVE-2007-6170 | ||||||
| Created: | December 3, 2007 | Updated: | March 7, 2008 | ||||||
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. | ||||||||
| Alerts: |
| ||||||||
bind: insecure permissions
| Package(s): | bind | CVE #(s): | CVE-2007-6283 | |||||||||
| Created: | December 21, 2007 | Updated: | January 22, 2008 | |||||||||
| Description: | Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named. | |||||||||||
| Alerts: |
| |||||||||||
cacti: SQL injection vulnerability
| Package(s): | cacti | CVE #(s): | CVE-2007-6035 | ||||||||||||||||||||||||
| Created: | November 22, 2007 | Updated: | February 18, 2008 | ||||||||||||||||||||||||
| Description: | Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cacti: denial of service
| Package(s): | cacti | CVE #(s): | CVE-2007-3112 CVE-2007-3113 | ||||||||||||
| Created: | September 18, 2007 | Updated: | February 18, 2008 | ||||||||||||
| Description: | A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2007-4510 CVE-2007-4560 | ||||||||||||||||||
| Created: | September 3, 2007 | Updated: | February 13, 2008 | ||||||||||||||||||
| Description: | Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: mystery vulnerability
| Package(s): | clamav | CVE #(s): | CVE-2007-6337 | |||||||||||||||
| Created: | December 31, 2007 | Updated: | January 22, 2008 | |||||||||||||||
| Description: | Clamav contains "an unspecified vulnerability" associated with the bzip2 decompression code. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
clamav: integer overflow and off-by-one
| Package(s): | clamav | CVE #(s): | CVE-2007-6335 CVE-2007-6336 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | February 13, 2008 | ||||||||||||||||||||||||
| Description: | ClamAV contains integer overflow and off-by-one errors which could be exploited (via specially-crafted email) to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
claws-mail: insecure temp file
| Package(s): | claws-mail | CVE #(s): | CVE-2007-6208 | |||
| Created: | January 10, 2008 | Updated: | January 16, 2008 | |||
| Description: | Claws Mail creates temp files in an insecure manner. This can be used by a local attacker to make a symlink attack, allowing files with the local user's privileges to be overwritten. | |||||
| Alerts: |
| |||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cups: buffer overflow
| Package(s): | cups | CVE #(s): | CVE-2007-5848 | ||||||||||||
| Created: | January 7, 2008 | Updated: | February 27, 2008 | ||||||||||||
| Description: | From the CVE entry: Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service. From the rPath advisory: Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 | |||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | February 26, 2008 | |||||||||||||||||||||
| Description: | The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | |||||||
| Created: | January 14, 2008 | Updated: | January 16, 2008 | ||||||
| Description: | From the Fedora advisory: Update to 5.6, security fixes: DRUPAL-SA-2008-005 DRUPAL-SA-2008-006 DRUPAL-SA-2008-007see http://drupal.org/security for more information. | ||||||||
| Alerts: |
| ||||||||
e2fsprogs: integer overflows
| Package(s): | e2fsprogs | CVE #(s): | CVE-2007-5497 | |||||||||||||||||||||||||||
| Created: | December 7, 2007 | Updated: | February 12, 2008 | |||||||||||||||||||||||||||
| Description: | Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
emacs: buffer overflow
| Package(s): | emacs | CVE #(s): | CVE-2007-6109 | |||||||||
| Created: | December 10, 2007 | Updated: | February 8, 2008 | |||||||||
| Description: | From the National Vulnerability Database: Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. | |||||||||||
| Alerts: |
| |||||||||||
emacs: command execution via local variables
| Package(s): | emacs | CVE #(s): | CVE-2007-5795 | |||||||||||||||
| Created: | November 14, 2007 | Updated: | February 5, 2008 | |||||||||||||||
| Description: | From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
exiftags: multiple vulnerabilities
| Package(s): | exiftags | CVE #(s): | CVE-2007-6354 CVE-2007-6355 CVE-2007-6356 | |||||||||
| Created: | December 31, 2007 | Updated: | April 1, 2008 | |||||||||
| Description: | From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). | |||||||||||
| Alerts: |
| |||||||||||
exiv2: integer overflow
| Package(s): | exiv2 | CVE #(s): | CVE-2007-6353 | ||||||||||||||||||
| Created: | December 21, 2007 | Updated: | January 24, 2008 | ||||||||||||||||||
| Description: | Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
fail2ban: denial of service
| Package(s): | fail2ban | CVE #(s): | CVE-2007-4321 | |||
| Created: | January 10, 2008 | Updated: | January 16, 2008 | |||
| Description: | From the Debian alert: Daniel B. Cid discovered that fail2ban, a tool to block IP addresses that cause login failures, is too liberal about parsing SSH log files, allowing an attacker to block any IP address. | |||||
| Alerts: |
| |||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-3844 CVE-2007-3845 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | February 20, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey | CVE #(s): | CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | November 27, 2007 | Updated: | March 3, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959) A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 18, 2007 | Updated: | March 31, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flac: arbitrary code execution
| Package(s): | flac |