LWN.net Logo

Security

Eee PC security or lack thereof

By Jake Edge
February 13, 2008

The Eee PC has garnered a lot of press for its small form factor, low weight, and solid-state disk, but it has also made a poor showing with security researchers. RISE Security released a report on the security of the Eee last week, showing that it can be subverted ("rooted") right out of the box from ASUS. Unfortunately, it is even worse than that as, even after updating an Eee using the standard mechanism, the hole is not patched.

The vulnerability identified by RISE is in the Samba daemon (smbd), version 3.0.24, which is installed and runs on stock Eee PCs. The vulnerability, CVE-2007-2446 was identified and patched last May, so the Eee is shipping with a version of Samba known to be vulnerable to an arbitrary code execution flaw for nine months or so. In itself, that is not completely surprising.

When hardware vendors install a distribution—or commercial OS like Windows—they tend to install the latest released version, which is likely to be out of date with respect to security issues. A vendor installing Fedora 8 or Debian etch today will be behind on countless security updates. But, unlike the Samba problem discovered on the Eee, updates do exist in the standard places. If the new user updates their system immediately, there is a fairly small window of vulnerability.

Unfortunately for Eee owners, the modified Xandros distribution that comes with it does not yet have an update for Samba. This leaves all Eee PCs vulnerable to being rooted by anyone on the same network. Since the Eee is meant as a mobile device, it likely spends a lot of its time connected to various public networks, especially wireless networks. The Eee makes an interesting target for attackers because it very well might have authentication information for banks or brokerages as well as other private or confidential files.

Some have seriously downplayed the threat but it is clear they don't understand it:

The root attack performed was relatively easy to do, if you like command lines. Maybe Asus or Xandros could work on a patch for this. It almost makes one wonder how many other exploits are lying under the surface just waiting to be found. But, it's not like this actually puts you in danger, just how many hackers are going to be looking for the Asus EeePC or even Xandros based system online and attack them? Probably not many.

Sales of the Eee last year was around 300,000 units; large enough to be an attractive target for the malicious. Because there is not an update to close the hole, Eee users have to rely on other means to protect themselves. This eeeuser.com comment thread provides some of the better advice for dealing with the problem. Removing the Samba package seems to be the simplest, but fairly heavy handed, way to avoid the hole—but many folks need a working Samba. There is no way to disable Samba from the Eee GUI which is the way most owners plan to interact with the machine. This whole incident makes it seem like ASUS (and perhaps Xandros) are not terribly interested in the security of the machines that they sell.

There is a larger issue here. When the normal means of getting security patches comes from the same medium that is also the biggest security threat, there will always be windows of vulnerability. Even if hardware vendors diligently update the distribution they install, there is still some shelf-life and shipping time where security updates can be released. Various studies have shown that there may not be enough time to download patches before an unpatched system succumbs to an attack.

It is a difficult problem to solve completely. Any solution must be very straightforward and consistent so that unsophisticated users can be trained to do it as a matter of course. News about security issues needs to get more widespread attention as well, so that those same users know when the procedure needs to be followed. Firewalls and other network protections only go so far if the machine needs to reach out to the internet to pick up its updates.

If distributions provided some kind of blob (tar file, .deb, .rpm, etc.) that contained all of the security updates since the release, users could grab that from a different (presumably patched or not vulnerable) machine, put it on a USB stick or some other removable media and get it to the new machine. A utility provided by the distribution could then process that blob to apply all the relevant patches—all while the vulnerable machine stayed off the net. As the world domination plan continues, threats against Linux will become more commonplace; we need to try and ensure that users, especially the unsophisticated ones, can be secure in their choice of Linux.

Comments (22 posted)

Security news

Multi-threaded OpenSSH

The folks at the Pittsburgh Supercomputing Center have posted a special version of OpenSSH aimed at high-bandwidth applications. "This cipher mode introduces multi-threading into the OpenSSH application in order to allow it to make full use of CPU resources available on multi-core systems. As the canonical distribution of OpenSSH is unable to make use of more than one core, high performance transfers can be bottlenecked by the cryptographic overhead." It's worth noting that the OpenSSH developers fear the security implications of multi-threading the program and seem uninclined to incorporate this work.

Comments (23 posted)

New vulnerabilities

clamav: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2008-0318
Created:February 13, 2008 Updated:April 18, 2008
Description:

From the CVE:

Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13
Debian DSA-1497-1 2008-02-16
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2007-04-17

Comments (1 posted)

Doomsday: multiple vulnerabilities

Package(s):Doomsday CVE #(s):CVE-2007-4642 CVE-2007-4643 CVE-2007-4644
Created:February 7, 2008 Updated:February 13, 2008
Description: From the Gentoo alert:

Luigi Auriemma discovered multiple buffer overflows in the D_NetPlayerEvent() function, the Msg_Write() function and the NetSv_ReadCommands() function. He also discovered errors when handling chat messages that are not NULL-terminated (CVE-2007-4642) or contain a short data length, triggering an integer underflow (CVE-2007-4643). Furthermore a format string vulnerability was discovered in the Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages (CVE-2007-4644).

This vulnerability can be used for the execution of arbitrary code or to create a denial of service.

Alerts:
Gentoo 200802-02 2008-02-06

Comments (none posted)

duplicity: password disclosure

Package(s):duplicity CVE #(s):CVE-2007-5201
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the CVE:

The FTP backend for Duplicity sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.

Alerts:
Fedora FEDORA-2008-1584 2008-02-13
Fedora FEDORA-2008-1521 2008-02-13

Comments (1 posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey thunderbird CVE #(s):CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593
Created:February 8, 2008 Updated:April 2, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)

A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)

Alerts:
Red Hat RHSA-2008:0103-01 2008-02-07
Red Hat RHSA-2008:0104-01 2008-02-07
Red Hat RHSA-2008:0105-01 2008-02-07
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
rPath rPSA-2008-0093-1 2008-02-29
Slackware SSA:2008-061-01 2008-03-03
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Mandriva MDVSA-2008:062 2007-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Fedora FEDORA-2008-2812 2008-04-01
Fedora FEDORA-2008-2830 2008-04-01

Comments (2 posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created:February 8, 2008 Updated:March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)

Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)

Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)

Alerts:
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Ubuntu USN-592-1 2008-03-26

Comments (none posted)

glib2: buffer overflow

Package(s):glib2 CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the Fedora advisory:

PCRE 7.6 fixed following bug: A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow. The GLib release 2.14.6 updates the included copy of PCRE to version 7.6.

Alerts:
Fedora FEDORA-2008-1533 2008-02-13

Comments (none posted)

gnumeric: arbitrary code execution

Package(s):gnumeric CVE #(s):CVE-2008-0668
Created:February 13, 2008 Updated:April 22, 2008
Description:

From the CVE:

The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.

Alerts:
Gentoo 200802-05 2008-02-12
Mandriva MDVSA-2008:056 2007-02-28
Debian DSA-1546-1 2008-04-10
Ubuntu USN-604-1 2008-04-22

Comments (none posted)

gnumeric: integer overflow and signedness errors

Package(s):gnumeric CVE #(s):
Created:February 8, 2008 Updated:February 13, 2008
Description: Gnumeric has an integer overflow and signedness errors in the XLS processing, with unknown consequences.
Alerts:
Fedora FEDORA-2008-1313 2008-02-05
Fedora FEDORA-2008-1403 2008-02-05

Comments (none posted)

java: multiple vulnerabilities

Package(s):java-1.5.0-sun CVE #(s):CVE-2008-0657
Created:February 12, 2008 Updated:April 25, 2008
Description: Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Alerts:
Red Hat RHSA-2008:0123-01 2008-02-12
Red Hat RHSA-2008:0156-02 2008-03-05
Red Hat RHSA-2008:0210-01 2008-04-03
Gentoo 200804-20 2008-04-17
SuSE SUSE-SA:2008:025 2008-04-25

Comments (none posted)

kernel: insufficient range checks

Package(s):kernel CVE #(s):CVE-2008-0007
Created:February 8, 2008 Updated:May 9, 2008
Description: From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
Alerts:
SuSE SUSE-SA:2008:006 2008-02-07
rPath rPSA-2008-0048-1 2008-02-08
Mandriva MDVSA-2008:044 2008-02-12
Debian DSA-1503 2008-02-22
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06
Mandriva MDVSA-2008:072 2008-03-20
SuSE SUSE-SA:2008:017 2008-03-28
Debian DSA-1565-1 2008-05-01
Red Hat RHSA-2008:0211-01 2008-05-07
Red Hat RHSA-2008:0237-01 2008-05-07
Red Hat RHSA-2008:0233-01 2008-05-07
CentOS CESA-2008:0211 2008-05-07
CentOS CESA-2008:0233 2008-05-09

Comments (none posted)

kernel: local root privilege escalation

Package(s):linux-2.6 CVE #(s):CVE-2008-0010 CVE-2008-0600
Created:February 11, 2008 Updated:March 7, 2008
Description:

From the Debian advisory:

The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600).

Alerts:
Debian DSA-1494-1 2008-02-11
Fedora FEDORA-2008-1422 2008-02-11
Fedora FEDORA-2008-1423 2008-02-11
Mandriva MDVSA-2008:043 2007-02-11
Mandriva MDVSA-2008:044 2008-02-12
SuSE SUSE-SA:2008:007 2008-02-12
Debian DSA-1494-2 2008-02-12
Fedora FEDORA-2008-1629 2008-02-13
Fedora FEDORA-2008-1433 2008-02-13
Red Hat RHSA-2008:0129-01 2008-02-12
rPath rPSA-2008-0052-1 2008-02-12
Slackware SSA:2008-042-01 2008-02-13
Ubuntu USN-577-1 2008-02-12
SuSE SUSE-SA:2008:013 2008-03-06

Comments (1 posted)

kernel: memory access violation

Package(s):linux-2.6 CVE #(s):CVE-2008-0163
Created:February 11, 2008 Updated:February 13, 2008
Description:

From the Debian advisory:

In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163).

Alerts:
Debian DSA-1494-1 2008-02-11
Debian DSA-1494-2 2008-02-12
Slackware SSA:2008-042-01 2008-02-13

Comments (none posted)

mailman: cross-site scripting

Package(s):mailman CVE #(s):CVE-2008-0564
Created:February 13, 2008 Updated:March 17, 2008
Description:

From the Red Hat bugzilla entry:

Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.

Alerts:
Fedora FEDORA-2008-1356 2008-02-13
Fedora FEDORA-2008-1334 2008-02-13
rPath rPSA-2008-0056-1 2008-02-15
Mandriva MDVSA-2008:061 2007-03-06
Ubuntu USN-586-1 2008-03-15

Comments (none posted)

moin: file overwrite via crafted cookie

Package(s):moin CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the Fedora advisory:

It was discovered that moin allowed to overwrite arbitrary files writable by the user running moin using a crafted cookie with certain user IDs via a directory traversal flaw. This updated package fixes this issue.

Alerts:
Fedora FEDORA-2008-1562 2008-02-13
Fedora FEDORA-2008-1486 2008-02-13

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
  Upgraded to firefox-2.0.0.12.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
  Upgraded to seamonkey-1.1.8.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
+--------------------------+
Alerts:
Slackware SSA:2008-043-01 2008-02-13

Comments (none posted)

mplayer: multiple vulnerabilities

Package(s):mplayer CVE #(s):CVE-2008-0485 CVE-2008-0486 CVE-2008-0629 CVE-2008-0630
Created:February 13, 2008 Updated:April 1, 2008
Description:

From the Debian advisory:

Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0485: Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files.

CVE-2008-0486: Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing.

CVE-2008-0629: Adam Bozanich discovered a buffer overflow in the CDDB access code.

CVE-2008-0630: Adam Bozanich discovered a buffer overflow in URL parsing.

Alerts:
Debian DSA-1496-1 2008-02-12
Fedora FEDORA-2008-1581 2008-02-13
Fedora FEDORA-2008-1543 2008-02-13
Mandriva MDVSA-2008:045 2007-02-14
Mandriva MDVSA-2008:046 2007-02-15
Mandriva MDVSA-2008:046-1 2007-02-20
Gentoo 200802-12 2008-02-26
Gentoo 200803-16 2008-03-10
SuSE SUSE-SR:2008:006 2008-03-14
Debian DSA-1536-1 2008-03-31

Comments (none posted)

netpbm: buffer overflow

Package(s):netpbm CVE #(s):CVE-2008-0554
Created:February 8, 2008 Updated:March 17, 2008
Description: From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Alerts:
Mandriva MDVSA-2008:039 2008-02-07
Debian DSA-1493-1 2008-02-10
Red Hat RHSA-2008:0131-01 2008-02-28

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2007-6698
Created:February 8, 2008 Updated:April 25, 2008
Description: From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36, allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.
Alerts:
Fedora FEDORA-2008-1307 2008-02-05
rPath rPSA-2008-0059-1 2008-02-12
Fedora FEDORA-2008-1616 2008-02-13
Red Hat RHSA-2008:0110-01 2008-02-21
Mandriva MDVSA-2008:058 2007-03-05
Ubuntu USN-584-1 2008-03-05
Debian DSA-1541-1 2008-04-08
SuSE SUSE-SR:2008:010 2008-04-25

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2008-0658
Created:February 13, 2008 Updated:April 25, 2008
Description:

From the rPath advisory:

Previous versions of the openldap package are vulnerable to a Denial of Service attack in which authenticated users can crash the slapd server.

Alerts:
rPath rPSA-2008-0059-1 2008-02-12
Fedora FEDORA-2008-1616 2008-02-13
Fedora FEDORA-2008-1568 2008-02-13
Red Hat RHSA-2008:0110-01 2008-02-21
Mandriva MDVSA-2008:058 2007-03-05
Ubuntu USN-584-1 2008-03-05
Gentoo 200803-28 2008-03-19
Debian DSA-1541-1 2008-04-08
SuSE SUSE-SR:2008:010 2008-04-25

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2006-4758 CVE-2006-6839 CVE-2006-6840 CVE-2006-6508 CVE-2006-6841 CVE-2008-0471
Created:February 11, 2008 Updated:February 13, 2008
Description:

From the Debian advisory:

CVE-2008-0471: Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page.

CVE-2006-6841 / CVE-2006-6508: Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only)

CVE-2006-6840: A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only)

CVE-2006-6839: Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only)

CVE-2006-4758: An authenticated forum administrator may upload files of any type by using specially crafted filenames. (Applies to sarge only)

Alerts:
Debian DSA-1488-1 2008-02-09

Comments (none posted)

SDL_image: buffer overflows

Package(s):SDL_image CVE #(s):CVE-2007-6697 CVE-2008-0544
Created:February 8, 2008 Updated:March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Alerts:
Mandriva MDVSA-2008:040 2007-02-07
Debian DSA-1493-1 2008-02-10
rPath rPSA-2008-0061-1 2008-02-13
Debian DSA-1493-2 2008-03-16
Ubuntu USN-595-1 2008-03-26

Comments (none posted)

tk: buffer overflow

Package(s):tk CVE #(s):CVE-2008-0553
Created:February 8, 2008 Updated:April 4, 2008
Description: From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
Alerts:
Mandriva MDVSA-2008:041 2007-02-07
Fedora FEDORA-2008-1323 2008-02-05
Fedora FEDORA-2008-1384 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
Fedora FEDORA-2008-1122 2008-02-05
Debian DSA-1490-1 2008-02-10
Debian DSA-1491-1 2008-02-10
rPath rPSA-2008-0054-1 2008-02-12
Red Hat RHSA-2008:0134-01 2008-02-21
Red Hat RHSA-2008:0135-01 2008-02-21
Red Hat RHSA-2008:0136-01 2008-02-21
Red Hat RHSA-2008:0135-02 2008-02-22
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

tomcat: multiple vulnerabilities

Package(s):tomcat5 CVE #(s):CVE-2007-5342 CVE-2007-5333 CVE-2007-6286 CVE-2007-1355 CVE-2007-1358 CVE-2008-0002
Created:February 13, 2008 Updated:April 28, 2008
Description: Refer to the CVE entries for more information.
Alerts:
Fedora FEDORA-2008-1467 2008-02-13
Fedora FEDORA-2008-1603 2008-02-13
Red Hat RHSA-2008:0042-01 2008-03-11
Gentoo 200804-10 2008-04-10
Red Hat RHSA-2008:0195-01 2008-04-28

Comments (none posted)

wml: multiple file overwrite vulnerabilities

Package(s):wml CVE #(s):CVE-2008-0665 CVE-2008-0666
Created:February 11, 2008 Updated:April 28, 2008
Description:

From the Debian advisory:

Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to local denial of service by overwriting files.

Alerts:
Debian DSA-1492-1 2008-02-10
Gentoo 200803-23 2008-03-15
Mandriva MDVSA-2008:076 2007-03-26
Debian DSA-1492-2 2008-04-27

Comments (none posted)

wordpress: remote editing via unknown vectors

Package(s):wordpress CVE #(s):CVE-2008-0664
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the CVE:

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

Alerts:
Fedora FEDORA-2008-1512 2008-02-13
Fedora FEDORA-2008-1559 2008-02-13

Comments (none posted)

Updated vulnerabilities

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Red Hat RHSA-2007:1078-02 2007-11-29
Slackware SSA:2007-337-01 2007-12-04
Ubuntu USN-550-1 2007-12-03
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-2 2007-12-10
Ubuntu USN-550-3 2007-12-13
rPath rPSA-2008-0015-1 2008-01-15
Fedora FEDORA-2007-3818 2008-01-16
Mandriva MDVSA-2008:019 2007-01-21
SuSE SUSE-SR:2008:003 2008-02-07
Debian DSA-1542-1 2008-04-09

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:April 7, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Mandriva MDKSA-2007:243 2007-12-10
Red Hat RHSA-2007:1155-01 2007-12-18
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1157-01 2007-12-19
Ubuntu USN-559-1 2007-12-21
Debian DSA-1451-1 2008-01-06
rPath rPSA-2008-0018-1 2008-01-17
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo 200804-04 2008-04-06

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26
SuSE SUSE-SA:2007:045 2007-07-18
Red Hat RHSA-2007:0817-01 2007-08-06
Red Hat RHSA-2007:1086-01 2007-12-12
Gentoo 200804-20 2008-04-17

Comments (none posted)

Xorg: multiple vulnerabilities

Package(s):Xorg CVE #(s):CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006
Created:January 17, 2008 Updated:April 4, 2008
Description: From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Alerts:
SuSE SUSE-SA:2008:003 2008-01-17
Debian DSA-1466-1 2008-01-17
Red Hat RHSA-2008:0030-01 2008-01-17
Red Hat RHSA-2008:0031-01 2008-01-17
Red Hat RHSA-2008:0064-01 2008-01-17
Red Hat RHSA-2008:0029-01 2008-01-18
Ubuntu USN-571-1 2008-01-18
Debian DSA-1466-2 2008-01-19
Gentoo 200801-09 2008-01-20
Ubuntu USN-571-2 2008-01-19
Debian DSA-1466-3 2008-01-21
Fedora FEDORA-2008-0760 2008-01-22
Fedora FEDORA-2008-0794 2008-01-22
Fedora FEDORA-2008-0831 2008-01-22
Fedora FEDORA-2008-0891 2008-01-22
Mandriva MDVSA-2008:021 2008-01-23
Mandriva MDVSA-2008:022 2008-01-23
Mandriva MDVSA-2008:023 2007-01-23
Mandriva MDVSA-2008:024 2007-01-23
Mandriva MDVSA-2008:025 2007-01-23
rPath rPSA-2008-0032-1 2008-01-30
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo GLSA 200801-09:03 2008-01-20
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Mandriva MDKSA-2007:127 2007-06-19
Fedora FEDORA-2007-0704 2007-06-26
Fedora FEDORA-2008-1711 2008-02-15

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Red Hat RHSA-2007:0532-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0556-01 2007-06-26
rPath rPSA-2007-0136-1 2007-06-27
Fedora FEDORA-2007-617 2007-07-02
Mandriva MDKSA-2007:140 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:142 2007-07-04
Fedora FEDORA-2007-615 2007-07-12
Red Hat RHSA-2007:0557-01 2007-07-13
Red Hat RHSA-2007:0662-01 2007-07-13
Ubuntu USN-499-1 2007-08-16
rPath rPSA-2007-0182-1 2007-09-14
Fedora FEDORA-2007-2214 2007-09-18
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2008-1711 2008-02-15

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2005-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2008:021 2008-04-04

Comments (none posted)

apache: several vulnerabilities

Package(s):apache CVE #(s):CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
Created:January 15, 2008 Updated:April 4, 2008
Description: A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)

Alerts:
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0007-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Mandriva MDVSA-2008:014 2008-01-16
Mandriva MDVSA-2008:015 2008-01-16
Mandriva MDVSA-2008:016 2007-01-16
Red Hat RHSA-2008:0009-01 2008-01-21
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-01 2008-02-15
Slackware SSA:2008-045-02 2008-02-15
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2008-1695 2008-02-15
Gentoo 200803-19 2008-03-11
SuSE SUSE-SA:2008:021 2008-04-04

Comments (1 posted)

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

Alerts:
Fedora FEDORA-2007-707 2007-09-24
Red Hat RHSA-2007:0911-01 2007-10-25
Red Hat RHSA-2007:0746-04 2007-11-07
Gentoo 200711-06 2007-11-07
Red Hat RHSA-2007:0747-02 2007-11-15
SuSE SUSE-SA:2007:061 2007-11-19
Mandriva MDKSA-2007:235 2007-12-03
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-02 2008-02-15

Comments (none posted)

apache2: denial of service

Package(s):apache2 CVE #(s):CVE-2007-1863
Created:November 19, 2007 Updated:February 18, 2008
Description:

From the CVE entry:

cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.

Alerts:
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2008-1711 2008-02-15

Comments (1 posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Debian DSA-1417-1 2007-12-02
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200804-13 2008-04-14

Comments (none posted)

bind: off-by-one error

Package(s):bind CVE #(s):CVE-2008-0122
Created:January 22, 2008 Updated:March 14, 2008
Description: Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
Alerts:
Fedora FEDORA-2008-0903 2008-01-22
Fedora FEDORA-2008-0904 2008-01-22
rPath rPSA-2008-0029-1 2008-01-24
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

boost: denial of service

Package(s):boost CVE #(s):CVE-2008-0171 CVE-2008-0172
Created:January 17, 2008 Updated:March 14, 2008
Description: From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.
Alerts:
Ubuntu USN-570-1 2008-01-16
Fedora FEDORA-2008-0880 2008-01-22
Mandriva MDVSA-2008:032 2007-02-01
rPath rPSA-2008-0063-1 2008-02-13
Gentoo 200802-08 2008-02-14
Fedora FEDORA-2008-0754 2008-03-13
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

cacti: SQL injection vulnerability

Package(s):cacti CVE #(s):CVE-2007-6035
Created:November 22, 2007 Updated:February 18, 2008
Description: Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors.
Alerts:
Fedora FEDORA-2007-3667 2007-11-22
Fedora FEDORA-2007-3683 2007-11-22
SuSE SUSE-SR:2007:024 2007-11-22
Mandriva MDKSA-2007:231 2007-11-22
Debian DSA-1418-1 2007-12-02
Gentoo 200712-02:02 2007-12-05
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2008-1699 2008-02-15

Comments (none posted)

cacti: denial of service

Package(s):cacti CVE #(s):CVE-2007-3112 CVE-2007-3113
Created:September 18, 2007 Updated:February 18, 2008
Description: A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.
Alerts:
Mandriva MDKSA-2007:184 2007-09-17
Fedora FEDORA-2007-2199 2007-09-18
Fedora FEDORA-2007-3683 2007-11-22
Fedora FEDORA-2008-1737 2008-02-15

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
Debian DSA-1340-1 2007-07-24
Mandriva MDKSA-2007:150 2007-07-25
Gentoo 200708-04 2007-08-09
SuSE SUSE-SR:2007:015 2007-08-03

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Debian