Cascading security updates
By Jake Edge February 27, 2008
When following the distributions' security updates on a daily basis, as we
do at LWN, certain days are more work than others. Two weeks ago we had a
rather full update with no
less than 28 packages updated for Fedora (most of those for both F7 and
F8), along with a handful of updates from other distributions. It turns
out that the majority of the Fedora updates had a single cause: a set
of serious vulnerabilities in Mozilla Firefox.
How does a single update to an application ripple so far that more than a
dozen packages have to be rebuilt? One would think there would be shared
libraries that would get updated, with applications picking up those
changes the next time they are run. That is, in theory, how things are
supposed to work, but in this case, the underlying libraries have no fixed application
binary interface (ABI). So, changes to those libraries require any
applications that use them to be rebuilt and retested.
Gecko is the rendering engine used by Mozilla in their products to display
HTML. Various other packages have started using it as well because of its
speed and standards compliance. Because Mozilla sometimes breaks
the ABI between releases, even minor releases, distributions may be stuck
rebuilding those applications when a new version of the library is
released. Normally, that only happens when packaging a new version of the
distribution—or when serious security flaws are found.
Mozilla's solution for this problem is XULRunner which
will provide a stable ABI for applications. As XULRunner and its companion
libxul become more widely available, the applications that
currently link to the Gecko libraries will presumably switch to avoid these
kinds of problems in the future. It is highly unlikely that we have seen
the last security problem in the Gecko engine, so reducing the cascade that
results from finding one would be welcome.
Because of problems with the ABI changing in the past, Fedora chooses to
make the applications' library version number exactly track the Mozilla release number.
Some other distributions do not do that, so unless the ABI does change, they do
not need to update each package that uses the libraries. This has some
advantages, but could lead to broken applications if an ABI change goes
unnoticed.
We have also seen similar cascades of updates, most notably from the xpdf PDF viewer. Unlike
Gecko, xpdf provides no library at all, so multiple applications copied its
source into their own trees. When a flaw is found, several different
applications (cups, gpdf, etc.) across all distributions need to
be updated immediately, with much the same effect as was seen with the
Gecko vulnerabilities. Hopefully, over time, the development of the poppler library will mitigate
this problem somewhat.
There are lots of good reasons to separate code into components where
possible, but security is an important one. Creating and maintaining an ABI
is sometimes difficult, but generally worth the trouble. Imagine the chaos
that could result from a security vulnerability requiring an ABI change in
glibc.
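To make the cascade concrete, here is an added example (not from the article, and not any distribution's tooling) that models the three situations the article describes: a shared library whose ABI changes between releases, a Fedora-style policy that rebuilds dependents on every release of the library regardless, and source copies like xpdf's that each embedding package must patch on its own. The package names and dependency graph are constructed for illustration only.

```python
from dataclasses import dataclass

# Reasons a package appears in the cascade for a fix in one component.
SHIPS_FIX = "update: ships the fixed component"
EMBEDDED = "update: embedded source copy must be patched and rebuilt"
REBUILD_ABI = "rebuild: linked library changed its ABI"
REBUILD_PIN = "rebuild: distribution pins the library version to the release"
NO_REBUILD = "no rebuild: shared-library fix is picked up on next start"


@dataclass(frozen=True)
class Package:
    name: str
    ships: frozenset = frozenset()   # components built from this package
    links: frozenset = frozenset()   # components used as shared libraries
    embeds: frozenset = frozenset()  # components whose source is copied in


# Constructed dependency graph for illustration; not a real distribution.
PACKAGES = (
    Package("firefox", ships=frozenset({"gecko"})),
    Package("epiphany", links=frozenset({"gecko"})),
    Package("yelp", links=frozenset({"gecko"})),
    Package("devhelp", links=frozenset({"gecko"})),
    Package("xpdf", ships=frozenset({"xpdf"})),
    Package("cups", embeds=frozenset({"xpdf"})),
    Package("gpdf", embeds=frozenset({"xpdf"})),
    Package("poppler", ships=frozenset({"poppler"})),
    Package("evince", links=frozenset({"poppler"})),
)


def cascade(component, packages, abi_changed, pin_to_release):
    """Map every package touched by a fix in `component` to the reason.

    abi_changed:    the fixed release altered the library's ABI
    pin_to_release: the distribution rebuilds dependents on every release
                    of the library (the Fedora policy the article describes)
    """
    reasons = {}
    for pkg in packages:
        if component in pkg.ships:
            reasons[pkg.name] = SHIPS_FIX
        elif component in pkg.embeds:
            # No shared library exists: each copy carries the bug itself.
            reasons[pkg.name] = EMBEDDED
        elif component in pkg.links:
            if abi_changed:
                reasons[pkg.name] = REBUILD_ABI
            elif pin_to_release:
                reasons[pkg.name] = REBUILD_PIN
            else:
                reasons[pkg.name] = NO_REBUILD
    return reasons


def rebuild_set(component, packages, abi_changed, pin_to_release):
    """Packages for which a new build must actually be pushed out."""
    return {name for name, why in
            cascade(component, packages, abi_changed, pin_to_release).items()
            if why != NO_REBUILD}


if __name__ == "__main__":
    for label, comp, abi, pin in (
        ("Gecko, ABI broken by the security release", "gecko", True, False),
        ("Gecko, ABI unchanged, Fedora-style version pin", "gecko", False, True),
        ("Gecko, ABI unchanged, no pin (or a stable libxul)", "gecko", False, False),
        ("xpdf, source copied into other packages", "xpdf", False, False),
    ):
        print(f"{label}: {sorted(rebuild_set(comp, PACKAGES, abi, pin))}")
```

Only the third Gecko case, which is what a stable libxul ABI would give every distribution, collapses the cascade to the package that ships the fix; embedded source copies cascade regardless of any ABI.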
Comments (9 posted)
Security news
Cold Reboot Attacks on Disk Encryption
Ed Felten's Freedom to Tinker weblog has a report on research he and his colleagues have done on subverting whole disk encryption by reading the keys from RAM after the machine has been power-cycled. " The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system."
Comments (38 posted)
Security reports
Risk report: Three years of Red Hat Enterprise Linux 4
Red Hat has published an updated version of its risk report for RHEL4, summarizing the security vulnerabilities in that distribution for the last three years and how Red Hat responded to them. " Fixes for 81% of critical flaws were available from Red Hat Network at latest one calendar day after public disclosure of the flaw. 63% of the critical flaws were fixed on the very same day. This fast response time is a deliberate goal of the Red Hat Security Response Team and forms an
essential part of reducing customer risk from critical flaws." It would be nice if all distributors would produce an occasional report like this.
Comments (18 posted)
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2007-0044 |
| Created: | February 22, 2008 |
| Updated: | March 3, 2008 |
| Description: | Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack. |
| Alerts: | |
Comments (none posted)
asterisk: multiple vulnerabilities
| Package(s): | asterisk |
| CVE #(s): | CVE-2007-3762, CVE-2007-3763, CVE-2007-3764, CVE-2007-4103 |
| Created: | February 27, 2008 |
| Updated: | February 27, 2008 |
| Description: | Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereferencing bug in the IAX2 channel driver, and a memory overflow in the Skinny channel driver. |
| Alerts: | |
Comments (none posted)
clamav: heap corruption
| Package(s): | clamav |
| CVE #(s): | CVE-2008-0728 |
| Created: | February 22, 2008 |
| Updated: | April 18, 2008 |
| Description: | From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." |
| Alerts: | |
Comments (none posted)
cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2008-0886 |
| Created: | February 27, 2008 |
| Updated: | February 27, 2008 |
| Description: | From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash. |
| Alerts: | |
Comments (none posted)
cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2008-0882 |
| Created: | February 22, 2008 |
| Updated: | April 3, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. |
| Alerts: | |
Comments (none posted)
cups: multiple vulnerabilities
| Package(s): | cups |
| CVE #(s): | CVE-2008-0596, CVE-2008-0597 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When a shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing a CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882. |
| Alerts: | |
Comments (none posted)
diatheke: insufficient input sanitizing
| Package(s): | diatheke |
| CVE #(s): | CVE-2008-0932 |
| Created: | February 26, 2008 |
| Updated: | March 4, 2008 |
| Description: | From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user. |
| Alerts: | |
Comments (none posted)
dnssec-tools: insufficient validation
| Package(s): | dnssec-tools |
| CVE #(s): | |
| Created: | February 26, 2008 |
| Updated: | February 27, 2008 |
| Description: | DNSSEC-Tools 1.3.2 contains several fixes, including a patch to the libval DNSSEC validation library to ensure that the signature that validates it is a signature of the trust anchor itself. |
| Alerts: | |
Comments (none posted)
dspam: insecure password
| Package(s): | dspam |
| CVE #(s): | CVE-2007-6418 |
| Created: | February 22, 2008 |
| Updated: | February 27, 2008 |
| Description: | From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails. |
| Alerts: | |
Comments (none posted)
ghostscript: buffer overflow
| Package(s): | ghostscript gs |
| CVE #(s): | CVE-2008-0411 |
| Created: | February 27, 2008 |
| Updated: | April 10, 2008 |
| Description: | The Ghostscript color-space handling code suffers from a buffer overflow which may be exploitable by way of a specially-crafted postscript file. |
| Alerts: | |
Comments (none posted)
kernel: arbitrary code execution
| Package(s): | kernel-source-2.4.27 |
| CVE #(s): | CVE-2004-2731 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Debian advisory: CVE-2004-2731: infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
kernel: memory corruption
| Package(s): | kernel-source-2.4.27 |
| CVE #(s): | CVE-2006-5753 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Debian advisory: CVE-2006-5753: Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.4.27 |
| CVE #(s): | CVE-2006-6053 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Debian advisory: CVE-2006-6053: LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.4.27 |
| CVE #(s): | CVE-2007-2525 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Debian advisory: CVE-2007-2525: Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. |
| Alerts: | |
Comments (none posted)
kernel: reduction in random entropy
| Package(s): | kernel-source-2.4.27 |
| CVE #(s): | CVE-2007-4311 |
| Created: | February 25, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Debian advisory: CVE-2007-4311: PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.6.8 |
| CVE #(s): | CVE-2006-7203 |
| Created: | February 25, 2008 |
| Updated: | February 27, 2008 |
| Description: | From the Debian advisory: CVE-2006-7203: OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. |
| Alerts: | |
Comments (none posted)
moin: multiple XSS vulnerabilities
| Package(s): | moin |
| CVE #(s): | CVE-2008-0780, CVE-2008-0781 |
| Created: | February 21, 2008 |
| Updated: | April 29, 2008 |
| Description: | moin has cross site scripting vulnerabilities in the login action and the AttachFile action. |
| Alerts: | |
Comments (none posted)
qemu: unchecked block read/write
| Package(s): | qemu kvm |
| CVE #(s): | |
| Created: | February 26, 2008 |
| Updated: | February 27, 2008 |
| Description: | From this post to the Debian security list: "I think I have discovered a vulnerability in qemu. It is related to the block device drivers: that is, the backends which implement the functionality offered to a guest via emulated block devices such as the emulated IDE controller." |
| Alerts: | |
Comments (none posted)
splitvt: privilege escalation
| Package(s): | splitvt |
| CVE #(s): | CVE-2008-0162 |
| Created: | February 22, 2008 |
| Updated: | March 4, 2008 |
| Description: | From the Debian advisory: Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. |
| Alerts: | |
Comments (none posted)
turba2: access violation
| Package(s): | turba2 |
| CVE #(s): | CVE-2008-0807 |
| Created: | February 25, 2008 |
| Updated: | February 29, 2008 |
| Description: | From the Debian advisory: Peter Paul Elfferich discovered that turba2, a contact management component for the horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records. |
| Alerts: | |
Comments (none posted)
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
| CVE #(s): | CVE-2007-3238, CVE-2007-2821, CVE-2008-0193, CVE-2008-0194 |
| Created: | February 22, 2008 |
| Updated: | February 27, 2008 |
| Description: | From the Debian advisory: Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. (CVE-2007-3238) SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. (CVE-2007-2821) Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0193) Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0194) |
| Alerts: | |
Comments (none posted)
wyrd: insecure temporary file
| Package(s): | wyrd |
| CVE #(s): | CVE-2008-0806 |
| Created: | February 26, 2008 |
| Updated: | February 27, 2008 |
| Description: | wyrd 1.4.3b allows local users to overwrite arbitrary files via a symlink attack on the wyrd-tmp.[USERID] temporary file. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo |
| CVE #(s): | CVE-2007-5503 |
| Created: | November 29, 2007 |
| Updated: | April 10, 2008 |
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (none posted)
MySQL: privilege escalation
| Package(s): | MySQL |
| CVE #(s): | CVE-2007-3781, CVE-2007-5969 |
| Created: | December 11, 2007 |
| Updated: | April 7, 2008 |
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969) MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) |
| Alerts: | |
Comments (none posted)
SDL_image: buffer overflows
| Package(s): | SDL_image |
| CVE #(s): | CVE-2007-6697, CVE-2008-0544 |
| Created: | February 8, 2008 |
| Updated: | March 27, 2008 |
| Description: | From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE |
| CVE #(s): | CVE-2007-2435, CVE-2007-2788, CVE-2007-2789 |
| Created: | June 1, 2007 |
| Updated: | April 18, 2008 |
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. |
| Alerts: | |
Comments (none posted)
Xorg: multiple vulnerabilities
Comments (none posted)
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2008-0655, CVE-2008-0667, CVE-2008-0726 |
| Created: | February 18, 2008 |
| Updated: | March 3, 2008 |
| Description: | From the SUSE advisory: CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors. CVE-2008-0667: The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document. CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via crafted arguments to the printSepsWithParams, which triggers memory corruption. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
Comments (none posted)
apache: several vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2007-5000, CVE-2007-6388, CVE-2008-0005 |
| Created: | January 15, 2008 |
| Updated: | April 4, 2008 |
| Description: | A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) |
| Alerts: | |
Comments (1 posted)
asterisk: possible SQL injection
| Package(s): | asterisk |
| CVE #(s): | CVE-2007-6170 |
| Created: | December 3, 2007 |
| Updated: | April 15, 2008 |
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. |
| Alerts: | |
Comments (none posted)
bind: off-by-one error
| Package(s): | bind |
| CVE #(s): | CVE-2008-0122 |
| Created: | January 22, 2008 |
| Updated: | March 14, 2008 |
| Description: | Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. |
| Alerts: | |
Comments (none posted)
boost: denial of service
| Package(s): | boost |
| CVE #(s): | CVE-2008-0171, CVE-2008-0172 |
| Created: | January 17, 2008 |
| Updated: | March 14, 2008 |
| Description: | From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash. |
| Alerts: | |
Comments (none posted)
clamav: arbitrary code execution
| Package(s): | clamav |
| CVE #(s): | CVE-2008-0318 |
| Created: | February 13, 2008 |
| Updated: | April 18, 2008 |
| Description: | From the CVE: Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. |
| Alerts: | |
Comments (1 posted)
clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | CVE-2007-3725 |
| Created: | July 24, 2007 |
| Updated: | February 27, 2008 |
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via specially crafted RAR archives. |
| Alerts: | |
Comments (none posted)
clamav: arbitrary file overwrite
| Package(s): | clamav |
| CVE #(s): | CVE-2007-6595 |
| Created: | February 18, 2008 |
| Updated: | April 24, 2008 |
| Description: | From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled. |
| Alerts: | |
Comments (4 posted)
cups: buffer overflow
| Package(s): | cups |
| CVE #(s): | CVE-2007-5848 |
| Created: | January 7, 2008 |
| Updated: | February 27, 2008 |
| Description: | From the CVE entry: Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service. From the rPath advisory: Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code. |
| Alerts: | |
Comments (1 posted)
cups: multiple vulnerabilities
Comments (none posted)
debian-goodies: privilege escalation
| Package(s): | debian-goodies |
| CVE #(s): | CVE-2007-3912 |
| Created: | October 5, 2007 |
| Updated: | March 24, 2008 |
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. |
| Alerts: | |
Comments (none posted)
evolution: format string error
| Package(s): | evolution |
| CVE #(s): | CVE-2007-1002 |
| Created: | March 27, 2007 |
| Updated: | February 27, 2008 |
| Description: | A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. |
| Alerts: | |
Comments (1 posted)
exiftags: multiple vulnerabilities
| Package(s): | exiftags |
| CVE #(s): | CVE-2007-6354, CVE-2007-6355, CVE-2007-6356 |
| Created: | December 31, 2007 |
| Updated: | April 1, 2008 |
| Description: | From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). |
| Alerts: | |
Comments (none posted)
firebird: buffer overflow
| Package(s): | firebird |
| CVE #(s): | CVE-2007-3181 |
| Created: | July 2, 2007 |
| Updated: | March 27, 2008 |
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2008-0414, CVE-2008-0416, CVE-2008-0420, CVE-2008-0594 |
| Created: | February 8, 2008 |
| Updated: | March 26, 2008 |
| Description: | From the Ubuntu advisory: Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414) Various flaws were discovered in character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420) Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594) |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-3844, CVE-2007-3845 |
| Created: | August 1, 2007 |
| Updated: | February 20, 2008 |
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey |
| CVE #(s): | CVE-2007-5947, CVE-2007-5959, CVE-2007-5960 |
| Created: | November 27, 2007 |
| Updated: | March 3, 2008 |
| Description: | A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947) Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959) A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) |
| Alerts: | |
Comments (1 posted)
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird |
| CVE #(s): | CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0417, CVE-2008-0418, CVE-2008-0419, CVE-2008-0591, CVE-2008-0592, CVE-2008-0593 |
| Created: | February 8, 2008 |
| Updated: | April 2, 2008 |
| Description: | From the Red Hat advisory: Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418) A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) |
| Alerts: | |