|
|
| |
|
| |
Security
Cascading security updates
By Jake Edge
February 27, 2008
When following the distributions' security updates on a daily basis, as we
do at LWN, certain days are more work than others. Two weeks ago we had a
rather full update with no
less than 28 packages updated for Fedora (most of those for both F7 and
F8), along with a handful of updates from other distributions. It turns
out that the majority of the Fedora updates had a single cause: a set
of serious vulnerabilities in Mozilla Firefox.
How does a single update to an application ripple so far that more than a
dozen packages have to be rebuilt? One would think there would be shared
libraries that would get updated, with applications picking up those
changes the next time they are run. That is, in theory, how things are
supposed to work, but in this case, the underlying libraries have no fixed application
binary interface (ABI). So, changes to those libraries require any
applications that use them to be rebuilt and retested.
Gecko is the rendering engine used by Mozilla in their products to display
HTML. Various other packages have started using it as well because of its
speed and standards compliance. Because Mozilla sometimes breaks
the ABI between releases, even minor releases, distributions may be stuck
rebuilding those applications when a new version of the library is
released. Normally, that only happens when packaging a new version of the
distribution—or when serious security flaws are found.
Mozilla's solution for this problem is XULRunner which
will provide a stable ABI for applications. As XULRunner and its companion
libxul become more widely available, the applications that
currently link to the Gecko libraries will presumably switch to avoid these
kinds of problems in the future. It is highly unlikely that we have seen
the last security problem in the Gecko engine, so reducing the cascade that
results from finding one would be welcome.
Because of problems with the ABI changing in the past, Fedora chooses to
make the applications' library version number exactly track the Mozilla release number.
Some other distributions do not do that, so unless the ABI does change, they do
not need to update each package that uses the libraries. This has some
advantages, but could lead to broken applications if an ABI change goes
unnoticed.
We have also seen similar cascades of updates, most notably from the xpdf PDF viewer. Unlike
Gecko, there is no library for xpdf, leading multiple applications to
include its source into their own. When a flaw is found, several different
applications (cups, gpdf, etc.) across all distributions need to
be updated immediately, leading to a similar effect as was seen with the
Gecko vulnerabilities. Hopefully, over time, the development of the poppler library will mitigate
this problem somewhat.
There are lots of good reasons to separate code into components where
possible, but security is an important one. Creating and maintaining an ABI
is sometimes difficult, but generally worth the trouble. Imagine the chaos
that could result from a security vulnerability requiring an ABI change in
glibc.
Comments (9 posted)
Security news
Cold Reboot Attacks on Disk Encryption
Ed Felten's Freedom to Tinker weblog has a report on research he and his colleagues have done on subverting whole disk encryption by reading the keys from RAM after the machine has been power-cycled. " The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system."
Comments (38 posted)
Security reports
Risk report: Three years of Red Hat Enterprise Linux 4
Red Hat has published an updated version of its risk report for RHEL4, summarizing the security vulnerabilities in that distribution for the last three years and how Red Hat responded to them. " Fixes for 81% of critical flaws were available from Red Hat Network at latest one calendar day after public disclosure of the flaw. 63% of the critical flaws were fixed on the very same day. This fast response time is a deliberate goal of the Red Hat Security Response Team and forms an
essential part of reducing customer risk from critical flaws." It would be nice if all distributors would produce an occasional report like this.
Comments (18 posted)
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
CVE #(s): | CVE-2007-5659
CVE-2007-5663
CVE-2007-5666
CVE-2007-0044
|
| Created: | February 22, 2008 |
Updated: | March 3, 2008 |
| Description: |
Several flaws were found in the way Adobe Reader processed malformed PDF
files. An attacker could create a malicious PDF file which could execute
arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack.
|
| Alerts: |
|
Comments (none posted)
asterisk: multiple vulnerabilities
| Package(s): | asterisk |
CVE #(s): | CVE-2007-3762
CVE-2007-3763
CVE-2007-3764
CVE-2007-4103
|
| Created: | February 27, 2008 |
Updated: | February 27, 2008 |
| Description: |
Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereferencing bug in the IAX2 channel driver, and a memory overflow in the Skinny channel driver. |
| Alerts: |
|
Comments (none posted)
clamav: heap corruption
| Package(s): | clamav |
CVE #(s): | CVE-2008-0728
|
| Created: | February 22, 2008 |
Updated: | April 18, 2008 |
| Description: |
From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2008-0886
|
| Created: | February 27, 2008 |
Updated: | February 27, 2008 |
| Description: |
From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of
remote printers via IPP that could allow a remote attacker to send
a malicious IPP packet to the UDP port causing CUPS to crash.
|
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2008-0882
|
| Created: | February 22, 2008 |
Updated: | April 3, 2008 |
| Description: |
From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. |
| Alerts: |
|
Comments (none posted)
cups: multiple vulnerabilities
| Package(s): | cups |
CVE #(s): | CVE-2008-0596
CVE-2008-0597
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Red Hat advisory:
A flaw was found in the way CUPS handled the addition and removal of remote
shared printers via IPP. A remote attacker could send malicious UDP IPP
packets causing the CUPS daemon to attempt to dereference already freed
memory and crash. (CVE-2008-0597)
A memory management flaw was found in the way CUPS handled the addition and
removal of remote shared printers via IPP. When shared printer was
removed, allocated memory was not properly freed, leading to a memory leak
possibly causing CUPS daemon crash after exhausting available memory.
(CVE-2008-0596)
These issues were found during the investigation of CVE-2008-0882. |
| Alerts: |
|
Comments (none posted)
diatheke: insufficient input sanitizing
| Package(s): | diatheke |
CVE #(s): | CVE-2008-0932
|
| Created: | February 26, 2008 |
Updated: | March 4, 2008 |
| Description: |
From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user. |
| Alerts: |
|
Comments (none posted)
dnssec-tools: insufficient validation
| Package(s): | dnssec-tools |
CVE #(s): | |
| Created: | February 26, 2008 |
Updated: | February 27, 2008 |
| Description: |
DNSSEC-Tools 1.3.2 contains
several fixes, including a patch to the libval DNSSEC validation library to
ensure that the signature that validates it is a signature of the trust anchor
itself. |
| Alerts: |
|
Comments (none posted)
dspam: insecure password
| Package(s): | dspam |
CVE #(s): | CVE-2007-6418
|
| Created: | February 22, 2008 |
Updated: | February 27, 2008 |
| Description: |
From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails. |
| Alerts: |
|
Comments (none posted)
ghostscript: buffer overflow
| Package(s): | ghostscript gs |
CVE #(s): | CVE-2008-0411
|
| Created: | February 27, 2008 |
Updated: | April 10, 2008 |
| Description: |
The Ghostscript color-space handling code suffers from a buffer overflow which may be exploitable by way of a specially-crafted postscript file. |
| Alerts: |
|
Comments (none posted)
kernel: arbitrary code execution
| Package(s): | kernel-source-2.4.27 |
CVE #(s): | CVE-2004-2731
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Debian advisory:
CVE-2004-2731:
infamous41md reported multiple integer overflows in the Sbus PROM
driver that would allow for a DoS (Denial of Service) attack by a
local user, and possibly the execution of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
kernel: memory corruption
| Package(s): | kernel-source-2.4.27 |
CVE #(s): | CVE-2006-5753
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Debian advisory:
CVE-2006-5753:
Eric Sandeen provided a fix for a local memory corruption vulnerability
resulting from a misinterpretation of return values when operating on
inodes which have been marked bad.
|
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.4.27 |
CVE #(s): | CVE-2006-6053
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Debian advisory:
CVE-2006-6053:
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext3 filesystem.
|
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.4.27 |
CVE #(s): | CVE-2007-2525
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Debian advisory:
CVE-2007-2525:
Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused
by releasing a socket before PPPIOCGCHAN is called upon it. This could
be used by a local user to DoS a system by consuming all available memory.
|
| Alerts: |
|
Comments (none posted)
kernel: reduction in random entropy
| Package(s): | kernel-source-2.4.27 |
CVE #(s): | CVE-2007-4311
|
| Created: | February 25, 2008 |
Updated: | March 6, 2008 |
| Description: |
From the Debian advisory:
CVE-2007-4311:
PaX team discovered an issue in the random driver where a defect in the
reseeding code leads to a reduction in entropy.
|
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-source-2.6.8 |
CVE #(s): | CVE-2006-7203
|
| Created: | February 25, 2008 |
Updated: | February 27, 2008 |
| Description: |
From the Debian advisory:
CVE-2006-7203:
OpenVZ Linux kernel team reported an issue in the smbfs filesystem which
can be exploited by local users to cause a DoS (oops) during mount. |
| Alerts: |
|
Comments (none posted)
moin: multiple XSS vulnerabilities
| Package(s): | moin |
CVE #(s): | CVE-2008-0780
CVE-2008-0781
|
| Created: | February 21, 2008 |
Updated: | April 29, 2008 |
| Description: |
moin has cross site scripting vulnerabilities in the login action
and the AttachFile action. |
| Alerts: |
|
Comments (none posted)
qemu: unchecked block read/write
| Package(s): | qemu kvm |
CVE #(s): | |
| Created: | February 26, 2008 |
Updated: | February 27, 2008 |
| Description: |
From this post
to the Debian security list: "I think I have discovered a
vulnerability in qemu. It is related to the block device drivers: that is,
the backends which implement the functionality offered to a guest via
emulated block devices such as the emulated IDE controller." |
| Alerts: |
|
Comments (none posted)
splitvt: privilege escalation
| Package(s): | splitvt |
CVE #(s): | CVE-2008-0162
|
| Created: | February 22, 2008 |
Updated: | March 4, 2008 |
| Description: |
From the Debian advisory: Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. |
| Alerts: |
|
Comments (none posted)
turba2: access violation
| Package(s): | turba2 |
CVE #(s): | CVE-2008-0807
|
| Created: | February 25, 2008 |
Updated: | February 29, 2008 |
| Description: |
From the Debian advisory:
Peter Paul Elfferich discovered that turba2, a contact management component
for horde framework did not correctly check access rights before allowing
users to edit addresses. This could result in valid users being able to
alter private address records. |
| Alerts: |
|
Comments (none posted)
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
CVE #(s): | CVE-2007-3238
CVE-2007-2821
CVE-2008-0193
CVE-2008-0194
|
| Created: | February 22, 2008 |
Updated: | February 27, 2008 |
| Description: |
From the Debian advisory:
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. (CVE-2007-3238)
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. (CVE-2007-2821)
Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress
2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to
wp-admin/edit.php. (CVE-2008-0193)
Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0194) |
| Alerts: |
|
Comments (none posted)
wyrd: insecure temporary file
| Package(s): | wyrd |
CVE #(s): | CVE-2008-0806
|
| Created: | February 26, 2008 |
Updated: | February 27, 2008 |
| Description: |
wyrd 1.4.3b allows local users to overwrite arbitrary files via a symlink attack on the wyrd-tmp.[USERID] temporary file. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
CVE #(s): | CVE-2008-0655
CVE-2008-0667
CVE-2008-0726
|
| Created: | February 18, 2008 |
Updated: | March 3, 2008 |
| Description: |
From the SUSE advisory:
CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader
and Acrobat before 8.1.2 have unknown impact and
attack vectors.
CVE-2008-0667: The DOC.print function in the Adobe JavaScript API,
as used by Adobe Acrobat and Reader before 8.1.2, allows
remote attackers to configure silent non-interactive
printing, and trigger the printing of an arbitrary
number of copies of a document.
CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and
earlier allows remote attackers to execute arbitrary
code via crafted arguments to the printSepsWithParams,
which triggers memory corruption.
|
| Alerts: |
|
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
apache: several vulnerabilities
| Package(s): | apache |
CVE #(s): | CVE-2007-5000
CVE-2007-6388
CVE-2008-0005
|
| Created: | January 15, 2008 |
Updated: | July 29, 2008 |
| Description: |
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005) |
| Alerts: |
|
Comments (1 posted)
asterisk: possible SQL injection
| Package(s): | asterisk |
CVE #(s): | CVE-2007-6170
|
| Created: | December 3, 2007 |
Updated: | April 15, 2008 |
| Description: |
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection. |
| Alerts: |
|
Comments (none posted)
bind: insecure permissions
| Package(s): | bind |
CVE #(s): | CVE-2007-6283
|
| Created: | December 21, 2007 |
Updated: | July 10, 2008 |
| Description: |
Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file
with world-readable permissions, which allows local users to perform
unauthorized named commands, such as causing a denial of service by
stopping named. |
| Alerts: |
|
Comments (1 posted)
bind: off-by-one error
| Package(s): | bind |
CVE #(s): | CVE-2008-0122
|
| Created: | January 22, 2008 |
Updated: | July 10, 2008 |
| Description: |
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption. |
| Alerts: |
|
Comments (none posted)
boost: denial of service
| Package(s): | boost |
CVE #(s): | CVE-2008-0171
CVE-2008-0172
|
| Created: | January 17, 2008 |
Updated: | March 14, 2008 |
| Description: |
From the Ubuntu alert:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash. |
| Alerts: |
|
Comments (none posted)
cairo: integer overflow
| Package(s): | Cairo |
CVE #(s): | CVE-2007-5503
|
| Created: | November 29, 2007 |
Updated: | April 10, 2008 |
| Description: |
Cairo has an integer overflow vulnerability in the PNG image processing
code. If a user processes a specially crafted PNG image with an
application that is linked against cairo, arbitrary code can be executed
with the user's privileges. |
| Alerts: |
|
Comments (none posted)
clamav: arbitrary code execution
| Package(s): | clamav |
CVE #(s): | CVE-2008-0318
|
| Created: | February 13, 2008 |
Updated: | April 18, 2008 |
| Description: |
From the CVE:
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. |
| Alerts: |
|
Comments (1 posted)
clamav: denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2007-3725
|
| Created: | July 24, 2007 |
Updated: | February 27, 2008 |
| Description: |
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via a specially crafted RAR archives. |
| Alerts: |
|
Comments (none posted)
clamav: arbitrary file overwrite
| Package(s): | clamav |
CVE #(s): | CVE-2007-6595
|
| Created: | February 18, 2008 |
Updated: | August 8, 2008 |
| Description: |
From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled. |
| Alerts: |
|
Comments (4 posted)
clamav: integer overflow and off-by-one
| Package(s): | clamav |
CVE #(s): | CVE-2007-6335
CVE-2007-6336
|
| Created: | December 19, 2007 |
Updated: | July 17, 2008 |
| Description: |
ClamAV contains integer overflow and off-by-one errors which could be exploited (via specially-crafted email) to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
cups: buffer overflow
| Package(s): | cups |
CVE #(s): | CVE-2007-5848
|
| Created: | January 7, 2008 |
Updated: | February 27, 2008 |
| Description: |
From the CVE entry:
Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.
From the rPath advisory:
Previous versions of the cups package contain a buffer-overflow
weakness. It is not believed that this weakness can be exploited
to execute malicious code. |
| Alerts: |
|
Comments (1 posted)
cups: multiple vulnerabilities
Comments (none posted)
debian-goodies: privilege escalation
| Package(s): | debian-goodies |
CVE #(s): | CVE-2007-3912
|
| Created: | October 5, 2007 |
Updated: | March 24, 2008 |
| Description: |
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart. |
| Alerts: |
|
Comments (none posted)
Django: denial of service
| Package(s): | Django |
CVE #(s): | CVE-2007-5712
|
| Created: | November 12, 2007 |
Updated: | September 22, 2008 |
| Description: |
From the CVE notice:
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers. |
| Alerts: |
|
Comments (none posted)
dovecot: privilege escalation
| Package(s): | dovecot |
CVE #(s): | CVE-2007-4211
|
| Created: | August 15, 2007 |
Updated: | May 21, 2008 |
| Description: |
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions." |
| Alerts: |
|
Comments (none posted)
dovecot: directory traversal
| Package(s): | dovecot |
CVE #(s): | CVE-2007-2231
|
| Created: | May 8, 2007 |
Updated: | May 21, 2008 |
| Description: |
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name. |
| Alerts: |
|
Comments (none posted)
dovecot: multiple vulnerabilities
| Package(s): | dovecot |
CVE #(s): | CVE-2007-6598
|
| Created: | January 3, 2008 |
Updated: | October 7, 2008 |
| Description: |
Dovecot has multiple vulnerabilities including an issue involving the
confusion between LDAP-authenticated logins across users with the
same password and a denial of service involving a connecting user. |
| Alerts: |
|
Comments (none posted)
emacs: buffer overflow
| Package(s): | emacs |
CVE #(s): | CVE-2007-6109
|
| Created: | December 10, 2007 |
Updated: | May 6, 2008 |
| Description: |
From the National Vulnerability Database:
Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. |
| Alerts: |
|
Comments (none posted)
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
| Alerts: |
|
Comments (1 posted)
exiftags: multiple vulnerabilities
| Package(s): | exiftags |
CVE #(s): | CVE-2007-6354
CVE-2007-6355
CVE-2007-6356
|
| Created: | December 31, 2007 |
Updated: | April 1, 2008 |
| Description: |
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356). |
| Alerts: |
|
Comments (none posted)
exiv2: integer overflow
| Package(s): | exiv2 |
CVE #(s): | CVE-2007-6353
|
| Created: | December 21, 2007 |
Updated: | October 15, 2008 |
| Description: |
Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. |
| Alerts: |
|
Comments (none posted)
firebird: buffer overflow
| Package(s): | firebird |
CVE #(s): | CVE-2007-3181
|
| Created: | July 2, 2007 |
Updated: | March 27, 2008 |
| Description: |
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
CVE #(s): | CVE-2008-0414
CVE-2008-0416
CVE-2008-0420
CVE-2008-0594
|
| Created: | February 8, 2008 |
Updated: | May 21, 2008 |
| Description: |
From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a
user were ticked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog wasn't displayed under certain circumstances. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
|
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
CVE #(s): | CVE-2007-3844
CVE-2007-3845
|
| Created: | August 1, 2007 |
Updated: | February 20, 2008 |
| Description: |
A flaw was discovered in handling of "about:blank" windows used by
addons. A malicious web site could exploit this to modify the contents,
or steal confidential data (such as passwords), of other web pages.
(CVE-2007-3844)
Jesper Johansson discovered that spaces and double-quotes were
not correctly handled when launching external programs. In rare
configurations, after tricking a user into opening a malicious web page,
an attacker could execute helpers with arbitrary arguments with the
user's privileges. (CVE-2007-3845) |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey |
CVE #(s): | CVE-2007-5947
CVE-2007-5959
CVE-2007-5960
|
| Created: | November 27, 2007 |
Updated: | March 3, 2008 |
| Description: |
A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)
A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)
|
| Alerts: |
|
Comments (1 posted)
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird |
CVE #(s): | CVE-2008-0412
CVE-2008-0413
CVE-2008-0415
CVE-2008-0417
CVE-2008-0418
CVE-2008-0419
CVE-2008-0591
CVE-2008-0592
CVE-2008-0593
|
| Created: | February 8, 2008 |
Updated: | May 21, 2008 |
| Description: |
From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web
content. A webpage containing specially-crafted content could trick a user
into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves
login information for a malicious website, it could be possible to corrupt
the password database, preventing the user from properly accessing saved
password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user
has certain extensions installed, it could allow a malicious website to
steal sensitive session data. Note: this flaw does not affect a default
installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a
website offers a file of type "plain/text", rather than "text/plain",
Firefox will not show future "text/plain" content to the user in the
browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)
|
| Alerts: |
|
Comments (2 posted)
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
CVE #(s): | CVE-2007-3738
CVE-2007-3656
CVE-2007-3670
CVE-2007-3285
CVE-2007-3737
CVE-2007-3089
CVE-2007-3736
CVE-2007-3734
CVE-2007-3735
|
| Created: | July 18, 2007 |
Updated: | May 12, 2008 |
| Description: |
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
that showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
| Alerts: |
|
Comments (none posted)
flash-plugin: lots of problems
Comments (3 posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gd: multiple vulnerabilities
| Package(s): | gd |
CVE #(s): | CVE-2007-3472
CVE-2007-3473
CVE-2007-3474
CVE-2007-3475
CVE-2007-3476
CVE-2007-3477
CVE-2007-3478
|
| Created: | August 6, 2007 |
Updated: | July 22, 2008 |
| Description: |
Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have unspecified attack vectors and
impact. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allows attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478) |
| Alerts: |
|
Comments (none posted)
gd: denial of service
| Package(s): | gd |
CVE #(s): | CVE-2007-2756
|
| Created: | June 14, 2007 |
Updated: | February 28, 2008 |
| Description: |
Libgd2 has a denial of service vulnerability involving the incorrect
validation of PNG callback results. If an application that is linked
against libgd2 is used to process a specially-crafted PNG file,
a denial of service involving CPU resource consumption can be
caused. |
| Alerts: |
|
Comments (none posted)
gimp: multiple vulnerabilities
| Package(s): | gimp |
CVE #(s): | CVE-2007-2949
|
| Created: | June 28, 2007 |
Updated: | February 27, 2008 |
| Description: |
The gimp image editor has several vulnerabilities, including
a problem where it can open PSD files with excessive dimensions
and a possible stack overflow in the Sunras loader. |
| Alerts: |
|
Comments (none posted)
gnome-screensaver: keyboard lock bypass
| Package(s): | gnome-screensaver |
CVE #(s): | CVE-2007-3920
|
| Created: | October 24, 2007 |
Updated: | June 13, 2008 |
| Description: |
From the Ubuntu advisory:
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver. |
| Alerts: |
|
Comments (none posted)
openssh: inappropriate use of trusted cookies
| Package(s): | gnome-ssh-askpass openssh |
CVE #(s): | CVE-2007-4752
|
| Created: | September 11, 2007 |
Updated: | August 25, 2008 |
| Description: |
OpenSSH in versions prior
4.7 could use a trusted X11 cookie if the creation of an untrusted
cookie failed. |
| Alerts: |
|
Comments (none posted)
gnumeric: arbitrary code execution
| Package(s): | gnumeric |
CVE #(s): | CVE-2008-0668
|
| Created: | February 13, 2008 |
Updated: | August 8, 2008 |
| Description: |
From the CVE:
The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information. |
| Alerts: |
|
Comments (none posted)
horde3: remote email deletion
| Package(s): | horde3 |
CVE #(s): | CVE-2007-6018
|
| Created: | January 21, 2008 |
Updated: | February 29, 2008 |
| Description: |
From the Debian advisory:
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client. |
| Alerts: |
|
Comments (none posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
httpd: cross-site scripting, denial of service
| Package(s): | httpd |
CVE #(s): | CVE-2007-6421
CVE-2007-6422
|
| Created: | January 15, 2008 |
Updated: | April 4, 2008 |
| Description: |
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422) |
| Alerts: |
|
Comments (1 posted)
icu: arbitrary code execution
| Package(s): | icu |
CVE #(s): | CVE-2007-4770
CVE-2007-4771
|
| Created: | January 25, 2008 |
Updated: | May 15, 2008 |
| Description: |
From the Red Hat advisory:
Will Drewry reported multiple flaws in the way libicu processed certain
malformed regular expressions. If an application linked against ICU, such
as OpenOffice.org, processed a carefully crafted regular expression, it may
be possible to execute arbitrary code as the user running the application.
|
| Alerts: |
|
Comments (none posted)
imagemagick: multiple vulnerabilities
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-4985
CVE-2007-4986
CVE-2007-4987
CVE-2007-4988
|
| Created: | October 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
The ImageMagick image decoders have multiple vulnerabilities.
If a user can be tricked into processing a specially crafted
DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with
the user's privileges. |
| Alerts: |
|
Comments (none posted)
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
| Alerts: |
|
Comments (none posted)
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun |
CVE #(s): | CVE-2007-3503
CVE-2007-3655
CVE-2007-3698
CVE-2007-3922
|
| Created: | August 6, 2007 |
Updated: | June 24, 2008 |
| Description: |
The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)
The JSSE component did not correctly process SSL/TLS handshake requests. A
remote attacker who is able to connect to a JSSE-based service could
trigger this flaw leading to a denial-of-service. (CVE-2007-3698)
A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting to
services hosted on the machine that executed the applet. (CVE-2007-3922)
|
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java-1.5.0-sun |
CVE #(s): | CVE-2008-0657
|
| Created: | February 12, 2008 |
Updated: | April 25, 2008 |
| Description: |
Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs. |
| Alerts: |
|
Comments (none posted)
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun |
CVE #(s): | CVE-2007-5232
CVE-2007-5238
CVE-2007-5239
CVE-2007-5240
CVE-2007-5273
CVE-2007-5274
|
| Created: | October 12, 2007 |
Updated: | April 25, 2008 |
| Description: |
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled,
allows remote attackers to violate the security model for an applet's
outbound connections via a DNS rebinding attack. (CVE-2007-5232)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not
properly enforce access restrictions for untrusted applications, which
allows user-assisted remote attackers to obtain sensitive information (the
Java Web Start cache location) via an untrusted application, aka "three
vulnerabilities." (CVE-2007-5238)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE
1.3.1_20 and earlier does not properly enforce access restrictions for
untrusted (1) applications and (2) applets, which allows user-assisted
remote attackers to copy or rename arbitrary files when local users perform
drag-and-drop operations from the untrusted application or applet window
onto certain types of desktop applications. (CVE-2007-5239)
Visual truncation vulnerability in the Java Runtime Environment in Sun JDK
and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK
and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows
remote attackers to circumvent display of the untrusted-code warning banner
by creating a window larger than the workstation screen. (CVE-2007-5240)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used,
allows remote attackers to violate the security model for an applet's
outbound connections via a multi-pin DNS rebinding attack in which the
applet download relies on DNS resolution on the proxy server, but the
applet's socket operations rely on DNS resolution on the local machine, a
different issue than CVE-2007-5274. NOTE: this is similar to
CVE-2007-5232. (CVE-2007-5273)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows
remote attackers to violate the security model for JavaScript outbound
connections via a multi-pin DNS rebinding attack dependent on the
LiveConnect API, in which JavaScript download relies on DNS resolution by
the browser, but JavaScript socket operations rely on separate DNS
resolution by a Java Virtual Machine (JVM), a different issue than
CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274) |
| Alerts: |
|
Comments (1 posted)
JRockit: multiple vulnerabilities
Comments (none posted)
kazehakase: multiple vulnerabilities
| Package(s): | kazehakase |
CVE #(s): | |
| Created: | January 31, 2008 |
Updated: | April 23, 2008 |
| Description: |
The kazehakase web browser is vulnerable to buffer overflows and
memory corruption in PCRE. If a remote attacker can convince a user to
open specially crafted bookmarks, it can lead to the
execution of arbitrary code, denial of service or
arbitrary information disclosure. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: out-of-bounds access
| Package(s): | kernel |
CVE #(s): | CVE-2007-4573
|
| Created: | September 25, 2007 |
Updated: | May 21, 2008 |
| Description: |
The IA32 system call emulation functionality in Linux kernel 2.4.x and
2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
zero extend the eax register after the 32bit entry path to ptrace is used,
which might allow local users to gain privileges by triggering an
out-of-bounds access to the system call table using the %RAX register. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-4130
CVE-2007-6694
|
| Created: | February 1, 2008 |
Updated: | June 20, 2008 |
| Description: |
From the Red Hat advisory: A flaw was found in the way the Red Hat
Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA
method for accessing memory on Itanium architectures. A local unprivileged
user could trigger this flaw and cause a denial of service (system panic).
A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This may have allowed a local
unprivileged user to cause a denial of service (crash). |
| Alerts: |
|
Comments (none posted)
kernel: denial of service vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-4133
CVE-2007-5093
|
| Created: | January 11, 2008 |
Updated: | May 21, 2008 |
| Description: |
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors.
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device. |
| Alerts: |
|
Comments (none posted)
kernel: ALSA returns incorrect write size
| Package(s): | kernel |
CVE #(s): | CVE-2007-4571
|
| Created: | September 28, 2007 |
Updated: | June 20, 2008 |
| Description: |
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced
Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does
not return the correct write size, which allows local users to obtain
sensitive information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc. |
| Alerts: |
|
Comments (none posted)
kernel: insufficient range checks
| Package(s): | kernel |
CVE #(s): | CVE-2008-0007
|
| Created: | February 8, 2008 |
Updated: | August 20, 2008 |
| Description: |
From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory. |
| Alerts: |
|
Comments (none posted)
kernel: remote denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-6058
CVE-2007-4997
|
| Created: | November 9, 2007 |
Updated: | June 13, 2008 |
| Description: |
The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
other versions, allows local users to cause a denial of service (hang) via
a malformed minix file stream that triggers an infinite loop in the
minix_bmap function. NOTE: this issue might be due to an integer overflow
or signedness error.
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows
remote attackers to cause a denial of service (crash) via a crafted SKB
length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set, aka an "off-by-two error." |
| Alerts: |
|
Comments (1 posted)
kernel: local filesystem corruption
| Package(s): | kernel |
CVE #(s): | CVE-2008-0001
|
| Created: | January 17, 2008 |
Updated: | June 13, 2008 |
| Description: |
From the mitre.org CVE description:
VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions. |
| Alerts: |
|
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-1353
CVE-2007-2451
CVE-2007-2453
|
| Created: | June 11, 2007 |
Updated: | March 6, 2008 |
| Description: |
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local attacker
could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key.
Any data encrypted using this type of device would be easily compromised.
(CVE-2007-2451)
The random number generator was hashing a subset of the available
entropy, leading to slightly less random numbers. Additionally, systems
without an entropy source would be seeded with the same inputs at boot
time, leading to a repeatable series of random numbers. (CVE-2007-2453) |
| Alerts: |
|
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5823
CVE-2006-6054
CVE-2007-1592
|
| Created: | June 12, 2007 |
Updated: | March 6, 2008 |
| Description: |
A flaw in the cramfs file system allows invalid compressed data to cause
memory corruption (CVE-2006-5823)
A flaw in the ext2 file system allows an invalid inode size to cause a
denial of service (system hang) (CVE-2006-6054)
A flaw in IPV6 flow label handling allows a local user to cause a denial of
service (crash) (CVE-2007-1592) |
| Alerts: |
|
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-3851
CVE-2007-3848
CVE-2007-3105
|
| Created: | August 17, 2007 |
Updated: | May 21, 2008 |
| Description: |
The drm/i915 component in the Linux kernel before 2.6.22.2, when used with
i965G and later chipsets, allows local users with access to an X11 session
and Direct Rendering Manager (DRM) to write to arbitrary memory locations
and gain privileges via a crafted batchbuffer. (CVE-2007-3851)
Linux kernel 2.4.35 and other versions allows local users to send arbitrary
signals to a child process that is running at higher privileges by causing
a setuid-root parent process to die, which delivers an attacker-controlled
parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)
Stack-based buffer overflow in the random number generator (RNG)
implementation in the Linux kernel before 2.6.22 might allow local root
users to cause a denial of service or gain privileges by setting the
default wakeup threshold to a value greater than the output pool size,
which triggers writing random numbers to the stack by the pool transfer
function involving "bound check ordering". NOTE: this issue might only
cross privilege boundaries in environments that have granular assignment of
privileges for root. (CVE-2007-3105) |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-5500
|
| Created: | November 28, 2007 |
Updated: | July 8, 2008 |
| Description: |
The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-5501
|
| Created: | November 28, 2007 |
Updated: | March 7, 2008 |
| Description: |
The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-3104
CVE-2007-3740
CVE-2007-3843
CVE-2007-6063
|
| Created: | December 4, 2007 |
Updated: | June 13, 2008 |
| Description: |
The sysfs_readdir function in the Linux kernel 2.6 allows local users to
cause a denial of service (kernel OOPS) by dereferencing a null pointer to
an inode in a dentry. (CVE-2007-3104)
The CIFS filesystem, when Unix extension support is enabled, did not honor
the umask of a process, which allowed local users to gain
privileges.(CVE-2007-3740)
The Linux kernel checked the wrong global variable for the CIFS sec mount
option, which might allow remote attackers to spoof CIFS network traffic
that the client configured for security signatures, as demonstrated by lack
of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux
kernel allowed local users to have an unknown impact via a crafted argument
to the isdn_ioctl function. (CVE-2007-6063) |
| Alerts: |
|
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-2172
CVE-2007-3739
CVE-2007-4308
|
| Created: | December 3, 2007 |
Updated: | March 28, 2008 |
| Description: |
A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes
RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an
"out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
fib_props (fib_semantics.c, IPv4) functions. (CVE-2007-2172)
mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not
prevent stack expansion from entering into reserved kernel page memory,
which allows local users to cause a denial of service (OOPS) via
unspecified vectors. (CVE-2007-3739)
The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer
ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check
permissions for ioctls, which might allow local users to cause a denial of
service or gain privileges. (CVE-2007-4308) |
| Alerts: |
|
Comments (none posted)
kernel: buffer overflows
| Package(s): | kernel |
CVE #(s): | CVE-2007-5904
|
| Created: | December 3, 2007 |
Updated: | June 20, 2008 |
| Description: |
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via long SMB responses that trigger the overflows in
the SendReceive function. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-5966
|
| Created: | December 19, 2007 |
Updated: | August 27, 2008 |
| Description: |
A bug in high-resolution timers (prior to kernel 2.6.22.15) can cause very long sleeps when large timeout values are used. |
| Alerts: |
|
Comments (none posted)
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-2442
CVE-2007-2443
CVE-2007-2798
|
| Created: | June 27, 2007 |
Updated: | March 24, 2008 |
| Description: |
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798). |
| Alerts: |
|
Comments (none posted)
krb5: buffer overflow, uninitialized pointer
| Package(s): | krb5 |
CVE #(s): | CVE-2007-3999
CVE-2007-4000
|
| Created: | September 4, 2007 |
Updated: | March 24, 2008 |
| Description: |
Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by kadmind. A remote unauthenticated attacker who can access
kadmind could trigger this flaw and cause kadmind to crash.
Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
remote unauthenticated attacker who can access kadmind could trigger this
flaw and cause kadmind to crash. |
| Alerts: |
|
Comments (none posted)
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-0956
CVE-2007-0957
CVE-2007-1216
|
| Created: | April 3, 2007 |
Updated: | March 24, 2008 |
| Description: |
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory
2007-002
A double-free flaw was found in the GSSAPI library used by the kadmin
server daemon. MIT krb5 Security Advisory
2007-003 |
| Alerts: |
|
Comments (none posted)
kvirc: remote arbitrary code execution
| Package(s): | kvirc |
CVE #(s): | CVE-2007-2951
|
| Created: | September 14, 2007 |
Updated: | February 27, 2008 |
| Description: |
Stefan Cornelius from Secunia Research discovered that the
"parseIrcUrl()" function in file src/kvirc/kernel/kvi_ircurl.cpp does
not properly sanitize parts of the URI when building the command for
KVIrc's internal script system. |
| Alerts: |
|
Comments (none posted)
lcms: stack-based buffer overflow
| Package(s): | lcms |
CVE #(s): | CVE-2007-2741
|
| Created: | November 23, 2007 |
Updated: | October 14, 2008 |
| Description: |
Stack-based buffer overflow in Little CMS (lmcs) before 1.15 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted ICC profile in a JPG file. |
| Alerts: |
|
Comments (none posted)
libarchive: pax extension header vulnerabilities
| Package(s): | libarchive |
CVE #(s): | CVE-2007-3641
CVE-2007-3644
CVE-2007-3645
|
| Created: | August 9, 2007 |
Updated: | February 27, 2008 |
| Description: |
libarchive, a library for manipulating different streaming archive
formats, has a number of pax extension header vulnerabilities.
These may be used to cause a denial of service or for the execution
of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libcdio: arbitrary code execution
| Package(s): | libcdio |
CVE #(s): | CVE-2007-6613
|
| Created: | January 21, 2008 |
Updated: | March 7, 2008 |
| Description: |
From the Gentoo advisory:
Devon Miller reported a boundary error in the "print_iso9660_recurse()"
function in files cd-info.c and iso-info.c when processing long
filenames within Joliet images.
A remote attacker could entice a user to open a specially crafted ISO
image in the cd-info and iso-info applications, resulting in the
execution of arbitrary code with the privileges of the user running the
application. Applications linking against shared libraries of libcdio
are not affected. |
| Alerts: |
|
Comments (1 posted)
libexif: integer overflow
| Package(s): | libexif |
CVE #(s): | CVE-2007-6352
|
| Created: | December 19, 2007 |
Updated: | October 15, 2008 |
| Description: |
From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to execute arbitrary code, or crash. |
| Alerts: |
|
Comments (none posted)
libexif: denial of service
| Package(s): | libexif |
CVE #(s): | CVE-2007-6351
|
| Created: | December 19, 2007 |
Updated: | October 15, 2008 |
| Description: |
From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflow
| Package(s): | libgd2 |
CVE #(s): | CVE-2007-3996
|
| Created: | December 19, 2007 |
Updated: | July 22, 2008 |
| Description: |
The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libimager-perl: buffer overflow
| Package(s): | libimager-perl |
CVE #(s): | CVE-2007-2459
|
| Created: | February 20, 2008 |
Updated: | February 20, 2008 |
| Description: |
A buffer overflow in the read_4bit_bmp function in bmp.c in Imager 0.56 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via 4-bit/pixel BMP files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| Alerts: |
|
Comments (none posted)
libpng: denial of service
| Package(s): | libpng |
CVE #(s): | CVE-2007-2445
|
| Created: | May 17, 2007 |
Updated: | July 22, 2008 |
| Description: |
Libpng can be crashed when processing malformed PNG files.
It may also be possible to exploit this vulnerability to execute arbitrary
code. |
| Alerts: |
|
Comments (none posted)
libpng: several vulnerabilities
| Package(s): | libpng |
CVE #(s): | CVE-2007-5266
CVE-2007-5267
CVE-2007-5268
CVE-2007-5269
|
| Created: | October 19, 2007 |
Updated: | June 3, 2008 |
| Description: |
Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT
(png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read
operations. (CVE-2007-5269)
pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical
instead of bitwise operations and (2) incorrect comparisons, which might
allow remote attackers to cause a denial of service (crash) via a crafted
PNG image. (CVE-2007-5268)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause
a denial of service (crash) via a crafted PNG image, due to an incorrect
fix for CVE-2007-5266. (CVE-2007-5267)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1
allows remote attackers to cause a denial of service (crash) via a crafted
PNG image that prevents a name field from being NULL terminated.
(CVE-2007-5266) |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
liferea: weak permissions
| Package(s): | liferea |
CVE #(s): | CVE-2007-5751
|
| Created: | November 2, 2007 |
Updated: | April 23, 2008 |
| Description: |
Liferea before 1.4.6 uses weak permissions (0644) for the feedlist.opml backup file, which allows local users to obtain credentials. |
| Alerts: |
|
Comments (1 posted)
lighttpd: denial of service
| Package(s): | lighttpd |
CVE #(s): | CVE-2007-3946
CVE-2007-3947
CVE-2007-3948
CVE-2007-3949
CVE-2007-3950
|
| Created: | July 19, 2007 |
Updated: | July 15, 2008 |
| Description: |
The lighttpd web server has multiple vulnerabilities involving
a remote access-control setting circumvention that is performed
by the sending of malformed requests. This can be used to crash
the server and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | linux-2.6 |
CVE #(s): | CVE-2007-2878
CVE-2007-6151
|
| Created: | January 29, 2008 |
Updated: | July 8, 2008 |
| Description: |
From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory leading by issuing ioctls with unterminated data.
|
| Alerts: |
|
Comments (none posted)
kernel: local root privilege escalation
| Package(s): | linux-2.6 |
CVE #(s): | CVE-2008-0010
CVE-2008-0600
|
| Created: | February 11, 2008 |
Updated: | June 23, 2008 |
| Description: |
From the Debian advisory:
The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).
|
| Alerts: |
|
Comments (1 posted)
kernel: information leak, denial of service
| Package(s): | linux-2.6 |
CVE #(s): | CVE-2007-6206
CVE-2007-6417
|
| Created: | December 21, 2007 |
Updated: | September 26, 2008 |
| Description: |
Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page maybe improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417) |
| Alerts: |
|
Comments (none posted)
vmware-player-kernel: several vulnerabilities
| Package(s): | linux-restricted-modules-2.6.17/20, vmware-player-kernel-2.6.15 |
CVE #(s): | CVE-2007-0061
CVE-2007-0062
CVE-2007-0063
CVE-2007-4496
CVE-2007-4497
|
| Created: | November 16, 2007 |
Updated: | August 7, 2008 |
| Description: |
Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
|
| Alerts: |
|
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
CVE #(s): | CVE-2008-0564
|
| Created: | February 13, 2008 |
Updated: | August 29, 2008 |
| Description: |
From the Red Hat bugzilla entry:
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before
2.1.10b1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors related to (1) editing templates and (2) the
list's "info attribute" in the web administrator interface, a
different vulnerability than CVE-2006-3636.
|
| Alerts: |
|
Comments (none posted)
mantis: cross-site scripting
| Package(s): | mantis |
CVE #(s): | CVE-2007-6611
|
| Created: | January 7, 2008 |
Updated: | March 4, 2008 |
| Description: |
From the CVE entry:
Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename. |
| Alerts: |
|
Comments (none posted)
mapserver: multiple cross-site scripting vulnerabilities
| Package(s): | mapserver |
CVE #(s): | CVE-2007-4542
CVE-2007-4629
|
| Created: | September 5, 2007 |
Updated: | April 7, 2008 |
| Description: |
CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name. |
| Alerts: |
|
Comments (none posted)
mod_jk: proxy bypass
| Package(s): | mod_jk |
CVE #(s): | CVE-2007-1860
|
| Created: | May 30, 2007 |
Updated: | March 7, 2008 |
| Description: |
From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside
Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
second decoding. If Tomcat was used behind mod_jk and configured to only
proxy some contexts, an attacker could construct a carefully crafted HTTP
request to work around the context restriction and potentially access
non-proxied content." |
| Alerts: |
|
Comments (none posted)
moin: arbitrary JavaScript execution
| Package(s): | moin |
CVE #(s): | CVE-2007-2423
|
| Created: | May 8, 2007 |
Updated: | March 10, 2008 |
| Description: |
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted. |
| Alerts: |
|
Comments (none posted)
moodle: cross-site scripting
| Package(s): | moodle |
CVE #(s): | CVE-2008-0123
|
| Created: | January 16, 2008 |
Updated: | July 9, 2008 |
| Description: |
Moodle suffers from a cross-site scripting vulnerability which is only open during the install process. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | |
| Created: | February 13, 2008 |
Updated: | July 29, 2008 |
| Description: |
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
Upgraded to firefox-2.0.0.12.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
Upgraded to seamonkey-1.1.8.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
+--------------------------+
|
| Alerts: |
|
Comments (none posted)
mplayer: buffer overflow
| Package(s): | mplayer |
CVE #(s): | CVE-2007-1246
|
| Created: | March 8, 2007 |
Updated: | April 1, 2008 |
| Description: |
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
user-assisted remote attackers can use this to create a buffer overflow
and possibly execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
mplayer: multiple vulnerabilities
| Package(s): | mplayer |
CVE #(s): | CVE-2008-0485
CVE-2008-0486
CVE-2008-0629
CVE-2008-0630
|
| Created: | February 13, 2008 |
Updated: | August 7, 2008 |
| Description: |
From the Debian advisory:
Several buffer overflows have been discovered in the MPlayer movie player,
which might lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485:
Felipe Manzano and Anibal Sacco discovered a buffer overflow in
the demuxer for MOV files.
CVE-2008-0486:
Reimar Doeffinger discovered a buffer overflow in the FLAC header
parsing.
CVE-2008-0629:
Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630:
Adam Bozanich discovered a buffer overflow in URL parsing.
|
| Alerts: |
|
Comments (none posted)
mt-daapd: multiple vulnerabilities
| Package(s): | mt-daapd |
CVE #(s): | CVE-2007-5825
CVE-2007-5824
|
| Created: | December 31, 2007 |
Updated: | September 1, 2008 |
| Description: |
From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824). |
| Alerts: |
|
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
CVE #(s): | CVE-2007-1420
|
| Created: | March 22, 2007 |
Updated: | May 21, 2008 |
| Description: |
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
mysql: privilege escalation
| Package(s): | mysql |
CVE #(s): | CVE-2007-6303
|
| Created: | December 19, 2007 |
Updated: | April 7, 2008 |
| Description: |
From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement. |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
MySQL: privilege escalation
| Package(s): | MySQL |
CVE #(s): | CVE-2007-3781
CVE-2007-5969
|
| Created: | December 11, 2007 |
Updated: | May 21, 2008 |
| Description: |
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) |
| Alerts: |
|
Comments (none posted)
mysql-dfsg: multiple vulnerabilities
| Package(s): | mysql-dfsg |
CVE #(s): | CVE-2007-2583
CVE-2007-2691
CVE-2007-2692
CVE-2007-3782
|
| Created: | November 27, 2007 |
Updated: | July 30, 2008 |
| Description: |
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and
5.1 before 5.1.18-beta, allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results in a
divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not
require the DROP privilege for RENAME TABLE statements, which allows remote
authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to
gain update privileges for a table in another database via a view that
refers to this external table. (CVE-2007-3782) |
| Alerts: |
|
Comments (none posted)
mysql: denial of service
| Package(s): | mysql-dfsg-5.0 |
CVE #(s): | CVE-2007-6304
|
| Created: | December 21, 2007 |
Updated: | April 7, 2008 |
| Description: |
Philip Stoev discovered that the the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
mysql: buffer overflows
| Package(s): | mysql-dfsg-5.0 |
CVE #(s): | CVE-2008-0226
CVE-2008-0227
|
| Created: | January 29, 2008 |
Updated: | July 21, 2008 |
| Description: |
From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
nagios: cross-site scripting
| Package(s): | nagios |
CVE #(s): | CVE-2007-5624
|
| Created: | December 7, 2007 |
Updated: | May 9, 2008 |
| Description: |
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. |
| Alerts: |
|
Comments (none posted)
nagios-plugins: buffer overflow
| Package(s): | nagios-plugins |
CVE #(s): | CVE-2007-5198
|
| Created: | October 23, 2007 |
Updated: | April 17, 2008 |
| Description: |
Buffer overflow in the redir function in check_http.c in Nagios Plugins
before 1.4.10 allows remote web servers to execute arbitrary code via long
Location header responses (redirects). |
| Alerts: |
|
Comments (none posted)
nagios-plugins: check_snmp buffer overflow
| Package(s): | nagios-plugins |
CVE #(s): | CVE-2007-5623
|
| Created: | November 2, 2007 |
Updated: | April 17, 2008 |
| Description: |
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies. |
| Alerts: |
|
Comments (none posted)
netpbm: buffer overflow
| Package(s): | netpbm |
CVE #(s): | CVE-2008-0554
|
| Created: | February 8, 2008 |
Updated: | May 19, 2008 |
| Description: |
From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file. |
| Alerts: |
|
Comments (none posted)
nss_ldap: credential or other information disclosure
| Package(s): | nss_ldap |
CVE #(s): | CVE-2007-5794
|
| Created: | November 26, 2007 |
Updated: | July 30, 2008 |
| Description: |
From the Gentoo advisory:
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.
|
| Alerts: |
|
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
CVE #(s): | CVE-2008-0658
|
| Created: | February 13, 2008 |
Updated: | July 3, 2008 |
| Description: |
From the rPath advisory:
Previous versions of the openldap package are vulnerable to a Denial of
Service attack in which authenticated users can crash the slapd server.
|
| Alerts: |
|
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
CVE #(s): | CVE-2007-6698
|
| Created: | February 8, 2008 |
Updated: | April 25, 2008 |
| Description: |
From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36,
allows remote authenticated users to cause a denial of service (crash) via
a potentially-successful modify operation with the NOOP control set to
critical, possibly due to a double free vulnerability. |
| Alerts: |
|
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
CVE #(s): | CVE-2007-5707
|
| Created: | November 8, 2007 |
Updated: | April 9, 2008 |
| Description: |
The OpenLDAP Lightweight Directory Access Protocol suite has a problem
with handling of malformed objectClasses LDAP attributes by the slapd
daemon. Both local and remote attackers can use this to crash slapd,
causing a denial of service. |
| Alerts: |
|
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
CVE #(s): | CVE-2007-5708
|
| Created: | November 23, 2007 |
Updated: | April 9, 2008 |
| Description: |
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated. |
| Alerts: |
|
Comments (none posted)
OpenOffice.org: arbitrary code execution
| Package(s): | openoffice.org |
CVE #(s): | CVE-2007-0245
|
| Created: | June 13, 2007 |
Updated: | June 12, 2008 |
| Description: |
A specially crafted RTF file could cause the
filter to overwrite data on the heap, which may lead to the execution
of arbitrary code. |
| Alerts: |
|
Comments (none posted)
openoffice.org: arbitrary code execution via TIFF images
| Package(s): | openoffice.org |
CVE #(s): | CVE-2007-2834
|
| Created: | September 17, 2007 |
Updated: | June 12, 2008 |
| Description: |
A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values
from the TIFF file to calculate the number of bytes of memory to
allocate. A specially crafted TIFF image could trigger an integer
overflow and subsequently a buffer overflow that could cause the
execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
openoffice.org: arbitrary code execution
| Package(s): | openoffice.org |
CVE #(s): | CVE-2007-4575
|
| Created: | December 5, 2007 |
Updated: | September 10, 2008 |
| Description: |
From the OpenOffice advisory:
A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user. |
| Alerts: |
|
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | September 17, 2008 |
| Description: |
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
openssl: off-by-one error
| Package(s): | openssl |
CVE #(s): | CVE-2007-4995
|
| Created: | October 23, 2007 |
Updated: | May 13, 2008 |
| Description: |
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f
and 0.9.7 allows remote attackers to execute arbitrary code via unspecified
vectors. |
| Alerts: |
|
Comments (none posted)
openssl: off-by-one error
| Package(s): | openssl |
CVE #(s): | CVE-2007-5135
|
| Created: | October 3, 2007 |
Updated: | July 31, 2008 |
| Description: |
From the Debian advisory: An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application. |
| Alerts: |
|
Comments (none posted)
openssl: private key attack
| Package(s): | openssl |
CVE #(s): | CVE-2007-3108
|
| Created: | August 7, 2007 |
Updated: | May 13, 2008 |
| Description: |
OpenSSL could allow a local user in certain circumstances to divulge
information about private keys being used. |
| Alerts: |
|
Comments (none posted)
opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | CVE-2007-4367
CVE-2007-3929
CVE-2007-3142
CVE-2007-3819
|
| Created: | August 23, 2007 |
Updated: | February 27, 2008 |
| Description: |
The Opera browser has multiple vulnerabilities.
The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript.
A freed pointer in the BitTorrent support may be
accessed, this can be used for malicious code execution.
The browser is vulnerable to several memory read protection
errors. There are URI display errors that can be used to trick
users into visiting arbitrary web sites. |
| Alerts: |
|
Comments (none posted)
paramiko: insecure random pool usage
| Package(s): | paramiko |
CVE #(s): | CVE-2008-0299
|
| Created: | January 16, 2008 |
Updated: | March 4, 2008 |
| Description: |
Programs which keep more than one paramiko connection open may leak random pool information. |
| Alerts: |
|
Comments (none posted)
pcre: CVE consolidation
| Package(s): | pcre |
CVE #(s): | CVE-2005-4872
CVE-2006-7227
CVE-2006-7224
|
| Created: | November 15, 2007 |
Updated: | May 13, 2008 |
| Description: |
PCRE has flaws in the way it handles malformed regular
expressions.
If an application linked against PCRE, such as Konqueror,
encounters a maliciously created regular expression, it may be possible
to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227
have been combined into CVE-2006-7224. |
| Alerts: |
|
Comments (5 posted)
pcre: two arbitrary code execution vulnerabilities
| Package(s): | pcre |
CVE #(s): | CVE-2007-1659
CVE-2007-1660
|
| Created: | November 6, 2007 |
Updated: | July 16, 2008 |
| Description: |
Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660) |
| Alerts: |
|
Comments (none posted)
pcre: buffer overflow
| Package(s): | pcre |
CVE #(s): | CVE-2008-0674
|
| Created: | February 19, 2008 |
Updated: | May 26, 2008 |
| Description: |
A buffer overflow caused by a character class containing a
very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled. |
| Alerts: |
|
Comments (none posted)
pcre: buffer overflows in library
| Package(s): | pcre |
CVE #(s): | CVE-2006-7228
CVE-2006-7230
CVE-2007-1661
CVE-2007-4766
CVE-2007-4767
|
| Created: | November 23, 2007 |
Updated: | July 16, 2008 |
| Description: |
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application. |
| Alerts: |
|
Comments (1 posted)
pcre: buffer overflows
| Package(s): | pcre3 |
CVE #(s): | CVE-2007-1662
CVE-2007-4768
|
| Created: | November 27, 2007 |
Updated: | May 7, 2008 |
| Description: |
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768) |
| Alerts: |
|
Comments (none posted)
peercast: buffer overflow
| Package(s): | peercast |
CVE #(s): | CVE-2007-6454
|
| Created: | December 28, 2007 |
Updated: | May 21, 2008 |
| Description: |
A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request. |
| Alerts: |
|
Comments (none posted)
perl-Net-DNS: predictable id sequence
| Package(s): | perl-Net-DNS |
CVE #(s): | CVE-2007-3377
|
| Created: | June 26, 2007 |
Updated: | March 12, 2008 |
| Description: |
Net::DNS before 0.60 uses an id sequence that is predictable and the same
in all child processes. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2007-3799
CVE-2007-3998
CVE-2007-4659
CVE-2007-4658
CVE-2007-4670
CVE-2007-4661
|
| Created: | October 23, 2007 |
Updated: | May 19, 2008 |
| Description: |
From the Red Hat advisory:
Various integer overflow flaws were found in the PHP gd extension. A
script that could be forced to resize images from an untrusted source could
possibly allow a remote attacker to execute arbitrary code as the apache
user. (CVE-2007-3996)
A previous security update introduced a bug into PHP session cookie
handling. This could allow an attacker to stop a victim from viewing a
vulnerable web site if the victim has first visited a malicious web page
under the control of the attacker, and that page can set a cookie for the
vulnerable web site. (CVE-2007-4670)
A flaw was found in the PHP money_format function. If a remote attacker
was able to pass arbitrary data to the money_format function this could
possibly result in an information leak or denial of service. Note that is
is unusual for a PHP script to pass user-supplied data to the money_format
function. (CVE-2007-4658)
A flaw was found in the PHP wordwrap function. If a remote attacker was
able to pass arbitrary data to the wordwrap function this could possibly
result in a denial of service. (CVE-2007-3998)
A bug was found in PHP session cookie handling. This could allow an
attacker to create a cross-site cookie insertion attack if a victim follows
an untrusted carefully-crafted URL. (CVE-2007-3799)
A flaw was found in handling of dynamic changes to global variables. A
script which used certain functions which change global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-4659)
An integer overflow flaw was found in the PHP chunk_split function. If a
remote attacker was able to pass arbitrary data to the third argument of
chunk_split they could possibly execute arbitrary code as the apache user.
Note that it is unusual for a PHP script to use the chunk_split function
with a user-supplied third argument. (CVE-2007-4661) |
| Alerts: |
|
Comments (none posted)
php: regression in PHP 4.4.7
| Package(s): | php |
CVE #(s): | |
| Created: | February 20, 2008 |
Updated: | February 20, 2008 |
| Description: |
PHP 4 has a GD related
bug in version 4.4.7. This has been fixed in PHP5 and is fixed in PHP
4.4.8. |
| Alerts: |
|
Comments (none posted)
php5: multiple vulnerabilities
| Package(s): | php5 |
CVE #(s): | CVE-2007-4657
CVE-2007-4660
CVE-2007-4662
|
| Created: | November 30, 2007 |
Updated: | July 4, 2008 |
| Description: |
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.
(CVE-2007-4657)
Unspecified vulnerability in the chunk_split function in PHP before 5.2.4
has unknown impact and attack vectors, related to an incorrect size
calculation. (CVE-2007-4660)
Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4
has unknown impact and attack vectors. (CVE-2007-4662) |
| Alerts: |
|
Comments (none posted)
php5: multiple vulnerabilities
| Package(s): | php5 |
CVE #(s): | CVE-2007-4783
CVE-2007-4840
CVE-2007-5898
CVE-2007-5899
CVE-2007-5900
|
| Created: | November 20, 2007 |
Updated: | July 24, 2008 |
| Description: |
The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: cross-site scripting vulnerabilities
| Package(s): | phpMyAdmin |
CVE #(s): | CVE-2007-5386
CVE-2007-5589
|
| Created: | November 2, 2007 |
Updated: | March 14, 2008 |
| Description: |
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin
2.11.1, when accessed by a browser that does not URL-encode requests,
allows remote attackers to inject arbitrary web script or HTML via the
query string.
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and
(2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other
vectors related to (3) REQUEST_URI. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: information disclosure
| Package(s): | phpMyAdmin |
CVE #(s): | CVE-2007-0095
|
| Created: | December 11, 2007 |
Updated: | September 25, 2008 |
| Description: |
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information
via a direct request for themes/darkblue_orange/layout.inc.php, which
reveals the path in an error message. |
| Alerts: |
|
Comments (none posted)
poppler and xpdf: multiple vulnerabilities
| Package(s): | poppler xpdf |
CVE #(s): | CVE-2007-4352
CVE-2007-5392
CVE-2007-5393
|
| Created: | November 8, 2007 |
Updated: | February 26, 2008 |
| Description: |
The xpdf and poppler PDF libraries contain several vulnerabilities which can lead to arbitrary command execution via hostile PDF files. Numerous other applications which use these libraries (PDF viewers, CUPS, etc.) will be affected by the vulnerabilities as well. |
| Alerts: |
|
Comments (none posted)
PostgreSQL: multiple vulnerabilities
| Package(s): | postgresql |
CVE #(s): | CVE-2007-6600
CVE-2007-4772
CVE-2007-6067
CVE-2007-4769
CVE-2007-6601
|
| Created: | January 9, 2008 |
Updated: | March 6, 2008 |
| Description: |
Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information. |
| Alerts: |
|
Comments (none posted)
pulseaudio: denial of service
| Package(s): | pulseaudio |
CVE #(s): | CVE-2007-1804
|
| Created: | May 30, 2007 |
Updated: | March 10, 2008 |
| Description: |
The pulseaudio network code suffers from a denial of service vulnerability exploitable by an unauthenticated attacker. |
| Alerts: |
|
Comments (none posted)
python: integer overflows
| Package(s): | python |
CVE #(s): | CVE-2007-4965
|
| Created: | October 30, 2007 |
Updated: | August 8, 2008 |
| Description: |
Multiple integer overflows in the imageop module in Python 2.5.1 and
earlier allow context-dependent attackers to cause a denial of service
(application crash) and possibly obtain sensitive information (memory
contents) via crafted arguments to (1) the tovideo method, and unspecified
other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other
files, which trigger heap-based buffer overflows. |
| Alerts: |
|
Comments (none posted)
python: information disclosure
| Package(s): | python |
CVE #(s): | CVE-2007-2052
|
| Created: | May 9, 2007 |
Updated: | July 28, 2008 |
| Description: |
Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory. |
| Alerts: |
|
Comments (none posted)
qemu: multiple vulnerabilities
Comments (none posted)
qt4: security restriction bypass
| Package(s): | qt4 |
CVE #(s): | CVE-2007-5965
|
| Created: | January 3, 2008 |
Updated: | February 21, 2008 |
| Description: |
Trolltech Qt has a privilege escalation vulnerability.
An error can be triggered in QSslSocket when verifying SSL certificates,
attackers can use this to bypass the SSL certificate verification
and acquire unauthorized access to a vulnerable application. |
| Alerts: |
|
Comments (1 posted)
ruby: insufficient SSL certificate validation
| Package(s): | ruby |
CVE #(s): | CVE-2007-5162
CVE-2007-5770
|
| Created: | October 8, 2007 |
Updated: | October 10, 2008 |
| Description: |
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. |
| Alerts: |
|
Comments (none posted)
ruby-gnome2: format string vulnerability
| Package(s): | ruby-gnome2 |
CVE #(s): | CVE-2007-6183
|
| Created: | December 7, 2007 |
Updated: | April 23, 2008 |
| Description: |
A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter. |
| Alerts: |
|
Comments (none posted)
samba: buffer overflow
| Package(s): | samba |
CVE #(s): | CVE-2007-4572
|
| Created: | November 15, 2007 |
Updated: | July 1, 2008 |
| Description: |
The Samba user authentication is vulnerable to a heap-based buffer overflow.
Remote unauthenticated users can use this to crash the Samba server
and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
SDL_image: buffer overflows
| Package(s): | SDL_image |
CVE #(s): | CVE-2007-6697
CVE-2008-0544
|
| Created: | February 8, 2008 |
Updated: | March 27, 2008 |
| Description: |
From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
squid: denial of service
| Package(s): | squid |
CVE #(s): | CVE-2007-6239
|
| Created: | December 18, 2007 |
Updated: | October 13, 2008 |
| Description: |
A flaw was found in the way squid stored HTTP headers for cached objects
in system memory. An attacker could cause squid to use additional memory,
and trigger high CPU usage when processing requests for certain cached
objects, possibly leading to a denial of service. |
| Alerts: |
|
Comments (none posted)
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE |
CVE #(s): | CVE-2007-2435
CVE-2007-2788
CVE-2007-2789
|
| Created: | June 1, 2007 |
Updated: | April 18, 2008 |
| Description: |
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files. |
| Alerts: |
|
Comments (none posted)
tar: buffer overflow
| Package(s): | tar |
CVE #(s): | CVE-2007-4476
|
| Created: | October 16, 2007 |
Updated: | October 3, 2008 |
| Description: |
Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." |
| Alerts: |
|
Comments (none posted)
teTeX: multiple vulnerabilities
| Package(s): | tetex |
CVE #(s): | CVE-2007-5937
CVE-2007-5936
CVE-2007-5935
|
| Created: | November 19, 2007 |
Updated: | May 9, 2008 |
| Description: |
From the Gentoo advisory:
Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12). |
| Alerts: |
|
Comments (none posted)
tetex: buffer overflow
| Package(s): | tetex |
CVE #(s): | CVE-2007-0650
|
| Created: | May 8, 2007 |
Updated: | May 13, 2008 |
| Description: |
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function. |
| Alerts: |
|
Comments (1 posted)
tk: buffer overflow
| Package(s): | tk |
CVE #(s): | CVE-2008-0553
|
| Created: | February 8, 2008 |
Updated: | June 20, 2008 |
| Description: |
From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact. |
| Alerts: |
|
Comments (none posted)
Tk: buffer overflow
| Package(s): | tk8.3 |
CVE #(s): | | |
|