Cross-site scripting (XSS) is a frequent topic on security forums because
it is a common web application flaw that can lead to variety of unpleasant
surprises. One of the more frequently seen abuses of an XSS flaw is in the
aid of a phishing attack. With the advent of Extended Validation (EV)
certificates coupled with the accompanying browser UI changes, some XSS attacks will
become much more powerful.
By now, most users are familiar with SSL certificates, which are used to
authenticate one or both sides of an HTTPS connection to the other. EV
certificates are a step up from a
more pedestrian SSL certificate as the recipient must undergo more scrutiny from the
certificate authority (CA) before being granted one. We covered EV certificates in more
detail in November 2006, but they are just now starting to be installed
more widely.
Netcraft reported
the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of
the 4,000 or so sites with an EV certificate, but it also has an XSS
problem. So anyone using the site for XSS purposes now gets the benefit of
the higher trust that is supposed to be embodied in an EV certificate.
Browser vendors are being encouraged to highlight the EV certificates in
their UI so as to give users more confidence in those sites. The most
recent Firefox 3 betas as well as IE7 are highlighting the site name in
green in the address bar to denote this higher trust. Unfortunately, the
extra validation does not extend to testing the site for XSS flaws, which could
leave users easily fooled.
A phishing attack could use an XSS flaw in a search box or error message, for
example, to add content to the appearance of a site. That content is really coming
from the XSS attack but it would appear under the "green means go" address
bar for the EV certificate-protected site. That content could include a
login screen that sent the credentials elsewhere or a cookie stealing
attack for session hijacking. For any site with sensitive information, XSS
attacks are already a problem, EV certificates just add another mechanism
for exploiting the user's trust.
Much like the padlock icon that appeared many years
ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is
somewhat difficult to explain. Based on the vetting process for EV
certificates, there should be a real entity behind an EV
certificate—or at least there was one at the time of
issuance—but it is by no means an endorsement of the security of everything on a web
page that has one. It is, like the original padlock, more nuanced than that.
Unfortunately, users are not good at security nuances. They want yes or no
answers to "Is this site safe?"; that answer is nearly always "maybe" or
perhaps "probably". At one time, the padlock icon was seen as a "yes" answer;
now the green address bar may take its place. Somehow users need to be
taught to look beyond simple answers and websites need to clean up their
act so that their users are not scammed.
The number of sites with XSS
problems is staggering (a look at xssed.com
is instructive) and new ones crop up all the time.
In many ways, XSS is an attack against users rather than directly against a
site. This may make it less of a priority to fix than a direct attack,
like a SQL injection, might be. That is very unfortunate for their users, especially if
they have a shiny new EV certificate.
The LWN Security page has lots of useful information, but sometimes it
seems to stretch on for a long ways. A lot of that length is contained in
the "Updated vulnerabilities" section and we are starting to wonder if that
really adds that much to the page. It is collected automatically from our
daily security updates, so removing it won't help us kick out the weekly
edition any faster, but it might make reading the page, especially in the
"one big page" format, somewhat easier. If we removed that section, the
information will still appear in the daily summaries, of course, and be
available by searching our database. Before we do that, though, we'd like
to hear from our readers regarding their thoughts on the matter. Please
comment if you have thoughts one way or the other.
Flaws in the JRE allowed an untrusted application or applet to elevate its
privileges. This could be exploited by a remote attacker to access local
files or execute local applications accessible to the user running the JRE
(CVE-2008-1185, CVE-2008-1186)
A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)
Several buffer overflow flaws were found in Java Web Start (JWS). An
untrusted JNLP application could access local files or execute local
applications accessible to the user running the JRE.
(CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)
A flaw was found in the Java Plug-in. A remote attacker could bypass the
same origin policy, executing arbitrary code with the permissions of the
user running the JRE. (CVE-2008-1192)
A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possible execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)
A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)
The JRE allowed untrusted JavaScript code to create local network
connections by the use of Java APIs. A remote attacker could use these
flaws to acesss local network services. (CVE-2008-1195)
The Joomla PHP-based content management system has the following vulnerabilities:
There are multiple cross-site request forgery vulnerabilities.
There is one cross-site scripting vulnerability.
There is a vulnerability where remote authenticated administrators can
promote arbitrary users to the administrator group, violating the intended
security model.
There is a registered user privilege escalation vulnerability.
The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. Also, the domain name expander can be sent into an infinite loop, also a denial of service problem.
From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in
(1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through
1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and
earlier; when Internet Explorer is used, allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.
From the CVE entry: Multiple stack-based buffer overflows in PDFLib allow user-assisted remote attackers to execute arbitrary code via a long filename argument to the PDF_load_image function that results in an overflow in the pdc_fsearch_fopen function, and possibly other vectors.
Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable
of $_GET and $_POST as a source for its parameters.
An attacker could entice a user to visit a malicious web application
that sets an "sql_query" cookie and is hosted on the same domain as
phpMyAdmin, and thereby conduct SQL injection attacks with the
privileges of the user authenticating in phpMyAdmin afterwards.
Red Hat bug #436023:
"Unspecified vulnerability in vdccm before 0.10.1 in SynCE
(SynCE-dccm) might allow attackers to cause a denial of service via
unspecified vectors."
Red Hat bug #436024:
"The Utils::runScripts function in src/utils.cpp in vdccm 0.92
through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute
arbitrary commands via shell metacharacters in a certain string to TCP port
5679."
* Michal Luczaj and Luigi Auriemma reported that VLC contains
boundary errors when handling subtitles in the ParseMicroDvd(),
ParseSSA(), and ParseVplayer() functions in the
modules/demux/subtitle.c file, allowing for a stack-based buffer
overflow (CVE-2007-6681).
* The web interface listening on port 8080/tcp contains a format
string error in the httpd_FileCallBack() function in the
network/httpd.c file (CVE-2007-6682).
* The browser plugin possibly contains an argument injection
vulnerability (CVE-2007-6683).
* The RSTP module triggers a NULL pointer dereference when processing
a request without a "Transport" parameter (CVE-2007-6684).
* Luigi Auriemma and Remi Denis-Courmont found a boundary error in
the modules/access/rtsp/real_sdpplin.c file when processing SDP data
for RTSP sessions (CVE-2008-0295) and a vulnerability in the
libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a
heap-based buffer overflow.
* Felipe Manzano and Anibal Sacco (Core Security Technologies)
discovered an arbitrary memory overwrite vulnerability in VLC's
MPEG-4 file format parser (CVE-2008-0984).
From the Gentoo alert:
Joey Hess reported that vobcopy appends data to the file
"/tmp/vobcopy.bla" in an insecure manner.
A local attacker could exploit this vulnerability to conduct symlink
attacks and append data to arbitrary files with the privileges of the
user running Vobcopy.
Adobes acrobat reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross site scripting vulnerability that
can be triggered by processes malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities,
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
The am-utils package could be vulnerable to an attack in which one local
user can modify the contents of arbitrary files to which other local users
running expn have write access.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection.
Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.
A local attacker could exploit this vulnerability to conduct symlink
attacks to delete arbitrary files and directories with the privileges
of the user running Audacity.
Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file
with world-readable permissions, which allows local users to perform
unauthorized named commands, such as causing a denial of service by
stopping named.
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption.
From the Ubuntu alert:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash.
From the Mandriva alert:
A number of vulnerabilities were found in the Cacti program, including
XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection
vulnerabilities, and information disclosure vulnerabilities.
A vulnerability in Cacti 0.8.6i and earlier versions allows remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.
Cairo has an integer overflow vulnerability in the PNG image processing
code. If a user processes a specially crafted PNG image with an
application that is linked against cairo, arbitrary code can be executed
with the user's privileges.
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
A flaw was found in the way CUPS handled the addition and removal of remote
shared printers via IPP. A remote attacker could send malicious UDP IPP
packets causing the CUPS daemon to attempt to dereference already freed
memory and crash. (CVE-2008-0597)
A memory management flaw was found in the way CUPS handled the addition and
removal of remote shared printers via IPP. When shared printer was
removed, allocated memory was not properly freed, leading to a memory leak
possibly causing CUPS daemon crash after exhausting available memory.
(CVE-2008-0596)
These issues were found during the investigation of CVE-2008-0882.
The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
From the Red Hat alert:
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy. A user with the ability to connect to the dbus-daemon may
be able to execute certain method calls they should normally not have
permission to access.
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions."
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.
Dovecot has multiple vulnerabilities including an issue involving the
confusion between LDAP-authenticated logins across users with the
same password and a denial of service involving a connecting user.
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop
1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC
servers to execute arbitrary code via a long private message.
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message.
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail.
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356).
Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow.
fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
Firebird does not properly handle certain types of XDR requests,
resulting in an integer overflow (CVE-2008-0387). Furthermore, it is
vulnerable to a buffer overflow when processing usernames
(CVE-2008-0467).
A remote attacker could send specially crafted XDR requests or an
overly long username to the vulnerable server, possibly resulting in
the remote execution of arbitrary code with the privileges of the user
running the application.
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a
user were ticked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog wasn't displayed under certain circumstances. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web
content. A webpage containing specially-crafted content could trick a user
into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves
login information for a malicious website, it could be possible to corrupt
the password database, preventing the user from properly accessing saved
password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user
has certain extensions installed, it could allow a malicious website to
steal sensitive session data. Note: this flaw does not affect a default
installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a
website offers a file of type "plain/text", rather than "text/plain",
Firefox will not show future "text/plain" content to the user in the
browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
that showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have unspecified attack vectors and
impact. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allows attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478)
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver.
The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user).
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)
From the Red Hat advisory:
Will Drewry reported multiple flaws in the way libicu processed certain
malformed regular expressions. If an application linked against ICU, such
as OpenOffice.org, processed a carefully crafted regular expression, it may
be possible to execute arbitrary code as the user running the application.
The ImageMagick image decoders have multiple vulnerabilities.
If a user can be tricked into processing a specially crafted
DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with
the user's privileges.
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667.
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files.
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files.
The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)
The JSSE component did not correctly process SSL/TLS handshake requests. A
remote attacker who is able to connect to a JSSE-based service could
trigger this flaw leading to a denial-of-service. (CVE-2007-3698)
A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting to
services hosted on the machine that executed the applet. (CVE-2007-3922)
Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled,
allows remote attackers to violate the security model for an applet's
outbound connections via a DNS rebinding attack. (CVE-2007-5232)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not
properly enforce access restrictions for untrusted applications, which
allows user-assisted remote attackers to obtain sensitive information (the
Java Web Start cache location) via an untrusted application, aka "three
vulnerabilities." (CVE-2007-5238)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE
1.3.1_20 and earlier does not properly enforce access restrictions for
untrusted (1) applications and (2) applets, which allows user-assisted
remote attackers to copy or rename arbitrary files when local users perform
drag-and-drop operations from the untrusted application or applet window
onto certain types of desktop applications. (CVE-2007-5239)
Visual truncation vulnerability in the Java Runtime Environment in Sun JDK
and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK
and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows
remote attackers to circumvent display of the untrusted-code warning banner
by creating a window larger than the workstation screen. (CVE-2007-5240)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used,
allows remote attackers to violate the security model for an applet's
outbound connections via a multi-pin DNS rebinding attack in which the
applet download relies on DNS resolution on the proxy server, but the
applet's socket operations rely on DNS resolution on the local machine, a
different issue than CVE-2007-5274. NOTE: this is similar to
CVE-2007-5232. (CVE-2007-5273)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows
remote attackers to violate the security model for JavaScript outbound
connections via a multi-pin DNS rebinding attack dependent on the
LiveConnect API, in which JavaScript download relies on DNS resolution by
the browser, but JavaScript socket operations rely on separate DNS
resolution by a Java Virtual Machine (JVM), a different issue than
CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274)
An integer overflow vulnerability exists in the embedded ICC profile
image parser (CVE-2007-2788), an unspecified vulnerability exists in
the font parsing implementation (CVE-2007-4381), and an error exists
when processing XSLT stylesheets contained in XSLT Transforms in XML
signatures (CVE-2007-3716), among other vulnerabilities.
The kazehakase web browser is vulnerable to buffer overflows and
memory corruption in PCRE. If a remote attacker can convince a user to
open specially crafted bookmarks, it can lead to the
execution of arbitrary code, denial of service or
arbitrary information disclosure.
The kdebase package is vulnerable to a denial of service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
The IA32 system call emulation functionality in Linux kernel 2.4.x and
2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
zero extend the eax register after the 32bit entry path to ptrace is used,
which might allow local users to gain privileges by triggering an
out-of-bounds access to the system call table using the %RAX register.
From the Red Hat advisory: A flaw was found in the way the Red Hat
Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA
method for accessing memory on Itanium architectures. A local unprivileged
user could trigger this flaw and cause a denial of service (system panic).
A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This may have allowed a local
unprivileged user to cause a denial of service (crash).
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced
Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does
not return the correct write size, which allows local users to obtain
sensitive information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
From the Red Hat advisory: a flaw was found in the handling of zombie processes. A local user could
create processes that would not be properly reaped, possibly causing a
denial of service.
From the Red Hat advisory: a flaw in the hypervisor for hosts running on Itanium architectures
allowed an Intel VTi domain to read arbitrary physical memory from other
Intel VTi domains, which could make information available to unauthorized
users.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
other versions, allows local users to cause a denial of service (hang) via
a malformed minix file stream that triggers an infinite loop in the
minix_bmap function. NOTE: this issue might be due to an integer overflow
or signedness error.
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows
remote attackers to cause a denial of service (crash) via a crafted SKB
length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set, aka an "off-by-two error."
From the mitre.org CVE description:
VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions.
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local attacker
could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key.
Any data encrypted using this type of device would be easily compromised.
(CVE-2007-2451)
The random number generator was hashing a subset of the available
entropy, leading to slightly less random numbers. Additionally, systems
without an entropy source would be seeded with the same inputs at boot
time, leading to a repeatable series of random numbers. (CVE-2007-2453)
The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.
The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes
RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an
"out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
fib_props (fib_semantics.c, IPv4) functions. (CVE-2007-2172)
mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not
prevent stack expansion from entering into reserved kernel page memory,
which allows local users to cause a denial of service (OOPS) via
unspecified vectors. (CVE-2007-3739)
The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer
ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check
permissions for ioctls, which might allow local users to cause a denial of
service or gain privileges. (CVE-2007-4308)
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via long SMB responses that trigger the overflows in
the SendReceive function.
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures.
The drm/i915 component in the Linux kernel before 2.6.22.2, when used with
i965G and later chipsets, allows local users with access to an X11 session
and Direct Rendering Manager (DRM) to write to arbitrary memory locations
and gain privileges via a crafted batchbuffer. (CVE-2007-3851)
Linux kernel 2.4.35 and other versions allows local users to send arbitrary
signals to a child process that is running at higher privileges by causing
a setuid-root parent process to die, which delivers an attacker-controlled
parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)
Stack-based buffer overflow in the random number generator (RNG)
implementation in the Linux kernel before 2.6.22 might allow local root
users to cause a denial of service or gain privileges by setting the
default wakeup threshold to a value greater than the output pool size,
which triggers writing random numbers to the stack by the pool transfer
function involving "bound check ordering". NOTE: this issue might only
cross privilege boundaries in environments that have granular assignment of
privileges for root. (CVE-2007-3105)
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors.
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device.
The sysfs_readdir function in the Linux kernel 2.6 allows local users to
cause a denial of service (kernel OOPS) by dereferencing a null pointer to
an inode in a dentry. (CVE-2007-3104)
The CIFS filesystem, when Unix extension support is enabled, did not honor
the umask of a process, which allowed local users to gain
privileges.(CVE-2007-3740)
The Linux kernel checked the wrong global variable for the CIFS sec mount
option, which might allow remote attackers to spoof CIFS network traffic
that the client configured for security signatures, as demonstrated by lack
of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux
kernel allowed local users to have an unknown impact via a crafted argument
to the isdn_ioctl function. (CVE-2007-6063)
CVE-2004-2731:
infamous41md reported multiple integer overflows in the Sbus PROM
driver that would allow for a DoS (Denial of Service) attack by a
local user, and possibly the execution of arbitrary code.
CVE-2006-5753:
Eric Sandeen provided a fix for a local memory corruption vulnerability
resulting from a misinterpretation of return values when operating on
inodes which have been marked bad.
CVE-2006-6053:
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext3 filesystem.
CVE-2007-2525:
Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused
by releasing a socket before PPPIOCGCHAN is called upon it. This could
be used by a local user to DoS a system by consuming all available memory.
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798).
The kdamind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by kadmind. A remote unauthenticated attacker who can access
kadmind could trigger this flaw and cause kadmind to crash.
Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
remote unauthenticated attacker who can access kadmind could trigger this
flaw and cause kadmind to crash.
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory
2007-002
Stack-based buffer overflow in Little CMS (lmcs) before 1.15 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted ICC profile in a JPG file.
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files.
Devon Miller reported a boundary error in the "print_iso9660_recurse()"
function in files cd-info.c and iso-info.c when processing long
filenames within Joliet images.
A remote attacker could entice a user to open a specially crafted ISO
image in the cd-info and iso-info applications, resulting in the
execution of arbitrary code with the privileges of the user running the
application. Applications linking against shared libraries of libcdio
are not affected.
From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to execute arbitrary code, or crash.
From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash.
The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT
(png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read
operations. (CVE-2007-5269)
pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical
instead of bitwise operations and (2) incorrect comparisons, which might
allow remote attackers to cause a denial of service (crash) via a crafted
PNG image. (CVE-2007-5268)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause
a denial of service (crash) via a crafted PNG image, due to an incorrect
fix for CVE-2007-5266. (CVE-2007-5267)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1
allows remote attackers to cause a denial of service (crash) via a crafted
PNG image that prevents a name field from being NULL terminated.
(CVE-2007-5266)
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
From the CVE entry: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.
The lighttpd web server has multiple vulnerabilities involving
a remote access-control setting circumvention that is performed
by the sending of malformed requests. This can be used to crash
the server and cause a denial of service.
From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory leading by issuing ioctls with unterminated data.
The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).
Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page maybe improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417)
Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before
2.1.10b1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors related to (1) editing templates and (2) the
list's "info attribute" in the web administrator interface, a
different vulnerability than CVE-2006-3636.
CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside
Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
second decoding. If Tomcat was used behind mod_jk and configured to only
proxy some contexts, an attacker could construct a carefully crafted HTTP
request to work around the context restriction and potentially access
non-proxied content."
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted.
A cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1
allows remote attackers to inject arbitrary web script or HTML via a style
expression in the search parameter.
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
Upgraded to firefox-2.0.0.12.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
Upgraded to seamonkey-1.1.8.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
+--------------------------+
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
user-assisted remote attackers can use this to create a buffer overflow
and possibly execute arbitrary code.
Several buffer overflows have been discovered in the MPlayer movie player,
which might lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485:
Felipe Manzano and Anibal Sacco discovered a buffer overflow in
the demuxer for MOV files.
CVE-2008-0486:
Reimar Doeffinger discovered a buffer overflow in the FLAC header
parsing.
CVE-2008-0629:
Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630:
Adam Bozanich discovered a buffer overflow in URL parsing.
From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824).
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and
5.1 before 5.1.18-beta, allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results in a
divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not
require the DROP privilege for RENAME TABLE statements, which allows remote
authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to
gain update privileges for a table in another database via a view that
refers to this external table. (CVE-2007-3782)
Philip Stoev discovered that the the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service.
From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Buffer overflow in the redir function in check_http.c in Nagios Plugins
before 1.4.10 allows remote web servers to execute arbitrary code via long
Location header responses (redirects).
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
proxy server written by Igor Sysoev. The "msie_refresh" directive could
allow cross site scripting.
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.
From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36,
allows remote authenticated users to cause a denial of service (crash) via
a potentially-successful modify operation with the NOOP control set to
critical, possibly due to a double free vulnerability.
The OpenLDAP Lightweight Directory Access Protocol suite has a problem
with handling of malformed objectClasses LDAP attributes by the slapd
daemon. Both local and remote attackers can use this to crash slapd,
causing a denial of service.
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated.
A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values
from the TIFF file to calculate the number of bytes of memory to
allocate. A specially crafted TIFF image could trigger an integer
overflow and subsequently a buffer overflow that could cause the
execution of arbitrary code.
A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user.
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms.
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f
and 0.9.7 allows remote attackers to execute arbitrary code via unspecified
vectors.
From the Debian advisory: An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.
Opera version 9.26 fixes: an issue where simulated text inputs could trick users into uploading arbitrary files, image properties can no longer be used to execute scripts, and an issue where the representation of DOM attribute values could allow cross site scripting.
PCRE has flaws in the way it handles malformed regular
expressions.
If an application linked against PCRE, such as Konqueror,
encounters a maliciously created regular expression, it may be possible
to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227
have been combined into CVE-2006-7224.
Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660)
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.
A buffer overflow caused by a character class containing a
very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled.
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768)
A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
Various integer overflow flaws were found in the PHP gd extension. A
script that could be forced to resize images from an untrusted source could
possibly allow a remote attacker to execute arbitrary code as the apache
user. (CVE-2007-3996)
A previous security update introduced a bug into PHP session cookie
handling. This could allow an attacker to stop a victim from viewing a
vulnerable web site if the victim has first visited a malicious web page
under the control of the attacker, and that page can set a cookie for the
vulnerable web site. (CVE-2007-4670)
A flaw was found in the PHP money_format function. If a remote attacker
was able to pass arbitrary data to the money_format function this could
possibly result in an information leak or denial of service. Note that is
is unusual for a PHP script to pass user-supplied data to the money_format
function. (CVE-2007-4658)
A flaw was found in the PHP wordwrap function. If a remote attacker was
able to pass arbitrary data to the wordwrap function this could possibly
result in a denial of service. (CVE-2007-3998)
A bug was found in PHP session cookie handling. This could allow an
attacker to create a cross-site cookie insertion attack if a victim follows
an untrusted carefully-crafted URL. (CVE-2007-3799)
A flaw was found in handling of dynamic changes to global variables. A
script which used certain functions which change global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-4659)
An integer overflow flaw was found in the PHP chunk_split function. If a
remote attacker was able to pass arbitrary data to the third argument of
chunk_split they could possibly execute arbitrary code as the apache user.
Note that it is unusual for a PHP script to use the chunk_split function
with a user-supplied third argument. (CVE-2007-4661)
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only be when UTF-8 is used)
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.
(CVE-2007-4657)
Unspecified vulnerability in the chunk_split function in PHP before 5.2.4
has unknown impact and attack vectors, related to an incorrect size
calculation. (CVE-2007-4660)
Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4
has unknown impact and attack vectors. (CVE-2007-4662)
The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code.
Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1325:
The PMA_ArrayWalkRecursive function in libraries/common.lib.php
does not limit recursion on arrays provided by users, which allows
context-dependent attackers to cause a denial of service (web
server crash) via an array with many dimensions.
CVE-2007-1395:
Incomplete blacklist vulnerability in index.php allows remote
attackers to conduct cross-site scripting (XSS) attacks by
injecting arbitrary JavaScript or HTML in a (1) db or (2) table
parameter value followed by an uppercase </SCRIPT> end tag,
which bypasses the protection against lowercase </script>.
CVE-2007-2245:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via (1) the
fieldkey parameter to browse_foreigners.php or (2) certain input
to the PMA_sanitize function.
CVE-2006-6942:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary HTML or web script via (1) a comment
for a table name, as exploited through (a) db_operations.php,
(2) the db parameter to (b) db_create.php, (3) the newname parameter
to db_operations.php, the (4) query_history_latest,
(5) query_history_latest_db, and (6) querydisplay_tab parameters to
(c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944:
phpMyAdmin allows remote attackers to bypass Allow/Deny access rules
that use IP addresses via false headers.
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin
2.11.1, when accessed by a browser that does not URL-encode requests,
allows remote attackers to inject arbitrary web script or HTML via the
query string.
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and
(2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other
vectors related to (3) REQUEST_URI.
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information
via a direct request for themes/darkblue_orange/layout.inc.php, which
reveals the path in an error message.
phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability
in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter.
db_create.php also has a related cross-site scripting vulnerability.
Remote authenticated users can inject arbitrary web scripts or HTML
using a hex-encoded IMG element in the db parameter in a POST request.
A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin
4.1.1 allows remote attackers to inject arbitrary web script or HTML via
the server parameter.
Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information.
Multiple integer overflows in the imageop module in Python 2.5.1 and
earlier allow context-dependent attackers to cause a denial of service
(application crash) and possibly obtain sensitive information (memory
contents) via crafted arguments to (1) the tovideo method, and unspecified
other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other
files, which trigger heap-based buffer overflows.
From Debian
Security: Ian Jackson discovered that accesses beyond end of qemu
emulated disk devices can result in accesses to emulator's virtual memory
space accesses and thus can allow user with sufficient privilege in guest
(root, as this would need modification to kernel's driver) to break out of
VM.
The bgpd daemon in Quagga prior to 0.99.9 allowed remote BGP peers to cause
a denial of service crash via a malformed OPEN message or COMMUNITY
attribute.
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
The Samba user authentication is vulnerable to a heap-based buffer overflow.
Remote unauthenticated users can use this to crash the Samba server
and cause a denial of service.
A stack buffer overflow flaw was found in the way Samba authenticates
remote users. A remote unauthenticated user could trigger this flaw to
cause the Samba server to crash, or execute arbitrary code with the
permissions of the Samba server.
Samba's mechanism for creating NetBIOS replies is vulnerable to a
buffer overflow. Samba servers that are configured to run as a
WINS server can be crashed by a remote unauthenticated user,
execution of arbitrary code may also be possible.
From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
A flaw was found in the way squid stored HTTP headers for cached objects
in system memory. An attacker could cause squid to use additional memory,
and trigger high CPU usage when processing requests for certain cached
objects, possibly leading to a denial of service.
Subversion 1.4.3 and earlier does not properly implement the "partial
access" privilege for users who have access to changed paths but not copied
paths, which allows remote authenticated users to obtain sensitive
information (revision properties) via svn (1) propget, (2) proplist, or (3)
propedit.
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files.
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function.
Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12).
Security research firm iDefense reported that researcher regenrecht
discovered a heap-based buffer overflow vulnerability in Mozilla mail code
which could potentially allow an attacker to run arbitrary code. The
vulnerability is caused by allocating a buffer that can be three bytes too
small in certain cases when viewing an email message with an external MIME body.
From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.
It was discovered that Tk could be made to overrun a buffer when loading
certain images. If a user were tricked into opening a specially crafted GIF
image, remote attackers could cause a denial of service or execute
arbitrary code with user privileges.
Jan Oravec reported that the "/usr/bin/tomboy" script sets the
"LD_LIBRARY_PATH" environment variable incorrectly, which might result
in the current working directory (.) to be included when searching for
dynamically linked libraries of the Mono Runtime application.
Note that the tomboy vulnerability was added in 2007.
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).
A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Previous versions of the wireshark package are vulnerable
to multiple types of Denial of Service attacks, including
crashes and excessive memory consumption. It has not been
determined that these vulnerabilities can be exploited to
execute malicious code.
These security issues have been fixed: - omit commits of all-forbidden files
from query results - disallow direct URL navigation to hidden CVSROOT folder -
strip forbidden paths from revision view - don't traverse log history thru
forbidden locations - honor forbiddenness via diff view path parameters
Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML
generation toolkit, creates insecure temporary files in the eperl and
ipp backends and in the wmg.cgi script, which could lead to local denial
of service by overwriting files.
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
From the Gentoo alert:
Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell
scripts do not properly sanitize their input before processing it.
A remote attacker could entice a user to open a specially crafted link
with a vulnerable application using Xdg-Utils (e.g. an email client),
resulting in the execution of arbitrary code with the privileges of the
user running the application.
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
xine-lib contains a buffer overflow which could be exploited (via a specially-crafted stream) to execute arbitrary code; see this advisory for more information.
From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function.
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
From the X.org security advisory:
Several vulnerabilities have been identified in server code of the X
window system caused by lack of proper input validation on user
controlled data in various parts of the software, causing various
kinds of overflows.
The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges.
CVE-2007-1095:
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292:
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511:
It was discovered that insecure focus handling of the file upload
control can lead to information disclosure. This is a variant of
CVE-2006-2894.
CVE-2007-5334:
Eli Friedman discovered that web pages written in Xul markup can hide the
titlebar of windows, which can lead to spoofing attacks.
CVE-2007-5337:
Georgi Guninski discovered the insecure handling of smb:// and sftp:// URI
schemes may lead to information disclosure. This vulnerability is only
exploitable if Gnome-VFS support is present on the system.
CVE-2007-5338:
"moz_bug_r_a4" discovered that the protection scheme offered by XPCNativeWrappers
could be bypassed, which might allow privilege escalation.
CVE-2007-5339:
L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay,
Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of arbitrary code.
CVE-2007-5340:
Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the
Javascript engine, which might allow the execution of arbitrary code.
