LWN.net Logo

Security

Extended Validation certificates and cross-site scripting

By Jake Edge
March 12, 2008

Cross-site scripting (XSS) is a frequent topic on security forums because it is a common web application flaw that can lead to variety of unpleasant surprises. One of the more frequently seen abuses of an XSS flaw is in the aid of a phishing attack. With the advent of Extended Validation (EV) certificates coupled with the accompanying browser UI changes, some XSS attacks will become much more powerful.

Advertisement

By now, most users are familiar with SSL certificates, which are used to authenticate one or both sides of an HTTPS connection to the other. EV certificates are a step up from a more pedestrian SSL certificate as the recipient must undergo more scrutiny from the certificate authority (CA) before being granted one. We covered EV certificates in more detail in November 2006, but they are just now starting to be installed more widely.

Netcraft reported the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of the 4,000 or so sites with an EV certificate, but it also has an XSS problem. So anyone using the site for XSS purposes now gets the benefit of the higher trust that is supposed to be embodied in an EV certificate.

Browser vendors are being encouraged to highlight the EV certificates in their UI so as to give users more confidence in those sites. The most recent Firefox 3 betas as well as IE7 are highlighting the site name in green in the address bar to denote this higher trust. Unfortunately, the extra validation does not extend to testing the site for XSS flaws, which could leave users easily fooled.

A phishing attack could use an XSS flaw in a search box or error message, for example, to add content to the appearance of a site. That content is really coming from the XSS attack but it would appear under the "green means go" address bar for the EV certificate-protected site. That content could include a login screen that sent the credentials elsewhere or a cookie stealing attack for session hijacking. For any site with sensitive information, XSS attacks are already a problem, EV certificates just add another mechanism for exploiting the user's trust.

Much like the padlock icon that appeared many years ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is somewhat difficult to explain. Based on the vetting process for EV certificates, there should be a real entity behind an EV certificate—or at least there was one at the time of issuance—but it is by no means an endorsement of the security of everything on a web page that has one. It is, like the original padlock, more nuanced than that.

Unfortunately, users are not good at security nuances. They want yes or no answers to "Is this site safe?"; that answer is nearly always "maybe" or perhaps "probably". At one time, the padlock icon was seen as a "yes" answer; now the green address bar may take its place. Somehow users need to be taught to look beyond simple answers and websites need to clean up their act so that their users are not scammed.

The number of sites with XSS problems is staggering (a look at xssed.com is instructive) and new ones crop up all the time. In many ways, XSS is an attack against users rather than directly against a site. This may make it less of a priority to fix than a direct attack, like a SQL injection, might be. That is very unfortunate for their users, especially if they have a shiny new EV certificate.

Comments (10 posted)

Removing the updated vulnerability listings

The LWN Security page has lots of useful information, but sometimes it seems to stretch on for a long ways. A lot of that length is contained in the "Updated vulnerabilities" section and we are starting to wonder if that really adds that much to the page. It is collected automatically from our daily security updates, so removing it won't help us kick out the weekly edition any faster, but it might make reading the page, especially in the "one big page" format, somewhat easier. If we removed that section, the information will still appear in the daily summaries, of course, and be available by searching our database. Before we do that, though, we'd like to hear from our readers regarding their thoughts on the matter. Please comment if you have thoughts one way or the other.

Comments (46 posted)

New vulnerabilities

java: multiple vulnerabilities

Package(s):java-1.5.0-sun CVE #(s):CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196
Created:March 7, 2008 Updated:April 29, 2008
Description: From the Red Hat advisory:

Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE (CVE-2008-1185, CVE-2008-1186)

A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187)

Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)

A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192)

A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194)

The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195)

Alerts:
Red Hat RHSA-2008:0186-01 2008-03-06
Ubuntu USN-592-1 2008-03-26
rPath rPSA-2008-0128-1 2008-03-27
Mandriva MDVSA-2008:080 2007-03-28
SuSE SUSE-SA:2008:018 2008-04-02
Red Hat RHSA-2008:0210-01 2008-04-03
SuSE SUSE-SA:2008:019 2008-04-04
Gentoo 200804-20 2008-04-17
SuSE SUSE-SA:2008:025 2008-04-25
Red Hat RHSA-2008:0243-01 2008-04-28
Red Hat RHSA-2008:0244-01 2008-04-28
Red Hat RHSA-2008:0245-01 2008-04-28
rPath rPSA-2008-0128-2 2008-03-27

Comments (none posted)

joomla: multiple vulnerabilities

Package(s):joomla CVE #(s):CVE-2007-6642 CVE-2007-6643 CVE-2007-6644 CVE-2007-6645
Created:March 6, 2008 Updated:March 12, 2008
Description: The Joomla PHP-based content management system has the following vulnerabilities: There are multiple cross-site request forgery vulnerabilities. There is one cross-site scripting vulnerability. There is a vulnerability where remote authenticated administrators can promote arbitrary users to the administrator group, violating the intended security model. There is a registered user privilege escalation vulnerability.
Alerts:
Mandriva MDVSA-2008:060 2007-03-05

Comments (none posted)

kronolith: privilege escalation and more?

Package(s):kronolith CVE #(s):
Created:March 10, 2008 Updated:March 12, 2008
Description:

The Fedora advisory is light on details:

Fix privilege escalation in Horde API. Fix missing ownership validation on share changes.

Alerts:
Fedora FEDORA-2008-2221 2008-03-07
Fedora FEDORA-2008-2212 2008-03-06

Comments (none posted)

libnet-dns-perl: denial of service

Package(s):libnet-dns-perl CVE #(s):CVE-2007-6341 CVE-2007-3409
Created:March 12, 2008 Updated:March 27, 2008
Description: The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. Also, the domain name expander can be sent into an infinite loop, also a denial of service problem.
Alerts:
Debian DSA-1515-1 2008-03-11
Mandriva MDVSA-2008:073 2007-03-20
Ubuntu USN-594-1 2008-03-26

Comments (none posted)

lighttpd: cgi source disclosure

Package(s):lighttpd CVE #(s):CVE-2008-1111
Created:March 7, 2008 Updated:April 4, 2008
Description: lighttpd before 1.4.18 is vulnerable to cgi source disclosure.
Alerts:
Fedora FEDORA-2008-2262 2008-03-06
Fedora FEDORA-2008-2278 2008-03-06
Debian DSA-1513-1 2008-03-06
rPath rPSA-2008-0106-1 2008-03-12
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

MediaWiki: cross-site scripting

Package(s):mediawiki CVE #(s):CVE-2008-0460
Created:March 7, 2008 Updated:March 12, 2008
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Alerts:
Fedora FEDORA-2008-2245 2008-03-06
Fedora FEDORA-2008-2288 2008-03-06

Comments (none posted)

moin: multiple vulnerabilities

Package(s):moin CVE #(s):CVE-2007-2637 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099
Created:March 10, 2008 Updated:April 29, 2008
Description:

From the Debian advisory:

CVE-2007-2637: Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure.

CVE-2008-0782: A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files.

CVE-2008-1098: Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages.

CVE-2008-1099: The macro code validates access control lists insufficiently, which could lead to information disclosure.

Alerts:
Debian DSA-1514-1 2008-03-09
Gentoo 200803-27 2008-03-18
Fedora FEDORA-2008-3328 2008-04-29
Fedora FEDORA-2008-3301 2008-04-29

Comments (none posted)

nx: multiple vulnerabilites

Package(s):nx CVE #(s):
Created:March 7, 2008 Updated:March 12, 2008
Description: There are multiple vulnerabilities in nx before 3.1.0.
Alerts:
Fedora FEDORA-2008-2258 2008-03-06

Comments (none posted)

pdflib: multiple buffer overflows

Package(s):pdflib CVE #(s):CVE-2007-6561
Created:March 11, 2008 Updated:March 12, 2008
Description: From the CVE entry: Multiple stack-based buffer overflows in PDFLib allow user-assisted remote attackers to execute arbitrary code via a long filename argument to the PDF_load_image function that results in an overflow in the pdc_fsearch_fopen function, and possibly other vectors.
Alerts:
Gentoo 200803-17 2008-03-10

Comments (none posted)

phpmyadmin: sql injection

Package(s):phpmyadmin CVE #(s):CVE-2008-1149
Created:March 10, 2008 Updated:April 25, 2008
Description:

From the Gentoo advisory:

Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable of $_GET and $_POST as a source for its parameters.

An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards.

Alerts:
Gentoo 200803-15 2008-03-09
Debian DSA-1557-1 2008-04-24

Comments (none posted)

SynCE: several vulnerabilities

Package(s):synce-sync-engine CVE #(s):CVE-2007-6703 CVE-2008-1136
Created:March 7, 2008 Updated:March 12, 2008
Description: Red Hat bug #436023: "Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) might allow attackers to cause a denial of service via unspecified vectors."

Red Hat bug #436024: "The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679."

Alerts:
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06
Fedora FEDORA-2008-0680 2008-03-06

Comments (none posted)

vlc: multiple vulnerabilities

Package(s):vlc CVE #(s):CVE-2007-6681 CVE-2007-6682 CVE-2007-6683 CVE-2007-6684 CVE-2008-0295 CVE-2008-0296 CVE-2008-0984
Created:March 10, 2008 Updated:April 23, 2008
Description:

From the Gentoo advisory:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RSTP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Alerts:
Gentoo 200803-13 2008-03-07
Debian DSA-1543-1 2008-04-09

Comments (none posted)

vobcopy: insecure temp file

Package(s):vobcopy CVE #(s):CVE-2007-5718
Created:March 6, 2008 Updated:March 12, 2008
Description: From the Gentoo alert: Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy.
Alerts:
Gentoo 200803-11 2008-03-05

Comments (none posted)

Updated vulnerabilities

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Red Hat RHSA-2007:1078-02 2007-11-29
Slackware SSA:2007-337-01 2007-12-04
Ubuntu USN-550-1 2007-12-03
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-2 2007-12-10
Ubuntu USN-550-3 2007-12-13
rPath rPSA-2008-0015-1 2008-01-15
Fedora FEDORA-2007-3818 2008-01-16
Mandriva MDVSA-2008:019 2007-01-21
SuSE SUSE-SR:2008:003 2008-02-07
Debian DSA-1542-1 2008-04-09

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:April 7, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Mandriva MDKSA-2007:243 2007-12-10
Red Hat RHSA-2007:1155-01 2007-12-18
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1157-01 2007-12-19
Ubuntu USN-559-1 2007-12-21
Debian DSA-1451-1 2008-01-06
rPath rPSA-2008-0018-1 2008-01-17
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo 200804-04 2008-04-06

Comments (none posted)

SDL_image: buffer overflows

Package(s):SDL_image CVE #(s):CVE-2007-6697 CVE-2008-0544
Created:February 8, 2008 Updated:March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Alerts:
Mandriva MDVSA-2008:040 2007-02-07
Debian DSA-1493-1 2008-02-10
rPath rPSA-2008-0061-1 2008-02-13
Debian DSA-1493-2 2008-03-16
Ubuntu USN-595-1 2008-03-26

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26
SuSE SUSE-SA:2007:045 2007-07-18
Red Hat RHSA-2007:0817-01 2007-08-06
Red Hat RHSA-2007:1086-01 2007-12-12
Gentoo 200804-20 2008-04-17

Comments (none posted)

Xorg: multiple vulnerabilities

Package(s):Xorg CVE #(s):CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006
Created:January 17, 2008 Updated:April 4, 2008
Description: From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Alerts:
SuSE SUSE-SA:2008:003 2008-01-17
Debian DSA-1466-1 2008-01-17
Red Hat RHSA-2008:0030-01 2008-01-17
Red Hat RHSA-2008:0031-01 2008-01-17
Red Hat RHSA-2008:0064-01 2008-01-17
Red Hat RHSA-2008:0029-01 2008-01-18
Ubuntu USN-571-1 2008-01-18
Debian DSA-1466-2 2008-01-19
Gentoo 200801-09 2008-01-20
Ubuntu USN-571-2 2008-01-19
Debian DSA-1466-3 2008-01-21
Fedora FEDORA-2008-0760 2008-01-22
Fedora FEDORA-2008-0794 2008-01-22
Fedora FEDORA-2008-0831 2008-01-22
Fedora FEDORA-2008-0891 2008-01-22
Mandriva MDVSA-2008:021 2008-01-23
Mandriva MDVSA-2008:022 2008-01-23
Mandriva MDVSA-2008:023 2007-01-23
Mandriva MDVSA-2008:024 2007-01-23
Mandriva MDVSA-2008:025 2007-01-23
rPath rPSA-2008-0032-1 2008-01-30
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo GLSA 200801-09:03 2008-01-20
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

am-utils: overwrite arbitrary files

Package(s):am-utils CVE #(s):
Created:February 29, 2008 Updated:March 5, 2008
Description: The am-utils package could be vulnerable to an attack in which one local user can modify the contents of arbitrary files to which other local users running expn have write access.
Alerts:
rPath rPSA-2008-0088-1 2008-02-28

Comments (none posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2005-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2008:021 2008-04-04

Comments (none posted)

apache: several vulnerabilities

Package(s):apache CVE #(s):CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
Created:January 15, 2008 Updated:April 4, 2008
Description: A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)

Alerts:
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0007-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Mandriva MDVSA-2008:014 2008-01-16
Mandriva MDVSA-2008:015 2008-01-16
Mandriva MDVSA-2008:016 2007-01-16
Red Hat RHSA-2008:0009-01 2008-01-21
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-01 2008-02-15
Slackware SSA:2008-045-02 2008-02-15
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2008-1695 2008-02-15
Gentoo 200803-19 2008-03-11
SuSE SUSE-SA:2008:021 2008-04-04

Comments (1 posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Debian DSA-1417-1 2007-12-02
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200804-13 2008-04-14

Comments (none posted)

audacity: insecure tmpfile handling

Package(s):audacity CVE #(s):CVE-2007-6061
Created:March 3, 2008 Updated:March 21, 2008
Description: From the Gentoo advisory:

Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly.

A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity.

Alerts:
Gentoo 200803-03 2008-03-02
Mandriva MDVSA-2008:074 2007-03-20

Comments (none posted)

bind: off-by-one error

Package(s):bind CVE #(s):CVE-2008-0122
Created:January 22, 2008 Updated:March 14, 2008
Description: Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
Alerts:
Fedora FEDORA-2008-0903 2008-01-22
Fedora FEDORA-2008-0904 2008-01-22
rPath rPSA-2008-0029-1 2008-01-24
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

boost: denial of service

Package(s):boost CVE #(s):CVE-2008-0171 CVE-2008-0172
Created:January 17, 2008 Updated:March 14, 2008
Description: From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.
Alerts:
Ubuntu USN-570-1 2008-01-16
Fedora FEDORA-2008-0880 2008-01-22
Mandriva MDVSA-2008:032 2007-02-01
rPath rPSA-2008-0063-1 2008-02-13
Gentoo 200802-08 2008-02-14
Fedora FEDORA-2008-0754 2008-03-13
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

cacti: multiple vulnerabilities

Package(s):cacti CVE #(s):CVE-2008-0783 CVE-2008-0784 CVE-2008-0785 CVE-2008-0786
Created:February 28, 2008 Updated:March 11, 2008
Description: From the Mandriva alert: A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities.
Alerts:
Mandriva MDVSA-2008:052 2008-02-27
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200803-18 2008-03-10

Comments (none posted)

clamav: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2008-0318
Created:February 13, 2008 Updated:April 18, 2008
Description:

From the CVE:

Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13
Debian DSA-1497-1 2008-02-16
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2007-04-17

Comments (1 posted)

clamav: arbitrary file overwrite

Package(s):clamav CVE #(s):CVE-2007-6595
Created:February 18, 2008 Updated:April 24, 2008
Description:

From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.

Alerts:
Debian DSA-1497-1 2008-02-16
Mandriva MDVSA-2008:088 2007-04-17
SuSE SUSE-SA:2008:024 2008-04-24

Comments (4 posted)

clamav: heap corruption

Package(s):clamav CVE #(s):CVE-2008-0728
Created:February 22, 2008 Updated:April 18, 2008
Description: From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption."
Alerts:
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2007-04-17

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2008-0882
Created:February 22, 2008 Updated:April 3, 2008
Description: From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
Alerts:
Red Hat RHSA-2008:0157-01 2008-02-21
Fedora FEDORA-2008-1901 2008-02-25
Fedora FEDORA-2008-1976 2008-02-25
Mandriva MDVSA-2008:050 2008-02-26
SuSE SUSE-SA:2008:012 2008-03-06
Debian DSA-1530-1 2008-03-25
Gentoo 200804-01 2008-04-01
Ubuntu USN-598-1 2008-04-02

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Created:December 19, 2007 Updated:April 3, 2008
Description: The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
Alerts:
Gentoo 200712-14 2007-12-18
Debian DSA-1437-1 2007-12-26
Ubuntu USN-563-1 2008-01-09
SuSE SUSE-SA:2008:002 2008-01-10
SuSE SUSE-SR:2008:002 2008-01-25
Debian DSA-1480-1 2008-02-05
Mandriva MDVSA-2008:036 2007-02-06
Debian DSA-1537-1 2008-04-02

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CVE-2008-0596 CVE-2008-0597
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Red Hat advisory:

A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597)

A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596)

These issues were found during the investigation of CVE-2008-0882.

Alerts:
Red Hat RHSA-2008:0153-01 2008-02-25
Red Hat RHSA-2008:0161-01 2008-02-25
Mandriva MDVSA-2008:050 2008-02-26
rPath rPSA-2008-0091-1 2008-02-29
SuSE SUSE-SA:2008:012 2008-03-06

Comments (none posted)

dbus: privilege escalation

Package(s):dbus CVE #(s):CVE-2008-0595
Created:February 28, 2008 Updated:March 14, 2008
Description: From the Red Hat alert: Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access.
Alerts:
Red Hat RHSA-2008:0159-01 2008-02-27
Fedora FEDORA-2008-2043 2008-02-28
Fedora FEDORA-2008-2070 2008-02-28
Mandriva MDVSA-2008:054 2007-02-28
rPath rPSA-2008-0099-1 2008-03-07
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Alerts:
Ubuntu USN-526-1 2007-10-04
Debian DSA-1527-1 2008-03-24

Comments (none posted)

evolution: format string vulnerability

Package(s):evolution CVE #(s):CVE-2008-0072
Created:March 5, 2008 Updated:March 14, 2008
Description: The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message.
Alerts:
Red Hat RHSA-2008:0177-01 2008-03-05
Red Hat RHSA-2008:0178-01 2008-03-05
Debian DSA-1512-1 2008-03-05
Gentoo 200803-12 2008-03-05
Ubuntu USN-583-1 2008-03-05
Fedora FEDORA-2008-2290 2008-03-06
Fedora FEDORA-2008-2292 2008-03-06
Mandriva MDVSA-2008:063 2007-03-06
SuSE SUSE-SA:2008:014 2008-03-14

Comments (none posted)

exiftags: multiple vulnerabilities

Package(s):exiftags CVE #(s):CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Created:December 31, 2007 Updated:April 1, 2008
Description: From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356).
Alerts:
Gentoo 200712-17 2007-12-29
Debian DSA-1533-1 2008-03-27
Debian DSA-1533-2 2008-04-01

Comments (none posted)

firebird: multiple vulnerabilities

Package(s):firebird CVE #(s):CVE-2008-0387 CVE-2008-0467
Created:March 3, 2008 Updated:March 27, 2008
Description: From the Gentoo advisory:

Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467).

A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200803-02 2008-03-02
Debian DSA-1529-1 2008-03-24

Comments (none posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Gentoo 200707-01 2007-07-01
Debian DSA-1529-1 2008-03-24

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created:February 8, 2008 Updated:March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)

Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)

Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)

Alerts:
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Ubuntu USN-592-1 2008-03-26

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey thunderbird CVE #(s):CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593
Created:February 8, 2008 Updated:April 2, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)

A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)

Alerts:
Red Hat RHSA-2008:0103-01 2008-02-07
Red Hat RHSA-2008:0104-01 2008-02-07
Red Hat RHSA-2008:0105-01 2008-02-07
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
rPath rPSA-2008-0093-1 2008-02-29
Slackware SSA:2008-061-01 2008-03-03
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Mandriva MDVSA-2008:062 2007-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Fedora FEDORA-2008-2812 2008-04-01
Fedora FEDORA-2008-2830 2008-04-01

Comments (2 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:April 25, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Fedora FEDORA-2007-1138 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0724-01 2007-07-18
Fedora FEDORA-2007-1155 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1159 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Ubuntu USN-490-1 2007-07-19
rPath rPSA-2007-0148-1 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
Fedora FEDORA-2007-642 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-1180 2007-07-20
Fedora FEDORA-2007-1181 2007-07-20
Debian DSA-1338-1 2007-07-23
Debian DSA-1339-1 2007-07-23
Foresight FLEA-2007-0033-1 2007-07-24
Slackware SSA:2007-205-01 2007-07-25
Slackware SSA:2007-205-02 2007-07-25
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-222-04 2007-08-13
Ubuntu USN-503-1 2007-08-24
Mandriva MDVSA-2007:047 2007-02-19
Debian DSA-1532-1 2008-03-27
Debian DSA-1534-1 2008-03-28
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-2 2008-04-24

Comments (none posted)

flash-plugin: lots of problems