LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Image handling vulnerabilities
Bugs that linger for eight years without a fix are probably annoying to whoever reported them; perhaps others as well. When those bugs have possible security implications, it is hard to see how they can remain unfixed for even eight months, let alone years, but that appears to be the case with some GTK image handling bugs. Code to handle image formats has been the source of numerous vulnerabilities along the way, which makes it even harder to see why these have languished so long.
A call for ideas for a hackfest on the GNOME foundation mailing list seems like a bit of a strange place to find information about vulnerabilities, but in the ensuing thread, Michael Chudobiak brought up some bugs that he would like to see addressed, perhaps as part of a hackfest:
The bugs he listed were from 2002 (80925), 2004 (142428), and 2008 (522803), but Alan Cox mentioned that he reported one of them as a GNOME security bug "about eight years ago". In his opinion all of the bugs were of the "well known, never fixed" variety. Because the code in question lives in GTK—used by many GNOME applications—"quite a few gnome apps fed small compressed images explode".
The basic problem is that the routines handling images create the full-resolution image in memory regardless of the size requested. In addition, various memory-intensive techniques are used to scale the image to the requested size. This impacts Nautilus and other GNOME programs that create thumbnails of large images.
Presumably, a denial of service, at a minimum, can result from these operations, though there may be other ways to exploit any program crashes that result. Cox has a plan to see them get fixed:
The vendor security list, often abbreviated vendor-sec, is a closed mailing list for distribution security teams to exchange information about vulnerabilities in various programs. It is closed so that bugs that are not publicly known can be freely discussed. Whether Cox's posting to that list spurs any action remains to be seen.
It is a rare week where LWN does not report some kind of image handling botch as a new vulnerability. This week, a cups vulnerability in handling PNG files could lead to a denial of service; last week we reported an Opera vulnerability in handling images in HTML canvas elements that could possibly lead to arbitrary code execution. Image handling is an area where all bugs need to be scrutinized carefully for potential security issues.
Hopefully, part of the problem is that the GNOME hackers did not realize the security implications of the bugs. There does seem to be ample complaint about performance problems, though, to get some kind of action over the last six or eight years. This is a set of related bugs that have seemingly been overlooked for a long time. Perhaps that time is now coming to an end.
New vulnerabilities
clamav: buffer overflows
| Package(s): | clamav | CVE #(s): | CVE-2008-0314 CVE-2008-1100 | ||||||||||||||||||
| Created: | April 18, 2008 | Updated: | May 15, 2008 | ||||||||||||||||||
| Description: | Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2008-1387 CVE-2008-1833 CVE-2008-1835 CVE-2008-1836 CVE-2008-1837 | |||||||||||||||
| Created: | April 18, 2008 | Updated: | May 15, 2008 | |||||||||||||||
| Description: | From the CVE entries:
ClamAV before 0.93 allows remote attackers to cause a denial of service (CPU consumption) via a crafted ARJ archive, as demonstrated by the PROTOS GENOME test suite for Archive Formats. (CVE-2008-1387) Heap-based buffer overflow in libclamav in ClamAV 0.92.1 allows remote attackers to execute arbitrary code via a crafted WWPack compressed PE binary. (CVE-2008-1833) ClamAV before 0.93 allows remote attackers to bypass the scanning enging via a RAR file with an invalid version number, which cannot be parsed by ClamAV but can be extracted by Winrar. (CVE-2008-1835) The rfc2231 function in message.c in libclamav in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via a crafted message that produces a string that is not null terminated, which triggers a buffer over-read. (CVE-2008-1836) libclamunrar in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via crafted RAR files that trigger "memory problems," as demonstrated by the PROTOS GENOME test suite for Archive Formats. (CVE-2008-1837) | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cups: arbitrary code execution
| Package(s): | cups | CVE #(s): | CVE-2008-1722 | |||||||||||||||
| Created: | April 21, 2008 | Updated: | May 13, 2008 | |||||||||||||||
| Description: | From the Gentoo advisory: Thomas Pollet reported a possible integer overflow vulnerability in the PNG image handling in the file filter/image-png.c. A malicious user might be able to execute arbitrary code with the privileges of the user running CUPS (usually lp), or cause a Denial of Service by sending a specially crafted PNG image to the print server. The vulnerability is exploitable via the network if CUPS is sharing printers remotely. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
dbmail: authentication bypass
| Package(s): | dbmail | CVE #(s): | CVE-2007-6714 | |||||||||
| Created: | April 21, 2008 | Updated: | April 29, 2008 | |||||||||
| Description: | From the Gentoo advisory: A vulnerability in DBMail's authldap module when used in conjunction with an Active Directory server has been reported by vugluskr. When passing a zero length password to the module, it tries to bind anonymously to the LDAP server. If the LDAP server allows anonymous binds, this bind succeeds and results in a successful authentication to DBMail. By passing an empty password string to the server, an attacker could be able to log in to any account. | |||||||||||
| Alerts: |
| |||||||||||
fedora-ds-admin: privilege escalation and arbitrary command execution
| Package(s): | fedora-ds-admin | CVE #(s): | CVE-2008-0892 CVE-2008-0893 | ||||||
| Created: | April 22, 2008 | Updated: | April 23, 2008 | ||||||
| Description: | From the CVE entries:
The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat
Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5,
allows remote attackers to execute arbitrary commands.
Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, does not properly restrict access to CGI scripts, which allows remote attackers to perform administrative actions. | ||||||||
| Alerts: |
| ||||||||
feh: shell command injection
| Package(s): | feh | CVE #(s): | |||||||
| Created: | April 17, 2008 | Updated: | April 23, 2008 | ||||||
| Description: | feh has a vulnerability involving shell command injection using specially crafted file names. | ||||||||
| Alerts: |
| ||||||||
firefox: denial of service
| Package(s): | firefox | CVE #(s): | CVE-2008-1380 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2008 | Updated: | May 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert: A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ikiwiki: cross-site request forgery
| Package(s): | ikiwiki | CVE #(s): | CVE-2008-0165 | |||
| Created: | April 21, 2008 | Updated: | April 23, 2008 | |||
| Description: | From the Debian advisory: It has been discovered that ikiwiki, a Wiki implementation, does not guard password and content changes against cross-site request forgery (CSRF) attacks. | |||||
| Alerts: |
| |||||
mplayer: arbitrary code execution
| Package(s): | mplayer | CVE #(s): | CVE-2008-1558 | |||
| Created: | April 21, 2008 | Updated: | April 23, 2008 | |||
| Description: | From the Debian advisory: It was discovered that the MPlayer movie player performs insufficient input sanitising on SDP session data, leading to potential execution of arbitrary code through a malformed multimedia stream. | |||||
| Alerts: |
| |||||
mt-daapd: integer overflow
| Package(s): | mt-daapd | CVE #(s): | CVE-2008-1771 | |||
| Created: | April 23, 2008 | Updated: | April 23, 2008 | |||
| Description: | The mt-daapd music server suffers from an integer overflow enabling remote denial of service attacks and possibly code execution. | |||||
| Alerts: |
| |||||
openfire: denial of service
| Package(s): | openfire | CVE #(s): | CVE-2008-1728 | |||
| Created: | April 23, 2008 | Updated: | April 23, 2008 | |||
| Description: | The openfire (formerly wildfire) Jabber server cannot cope with clients which fail to read messages, leading to a denial of service vulnerability. | |||||
| Alerts: |
| |||||
openoffice.org: multiple vulnerabilities
| Package(s): | openoffice.org | CVE #(s): | CVE-2007-5745 CVE-2007-5746 CVE-2007-5747 CVE-2008-0320 | ||||||||||||||||||||||||
| Created: | April 17, 2008 | Updated: | May 15, 2008 | ||||||||||||||||||||||||
| Description: | From the Debian alert:
CVE-2007-5745, CVE-2007-5747: Several bugs have been discovered in the way OpenOffice.org parses Quattro Pro files that may lead to a overflow in the heap potentially leading to the execution of arbitrary code. CVE-2007-5746: Specially crafted EMF files can trigger a buffer overflow in the heap that may lead to the execution of arbitrary code. CVE-2008-0320: A bug has been discovered in the processing of OLE files that can cause a buffer overflow in the heap potentially leading to the execution of arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
php-toolkit: denial of service
| Package(s): | php-toolkit | CVE #(s): | CVE-2008-1734 | |||
| Created: | April 18, 2008 | Updated: | April 23, 2008 | |||
| Description: | From the Gentoo advisory: Toni Arnold, David Sveningsson, Michal Bartoszkiewicz, and Joseph reported that php-select does not quote parameters passed to the "tr" command, which could convert the "-D PHP5" argument in the "APACHE2_OPTS" setting in the file /etc/conf.d/apache2 to lower case. | |||||
| Alerts: |
| |||||
poppler: arbitrary code execution
| Package(s): | poppler | CVE #(s): | CVE-2008-1693 | ||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2008 | Updated: | May 9, 2008 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Gentoo alert: Poppler does not handle fonts inside PDF files safely, allowing for execution of arbitrary code. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
python2.4: arbitrary code execution
| Package(s): | python2.4 | CVE #(s): | CVE-2008-1887 | |||
| Created: | April 21, 2008 | Updated: | April 23, 2008 | |||
| Description: | From the Debian advisory: CVE-2008-1887: Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code. | |||||
| Alerts: |
| |||||
speex: insufficient boundary checks
| Package(s): | speex | CVE #(s): | CVE-2008-1686 | ||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2008 | Updated: | May 9, 2008 | ||||||||||||||||||||||||||||||||||||
| Description: | The speex speech codec has insufficient boundary checking in speex_packet_to_header(). | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
sun java: multiple vulnerabilities
| Package(s): | sun-jre, sun-jdk | CVE #(s): | CVE-2007-5689 CVE-2007-5237 CVE-2008-0628 | ||||||
| Created: | April 18, 2008 | Updated: | April 28, 2008 | ||||||
| Description: | From the CVE entries:
The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE) in SDK and JRE 1.3.x through 1.3.1_20 and 1.4.x through 1.4.2_15, and JDK and JRE 5.x through 5.0 Update 12 and 6.x through 6 Update 2, allows remote attackers to execute arbitrary programs, or read or modify arbitrary files, via applets that grant privileges to themselves. (CVE-2007-5689) Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities." (CVE-2007-5237) The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources. (CVE-2008-0628) | ||||||||
| Alerts: |
| ||||||||
suphp: privilege escalation
| Package(s): | suphp | CVE #(s): | CVE-2008-1614 | |||
| Created: | April 18, 2008 | Updated: | April 23, 2008 | |||
| Description: | suPHP before 0.6.3 allows local users to gain privileges via (1) a race condition that involves multiple symlink changes to point a file owned by a different user, or (2) a symlink to the directory of a different user, which is used to determine privileges. | |||||
| Alerts: |
| |||||
vlc: multiple vulnerabilities
| Package(s): | vlc | CVE #(s): | CVE-2008-1881 CVE-2008-1489 CVE-2008-1768 CVE-2008-1769 | |||
| Created: | April 23, 2008 | Updated: | April 23, 2008 | |||
| Description: | The latest set of vulnerabilities in vlc include a stack-based buffer overflow in the subtitle code (CVE-2008-1881), an integer overflow vulnerability in the MP4 code leading to a heap overflow (CVE-2008-1489), more integer overflows (CVE-2008-1768), and a "boundary error" in Cinepak leading to memory corruption (CVE-2008-1769). | |||||
| Alerts: |
| |||||
WebKit: cross-site scripting and code execution
| Package(s): | WebKit | CVE #(s): | CVE-2008-1010 CVE-2008-1011 | |||||||||||||||
| Created: | April 23, 2008 | Updated: | April 29, 2008 | |||||||||||||||
| Description: | The WebKit browser engine suffers from a buffer overflow leading to arbitrary code execution and a cross-site scripting vulnerability; some more information is available from this summary. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Page editor: Jake Edge
Next page: Kernel development>>