User: Password:
Subscribe / Log in / New account


Brief items

Buffer overflows in XV

April 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

What do you do with security problems in programs that aren't freely licensed, and the maintainer has stopped responding when notified of security problems and so forth? One example of this is the XV image viewing and editing application. The application is getting a bit long in the tooth, to say the least. The last release is more than ten years old, but it is still shipped by Novell/SUSE (at least in 9.2), Gentoo and others. Even grumpy editors continue to find XV an attractive choice, albeit less than acceptable due to its licensing.

Several vulnerabilities have been reported in XV since its development came to a halt, including a buffer overflow last August that was not completely addressed by vendor patches. The lack of security updates from the original author, John Bradley, is something of a problem. There have been patches and updates from other sources since the last official release, but the XV page itself seems to have been last updated in March of 2001.

Greg Roelofs has released a patch that is supposed to take care of the problem in his jumbo patches to add features to XV. (Note that the vulnerability that affects XV has also been reported by Bruno Rohee to affect Gwenview and ImageMagick.)

However, this doesn't address the problem of getting the patches into the upstream version. We attempted to contact Bradley, but received no response to our e-mail. Presumably, Bradley is not particularly interested in maintaining XV at this point, but has not seen fit to release the code to anyone else for maintainership, either.

Though the code is available for XV, the license precludes another person or group from picking up maintainership of the project. XV has a "shareware" license that is relatively liberal, allowing personal use without registration, and distribution is permitted for non-commercial purposes. In short, the license allows for distribution of patches and so forth, but it does not allow for a third party to assume control of the project and give it the care and feeding it obviously needs.

Given the amount of effort that has gone into patches for XV, it would seem more logical for interested parties to turn their attention to image viewers and editors that are not encumbered by proprietary licenses. XV provides yet another cautionary tale for users considering software that is "free enough" without actually having an open source license that allows the project to be carried by users interested in its further development.

Comments (none posted)

Main AGNULA Host attacked (and potentially compromised)

The main AGNULA host was attacked on April 16. Although they do not believe that the unknown attacker was successful in his attempts to install a backdoor, they are taking no chances. "However, following good security practices and common sense, we can not guarantee the integrity of the host. Since we had already planned an extensive upgrade of the server, we decided to go down the safer route: completely wipe out the system, reinstall everything from scratch and recover backup data from the day before the attempted compromise." AGNULA should be back in action by April 25.

Full Story (comments: none)

New vulnerabilities

cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2005-0753
Created:April 18, 2005 Updated:July 13, 2005
Description: CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Debian DSA-742-1 cvs 2005-07-07
Fedora-Legacy FLSA:155508 cvs 2005-05-12
Ubuntu USN-117-1 cvs 2005-05-04
Red Hat RHSA-2005:387-01 cvs 2005-04-25
Gentoo 200504-16:02 cvs 2005-04-18
Slackware SSA:2005-111-01 cvs 2005-04-22
Trustix TSLSA-2005-0013 cvs 2005-04-20
Mandriva MDKSA-2005:073 cvs 2005-04-20
Fedora FEDORA-2005-330 cvs 2005-04-20
Gentoo 200504-16 cvs 2005-04-18
SuSE SUSE-SA:2005:024 cvs 2005-04-18

Comments (none posted)

geneweb: insecure file operations

Package(s):geneweb CVE #(s):CAN-2005-0391
Created:April 19, 2005 Updated:April 20, 2005
Description: Tim Dijkstra discovered a problem during the upgrade of geneweb, a genealogy software with web interface. The maintainer scripts automatically converted files without checking their permissions and content, which could lead to the modification of arbitrary files.
Debian DSA-712-1 geneweb 2005-04-19

Comments (none posted)

htdig: unescaped output

Package(s):htdig CVE #(s):
Created:April 19, 2005 Updated:April 20, 2005
Description: Unescaped output in htsearch and qtest causes security problems.
Fedora FEDORA-2005-367 htdig 2005-04-19

Comments (none posted)

info2www: missing input sanitizing

Package(s):info2www CVE #(s):CAN-2004-1341
Created:April 19, 2005 Updated:April 20, 2005
Description: Nicolas Gregoire discovered a cross-site scripting vulnerability in info2www, a converter for info files to HTML. A malicious person could place a harmless looking link on the web that could cause arbitrary commands to be executed in a user's browser.
Debian DSA-711-1 info2www 2005-04-19

Comments (none posted)

logwatch: denial of service

Package(s):logwatch CVE #(s):CAN-2005-1061
Created:April 19, 2005 Updated:April 20, 2005
Description: A bug was found in the logwatch secure script. If an attacker is able to inject an arbitrary string into the /var/log/secure file, it is possible to prevent logwatch from detecting malicious activity.
Red Hat RHSA-2005:364-01 logwatch 2005-04-19

Comments (none posted)

monkeyd: multiple vulnerabilities

Package(s):monkeyd CVE #(s):
Created:April 15, 2005 Updated:April 20, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a double expansion error in monkeyd, resulting in a format string vulnerability. Ciaran McCreesh of Gentoo Linux discovered a Denial of Service vulnerability, a syntax error caused monkeyd to zero out unallocated memory should a zero byte file be requested.
Gentoo 200504-14 monkeyd 2005-04-15

Comments (none posted)

Mozilla Firefox, Mozilla Suite: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2005-0989
Created:April 19, 2005 Updated:July 18, 2005
Description: The following vulnerabilities were found and fixed in the Mozilla Suite and Mozilla Firefox:
  • Vladimir V. Perepelitsa reported a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989).
  • moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM nodes from the content window, allowing privilege escalation via DOM property overrides.
  • Michael Krax reported a possibility to run JavaScript code with elevated privileges through the use of javascript: favicons.
  • Michael Krax also discovered that malicious Search plugins could run JavaScript in the context of the displayed page or stealthily replace existing search plugins.
  • shutdown discovered a technique to pollute the global scope of a window in a way that persists from page to page.
  • Doron Rosenberg discovered a possibility to run JavaScript with elevated privileges when the user asks to "Show" a blocked popup that contains a JavaScript URL.
  • Finally, Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects.
The following Firefox-specific vulnerabilities have also been discovered:
  • Kohei Yoshino discovered a new way to abuse the sidebar panel to execute JavaScript with elevated privileges.
  • Omar Khan reported that the Plugin Finder Service can be tricked to open javascript: URLs with elevated privileges.
Gentoo 200507-17 Thunderbird 2005-07-18
Fedora-Legacy FLSA:152883 mozilla 2005-05-18
Red Hat RHSA-2005:384-01 Mozilla 2005-04-28
SuSE SUSE-SA:2005:028 firefox 2005-04-27
Red Hat RHSA-2005:386-01 mozilla 2005-04-26
Slackware SSA:2005-111-04 mozilla 2005-04-22
Red Hat RHSA-2005:383-01 firefox 2005-04-21
Gentoo 200504-18 mozilla-firefox 2005-04-19

Comments (none posted)

MPlayer: heap overflows

Package(s):mplayer CVE #(s):
Created:April 20, 2005 Updated:July 12, 2005
Description: Heap overflows have been found in the code handling RealMedia RTSP and Microsoft Media Services streams over TCP (MMST). By setting up a malicious server and enticing a user to use its streaming data, a remote attacker could possibly execute arbitrary code on the client computer with the permissions of the user running MPlayer.
Mandriva MDKSA-2005:115 mplayer 2005-07-11
Gentoo 200504-19 mplayer 2005-04-20

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CAN-2004-0957
Created:April 14, 2005 Updated:April 20, 2005
Description: MySQL has a vulnerability in which a user with grant privileges can can grant privileges in other databases. In order to use this exploit, the database must have an underscore character in the name.
Conectiva CLA-2005:947 MySQL 2005-04-20
Mandriva MDKSA-2005:070 MySQL 2005-04-12

Comments (1 posted)

php4: integer overflow and denial of service

Package(s):php4 CVE #(s):CAN-2005-1042 CAN-2005-1043
Created:April 14, 2005 Updated:July 13, 2005
Description: The php4 EXIF module has two vulnerabilities. An integer overflow in the exif_process_IFD_TAG() function can be exploited to cause a buffer overflow for the purpose of arbitrary code execution. EXIF headers with a large IFD nesting level can be used to cause a denial of service. Remote exploits are possible.
Fedora-Legacy FLSA:155505 php 2005-07-10
Red Hat RHSA-2005:406-01 PHP 2005-05-04
Red Hat RHSA-2005:405-01 PHP 2005-04-28
Mandriva MDKSA-2005:072 php 2005-04-18
Ubuntu USN-112-1 php4 2005-04-14

Comments (none posted)

realplayer: arbitrary code execution

Package(s):realplayer helixplayer CVE #(s):CAN-2005-0755
Created:April 20, 2005 Updated:June 27, 2005
Description: RealNetworks, Inc. has fixed a security vulnerability that offered the potential for an attacker to run arbitrary or malicious code on a customer's machine. Linux RealPlayer 10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable.
Red Hat RHSA-2005:523-01 RealPlayer 2005-06-23
Red Hat RHSA-2005:517-01 HelixPlayer 2005-06-23
Gentoo 200504-21 realplayer 2005-04-22
Red Hat RHSA-2005:394-01 RealPlayer 2005-04-20
Red Hat RHSA-2005:392-03 HelixPlayer 2005-04-20
Red Hat RHSA-2005:363-03 RealPlayer 2005-04-20
Fedora FEDORA-2005-329 HelixPlayer 2005-04-20
SuSE SUSE-SA:2005:026 RealPlayer 2005-04-20

Comments (none posted)

squid: denial of service

Package(s):squid CVE #(s):CAN-2005-0718
Created:April 14, 2005 Updated:April 29, 2005
Description: Squid has a remote denial of service vulnerability that can be triggered by a remote connection abort during a PUT or POST request, leading to an eventual server crash.
SuSE SUSE-SR:2005:012 multi 2005-04-29
Mandriva MDKSA-2005:078 squid 2005-04-28
Conectiva CLA-2005:948 squid 2005-04-27
Ubuntu USN-111-1 squid 2005-04-14

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Red Hat RHSA-2006:0117-01 vixie-cron 2006-03-15
Red Hat RHSA-2005:361-01 vixie-cron 2005-10-05
Fedora FEDORA-2005-320 vixie-cron 2005-04-15

Comments (none posted)

XV: multiple vulnerabilities

Package(s):xv CVE #(s):
Created:April 19, 2005 Updated:July 19, 2005
Description: Greg Roelofs has reported multiple input validation errors in XV image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has reported insufficient validation in the PDS (Planetary Data System) image decoder, format string vulnerabilities in the TIFF and PDS decoders, and insufficient protection from shell meta-characters in malformed filenames. Successful exploitation would require a victim to view a specially created image file using XV, potentially resulting in the execution of arbitrary code.
Slackware SSA:2005-195-02 xv 2005-07-15
Gentoo 200504-17 xv 2005-04-19

Comments (none posted)


BCS Asia 2005 Slides and pictures

Proceeding slides and photos from the Bellua Cyber Security Asia 2005 conference are online. "44 speakers from Asia, Europe and the Americas joined Bellua Cyber Security Asia 2005 to discuss present and future information security issues through an intensive series of presentations, demonstrations and technical sessions."

Full Story (comments: none)

Page editor: Forrest Cook
Next page: Kernel development>>

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds