Security
The WMF vulnerability
Image file formats continue to be fertile ground for anybody seeking security vulnerabilities. It seems that there is a tiny hole in the "Windows metafile" (WMF) implementation on just about every version of Windows. Exploits exist and are widespread; all it takes to be compromised is an attempt to view a malicious WMF file. Using Internet Explorer to view web page which includes the WMF file is sufficient; depending on who you believe, it may also be possible to deliver malicious files in email.Quite a few sites hosting exploits have been found; by some estimates, hundreds of thousands of machines have already been compromised. Happily, Windows users can rely on Microsoft's recent commitment to security for a patch.
Unhappily, it seems that Microsoft, which has known about the vulnerability since sometime in December, will not have a fix available until January 10. Meanwhile, users are told to be careful out there and "avoid reading email from strangers." So Windows users will be left vulnerable to a severe vulnerability - with numerous exploits already happening - for a minimum of two weeks. It is tempting to insert a long, Microsoft-bashing rant here, but there is little point.
Instead, we'll point out a couple of things which might be worth knowing if you're concerned with security issues involving Windows in any way:
- Firefox (on Windows) users are vulnerable too. Being compromised via
Firefox is harder than with Internet Explorer; current versions of the
browser require an explicit user action before a WMF file will be
displayed. But requiring an extra click is a thin line of defense, at
best.
- There is an unofficial fix available for people who do not want to wait for Microsoft to get around to putting up a patch. By all accounts, the fix does exactly what it says it does, but, since it is a binary patch, it is hard to verify independently.
It is hard to imagine a vulnerability of this severity staying open for so long in the free software world. If distributors were slow in releasing a patch, the community would fill in quickly - with verifiable, source-available fixes. There is little doubt that, sooner or later, a serious vulnerability will threaten free software users; that is, unfortunately, the nature of software. But the nature of free software should keep that vulnerability from being left open for anywhere near so long.
(See also: the CERT advisory for the WMF vulnerability and this FAQ).
New vulnerabilities
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | ||||||||||||||||||||
| Created: | January 2, 2006 | Updated: | March 17, 2010 | ||||||||||||||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
dhis-tools-dns: insecure temporary file
| Package(s): | dhis-tools-dns | CVE #(s): | CVE-2005-3341 | ||||
| Created: | December 27, 2005 | Updated: | January 4, 2006 | ||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that two scripts in the dhis-tools-dns package, DNS configuration utilities for a dynamic host information System, which are usually executed by root, create temporary files in an insecure fashion. | ||||||
| Alerts: |
| ||||||
ketm: arbitrary code execution
| Package(s): | ketm | CVE #(s): | CVE-2005-3535 | ||||||||
| Created: | December 23, 2005 | Updated: | January 4, 2006 | ||||||||
| Description: | Steve Kemp from the Debian Security Audit Project discovered a buffer overflow in ketm, an old school 2D-scrolling shooter game, that can be exploited to execute arbitrary code with group games privileges. | ||||||||||
| Alerts: |
| ||||||||||
nbd: arbitrary code execution
| Package(s): | nbd | CVE #(s): | CVE-2005-3534 | ||||||||
| Created: | December 22, 2005 | Updated: | January 4, 2006 | ||||||||
| Description: | The network block device server has a vulnerability that can potentially be used to execute arbitrary code. | ||||||||||
| Alerts: |
| ||||||||||
openmotif: buffer overflows
| Package(s): | openmotif | CVE #(s): | CVE-2005-3964 | ||||||||||||
| Created: | December 29, 2005 | Updated: | July 27, 2006 | ||||||||||||
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
php: CRLF injection vulnerability
| Package(s): | php | CVE #(s): | CVE-2005-3883 | ||||
| Created: | December 27, 2005 | Updated: | January 4, 2006 | ||||
| Description: | A CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument, when using sendmail as the MTA (mail transfer agent). | ||||||
| Alerts: |
| ||||||
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 | CVE #(s): | CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 | ||||
| Created: | December 22, 2005 | Updated: | February 11, 2008 | ||||
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. | ||||||
| Alerts: |
| ||||||
pinentry: local privilege escalation
| Package(s): | pinentry | CVE #(s): | |||||
| Created: | January 3, 2006 | Updated: | January 4, 2006 | ||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that the pinentry ebuild incorrectly sets the permissions of the pinentry binaries upon installation, so that the sgid bit is set making them execute with the privileges of group ID 0. | ||||||
| Alerts: |
| ||||||
printer-filters-utils: privilege escalation
| Package(s): | printer-filters-utils | CVE #(s): | |||||
| Created: | January 2, 2006 | Updated: | January 4, 2006 | ||||
| Description: | A local root vulnerability has been discovered in the mtink binary, which has a buffer overflow in its handling of the HOME environment variable, allowing the possibility for a local user to gain root privileges. | ||||||
| Alerts: |
| ||||||
rssh: privilege escalation
| Package(s): | rssh | CVE #(s): | CVE-2005-3345 | ||||
| Created: | December 27, 2005 | Updated: | January 4, 2006 | ||||
| Description: | Max Vozeler discovered that the rssh_chroot_helper command allows local users to chroot into arbitrary directories. A local attacker could exploit this vulnerability to gain root privileges by chrooting into arbitrary directories. | ||||||
| Alerts: |
| ||||||
scponly: privilege escalation
| Package(s): | scponly | CVE #(s): | CVE-2005-4532 | ||||||||
| Created: | December 29, 2005 | Updated: | February 13, 2006 | ||||||||
| Description: | The scponly restricted shell has a privilege escalation vulnerability. Local users can chroot into arbitrary directories, and can gain root privileges if a directory contains hard links to setuid programs. Also, scponly does not properly validate command line parameters to the scp and rsync commands. | ||||||||||
| Alerts: |
| ||||||||||
tkdiff: insecure temporary file
| Package(s): | tkdiff | CVE #(s): | CVE-2005-3343 | ||||||||||||
| Created: | December 27, 2005 | Updated: | January 4, 2006 | ||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that tkdiff, a graphical side by side "diff" utility, creates temporary files in an insecure fashion. | ||||||||||||||
| Alerts: |
| ||||||||||||||
xnview: privilege escalation
| Package(s): | xnview | CVE #(s): | |||||
| Created: | December 30, 2005 | Updated: | January 4, 2006 | ||||
| Description: | Krzysiek Pawlik of Gentoo Linux discovered that the XnView package for IA32 used the DT_RPATH field insecurely, causing the dynamic loader to search for shared libraries in potentially untrusted directories. | ||||||
| Alerts: |
| ||||||
Page editor: Jonathan Corbet
Next page:
Kernel development>>