[gull-annonces] Summary of SecurityFocus Newsletter #261

Marc SCHAEFER schaefer at alphanet.ch
Sat Aug 14 23:11:02 CEST 2004


GNU Transport Layer Security Library X.509 Certificate Verif...
BugTraq ID: 10839
Remote: Yes
Date Published: Aug 02 2004
Relevant URL: http://www.securityfocus.com/bid/10839
Summary:
Reportedly, GNU Transport Layer Security Library (GNUTLS) is affected
by an X.509 certificate verification denial of service vulnerability.
This issue is due to a design error that causes the application to
attempt to verify invalid X.509 certificates.

This issue would allow an attacker to cause the affected application
to consume CPU resources and hang while attempted verification takes
place, denying service to legitimate users.

U.S. Robotics USR808054 Wireless Access Point Web Administra...
BugTraq ID: 10840
Remote: Yes
Date Published: Aug 02 2004
Relevant URL: http://www.securityfocus.com/bid/10840
Summary:
The USR808054 wireless access point is reported to contain a denial of
service vulnerability in its embedded web server.

When malicious requests are received by the device, it will reportedly
crash, denying service to legitimate users of the access point.

This issue can be exploited by anybody with network connectivity to
the administration HTTP server; no authentication is required.

Version 1.21h of the device was found to be vulnerable, but other
versions are also likely affected. Due to the practice of code-reuse
in companies, it is also possible that other devices and products have
this same flaw.

This BID may also be related to BID 6994, but this has not been
confirmed.

[ firmware ]

BreakCalendar Multiple Remote Vulnerabilities
BugTraq ID: 10847
Remote: Yes
Date Published: Aug 03 2004
Relevant URL: http://www.securityfocus.com/bid/10847
Summary:
Reportedly BreakCalendar is affected by multiple remote
vulnerabilities.  These issues are due to a failure to sanitize
user-supplied input.

An attacker could leverage these issues to conduct cross-site
scripting attacks and to perform actions facilitated by the 'add
event' and 'edit/remove event' forms.

ripMIME MIME Attachment Decoding Weakness
BugTraq ID: 10848
Remote: Yes
Date Published: Aug 03 2004
Relevant URL: http://www.securityfocus.com/bid/10848
Summary:
It is reported that a weakness exists in ripMIME's decoding routine.

If ripMIME is being used in conjunction with a virus scanning or
other similar type of application, this weakness has the effect of not
passing the attachment to the engine. This means that the attachments
will bypass the scanning process.

By bypassing the scanning process, the message may then be passed on
to an end user while still containing a virus, or other malicious code
that should have been blocked by the filter.

Attackers may exploit this weakness by forming malicious content
designed to pass through filtering software. This content is designed
to be decoded by the end user's MUA. Some MUAs may decode the MIME
attachments, even though they are formed incorrectly, allowing the
malicious content to be delivered.

Version 1.3.2.3 has been released which fixes this weakness.

PuTTY Modpow Integer Handling Memory Corruption Vulnerabilit...
BugTraq ID: 10850
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10850
Summary:
Reportedly PuTTY is affected by a remote, pre-authentication code
execution vulnerability.

An attacker might leverage this issue to execute arbitrary code on an
affected system.  As this issue is exploitable before any
authorization and before the host key is verified, any remote attacker
can exploit this to gain unauthorized access to a vulnerable computer
with the privileges of the user that started the affected application.

Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memo...
BugTraq ID: 10852
Remote: No
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10852
Summary:
A vulnerability in the Linux kernel in the 64-bit file offset handling
code may allow malicious users to read kernel memory.  This issue is
due to a design error that causes the affected code to fail to
properly validate file pointers.

An attacker may leverage this issue to read arbitrary Linux kernel
memory.  This could allow an attacker to read sensitive data such as
cached passwords.  This issue will certainly aid in further attacks
against the affected computer.

It has been reported that the Linux 2.6.X kernel, although still
vulnerable, might not be exploitable. This BID will be updated when
more information becomes available.

Juniper Networks NetScreen SSHv1 Denial Of Service Vulnerabi...
BugTraq ID: 10854
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10854
Summary:
Juniper Networks NetScreen firewalls configured to run the SSHv1
service are reported prone to a denial of service vulnerability. It is
reported that the vulnerability may be triggered by a remote attacker,
prior to any form of authentication.

[ firmware ]

Acme thttpd Directory Traversal Vulnerability
BugTraq ID: 10862
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10862
Summary:
It is reported that thttpd is susceptible to a directory traversal
vulnerability. This issue presents itself due to insufficient
sanitization of user-supplied data. This issue only exists in the
Windows port of the application, as it does not correctly take into
consideration the platform-specific semantics of file system access.

This issue may allow an attacker to retrieve arbitrary, potentially
sensitive files from the affected host computer, with the privileges
of the user that the thttpd process is running as.

Version 2.07 beta 0.4 of thttpd, running on a Microsoft Windows
platform, is reported vulnerable to this issue.

[ very efficient, small and KISS open source HTTP daemon ]

Gnome VFS 'extfs' Scripts Undisclosed Vulnerability
BugTraq ID: 10864
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10864
Summary:
Gnome VFS's 'extfs' scripts are reported prone to an undisclosed
vulnerability.

It is reported that a user that views specially crafted,
attacker-supplied URIs utilizing the 'extfs' VFS module may be able to
execute arbitrary commands in the context of the user.

This BID will be updated as further information is disclosed.

LILO gfxboot Plaintext Password Display Vulnerability
BugTraq ID: 10866
Remote: No
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10866
Summary:
Reportedly gfxboot is affected by a plain text password display
vulnerability.  This issue is due to a design error that fails to
protect user passwords.

The problem reportedly results in the plain text LILO boot password
being displayed on screen as it is typed.

An attacker might leverage this issue to read the plain text LILO boot
password.

YaST2 Utility Library File Verification Shell Code Injection...
BugTraq ID: 10867
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10867
Summary:
YaST2 utility library 'liby2util' is affected by a file verification
shell code injection vulnerability.  This issue is due to a design
error that fails to properly validate files.

An attacker could leverage this issue to inject malicious shell code
into a file name being transferred using the vulnerable utility.  This
might facilitate privilege escalation and unauthorized access.

Neon WebDAV Client Library Unspecified Vulnerability
BugTraq ID: 10869
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10869
Summary:
It is reported that Neon contains an unspecified vulnerability. The
cause of this vulnerability is currently unknown.

Due to the nature of the library, it is likely that this is a remotely
exploitable issue.

It is currently unknown what the effects and impact of this issue
are. This BID will be updated immediately when more information becomes
available.

PSCP Modpow Base Integer Handling Buffer Overrun Vulnerabili...
BugTraq ID: 10870
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10870
Summary:
PSCP is reported prone to a buffer overrun vulnerability.

An attacker might leverage this issue to execute arbitrary code on an
affected system.  As this issue is exploitable before any
authorization and before the host key is verified, any remote attacker
can exploit this to gain unauthorized access to a vulnerable computer
with the privileges of the user that started the affected application.

[ see PuTTY ]

libpng Graphics Library Multiple Remote Vulnerabilities
BugTraq ID: 10857
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10857
Summary:
The libpng graphics library is reported prone to multiple
vulnerabilities. The following issues are reported:

It is reported that a stack-based buffer overrun vulnerability exists
in the libpng library (CAN-2004-0597).

A remote attacker may exploit this condition by supplying a malicious
image to an unsuspecting user. When this image is viewed, the
vulnerability may be triggered, resulting in code execution occurring
in the context of the user that viewed the malicious image.

A denial of service vulnerability is also reported to affect libpng
(CAN-2004-0598).

A remote attacker may exploit this condition by supplying a malicious
image to an unsuspecting user. When the malicious image is viewed, a
NULL pointer dereference will occur, resulting in a crash of the
application that is linked to the vulnerable library.

Additionally, several integer overrun vulnerabilities are reported to
exist in png_handle_sPLT(), png_read_png() and other functions of
libpng (CAN-2004-0599).

A remote attacker may exploit the integer-overrun conditions by
supplying a malicious image to an unsuspecting user. When the
malicious image is viewed, an integer value may wrap or be
interpreted incorrectly, resulting in a crash of the application that
is linked to the vulnerable library, or potentially in arbitrary code
execution.

This BID will be split into independent BIDs when further analysis of
these vulnerabilities is complete.

Mozilla and Netscape SOAPParameter Integer Overflow Vulnerab...
BugTraq ID: 10843
Remote: Yes
Date Published: Aug 02 2004
Relevant URL: http://www.securityfocus.com/bid/10843
Summary:
It is reported that Mozilla and Netscape contain an integer overflow
vulnerability in the SOAPParameter object constructor. This overflow
may result in the corruption of critical heap memory structures,
leading to possible remote code execution.

An attacker can exploit this issue by crafting a malicious web page
and having unsuspecting users view the page in a vulnerable version of
Mozilla or Netscape.

Netscape 7.0, 7.1, and versions of Mozilla prior to 1.7.1 are known to
be vulnerable to this issue. Users of affected versions of Netscape
are urged to switch to Mozilla 1.7.1 or later, as new versions of
Netscape are not likely to appear.

Mozilla Browser Input Type HTML Tag Unauthorized Access Vuln...
BugTraq ID: 10874
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10874
Summary:
Mozilla browser is reportedly affected by an input type HTML tag
unauthorized access vulnerability.  This issue is due to an access
validation error that allows access to arbitrary files on an
unsuspecting user's system.

This issue will allow an attacker to obtain arbitrary files residing
on the computer of an unsuspecting user that activates a malicious
script.

Mozilla Browser/Thunderbird SendUIDL POP3 Message Handling R...
BugTraq ID: 10875
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10875
Summary:
Mozilla and Mozilla Thunderbird are reported prone to a remote heap
overflow vulnerability. The issue is reported to exist due to a lack
of sufficient boundary checks performed on POP3 data handled by
SendUidl().

An attacker controlled POP3 mail server may exploit this condition by
sending a specifically crafted email message to the affected mail
client. This will result in the corruption of heap-based memory.

Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerabil...
BugTraq ID: 10876
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10876
Summary:
Mozilla browser is reportedly vulnerable to an SSL certificate
spoofing vulnerability in the 'cert_TestHostName()' function.  This
issue is due to a design error that fails to properly validate
certified host names.

This issue would allow an attacker to spoof a trusted certificate from
a third party site, facilitating phishing style attacks by luring an
unsuspecting user to enter information on what is apparently a trusted
site.

Mozilla SSL Redirect Spoofing Vulnerability
BugTraq ID: 10880
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10880
Summary:
It is reported that Mozilla and products derived from Mozilla are
susceptible to an SSL redirect spoofing vulnerability.

By exploiting this vulnerability, an attacker can ensure that the
victim's browser displays the SSL lock icon, and will display the SSL
certificate information of a legitimate site when the lock is clicked
on.

This vulnerability may aid in phishing style attacks.

Mozilla prior to 1.7, Mozilla Firebird 0.7, Mozilla Firefox prior to
0.9, and Mozilla Thunderbird prior to 0.7 are all reported vulnerable.

CVSTrac filediff Remote Command Execution Vulnerability
BugTraq ID: 10878
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10878
Summary:
CVSTrac is affected by a remote command execution vulnerability in the
'filediff' functionality.  This issue is due to an input validation
error that allows for the appending of shell commands.

An attacker could leverage this issue to execute arbitrary shell
commands on a vulnerable computer with the privileges of the web
server process.

Thomson SpeedTouch Home ADSL Modem Predictable Initial TCP S...
BugTraq ID: 10881
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10881
Summary:
A vulnerability is reported to exist in the algorithms used by Thomson
SpeedTouch Home ADSL Modem to generate initial TCP sequence
numbers. The ability to predict TCP sequence numbers may allow a
remote attacker to inject packets into a vulnerable data stream, for
example the telnet service on the affected modem.

[ firmware ]

GNU Info Follow XRef Buffer Overrun Vulnerability
BugTraq ID: 10882
Remote: No
Date Published: Aug 06 2004
Relevant URL: http://www.securityfocus.com/bid/10882
Summary:
GNU Info is reported prone to a buffer overrun vulnerability. The
vulnerability is reported to present itself due to a lack of boundary
checks performed on argument data for the (f) follow xref Info
command.

An attacker may exploit this vulnerability by crafting a malicious
Info script that is sufficient to trigger the issue.

Although this vulnerability is reported to affect info version
4.7-2.1, other versions might also be affected.
