[gull-annonces] Summary of SecurityFocus Newsletter #263

Marc SCHAEFER schaefer at alphanet.ch
Wed Aug 25 15:51:06 CEST 2004


gv Postscript and PDF Viewer Multiple Remote Buffer Overflow...
BugTraq ID: 10944
Remote: Yes
Date Published: Aug 14 2004
Relevant URL: http://www.securityfocus.com/bid/10944
Summary:
gv is reported prone to multiple remote buffer overflow
vulnerabilities.  These issues exist due to insufficient checking
performed by the application on file headers for PostScript and PDF
documents.

These vulnerabilities exist in the 'psscan' function of the 'ps.c'
file.  The vulnerabilities include multiple stack and heap based
buffer overflows.  A number of the stack overflows have been
specified, however, there are also a number of unspecified heap
overflows.

Successful exploitation of these issues may result in an attacker
executing arbitrary code on a vulnerable computer to gain unauthorized
access.  This would occur in the context of the vulnerable
application.

It should be noted that applications such as Web browsers may use the
software as an automatic handler for PostScript and PDF files.

Yukihiro Matsumoto Ruby CGI Session Management Insecure File...
BugTraq ID: 10946
Remote: No
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10946
Summary:
It is reported that Ruby is prone to an insecure file permissions
vulnerability.  This issue affects the CGI session management
component of the application.

This issue may allow a local attacker with access to a vulnerable Web
server to hijack a session.

Ruby versions prior to 1.6.7 and 1.8.1 are affected by the issue.

awstats rawlog Plugin Logfile Parameter Input Validation Vul...
BugTraq ID: 10950
Remote: Yes
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10950
Summary:
awstats rawlog Plugin is reported prone to an input validation
vulnerability. The issue is reported to exist because user supplied
'logfile' URI data passed to the 'awstats.pl' script is not sanitized.

An attacker may exploit this condition to execute commands remotely or
disclose contents of web server readable files.

It should be noted that although this vulnerability is reported to
affect AWStats version 6.1, other versions might also be affected.

Gentoo Linux Tomcat EBuild Insecure Install Permissions Vuln...
BugTraq ID: 10951
Remote: No
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10951
Summary:
The Gentoo Linux Tomcat eBuild is reported prone to an insecure
default install permission vulnerability. It is reported that certain
Tomcat scripts are installed with permissions that allow members of
the tomcat group to write to the file.

A local attacker that is a member of the Tomcat group may exploit this
condition to escalate privileges.

KDE Mcoputils Insecure Temporary File Creation Vulnerability
BugTraq ID: 10952
Remote: No
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10952
Summary:
KDE's mcoputils is reported to contain an insecure temporary file
creation vulnerability.  The result of this is that temporary files
created by the application may use predictable filenames.

A local attacker may also possibly exploit this vulnerability to
execute symbolic link file overwrite attacks. This may allow an
attacker to overwrite arbitrary files with the privileges of the
targeted user. Privilege escalation may also be possible using this
method of attack.

SpamAssassin Malformed Email Remote Denial Of Service Vulner...
BugTraq ID: 10957
Remote: Yes
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10957
Summary:
SpamAssassin is reported prone to a remote denial of service
vulnerability. Full details regarding this vulnerability are not
known.

A remote attacker may potentially exploit this vulnerability to deny
service to a target SpamAssassin service.

SpamAssassin versions prior to 2.64 are reported vulnerable to this
issue.

This BID will be updated as further details regarding this
vulnerability are announced.

rxvt-unicode Open File Descriptor Leakage Vulnerability
BugTraq ID: 10959
Remote: No
Date Published: Aug 16 2004
Relevant URL: http://www.securityfocus.com/bid/10959
Summary:
It is reported that RXVT-Unicode fails to properly close file
descriptors when spawning new child terminal windows.

The child process could then potentially gain access to possibly
sensitive information from the contents of the open file
descriptors. Depending on the mode of the original file, and the
privileges of the user that opened it, processes in the child window
may exploit this vulnerability to take control of the parent
process. Other attacks may also be possible.

An attacker requires local access to the RXVT-Unicode process window
to exploit this vulnerability.

Versions prior to 3.6 are reported vulnerable to this issue.

Inter7 vpopmail vsybase.c Multiple Vulnerabilities
BugTraq ID: 10962
Remote: Yes
Date Published: Aug 17 2004
Relevant URL: http://www.securityfocus.com/bid/10962
Summary:
vpopmail is reported prone to multiple buffer overflow and a format
string vulnerability.  These issues are present in the 'vsybase.c'
file.  These issues exist due to the use of the sprintf() function.

It is conjectured that these issues may allow an attacker to execute
arbitrary code to gain unauthorized access to a vulnerable computer.
At the very least a denial of service condition may result.

vpopmail versions 5.4.2 and prior are affected by these issues.

[ vpopmail is an add-on to qmail ]

Inter7 vpopmail Multiple SQL Injection Vulnerabilities
BugTraq ID: 10990
Remote: Yes
Date Published: Aug 20 2004
Relevant URL: http://www.securityfocus.com/bid/10990
Summary:
vpopmail is reportedly susceptible to SQL injection
vulnerabilities. This issue is due to a failure of the application to
properly sanitize user-supplied input data before using it in an SQL
query.

vpopmail is only vulnerable if SQL servers are utilized by the
application. Sites using the 'cdb' backend for data storage are not
affected.

Successful exploitation could result in compromise of the application,
disclosure or modification of data or may permit an attacker to
exploit vulnerabilities in the underlying database implementation.

Vpopmail is reported vulnerable in versions prior to 5.4.6.

GNU gLibc LD_DEBUG Local Information Disclosure Vulnerabilit...
BugTraq ID: 10963
Remote: No
Date Published: Aug 17 2004
Relevant URL: http://www.securityfocus.com/bid/10963
Summary:
A local vulnerability is reported to exist in glibc: it is reported
that LD_DEBUG is allowed on setuid binaries even though this should
not be allowed. A local attacker may debug a setuid binary and may
disclose sensitive information.

Information harvested in this manner may be employed to aid in further
attacks that are launched against a vulnerable host.

TNFTPD Multiple Signal Handler Remote Superuser Compromise V...
BugTraq ID: 10967
Remote: Yes
Date Published: Aug 17 2004
Relevant URL: http://www.securityfocus.com/bid/10967
Summary:
It is reported that TNFTPD is susceptible to multiple remote superuser
compromise vulnerabilities. These vulnerabilities are all derived from
improper signal handler operations. Signals can be delivered to the
vulnerable FTPD by a remote attacker via out-of-band TCP data (OOB).

These vulnerabilities may allow an anonymous remote attacker to gain
superuser privileges on the computer hosting the affected software.

TNFTPD versions prior to 10 Aug 2004 are reported vulnerable. All
versions of Lukemftpd are reported vulnerable. NetBSD version 1.6.2
and prior, NetBSD-2.0 prior to 15 Aug 2004, as well as NetBSD-current
prior to 10 Aug 2004 are reported vulnerable as well.

MySQL mysqlhotcopy Script Insecure Temporary File Creation V...
BugTraq ID: 10969
Remote: No
Date Published: Aug 18 2004
Relevant URL: http://www.securityfocus.com/bid/10969
Summary:
mysqlhotcopy is reported to contain an insecure temporary file
creation vulnerability. The result of this is that temporary files
created by the application may use predictable filenames.  This issue
presents itself when the 'scp' method is used with the script.

A local attacker may also possibly exploit this vulnerability to
execute symbolic link file overwrite attacks.

It was confirmed that this issue exists in mysqlhotcopy shipped with
MySQL 3.23.49 and 4.0.20.  Other versions of MySQL are likely to be
affected as well.  This BID will be updated as more information
becomes available.

Cisco IOS OSPF Remote Denial Of Service Vulnerability
BugTraq ID: 10971
Remote: Yes
Date Published: Aug 18 2004
Relevant URL: http://www.securityfocus.com/bid/10971
Summary:
Cisco IOS is reported prone to a remote denial of service
vulnerability.

It is reported that the vulnerability manifests when a malformed Open
Shortest Path First (OSPF) packet is handled by the vulnerable router.

A remote attacker may exploit this condition in multiple routers that
reside on the same network segment as the attacker, to trigger a
device reset. The attacker may continuously transmit malicious OSPF
packets to the target routers in order to effectively deny network
services to legitimate hosts.

[ firmware ]

Courier-IMAP Remote Format String Vulnerability
BugTraq ID: 10976
Remote: Yes
Date Published: Aug 18 2004
Relevant URL: http://www.securityfocus.com/bid/10976
Summary:
Courier-IMAP is reported to be susceptible to a remote format string
vulnerability. This issue is due to a failure of the application to
properly sanitize user-supplied input before using it as the format
specifier in a formatted printing function.

Successful exploitation of this issue will allow an attacker to
execute arbitrary code on the affected computer with the privileges of
the user that the IMAP daemon runs as. This vulnerability is
exploitable prior to authentication.

Courier-IMAP versions 1.6.0 through to 2.2.1 are reported
vulnerable. Other versions may also be vulnerable.

Multiple Qt Image Handling Heap Overflow Vulnerabilities
BugTraq ID: 10977
Remote: Yes
Date Published: Aug 19 2004
Relevant URL: http://www.securityfocus.com/bid/10977
Summary:
Multiple heap overflows have been reported to exist in the Qt QImage
library.  These issues may be triggered when handling malformed images
of various types, potentially causing a denial of service in
applications that use the library to render images.  Remote code
execution is also possible.

MySQL mysql_real_connect Function Potential Remote Buffer Ov...
BugTraq ID: 10981
Remote: Yes
Date Published: Aug 20 2004
Relevant URL: http://www.securityfocus.com/bid/10981
Summary:
MySQL is prone to a potential remote buffer overflow vulnerability.
This issue occurs due to insufficient boundary checks performed by the
'mysql_real_connect' function.

The 'mysql_real_connect' function does not verify the length of the IP
address returned through a DNS response from a server.  Immediate
consequences of an attack may result in a denial of service condition.
It is conjectured that this issue could allow for arbitrary code
execution, however, this has not been confirmed.

It is also reported that the glibc library verifies the length of an
IP address, however, other libraries may obtain the length from a DNS
response packet.  Computers using glibc on Linux and BSD platforms may
not be vulnerable to this issue.

British National Corpus SARA Remote Buffer Overflow Vulnerab...
BugTraq ID: 10984
Remote: Yes
Date Published: Aug 20 2004
Relevant URL: http://www.securityfocus.com/bid/10984
Summary:
sarad is reported prone to a buffer overflow vulnerability.  This
issue presents itself due to insufficient sanitization of
user-supplied data.

A remote attacker can trigger the overflow condition by supplying a
large string value to the application.  Arbitrary code execution is
possible in the context of the server.

In addition to this issue, it is reported that various other instances
of potential buffer overflow and format string vulnerabilities exist
throughout the application.  These issues exist due to the use of the
strcpy() and sprintf() functions.  This BID will be updated upon
further analysis.