[gull-annonces] Summary of SecurityFocus Newsletter #280

Marc SCHAEFER schaefer at alphanet.ch
Sat Dec 25 13:53:46 CET 2004


[ This week, the homework of a few of DJB's students was released: they
found 44 bugs in common software, most of them local.
]

mtr mtr_curses_keyaction Local Off-By-One Buffer Overflow Vu...
BugTraq ID: 11884
Remote: No
Date Published: Dec 11 2004
Relevant URL: http://www.securityfocus.com/bid/11884
Summary:
mtr is reported prone to an off-by-one buffer overflow
vulnerability. The issue is present in the mtr_curses_keyaction()
function for the key bindings 's', 'b', 'Q', 'i', 'f', 'm' and 'o'.

Exploitation of this vulnerability could allow a local attacker to
hijack a raw socket. The possibility of successful exploitation may
depend on certain properties of the underlying environment, including
the architecture and the compiler version used.  These factors may
limit the possibility of exploiting the condition to corrupt a
sensitive value in memory.

Citadel/UX Network Data Logging Remote Format String Vulnera...
BugTraq ID: 11885
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11885
Summary:
A remote format string vulnerability reportedly affects the network
data logging functionality of Citadel/UX.  This issue is due to a
failure of the application to properly sanitize user-supplied input
prior to passing it as the format specifier to a formatted printing
function.

A remote attacker may leverage this issue to write to arbitrary
process memory, facilitating code execution.  Any code execution would
take place with superuser privileges.
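The Citadel/UX entry above describes the classic format string bug: untrusted text reaches a printf-family function as its format argument. The following is an added example and not Citadel's code; the function names are hypothetical. It shows the vulnerable shape next to the hardened one, plus a small audit helper that a reviewer or test harness can use to confirm that directives inside untrusted data are copied verbatim rather than interpreted.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Citadel/UX code. The bug class in the advisory is a
 * caller-controlled string reaching a printf-family function as its
 * format argument. All helper names below are hypothetical.
 */

/* Vulnerable shape (kept only for contrast, never called here): the
 * untrusted text is the format, so any '%' directives in it are
 * interpreted by snprintf. Building with -Wformat -Wformat-security
 * (or -Werror=format-security) flags this line. */
static int log_line_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}

/* Hardened shape: the format is a literal and the untrusted text is only
 * ever an argument to "%s", so it is copied byte for byte. */
static int log_line_safe(char *out, size_t outlen, const char *peer,
                         const char *untrusted)
{
    return snprintf(out, outlen, "[%s] %s", peer, untrusted);
}

/* Audit helper: counts printf directives in a string ("%%" is a literal
 * percent sign and does not count). Used to check that data which
 * contains directives still appears unchanged in the rendered line. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

int main(void)
{
    char line[128];
    /* Constructed sample: a peer sending text that contains directives. */
    const char *from_network = "%x %x %n";
    log_line_safe(line, sizeof line, "10.0.0.5", from_network);
    printf("logged: %s (directives in input: %d)\n",
           line, count_directives(from_network));
    (void)log_line_unsafe;
    return 0;
}
```

Usage note: with the hardened helper the rendered line is exactly `[10.0.0.5] %x %x %n`; the directives never reach the format parser. The compiler flags named in the comment are real gcc/clang options and are the cheapest way to find every remaining instance of the unsafe shape in a code base.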

mnoGoSearch Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 11895
Remote: Yes
Date Published: Dec 10 2004
Relevant URL: http://www.securityfocus.com/bid/11895
Summary:
It is reported that mnoGoSearch is affected by various cross-site
scripting vulnerabilities.  These issues are due to a failure of the
application to properly sanitize user-supplied URI input.

These problems present themselves when malicious HTML and script code
is sent to the application through the next/prev search results page
and extended/simple search form links.

mnoGoSearch 3.2.26 and prior versions are vulnerable to these issues.

[ it has not been determined whether this concerns the C core or the
  PHP frontend. ]

SQLgrey Postfix Greylisting Service Unspecified SQL Injectio...
BugTraq ID: 11898
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11898
Summary:
SQLgrey Postfix Greylisting Service is prone to an unspecified SQL
injection vulnerability.  This issue is reportedly due to insufficient
sanitization of SQL syntax from fields in email processed by the
software.

The issue could be exploited to influence SQL queries, potentially
allowing for compromise of the software or other attacks that impact
database security.

This issue was reportedly missed by the vendor when they fixed the
issue described in BID 11633.

zgv Image Viewer Animated GIF Remote Memory Corruption Vulne...
BugTraq ID: 11915
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11915
Summary:
A remote memory corruption vulnerability affects the animated GIF
functionality of zgv. It should be noted that although it is likely
that xzgv is also vulnerable to this issue, this has not been
confirmed. The underlying issue causing this vulnerability is unknown,
although it is likely due to a failure of the application to handle
malformed image files.

The full impact of this issue is currently unknown; however, this issue
can be leveraged to cause the affected application to crash.  It is
possible, however unconfirmed, that this issue may be leveraged to
execute arbitrary code.

Linux NFS 64-Bit Architecture Remote Buffer Overflow Vulnera...
BugTraq ID: 11911
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11911
Summary:
A remote buffer overflow reportedly affects the disk quota
functionality of the Linux NFS utilities.  This issue is due to a
failure of the application to properly validate the length of
user-supplied strings prior to copying them into static process
buffers.

An attacker may leverage this issue to execute arbitrary code on an
affected computer with superuser privileges.  This may be exploited to
gain unauthorized access or privilege escalation.

Linux kernel IGMP Multiple Vulnerabilities
BugTraq ID: 11917
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11917
Summary:
Linux kernel IGMP functionality is reported prone to multiple
vulnerabilities.  These issues can allow local attackers to carry out
denial of service and privilege escalation attacks.  Remote attackers
may also cause denial of service conditions in vulnerable computers.

The first issue exists in the 'ip_mc_source()' function and may allow
local attackers to cause a denial of service condition or gain
elevated privileges.

The second issue is related to the first issue and may allow an
attacker to disclose sensitive kernel memory.

The third vulnerability exists in the IGMP/IP networking module and
may allow remote attackers to cause a denial of service condition in a
vulnerable computer.

[ see
    http://www.securityfocus.com/archive/1/384550/2004-12-15/2004-12-21/0
  for the mitigation of the remote attack
]

Linux kernel scm_send Local Denial of Service Vulnerability
BugTraq ID: 11921
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11921
Summary:
Linux kernel is reported prone to a local denial of service
vulnerability.  This issue presents itself in the SCM logical sub
layer of the socket API.

An unprivileged application can craft a malformed auxiliary message
and send it to a socket, which results in the kernel invoking
'__scm_send()' in a manner that leads to a crash.  This issue can
allow local attackers to cause a denial of service condition on a
vulnerable computer.  It is not confirmed if this vulnerability can be
leveraged to gain elevated privileges.

UseModWiki wiki.pl Cross-Site Scripting Vulnerability
BugTraq ID: 11924
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11924
Summary:
It is reported that UseModWiki is affected by a cross-site scripting
vulnerability. This issue is due to a failure of the application to
properly sanitize user-supplied URI input before outputting it in Web
Pages.

This issue could permit a remote attacker to create a malicious URI
link that includes hostile HTML and script code. If this link were to
be followed, the hostile code may be rendered in the Web browser of
the victim user. This would occur in the security context of the
affected Web site and may allow for theft of cookie-based
authentication credentials or other attacks.

[ let us not forget that any system which allows images to be added
  via an external IMG SRC tag or similar can at the very least allow
  access tracking; that is inherent to the flexibility of wikis.
]

OpenBSD ISAKMPD Kernel Heap Buffer Overflow Local Denial Of ...
BugTraq ID: 11928
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11928
Summary:
It is reported that OpenBSD's IPSEC implementation is susceptible to a
kernel heap buffer overflow local denial of service
vulnerability. This issue is reportedly only exploitable by local
users when isakmpd(8) is running.

This issue allows attackers with local interactive access on computers
running isakmpd(8) to cause kernel crashes, denying service to
legitimate users. It is reported that this issue likely does not allow
privilege escalation or code execution.

It should be noted that isakmpd(8) is not configured to run by
default.

Ricoh Aficio 450/455 PCL Printer Remote ICMP Denial Of Servi...
BugTraq ID: 11932
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11932
Summary:
It is reported that Ricoh 450/455 printers are susceptible to a remote
denial of service vulnerability. This issue is due to a failure of the
device to properly handle exceptional ICMP packets.

Remote attackers may exploit this vulnerability to restart affected
devices. Repeated packets may be utilized to sustain the condition,
causing the device to repeatedly restart. Source addresses of the
malicious ICMP packets may also be spoofed, reducing the likelihood of
locating, or blocking access to the attacker.

Due to code reuse among devices, it is likely that other printers are
also affected.

[ firmware ]

Linux kernel Local DRM Denial Of Service Vulnerability
BugTraq ID: 11936
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11936
Summary:
It is reported that the DRM module in the Linux kernel is susceptible
to a local denial of service vulnerability.

This vulnerability likely results in the corruption of video memory,
crashing the X server. It is also reported that malicious users may be
able to modify the video output.

Further details are unavailable at this time. This BID will be updated
as further analysis is completed.

Linux kernel /proc Filesystem Local Information Disclosure Vu...
BugTraq ID: 11937
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11937
Summary:
It is reported that the Linux kernel /proc filesystem is susceptible
to an information disclosure vulnerability. This issue is due to a
race-condition allowing unauthorized access to potentially sensitive
process information.

This vulnerability may allow malicious local users to gain access to
potentially sensitive environment variables in other users'
processes. As some programs pass passwords and other sensitive
information in environment variables, this may aid a malicious user in
further attacks.

Further details are unavailable at this time. This BID will be updated
as further analysis is completed.

Linux kernel sys32_ni_syscall() / sys32_vm86_warning() local buffer ...
BugTraq ID: 11938
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11938
Summary:
The Linux kernel for 64-Bit architectures is reported prone to a local
buffer overflow vulnerability.

This vulnerability exists in 'sys32_ni_syscall()' and
'sys32_vm86_warning()' as a result of an unbounded copy of a 16 byte
string into an 8 byte buffer using the strcpy() function.

Immediate consequences of exploitation of this vulnerability could be
a kernel panic; this could be used to deny service to legitimate
users. It is not currently known whether this vulnerability may be
leveraged to provide for execution of arbitrary code.

Linux kernel sock_dgram_sendmsg Local Denial Of Service Vuln...
BugTraq ID: 11939
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11939
Summary:
The Linux kernel is reported to be prone to a local denial of service
vulnerability. This vulnerability is reported to exist when
'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options
are set in the Linux kernel.

A local attacker may exploit this vulnerability to trigger a kernel
panic and effectively deny service to legitimate users.

vim Modelines Arbitrary Command Execution Variant Vulnerabil...
BugTraq ID: 11941
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11941
Summary:
vim modelines are prone to a vulnerability that may permit execution of
arbitrary commands.  Reportedly, certain modelines options expose this
issue.  Exploitation could occur when a malicious file is opened in
the editor and would occur in the context of the user opening the
file.

This issue is similar to BID 6384.

ethereal Multiple Unspecified Denial of Service and Potentia...
BugTraq ID: 11943
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11943
Summary:
ethereal 0.10.8 has been released to address multiple vulnerabilities.
These vulnerabilities are reported to cause denial of service
conditions in the application; however, it is reported that some
issues may allow for arbitrary code execution.

The following specific issues were specified:

A denial of service vulnerability presents itself in the DICOM
dissector.

The application suffers from a denial of service vulnerability when
handling a malformed RTP timestamp.

It is reported that the HTTP dissector may allow a remote attacker to
access memory that was previously freed.

Another denial of service issue affecting the application arises when
Ethereal processes a specially crafted SMB packet.

This BID will be updated as more information becomes available.

3Com 3CDaemon TFTP Service Remote Buffer Overflow Vulnerabil...
BugTraq ID: 11944
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11944
Summary:
3CDaemon TFTP service is reported to be prone to a remote denial of
service vulnerability. The vulnerability presents itself when any
command is invoked that contains a superfluous filename
parameter. When such a command is handled, the 3CDaemon will fail
reporting opmode 0x01.

[ firmware ? ]

Asante FM2008 Managed Ethernet Switch Default Backdoor Accou...
BugTraq ID: 11947
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11947
Summary:
It is reported that Asante FM2008 managed Ethernet switches contain a
default backdoor account vulnerability.

Attackers with network access to the telnet port of affected devices
may gain administrative access by using these default
credentials. These default credentials are not reportedly usable in
the web administration interface, just the telnet or serial
interfaces.

Version v01.06 of Asante FM2008 switches is reported susceptible to
this vulnerability. Due to code reuse among devices, it is likely that
other devices are vulnerable as well.

[ firmware ]

Linux kernel Multiple Local Vulnerabilities
BugTraq ID: 11956
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11956
Summary:
The Linux kernel is reported prone to multiple local
vulnerabilities. The following individual issues are reported:

An integer overflow is reported to exist in 'ip_options_get()' of the
'ip_options.c' kernel source file; this vulnerability is only reported
to exist in the 2.6 kernel tree.

Although unconfirmed, due to the nature of this vulnerability it is
conjectured that this issue may be further leveraged to provide for
arbitrary code execution with ring 0 privileges.

A local attacker may exploit this vulnerability to deny service to
legitimate users. Other attacks are also likely possible.

A second integer overflow vulnerability is reported to exist in the
'vc_resize()' function of the Linux kernel; this vulnerability is
reported to exist in the 2.6 and 2.4 kernel trees.

Although unconfirmed, due to the nature of this vulnerability it is
conjectured that this issue may be further leveraged to provide for
arbitrary code execution with ring 0 privileges.

A local attacker may exploit this vulnerability to deny service to
legitimate users. Other attacks are also likely possible.

A third vulnerability, a memory leak, is reported to exist in
'ip_options_get()' of the 'ip_options.c' kernel source file; this
vulnerability is reported to exist in the 2.6 and 2.4 kernel trees.

A local attacker may exploit this vulnerability to consume kernel heap
memory resources and in doing so may impact system performance
ultimately resulting in a denial of service to legitimate users.

ChBg Scenario File Overflow Vulnerability
BugTraq ID: 11957
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11957
Summary:
ChBg is reported prone to a remote buffer overflow vulnerability.
This issue arises because the application fails to carry out proper
boundary checks before copying user-supplied data into sensitive
process buffers.  It is reported that this issue can allow an attacker
to gain superuser privileges on a vulnerable computer.

An attacker can exploit this issue by crafting a malicious scenario
file. A scenario is a file containing a list of pictures to display.

If a user obtains this file and processes it through ChBg, the
attacker-supplied instructions may be executed on the vulnerable
computer.

ChBg 1.5 is reported prone to this vulnerability.  It is likely that
other versions are affected as well.

Cisco Guard And Traffic Anomaly Detector Default Backdoor Ac...
BugTraq ID: 11959
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11959
Summary:
It is reported that Cisco Guard and Anomaly Detector appliances
contain a default backdoor account vulnerability.

These appliances contain an undocumented user with a username of
'root', and an unspecified default password. This is an administrative
account, with privileges similar to the Unix superuser.

By exploiting this vulnerability, attackers with SSH or HTTPS access
to affected devices may gain administrative access.

Versions of Cisco Guard prior to 3.1, and versions of Cisco Anomaly
Detector prior to 3.1 are reportedly affected by this vulnerability.

[ firmware ]

MPlayer MMST get_header Remote Client-Side Buffer Overflow V...
BugTraq ID: 11962
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11962
Summary:
A remote, client-side buffer overflow vulnerability reportedly affects
MPlayer. This issue is due to a failure of the application to properly
validate the length of user-supplied strings prior to copying them
into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This
may facilitate unauthorized access or privilege escalation.

ChangePassword Local Privilege Escalation Vulnerability
BugTraq ID: 11963
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11963
Summary:
ChangePassword is reported prone to a local privilege escalation
vulnerability.  This issue can allow local attackers to gain superuser
privileges on a vulnerable computer.

ChangePassword 0.8 and prior versions are believed to be affected by
this issue.

TNFTP FTP Client Directory Traversal Vulnerability
BugTraq ID: 11965
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11965
Summary:
The tnftp FTP client is reported susceptible to a directory traversal
vulnerability. This issue is due to a failure of the application to
properly sanitize user-supplied input data.

This vulnerability allows an attacker controlling a malicious remote
server to write to arbitrary locations on the client's computer with
the privileges of the user invoking the vulnerable FTP client.
Depending on the particular configuration of the vulnerable FTP
client, new files may be created, or files may be overwritten or
appended to. Depending on the configuration, this may also occur
without confirmation.

[ which one?  HP's? ]
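The tnftp entry above is a client-side directory traversal: a file name chosen by the remote server is used as a local path. The following is an added example, not tnftp's code, of the check a client should apply before opening a server-supplied name for writing; the function names are hypothetical. It keeps the file inside the current working directory by rejecting absolute paths, any ".." component and control characters, and it also offers the stricter option of discarding every directory component.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Added example, not tnftp code. A client that lets the remote end choose
 * the local file name (for instance the names returned by a directory
 * listing during a multi-file get) must treat that name as untrusted.
 * Hypothetical names.
 */

#define LOCAL_NAME_MAX 255

/* Returns true only if name is a relative path with no ".." component
 * and no control characters, so a file opened with it stays below the
 * current working directory. */
static bool local_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')                       /* absolute path */
        return false;
    if (strlen(name) > LOCAL_NAME_MAX)
        return false;

    /* Reject control characters (newlines in names, terminal escapes). */
    for (const unsigned char *c = (const unsigned char *)name; *c; c++)
        if (iscntrl(*c))
            return false;

    /* Walk the path one component at a time; ".." anywhere is rejected,
     * while names that merely start with ".." (e.g. "..foo") are fine. */
    const char *p = name;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t seglen = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seglen == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p = seg_end ? seg_end + 1 : p + seglen;
    }
    return true;
}

/* Stricter alternative: ignore whatever directory the server suggested
 * and keep only the final component. Returns a pointer into name. */
static const char *local_basename(const char *name)
{
    const char *slash = strrchr(name, '/');
    return slash ? slash + 1 : name;
}

int main(void)
{
    /* Constructed sample of names a malicious server might return. */
    const char *names[] = {
        "report.txt", "sub/dir/file.bin", "../.ssh/authorized_keys",
        "/etc/passwd", "sub/../../x", "..foo"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s safe=%d basename=%s\n", names[i],
               (int)local_name_is_safe(names[i]), local_basename(names[i]));
    return 0;
}
```

Usage note: the check runs on the name the server sent, before any open() or fopen(); a client that also honours server-chosen names for append mode should apply the same rule there, since the advisory notes both overwrite and append as outcomes.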

CUPS HPGL File Processor Buffer Overflow Vulnerability
BugTraq ID: 11968
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11968
Summary:
CUPS is reported prone to a remote buffer overflow vulnerability. The
issue is reported to exist in the 'hpgl-input.c' source file and is
because of a lack of sufficient boundary checks performed on data
contained in HPGL files.

A remote attacker may exploit this condition to execute arbitrary code
in the context of the vulnerable CUPS daemon.

xine-lib Remote Client-Side Buffer Overflow Vulnerability
BugTraq ID: 11969
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11969
Summary:
It is reported that the xine media library is affected by a remote
buffer overflow vulnerability. This issue can allow a remote attacker
to gain unauthorized access to a vulnerable computer. The overflow
condition presents itself in the 'demux_aiff.c' file.

Samba Directory Access Control List Remote Integer Overflow ...
BugTraq ID: 11973
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11973
Summary:
A remotely exploitable integer overflow vulnerability affects the
directory access control list (DACL) processing functionality of
Samba.  This issue is due to a failure of the application to properly
perform sanity checking on calculated data sizes prior to copying data
into static process buffers.

An attacker with access to an SMB share may leverage this issue to
overwrite the heap of the affected process, facilitating code
execution with superuser privileges.

Yanf HTTP Response Buffer Overflow Vulnerability
BugTraq ID: 11975
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11975
Summary:
Yanf is prone to a buffer overflow vulnerability.  This issue is
exposed when the client reads data from a remote HTTP server.

If this issue is successfully exploited, it could allow for execution
of arbitrary code in the context of the user running the client.

jpegtoavi File List Buffer Overflow Vulnerability
BugTraq ID: 11976
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11976
Summary:
jpegtoavi is prone to a buffer overflow.  This issue is exposed when
the software handles a malformed file list.  As the list originates
from an external or untrusted source, this issue is considered remote
in nature.

If this vulnerability is successfully exploited, it will result in
execution of arbitrary code in the context of the user running the
application.

vilistextum HTML Attribute Parsing Buffer Overflow Vulnerabi...
BugTraq ID: 11979
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11979
Summary:
vilistextum is prone to a buffer overflow vulnerability.  This issue
is exposed when the application parses HTML attributes while
converting an HTML file to text/ASCII.  Since HTML files will likely
originate from an external or untrusted source, this issue should be
considered remote in nature.

Successful exploitation will allow for execution of arbitrary code in
the context of the user running the application.

2fax Tab Expansion Buffer Overflow Vulnerability
BugTraq ID: 11980
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11980
Summary:
2fax is prone to a buffer overflow vulnerability.  This issue is
exposed when the software performs tab expansion operations while
converting files.  Since files may originate from an external or
untrusted source, this issue is considered remote in nature.

Successful exploitation will result in execution of arbitrary code in
the context of the user running the application.

mplayer And xine-lib Multiple Remote Client-Side Buffer Over...
BugTraq ID: 11987
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11987
Summary:
Multiple remote, client side buffer overflow vulnerabilities
reportedly affect xine-lib and MPlayer.  These issues are due to a
failure of the application to properly validate the length of
user-supplied strings prior to copying them into static process
buffers.

An attacker may exploit these issues to execute arbitrary code with
the privileges of the user that activated the vulnerable
application. This may facilitate unauthorized access or privilege
escalation.

QwikMail HELO Command Buffer Overflow Vulnerability
BugTraq ID: 11989
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11989
Summary:
QwikMail (qwik-smtpd) is reported prone to a remotely exploitable
buffer overflow vulnerability.  The issue is due to insufficient
bounds checking of client-supplied SMTP HELO request data.

This issue could theoretically be exploited to execute arbitrary code.
Due to the memory layout, it is also reportedly possible to overwrite
an adjacent buffer in a manner that will allow a remote attacker to
abuse the server as an unauthorized mail relay.

nasm Error Preprocessor Directive Buffer Overflow Vulnerabil...
BugTraq ID: 11991
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11991
Summary:
nasm is prone to a buffer overflow.  This condition is exposed when
the application attempts to assemble a source file that contains
malformed '%error' preprocessor directive arguments.  Since the source
file may originate from an external or untrusted source, this
vulnerability is considered remote in nature.

Successful exploitation will permit arbitrary code execution with the
privileges of the user running the application.

Slashcode Slash CVS Unspecified Security Vulnerability
BugTraq ID: 11993
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11993
Summary:
An unspecified vulnerability or vulnerabilities affect Slashcode
Slash.  The underlying cause of this issue is currently unknown.

The potential impact or impacts of this issue are currently unknown.
This BID will be updated upon the release of more information.

rtf2latex2e Stack Buffer Overflow Vulnerability
BugTraq ID: 11994
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11994
Summary:
It is reported that rtf2latex2e is susceptible to a stack buffer
overflow vulnerability. This issue is due to a failure of the
application to properly bounds check user-supplied image data prior to
copying it into a fixed-size memory buffer.

This vulnerability allows remote attackers to alter the proper flow of
execution of the application, potentially resulting in the execution
of attacker-supplied machine code in the context of the application
attempting to read the malicious RTF file.

Convex 3D Buffer Overflow Vulnerability
BugTraq ID: 11995
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11995
Summary:
It is reported that Convex 3D is susceptible to a stack-based buffer
overflow vulnerability. This issue is due to a failure of the
application to properly check the bounds of user-supplied image data
prior to copying it into a fixed-size memory buffer.

This vulnerability allows remote attackers to alter the proper flow of
execution of the application, potentially resulting in the execution
of attacker-supplied machine code in the context of the application
attempting to read a malicious file.

NetBSD Multiple Local Unspecified Binary Compatibility Layer...
BugTraq ID: 11996
Remote: No
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11996
Summary:
It is reported that NetBSD is susceptible to multiple unspecified
local vulnerabilities in its binary compatibility layer. It is
reported that many, if not all of the compatibility types are affected
by these vulnerabilities. The system call translation functions
reportedly execute unsafe operations with the user-supplied system
call arguments.

This BID will be updated as further information is disclosed, and as
further analysis is performed.

These vulnerabilities affect computers running NetBSD that have any
'COMPAT_*' options defined in the running kernel.

These vulnerabilities allow local users to crash the kernel, denying
service to legitimate users. It is also conjectured that some of these
issues may allow for code execution in kernel-space, leading to
privilege escalation.

LinPopUp Remote Buffer Overflow Vulnerability
BugTraq ID: 11997
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11997
Summary:
LinPopUp is reported prone to a remote buffer overflow vulnerability.
This issue arises because the application fails to carry out proper
boundary checks before copying user-supplied data into sensitive
process buffers. It is reported that this issue can allow an attacker
to gain unauthorized access to a computer in the context of the
application.

An attacker can exploit this issue by crafting a malicious message
that contains excessive string data, replacement memory addresses, and
executable instructions to trigger this issue.

LinPopUp version 1.2.0 is reported prone to this vulnerability. It is
likely that other versions are affected as well.

YAMT ID3 Tag Sort Command Execution Vulnerability
BugTraq ID: 11999
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11999
Summary:
YAMT (Yet Another MP3 Tool) is prone to a vulnerability that may allow
attackers to execute arbitrary commands.  This issue is exposed when
the program attempts to sort ID3 tags.  As this data may originate
from an external or untrusted source, this issue is considered remote
in nature.

Successful exploitation will allow an attacker to execute arbitrary
commands when the software processes an MP3 that contains malicious
ID3 tag data.  This will occur in the context of the user running the
application.

o3read HTML Parser Buffer Overflow Vulnerability
BugTraq ID: 12000
Remote: Yes
Date Published: Dec 17 2004
Relevant URL: http://www.securityfocus.com/bid/12000
Summary:
o3read is prone to a buffer overflow vulnerability.  This issue is
exposed when the program parses HTML content during file format
conversion.  This issue is considered to be remote in nature since it
is possible that files may originate from an external or untrusted
source.

Successful exploitation will result in code execution with the
privileges of the user running the application.
