[gull-annonces] Summary of SecurityFocus Newsletter #256

Marc SCHAEFER schaefer at alphanet.ch
Wed Jul 7 10:21:01 CEST 2004


MPlayer GUI File Name Buffer Overflow Vulnerability
BugTraq ID: 10615
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10615
Summary:
It has been reported that MPlayer when used with the graphical user
interface (GUI) is affected by a buffer overflow vulnerability.  This
issue is due to a failure of the application to properly handle
user-supplied strings when copying them into finite buffers.

Successful exploitation would immediately produce a denial of service
condition in the affected process. This issue may also be leveraged to
execute code on the affected system within the security context of the
user running the vulnerable process.

Apache ap_escape_html Memory Allocation Denial Of Service Vu...
BugTraq ID: 10619
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10619
Summary:
Apache Web Server is reportedly affected by a memory allocation based
denial of service vulnerability.  This issue is due to a failure of
the server to handle excessively long HTTP header strings.

This issue would allow an attacker to cause the affected application
to crash, denying service to legitimate users.

Although Apache version 2.0.49 is reportedly affected by this issue, it
is likely that earlier versions are affected as well.

[ Apache 1.3.x not affected ]

D-Link AirPlus DI-614+, DI-624, and DI-604 DHCP Server Flood...
BugTraq ID: 10621
Remote: Yes
Date Published: Jun 27 2004
Relevant URL: http://www.securityfocus.com/bid/10621
Summary:
The D-Link DI-614+, DI-624, and DI-604 are reported susceptible to a
denial of service vulnerability in their DHCP service.

By flooding the DHCP service with valid DHCP requests, the device will
reportedly consume all available memory and eventually reboot.

An attacker may be able to deny service to legitimate users of an
affected device by repeatedly causing the device to reboot.

The DI-614+ with firmware revision 2.30, and the DI-604 with unknown
firmware were reported vulnerable. The DI-624 Revision B was also
confirmed susceptible.

[ firmware ]

popclient Email Message Buffer Overflow Vulnerability
BugTraq ID: 10625
Remote: Yes
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10625
Summary:
It has been reported that popclient is affected by an off by one
buffer overflow vulnerability.  This issue is due to a failure of the
application to properly manage static stack-based buffers.

Successful exploitation of this issue may cause a denial of service
condition in the affected application; it is unlikely that this issue
could be leveraged to execute code; however, it may be possible.

Dr. Web Unspecified Buffer Overflow Vulnerability
BugTraq ID: 10628
Remote: Yes
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10628
Summary:
It has been reported that an unspecified buffer overflow vulnerability
exists in Dr. Web.

Users of Dr. Web have reported seeing this message logged to syslog by
ProPolice on OpenBSD computers: drwebd: stack overflow in function int
scanMail(int, time_t *, int, int, const char *)

An unspecified buffer overflow in the scanMail() function may be
exploitable. If it is, attempts to exploit it may result in the
affected application crashing. This may also be leveraged to execute
arbitrary code in the context of the Dr. Web process.

As more information is known, this BID will be updated.

[ antivirus, exists as a FreeBSD port, licence unknown,
  web server in Russian.
]

Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vuln...
BugTraq ID: 10632
Remote: No
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10632
Summary:
It is reported that the OpenPROM Linux kernel driver contains multiple integer overflow vulnerabilities.

Two vulnerabilities are reported to exist in the OpenPROM driver, both involve overflowing an integer value. These values are used to allocate kernel memory, and then subsequently to copy data into the kernel. This could lead to overwriting large amounts of kernel memory.

These vulnerabilities could lead to a system crash, or possible code execution in the context of the kernel.

Some versions of the Linux kernel are vulnerable to both overflows, other versions are only susceptible to one. Kernel version 2.6.6 does not appear to be vulnerable.

[ sbus is a SPARC (Sun) bus. Isn't OpenPROM a MacOS X project?
]

Pavuk Remote Stack-Based Buffer Overrun Vulnerability
BugTraq ID: 10633
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10633
Summary:
Pavuk is reported prone to a remote buffer overrun vulnerability. It
is reported that the issue exists due to a lack of boundary checks
performed on third party data, that is received from remote HTTP
servers, before the data is copied into a finite stack-based buffer.

Ultimately a remote malicious site may exploit this condition to
execute arbitrary code in the context of the user who is running the
vulnerable Pavuk software.

[ Program for synchronising (mirroring, copying) documents
  over HTTP/HTTPS
]

Linux Kernel IPTables Sign Error Denial Of Service Vulnerabi...
BugTraq ID: 10634
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10634
Summary:
It has been reported that the Linux kernel is affected by a denial of
service vulnerability in the iptables implementation.  This issue is
due to a failure of iptables to handle certain TCP packet header
values.

An attacker can exploit this issue to cause the iptables
implementation to consume all CPU resources due to an infinite loop,
denying service to legitimate users.

[ kernel 2.6 ]

Juniper JUNOS Packet Forwarding Engine IPv6 Denial of Servic...
BugTraq ID: 10636
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10636
Summary:
Juniper routers running the JUNOS operating system are reported prone
to a denial of service vulnerability due to memory exhaustion.  An
attacker can cause a persistent denial of service condition by
repeatedly sending certain IPv6 packets to a router.

This issue affects the JUNOS Packet Forwarding Engine IPv6 branch
released after February 24, 2004.  All Juniper Networks M-series and
T-series routing platforms with IPv6 support are also prone to this
issue.

[ firmware ]

Open WebMail Vacation.PL Remote Command Execution Variant Vu...
BugTraq ID: 10637
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10637
Summary:
A vulnerability is reported in Open WebMail that allows a remote
attacker to execute arbitrary commands on a vulnerable host.

Exploitation of the vulnerability could allow a non-privileged user to
remotely execute arbitrary commands in the context of the web server
that is hosting the vulnerable application.

This vulnerability is reported to affect all versions of Open WebMail
released before 29/06/2004.

[ http://openwebmail.org/, based on Neomail, GPL ]

ZyXEL Prestige Router Authentication Password Field Remote D...
BugTraq ID: 10638
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10638
Summary:
ZyXEL Prestige routers are reported prone to a remote denial of
service vulnerability. The issue is reported to exist due to a lack of
boundary checks performed on password string data handled by the
device authentication interface.

A remote attacker who has access to the authentication interface of
the affected appliance may trigger a device reset at will, effectively
denying service to legitimate users.

[ firmware ]

RSBAC Jail SUID And SGID File Creation Vulnerability
BugTraq ID: 10640
Remote: No
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10640
Summary:
The process jail feature of RSBAC reportedly improperly allows files
to be created with SUID and SGID attributes.

These files can then be used to escalate the privileges inside the
jail. This may allow for further attacks and possible system
compromises.

Versions 1.2.2 and 1.2.3 are reported to be vulnerable to this
issue. A patch has been released by the vendor.

[ http://www.rsbac.org/, a patch for the Linux kernel adding
  access control: MAC, ACL, RC.
]

FreeBSD Linux Binary Compatibility Memory Access Vulnerabili...
BugTraq ID: 10643
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10643
Summary:
It has been reported that FreeBSD is affected by a memory access
vulnerability when implementing linux binary compatibility.  This
issue is due to a programming error that causes certain memory to be
accessed without proper validation.

This issue would allow an attacker to disclose and overwrite kernel
memory, resulting in information disclosure, privilege escalation and
potential denial of service.

Esearch eupdatedb Symbolic Link Vulnerability
BugTraq ID: 10644
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10644
Summary:
It has been reported that eupdatedb, an esearch utility, is affected by
a symbolic link vulnerability.  This issue is due to a failure of the
application to properly handle temporary file creation.

An attacker can leverage this vulnerability to create an arbitrary
file with the permissions of an unsuspecting user that has activated
the vulnerable utility; facilitating a number of possible attacks.

[ Esearch is a replacement for the Gentoo portage command "emerge
  search". It uses an index to speed up searching of the Portage tree.
]

IBM Informix I-Spy Local Privilege Escalation Vulnerability
BugTraq ID: 10647
Remote: No
Date Published: Jul 02 2004
Relevant URL: http://www.securityfocus.com/bid/10647
Summary:
It is reported that I-Spy is susceptible to a privilege escalation
vulnerability in its 'runbin' binary.

The 'runbin' binary uses its argv[0] to determine both the name of a
binary to run, and the path to that binary. 'runbin' is installed
setuid root by default.

An attacker with local interactive access to a computer with an
affected version of I-Spy installed would be able to exploit this fact
to cause attacker specified binaries to be run as the superuser.

I-Spy version 2.x is reported vulnerable to this issue.

[ in theory, Informix/I-SPY is under a free licence ]
