[gull-annonces] Summary of SecurityFocus Newsletter #297

Marc SCHAEFER schaefer at alphanet.ch
Thu Apr 28 10:14:01 CEST 2005


KDE KMail HTML EMail Remote Email Content Spoofing Vulnerabi...
BugTraq ID: 13085
Remote: Yes
Date Published: Apr 11 2005
Relevant URL: http://www.securityfocus.com/bid/13085
Summary:
A remote email message content spoofing vulnerability affects KDE
KMail.  This issue is due to a failure of the application to properly
sanitize HTML email messages.

An attacker may leverage this issue to spoof email content and various
header fields of email messages.  This may aid an attacker in
conducting phishing and social engineering attacks by spoofing PGP
keys as well as other critical information.

OpenOffice Malformed Document Remote Heap Overflow Vulnerabi...
BugTraq ID: 13092
Remote: Yes
Date Published: Apr 11 2005
Relevant URL: http://www.securityfocus.com/bid/13092
Summary:
OpenOffice is reported prone to a remote heap overflow vulnerability.

An attacker may exploit this issue by crafting a malformed .doc file
and enticing a user to open this file with the affected application.
If a vulnerable user opens this file in OpenOffice, the application
may crash due to memory corruption.  This issue may also be leveraged
to execute arbitrary code in the context of the user running
OpenOffice.

OpenOffice 1.1.4 and 2.0 Beta are reported vulnerable to this issue.

rsnapshot Local File Permission Manipulation Vulnerability
BugTraq ID: 13095
Remote: No
Date Published: Apr 11 2005
Relevant URL: http://www.securityfocus.com/bid/13095
Summary:
A local file privileges manipulation vulnerability affects rsnapshot.
This issue is due to a design error that causes the failure of the
utility to properly assign permissions on files referenced by symbolic
link files.

An attacker may leverage this issue to change the permissions on
arbitrary files backed up by the affected utility.  Specifically an
attacker can claim ownership of the target file.

KDE PCX Image File Handling Buffer Overflow Vulnerability
BugTraq ID: 13096
Remote: Yes
Date Published: Apr 11 2005
Relevant URL: http://www.securityfocus.com/bid/13096
Summary:
KDE is reported prone to a PCX image file handling buffer overflow
vulnerability. This issue is due to a failure of the 'kimgio' image
library to properly validate PCX image data.

This vulnerability was reported to exist in PCX image handling
routines, but other image handlers have been patched by the vendor. It
is therefore possible that other image file formats may also be
affected by similar problems.

Attackers may exploit this vulnerability to crash applications
utilizing the affected library, or possibly cause arbitrary machine
code to be executed in the context of the application utilizing the
affected library.

ImageMagick Multiple Unspecified Image Handling Heap-Based M...
BugTraq ID: 13100
Remote: Yes
Date Published: Apr 11 2005
Relevant URL: http://www.securityfocus.com/bid/13100
Summary:
ImageMagick is reported prone to multiple unspecified heap memory
corruption vulnerabilities. It is reported that these issues are
caused by a lack of sufficient sanity checks performed while
allocating heap-based memory when the chunk size is derived from the
image height, width and plane values.

It is reported that a malicious image may be used to trigger these
issues.

A remote attacker may potentially exploit these vulnerabilities to
crash affected software, or to potentially execute arbitrary code in
the context of the user that is running the affected software,
although this is not confirmed.

This BID will be updated and split into unique BIDs as soon as further
information is available.
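
The allocation bug the summary above describes is an integer overflow: width, height and plane count are multiplied together, the product wraps, and a small buffer is handed to code that then writes a full-size image into it. The following C is an added example, not ImageMagick code (the image_header layout, the 256 MiB cap and the function names are assumptions); it shows the wrapping computation beside an overflow-checked version that a decoder can use to reject the file before allocating anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Header fields as a decoder reads them from the file; every one of them
 * is attacker-controlled (assumed layout, not ImageMagick's own). */
struct image_header {
    uint32_t width, height;
    uint32_t planes;            /* samples per pixel, e.g. 3 for RGB */
    uint32_t bytes_per_sample;
};

/* Policy cap: refuse anything larger even when the arithmetic is sound. */
#define MAX_PIXEL_BYTES ((size_t)256 * 1024 * 1024)

/* The pattern the advisory describes: the product silently wraps in 32-bit
 * arithmetic, so a huge image yields a tiny allocation that the decoder
 * then overruns while writing pixels. Shown for contrast only. */
uint32_t naive_size_u32(uint32_t w, uint32_t h, uint32_t planes, uint32_t bps)
{
    return w * h * planes * bps;
}

/* a * b, reporting overflow instead of wrapping. */
static bool mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Compute the pixel-buffer size, or return false if any dimension is zero,
 * the product overflows size_t, or it exceeds the policy cap. */
bool image_buffer_size(const struct image_header *h, size_t *out)
{
    size_t n;
    if (h->width == 0 || h->height == 0 || h->planes == 0 || h->bytes_per_sample == 0)
        return false;
    if (!mul_checked(h->width, h->height, &n)) return false;
    if (!mul_checked(n, h->planes, &n)) return false;
    if (!mul_checked(n, h->bytes_per_sample, &n)) return false;
    if (n > MAX_PIXEL_BYTES) return false;
    *out = n;
    return true;
}

/* Allocate the pixel buffer only after the size has been validated; callers
 * must treat NULL as "reject this file", not merely as out-of-memory. */
unsigned char *alloc_pixels(const struct image_header *h)
{
    size_t n;
    if (!image_buffer_size(h, &n))
        return NULL;
    return calloc(n, 1);
}

/* Helper for trying dimensions: the validated size, or 0 when rejected. */
size_t checked_size_or_zero(uint32_t w, uint32_t h, uint32_t planes, uint32_t bps)
{
    struct image_header hdr = { w, h, planes, bps };
    size_t n;
    return image_buffer_size(&hdr, &n) ? n : 0;
}
```

A 65536 x 65536 RGB header makes naive_size_u32 return 0, and a decoder that trusts that value allocates nothing useful and then writes gigabytes into it; the checked path rejects the same header before calloc is ever reached.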

FreeBSD PortUpgrade Local Insecure Temporary File Handling V...
BugTraq ID: 13106
Remote: No
Date Published: Apr 12 2005
Relevant URL: http://www.securityfocus.com/bid/13106
Summary:
A local insecure file handling vulnerability affects FreeBSD
portupgrade.  This issue is due to a design error that causes the
affected application to fail to securely handle temporary files.

An attacker may leverage this issue to corrupt arbitrary files and
execute code with the privileges of a user that runs the vulnerable
utility.  It should be noted that this utility is commonly run with
superuser privileges.

Multiple Vendor TCP/IP Implementation ICMP Remote Denial Of ...
BugTraq ID: 13124
Remote: Yes
Date Published: Apr 12 2005
Relevant URL: http://www.securityfocus.com/bid/13124
Summary:
Multiple vendor implementations of TCP/IP Internet Control Message
Protocol (ICMP) are reported prone to several denial of service
attacks.

ICMP is employed by network nodes to determine certain automatic
actions to take based on network failures reported by an ICMP message.

It is reported that for ICMP error messages, no security checks are
recommended by the RFC. As long as an ICMP message contains a valid
source and destination IP address and port pair, it will be accepted
for an associated connection.

The following individual attacks are reported:

A blind connection-reset attack is reported to affect multiple
vendors. This attack takes advantage of the specification that
describes that on receiving a 'hard' ICMP error, the corresponding
connection should be aborted. The Mitre ID CAN-2004-0790 is assigned
to this issue.

A remote attacker may exploit this issue to terminate target TCP
connections and deny service for legitimate users.

An ICMP Source Quench attack is reported to affect multiple
vendors. This attack takes advantage of the specification that a host
must react to received ICMP Source Quench messages by slowing
transmission on the associated connection. The Mitre ID CAN-2004-0791
is assigned to this issue.

A remote attacker may exploit this issue to degrade the performance of
TCP connections and partially deny service for legitimate users.

An attack against ICMP PMTUD is reported to affect multiple vendors
when they are configured to employ PMTUD. By sending a suitable forged
ICMP message to a target host an attacker may reduce the MTU for a
given connection. The Mitre ID CAN-2004-1060 is assigned to this
issue.

A remote attacker may exploit this issue to degrade the performance of
TCP connections and partially deny service for legitimate users.
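
All three ICMP attacks above rely on the stack accepting any error message whose quoted datagram carries the right address and port pair. The defensive check that later became standard practice (RFC 5927) is to also require that the TCP sequence number quoted in the ICMP payload fall inside the connection's current send window, something an off-path sender cannot know. The C below is an added example and not any vendor's stack: the tcp_conn record, the sample packet (192.0.2.10:40000 to 198.51.100.5:443) and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One established TCP connection as a host's stack would track it
 * (assumed record layout for this example; addresses in host byte order). */
struct tcp_conn {
    uint32_t local_ip, remote_ip;
    uint16_t local_port, remote_port;
    uint32_t snd_una;   /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;   /* next sequence number to be sent */
};

enum icmp_verdict { ICMP_DROP_MALFORMED, ICMP_DROP_NO_CONN, ICMP_DROP_BAD_SEQ, ICMP_ACCEPT };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* True if seq lies in [lo, hi) under modulo-2^32 arithmetic. */
static bool seq_in_window(uint32_t seq, uint32_t lo, uint32_t hi)
{
    return (uint32_t)(seq - lo) < (uint32_t)(hi - lo);
}

/* Decide whether an ICMPv4 error message (buffer starts at the ICMP header;
 * checksums already verified by the caller) is allowed to act on c.
 * RFC 792 requires an error message to quote the offending datagram's IP
 * header plus at least 8 bytes of its payload; for TCP those 8 bytes are
 * both ports and the sequence number, which is what makes the check possible. */
enum icmp_verdict icmp_error_check(const uint8_t *icmp, size_t len, const struct tcp_conn *c)
{
    if (len < 8 + 20 + 8) return ICMP_DROP_MALFORMED;
    uint8_t type = icmp[0];
    if (type != 3 && type != 4 && type != 11 && type != 12)
        return ICMP_DROP_MALFORMED;                 /* not an error message */
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8)
        return ICMP_DROP_MALFORMED;
    if (ip[9] != 6) return ICMP_DROP_NO_CONN;       /* quoted datagram is not TCP */
    const uint8_t *tcp = ip + ihl;
    /* The quoted datagram must be one this host sent on this connection. */
    if (rd32(ip + 12) != c->local_ip || rd32(ip + 16) != c->remote_ip ||
        rd16(tcp) != c->local_port || rd16(tcp + 2) != c->remote_port)
        return ICMP_DROP_NO_CONN;
    /* An off-path sender knows the four-tuple but not what is in flight. */
    if (!seq_in_window(rd32(tcp + 4), c->snd_una, c->snd_nxt))
        return ICMP_DROP_BAD_SEQ;
    return ICMP_ACCEPT;
}

/* Constructed sample: ICMP type 3 code 2 (protocol unreachable, a "hard"
 * error) quoting a TCP segment from 192.0.2.10:40000 to 198.51.100.5:443. */
static size_t build_sample(uint8_t *buf, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = 3; buf[1] = 2;                  /* type, code; checksum left zero */
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; ip[8] = 64; ip[9] = 6;     /* IPv4 with IHL 5, TTL 64, TCP */
    wr16(ip + 2, 40);                        /* total length of quoted datagram */
    wr32(ip + 12, 0xC000020Au);              /* 192.0.2.10 */
    wr32(ip + 16, 0xC6336405u);              /* 198.51.100.5 */
    wr16(ip + 20, 40000); wr16(ip + 22, 443); wr32(ip + 24, seq);
    return 36;
}

/* Run the check on a sample message quoting `seq` against a connection
 * whose send window is [snd_una, snd_nxt). */
enum icmp_verdict icmp_demo(uint32_t seq, uint32_t snd_una, uint32_t snd_nxt)
{
    uint8_t pkt[64];
    size_t n = build_sample(pkt, seq);
    struct tcp_conn c = { 0xC000020Au, 0xC6336405u, 40000, 443, snd_una, snd_nxt };
    return icmp_error_check(pkt, n, &c);
}
```

The window test uses unsigned subtraction so it stays correct when sequence numbers wrap past 2^32. The check does not make the attacks impossible, since a large window can still be hit by guessing, but it turns a blind attack that needs only the four-tuple into one that also has to guess a sequence number in flight.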

Salim Gasmi GLD Postfix Greylisting Daemon Buffer Overflow V...
BugTraq ID: 13129
Remote: Yes
Date Published: Apr 12 2005
Relevant URL: http://www.securityfocus.com/bid/13129
Summary:
It is reported that GLD contains a buffer overflow vulnerability. This
issue is due to a failure of the application to properly ensure that a
fixed-size memory buffer is sufficiently large prior to copying
user-supplied input data into it.

Remote attackers may exploit this vulnerability to cause arbitrary
machine code to be executed in the context of the affected service. As
the service is designed to be run as the superuser, remote attackers
may gain superuser privileges on affected computers.

GLD version 1.4 is reportedly affected, but prior versions may also be
affected.

Salim Gasmi GLD Postfix Greylisting Daemon Format String Vul...
BugTraq ID: 13133
Remote: Yes
Date Published: Apr 12 2005
Relevant URL: http://www.securityfocus.com/bid/13133
Summary:
It is reported that GLD contains a format string vulnerability. This
issue is due to a failure of the application to properly sanitize
user-supplied input data prior to using it in a formatted-printing
function.

Remote attackers may exploit this vulnerability to cause arbitrary
machine code to be executed in the context of the affected service. As
the service is designed to be run as the superuser, remote attackers
may gain superuser privileges on affected computers.

GLD version 1.4 is reportedly affected, but prior versions may also be
affected.

JunkBuster Heap Corruption Vulnerability
BugTraq ID: 13146
Remote: Yes
Date Published: Apr 13 2005
Relevant URL: http://www.securityfocus.com/bid/13146
Summary:
JunkBuster is prone to a heap corruption vulnerability during the
filtering of URIs.  This could potentially be exploited to execute
arbitrary code.

JunkBuster Configuration Modification Vulnerability
BugTraq ID: 13147
Remote: Yes
Date Published: Apr 13 2005
Relevant URL: http://www.securityfocus.com/bid/13147
Summary:
JunkBuster is prone to an issue that could allow a remote attacker to
modify configuration settings.  This could potentially compromise the
privacy of the user of the affected application.

LG U8120 Mobile Phone MIDI File Remote Denial Of Service Vul...
BugTraq ID: 13154
Remote: Yes
Date Published: Apr 13 2005
Relevant URL: http://www.securityfocus.com/bid/13154
Summary:
A remote denial of service vulnerability is reported to affect the LG
U8120 Mobile Phone. The report indicates that the issue manifests when
an affected phone processes a malicious MIDI file.

[ firmware ]

cpio chmod(2) File Permission Modification Race Condition Weakn...
BugTraq ID: 13159
Remote: No
Date Published: Apr 13 2005
Relevant URL: http://www.securityfocus.com/bid/13159
Summary:
cpio is prone to a security weakness. The issue is only present when
an archive is extracted into a world or group writeable directory. It
has been reported that cpio employs non-atomic procedures to write a
file and later change the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of
target files.

This weakness affects cpio version 2.6 and previous versions.

Squid Proxy Aborted Connection Remote Denial Of Service Vuln...
BugTraq ID: 13166
Remote: Yes
Date Published: Apr 14 2005
Relevant URL: http://www.securityfocus.com/bid/13166
Summary:
A remote denial of service vulnerability affects the Squid Proxy.
This issue is due to a failure of the application to properly handle
exceptional network requests.  The problem presents itself when a
remote attacker prematurely aborts a connection during a PUT or POST
request.

A remote attacker may leverage this issue to crash the affected Squid
Proxy, denying service to legitimate users.

visudo Insecure Temporary File Creation Vulnerability
BugTraq ID: 13171
Remote: No
Date Published: Apr 14 2005
Relevant URL: http://www.securityfocus.com/bid/13171
Summary:
visudo is prone to an insecure temporary file creation
vulnerability. However, the issue can only manifest if the software is
invoked on a sudoers file that is contained in a world writable
directory.

The visudo application creates a temporary file in the same directory
as the sudoers file that is being edited. The temporary file is named
using an easily predictable filename.

An attacker may exploit this vulnerability to corrupt arbitrary files
with privileges of the superuser.
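
The cpio and visudo entries above describe two sides of the same file-handling mistake: a predictable name in a directory others can write to, and permissions applied by path after the file already exists. The C below is an added example, not cpio's or visudo's code: write_file_racy shows the described pattern for contrast, and write_file_securely shows the usual fix (mkstemp for an unpredictable exclusive create, fchmod through the descriptor, rename into place). The function names and the /tmp self-check are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisories describe (constructed, not cpio's or visudo's
 * source): a predictable name, an open that follows symlinks, and a chmod
 * by path after the fact. Between the write and the chmod, `dest` may have
 * been swapped for a symlink to some other file. Shown for contrast only. */
int write_file_racy(const char *dest, mode_t mode, const void *data, size_t len)
{
    FILE *f = fopen(dest, "w");
    if (!f) return -1;
    if (fwrite(data, 1, len, f) != len || fclose(f) != 0) return -1;
    return chmod(dest, mode);
}

/* Hardened version: the file is created under an unpredictable name with
 * O_CREAT|O_EXCL (mkstemp), its permissions are set through the descriptor
 * (fchmod acts on the inode we hold, never on whatever the path now names),
 * and it is moved into place with rename(), which replaces `dest` itself
 * even if `dest` has meanwhile become a symlink. */
int write_file_securely(const char *dest, mode_t mode, const void *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", dest) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);                 /* created exclusively, mode 0600 */
    if (fd < 0) return -1;
    const unsigned char *p = data;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n <= 0) goto fail;
        p += n;
        left -= (size_t)n;
    }
    if (fchmod(fd, mode) != 0) goto fail;  /* by descriptor, not by path */
    if (close(fd) != 0) { unlink(tmp); return -1; }
    if (rename(tmp, dest) != 0) { unlink(tmp); return -1; }
    return 0;
fail:
    close(fd);
    unlink(tmp);
    return -1;
}

/* Self-check: write a file with mode 0640 into a fresh private directory
 * and report the permission bits actually on disk (-1 on any failure). */
int demo_secure_write(void)
{
    char dir[] = "/tmp/secwrite.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[4096];
    snprintf(path, sizeof path, "%s/target", dir);
    const char msg[] = "hello\n";
    struct stat st;
    int result = -1;
    if (write_file_securely(path, 0640, msg, sizeof msg - 1) == 0 &&
        lstat(path, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_size == (off_t)(sizeof msg - 1))
        result = (int)(st.st_mode & 07777);
    unlink(path);
    rmdir(dir);
    return result;
}
```

Note that the temporary file lives in the same directory as the destination so that rename() is an atomic same-filesystem move; this is the one thing visudo got right, and it is why the fix is the exclusive create and the descriptor-based chmod rather than moving the temporary file elsewhere.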

Oops! Proxy Server Auth Remote Format String Vulnerability
BugTraq ID: 13172
Remote: Yes
Date Published: Apr 14 2005
Relevant URL: http://www.securityfocus.com/bid/13172
Summary:
Oops! Proxy Server is prone to a remote format string
vulnerability. This issue presents itself because the application
fails to properly sanitize user-supplied input prior to passing it as
the format specifier to a formatted printing function.

A successful attack may result in crashing the server or lead to
arbitrary code execution. This may facilitate unauthorized access or
privilege escalation in the context of the server.

Oops! versions prior to and including version 1.5.53 are reported
prone to this issue.

[ HTTP proxy, rather threading-oriented, fairly inefficient under Linux ]
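
The two GLD entries and the Oops! entry above are the same two C mistakes seen from the network: copying a client-supplied string into a fixed buffer without checking its length, and handing a client-supplied string to a printf-style function as the format. The following C is an added example, not GLD's or Oops!'s code: format_auth_log builds a log line from a client address and username with a constant format string and bounded, truncation-aware copies, and it also neutralises control characters so a client cannot forge extra log lines. The function names and the sample address 203.0.113.7 are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity cap), replacing ASCII control characters,
 * CR and LF included, with '?' so that a client cannot inject line breaks
 * and forge extra log entries. Bytes >= 0x80 (UTF-8) pass through. Always
 * NUL-terminates; returns false if src had to be truncated. */
bool sanitize_for_log(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return false;
    size_t i = 0;
    for (; src[i] != '\0'; i++) {
        if (i + 1 >= cap) {            /* bounded copy: stop before overrun */
            dst[i] = '\0';
            return false;
        }
        unsigned char ch = (unsigned char)src[i];
        dst[i] = (ch < 0x20 || ch == 0x7f) ? '?' : (char)ch;
    }
    dst[i] = '\0';
    return true;
}

/* Build one log line. The format string is a compile-time constant and the
 * network-supplied values are passed only as "%s" arguments, so a "%n" or
 * "%x" in the username is printed as text rather than interpreted. Returns
 * false if anything was truncated, so the caller can log that fact instead
 * of a silently clipped line. */
bool format_auth_log(char *dst, size_t cap, const char *client_ip, const char *user)
{
    char safe_user[64];                    /* fixed buffer, but checked */
    bool fit = sanitize_for_log(safe_user, sizeof safe_user, user);
    int n = snprintf(dst, cap, "auth failed from %s for user \"%s\"", client_ip, safe_user);
    return fit && n >= 0 && (size_t)n < cap;
}

/* Convenience wrapper for trying inputs from a constructed client address:
 * returns the finished line, or NULL when it would have been truncated. */
static char demo_buf[128];
const char *demo_auth_line(const char *user)
{
    return format_auth_log(demo_buf, sizeof demo_buf, "203.0.113.7", user) ? demo_buf : NULL;
}
```

The dangerous form is the one-argument call, syslog(LOG_INFO, user) or printf(user), where whatever the client sent becomes the format string. GCC and Clang flag that pattern with -Wformat-security, which is worth promoting to an error in any network daemon's build.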


