[gull-annonces] Summary of SecurityFocus Newsletter #327/328

Marc SCHAEFER schaefer at alphanet.ch
Thu Dec 22 19:24:38 CET 2005


Unalz Archive Filename Buffer Overflow Vulnerability
BugTraq ID: 15577
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15577
Summary:
unalz is prone to a buffer overflow vulnerability.  This issue is exposed 
when the application extracts an ALZ archive that contains a file with a 
long name.  
This vulnerability could be exploited to execute arbitrary code in the 
context of the user who extracts a malicious archive.

ktools Remote Buffer Overflow Vulnerability
BugTraq ID: 15600
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15600
Summary:
ktools is prone to a remote buffer overflow vulnerability.

An attacker may execute arbitrary code with the privileges of the 
application and gain unauthorized remote access.

ktools 0.3 and prior versions are vulnerable to this issue. 

FreeWebStat Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15601
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15601
Summary:
FreeWebStat is prone to multiple cross-site scripting vulnerabilities. 
These issues are due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage these issues to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site.  
These may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

FreeWebStat version 1.0 rev37 is reported to be affected; other versions may 
also be vulnerable.

Cisco IOS HTTP Service HTML Injection Vulnerability
BugTraq ID: 15602
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15602
Summary:
Cisco IOS HTTP service is reportedly prone to an HTML injection 
vulnerability.

An attacker can submit malicious HTML and script code through the 
'/level/15/exec/-/buffers/assigned' and '/level/15/exec/-/buffers/all' 
scripts.  This code may be executed in the browser of an administrator when 
they attempt to view the contents of memory buffers through the vulnerable 
scripts of the HTTP service.

This vulnerability has been reported to affect versions of IOS from 11.0 
through 12.4.  Cisco IOS XR is not vulnerable.  As this is an HTML injection 
vulnerability that targets users of the IOS web interface, devices with the 
HTTP service disabled are not affected.

Cisco has confirmed this advisory.  See Cisco security advisory 
"cisco-sa-20051201-http" in the reference section.

[ firmware ]

Linux kernel ptrace CLONE_THREAD Local Denial of Service Vulnerability
BugTraq ID: 15642
Remote: No
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial of service vulnerability.

In instances where a process created via the 'clone' system call with the 
'CLONE_THREAD' argument is ptraced, the kernel fails to properly ensure that 
the ptracing process is not attempting to trace itself.

This issue allows local users to crash the kernel, denying service to 
legitimate users.

kernel versions prior to 2.6.14.2 are vulnerable to this issue.

Linux kernel IPv6 FlowLabel Denial Of Service Vulnerability
BugTraq ID: 15729
Remote: No
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux kernel is prone to a local denial of service vulnerability.

Local attackers can exploit this to corrupt kernel memory or free 
non-allocated memory.  Successful exploitation will result in a crash of the 
kernel, effectively denying service to legitimate users.

Linux kernel ptraced Child Auto-Reap Local Denial of Service 
Vulnerability
BugTraq ID: 15625
Remote: No
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15625
Summary:
Linux kernel is susceptible to a local denial of service vulnerability.

The kernel improperly auto-reaps processes when they are being ptraced, 
leading to an invalid pointer. Further operations on this pointer result in 
a kernel crash.

This issue allows local users to crash the kernel, denying service to 
legitimate users.

kernel versions prior to 2.6.15 are vulnerable to this issue.

Linux kernel time_out_leases printk Local Denial of Service Vulnerability
BugTraq ID: 15627
Remote: No
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15627
Summary:
Linux kernel is susceptible to a local denial of service vulnerability.

This issue is triggered by consuming excessive kernel log memory by 
obtaining numerous file lock leases. Once the leases time out, the event will 
be logged, and kernel memory will be consumed.

This issue allows local attackers to consume excessive kernel memory, 
eventually leading to an out-of-memory condition, and a denial of service 
for legitimate users.

kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.

Perl perl_sv_vcatpvfn Format String Integer Wrap Vulnerability
BugTraq ID: 15629
Remote: Yes
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15629
Summary:
Perl is susceptible to a format string vulnerability. This issue is due to a 
failure of the programming language to properly handle format specifiers in 
formatted printing functions.

An attacker may leverage this issue to write to arbitrary process memory, 
facilitating code execution in the context of the Perl interpreter process. 
This can result in unauthorized remote access.

Developers should treat the formatted printing functions in Perl as 
equivalently vulnerable to exploitation as the C library versions, and 
properly sanitize all data passed in the format specifier argument.

All applications that utilize formatted printing functions in an unsafe 
manner should be considered exploitable.

NuFW Malformed Packet Remote Denial Of Service Vulnerability
BugTraq ID: 15645
Remote: Yes
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15645
Summary:
NuFW is susceptible to a remote denial of service vulnerability. This issue 
is due to a failure of the application to properly handle malformed network 
packets from authenticated users.

This issue results in the 'nuauth' application crashing, denying service to 
further users.

NuFW versions prior to 1.0.16, as well as the development version 1.1, are 
affected by this issue.

[ free (libre) enterprise-grade firewall distribution ]

CenterICQ Malformed Packet Handling Remote Denial of Service 
Vulnerability
BugTraq ID: 15649
Remote: Yes
Date Published: 2005-11-30
Relevant URL: http://www.securityfocus.com/bid/15649
Summary:
CenterICQ is prone to a remote denial of service vulnerability. 

The vulnerability presents itself when the client is running on a computer 
that is directly connected to the Internet and handles malformed packets on 
the listening port for ICQ messages.

A successful attack can cause the client to crash.

Astaro Security Linux ISAKMP IKE Traffic Denial of Service Vulnerability
BugTraq ID: 15666
Remote: Yes
Date Published: 2005-11-30
Relevant URL: http://www.securityfocus.com/bid/15666
Summary:
Astaro Security Linux is prone to a denial of service when handling 
malformed IKE traffic.

It is conjectured that the issue can occur if a packet with a malformed 
payload is sent during an IKE exchange causing the daemon to crash. 

Avaya TN2602AP IP Media Resource 320 Remote Denial of Service 
Vulnerability
BugTraq ID: 15668
Remote: Yes
Date Published: 2005-11-30
Relevant URL: http://www.securityfocus.com/bid/15668
Summary:
Avaya TN2602AP IP Media Resource 320 is prone to a remote denial of service 
vulnerability.

A successful attack can result in a memory leak and lead to a denial of 
service condition due to a crash.

Avaya TN2602AP IP Media Resource 320 versions prior to vintage 9 firmware 
are vulnerable to this issue.

[ firmware ]

sobexsrv dosyslog Remote Format String Vulnerability
BugTraq ID: 15692
Remote: Yes
Date Published: 2005-12-03
Relevant URL: http://www.securityfocus.com/bid/15692
Summary:
sobexsrv is prone to a remote format string vulnerability.  This issue is 
due to a failure in the application to properly sanitize user-supplied input.

Successful exploitation can facilitate a crash or arbitrary code execution 
in the context of affected server application.

MultiTech MultiVOIP INVITE Remote Buffer Overflow Vulnerability
BugTraq ID: 15711
Remote: Yes
Date Published: 2005-12-05
Relevant URL: http://www.securityfocus.com/bid/15711
Summary:
MultiTech MultiVOIP devices are prone to a remotely exploitable buffer 
overflow vulnerability.  Successful exploitation could result in a denial of 
service or potential arbitrary code execution.

This vulnerability may also be present in third-party devices that implement 
the MultiTech VOIP Gateway and protocol stack.

[ firmware ]

xpdf JPX Stream Reader Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15721
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15721
Summary:
xpdf is reported prone to a remote buffer overflow vulnerability. This issue 
exists because the application fails to perform proper boundary checks 
before copying user-supplied data into process buffers. A remote attacker 
may execute arbitrary code in the context of a user running the application. 
This can result in the attacker gaining unauthorized access to the 
vulnerable computer. 
It is reported that this issue presents itself in the 
'JPXStream::readCodestream' function residing in the 'xpdf/JPXStream.cc' 
file.

This issue is reported to affect xpdf 3.01, however, it is likely that 
earlier versions are prone to this vulnerability as well.  Applications 
using embedded xpdf code may be vulnerable to this issue as well.

kpdf reportedly incorporates vulnerable xpdf code.  Version 0.5 of kpdf is 
prone to this issue, however, other versions may also be affected.

xpdf StreamPredictor Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15725
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15725
Summary:
xpdf is reported prone to a remote buffer overflow vulnerability. This issue 
exists because the application fails to perform proper boundary checks 
before copying user-supplied data into process buffers. A remote attacker 
may execute arbitrary code in the context of a user running the application. 
This can result in the attacker gaining unauthorized access to the 
vulnerable computer. 
It is reported that this issue presents itself in the 
'StreamPredictor::StreamPredictor' function residing in the 'xpdf/Stream.cc' 
file.

This issue is reported to affect xpdf 3.01, however, it is likely that 
earlier versions are prone to this vulnerability as well.  Applications 
using embedded xpdf code may be vulnerable to this issue as well.

pdftohtml also includes vulnerable versions of xpdf.  Version 0.36 of 
pdftohtml was reported prone to this issue, however, earlier versions may 
also be affected.

kpdf reportedly incorporates vulnerable xpdf code.  Version 0.5 of kpdf is 
prone to this issue, however, other versions may also be affected.

xpdf DCTStream Progressive Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15726
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15726
Summary:
xpdf is reported prone to a remote buffer overflow vulnerability. This issue 
exists because the application fails to perform proper boundary checks 
before copying user-supplied data into process buffers. A remote attacker 
may execute arbitrary code in the context of a user running the application. 
This can result in the attacker gaining unauthorized access to the 
vulnerable computer. 
It is reported that this issue presents itself in the 
'DCTStream::readProgressiveSOF' function residing in the 'xpdf/Stream.cc' 
file.

This issue is reported to affect xpdf 3.01, however, it is likely that 
earlier versions are prone to this vulnerability as well.  Applications 
using embedded xpdf code may be vulnerable to this issue as well.

pdftohtml also includes vulnerable versions of xpdf.  Version 0.36 of 
pdftohtml was reported prone to this issue, however, earlier versions may 
also be affected.

kpdf reportedly incorporates vulnerable xpdf code.  Version 0.5 of kpdf is 
prone to this issue, however, other versions may also be affected.

xpdf DCTStream Baseline Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15727
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15727
Summary:
xpdf is reported prone to a remote buffer overflow vulnerability. This issue 
exists because the application fails to perform proper boundary checks 
before copying user-supplied data into process buffers. A remote attacker 
may execute arbitrary code in the context of a user running the application. 
This can result in the attacker gaining unauthorized access to the 
vulnerable computer. 
It is reported that this issue presents itself in the 
'DCTStream::readBaselineSOF' function residing in the 'xpdf/Stream.cc' file.

This issue is reported to affect xpdf 3.01, however, it is likely that 
earlier versions are prone to this vulnerability as well.  Applications 
using embedded xpdf code may be vulnerable to this issue as well.

pdftohtml also includes vulnerable versions of xpdf.  Version 0.36 of 
pdftohtml was reported prone to this issue, however, earlier versions may 
also be affected.

kpdf reportedly incorporates vulnerable xpdf code.  Version 0.5 of kpdf is 
prone to this issue, however, other versions may also be affected.

FFmpeg libavcodec Heap Buffer Overflow Vulnerability
BugTraq ID: 15743
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15743
Summary:
FFmpeg's libavcodec is susceptible to a heap buffer overflow vulnerability. 
This issue is due to a failure of the library to properly bounds check 
user-supplied data prior to utilizing it in memory allocation and copy 
operations.

Attackers may exploit this vulnerability to execute arbitrary code in the 
context of applications that utilize an affected version of the libavcodec 
library.

An attacker can exploit this issue by enticing a user to open a malformed 
PNG file with an application that utilizes a vulnerable version of 
libavcodec. If the application is configured as the default handler for PNG 
files, this could present a viable Web or email attack vector as when the 
PNG is clicked from an appropriate client application, the application 
utilizing the vulnerable library will automatically be invoked.

Multiple Vendor BIOS Password Persistence Weakness
BugTraq ID: 15751
Remote: No
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15751
Summary:
Multiple BIOS (Basic Input-Output System) vendors fail to clear the keyboard 
buffer after reading the BIOS password during the system startup process.

This issue is reported to affect Insyde BIOS V190, and AWARD BIOS Modular 
4.50pg. Other versions and platforms are also likely affected.

Depending on the operating system running on affected computers, the memory 
region may or may not be available for user-level access. With Linux 
operating systems, superuser access is required. With Microsoft Windows 
operating systems, non-privileged users may access the keyboard buffer 
region.

Attackers that obtain the BIOS password may then utilize it for further 
attacks.

cURL / libcURL URL Parser Buffer Overflow Vulnerability
BugTraq ID: 15756
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15756
Summary:
cURL and libcURL are prone to a buffer overflow vulnerability.  This issue 
is due to a failure in the library to perform proper bounds checks on user 
supplied data before using it in a finite sized buffer.

The issues occur when the URL parser function handles an excessively long 
URL string.

An attacker can exploit this issue to crash the affected library, 
effectively denying service.  Arbitrary code execution may also be possible, 
this may facilitate a compromise of the underlying system.

Apache MPM worker.c Denial Of Service Vulnerability
BugTraq ID: 15762
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15762
Summary:
Apache is prone to a memory leak, causing a denial of service vulnerability.

An attacker may consume excessive memory resources, resulting in a denial of 
service condition affecting legitimate users.

Apache 2.x versions are vulnerable; other versions may also be affected.

Apache James Spooler Memory Leak Denial Of Service Vulnerability
BugTraq ID: 15765
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15765
Summary:
James is prone to a memory leak denial of service vulnerability.

This issue occurs during an error condition in the spooler.

An attacker can exploit this issue by creating multiple error conditions and 
eventually consume system resources.

Successful exploitation will ultimately crash the application denying 
service to legitimate users.

Dell TrueMobile 2300 Remote Credential Reset Vulnerability
BugTraq ID: 15770
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15770
Summary:
It is possible for remote attackers to gain control of a target TrueMobile 
2300 running firmware versions 3.0.0.8 and 5.1.1.6.  Other versions are 
likely affected.  The vulnerability appears to be in an administrative 
component accessed through the web-based control interface.  Unauthenticated 
attackers can force the device to reset the administrative credentials 
without authorization.  Once credentials have been reset an attacker can log 
in and perform malicious actions, potentially compromising the entire LAN 
behind the device.

[ firmware ]

Courier Mail Server Unauthorized Access Vulnerability
BugTraq ID: 15771
Remote: Yes
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15771
Summary:
Courier Mail Server is prone to an unauthorized access vulnerability.  This 
issue occurs because accounts that have been deactivated may still be able 
to log onto the server.

Mozilla Firefox Large History File Buffer Overflow Vulnerability
BugTraq ID: 15773
Remote: Yes
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15773
Summary:
Mozilla Firefox is reportedly prone to a remote denial of service 
vulnerability.

This issue presents itself when the browser handles a large entry in the 
'history.dat' file.  An attacker may trigger this issue by enticing a user 
to visit a malicious Web site and supplying excessive data to be stored in 
the affected file.

This may cause a denial of service condition.

**UPDATE: Proof of concept exploit code has been published.  The author of 
the code attributes the crash to a buffer overflow condition.  The alleged 
flaw cannot be reproduced by Symantec.

ACME Perl-Cal Cal_make.PL Cross-Site Scripting Vulnerability
BugTraq ID: 15779
Remote: Yes
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15779
Summary:
Perl-Cal is prone to a cross-site scripting vulnerability. This issue is due 
to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site.  
This may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

Ethereal OSPF Protocol Dissection Stack Buffer Overflow Vulnerability
BugTraq ID: 15794
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15794
Summary:
A remote buffer overflow vulnerability affects Ethereal. This issue is due 
to a failure of the application to securely copy network-derived data into 
sensitive process buffers. The specific issue exists in the OSPF dissector.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This may 
facilitate unauthorized access or privilege escalation.

Motorola SB5100E Cable Modem LanD Packet Denial Of Service Vulnerability
BugTraq ID: 15795
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15795
Summary:
Motorola SB5100E Cable Modems are prone to a denial of service vulnerability.

These devices are susceptible to a remote denial of service vulnerability 
when handling TCP 'LanD' packets.

This issue allows attackers to block network traffic to arbitrarily targeted 
network services. A physical restart of the device will return it to normal 
operations.

[ firmware ]
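
Added example (mine, not from the newsletter, SecurityFocus, Perl or 
sobexsrv): the format string bug class behind BID 15629 (Perl's formatted 
printing functions) and BID 15692 (sobexsrv passing data to syslog in the 
format position), shown in C because the Perl advisory says the C library 
behaviour is the right mental model. The function names, the rendering 
helpers and the sample strings are my own constructions.

```c
/* Format string class behind BID 15629 and BID 15692, shown in C.
 * Added example; none of this code is from Perl, sobexsrv or the advisories. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count conversion directives in untrusted text: every '%' that is not
 * escaped as "%%".  Any result > 0 means the string must never be used as
 * a format argument; a "%n" would give the attacker a memory write. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

/* VULNERABLE: untrusted data is the format itself.  This is the C
 * equivalent of Perl's printf($msg) or a syslog(prio, msg) call. */
int render_unsafe(const char *msg, char *out, size_t n)
{
    return snprintf(out, n, msg);          /* msg is interpreted */
}

/* FIXED: the data travels through "%s", so '%' in msg is just a byte. */
int render_safe(const char *msg, char *out, size_t n)
{
    return snprintf(out, n, "%s", msg);
}

/* Same fix on a logging path: the caller's string is never the format.
 * syslog(3) additionally interprets "%m", so the "%s" is not optional. */
void log_client_name(const char *name)
{
    syslog(LOG_INFO, "client name: %s", name);
}

/* Returns 1 when the two renderings of msg differ, i.e. when the unsafe
 * path interpreted something.  Only called with "%%"-style input here so
 * that the unsafe call stays well defined for the demonstration. */
int interpretation_differs(const char *msg)
{
    char a[128], b[128];
    render_unsafe(msg, a, sizeof a);
    render_safe(msg, b, sizeof b);
    return strcmp(a, b) != 0;
}
```

In Perl the corresponding fix is the same shape: printf("%s", $msg) and 
sprintf("%s", $msg) instead of printf($msg) and sprintf($msg).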

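Added example (mine, not from the newsletter, SecurityFocus or any BIOS 
vendor) for BID 15751 above: a check for keystrokes left in the BIOS Data 
Area keyboard ring buffer after boot. It assumes the standard IBM PC BIOS 
Data Area layout at physical address 0x400 (head pointer at offset 0x1A, 
tail pointer at 0x1C, sixteen (ASCII, scan code) pairs at 0x1E, buffer 
start/end offsets at 0x80/0x82) and, on Linux, root access to /dev/mem, 
which the advisory says is needed there. The sample BDA images used by the 
test helper are constructed.

```c
/* Leftover keystrokes in the BIOS Data Area keyboard buffer (BID 15751).
 * Added example; layout assumptions are the standard PC BIOS Data Area. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <fcntl.h>
#include <unistd.h>

#define BDA_PHYS 0x400u      /* physical address of the BIOS Data Area */
#define BDA_LEN  256u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the ring from the tail pointer (oldest slot first) and collect the
 * ASCII byte of every slot holding a printable character.  The BIOS does
 * not erase consumed keystrokes, so head/tail only give the order; the
 * bytes stay readable.  out must hold BDA_LEN bytes; returns the count. */
int bda_kbd_leftovers(const uint8_t *bda, char *out)
{
    uint16_t start = rd16(bda + 0x80), end = rd16(bda + 0x82);
    uint16_t tail  = rd16(bda + 0x1C);
    int n = 0;

    /* Fall back to the classic 0x1E..0x3E buffer if the pointers look bad. */
    if (start < 0x1E || end > BDA_LEN || end <= start || (end - start) % 2) {
        start = 0x1E; end = 0x3E;
    }
    if (tail < start || tail >= end || (tail - start) % 2)
        tail = start;

    uint16_t slots = (uint16_t)((end - start) / 2);
    for (uint16_t i = 0; i < slots; i++) {
        uint16_t off = (uint16_t)(start + (tail - start + 2 * i) % (end - start));
        uint8_t ascii = bda[off];
        if (isprint(ascii))
            out[n++] = (char)ascii;
    }
    out[n] = '\0';
    return n;
}

/* Constructed BDA image: models a BIOS that consumed each keystroke of
 * `typed` right after it was entered (head == tail afterwards), as a
 * password prompt would.  Scan codes are irrelevant here and left zero. */
void make_sample_bda(uint8_t *bda, const char *typed)
{
    memset(bda, 0, BDA_LEN);
    bda[0x80] = 0x1E; bda[0x82] = 0x3E;          /* default buffer bounds */
    uint16_t tail = 0x1E;
    for (const char *p = typed; *p; p++) {
        bda[tail] = (uint8_t)*p;                 /* ASCII half of the slot */
        tail = (uint16_t)(tail + 2);
        if (tail >= 0x3E) tail = 0x1E;           /* 16-slot ring wraps */
    }
    bda[0x1A] = (uint8_t)tail; bda[0x1C] = (uint8_t)tail;
}

/* 1 when the leftovers recovered from a constructed image equal expect. */
int sample_check(const char *typed, const char *expect)
{
    uint8_t bda[BDA_LEN];
    char out[BDA_LEN];
    make_sample_bda(bda, typed);
    bda_kbd_leftovers(bda, out);
    return strcmp(out, expect) == 0;
}

/* Linux, root only: read the live BDA via /dev/mem and report what is
 * still sitting in the keyboard buffer. */
int main(void)
{
    uint8_t bda[BDA_LEN];
    char found[BDA_LEN];
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0) { perror("open /dev/mem"); return 1; }
    if (pread(fd, bda, sizeof bda, BDA_PHYS) != (ssize_t)sizeof bda) {
        perror("pread"); close(fd); return 1;
    }
    close(fd);
    int n = bda_kbd_leftovers(bda, found);
    printf("%d printable byte(s) left in the BIOS keyboard buffer: \"%s\"\n", n, found);
    return 0;
}
```

A non-empty result right after a cold boot through a BIOS password prompt 
is the weakness the advisory describes; the ring keeps only the last 
sixteen keystrokes, so a longer password survives as its tail.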

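Added example (mine, not from the newsletter, SecurityFocus or Motorola) 
for BID 15795 above: what a TCP "LanD" packet is and how to recognise one 
in an ingress filter or IDS rule placed in front of a device that cannot 
survive it. The packets are constructed in the block itself (TEST-NET-1 
addresses, no checksums, minimal headers); is_land_packet and build_tcp_syn 
are my own names.

```c
/* LanD packet recognition (BID 15795).  Added example, constructed samples. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { PROTO_TCP = 6 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 for a LanD packet: IPv4, TCP, source address == destination address
 * and source port == destination port.  0 for anything else, including
 * truncated, non-IPv4 or non-TCP input, which is never reported as LanD. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4u;
    if (ihl < 20 || len < ihl + 20) return 0;          /* need a full TCP header */
    if (pkt[9] != PROTO_TCP) return 0;
    if (memcmp(pkt + 12, pkt + 16, 4) != 0) return 0;  /* src IP != dst IP */
    const uint8_t *tcp = pkt + ihl;
    return be16(tcp) == be16(tcp + 2);                  /* sport == dport */
}

/* Minimal IPv4 + TCP SYN in a caller-supplied 40-byte buffer, enough for
 * header inspection (no checksums, no options). */
void build_tcp_syn(uint8_t *out, const uint8_t src[4], uint16_t sport,
                   const uint8_t dst[4], uint16_t dport)
{
    memset(out, 0, 40);
    out[0] = 0x45;                          /* IPv4, IHL = 5 words */
    out[3] = 40;                            /* total length */
    out[8] = 64;                            /* TTL */
    out[9] = PROTO_TCP;
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50;                         /* data offset = 5 words */
    out[33] = 0x02;                         /* SYN */
}

/* Constructed cases.  192.0.2.x is TEST-NET-1, reserved for documentation. */
int sample_land_detected(void)
{
    static const uint8_t a[4] = {192, 0, 2, 10};
    uint8_t pkt[40];
    build_tcp_syn(pkt, a, 80, a, 80);       /* same host, same port */
    return is_land_packet(pkt, sizeof pkt);
}

int sample_normal_syn(void)
{
    static const uint8_t a[4] = {192, 0, 2, 10}, b[4] = {192, 0, 2, 20};
    uint8_t pkt[40];
    build_tcp_syn(pkt, a, 40000, b, 80);
    return is_land_packet(pkt, sizeof pkt);
}

int sample_same_host_different_ports(void)
{
    static const uint8_t a[4] = {192, 0, 2, 10};
    uint8_t pkt[40];
    build_tcp_syn(pkt, a, 40000, a, 80);    /* loopback-style, not LanD */
    return is_land_packet(pkt, sizeof pkt);
}

int sample_truncated(void)
{
    static const uint8_t a[4] = {192, 0, 2, 10};
    uint8_t pkt[40];
    build_tcp_syn(pkt, a, 80, a, 80);
    return is_land_packet(pkt, 30);         /* TCP header cut short */
}
```

Dropping such packets at the border is cheap and has no legitimate cost: 
no valid TCP segment arrives from the outside with the receiver's own 
address and port as its source.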