[gull-annonces] Summary of SecurityFocus Newsletter #284

Marc SCHAEFER schaefer at alphanet.ch
Fri Jan 28 18:11:02 CET 2005


Debian Lintian Insecure Temporary File Vulnerability
BugTraq ID: 12202
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12202
Summary:
The Debian lintian program creates temporary files in an insecure
manner.  A local attacker could exploit this condition to launch
symbolic link attacks to cause arbitrary files to be deleted in the
context of the user running the program.

Dillo Interface Message Format String Vulnerability
BugTraq ID: 12203
Remote: Yes
Date Published: Jan 09 2005
Relevant URL: http://www.securityfocus.com/bid/12203
Summary:
Dillo Web browser is prone to a format string vulnerability.  This
issue is exposed when the browser handles messages to the interface.

The vulnerability may be triggered when a user visits a malicious Web
page.  If successfully exploited, this will result in execution of
arbitrary code in the context of the client user.

[ WWW client in C with GTK+, 350 kilobytes ]

Linux iproute2 netbug Script Insecure Temporary File Creatio...
BugTraq ID: 12208
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12208
Summary:
iproute2 is distributed with a script named 'netbug'. The 'netbug'
script is reported prone to an unspecified insecure temporary file
creation vulnerability.

It is conjectured that the 'netbug' script creates a temporary file
using a predictable filename in a world read-writeable location. This
issue may be leveraged to corrupt arbitrary files with the privileges
of a user that invokes the vulnerable script.

Apache mod_auth_radius Malformed RADIUS Server Reply Integer...
BugTraq ID: 12217
Remote: Yes
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12217
Summary:
mod_auth_radius is reported prone to an integer overflow
vulnerability.  This issue is due to an error in the application when
handling server-supplied integer values before these values are
employed as the size argument in a subsequent memory copy operation.

To exploit this vulnerability, an attacker must control a RADIUS
server or intercept network traffic and send spoofed RADIUS replies to
the Apache server.  Successful exploitation may result in memory
corruption and allow for arbitrary code execution.

All versions of mod_auth_radius are considered vulnerable at the
moment.
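The mod_auth_radius entry above comes down to a server-supplied length being used as a copy size without first checking it against the bytes actually received. The following is an added example, not code from SecurityFocus or from mod_auth_radius itself: a RADIUS attribute parser in Python that validates the packet length and every attribute length (RFC 2865 layout: 20-byte header, then type/length/value attributes whose length byte includes its own two header bytes) before slicing. The function names, the build_reply helper and the sample replies are constructed for the demonstration.

```python
import struct

RADIUS_HEADER_LEN = 20   # code(1) id(1) length(2) authenticator(16), RFC 2865
ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18


def parse_radius_attributes(packet):
    """Parse the attribute TLVs that follow the RADIUS header.

    Every length the server supplied (the packet length and each
    attribute length) is checked against the bytes actually present
    before it is used to slice, so a zero, short or oversized value can
    never become a copy size that overruns the buffer.
    Raises ValueError on anything inconsistent.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, declared_len = struct.unpack("!BBH", packet[:4])
    if declared_len < RADIUS_HEADER_LEN or declared_len > len(packet):
        raise ValueError("declared length %d does not fit a %d byte packet"
                         % (declared_len, len(packet)))
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < declared_len:
        if declared_len - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        # The length covers the two header bytes, so 0 and 1 are impossible
        # and would underflow an unchecked 'alen - 2' copy size.
        if alen < 2:
            raise ValueError("attribute %d has impossible length %d" % (atype, alen))
        if pos + alen > declared_len:
            raise ValueError("attribute %d length %d overruns the packet" % (atype, alen))
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return attrs


def build_reply(code, ident, attrs, authenticator=b"\x00" * 16):
    """Assemble a RADIUS packet from (type, value) pairs; used here only to
    construct sample replies for the demonstration."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + authenticator + body


def check_reply(packet):
    """Return ('ok', attrs) for a well-formed reply or ('reject', reason)."""
    try:
        return "ok", parse_radius_attributes(packet)
    except ValueError as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    good = build_reply(ACCESS_ACCEPT, 1, [(ATTR_REPLY_MESSAGE, b"welcome")])
    print(check_reply(good))
    # Constructed malformed reply: the attribute length byte patched to 0.
    bad = bytearray(good)
    bad[RADIUS_HEADER_LEN + 1] = 0
    print(check_reply(bytes(bad)))
```

The point of the two checks on the attribute length is that both directions are dangerous: a value below 2 underflows any "length minus header" arithmetic, and a value larger than the remaining packet reads past the buffer.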

MPG123 Layer 2 Frame Header Heap Overflow Vulnerability
BugTraq ID: 12218
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12218
Summary:
mpg123 is prone to a heap-based buffer overflow vulnerability related
to handling of layer 2 streams.  This issue is exposed when the player
loads MP2/MP3 files with malformed header data.

This vulnerability could be exploited to execute arbitrary code in the
context of the user running the player.

[ mpg123 is considered non-free; use mpg321 instead. Last notice. ]

Squid Proxy Malformed NTLM Type 3 Message Remote Denial of S...
BugTraq ID: 12220
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12220
Summary:
Squid is reported to be susceptible to a denial of service
vulnerability in its NTLM authentication module.  This vulnerability
presents itself when an attacker sends a malformed NTLM type 3 message
to Squid.

Failure of NTLM authentication would result in the Squid application
denying access to legitimate users of the proxy.

This vulnerability affects Squid 2.5.

HylaFAX Remote Access Control Bypass Vulnerability
BugTraq ID: 12227
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12227
Summary:
The HylaFAX daemon is reported prone to a vulnerability that could
allow unauthorized access to the HylaFAX service. It is reported that
the issue presents itself due to the methods used to match a given
username and hostname to an entry in the 'hosts.hfaxd' configuration
file.

A remote attacker may exploit this vulnerability to gain unauthorized
access to the affected service.

bmv Insecure Temporary File Vulnerability
BugTraq ID: 12229
Remote: No
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12229
Summary:
bmv creates temporary files in an insecure manner.  A local attacker
could take advantage of this issue to perform symbolic link attacks
and corrupt files in the context of the user running the application.

It is not known if this vulnerability could be exploited to gain
elevated privileges, though at the very least an attacker could cause
critical files to be overwritten, causing loss of data or a denial of
service condition.

Mozilla/Netscape/Firefox Browser Modal Dialog Spoofing Vulne...
BugTraq ID: 12234
Remote: Yes
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12234
Summary:
Mozilla, Firefox, and Netscape Web browsers are reported prone to a
vulnerability that may conceal modal dialogs by covering them with a
pop-up window.

Download or security dialogs may be obscured by the use of JavaScript
that places a specially crafted pop-up window that is directly placed
on top of the dialog.  This may induce a user into trusting the
spoofed dialogs and taking further action based on this false sense of
trust.

This issue was reported to affect Windows versions of the browsers.

Apple iTunes Playlist Buffer Overflow Vulnerability
BugTraq ID: 12238
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12238
Summary:
Apple iTunes is prone to a buffer overflow vulnerability.  This issue
is exposed when the application parses 'm3u' and 'pls' playlist files.
As these files may originate from an external source, this issue is
considered remotely exploitable.

If the vulnerability is successfully exploited, it will result in
execution of arbitrary code in the context of the user running the
application.

[ is this hardware?  if so, firmware (proprietary, but firmware
  nonetheless) ]

Linux Kernel Multiple Unspecified Vulnerabilities
BugTraq ID: 12239
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12239
Summary:
It is reported that the Linux kernel version 2.6.9 is prone to
multiple unspecified vulnerabilities. The issues are reported to exist
in coda, xfs, network bridging, rose network protocol, and sdla wan
drivers.

Details regarding the reported vulnerabilities are not currently
available. It is conjectured that the issues are both local and remote
in nature and result in a kernel panic when triggered. This is not
confirmed.

This BID will be updated as soon as further details in regards to
these vulnerabilities become available.

POP Password Changer Unauthorized Password Change Vulnerabil...
BugTraq ID: 12240
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12240
Summary:
poppassd_pam is reported prone to a vulnerability that may allow
remote unauthorized users to change passwords.  This issue can
potentially allow an attacker to gain superuser privileges on a
vulnerable computer.

Reportedly, the application does not check the validity of old
passwords before changing a password.

poppassd_pam 1.0 is affected by this vulnerability.

Deutsche Telekom Teledat 530 DSL Router Port 515 Remote Deni...
BugTraq ID: 12241
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12241
Summary:
The Teledat 530 DSL router is reported prone to a remote denial of
service vulnerability. The issue presents itself due to a failure to
gracefully handle exceptional conditions. Specifically, it is reported
that when the affected appliance handles unspecified character data on
the service listening on port 515, the appliance will crash.

A remote attacker may exploit this vulnerability to deny service to
legitimate users.

[ firmware ]

GNU Mailman Multiple Unspecified Remote Vulnerabilities
BugTraq ID: 12243
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12243
Summary:
GNU Mailman is reported prone to multiple unspecified remote
vulnerabilities. The following individual issues are reported:

It is reported that GNU Mailman package for Ubuntu and Debian Linux is
affected by an information disclosure vulnerability.

Information that is harvested by exploiting this vulnerability may be
used to aid in further attacks that are launched against a target
user, or the computer that is hosting the vulnerable software.

A cross-site scripting vulnerability has been discovered in GNU
Mailman. The issue occurs due to insufficient sanitization of
user-supplied data.

It may be possible to exploit this issue in order to steal an
unsuspecting user's cookie-based authentication credentials, as well
as other sensitive information. Other attacks are also possible.

Finally, Mailman is reported prone to a weak auto-generated password
vulnerability. It is reported that, when a user subscribes to a
mailing list and a password is not specified, Mailman will
auto-generate one. The password generation algorithm will generate a
weak low entropy password. This password may potentially be brute
forced by an attacker.

Linux Kernel Symmetrical Multiprocessing Page Fault Local Pr...
BugTraq ID: 12244
Remote: No
Date Published: Jan 12 2005
Relevant URL: http://www.securityfocus.com/bid/12244
Summary:
A local privilege escalation vulnerability affects the page fault
handler of the Linux Kernel on symmetric multiprocessor (SMP)
computers. This issue is due to a race condition error that may allow
an attacker to gain superuser privileges.

A malicious local attacker may exploit this issue to gain superuser
privileges on the affected computer.

Helvis Multiple Local Vulnerabilities
BugTraq ID: 12247
Remote: No
Date Published: Jan 12 2005
Relevant URL: http://www.securityfocus.com/bid/12247
Summary:
helvis is reported prone to multiple local vulnerabilities. The
following individual issues are reported:

The 'elvprsv' utility is reported prone to an arbitrary file deletion
vulnerability. It is reported that the 'elvprsv' utility is installed
with setuid superuser privileges and therefore can be invoked by any
user to delete arbitrary specified files on a vulnerable computer.

'elvprsv' is reported prone to a weak default permissions
vulnerability on preserved emails that it generates. It is reported
that emails preserved by the 'elvprsv' utility are written with
insecure world readable permissions by default.

A local attacker may exploit this issue to disclose sensitive
information that is contained in preserved files that are written by
the affected utility.

Finally, it is reported that the helvis 'elvrec' utility may be used
to disclose the contents of files that are preserved by 'elvprsv'.

A local attacker may exploit this issue to disclose sensitive
information that is contained in preserved files that are written by
the affected utility.

[ a vi variant ]

OpenBSD TCP Timestamp Remote Denial Of Service Vulnerability
BugTraq ID: 12250
Remote: Yes
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12250
Summary:
A remote denial of service vulnerability affects the TCP timestamp
processing functionality of OpenBSD.  This issue is due to a failure
of the system to properly handle exceptional network data.

A remote attacker may leverage this issue to cause the kernel to panic
on an affected computer, triggering a denial of service condition.

OpenBSD HTTPD mod_include Local Buffer Overflow Vulnerabilit...
BugTraq ID: 12251
Remote: No
Date Published: Jan 12 2005
Relevant URL: http://www.securityfocus.com/bid/12251
Summary:
OpenBSD httpd mod_include is reported prone to a local buffer overflow
vulnerability.  This issue arises because the application fails to
perform boundary checks on user-supplied data before copying it into
sensitive process buffers.  This issue may allow attackers to crash
the server and potentially execute arbitrary code.

Specifically, this issue presents itself when a vulnerable server has
the XBitHack directive or server-side includes functionality enabled.

A successful attack may result in a denial of service condition,
however, it is conjectured that arbitrary code execution in the
context of the httpd process may be possible as well.

Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
BugTraq ID: 12253
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12253
Summary:
Multiple Vim scripts are reported prone to an insecure temporary file
creation vulnerability. It is reported that the Vim 'tcltags' and
'vimspell.sh' scripts create temporary files in an insecure manner.

An attacker that has local interactive access to a system may exploit
this issue to corrupt arbitrary files with the privileges of the user
that is invoking the vulnerable application.
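Four entries in this issue (Lintian, the iproute2 netbug script, bmv and the Vim tcltags/vimspell.sh scripts) are the same bug: a temporary file created under a predictable name in a world-writable directory, so a pre-planted symbolic link gets followed to some other file. This added example (my own, not code from any of those projects) shows in Python the check that defeats it: creating the file with O_CREAT|O_EXCL so an existing name, link or not, is refused, and the preferred fix of letting mkstemp pick an unpredictable name with mode 0600. The function names and the "netbug.4242" scenario are constructed; the demo runs in a fresh scratch directory.

```python
import os
import stat
import tempfile


def predictable_temp_path(directory, program, pid):
    """The weak pattern shared by the scripts above: a name built from the
    program name and pid that any local user can guess ahead of time."""
    return os.path.join(directory, "%s.%d" % (program, pid))


def create_exclusive(path):
    """Create path as a brand-new file, or return None if anything is
    already there.  O_EXCL makes the open fail with EEXIST when the name
    exists, including when it is a symlink planted by someone else, so
    the open is never followed to a victim file elsewhere on the system."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None


def create_private_tempfile(directory, prefix):
    """Preferred fix: mkstemp picks an unpredictable name and creates it
    atomically with O_EXCL and mode 0600, returning (fd, path)."""
    return tempfile.mkstemp(prefix=prefix, dir=directory)


def is_private_regular_file(path):
    """True if path is a regular file (not a link) accessible only by its owner."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo(directory=None):
    """Constructed scenario: a link already sits at the guessable name and
    points at a file that must not be clobbered.  Returns what each
    approach did."""
    if directory is None:
        directory = tempfile.mkdtemp()
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as f:
        f.write("important data\n")
    guessed = predictable_temp_path(directory, "netbug", 4242)
    os.symlink(victim, guessed)          # the pre-planted link (constructed)

    fd = create_exclusive(guessed)       # refused: the name already exists
    refused = fd is None
    if fd is not None:
        os.close(fd)

    fd, safe_path = create_private_tempfile(directory, "netbug.")
    os.write(fd, b"scratch output\n")
    os.close(fd)

    with open(victim) as f:
        victim_intact = f.read() == "important data\n"
    return {
        "exclusive_open_refused": refused,
        "mkstemp_file_private": is_private_regular_file(safe_path),
        "victim_intact": victim_intact,
    }


if __name__ == "__main__":
    print(demo())
```

For shell scripts such as netbug or vimspell.sh the equivalent is mktemp(1), which performs the same exclusive creation under an unpredictable name; a fixed "$TMPDIR/name.$$" path with a plain redirection is exactly the pattern these advisories describe.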

University of Minnesota Gopher Multiple Remote Vulnerabiliti...
BugTraq ID: 12254
Remote: Yes
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12254
Summary:
Multiple remote vulnerabilities affect Gopher.  These issues are due
to a failure of the application to properly sanitize user-supplied
data and a failure to verify input sizes.

The first issue is an integer overflow, the second issue is a format
string vulnerability.

An attacker may leverage these issues to crash the affected daemon.
These issues may also be leveraged to execute arbitrary code with the
privileges of the gopherd process.  This may facilitate unauthorized
access.

Linux Kernel User Triggerable BUG() Unspecified Local Denial...
BugTraq ID: 12261
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12261
Summary:
Linux Kernel is reported prone to a local denial of service
vulnerability.

It is reported that this issue presents itself when a large Virtual
Memory Area (VMA) is created by a user that overlaps with arg pages
during the exec() system call.

Successful exploitation will lead to a denial of service condition in
a vulnerable computer.

No further details are available at this time. This issue will be
updated as more information becomes available.

Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 12263
Remote: Unknown
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12263
Summary:
It has been reported that Midnight Commander running on Debian
operating systems is prone to multiple, unspecified vulnerabilities.
These issues are due to various design and boundary condition errors.

These issues could be leveraged by an attacker to execute arbitrary
code on an affected system, which may facilitate unauthorized
access. It is also possible for an attacker to carry out symbolic link
attacks against an affected system, potentially facilitating a system
wide denial of service.

MySQL MaxDB WebAgent WebSQL Password Parameter Remote Buffer...
BugTraq ID: 12265
Remote: Yes
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12265
Summary:
MySQL MaxDB WebAgent WebSQL is reported prone to a remote buffer
overflow vulnerability.  This issue results from insufficient boundary
checks performed by the application when handling malformed
user-supplied data.  It is possible that an attacker may leverage this
issue to execute arbitrary code on a vulnerable computer.

This issue can lead to a superuser compromise.

This issue is reported to affect MaxDB 7.5.00, however, it is likely
that other versions prior to 7.5.00.18 are vulnerable.

Exim IP Address Command Line Argument Local Buffer Overflow ...
BugTraq ID: 12268
Remote: No
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12268
Summary:
A local buffer overflow vulnerability triggered by an excessively long
command line argument affects Exim.  This issue is due to a failure of
the application to validate the length of user-supplied data prior to
attempting to store it in process buffers.

An attacker may leverage this issue to execute arbitrary code with the
privileges of the affected mailer application.  As the application is
a setuid application, it is possible that further privilege escalation
may occur.

Multiple Vendor Anti-Virus Gateway Failure To Decode Base64 ...
BugTraq ID: 12269
Remote: Yes
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12269
Summary:
Multiple vendor anti-virus gateway products are reported prone to a
security weakness that could lead to a false sense of security. It is
reported that the affected anti-virus gateways do not decode
base64-encoded images that are contained in 'data' URIs.

A malicious image that is obfuscated in this manner will bypass the
affected anti-virus scanner; the image will be rendered in the browser
of a target user when the malicious page is viewed. It is reported
that because Microsoft Internet Explorer does not support the 'data'
URI, Internet Explorer cannot be used as an attack vector to exploit
this weakness.

This weakness may lead to a false sense of security where a network
administrator believes that the affected product will detect malicious
images designed to trigger a target vulnerability. In reality, the
images may be obfuscated by an attacker and may not be detected.
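The weakness in the last entry is that the gateway scans the bytes of the HTML as transferred, while the image only exists inside the page as a base64 string and is reconstituted by the browser. The following is an added example, not code from any of the affected products: a Python pass that extracts each data: URI (RFC 2397 syntax: optional media type, optional ";base64", comma, payload), decodes it, and runs the decoded body through the same signature check as the raw page. The signature set, the marker string standing in for a crafted image, and the sample page are all constructed for the demonstration.

```python
import base64
import binascii
import re
import urllib.parse

# data:[<mediatype>][;base64],<data>  as it appears inside src= / href=
# attributes or CSS url() in a fetched page.
DATA_URI_RE = re.compile(
    r"data:(?P<mime>[A-Za-z0-9][\w/+.-]*)?(?P<params>(?:;[\w=.-]+)*),"
    r"(?P<payload>[^\"'\s)>]+)",
    re.IGNORECASE,
)


def extract_data_uri_bodies(html):
    """Yield (media type, decoded bytes) for each data: URI in the page.
    Base64 payloads are base64-decoded; plain payloads are percent-decoded."""
    for m in DATA_URI_RE.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()
        params = (m.group("params") or "").lower()
        payload = m.group("payload")
        if ";base64" in params:
            try:
                data = base64.b64decode(payload, validate=True)
            except binascii.Error:
                continue      # undecodable: the raw-bytes pass still sees it
        else:
            data = urllib.parse.unquote_to_bytes(payload)
        yield mime, data


def scan_bytes(data, signatures):
    """Toy substring signature check standing in for the gateway's scanner."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_page(html, signatures, decode_data_uris=True):
    """Scan the raw page and, unless disabled, every embedded data: URI body.
    decode_data_uris=False reproduces the behaviour the advisory describes."""
    hits = {"raw": scan_bytes(html.encode("utf-8", "replace"), signatures),
            "embedded": []}
    if decode_data_uris:
        for mime, data in extract_data_uri_bodies(html):
            found = scan_bytes(data, signatures)
            if found:
                hits["embedded"].append((mime, found))
    return hits


# Constructed sample: a harmless marker string stands in for an image
# crafted to trigger a viewer bug; the page carries it only in base64 form.
SIGNATURES = {"demo-marker": b"CONSTRUCTED-BAD-IMAGE-MARKER"}
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + SIGNATURES["demo-marker"] + b"\x00" * 8
SAMPLE_HTML = (
    '<html><body><p>hello</p>'
    '<img src="data:image/png;base64,%s" alt="x">'
    '</body></html>' % base64.b64encode(SAMPLE_IMAGE).decode("ascii")
)


if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML, SIGNATURES, decode_data_uris=False))  # misses it
    print(scan_page(SAMPLE_HTML, SIGNATURES))                           # finds it
```

With decoding disabled the raw pass finds nothing, because base64 output never contains the marker bytes; with decoding enabled the embedded image is scanned as the browser will see it. A real gateway needs the same treatment for every other layer the client unpacks before rendering (percent-encoding, compression, nested archives), since a scanner that looks at only one representation can be routed around by choosing another.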




