[gull-annonces] SecurityFocus Newsletter #340-347 Summary
Marc SCHAEFER
schaefer at alphanet.ch
Fri Apr 28 18:37:06 CEST 2006
OpenSSH Remote PAM Denial Of Service Vulnerability
BugTraq ID: 16892
Remote: Yes
Last Updated: 2006-03-05
Relevant URL: http://www.securityfocus.com/bid/16892
Summary:
OpenSSH is susceptible to a remote denial-of-service vulnerability. This
issue is due to a design flaw when handling connections when configured to
use the OpenPAM authentication system.
This issue may be exploited by remote attackers to deny SSH service to
legitimate users.
OpenSSH in conjunction with OpenPAM on FreeBSD versions 5.3 and 5.4 is
affected by this issue. Other operating systems and versions may also be
affected.
lighttpd Remote Script Disclosure Vulnerability
BugTraq ID: 16893
Remote: Yes
Last Updated: 2006-03-05
Relevant URL: http://www.securityfocus.com/bid/16893
Summary:
The 'lighttpd' webserver is prone to an information-disclosure
vulnerability. An attacker may obtain the source code of script files.
Scripts may contain sensitive information that may aid in further attacks
launched against the target computer.
Versions prior to 1.4.10a of lighttpd for Windows are vulnerable.
Compex NetPassage WPE54G Denial Of Service Vulnerability
BugTraq ID: 16894
Remote: Yes
Last Updated: 2006-03-05
Relevant URL: http://www.securityfocus.com/bid/16894
Summary:
NetPassage WPE54G is prone to a remote denial-of-service vulnerability. This
issue is due to a failure in the device to properly handle user-supplied
input.
An attacker can exploit this issue to crash the affected device, effectively
denying service to legitimate users.
[ firmware ]
FFmpeg libavcodec Heap Buffer Overflow Vulnerability
BugTraq ID: 15743
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/15743
Summary:
FFmpeg's libavcodec is susceptible to a heap buffer-overflow vulnerability.
This issue is due to the library's failure to properly bounds-check
user-supplied data before using it in memory allocation and copy operations.
Attackers may exploit this vulnerability to execute arbitrary code in the
context of applications that use an affected version of the libavcodec
library.
An attacker can exploit this issue by enticing a user to open a malformed
PNG file with an application that uses a vulnerable version of libavcodec.
If the application is configured as the default handler for PNG files, this
could present a viable web or email attack vector -- when the PNG is clicked
from an appropriate client application, the application using the vulnerable
library will automatically be invoked.
Mozilla/Netscape/Firefox Browsers Domain Name Remote Buffer Overflow
Vulnerability
BugTraq ID: 14784
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/14784
Summary:
Mozilla/Netscape/Firefox are reported prone to a remote buffer-overflow
vulnerability when handling a malformed URI.
A successful attack may result in a crash of the application or the
execution of arbitrary code.
Firefox 1.0.6 and 1.5 Beta 1 are vulnerable to this issue. Mozilla 1.7.11
and Netscape 8.0.3.3 and 7.2 are affected as well.
Mozilla Browser/Firefox Arbitrary Command Execution Vulnerability
BugTraq ID: 14888
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/14888
Summary:
Mozilla Browser/Firefox are affected by an arbitrary command-execution
vulnerability.
This attack would occur in the context of the user running the vulnerable
application and may facilitate unauthorized remote access.
Mozilla Firefox 1.0.6 running on UNIX-based platforms is reportedly
vulnerable. Other versions and applications employing Firefox functionality
may be vulnerable as well.
Mozilla Browser 1.7.x versions and Thunderbird 1.x versions are also
vulnerable to this issue.
SuSE YaST Online Update Script Signature Verification Bypass
Vulnerability
BugTraq ID: 16889
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/16889
Summary:
SuSE YaST Online Update (YOU) is prone to a signature-bypass vulnerability.
This could allow any script to be supplied and executed by the YOU utility.
To exploit this issue, an attacker would have to be able to manipulate files
on a YOU mirror or perform a man-in-the-middle attack.
FreeBSD Remote NFS RPC Request Denial of Service Vulnerability
BugTraq ID: 16838
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/16838
Summary:
FreeBSD is susceptible to a remote denial-of-service vulnerability. This
issue is due to a flaw in affected versions of the kernel that potentially
results in a crash when handling malformed RPC messages through TCP.
This issue allows remote attackers to cause affected systems to crash,
denying further network service to legitimate users.
Squid Proxy SSLConnectTimeout Remote Denial Of Service Vulnerability
BugTraq ID: 14731
Remote: Yes
Last Updated: 2006-03-04
Relevant URL: http://www.securityfocus.com/bid/14731
Summary:
A remote denial-of-service vulnerability affects the Squid Proxy. The
application fails to properly handle exceptional network requests.
A remote attacker may leverage this issue to crash the affected Squid Proxy,
denying service to legitimate users.
Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
BugTraq ID: 14921
Remote: Yes
Last Updated: 2006-03-07
Relevant URL: http://www.securityfocus.com/bid/14921
Summary:
Mozilla and Firefox are prone to a DOM object spoofing vulnerability.
Successful exploitation could allow a remote attacker to execute arbitrary
script code with elevated privileges.
Mozilla Browser/Firefox Arbitrary HTTP Request Injection Vulnerability
BugTraq ID: 14923
Remote: Yes
Last Updated: 2006-03-07
Relevant URL: http://www.securityfocus.com/bid/14923
Summary:
Mozilla and Firefox browsers are prone to a vulnerability that permits the
injection of arbitrary HTTP requests. This issue is due to a failure in the
application to properly sanitize user-supplied input.
This issue can be used to exploit server or proxy flaws from the user's
machine, or to fool a server or proxy into thinking a single request is a
stream of separate requests.
Apache mod_python FileSession Code Execution Vulnerability
BugTraq ID: 16916
Remote: Yes
Last Updated: 2006-03-07
Relevant URL: http://www.securityfocus.com/bid/16916
Summary:
Apache mod_python is prone to a code-execution vulnerability.
Presumably, this issue can be exploited remotely through a specially crafted
session cookie. However, conflicting details also suggest that only local
attackers can exploit this vulnerability. This information will be updated
when more details become available.
A successful attack may facilitate a remote compromise in the context of the
server. Local attacks may be possible as well.
Apache mod_disk_cache Module Client Authentication Credential Storage
Weakness
BugTraq ID: 9933
Remote: Yes
Last Updated: 2006-03-07
Relevant URL: http://www.securityfocus.com/bid/9933
Summary:
Apache's mod_disk_cache module is reported to be prone to a weakness that
could result in an attacker gaining access to proxy or standard
authentication credentials. The mod_disk_cache module is reported to store
HTTP hop-by-hop headers including user login and password information in
plaintext format on disk.
An attacker could use this issue in conjunction with other possible
vulnerabilities in a host to gain access to user authentication credentials.
Successful exploitation of this issue may lead to further attacks against
vulnerable users of the affected host.
Apache versions 2.0.49 and prior with mod_disk_cache enabled are assumed to
be affected by this issue.
Apache Mod_SSL SSLVerifyClient Restriction Bypass Vulnerability
BugTraq ID: 14721
Remote: Yes
Last Updated: 2006-03-07
Relevant URL: http://www.securityfocus.com/bid/14721
Summary:
Apache 2.x mod_ssl is prone to a restriction-bypass vulnerability. This
issue presents itself when mod_ssl is configured to be used with the
'SSLVerifyClient' directive.
This issue allows attackers to bypass security policies to gain access to
locations that are configured to be forbidden for clients without a valid
client certificate.
up-IMAPProxy Multiple Unspecified Remote Format String Vulnerabilities
BugTraq ID: 15048
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/15048
Summary:
up-IMAPProxy is reported prone to multiple unspecified remote format string
vulnerabilities.
Successful exploitation could result in a failure of the application or
arbitrary code execution in the context of the application.
Specific details of these issues are not currently known. This BID will be
updated when further information becomes available.
Apache mod_ssl SSLCipherSuite Restriction Bypass Vulnerability
BugTraq ID: 11360
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/11360
Summary:
Apache 2.x mod_ssl is reported prone to a restriction-bypass vulnerability.
This issue presents itself when mod_ssl is configured to be used with the
'SSLCipherSuite' directive in a 'Directory' or 'Location' context.
Reportedly, this vulnerability allows a client to use any cipher suite
allowed by the virtual host configuration regardless of cipher suites
specified for a specific directory. This can allow an attacker to bypass
security policies and use potentially weaker encryption types than allowed.
Apache versions 2.0.35 to 2.0.52 are reported vulnerable to this issue.
Apache mod_include Local Buffer Overflow Vulnerability
BugTraq ID: 11471
Remote: No
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/11471
Summary:
The problem presents itself when the affected module attempts to parse
mod_include-specific tag values. A failure to properly validate the lengths
of user-supplied tag strings before copying them into finite buffers
facilitates the overflow.
A local attacker may leverage this issue to execute arbitrary code on the
affected computer with the privileges of the affected Apache server.
LibTIFF TIFFOpen() Buffer Overflow Vulnerability
BugTraq ID: 13585
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/13585
Summary:
LibTIFF is prone to a buffer-overflow vulnerability. The issue occurs in the
'TIFFOpen()' function when malformed TIFF files are opened. Successful
exploitation could lead to arbitrary code execution.
libdbi-perl Unspecified Insecure Temporary File Creation Vulnerability
BugTraq ID: 12360
Remote: No
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/12360
Summary:
The 'libdbi-perl' utility is affected by an unspecified insecure temporary
file-creation vulnerability. This issue is likely due to a design error that
causes the application to fail to verify the presence of a file before
writing to it.
An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable application.
Debian has reported that this vulnerability affects libdbi-perl 1.21 running
on Debian GNU/Linux 3.0 alias 'woody'. Other versions may be affected as
well.
GNUTLS libtasn1 DER Decoding Denial of Service Vulnerabilities
BugTraq ID: 16568
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/16568
Summary:
libtasn1 is prone to multiple denial-of-service vulnerabilities. A remote
attacker can send specifically crafted data to trigger these flaws, leading
to a denial-of-service condition.
These issues have been addressed in Libtasn1 version 0.2.18; earlier
versions are vulnerable.
ProFTPD _xlate_ascii_write() Buffer Overrun Vulnerability
BugTraq ID: 9782
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/9782
Summary:
A remotely exploitable buffer overrun was reported in ProFTPD. This issue is
due to insufficient bounds checking of user-supplied data in the
'_xlate_ascii_write()' function, permitting an attacker to overwrite two
bytes of memory adjacent to the affected buffer. The attacker may be able to
exploit this to execute arbitrary code in the context of the server. The
attacker may trigger this issue by submitting a RETR command to the server.
Mozilla Browser/Firefox JavaScript Engine Integer Overflow Vulnerability
BugTraq ID: 14917
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/14917
Summary:
Mozilla Browser/Firefox are affected by an integer-overflow vulnerability in
their JavaScript engine. A remote attacker may exploit this issue by
creating a malicious site and enticing users to visit it.
A successful attack may facilitate unauthorized remote access to a
vulnerable computer.
Netscape Browser 8.0.3.3, Netscape 7.2, and K-Meleon 0.9 are also vulnerable.
Acme Labs thttpd htpasswd Multiple Vulnerabilities
BugTraq ID: 16972
Remote: Yes
Last Updated: 2006-03-06
Relevant URL: http://www.securityfocus.com/bid/16972
Summary:
Multiple buffer-overflow vulnerabilities exist in the 'htpasswd' utility
included with thttpd. These vulnerabilities are due to improper bounds
checking of user-supplied input prior to copying it into insufficiently
sized memory buffers.
'htpasswd' is also susceptible to a command-execution vulnerability. This
issue is due to a failure of the application to properly sanitize
user-supplied input.
Since the program is not installed setuid by default, this vulnerability
does not normally have a local impact. However, this may be an issue if the
software is called from a CGI script or if it is used in conjunction with
'sudo' or other such privilege escalation utilities. An attacker may be
able to supply malformed data to the program which will cause the overflow
to occur.
The 'htpasswd' utility in thttpd was originally copied from Apache,
therefore these issues may be similar to the one described in BID 13777,
Apache HTPasswd User Command Line Argument Buffer Overflow Vulnerability.
Version 2.25b is vulnerable to these issues; prior versions are also likely
affected.
GNOME Evolution Denial Of Service Vulnerability
BugTraq ID: 16899
Remote: Yes
Last Updated: 2006-03-05
Relevant URL: http://www.securityfocus.com/bid/16899
Summary:
A denial-of-service vulnerability has been reported in Evolution.
A remote attacker may cause a denial-of-service condition in the
application, effectively denying service to legitimate users.
Cisco IOS TCLSH AAA Command Authorization Bypass Vulnerability
BugTraq ID: 16383
Remote: Yes
Last Updated: 2006-03-05
Relevant URL: http://www.securityfocus.com/bid/16383
Summary:
Cisco IOS is prone to a remote AAA command authorization-bypass
vulnerability. This issue is due to the software's failure to properly
enforce command authorization restrictions in the TCL shell.
This issue allows remote attackers to bypass AAA command authorization
checks and to gain elevated access to affected devices.
This issue is documented by Cisco bug ID CSCeh73049:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeh73049
[ firmware ]
CGI.pm Start_Form Cross-Site Scripting Vulnerability
BugTraq ID: 8231
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/8231
Summary:
CGI.pm is prone to cross-site scripting attacks under some circumstances.
This issue occurs because the 'start_form()' function (or other functions
that use this function) does not sufficiently sanitize HTML and script code
when a form action isn't specified. This could expose scripts that use the
function to cross-site scripting attacks.
GNU tar Invalid Headers Buffer Overflow Vulnerability
BugTraq ID: 16764
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/16764
Summary:
GNU Tar is prone to a buffer overflow when handling invalid headers.
Successful exploitation could potentially lead to arbitrary code execution,
but this has not been confirmed.
Tar versions 1.14 and above are vulnerable.
AbiWord RTF File Processing Buffer Overflow Vulnerability
BugTraq ID: 14971
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/14971
Summary:
AbiWord is susceptible to a buffer-overflow vulnerability. This issue is due
to the application's failure to properly bounds-check user-supplied data
before copying it to an insufficiently sized memory buffer while importing
RTF files.
This issue likely allows attackers to execute arbitrary machine code in the
context of the user running the affected application.
sa-exim Unauthorized File Access Vulnerability
BugTraq ID: 17110
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/17110
Summary:
sa-exim is prone to an unauthorized file-access vulnerability. This issue is
due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit this issue to delete arbitrary files in the context
of the user running the affected application.
[ spamassassin module for exim ]
unalz Hostile Destination Path Vulnerability
BugTraq ID: 17105
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/17105
Summary:
unalz contains a vulnerability in the handling of pathnames for archived
files.
By specifying a path for an archived item that points outside the expected
destination directory, the creator of the archive can cause the file to be
extracted to arbitrary locations on the filesystem, possibly including paths
containing system binaries and other sensitive or confidential information.
It is conjectured that an attacker could use this to create or overwrite
binaries in any desired location, using the privileges of the invoking user.
Version 0.53 is vulnerable; other versions may also be affected.
CGI::Session Multiple Information Disclosure Vulnerabilities
BugTraq ID: 17099
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/17099
Summary:
CGI::Session is prone to multiple information-disclosure vulnerabilities.
These issues are due to a failure in the application to properly set file
permissions.
An attacker can exploit these issues to retrieve the session data of an
arbitrary user.
If an administrative user's credentials are retrieved, successful
exploitation may result in the compromise of the affected application; other
attacks are also possible.
[ it is possible to run Perl scripts under a specific UID,
and it is possible to use a temporary directory ~/tmp, so
this vulnerability is only a problem in the `party-line' case,
with all scripts under the same UID.
]
Ethereal GTP Protocol Dissector Denial of Service Vulnerability
BugTraq ID: 16076
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/16076
Summary:
The Ethereal GTP protocol dissector is prone to a remotely exploitable
denial-of-service vulnerability.
Successful exploitation will cause a denial-of-service condition in the
Ethereal application.
Further details are not currently available. This BID will be updated as
more information is disclosed.
W3C libwww Multiple Vulnerabilities
BugTraq ID: 15035
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/15035
Summary:
W3C libwww is prone to multiple vulnerabilities.
These issues include a buffer overflow vulnerability and some issues related
to the handling of multipart/byteranges content.
libwww 5.4.0 is reported to be vulnerable. Other versions may be affected
as well. These issues may also be exploited through other applications that
implement the library.
Ethereal IRC Protocol Dissector Denial of Service Vulnerability
BugTraq ID: 15219
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/15219
Summary:
The Ethereal IRC protocol dissector is prone to a remotely exploitable
denial-of-service vulnerability.
An attacker may exploit this issue by causing Ethereal to process a
malformed packet. Successful exploitation will cause a denial-of-service
condition in the Ethereal application.
Further details are not currently available. This BID will be updated as
more information is disclosed.
Ethereal OSPF Protocol Dissection Stack Buffer Overflow Vulnerability
BugTraq ID: 15794
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/15794
Summary:
A remote buffer-overflow vulnerability affects Ethereal. This issue is due
to the application's failure to securely copy network-derived data into
sensitive process buffers. The specific issue occurs in the OSPF dissector.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This may
facilitate unauthorized access or privilege escalation.
lurker Multiple Input Validation Vulnerabilities
BugTraq ID: 17003
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/17003
Summary:
lurker is prone to multiple input-validation vulnerabilities. These issues
are due to failures in the application to properly sanitize user-supplied
input.
An attacker may leverage these issues to retrieve arbitrary files, overwrite
arbitrary files, and have arbitrary script code executed in the browser of
an unsuspecting user, all in the context of the affected site. This may
facilitate a compromise of the application and the theft of cookie-based
authentication credentials as well as other attacks.
xpdf Multiple Unspecified Vulnerabilities
BugTraq ID: 16748
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/16748
Summary:
The 'xpdf' utility is reportedly prone to multiple unspecified security
vulnerabilities. The cause and impact of these issues are currently unknown.
All versions of xpdf are considered vulnerable at the moment. This BID will
be updated when more information becomes available.
linux kernel mbind(2) System Call Local Denial of Service Vulnerability
BugTraq ID: 16924
Remote: No
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/16924
Summary:
The Linux kernel mbind(2) system call is prone to a local
denial-of-service vulnerability. This issue is due to a lack of proper input
sanitization in the system call's arguments.
This issue allows local users to panic the kernel, denying further service
to legitimate users.
This issue affects Linux kernel versions prior to 2.6.15.5.
Bugzilla Internal Error Cross-Site Scripting Vulnerability
BugTraq ID: 12154
Remote: Yes
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/12154
Summary:
Bugzilla is prone to a cross-site scripting vulnerability. The issue is
exposed when the software renders internal errors that include user-supplied
input.
An attacker may exploit this issue by enticing a user to follow a link that
will cause hostile HTML and script code to be rendered in an internal error
page. Exploitation may allow an attacker to steal cookie-based
authentication credentials or to mount other attacks.
Ubuntu Linux Local Installation Password Disclosure Vulnerability
BugTraq ID: 17086
Remote: No
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/17086
Summary:
Ubuntu Linux is susceptible to a local password-disclosure vulnerability.
This issue is due to the installation system improperly storing cleartext
passwords in world-readable files.
This issue allows local attackers to gain access to the user account that
was created during the initial installation of Ubuntu. Since this user is
granted 'sudo' access to the superuser account, this potentially allows
local attackers to completely compromise affected computers.
Linux kernel Security Key Functions Local copy_to_user Race Vulnerability
BugTraq ID: 17084
Remote: No
Last Updated: 2006-03-15
Relevant URL: http://www.securityfocus.com/bid/17084
Summary:
The Linux kernel is susceptible to a local race-condition vulnerability in
its security-key functionality. This issue is due to a race condition that
allows attackers to modify an argument of a copy operation after it has been
validated, but before it is used.
This vulnerability allows local attackers to crash the kernel, denying
service to legitimate users. It may also allow attackers to read portions of
kernel memory, and thus gain access to potentially sensitive information.
This may aid them in further attacks.
Linux kernel NFS Client Denial of Service Vulnerability
BugTraq ID: 16922
Remote: No
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/16922
Summary:
Linux kernel NFS client is prone to a denial-of-service vulnerability. An
unprivileged local user can panic the NFS client and cause it to fail.
This issue was addressed in Linux kernel 2.6.15.5; earlier versions are
vulnerable.
Linux kernel ELF File Entry Point Denial of Service Vulnerability
BugTraq ID: 16925
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/16925
Summary:
Linux kernel is prone to a denial-of-service vulnerability when processing a
malformed ELF file. This issue occurs only on Intel EM64T processors.
Linux kernel versions prior to 2.6.15.5 are affected by this issue.
Linux kernel ATM Module Inconsistent Reference Counts Denial of Service
Vulnerability
BugTraq ID: 17078
Remote: No
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/17078
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.
This vulnerability affects the ATM module and allows local users to panic
the kernel by creating inconsistent reference counts, denying further
service to legitimate users.
This issue affects Linux kernel versions prior to 2.6.14.
Linux kernel XFS File System Local Information Disclosure Vulnerability
BugTraq ID: 16921
Remote: No
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/16921
Summary:
The Linux kernel's XFS filesystem is susceptible to a local
information-disclosure vulnerability. This issue is due to a flaw in the
filesystem that may result in previously written data being returned to
local users.
This issue allows local malicious users to gain access to potentially
sensitive data, aiding them in further attacks.
Linux kernel versions prior to 2.6.15.5 are affected by this issue.
Bugzilla Authentication Information Disclosure Vulnerability
BugTraq ID: 13605
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/13605
Summary:
Bugzilla is prone to a vulnerability that could allow username and password
information to be disclosed in generated links. Any user with access to the
server's web logs could potentially gain access to the user's authentication
information.
Bugzilla Hidden Product Information Disclosure Vulnerability
BugTraq ID: 13606
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/13606
Summary:
Bugzilla is prone to an information-disclosure vulnerability due to improper
access validation. This could allow a user to determine the existence of a
product in the Bugzilla database even if it should not be visible to them.
Firebird Local Inet_Server Buffer Overflow Vulnerability
BugTraq ID: 17077
Remote: No
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/17077
Summary:
Firebird is susceptible to a local buffer-overflow vulnerability. This issue
is due to the application's failure to properly check boundaries of
user-supplied command-line argument data before copying it to an
insufficiently sized memory buffer.
Attackers may exploit this issue to execute arbitrary machine code with
elevated privileges, because the affected binaries are often installed with
setuid privileges.
OpenSSL Insecure Protocol Negotiation Weakness
BugTraq ID: 15071
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/15071
Summary:
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue
is due to the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option
to maintain compatibility with third-party software.
This issue presents itself when two peers try to negotiate the protocol they
wish to communicate with. Attackers who can intercept and modify the SSL
communications may exploit this weakness to force SSL version 2 to be chosen.
The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted
client and server.
Note that the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the
frequently used 'SSL_OP_ALL' option.
SSL peers that are configured to disallow SSL version 2 are not affected by
this issue.
lynx NNTP Article Header Buffer Overflow Vulnerability
BugTraq ID: 15117
Remote: Yes
Last Updated: 2006-03-14
Relevant URL: http://www.securityfocus.com/bid/15117
Summary:
lynx is prone to a buffer overflow when handling NNTP article headers.
This issue may be exploited when the browser handles NNTP content, such as
through 'news:' or 'nntp:' URIs. Successful exploitation will result in
code execution in the context of the program user.
Sylpheed LDIF Import Remote Buffer Overflow Vulnerability
BugTraq ID: 15363
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/15363
Summary:
Sylpheed is prone to a buffer-overflow vulnerability.
A buffer overflow can occur when an unsuspecting user imports a malicious
LDIF file into an address book.
Exploitation of this vulnerability may allow an attacker to gain
unauthorized access to the computer in the context of the Sylpheed client.
Metamail Message Processing Remote Buffer Overflow Vulnerability
BugTraq ID: 16611
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16611
Summary:
Metamail is prone to a remote buffer-overflow vulnerability.
This issue arises when the application handles messages with large string
values for boundaries.
This can cause memory corruption and trigger a crash in the application.
This issue may also lead to arbitrary code execution, but this is
unconfirmed.
Metamail 2.7 is reportedly vulnerable, but other versions may be affected as
well.
Lincoln D. Stein Crypt::CBC Perl Module Weak Ciphertext Vulnerability
BugTraq ID: 16802
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16802
Summary:
Crypt::CBC is susceptible to a weak-ciphertext vulnerability. This issue is
due to a flaw in its creation of IVs (Initialization Vectors) for ciphers
with a blocksize larger than 8.
This issue results in the creation of ciphertext that contains bytes
encrypted with a constant null IV. This ciphertext is prone to differential
cryptanalysis, aiding attackers in compromising the plaintext of encrypted
data.
The level of difficulty attackers may face trying to exploit this flaw is
currently unknown, but data encrypted with vulnerable versions of Crypt::CBC
should be considered insecure.
Crypt::CBC versions prior to 2.17 are vulnerable to this issue if they use
the 'RandomIV' header style.
Heimdal RSHD Local Privilege Escalation Vulnerability
BugTraq ID: 16524
Remote: No
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16524
Summary:
Heimdal 'rshd' is prone to a local privilege-escalation vulnerability.
A local attacker can gain ownership of a file by overwriting its credential
cache. This may lead to various attacks, including privilege escalation.
Heimdal versions prior to 0.7.2 and 0.6.6 are vulnerable.
[ kerberized version of rshd; use SSH instead anyway ]
PEAR::Auth Multiple Unspecified SQL Injection Vulnerabilities
BugTraq ID: 16758
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16758
Summary:
PEAR::Auth is prone to multiple unspecified SQL-injection vulnerabilities.
This vulnerability could permit remote attackers to pass malicious input to
database queries, resulting in the modification of query logic or other
attacks.
Successful exploitation could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.
PEAR::Auth versions prior to 1.2.4 and to 1.3.0r4 are vulnerable.
Further information reports these issues affect the DB and LDAP Auth
Containers.
Apache HTTP Request Smuggling Vulnerability
BugTraq ID: 14106
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14106
Summary:
Apache is prone to an HTTP-request-smuggling attack.
A specially crafted request with a 'Transfer-Encoding: chunked' header and a
'Content-Length' header can cause the server to forward a reassembled
request with the original 'Content-Length' header. As a result, the
malicious request may piggyback on the valid HTTP request.
This attack may result in cache poisoning, cross-site scripting, session
hijacking, and other attacks.
This issue was originally described in BID 13873 (Multiple Vendor Multiple
HTTP Request Smuggling Vulnerabilities). Due to the availability of more
details and vendor confirmation, the issue is now a new BID.
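Added example, not from the newsletter or from Apache: a minimal framer that splits one connection's bytes into requests the way a Content-Length-based front end and a chunked-based back end each would, run over a constructed attacker request carrying both headers followed by an innocent user's request. The hostnames and paths are made up; has_ambiguous_framing() is the check a proxy should apply before forwarding anything.

```python
from typing import Dict, List, Optional, Tuple


def _parse_head(stream: bytes, pos: int) -> Optional[Tuple[str, Dict[str, str], int]]:
    """Parse request line and headers at pos; return (request line, headers, body offset)."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _chunked_body_end(stream: bytes, pos: int) -> int:
    """Walk chunk-size lines until the zero-length chunk; return the offset past the trailer CRLF."""
    while True:
        nl = stream.find(b"\r\n", pos)
        size = int(stream[pos:nl].split(b";")[0], 16)        # chunk extensions ignored
        if size == 0:
            return stream.find(b"\r\n\r\n", nl) + 4           # last chunk, (empty) trailers, CRLF
        pos = nl + 2 + size + 2                                # CRLF, chunk data, CRLF


def frame_requests(stream: bytes, framing: str) -> List[Tuple[str, bytes]]:
    """Split a connection's bytes into requests as a server would when it trusts
    Content-Length ("cl") or Transfer-Encoding: chunked ("te") to delimit the body."""
    pos, requests = 0, []
    while pos < len(stream):
        head = _parse_head(stream, pos)
        if head is None:                                       # bytes still waiting for more data
            requests.append(("<incomplete>", stream[pos:]))
            break
        request_line, headers, body_start = head
        if framing == "te" and headers.get("transfer-encoding", "").lower() == "chunked":
            body_end = _chunked_body_end(stream, body_start)
        else:
            body_end = body_start + int(headers.get("content-length", "0"))
        requests.append((request_line, stream[body_start:body_end]))
        pos = body_end
    return requests


def has_ambiguous_framing(request: bytes) -> bool:
    """Both length headers on one request is a desync attempt: reject it at the front end."""
    head = _parse_head(request, 0)
    return head is not None and "content-length" in head[1] and "transfer-encoding" in head[1]


# Constructed traffic: the attacker's request, then a victim's request on the same connection.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nHost: example.com\r\nX-Ignore: "
BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER = (b"POST / HTTP/1.1\r\nHost: example.com\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + BODY)
VICTIM = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def request_lines(framing: str) -> List[str]:
    return [line for line, _ in frame_requests(ATTACKER + VICTIM, framing)]


if __name__ == "__main__":
    print("front end (Content-Length):", request_lines("cl"))
    print("back end  (chunked):       ", request_lines("te"))
```

The Content-Length reader sees one POST whose body happens to contain text, then the victim's GET. The chunked reader ends the POST body at the zero chunk and takes the leftover bytes as the start of a new request, whose dangling X-Ignore header swallows the victim's request line: that is the piggybacking the advisory describes.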
Apache CGI Byterange Request Denial of Service Vulnerability
BugTraq ID: 14660
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14660
Summary:
Apache is prone to a denial of service when handling large CGI byterange
requests.
PCRE Regular Expression Heap Overflow Vulnerability
BugTraq ID: 14620
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14620
Summary:
PCRE is prone to a heap-overflow vulnerability. This issue is due to the
library's failure to properly perform boundary checks on user-supplied input
before copying data to an internal memory buffer.
The impact of successful exploitation of this vulnerability depends on the
application and the user credentials using the vulnerable library. A
successful attack may ultimately permit an attacker to control the contents
of critical memory control structures and write arbitrary data to arbitrary
memory locations.
Apache mod_ssl CRL Handling Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 14366
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14366
Summary:
Apache's mod_ssl is prone to an off-by-one buffer-overflow condition.
The vulnerability arising in the mod_ssl CRL verification callback allows
for potential memory corruption when a malicious CRL is handled.
An attacker may exploit this issue to trigger a denial-of-service condition.
Presumably, arbitrary code execution may be possible as well.
wzdftpd SITE Command Arbitrary Command Execution Vulnerability
BugTraq ID: 14935
Remote: Yes
Last Updated: 2006-03-17
Relevant URL: http://www.securityfocus.com/bid/14935
Summary:
The 'wzdftpd' utility is affected by a remote arbitrary command-execution
vulnerability.
This issue can allow an attacker to execute commands in the context of an
affected server and potentially gain unauthorized access.
Version 0.5.4 of wzdftpd is reported to be vulnerable. Other versions may be
affected as well.
util-vserver Unknown Linux Capabilities Vulnerability
BugTraq ID: 17180
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17180
Summary:
The util-vserver package for the Linux-VServer project is susceptible to an
unknown Linux capability vulnerability. The package fails to properly handle
unknown Linux capabilities.
The exact consequences of this issue are currently unknown. They depend on
the nature of the unknown capabilities and on the nature of the applications
that use them. Hosted virtual servers may possibly gain inappropriate access
to the hosting operating system.
libcgi-session-perl Multiple Insecure Temporary File Creation
Vulnerabilities
BugTraq ID: 17177
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17177
Summary:
The libcgi-session-perl package is prone to multiple vulnerabilities -- it
creates temporary files in an insecure manner. An attacker could exploit
these vulnerabilities to overwrite files or gain access to information in
sensitive files.
Version 4.03-1 of libcgi-session-perl is vulnerable. Other versions may also
be affected.
curl / libcurl TFTP URL Parser Buffer Overflow Vulnerability
BugTraq ID: 17154
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17154
Summary:
curl and libcurl are prone to a buffer-overflow vulnerability. This issue is
due to a failure in the library to perform proper bounds checks on
user-supplied data before using it in a finite-sized buffer.
The issue occurs when the URL parser handles an excessively long URL string
with a TFTP protocol prefix 'tftp://'.
An attacker can exploit this issue to crash the affected library,
effectively denying service. Arbitrary code execution may also be possible,
which may facilitate a compromise of the underlying system.
Linux kernel Netfilter do_replace Remote Buffer Overflow Vulnerability
BugTraq ID: 17178
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17178
Summary:
The Linux kernel is susceptible to a remote buffer-overflow vulnerability.
This issue is due to the kernel's failure to properly bounds-check
user-supplied input before using it in a memory copy operation.
This issue allows remote attackers to overwrite kernel memory with arbitrary
data, potentially allowing them to execute malicious machine code in the
context of affected kernels. This vulnerability facilitates the complete
compromise of affected computers.
Linux kernel versions prior to 2.6.16 in the 2.6 series are affected by this
issue.
F5 Firepass 4100 SSL VPN Cross-Site Scripting Vulnerability
BugTraq ID: 17175
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17175
Summary:
FirePass 4100 SSL VPN is prone to a cross-site scripting vulnerability. This
issue is due to a failure in the application to properly sanitize
user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed
in the browser of an unsuspecting user in the context of the affected site.
This may facilitate the theft of cookie-based authentication credentials as
well as other attacks.
[ firmware ]
Linux VServer Project CHRoot Breakout Vulnerability
BugTraq ID: 9596
Remote: No
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/9596
Summary:
VServer is reported prone to a breakout vulnerability that allows a
malicious user to escape from the context of the chrooted root directory of
the virtual server. This issue is due to the VServer application failing to
secure itself against a "chroot-again" style vulnerability. Successful
exploitation of this issue may allow an attacker to gain access to the
filesystem outside of the chrooted root directory.
X.Org X Window Server Local Privilege Escalation Vulnerability
BugTraq ID: 17169
Remote: No
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17169
Summary:
The X.Org X Window server is prone to a privilege-escalation vulnerability.
A local attacker can exploit this issue to load arbitrary modules and
execute them or overwrite arbitrary files with superuser privileges. This
may facilitate a complete compromise of the affected computer.
GNOME Evolution Inline XML File Attachment Buffer Overflow Vulnerability
BugTraq ID: 16408
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/16408
Summary:
GNOME Evolution email client is prone to a denial-of-service vulnerability
when processing messages containing inline XML file attachments with
excessively long strings.
Linux kernel raw_sendmsg() Kernel Memory Access Vulnerability
BugTraq ID: 14787
Remote: No
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/14787
Summary:
Linux kernel is prone to a kernel memory-access vulnerability.
This issue affects the 'raw_sendmsg()' function and can allow a local
attacker to access kernel memory or manipulate the hardware state due to
unauthorized access to I/O ports.
Linux kernel 2.6.10 is reportedly vulnerable, but other versions are likely
to be affected as well.
ProFTPD SQLShowInfo SQL Output Format String Vulnerability
BugTraq ID: 14380
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/14380
Summary:
A format-string vulnerability affects ProFTPD. This issue occurs when the
SQLShowInfo directive is enabled. If the attacker can influence data in the
backend SQL database, then the attacker may be able to exploit this issue by
inserting a malicious format string into data that will be queried by
ProFTPD.
A successful attack will allow arbitrary code to execute in the context of
the server.
ProFTPD Shutdown Message Format String Vulnerability
BugTraq ID: 14381
Remote: Yes
Last Updated: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/14381
Summary:
A format-string vulnerability affects ProFTPD. This issue occurs when the
server prints a shutdown message containing certain variables such as the
current directory. If an attacker could create a directory on the server,
this may trigger this issue.
Successful exploitation will result in arbitrary code execution in the
context of the server.
Todd Miller sudo Local Privilege Escalation Vulnerability
BugTraq ID: 15191
Remote: No
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/15191
Summary:
sudo is prone to a local privilege-escalation vulnerability.
The vulnerability presents itself because the application fails to properly
sanitize malicious data supplied through environment variables.
A successful attack may result in a complete compromise.
GnuPG Incorrect Non-Detached Signature Verification Vulnerability
BugTraq ID: 17058
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17058
Summary:
GnuPG is prone to a vulnerability involving incorrect verification of
non-detached signatures.
A successful attack can allow an attacker to simply take a signed message
and inject arbitrary data into it and bypass verification.
Note that this issue also affects verification of signatures embedded in
encrypted messages. Scripts and applications using gpg are affected, as are
applications using the GPGME library.
GnuPG versions prior to 1.4.2.2 are vulnerable to this issue.
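Added example (mine, not GnuPG's code or its published advice): a checker for the `gpg --status-fd 1 --verify` output of an inline-signed message that does not rely on the exit code alone. The status keywords (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NODATA, PLAINTEXT) are the ones documented in GnuPG's doc/DETAILS; the policy of requiring exactly one good signature and exactly one PLAINTEXT section is my conservative assumption about how an injected, unsigned data section shows up on the status channel, and the sample status lines are constructed.

```python
from collections import Counter
from typing import Iterable, List, Tuple


def signature_acceptable(status_lines: Iterable[str]) -> Tuple[bool, str]:
    """Decide from gpg status-fd lines whether a non-detached signed message is
    wholly covered by exactly one good signature."""
    counts: Counter = Counter()
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                                    # ordinary stderr text, not a status line
        counts[line.split()[1]] += 1
    if counts["BADSIG"] or counts["ERRSIG"] or counts["NODATA"]:
        return False, "bad, unverifiable or missing signature"
    if counts["GOODSIG"] != 1 or counts["VALIDSIG"] != 1:
        return False, "expected exactly one good signature, saw %d" % counts["GOODSIG"]
    if counts["PLAINTEXT"] != 1:
        # Assumption: every literal data packet yields one PLAINTEXT line, so a
        # second one means data was appended that the signature does not cover.
        return False, "expected exactly one signed data section, saw %d" % counts["PLAINTEXT"]
    return True, "ok"


# Constructed status output for a clean message (key IDs and timestamps are made up).
CLEAN: List[str] = [
    "[GNUPG:] PLAINTEXT 62 1142000000 message.txt",
    "[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz1 2006-03-10 1142000000",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.com>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-03-10 1142000000 0 3 0 1 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_ULTIMATE",
]

# Same message with an unsigned literal packet appended after the signed one.
INJECTED: List[str] = CLEAN + ["[GNUPG:] PLAINTEXT 62 1142000100 injected.txt"]

# No signature at all.
UNSIGNED: List[str] = ["[GNUPG:] PLAINTEXT 62 1142000000 message.txt"]


if __name__ == "__main__":
    for label, lines in (("clean", CLEAN), ("injected", INJECTED), ("unsigned", UNSIGNED)):
        print(label, signature_acceptable(lines))
```

Scripts that only test gpg's return code are exactly the callers the advisory says are affected; reading the status lines, and preferring detached signatures where the workflow allows, removes that dependence.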
Apache Log4Net Denial Of Service Vulnerability
BugTraq ID: 17095
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17095
Summary:
Log4net is prone to a remote denial-of-service vulnerability.
An attacker may cause the application to crash, thus denying service to
legitimate users.
KDE KJS encodeuri / decodeuri Remote Heap Overflow Vulnerability
BugTraq ID: 16325
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16325
Summary:
KDE KJS is prone to a remote heap-overflow vulnerability.
Specifically, the issue presents itself when the application decodes
specially crafted UTF-8 encoded URI sequences.
A successful attack can result in a remote compromise in the context of the
user running the vulnerable application.
KDE versions 3.2.0, up to and including KDE 3.5.0, are vulnerable to this
issue.
Multiple Web Browser International Domain Name Handling Site Property
Spoofing Vulnerabilities
BugTraq ID: 12461
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/12461
Summary:
Multiple Web browsers are reported prone to vulnerabilities that surround
the handling of International Domain Names.
The vulnerabilities are caused by inconsistencies in how International
Domain Names are processed. Reports indicate that attackers can leverage
this to spoof address bar, status-bar, and SSL certificate values.
Remote attackers may exploit these vulnerabilities in phishing-style
attacks. Through a false sense of trust, users may voluntarily disclose
sensitive information to a malicious website.
Although these vulnerabilities are reported to affect browsers, mail clients
that depend on the browser to generate HTML code may also be affected.
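Added example, not from the newsletter or from any browser vendor: with the standard library alone, convert a hostname between its Unicode and punycode (xn--) forms and flag labels that mix letters from more than one script, the pattern behind the homograph spoof. The script heuristic (first word of the Unicode character name) and the sample hostnames are my assumptions; Python's idna codec implements the IDNA 2003 rules that were current for these reports.

```python
import unicodedata
from typing import List, Set


def script_of(ch: str) -> str:
    # Heuristic: the leading word of the character name ("LATIN", "CYRILLIC", "GREEK", ...).
    # Good enough for alphabetic scripts; names such as "FULLWIDTH LATIN ..." would need a table.
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_ascii(hostname: str) -> str:
    """Wire form: what the resolver and the certificate actually see."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Display form, whether the input was Unicode or already xn-- labels."""
    return hostname.encode("idna").decode("idna")


def label_scripts(label: str) -> Set[str]:
    return {script_of(ch) for ch in label if ch.isalpha()}


def mixed_script_labels(hostname: str) -> List[str]:
    """Labels combining letters from more than one script: the hallmark of a look-alike."""
    return [label for label in to_unicode(hostname).split(".") if len(label_scripts(label)) > 1]


def is_mixed_script(hostname: str) -> bool:
    return bool(mixed_script_labels(hostname))


if __name__ == "__main__":
    # Constructed look-alike: Latin letters with a Cyrillic small a (U+0430) in second position.
    spoof = "p\u0430ypal.com"
    print(spoof, "->", to_ascii(spoof), "mixed:", is_mixed_script(spoof))
    print("paypal.com mixed:", is_mixed_script("paypal.com"))
```

Showing the xn-- form, or refusing to render a mixed-script label as Unicode, is what browsers eventually did; a label written entirely in one non-Latin script is legitimate and is not flagged here.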
KDE kate, kwrite Local Backup File Information Disclosure Vulnerability
BugTraq ID: 14297
Remote: No
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14297
Summary:
KDE kate and kwrite are susceptible to a local information-disclosure
vulnerability. The applications fail to maintain secure file permissions
when creating backup files.
This vulnerability allows local attackers to gain access to the contents of
potentially sensitive files.
Note: Since these applications are network-aware, under some unknown
circumstances, this issue may not be restricted to local attackers.
Kpdf and kword Multiple Unspecified Buffer and Integer Overflow
Vulnerabilities
BugTraq ID: 16143
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/16143
Summary:
kpdf and kword are prone to multiple buffer and integer overflows.
Successful exploitation could result in arbitrary code execution in the
context of the user running the vulnerable application.
Specific details of these issues are not currently available. This record
will be updated when more information becomes available.
The following are vulnerable:
- kdegraphics package
- kpdf versions 3.4.3 and earlier
- koffice
- kword versions 1.4.2 and earlier
xpdf loca Table Verification Remote Denial of Service Vulnerability
BugTraq ID: 14529
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/14529
Summary:
The 'xpdf' utility is prone to a remote denial-of-service vulnerability.
The vulnerability presents itself when the application tries to verify the
validity of a malformed 'loca' table in PDF files.
This issue can result in disk consumption and can ultimately lead to a
denial-of-service condition.
The 'kpdf', 'gpdf', and 'CUPS' utilities are vulnerable to this issue as
well.
libungif Null Pointer Dereference Denial of Service Vulnerability
BugTraq ID: 15304
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/15304
Summary:
The libungif library is prone to a denial-of-service vulnerability. The
library fails to handle exceptional conditions.
Successful exploitation of this vulnerability will cause the application
using the affected library to crash, effectively denying service to
legitimate users.
Version 4.1.3 and prior are considered vulnerable to this issue.
A remote attacker may exploit this issue to deny service for legitimate
users.
libungif Colormap Handling Memory Corruption Vulnerability
BugTraq ID: 15299
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/15299
Summary:
The libungif library is prone to a memory-corruption vulnerability.
Reports indicate that due to the library's improper handling of colormaps in
GIF files, an attacker can trigger out-of-bounds writes and corrupt memory.
This may lead to a denial-of-service condition.
Version 4.1.3 and prior are considered vulnerable to this issue.
GDK-Pixbuf XPM Images Integer Overflow Vulnerability
BugTraq ID: 15428
Remote: Yes
Last Updated: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/15428
Summary:
A remote integer-overflow vulnerability affects gdk-pixbuf.
When an application that uses the vulnerable library processes a malformed
XPM file, the application will crash, denying service to legitimate users.
An attacker may also be able to exploit this issue to execute arbitrary code
with the privileges of the application using the vulnerable library.
ImageMagick Image Filename Remote Command Execution Vulnerability
BugTraq ID: 16093
Remote: Yes
Last Updated: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/16093
Summary:
ImageMagick is prone to a remote shell command-execution vulnerability.
Successful exploitation can allow arbitrary commands to be executed in the
context of the affected user. Note that attackers could exploit this issue
through other applications that use ImageMagick as the default image viewer.
ImageMagick 6.2.4.5 is reportedly vulnerable. Other versions may be affected
as well.
ImageMagick File Name Handling Remote Format String Vulnerability
BugTraq ID: 12717
Remote: Yes
Last Updated: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/12717
Summary:
ImageMagick is reported prone to a remote format-string vulnerability.
Reportedly, this issue arises when the application handles malformed
filenames. An attacker can exploit this vulnerability by crafting a
malicious file with a name that contains format specifiers and sending the
file to an unsuspecting user.
Note that there are other attack vectors that may not require user
interaction, since the application can be used with custom printing systems
and web applications.
A successful attack may crash the application or lead to arbitrary code
execution.
All versions of ImageMagick are considered vulnerable at the moment.
FreeRadius RLM_SQLCounter SQL Injection Vulnerability
BugTraq ID: 17294
Remote: Yes
Last Updated: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17294
Summary:
FreeRADIUS is prone to an SQL-injection vulnerability. This issue is due to
a failure in the application to properly sanitize user-supplied input before
using it in an SQL query.
Successful exploitation could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.
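Neither the PEAR::Auth entry above nor this rlm_sqlcounter entry shows the injection itself, so here is an added example (mine, not PEAR's or FreeRADIUS's code) using sqlite3: an authentication query and an accounting-sum query built by string interpolation, each beside its parameterised form, run against a constructed in-memory table. Column names, rows and payloads are made up.

```python
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; stands in for the DB/LDAP container or accounting table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, session_seconds INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 120), ("bob", "hunter2", 300)])
    return conn


def authenticate_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The inputs become part of the SQL text, so quotes and comment markers change the query.
    query = "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(query).fetchone() is not None


def authenticate_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately, they can never be parsed as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def session_total_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Counter-style query: total session time for one user, built by interpolation."""
    query = "SELECT SUM(session_seconds) FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchone()[0] or 0


def session_total_safe(conn: sqlite3.Connection, username: str) -> int:
    query = "SELECT SUM(session_seconds) FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0] or 0


if __name__ == "__main__":
    conn = open_sample_db()
    print("login as alice' -- :", authenticate_vulnerable(conn, "alice' --", "wrong"),
          "/ safe:", authenticate_safe(conn, "alice' --", "wrong"))
    print("sum for ' OR '1'='1 :", session_total_vulnerable(conn, "' OR '1'='1"),
          "/ safe:", session_total_safe(conn, "' OR '1'='1"))
```

The `--` payload comments out the password test; the `' OR '1'='1` payload widens the counter query to every row, which for a session-limit counter means an attacker can inflate or deflate the figure the server enforces. Parameterised statements close both paths, whatever the backend.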
FreeRADIUS Multiple RLM_SQLCounter Buffer Overflow Vulnerabilities
BugTraq ID: 17293
Remote: Yes
Last Updated: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17293
Summary:
FreeRADIUS is prone to multiple buffer-overflow vulnerabilities. These
issues are due to a failure in the application to do proper bounds checking
on user-supplied data.
Reportedly, these issues may result in a denial-of-service condition only.
Attackers cannot exploit these issues to gain unauthorized remote access.
Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
BugTraq ID: 17288
Remote: No
Last Updated: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17288
Summary:
Multiple packages in Debian GNU/Linux are susceptible to an insecure RUNPATH
vulnerability. This issue is due to a flaw in the build system that results
in insecure RUNPATHs being included in certain binaries.
This vulnerability may result in arbitrary code being executed in the
context of users who run the vulnerable executables. This may facilitate
privilege escalation.
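Added example, not from Debian's tooling: a scanner over `readelf -d` output that pulls the RUNPATH/RPATH entries out of a binary and flags the ones a local user could populate with a library of their choosing. The "Library runpath: [...]" line format is binutils' own; the sample output, the list of world-writable prefixes and the rule that $ORIGIN counts as insecure on set-uid binaries are my assumptions.

```python
import os
import re
import stat
from typing import List

_RPATH_LINE = re.compile(r"\((?:RUNPATH|RPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
WORLD_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")   # assumption: usual shared scratch dirs


def runpath_entries(readelf_output: str) -> List[str]:
    """Extract the colon-separated search path from `readelf -d <binary>` output."""
    entries: List[str] = []
    for line in readelf_output.splitlines():
        match = _RPATH_LINE.search(line)
        if match:
            entries.extend(match.group(1).split(":"))
    return entries


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def insecure_entries(entries: List[str], setuid: bool = False) -> List[str]:
    """Entries that let a local attacker control which shared object gets loaded."""
    bad: List[str] = []
    for entry in entries:
        if not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
            bad.append(entry)          # "" or "." or relative: resolved against the caller's cwd
        elif any(_under(entry, p) for p in WORLD_WRITABLE_PREFIXES):
            bad.append(entry)          # build-tree leftovers in a shared scratch directory
        elif setuid and entry.startswith(("$ORIGIN", "${ORIGIN}")):
            bad.append(entry)          # conservative rule: the binary's own directory may be attacker-chosen
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            bad.append(entry)          # exists on this host and anyone may drop a library there
    return bad


# Constructed sample of `readelf -d` output for a binary built in /tmp.
SAMPLE_READELF = """Dynamic section at offset 0x1d60 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/foo:.:/tmp/buildd/foo-1.0/.libs:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""


if __name__ == "__main__":
    found = runpath_entries(SAMPLE_READELF)
    print("RUNPATH entries:", found)
    print("insecure:", insecure_entries(found))
    print("insecure if set-uid:", insecure_entries(found, setuid=True))
```

In practice the scanner is fed with `readelf -d` over every ELF file in a package; the hits to fix are the relative entries and the ones that still point at the build directory.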
NetPBM pstopnm Arbitrary Code Execution Vulnerability
BugTraq ID: 14379
Remote: Yes
Last Updated: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/14379
Summary:
The 'pstopnm' command is susceptible to an arbitrary command-execution
vulnerability. This issue is due to the program's failure to ensure that
GhostScript is executed in a secure manner.
This issue allows attackers to create malicious PostScript files that allow
arbitrary commands to be executed when the affected utility parses the
files. This occurs in the context of the user running the affected utility.
This vulnerability was reported in version 10.0 of netpbm. Other versions
may also be affected.
flex Code Generation Buffer Overflow Vulnerability
BugTraq ID: 16896
Remote: Yes
Last Updated: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/16896
Summary:
flex is prone to a buffer-overflow vulnerability. This issue is due to a
failure in the application to do proper bounds checking on user-supplied
data before using it in finite-sized memory buffers.
An attacker can exploit this issue to execute arbitrary code in the context
of the user running the affected application. This may facilitate a
compromise of the underlying computer.
flex versions 2.5.31 and prior are vulnerable.
[ lex/flex, like yacc/bison, is a code generator: the generated code ends
up in the application. As such, the vulnerability means that every
application that uses flex in its build has to be recompiled. At least
that is how I understood these bugs. ]
NetBSD if_bridge(4) Kernel Memory Disclosure Vulnerability
BugTraq ID: 17312
Remote: No
Last Updated: 2006-03-30
Relevant URL: http://www.securityfocus.com/bid/17312
Summary:
NetBSD 'if_bridge(4)' is prone to a kernel memory-disclosure vulnerability.
This issue can allow a user-space process to obtain portions of kernel
memory, which may aid in further attacks against the vulnerable computer.
util-vserver SUEXEC Privilege Escalation Weakness
BugTraq ID: 17361
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17361
Summary:
The util-vserver package for the Linux-VServer project is susceptible to a
privilege-escalation weakness.
This issue allows remote attackers that exploit latent vulnerabilities in
services to potentially gain superuser privileges in a guest virtual server.
This may aid them in further attacks.
zope RestructuredText File Include Vulnerability
BugTraq ID: 15082
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/15082
Summary:
Zope is prone to a file-include vulnerability in the docutils module because
Zope honors file-inclusion directives in RestructuredText objects by default.
An attacker can exploit this vulnerability to include and execute arbitrary
Zope code in the security context of the Zope server.
Net-SNMP Unspecified Remote Stream-Based Protocol Denial Of Service
Vulnerability
BugTraq ID: 14168
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The issue is
exposed when Net-SNMP is configured to have an open stream-based protocol
port, such as TCP.
The exact details describing this issue are not available. This BID will be
updated when further details are made available.
Info-ZIP unzip CHMod File Permission Modification Race Condition Weakness
BugTraq ID: 14450
Remote: No
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/14450
Summary:
Info-ZIP unzip is reported prone to a security weakness. The issue occurs
only when an archive is extracted into a world- or group-writable directory.
Reportedly, unzip employs non-atomic procedures to write a file and later to
change the permissions on the newly extracted file.
A local attacker may leverage this issue to modify file permissions of
target files.
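Added example, not from Info-ZIP: the create-then-chmod sequence the advisory describes beside the atomic alternative, where the file is created with its final mode through a single open(2) with O_CREAT|O_EXCL so there is no second step for an attacker in a shared directory to redirect. demo() runs both in a scratch directory; file names and contents are constructed.

```python
import os
import shutil
import stat
import tempfile
from typing import Tuple


def extract_racy(dest_dir: str, name: str, data: bytes, mode: int) -> Tuple[int, int]:
    """Create, write, then chmod: the non-atomic sequence the advisory describes.
    Returns (mode visible between the two steps, final mode). In a group- or
    world-writable directory the window is where the name can be swapped, so the
    chmod lands on whatever file now carries that name."""
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:                  # created with 0666 & ~umask
        fh.write(data)
    mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)                          # separate syscall, acts on the name, not the file
    return mode_in_window, stat.S_IMODE(os.stat(path).st_mode)


def extract_atomic(dest_dir: str, name: str, data: bytes, mode: int) -> int:
    """Create the file with its final permissions in one open(2).
    O_EXCL makes the call fail instead of reusing a file or symlink planted earlier."""
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both extractors in a temporary directory with a typical umask."""
    old_umask = os.umask(0o022)
    dest = tempfile.mkdtemp()
    try:
        racy = extract_racy(dest, "racy.txt", b"private", 0o600)
        atomic = extract_atomic(dest, "atomic.txt", b"private", 0o600)
        try:
            extract_atomic(dest, "atomic.txt", b"replaced", 0o600)
            exclusive = False
        except FileExistsError:
            exclusive = True                      # a pre-planted file of that name is refused
        return {"racy": racy, "atomic": atomic, "exclusive": exclusive}
    finally:
        shutil.rmtree(dest)
        os.umask(old_umask)


if __name__ == "__main__":
    result = demo()
    print("racy: mode in window %o, final %o" % result["racy"])
    print("atomic: mode from creation %o, refuses existing name: %s" % (result["atomic"], result["exclusive"]))
```

The remaining gap is the archive's own permission bits being wider than 0600; the point is that whatever mode is chosen is applied at creation rather than afterwards.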
Squid FTP Server Response Denial Of Service Vulnerability
BugTraq ID: 15157
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/15157
Summary:
Squid is prone to a remote denial-of-service vulnerability. This is due to a
flaw in the way that Squid communicates with FTP servers.
This issue has been reported in Squid version 2.5 and prior.
ARJ Software unarj Remote Buffer Overflow Vulnerability
BugTraq ID: 11665
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/11665
Summary:
A remote buffer overflow vulnerability affects ARJ Software's unarj. This
issue is caused by a failure of the application to carry out sufficient
bounds checking on user-supplied strings prior to processing.
A remote attacker may leverage this issue to execute arbitrary code with the
privileges of the user who processes a malicious file with the affected
application. This may facilitate unauthorized access or privilege
escalation.
Winace unace ACE Archive Remote Directory Traversal Vulnerability
BugTraq ID: 12628
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/12628
Summary:
A remotely exploitable client-side directory-traversal vulnerability affects
Winace unace. The application fails to properly sanitize file and directory
names contained within malicious ACE format archives.
An attacker may leverage this issue by distributing malicious ACE archives
to unsuspecting users. This issue will allow an attacker to write files to
arbitrary locations on the filesystem with the privileges of an unsuspecting
user that extracts the malicious ACE archive.
Winace unace ACE Archive Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 12630
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/12630
Summary:
Multiple remotely exploitable client-side buffer-overflow vulnerabilities
reportedly affect WinAce unace. These issues are due to the application's
failure to properly validate the length of user-supplied strings before
copying them into static process buffers.
An attacker may exploit these issues to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This may
facilitate unauthorized access or privilege escalation.
**Update: Versions 2.x of unace are reportedly affected by one of these
issues as well. The vulnerability has been confirmed in 2.04, 2.2, and 2.5.
University Of Washington IMAP Mailbox Name Buffer Overflow Vulnerability
BugTraq ID: 15009
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/15009
Summary:
University of Washington IMAP is prone to a buffer-overflow vulnerability.
This issue is exposed when the application parses mailbox names.
If successful, an attacker may execute arbitrary code in the context of the
server process. Note that to exploit this issue, the attacker must first
authenticate to the service.
Samba Machine Trust Account Local Information Disclosure Vulnerability
BugTraq ID: 17314
Remote: No
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17314
Summary:
Samba is susceptible to a local information-disclosure vulnerability. This
issue is due to a design error that potentially leads to sensitive
information being written to log files. This occurs when the debugging level
has been set to 5 or higher.
This issue allows local attackers to gain access to the machine trust
account of affected computers. Attackers may then impersonate the affected
server in the domain. By impersonating the member server, attackers may gain
access to further sensitive information, including the users and groups in
the domain; other information may also be available. This may aid attackers
in further attacks.
Samba versions 3.0.21 through to 3.0.21c that use the 'winbindd' daemon are
susceptible to this issue.
Linux kernel IP ID Information Disclosure Weakness
BugTraq ID: 17109
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17109
Summary:
The Linux kernel is susceptible to a remote information-disclosure weakness.
This issue is due to an implementation flaw of a zero 'ip_id'
information-disclosure countermeasure.
This issue allows remote attackers to use affected computers in stealth
network port and trust scans.
The Linux kernel 2.6 series, as well as some kernels in the 2.4 series, are
affected by this weakness.
FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
BugTraq ID: 17171
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17171
Summary:
FreeRADIUS is prone to an authentication-bypass vulnerability. The issue
exists in the EAP-MSCHAPv2 state machine. Bypassing authentication could
also cause the server to crash.
FreeRADIUS versions from 1.0.0 to 1.1.0 are vulnerable.
FreeRADIUS Multiple Remote Vulnerabilities
BugTraq ID: 14775
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/14775
Summary:
FreeRADIUS is susceptible to multiple remote vulnerabilities.
- Memory-handling vulnerabilities. These issues may allow remote attackers
to crash affected services or possibly execute arbitrary machine code in the
context of the vulnerable application.
- File descriptor leak. Attackers may exploit this to gain access to files
that they may not normally have access to.
- The LDAP module contains a flaw whereby attacker-specified data may be
passed on to the configured LDAP database without proper input sanitization.
These issues are all reported to affect version 1.0.4 of FreeRADIUS;
previous versions are also likely vulnerable to one or more of these issues.
**Update: The vendor has posted a response to these issues. Please see
"Response to Suse Audit Report on FreeRADIUS" for further details.
Multiple LHA Buffer Overflow/Directory Traversal Vulnerabilities
BugTraq ID: 10243
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/10243
Summary:
LHA has been reported prone to multiple vulnerabilities that may allow a
malicious archive to execute arbitrary code or corrupt arbitrary files when
the archive is operated on.
The first issues reported have been assigned the CVE candidate identifier
(CAN-2004-0234). It is reported that LHA is prone to two stack based buffer
overflow vulnerabilities. These vulnerabilities may be exploited to execute
supplied instructions with the privileges of the user who invoked the
affected LHA utility.
The second set of issues has been assigned CVE candidate identifier
(CAN-2004-0235). In addition to the buffer overflow vulnerabilities that
were reported, LHA has been reported prone to several directory traversal
issues. These directory traversal vulnerabilities may likely be exploited to
corrupt/overwrite files in the context of the user who is running the
affected LHA utility.
**It has been reported that this issue may also cause a denial of service
condition in the ClearSwift MAILsweeper products due to code dependency.
**Update: Many F-Secure Anti-Virus products are also reported to be prone to
the buffer overflow vulnerability.
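Serves both this LHA entry and the unace directory-traversal entry (BID 12628) above. Added example, not code from either tool: a check that an archive member name cannot land outside the extraction directory, rejecting absolute paths, ".." components (including backslash-separated ones) and names that pass through a symlink planted by an earlier member. The member names evaluated in demo() are constructed.

```python
import os
import posixpath
import shutil
import tempfile


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Return the on-disk path an archive member may be written to, or raise ValueError."""
    dest = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")             # names from archives built on Windows
    if not name or posixpath.isabs(name):
        raise ValueError("absolute or empty member name: %r" % member_name)
    norm = posixpath.normpath(name)                   # collapses "a/./b" and "a/b/../c"
    if norm == ".." or norm.startswith("../"):
        raise ValueError("member escapes the extraction directory: %r" % member_name)
    # realpath follows symlinks that an earlier member may have created inside dest,
    # so "link/x" with link -> /etc resolves outside dest and is caught below.
    target = os.path.realpath(os.path.join(dest, norm))
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError("member resolves outside the extraction directory: %r" % member_name)
    return target


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    try:
        safe_member_path(dest_dir, member_name)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Evaluate constructed member names against a scratch extraction directory."""
    dest = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    try:
        os.symlink(outside, os.path.join(dest, "link"))   # as if planted by an earlier member
        names = ["docs/readme.txt", "a/./b/../c.txt", "../../etc/passwd", "/etc/passwd",
                 "docs/../../escape.txt", "..\\..\\win.ini", "link/passwd"]
        return {name: is_safe_member(dest, name) for name in names}
    finally:
        shutil.rmtree(dest)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24r %s" % (name, "ok" if ok else "REJECTED"))
```

Symbolic-link members themselves need a matching check on their link target; the path test above covers where a member is written, not what a link it creates points at.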
zoo misc.c Buffer Overflow Vulnerability
BugTraq ID: 16790
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/16790
Summary:
zoo is prone to a buffer-overflow vulnerability. This issue is due to a
failure in the application to do proper bounds checking on user-supplied
data before using it in a finite-sized buffer.
An attacker can exploit this issue to execute arbitrary code in the context
of the victim user running the affected application.
storebackup Insecure Temporary File Creation Vulnerability
BugTraq ID: 14985
Remote: No
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/14985
Summary:
storebackup creates temporary files in an insecure manner.
An attacker with local access could potentially exploit this issue to view
files and obtain privileged information. The attacker may also perform
symlink attacks, overwriting arbitrary files in the context of the affected
application.
Exploitation would most likely result in loss of confidentiality and theft
of privileged information. Successful exploitation of a symlink attack may
result in sensitive configuration files being overwritten. This may result
in a denial of service; other attacks may also be possible.
kaffeine Remote HTTP_Peek Buffer Overflow Vulnerability
BugTraq ID: 17372
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17372
Summary:
kaffeine is reportedly affected by a remote buffer overflow vulnerability.
The problem presents itself due to insufficient boundary checks on
user-supplied strings prior to copying them into finite stack-based buffers.
An attacker can leverage this issue remotely to execute arbitrary code on an
affected computer with the privileges of an unsuspecting user that executed
the vulnerable software.
xine-lib Malformed MPEG Stream Buffer Overflow Vulnerability
BugTraq ID: 17370
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17370
Summary:
Xine-lib is susceptible to a buffer-overflow vulnerability. This issue is
due to the application's failure to properly bounds check user-supplied
input data prior to copying it to an insufficiently-sized memory buffer.
Successful exploits allow remote attackers to execute arbitrary machine code
in the context of the affected application.
Xine-lib version 1.1.1 is reportedly affected. Other versions may also be
affected, as well as all applications that use a vulnerable version of the
library.
HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
BugTraq ID: 17367
Remote: Yes
Last Updated: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17367
Summary:
The HP Color LaserJet 2500/4600 Toolbox is prone to a directory-traversal
vulnerability. This issue is due to a failure in the application to properly
sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from
the vulnerable system in the context of the affected application.
Information obtained may aid attackers in further attacks.
MySQL Query Logging Bypass Vulnerability
BugTraq ID: 16850
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/16850
Summary:
MySQL is susceptible to a query-logging-bypass vulnerability. This issue is
due to a discrepancy in the handling of NULL bytes in input data.
This issue allows attackers to bypass the query-logging functionality of the
database so they can cause malicious SQL queries to be improperly logged.
This may help them hide the traces of malicious activity from administrators.
This issue affects MySQL version 5.0.18; other versions may also be affected.
Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability
BugTraq ID: 15102
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/15102
Summary:
GNU wget and curl are prone to a buffer-overflow vulnerability. This issue
is due to a failure in the applications to do proper bounds checking on
user-supplied data before using it in a memory copy operation.
An attacker can exploit this vulnerability to execute arbitrary code in the
context of the user running the vulnerable application.
Exploitation of this vulnerability requires that NTLM authentication be
enabled in the affected clients.
GNU Mailman Attachment Scrubber Malformed MIME Message Denial Of Service
Vulnerability
BugTraq ID: 17311
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17311
Summary:
GNU Mailman is prone to denial-of-service attacks. This issue affects the
attachment-scrubber utility.
The vulnerability could be triggered by mailing-list posts and will affect
the availability of mailing lists hosted by the application.
This issue presents itself only when Mailman is used in conjunction with
Python email version 2.5.
Apache Struts Multiple Remote Vulnerabilities
BugTraq ID: 17342
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17342
Summary:
Apache Struts is susceptible to multiple remote vulnerabilities.
The following issues were identified:
- A cross-site scripting vulnerability. An attacker may leverage this issue
to have arbitrary script code executed in the browser of an unsuspecting
user in the context of the affected site. This may help the attacker steal
cookie-based authentication credentials and launch other attacks.
- A denial-of-service vulnerability. An attacker may leverage this issue to
crash an affected web application, denying further service to legitimate
users.
- A validation-bypass vulnerability. An attacker may leverage this issue to
bypass validation and authentication checks in a web application. The exact
consequences of this issue depend on the nature of the targeted application.
Apache Struts versions prior to 1.2.9 are affected by these issues.
BusyBox Insecure Password Hash Weakness
BugTraq ID: 17330
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17330
Summary:
BusyBox is susceptible to an insecure password-hash weakness. This issue is
due to a design flaw that results in password hashes being created in an
insecure manner.
This issue allows attackers to use precomputed password hashes in
brute-force attacks if they can gain access to password hashes by some means
(such as exploiting another vulnerability).
GTD-PHP Multiple Input Validation Vulnerabilities
BugTraq ID: 17366
Remote: Yes
Last Updated: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17366
Summary:
gtd-php is prone to multiple input-validation vulnerabilities. These issues
are due to a failure in the application to properly sanitize user-supplied
input.
An attacker can exploit these issues to execute arbitrary HTML and script
code in the browser of a victim user in the context of the affected website.
This may allow the attacker to steal cookie-based authentication
credentials, to control how the site is rendered to the user, and to launch
other attacks.
Easy Software Products CUPS HTTP GET Denial Of Service Vulnerability
BugTraq ID: 12200
Remote: Yes
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/12200
Summary:
CUPS is prone to a remotely exploitable denial-of-service vulnerability.
This condition occurs when the server receives an HTTP GET request
containing the string '/..'. This vulnerability is reportedly caused by a
logic error.
This issue was introduced in the 1.1.21 release.
sudo Python Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 16184
Remote: No
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/16184
Summary:
sudo is prone to a security-bypass vulnerability that could lead to
arbitrary code execution. This issue is due to an error in the application
when handling environment variables.
A local attacker with the ability to run Python scripts can exploit this
vulnerability to gain access to an interactive Python prompt. That attacker
may then execute arbitrary code with elevated privileges, facilitating the
complete compromise of affected computers.
An attacker must have the ability to run Python scripts through Sudo to
exploit this vulnerability.
This issue is similar to BID 15394 (sudo Perl Environment Variable Handling
Security Bypass Vulnerability).
sudo Perl Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 15394
Remote: No
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/15394
Summary:
Sudo is prone to a security-bypass vulnerability that could lead to
arbitrary code execution. This issue is due to an error in the application
when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment
variables when tainting is ignored.
An attacker can exploit this vulnerability to bypass security restrictions
and include arbitrary library files.
To exploit this vulnerability, an attacker must be able to run Perl scripts
through Sudo.
MPlayer Multiple Integer Overflow Vulnerabilities
BugTraq ID: 17295
Remote: Yes
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/17295
Summary:
MPlayer is susceptible to two integer-overflow vulnerabilities. An attacker
may exploit these issues to execute arbitrary code with the privileges of
the user that activated the vulnerable application. This may help the
attacker gain unauthorized access or escalate privileges.
MPlayer version 1.0.20060329 is affected by these issues; other versions may
also be affected.
GDK-Pixbuf/GTK XPM Images Buffer Overflow Vulnerability
BugTraq ID: 15435
Remote: Yes
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/15435
Summary:
The gdk-pixbuf and gtk2 packages are prone to a buffer overflow. When an
application that uses a vulnerable library processes a malformed XPM image
file, it results in a heap-based buffer overflow. An attacker can exploit
this vulnerability to execute arbitrary code in the context of the victim
user.
GDK-Pixbuf/GTK XPM Images Infinite Loop Denial Of Service Vulnerability
BugTraq ID: 15429
Remote: Yes
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/15429
Summary:
The 'gdk-pixbuf' and 'gtk2' libraries are prone to a denial-of-service
vulnerability. This issue occurs when an application using one of the
affected libraries handles a malformed XPM image file.
Exploitation could cause an application using a vulnerable library to enter
an infinite loop, resulting in a denial of service.
Tony Cook Imager JPEG and TGA Images Denial Of Service Vulnerability
BugTraq ID: 17415
Remote: Yes
Last Updated: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/17415
Summary:
The Perl Imager module is susceptible to a denial-of-service vulnerability.
This issue is due to a failure of the software to properly handle unexpected
image data.
Malformed image files may cause a crash in applications that use the
affected Perl module, resulting in a denial-of-service condition.
PHPList Index.PHP Local File Include Vulnerability
BugTraq ID: 17429
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17429
Summary:
PHPList is prone to a local file-include vulnerability. This may facilitate
the unauthorized viewing of files and unauthorized execution of local
scripts.
Attackers may exploit this issue to execute arbitrary code by manipulating
log files.
CenterICQ Malformed Packet Handling Remote Denial of Service
Vulnerability
BugTraq ID: 15649
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/15649
Summary:
CenterICQ is prone to a remote denial-of-service vulnerability.
The vulnerability presents itself when the client is running on a computer
that is directly connected to the Internet and handles malformed packets on
the listening port for ICQ messages.
A successful attack can cause the client to crash.
Linux kernel BINFMT_ELF Loader Local Privilege Escalation Vulnerabilities
BugTraq ID: 11646
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/11646
Summary:
Multiple vulnerabilities have been identified in the Linux ELF binary
loader. These issues can allow local attackers to gain elevated privileges.
The source of these issues resides in the 'load_elf_binary' function of the
'binfmt_elf.c' file.
The first issue results from an improper check performed on the return value
of the 'kernel_read()' function. An attacker may gain control over execution
flow of a setuid binary by modifying the memory layout of a binary.
The second issue results from improper error-handling when the 'mmap()'
function fails.
The third vulnerability results from a bad return value when the program
interpreter (linker) is mapped into memory. It is reported that this issue
occurs only in the 2.4.x versions of the Linux kernel.
The fourth issue presents itself because a user can execute a binary with a
malformed interpreter name string. This issue can lead to a system crash.
The final issue resides in the 'execve()' code. This issue may allow an
attacker to disclose sensitive data that can potentially be used to gain
elevated privileges.
These issues are currently undergoing further analysis. This BID will be
updated and divided into separate BIDs in the future.
Linux kernel NAT Handling Memory Corruption Denial of Service
Vulnerability
BugTraq ID: 15531
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/15531
Summary:
Linux kernel is reported prone to a denial-of-service vulnerability.
Due to a design error in the kernel, an attacker can cause a memory
corruption that will ultimately crash the kernel, denying service to
legitimate users.
Linux kernel ELF Core Dump Local Buffer Overflow Vulnerability
BugTraq ID: 13589
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/13589
Summary:
The Linux kernel is susceptible to a local buffer-overflow vulnerability
when attempting to create ELF coredumps. This issue is due to an
integer-overflow flaw that results in a kernel buffer overflow during a
'copy_from_user()' call.
To exploit this vulnerability, a malicious user creates a malicious ELF
executable designed to create a negative 'len' variable in 'elf_core_dump()'.
Local users may exploit this vulnerability to execute arbitrary machine code
in the context of the kernel, facilitating privilege escalation.
**Update: This vulnerability does not exist in the 2.6 kernel tree.
Linux kernel IA32 execve(2) Local Buffer Overflow Vulnerability
BugTraq ID: 14205
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/14205
Summary:
The Linux kernel is susceptible to a local buffer-overflow vulnerability.
This issue is due to a race condition in an ia32 emulation system call that
leads to a memory copy operation that overflows a previously allocated
memory buffer.
During the time between two function calls to obtain buffer sizes, a window
of opportunity exists for attackers to alter memory contents. This race
condition allows local attackers to overwrite critical kernel memory,
facilitating kernel-level machine code execution and privilege escalation.
On multiprocessor computers, attackers can directly alter the memory
contents to exploit this race condition. On uniprocessor computers, a
blocking function call allows attackers to exploit the race condition.
Versions of Linux 2.4 prior to 2.4.32-pre1, and Linux 2.6 prior to 2.6.7, are
susceptible to this issue.
This vulnerability affects only computers running on either the ia64 or the
amd64 hardware platforms with ia32 emulation enabled.
Linux kernel ELF Binary Loading Local Denial of Service Vulnerability
BugTraq ID: 12935
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/12935
Summary:
The Linux kernel is prone to a potential local denial-of-service vulnerability.
It is reported that the issue exists in the 'load_elf_library' function.
Linux kernel 2.6.11.5 and prior versions are affected by this issue.
Linux kernel Process Spawning Race Condition Environment Variable
Disclosure Vulnerability
BugTraq ID: 11052
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/11052
Summary:
The Linux kernel is prone to a race condition that may potentially expose
information about the environment of a process.
The race condition is reported to occur while a process is spawning. If the
condition is successfully exploited, an attacker could read environment
variables associated with a process they do not own.
Linux kernel Multiple Vulnerabilities
BugTraq ID: 12598
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/12598
Summary:
Linux kernel is reported prone to multiple vulnerabilities. These issues may
allow a local attacker to carry out denial-of-service attacks, access kernel
memory, and potentially gain elevated privileges.
The following specific issues were identified:
- Reportedly, the filesystem Native Language Support ASCII translation table
is affected by a vulnerability that results from the use of incorrect table
sizes. This issue can lead to a crash.
- Another issue affecting the kernel may allow users to unlock arbitrary
shared-memory segments.
- Another vulnerability is reported to affect the 'netfilter/iptables'
module. An attacker can exploit this issue to crash the kernel or bypass
firewall rules.
- Reportedly, a vulnerability affects the OUTS instruction on the AMD64 and
Intel EM64T architecture. This issue may lead to privilege escalation.
These issues reportedly affect Linux kernel 2.6.x versions.
Due to lack of details, further information is not available at the moment.
This BID will be updated when more information becomes available.
Linux kernel AF_UNIX Arbitrary Kernel Memory Modification Vulnerability
BugTraq ID: 11715
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/11715
Summary:
It is reported that a serialization error exists in the AF_UNIX address
family that creates a race condition. This race condition reportedly allows
local users to repeatedly increment arbitrary kernel memory locations.
This vulnerability allows local users to modify arbitrary kernel memory,
facilitating privilege escalation, or possibly allowing code execution in
the context of the kernel.
Versions prior to 2.4.28 are reportedly affected by this vulnerability.
Linux kernel die_if_kernel Local Denial of Service Vulnerability
BugTraq ID: 16993
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/16993
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability. This
issue is due to a design error in the 'die_if_kernel()' function.
This vulnerability allows local users to panic the kernel, denying further
service to legitimate users.
This issue affects Linux kernel versions prior to 2.6.15.6 running on
Itanium systems.
Linux kernel Local MEMLOCK RLIMIT Bypass Denial Of Service Vulnerability
BugTraq ID: 13769
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/13769
Summary:
The 'linux-2.4.21-mlock.patch' for the Linux kernel contains a security
vulnerability. Reports indicate that the rlimit restrictions do not
correctly account for IPC (Inter-process Communications) functionality; this
may result in unprivileged users having the right to mlock memory.
A local attacker may exploit this issue to deny service for legitimate users.
Linux kernel __keyring_search_one Local Denial of Service Vulnerability
BugTraq ID: 17451
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17451
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability. This
vulnerability arises in the '__keyring_search_one' function. This issue
allows local users to crash the kernel, denying service to legitimate users.
Kernel versions prior to 2.6.16.3 are vulnerable to this issue.
pnmtopng alphas_of_color() Buffer Overflow Vulnerability
BugTraq ID: 15427
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/15427
Summary:
The pnmtopng utility is prone to a buffer-overflow vulnerability. This issue
is due to the application's failure to properly bounds-check user-supplied
data before copying it to an insufficiently sized memory buffer. This issue
reportedly occurs only when the '-alpha' command-line option is used.
This issue allows attackers to create malicious PNM files that, when parsed
by the affected utility, allow arbitrary machine code to be executed. This
occurs in the context of the user running the affected utility.
Linux kernel sysfs_write_file Local Integer Overflow Vulnerability
BugTraq ID: 13091
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/13091
Summary:
A local integer overflow vulnerability affects the Linux kernel. This issue
is due to a mismanagement of integer signedness by the affected '/sys' file
system.
An attacker may leverage this issue to crash the affected computer or
potentially run arbitrary code in the context of the superuser, facilitating
privilege escalation.
Linux kernel Multiple Local Vulnerabilities
BugTraq ID: 11956
Remote: No
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/11956
Summary:
The Linux kernel is reported prone to multiple local vulnerabilities. The
following individual issues are reported:
An integer overflow is reported to exist in 'ip_options_get()' of the
'ip_options.c' kernel source file; this vulnerability is reported to exist
only in the 2.6 kernel tree.
Although unconfirmed, due to the nature of this vulnerability it is
conjectured that this issue may be further leveraged to provide for
arbitrary code execution with ring 0 privileges.
A local attacker may exploit this vulnerability to deny service to
legitimate users. Other attacks are also likely possible.
A second integer overflow vulnerability is reported to exist in the
'vc_resize()' function of the Linux kernel; this vulnerability is reported
to exist in the 2.6 and 2.4 kernel trees.
Although unconfirmed, due to the nature of this vulnerability it is
conjectured that this issue may be further leveraged to provide for
arbitrary code execution with ring 0 privileges.
A local attacker may exploit this vulnerability to deny service to
legitimate users. Other attacks are also likely possible.
A third vulnerability, a memory leak, is reported to exist in
'ip_options_get()' of the 'ip_options.c' kernel source file; this
vulnerability is reported to exist in the 2.6 and 2.4 kernel trees.
A local attacker may exploit this vulnerability to consume kernel heap
memory resources and in doing so may impact system performance ultimately
resulting in a denial of service to legitimate users.
Clam AntiVirus ClamAV Multiple Vulnerabilities
BugTraq ID: 17388
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17388
Summary:
ClamAV is prone to multiple vulnerabilities:
- An integer-overflow vulnerability.
- A format-string vulnerability.
- A denial-of-service vulnerability.
The first two issues may permit attackers to execute arbitrary code, which
can facilitate a compromise of an affected computer.
If an attacker can successfully exploit the denial-of-service issue, this
may crash the affected application, which may aid an attacker in further
attacks if the antivirus software no longer works.
zlib Compression Library Buffer Overflow Vulnerability
BugTraq ID: 14162
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/14162
Summary:
zlib is susceptible to a buffer-overflow vulnerability. This issue is due to
the application's failure to properly validate input data before using it in
a memory copy operation.
In certain circumstances, malformed input data during decompression may
result in a memory buffer being overflowed. This may result in
denial-of-service conditions or may allow remote code to execute in the
context of applications that use the affected library.
zlib Compression Library Decompression Buffer Overflow Vulnerability
BugTraq ID: 14340
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/14340
Summary:
zlib is susceptible to a buffer-overflow vulnerability. This issue is due to
the library's failure to properly handle unexpected input to its
decompression routines.
Certain values used during decompression are incorrectly specified, allowing
invalid inflate input to corrupt memory.
This vulnerability allows attackers to crash applications that use the
affected library. This could also potentially allow for arbitrary code
execution in the context of an affected application.
OpenVPN Client Remote Code Execution Vulnerability
BugTraq ID: 17392
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17392
Summary:
OpenVPN is reported prone to a remote code-execution vulnerability. This
issue is due to a lack of proper sanitization of server-supplied data.
A remote attacker may exploit this issue to execute arbitrary code with
elevated privileges on a vulnerable computer to gain unauthorized access.
To be vulnerable to this issue, client OpenVPN computers must be configured
to use 'up' or 'down' scripts and must have either the 'pull' configuration
directive or a 'client' macro set up.
OpenVPN versions 2.0.0 through 2.0.5 are affected by this issue.
NetPBM pnmtopng Long Text Line Buffer Overflow Vulnerability
BugTraq ID: 15514
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/15514
Summary:
Netpbm 'pnmtopng' is susceptible to a buffer-overflow vulnerability. The
utility fails to do proper bounds checks on user-supplied data before
copying it to an insufficiently sized memory buffer. This issue reportedly
occurs only when the '-text' command-line option is used.
This issue allows attackers to create malicious PNM files that, when parsed
by the affected utility, allow arbitrary machine code to be executed. This
occurs in the context of the user running the affected utility.
This vulnerability was reported in versions 9.20 and 10.0 of Netpbm. Other
versions may also be affected.
KAME Racoon Malformed ISAKMP Packet Headers Denial of Service
Vulnerability
BugTraq ID: 12804
Remote: Yes
Last Updated: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/12804
Summary:
KAME's racoon is reported prone to a vulnerability that may allow a remote
attacker to cause a denial-of-service condition in the application.
This issue arises from a boundary condition error when the application
handles malformed ISAKMP packets.
Versions of racoon prior to 20050307 are considered vulnerable to this issue.
[ IPsec ]
Sysinfo Multiple Input Validation Vulnerabilities
BugTraq ID: 17523
Remote: Yes
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/17523
Summary:
Sysinfo is prone to multiple input-validation vulnerabilities. These issues
are due to a failure in the application to properly sanitize user-supplied
input.
An attacker can exploit these vulnerabilities to execute arbitrary shell
commands in the context of the webserver process. This may help attackers
compromise the underlying system; other attacks are also possible. Remote
attackers may also obtain the installation path.
Sysinfo 1.21 is reported vulnerable. Other versions may be affected as well.
Linux kernel 64-Bit SMP routing_ioctl() Local Denial of Service
Vulnerability
BugTraq ID: 14902
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/14902
Summary:
A local denial-of-service vulnerability affects the Linux kernel on 64-bit
Symmetric Multi-Processor (SMP) platforms.
Specifically, the vulnerability presents itself due to an omitted call to
the 'sockfd_put()' function in the 32-bit-compatible 'routing_ioctl()'
function.
The 32-bit-compatible 'tiocgdev ioctl()' function on x86-64 platforms is
affected by this issue as well.
Asterisk JPEG File Handling Integer Overflow Vulnerability
BugTraq ID: 17561
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/17561
Summary:
Asterisk is prone to an integer-overflow vulnerability.
This issue arises when the application handles a malformed JPEG file.
An attacker could exploit this vulnerability to execute arbitrary code in
the context of the vulnerable application.
Linux kernel POSIX Timer Cleanup Handling Local Denial of Service
Vulnerability
BugTraq ID: 15722
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15722
Summary:
A local denial-of-service vulnerability affects the Linux kernel.
The vulnerability arises due to a race-condition error in the handling of
POSIX timer cleanup routines.
A successful attack can result in a kernel crash.
Linux kernel versions 2.6.10 to 2.6.14 are vulnerable to this issue.
Apache libapreq2 Quadratic Behavior Denial of Service Vulnerability
BugTraq ID: 16710
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/16710
Summary:
Libapreq2 is prone to a vulnerability that may allow attackers to trigger a
denial-of-service condition.
libapreq2 versions prior to 2.0.7 are vulnerable.
Linux kernel do_coredump() Denial of Service Vulnerability
BugTraq ID: 15723
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15723
Summary:
Linux kernel is prone to a denial-of-service vulnerability caused by a race
condition in 'do_coredump()'.
Successful exploitation can cause the system to stop responding to
legitimate requests.
fetchmail Missing Email Header Remote Denial of Service Vulnerability
BugTraq ID: 15987
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15987
Summary:
fetchmail is affected by a remote denial-of-service vulnerability. This
issue is due to the application's failure to handle unexpected input. This
issue occurs only when Fetchmail is configured in 'multidrop' mode.
fetchmail's fetchmailconf Utility Local Information Disclosure
Vulnerability
BugTraq ID: 15179
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15179
Summary:
Fetchmail is susceptible to an information-disclosure vulnerability. This
issue is due to a race condition in the 'fetchmailconf' configuration
utility.
This issue allows local attackers to gain access to potentially sensitive
information, including email authentication credentials, aiding them in
further attacks.
Versions of Fetchmail prior to 6.2.9-rc6 include a vulnerable version of
'fetchmailconf'. Versions of 'fetchmailconf' prior to 1.43.2 and 1.49 are
vulnerable.
Linux kernel icmp_push_reply() Remote Denial Of Service Vulnerability
BugTraq ID: 16044
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/16044
Summary:
Linux kernel is prone to a remote denial-of-service vulnerability.
Remote attackers can exploit this to leak kernel memory. Successful
exploitation will result in a crash of the kernel, effectively denying
service to legitimate users.
Linux kernel versions 2.6.12.5 and prior in the 2.6 series are vulnerable to
this issue.
Linux kernel IPV6 Local Denial of Service Vulnerability
BugTraq ID: 15156
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15156
Summary:
Linux kernel is reported prone to a local denial-of-service vulnerability.
This issue arises from an infinite loop when binding IPv6 UDP ports.
Linux kernel time_out_leases printk Local Denial of Service Vulnerability
BugTraq ID: 15627
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15627
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
Local attackers may trigger this issue by obtaining numerous file-lock
leases, which will consume excessive kernel log memory. Once the leases
time out, the event will be logged, and kernel memory will be consumed.
This issue allows local attackers to consume excessive kernel memory,
eventually leading to an out-of-memory condition and a denial of service for
legitimate users.
Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.
Linux kernel IPv6 FlowLabel Denial Of Service Vulnerability
BugTraq ID: 15729
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this vulnerability to corrupt kernel memory or
free non-allocated memory. Successful exploitation will crash the kernel,
effectively denying service to legitimate users.
Linux kernel ptrace() CLONE_THREAD Local Denial of Service Vulnerability
BugTraq ID: 15642
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
In instances where a process created via the 'clone()' system call with the
'CLONE_THREAD' argument is ptraced, the kernel fails to properly ensure that
the ptracing process is not attempting to trace itself.
This issue allows local users to crash the kernel, denying service to
legitimate users.
Kernel versions prior to 2.6.14.2 are vulnerable to this issue.
Linux kernel Multiple Security Vulnerabilities
BugTraq ID: 15049
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/15049
Summary:
Linux kernel is prone to multiple vulnerabilities. These issues may allow
local and remote attackers to trigger denial-of-service conditions or to
access sensitive kernel memory.
Linux kernel 2.6.x versions are known to be vulnerable at the moment. Other
versions may be affected as well.
Linux kernel Shared Memory Security Restriction Bypass Vulnerability
BugTraq ID: 17587
Remote: No
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/17587
Summary:
The Linux kernel is prone to a vulnerability regarding shared memory access.
A local attacker could potentially gain read and write access to shared
memory and write access to read-only tmpfs filesystems, bypassing security
restrictions.
An attacker can exploit this issue to possibly corrupt applications and
their data when the applications use temporary files or shared memory.
xine Playlist Handling Remote Format String Vulnerability
BugTraq ID: 17579
Remote: Yes
Last Updated: 2006-04-18
Relevant URL: http://www.securityfocus.com/bid/17579
Summary:
xine is reported prone to a remote format-string vulnerability.
This issue arises when the application handles specially-crafted playlist
files. An attacker can exploit this vulnerability by crafting a malicious
file that contains format specifiers and sending the file to an unsuspecting
user.
A successful attack may crash the application or lead to arbitrary code
execution.
All versions of xine are considered vulnerable at the moment.
Linux kernel Multiple Unspecified ISO9660 Filesystem Handling
Vulnerabilities
BugTraq ID: 12837
Remote: No
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/12837
Summary:
The Linux kernel is reported prone to multiple vulnerabilities that occur
because of "range-checking flaws" present in the ISO9660 handling routines.
An attacker may exploit these issues to trigger kernel-based memory
corruption. Ultimately, the attacker may be able to execute arbitrary
malicious code with ring-zero privileges.
These vulnerabilities are reported to be present in the ISO9660 filesystem
handler, including the Rock Ridge and Joliet extensions, for the Linux kernel
up to and including version 2.6.11.
Linux kernel SDLA_XFER Kernel Memory Disclosure Vulnerability
BugTraq ID: 16759
Remote: No
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/16759
Summary:
The Linux kernel is affected by a local memory-disclosure vulnerability.
This issue allows an attacker to read kernel memory. Information gathered
via exploitation may aid malicious users in further attacks.
This issue affects kernel versions 2.4.x up to 2.4.29-rc1, and 2.6.x up to
2.6.5.
Info-ZIP unzip File Name Buffer Overflow Vulnerability
BugTraq ID: 15968
Remote: Yes
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/15968
Summary:
Info-ZIP 'unzip' is susceptible to a filename buffer-overflow vulnerability.
The application fails to properly bounds-check user-supplied data before
copying it into an insufficiently sized memory buffer.
This issue allows attackers to execute arbitrary machine code in the context
of users running the affected application.
Linux kernel Multithreaded itimer Leak Local Denial of Service
Vulnerability
BugTraq ID: 15533
Remote: No
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/15533
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
This issue allows local users to leak small amounts of kernel memory that
won't be available again until the computer is restarted. By consuming as
many POSIX timers as possible and by employing many different users to
overcome resource limits, attackers may cause the kernel to crash.
Kernel versions 2.6.8 and prior are vulnerable to this issue.
Linux kernel USB Subsystem Local Denial Of Service Vulnerability
BugTraq ID: 14955
Remote: No
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/14955
Summary:
A local denial-of-service vulnerability affects the Linux kernel's USB
subsystem. This issue is due to the kernel's failure to properly handle
unexpected conditions when trying to handle URBs (USB Request Blocks).
Local attackers may exploit this vulnerability to trigger a kernel 'oops' on
computers where the vulnerable USB subsystem is enabled. This would deny
service to legitimate users.
Linux kernel Intel EM64T SYSRET Local Denial of Service Vulnerability
BugTraq ID: 17541
Remote: No
Last Updated: 2006-04-17
Relevant URL: http://www.securityfocus.com/bid/17541
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability. This
issue arises in Intel EM64T CPUs when returning program control using SYSRET.
This vulnerability allows local users to crash the kernel, denying further
service to legitimate users.
Mike Neuman osh Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 12455
Remote: No
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12455
Summary:
A buffer overflow vulnerability is reported for osh when processing
superfluous command line arguments. The problem likely occurs due to
insufficient bounds checking when copying command line argument data into an
internal memory buffer.
This buffer overflow may be exploited to execute arbitrary code with
superuser privileges.
Mozilla Suite/Firefox JavaScript Lambda Replace Heap Memory Disclosure
Vulnerability
BugTraq ID: 12988
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12988
Summary:
Mozilla Suite/Firefox are reported prone to a memory-disclosure
vulnerability. This issue can allow a remote attacker to access arbitrary
heap memory.
Due to an error in the way 'replace()' handles lambda expressions, a remote
attacker can access arbitrary heap memory from a vulnerable client.
Information harvested in this manner could then aid in further attacks
launched against the vulnerable computer (such as memory-corruption
exploits).
Firefox versions 1.0.1 and 1.0.2 are reported vulnerable. Mozilla 1.7.6 is
vulnerable as well. Other versions may also be affected.
K-Meleon 0.9 is vulnerable to this issue. Older versions may be affected as
well.
Camino 0.8.3 is affected by this issue. Other versions of Camino may be
affected as well.
Blender BlenLoader File Processing Integer Overflow Vulnerability
BugTraq ID: 15981
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/15981
Summary:
Blender is susceptible to an integer-overflow vulnerability. This issue is
due to the application's failure to properly sanitize user-supplied input
before using it in a memory allocation and copy operation.
This issue allows attackers to execute arbitrary machine code in the context
of the user running the affected application.
Mozilla Firefox Large History File Buffer Overflow Vulnerability
BugTraq ID: 15773
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/15773
Summary:
Mozilla Firefox is reportedly prone to a remote denial-of-service
vulnerability.
This issue presents itself when the browser handles a large entry in the
'history.dat' file. An attacker may trigger this issue by enticing a user to
visit a malicious website and by supplying excessive data to be stored in
the affected file.
This may cause a denial-of-service condition.
**UPDATE: Proof-of-concept exploit code has been published. The author of
the code attributes the crash to a buffer-overflow condition. Symantec has
not reproduced the alleged flaw.
GNOME Foundation GDM .ICEauthority Improper File Permissions Vulnerability
BugTraq ID: 17635
Remote: No
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/17635
Summary:
GDM is prone to an improper file-permissions vulnerability.
An attacker can exploit this issue to gain access to sensitive or privileged
information that may facilitate a complete compromise of the vulnerable
computer.
dia xfig File Import Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 17310
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/17310
Summary:
Dia is affected by multiple remote buffer-overflow vulnerabilities. These
issues are due to the application's failure to properly bounds-check
user-supplied input before copying it into insufficiently sized memory
buffers.
These issues allow remote attackers to execute arbitrary machine code in the
context of the user who runs the affected application to open
attacker-supplied malicious XFig files.
xzgv Image Viewer JPEG File Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 17409
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/17409
Summary:
The 'xzgv' viewer is reported prone to a remote heap-overflow vulnerability.
This issue is reported to present itself when the application handles a
specially crafted JPEG image. A remote attacker may execute arbitrary code
in the context of a user running the application. As a result, the attacker
can gain unauthorized access to the vulnerable computer.
This issue affects 'xzgv' 0.8 and prior. 'zgv' image viewer is vulnerable to
this issue as well.
XFree86 Pixmap Allocation Local Privilege Escalation Vulnerability
BugTraq ID: 14807
Remote: No
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/14807
Summary:
XFree86 is prone to a buffer overrun in its pixmap-processing code.
This issue can potentially allow an attacker to execute arbitrary code and
to escalate privileges. An attacker may possibly gain superuser privileges
by exploiting this issue.
xpdf DCTStream Progressive Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15726
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/15726
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. As a result, the attacker can gain
unauthorized access to the vulnerable computer.
Reportedly, this issue presents itself in the
'DCTStream::readProgressiveSOF' function residing in the 'xpdf/Stream.cc'
file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
vulnerable as well. Applications using embedded xpdf code may also be
vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version
0.36 of pdftohtml was reported prone to this issue, but earlier versions may
also be affected.
The 'kpdf' utility reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
GhostScript Insecure Temporary File Creation Vulnerability
BugTraq ID: 11285
Remote: No
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/11285
Summary:
Ghostscript creates temporary files in an insecure manner. This issue is
likely due to a design error that causes the application to fail to verify
the presence of a file before writing to it.
An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable
application. Reportedly, this issue is unlikely to facilitate privilege
escalation.
Mike Neuman OSH Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 15370
Remote: No
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15370
Summary:
Osh is susceptible to a buffer overflow vulnerability when processing
environment variables. This issue is due to a flaw in the application that
results in overwriting adjacent environment variables with user-supplied
contents.
This issue may be exploited to execute arbitrary code with superuser
privileges.
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
BugTraq ID: 9858
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/9858
Summary:
It has been reported that the IP3 NetAccess Appliance is prone to a remote
SQL injection vulnerability. This issue is due to a failure of the
appliance to properly sanitize user input.
This issue may allow an attacker to gain full control of the appliance
through the network administration interface. It may also be possible for a
malicious user to influence database queries in order to view or modify
sensitive information potentially compromising the system or the database.
[ firmware ]
Mozilla GIF Image Processing Library Remote Heap Overflow Vulnerability
BugTraq ID: 12881
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12881
Summary:
Multiple Mozilla products are affected by a remote heap-overflow
vulnerability. This issue affects the GIF image processing library used by
Mozilla Firefox, Mozilla Browser, and Mozilla Thunderbird Mail client.
A successful attack can result in arbitrary code execution and in
unauthorized access to the affected computer. Arbitrary code execution will
take place in the context of a user running a vulnerable application.
*Update: K-Meleon, which is based on the Mozilla Gecko-code base, is also
prone to this issue.
sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
BugTraq ID: 17192
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17192
Summary:
sendmail is prone to a remote code-execution vulnerability.
Remote attackers may leverage this issue to execute arbitrary code with the
privileges of the application, which typically runs as superuser.
sendmail versions prior to 8.13.6 are vulnerable to this issue.
Mozilla Suite Multiple Remote Vulnerabilities
BugTraq ID: 12659
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12659
Summary:
Multiple remote vulnerabilities affect Mozilla Suite, Firefox, and
Thunderbird, as reported in several Mozilla Foundation Security Advisories:
- 2005-28: An issue affecting the plugin functionality; temporary
directories are created in an insecure manner.
- 2005-22: A dialog-spoofing vulnerability.
- 2005-21: A '.lnk' link file arbitrary file-overwrite vulnerability.
- 2005-20: An XSLT stylesheet information-disclosure vulnerability.
- 2005-19: An information-disclosure issue affecting the form auto-complete
functionality.
- 2005-18: A buffer-overflow vulnerability.
- 2005-17: A dialog-spoofing vulnerability affecting installation
confirmation.
- 2005-15: A heap-overflow vulnerability in UTF8 encoding.
- 2005-15: Multiple spoofing vulnerabilities affecting the SSL 'secure site'
lock icon.
An attacker may leverage these issues to spoof dialog boxes and SSL 'secure
site' icons, to carry out symbolic-link attacks, to execute arbitrary code,
and to access potentially sensitive information.
Please note that this BID will be separated into individual BIDs as soon as
further research into each of the vulnerabilities is completed, at which
time this 'umbrella' BID will be retired.
OpenSSH GSSAPI Credential Disclosure Vulnerability
BugTraq ID: 14729
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14729
Summary:
OpenSSH is susceptible to a GSSAPI credential-delegation vulnerability.
Specifically, if a user has GSSAPI authentication configured, and
'GSSAPIDelegateCredentials' is enabled, their Kerberos credentials will be
forwarded to remote hosts. This occurs even when the user employs
authentication methods other than GSSAPI to connect, which is not usually
expected.
This vulnerability allows remote attackers to improperly gain access to
GSSAPI credentials, allowing them to use those credentials to access
resources granted to the original principal.
This issue affects versions of OpenSSH prior to 4.2.
OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
BugTraq ID: 14727
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14727
Summary:
OpenSSH is susceptible to a vulnerability that causes improper activation of
the 'GatewayPorts' option, allowing unintended hosts to use the SSH SOCKS
proxy.
Specifically, if the 'DynamicForward' option is activated, 'GatewayPorts' is
also unconditionally enabled.
This vulnerability allows remote attackers to use the SOCKS proxy to make
arbitrary TCP connections through the configured SSH session, allowing them
to attack computers and services through a connection that was wrongly
thought to be secure.
This issue affects OpenSSH 4.0 and 4.1.
Linux kernel ptrace()d Child Auto-Reap Local Denial of Service
Vulnerability
BugTraq ID: 15625
Remote: No
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15625
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
The kernel improperly auto-reaps processes when they are being ptraced,
leading to an invalid pointer. Further operations on this pointer result in
a kernel crash.
This issue allows local users to crash the kernel, denying service to
legitimate users.
Kernel versions prior to 2.6.15 are vulnerable to this issue.
Fenice Remote Buffer Overflow and Denial Of Service Vulnerabilities
BugTraq ID: 17678
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17678
Summary:
Fenice is susceptible to multiple remote vulnerabilities:
- A buffer-overflow vulnerability. The application fails to perform
sufficient bounds checking of user-supplied data before copying it to an
insufficiently sized memory buffer. This issue potentially allows remote
attackers to execute arbitrary machine code in the context of the affected
server process. Failed exploit attempts will likely crash the application,
denying service to legitimate users.
- A denial-of-service vulnerability due to an integer-overflow flaw. This
issue allows remote attackers to crash the affected application, denying
service to legitimate users.
Version 1.10 of Fenice is vulnerable to these issues; other versions may
also be affected.
Linux kernel File Lock Lease Local Denial of Service Vulnerability
BugTraq ID: 15745
Remote: No
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15745
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
This issue is triggered when excessive kernel memory is consumed by numerous
file-lock leases. This problem stems from a memory leak in the kernel's
file-lock lease code.
This issue allows local attackers to consume excessive kernel memory,
eventually leading to an out-of-memory condition and ultimately to a denial
of service for legitimate users.
Kernel versions from 2.6.10 through to 2.6.14.2 are vulnerable to this issue.
Perl perl_sv_vcatpvfn Format String Integer Wrap Vulnerability
BugTraq ID: 15629
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15629
Summary:
Perl is susceptible to a format-string vulnerability. This issue is due to
the programming language's failure to properly handle format specifiers in
formatted-printing functions.
An attacker may leverage this issue to write to arbitrary process memory,
facilitating code execution in the context of the Perl interpreter process.
This can result in unauthorized remote access.
Developers should treat the formatted printing functions in Perl as
equivalently vulnerable to exploitation as the C library versions, and
should properly sanitize all data passed in the format-specifier argument.
All applications that use formatted-printing functions in an unsafe manner
should be considered exploitable.
Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability
BugTraq ID: 12468
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12468
Summary:
Mozilla Firefox is reported prone to a security vulnerability that could
allow a malicious website to bypass drag-and-drop functionality security
policies.
A user can exploit this vulnerability with an image that renders correctly
in the Firefox browser, but is saved with a '.bat' file extension when
dragged and dropped onto the local filesystem.
Since the batch file interpreter on Microsoft Windows is particularly
lenient when it comes to syntax, batch commands appended to the image file
will be executed if the image that was dragged and dropped is invoked.
Update: Netscape 7.2 is reported vulnerable to this issue as well. Other
versions may also be affected.
Multiple Mozilla/Firefox/Thunderbird Vulnerabilities
BugTraq ID: 12407
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12407
Summary:
Mozilla, Firefox, and Thunderbird applications are reported prone to
multiple vulnerabilities. The following specific issues are reported:
- Access-control bypass (Mozilla and Firefox browsers). Although
unconfirmed, this vulnerability presumably may be exploited to access
information pertaining to a target filesystem. For example, an attacker may
be able to determine whether a file exists or not.
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0 and Mozilla Suite versions prior to 1.7.5.
- Status-bar misrepresentation (Mozilla and Firefox browsers). A remote
attacker may exploit this vulnerability to aid in phishing-style attacks
(e.g. to make a malicious site appear authentic).
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0 and Mozilla Suite versions prior to 1.7.5.
- Additional status-bar misrepresentation (Mozilla and Firefox browsers).
Using JavaScript to automate the process, a remote attacker may exploit this
vulnerability to aid in phishing-style attacks (e.g. to make a malicious
site appear authentic).
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0 and Mozilla Suite versions prior to 1.7.5.
- Mozilla and Firefox browsers provide functionality (Alt-Click) to download
files that are linked by URIs to the default download location without
requiring a user prompt. Reports indicate that a malicious site may exploit
this functionality to download a file to the default download location
without user interaction.
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0.
- Clipboard information-disclosure vulnerability (Mozilla and Firefox
browsers). A remote attacker may exploit this vulnerability to steal
clipboard contents, which may reveal potentially sensitive information to a
remote attacker.
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0 and Mozilla Suite versions prior to 1.7.5.
- Additional information-disclosure vulnerability (Mozilla and Firefox
browsers). A remote malicious server may invoke a request against a
vulnerable browser and the browser will respond with proxy-authentication
credentials.
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0 and Mozilla Suite versions prior to 1.7.5.
- Mozilla Thunderbird erroneously responds to cookie requests that are
contained in HTML-based email. Reportedly, a remote attacker may exploit
this vulnerability to track emails to victim users.
This vulnerability is reported to affect Thunderbird versions 0.6 to 0.9 and
Mozilla Suite 1.7 to 1.7.3.
- Local code-execution vulnerability (Mozilla Firefox). The vulnerability
exists in the Livefeed bookmark functionality. If, for example,
'about:config' is displayed when the Livefeed is updated, then arbitrary
code execution may reportedly occur on the affected computer.
This vulnerability is reported to affect Mozilla Firefox versions prior to
1.0.
- Mozilla Thunderbird reportedly fails to handle 'javascript:' URI links.
The affected application employs the default handler for 'javascript:' URIs
that is registered on the host operating system. This is incorrect behavior
and may result in exposure to latent vulnerabilities due to a false sense of
security.
This vulnerability is reported to affect Mozilla Thunderbird versions prior
to 0.9.
This BID will be separated into individual BIDs as soon as further research
into each of the vulnerabilities is completed.
curl / libcurl URL Parser Buffer Overflow Vulnerability
BugTraq ID: 15756
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15756
Summary:
curl and libcurl are prone to a buffer-overflow vulnerability. This issue is
due to a failure in the library to perform proper bounds checks on
user-supplied data before using it in a finite-sized buffer.
The issues occur when the URL parser function handles an excessively long
URL string.
An attacker can exploit this issue to crash the affected library,
effectively denying service. Arbitrary code execution may also be possible,
which may facilitate a compromise of the underlying system.
Mozilla Suite, Firefox, SeaMonkey, and Thunderbird Multiple Remote
Vulnerabilities
BugTraq ID: 17516
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17516
Summary:
The Mozilla Foundation has released nine security advisories specifying
security vulnerabilities in Mozilla Suite, Firefox, SeaMonkey, and
Thunderbird.
These vulnerabilities allow attackers to:
- execute arbitrary machine code in the context of the vulnerable application
- crash affected applications
- gain elevated privileges in JavaScript code, potentially allowing remote
machine code execution
- gain access to potentially sensitive information
- bypass security checks
- spoof window contents.
Other attacks may also be possible.
The issues described here will be split into individual BIDs as the
information embargo on the Mozilla Bugzilla entries is lifted and as further
information becomes available. This BID will then be retired.
These issues are fixed in:
- Mozilla Firefox versions 1.0.8 and 1.5.0.2
- Mozilla Thunderbird versions 1.0.8 and 1.5.0.2
- Mozilla Suite version 1.7.13
- Mozilla SeaMonkey version 1.0.1
Cyrus SASL Remote Digest-MD5 Denial of Service Vulnerability
BugTraq ID: 17446
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17446
Summary:
Cyrus SASL is affected by a remote denial-of-service vulnerability. This
issue occurs before successful authentication, allowing anonymous remote
attackers to trigger it.
This vulnerability allows remote attackers to crash services using the
affected SASL library, denying service to legitimate users.
This issue reportedly affects version 2.1.18 of Cyrus SASL; other versions
may also be affected.
Mozilla Temporary File Insecure Permissions Information Disclosure
Vulnerability
BugTraq ID: 11522
Remote: No
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/11522
Summary:
Mozilla, Mozilla Firefox, and Mozilla Thunderbird are all reported
susceptible to an information-disclosure vulnerability. The applications
fail to properly ensure secure file permissions on temporary files located
in world-accessible locations.
This vulnerability allows local attackers to access the contents of
potentially sensitive files, which may aid them in further attacks.
Cisco IOS EIGRP Goodbye Message Denial Of Service and Unauthorized
Access Vulnerability
BugTraq ID: 14877
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14877
Summary:
Cisco IOS is vulnerable to a denial-of-service and unauthorized access
vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions in
the EIGRP implementation of selective neighbors and potentially intercept,
modify and redirect messages.
Cisco is tracking this vulnerability as bug id CSCsc13698.
[ firmware ]
Mozilla Browser Network News Transport Protocol Remote Heap Overflow
Vulnerability
BugTraq ID: 12131
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/12131
Summary:
A remote heap-overflow vulnerability affects Mozilla Browser's network news
transport protocol (NNTP) functionality. This issue is due to the
application's failure to properly validate the length of user-supplied
strings before copying them into dynamically allocated process buffers.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This may
facilitate unauthorized access or privilege escalation.
Ethereal Multiple Protocol Dissector Vulnerabilities In Versions Prior To 0.99.0
BugTraq ID: 17682
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17682
Summary:
Several vulnerabilities in Ethereal have been disclosed by the vendor. The
reported issues are in various protocol dissectors.
These issues include:
- Buffer-overflow vulnerabilities
- Denial-of-service vulnerabilities
- Infinite loop denial-of-service vulnerabilities
- Unspecified denial-of-service vulnerabilities
- Off-by-one overflow vulnerabilities
These issues could allow remote attackers to execute arbitrary machine code
in the context of the vulnerable application. Attackers could also crash the
affected application.
Various vulnerabilities affect different versions of Ethereal, from 0.8.5
through to 0.10.14.
xpdf JPX Stream Reader Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15721
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/15721
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. As a result, the attacker can gain
unauthorized access to the vulnerable computer.
Reportedly, this issue presents itself in the 'JPXStream::readCodestream'
function residing in the 'xpdf/JPXStream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
prone to this vulnerability as well. Applications using embedded xpdf code
may also be vulnerable.
The 'kpdf' utility reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
Mozilla Thunderbird Multiple Remote Information Disclosure
Vulnerabilities
BugTraq ID: 16881
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/16881
Summary:
Mozilla Thunderbird is susceptible to multiple remote information-disclosure
vulnerabilities. These issues are due to the application's failure to
properly enforce the restriction for downloading remote content in email
messages.
These issues allow remote attackers to gain access to potentially sensitive
information, aiding them in further attacks. Attackers may also exploit
these issues to learn whether and when users read email messages.
Mozilla Thunderbird version 1.5 is vulnerable to these issues; other
versions may also be affected.
Mozilla Thunderbird IFRAME JavaScript Execution Vulnerability
BugTraq ID: 16770
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/16770
Summary:
Mozilla Thunderbird is prone to a script-execution vulnerability.
The vulnerability presents itself when an attacker supplies a specially
crafted email to a user containing malicious script code in an IFRAME and
the user tries to reply to the mail. Arbitrary JavaScript can be executed
even if the user has disabled JavaScript execution in the client.
Mozilla Thunderbird 1.0.7 and prior versions are reportedly affected.
Mozilla Browser/Firefox Chrome Window Spoofing Vulnerability
BugTraq ID: 14919
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14919
Summary:
Mozilla and Firefox browsers are prone to a window-spoofing vulnerability.
An attacker can exploit this vulnerability to enhance phishing-style attacks.
Multiple Mozilla Products Memory Corruption/Code Injection/Access
Restriction Bypass Vulnerabilities
BugTraq ID: 16476
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/16476
Summary:
Multiple Mozilla products are prone to multiple vulnerabilities. These
issues include various memory-corruption, code-injection, and
access-restriction-bypass vulnerabilities. Other undisclosed issues may have
also been addressed in the various updated vendor applications.
Successful exploitation of these issues may permit an attacker to execute
arbitrary code in the context of the affected application. This may
facilitate a compromise of the affected computer; other attacks are also
possible.
Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass Privilege
Escalation Weakness
BugTraq ID: 14920
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14920
Summary:
Mozilla Browser/Firefox are prone to a potential arbitrary code-execution
weakness.
Specifically, an attacker can load privileged 'chrome' pages from an
unprivileged 'about:' page. This issue does not pose a threat unless it is
combined with a same-origin violation issue.
If successfully exploited, this issue may allow a remote attacker to execute
arbitrary code and gain unauthorized remote access to a computer. This would
occur in the context of the user running the browser.
Mozilla Suite, Firefox And Thunderbird Multiple Vulnerabilities
BugTraq ID: 14242
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/14242
Summary:
The Mozilla Foundation has released 12 security advisories specifying
security vulnerabilities in Mozilla Suite, Firefox, and Thunderbird.
These vulnerabilities allow attackers to execute arbitrary machine code in
the context of the vulnerable application, to bypass security checks, and to
execute script code in the context of targeted websites to disclose
confidential information; other attacks are also possible.
These vulnerabilities have been addressed in Firefox version 1.0.5 and in
Mozilla Suite 1.7.9. At this time, Mozilla Thunderbird has not been fixed.
The issues described here will be split into individual BIDs as further
analysis is completed. This BID will then be retired.
Reportedly, Netscape is also vulnerable to the issue described in MFSA
2005-47. Due to the nature of Netscape's fork from the Mozilla codebase,
Netscape is also likely affected by most if not all of the issues that
affect Mozilla Firefox. This has not been confirmed at this time.
Mozilla Suite And Firefox DOM Property Overrides Code Execution
Vulnerability
BugTraq ID: 13645
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/13645
Summary:
Mozilla Suite and Mozilla Firefox are affected by a code execution
vulnerability. This issue is due to a failure in the application to
properly verify Document Object Model (DOM) property values.
An attacker may leverage this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable Web browser, ultimately
facilitating a compromise of the affected computer.
This issue is reportedly a variant of BID 13233. Further details are
scheduled to be released in the future, and this BID will be updated
accordingly.
Mozilla Suite And Firefox Document Object Model Nodes Code Execution
Vulnerability
BugTraq ID: 13233
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/13233
Summary:
Mozilla Suite and Mozilla Firefox are affected by a code execution
vulnerability. This issue is due to a failure in the application to
properly verify Document Object Model (DOM) property values.
An attacker may leverage this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable Web browser, ultimately
facilitating a compromise of the affected computer.
It should be noted that this issue was previously reported in BID 13208
(Mozilla Suite Multiple Code Execution, Cross-Site Scripting, And Policy
Bypass Vulnerabilities); it has been assigned its own BID.
Paul A. Rombouts PDNSD DNS Query Denial Of Service Vulnerability
BugTraq ID: 17694
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17694
Summary:
The pdnsd DNS server is prone to a remote denial-of-service vulnerability.
This issue is due to a failure in the application to properly handle DNS
queries.
An attacker can exploit this issue to consume excessive memory, and then to
crash the affected service, effectively denying service to legitimate users.
The vendor has addressed this issue in version 1.2.4-par; earlier versions
are reportedly vulnerable.
ISC BIND TSIG Zone Transfer Denial Of Service Vulnerability
BugTraq ID: 17692
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17692
Summary:
ISC BIND is prone to a remote denial-of-service vulnerability. This issue is
due to a failure in the application to properly handle malformed TSIG
(Secret Key Transaction Authentication for DNS) replies.
To exploit this issue, attackers must be able to send messages with a
correct TSIG during a zone transfer, limiting the potential for remote
exploits significantly.
An attacker can exploit this issue to crash the affected service,
effectively denying service to legitimate users.
3Com Baseline Switch 2848-SFP Plus Remote Denial Of Service Vulnerability
BugTraq ID: 17686
Remote: Yes
Last Updated: 2006-04-25
Relevant URL: http://www.securityfocus.com/bid/17686
Summary:
3Com Baseline Switch 2848-SFP Plus is susceptible to a remote
denial-of-service vulnerability. This issue is reportedly triggered by
certain malformed traffic, which results in a denial-of-service condition.
It is reported that this issue may result in the crash of the device,
denying further network services to legitimate users. The vendor states that
this issue results in the device becoming unstable.
3Com Baseline Switch 2848-SFP Plus firmware versions prior to 1.0.2.0 are
vulnerable.
[ firmware ]
xpdf StreamPredictor Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15725
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/15725
Summary:
The 'xpdf' viewer is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. As a result, the attacker can gain
unauthorized access to the vulnerable computer.
This issue is reported to present itself in the
'StreamPredictor::StreamPredictor' function residing in the 'xpdf/Stream.cc'
file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
prone to this vulnerability as well. Applications using embedded xpdf code
may also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version
0.36 of pdftohtml was reported prone to this issue, but earlier versions may
also be affected.
The 'kpdf' viewer reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
Multiple Vendor DNS Message Decompression Remote Denial of Service
Vulnerability
BugTraq ID: 13729
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/13729
Summary:
Multiple DNS vendors are susceptible to a remote denial-of-service
vulnerability. This issue affects both DNS servers and clients.
This issue arises when an affected application handles a specially crafted
DNS message.
A successful attack would crash the affected client or server.
Mozilla Firefox iframe.contentWindow.focus Buffer Overflow Vulnerability
BugTraq ID: 17671
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/17671
Summary:
Mozilla Firefox is prone to a buffer-overflow vulnerability when rendering
malformed JavaScript content. An attacker could exploit this issue to cause
the browser to fail or potentially execute arbitrary code.
Firefox version 1.5.0.2 and earlier versions running on Windows and Linux
platforms are affected.
xpdf DCTStream Baseline Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15727
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/15727
Summary:
The 'xpdf' viewer is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. This can result in the attacker gaining
unauthorized access to the vulnerable computer.
This issue is reported to present itself in the 'DCTStream::readBaselineSOF'
function residing in the 'xpdf/Stream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
prone to this vulnerability as well. Applications using embedded xpdf code
may also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version
0.36 of pdftohtml was reported prone to this issue, but earlier versions may
also be affected.
The 'kpdf' viewer reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
Blender BVF File Import Python Code Execution Vulnerability
BugTraq ID: 17663
Remote: Yes
Last Updated: 2006-04-24
Relevant URL: http://www.securityfocus.com/bid/17663
Summary:
Blender is susceptible to a Python code-execution vulnerability. This issue
is due to the application's failure to properly sanitize user-supplied input
before using it in a Python 'eval' statement.
This issue allows attackers to execute arbitrary Python code in the context
of the user running the affected application.