[gull-annonces] Résumé SecurityFocus Newsletter #335/336
Marc SCHAEFER
schaefer at alphanet.ch
Wed Feb 8 10:40:19 CET 2006
kpdf and kword Multiple Unspecified Buffer and Integer Overflow
Vulnerabilities
BugTraq ID: 16143
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16143
Summary:
kpdf and kword are prone to multiple buffer and integer overflows.
Successful exploitation could result in arbitrary code execution in the
context of the user running the vulnerable application.
Specific details of these issues are not currently available. This record
will be updated when more information becomes available.
The kdegraphics package and KPDF versions 3.4.3 and earlier, and KOffice and
KWord versions 1.4.2 and earlier are vulnerable.
xpdf DCTStream Progressive Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15726
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/15726
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the applications fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. As a result, the attacker can gain
unauthorized access to the vulnerable computer.
It is reported that this issue presents itself in the
'DCTStream::readProgressiveSOF' function residing in the 'xpdf/Stream.cc'
file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
vulnerable as well. Applications using embedded xpdf code may also be
vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version
0.36 of pdftohtml was reported prone to this issue, but earlier versions may
also be affected.
Th 'kpdf' utility reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
xpdf JPX Stream Reader Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15721
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/15721
Summary:
The xpdf utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the applications fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. This can result in the attacker gaining
unauthorized access to the vulnerable computer.
It is reported that this issue presents itself in the
'JPXStream::readCodestream' function residing in the 'xpdf/JPXStream.cc'
file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
prone to this vulnerability as well. Applications using embedded xpdf code
may also be vulnerable.
The kpdf utility reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
xpdf StreamPredictor Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15725
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15725
Summary:
The 'xpdf' viewer is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to perform
proper boundary checks before copying user-supplied data into process
buffers. A remote attacker may execute arbitrary code in the context of a
user running the application. As a result, the attacker can gain
unauthorized access to the vulnerable computer.
This issue is reported to present itself in the
'StreamPredictor::StreamPredictor' function residing in the 'xpdf/Stream.cc'
file.
This issue is reported to affect xpdf 3.01, but earlier versions are likely
prone to this vulnerability as well. Applications using embedded xpdf code
may also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version
0.36 of pdftohtml was reported prone to this issue, but earlier versions may
also be affected.
The 'kpdf ' viewer reportedly incorporates vulnerable xpdf code. Version 0.5
of kpdf is prone to this issue, but other versions may also be affected.
Sylpheed LDIF Import Remote Buffer Overflow Vulnerability
BugTraq ID: 15363
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15363
Summary:
Sylpheed is prone to a buffer-overflow vulnerability.
A buffer overflow can occur when an unsuspecting user imports a malicious
LFID file into an address book.
Exploitation of this vulnerability may allow an attacker to gain
unauthorized access to the computer in the context of the Sylpheed client.
Joshua Chamas Crypt::SSLeay Perl Module Insecure Entropy Source
Vulnerability
BugTraq ID: 13471
Remote: No
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13471
Summary:
Crypt::SSLeay is prone to a security vulnerability. Reports indicate that
the library employs a file from a world-writable location for its fallback
entropy source. The module defaults to this file if a proper entropy source
is not set.
If the affected library is using the insecure file as a source of entropy, a
local attacker may replace the contents of the file with known text. This
known text is then employed to seed cryptographic operations. This may lead
to weak cryptographic operations.
gdb Multiple Vulnerabilities
BugTraq ID: 13697
Remote: Yes
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13697
Summary:
gdb is reportedly affected by multiple vulnerabilities. These issues can
allow an attacker to execute arbitrary code and commands on an affected
computer. A successful attack may allow the attacker to gain elevated
privileges or unauthorized access.
The following specific issues were identified:
- a remote heap-overflow vulnerability when loading malformed object files.
- a local privilege-escalation vulnerability.
gdb 6.3 is reportedly affected by these issues; other versions are likely
vulnerable as well. GNU binutils 2.14 and 2.15 are affected by the
heap-overflow issue as well.
Net-SNMP Fixproc Insecure Temporary File Creation Vulnerability
BugTraq ID: 13715
Remote: No
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13715
Summary:
A local insecure temporary file-creation vulnerability affects Net-SNMP's
fixproc. This issue is due to the utility's failure to securely create
temporary files in world-writable locations.
An attacker may leverage this issue to corrupt, write to, or create
arbitrary files, as well as execute arbitrary code with the privileges of
the user or process running the vulnerable script. This may facilitate
privilege escalation.
Net-SNMP Unspecified Remote Stream-Based Protocol Denial Of Service
Vulnerability
BugTraq ID: 14168
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The issue is
exposed when Net-SNMP is configured to have an open stream-based protocol
port, such as TCP.
The exact details describing this issue are not available. This BID will be
updated when further details are made available.
ImageMagick File Name Handling Remote Format String Vulnerability
BugTraq ID: 12717
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12717
Summary:
ImageMagick is reported prone to a remote format-string vulnerability.
Reportedly, this issue arises when the application handles malformed
filenames. An attacker can exploit this vulnerability by crafting a
malicious file with a name that contains format specifiers and sending the
file to an unsuspecting user.
Note that other attack vectors also exist that may not require user
interaction, since the application can be used with custom printing systems
and web applications.
A successful attack may crash the application or lead to arbitrary code
execution.
All versions of ImageMagick are considered vulnerable at the moment.
ImageMagick Image Filename Remote Command Execution Vulnerability
BugTraq ID: 16093
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16093
Summary:
ImageMagick is prone to a remote shell command-execution vulnerability.
Successful exploitation can allow arbitrary commands to be executed in the
context of the affected user. Note that this issue could also be exploited
through other applications that use ImageMagick as the default image viewer.
ImageMagick 6.2.4.5 is reportedly vulnerable. Other versions may be affected
as well.
Apache mod_ssl Custom Error Document Remote Denial Of Service
Vulnerability
BugTraq ID: 16152
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16152
Summary:
Apache's mod_ssl module is susceptible to a remote denial-of-service
vulnerability. A flaw in the module results in a NULL-pointer dereference
that causes the server to crash. This issue is present only when virtual
hosts are configured with a custom 'ErrorDocument' statement for '400'
errors or 'SSLEngine optional'.
Depending on the configuration of Apache, attackers may crash the entire
webserver or individual child processes. Repeated attacks are required to
deny service to legitimate users when Apache is configured for multiple
child processes to handle connections.
This issue affects Apache 2.x versions.
Apache mod_imap Referer Cross-Site Scripting Vulnerability
BugTraq ID: 15834
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15834
Summary:
Apache's mod_imap module is prone to a cross-site scripting vulnerability.
This issue is due to the module's failure to properly sanitize user-supplied
input.
An attacker may leverage this issue to have arbitrary script code executed
in the browser of an unsuspecting user in the context of the affected site.
This may facilitate the theft of cookie-based authentication credentials as
well as other attacks.
Apache HTTP Request Smuggling Vulnerability
BugTraq ID: 14106
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14106
Summary:
Apache is prone to an HTTP-request-smuggling attack.
A specially crafted request with a 'Transfer-Encoding: chunked' header and a
'Content-Length' header can cause the server to forward a reassembled
request with the original 'Content-Length' header. As a result, the
malicious request may piggyback on the valid HTTP request.
This attack may result in cache poisoning, cross-site scripting, session
hijacking, and other attacks.
This issue was originally described in BID 13873 (Multiple Vendor Multiple
HTTP Request Smuggling Vulnerabilities). Due to the availability of more
details and vendor confirmation, the issue is now a new BID.
Apache mod_ssl CRL Handling Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 14366
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14366
Summary:
mod_ssl is prone to an off-by-one buffer overflow condition.
The vulnerability arising in the mod_ssl CRL verification callback allows
for potential memory corruption when a malicious CRL is handled.
An attacker may exploit this issue to trigger a denial of service condition.
It is conjectured that arbitrary code execution may be possible as well.
Convert-UUlib Perl Module Buffer Overflow Vulnerability
BugTraq ID: 13401
Remote: Yes
Last Updated: 2006-01-27
Relevant URL: http://www.securityfocus.com/bid/13401
Summary:
Convert-UUlib Perl module is prone to a remotely exploitable buffer-overflow
vulnerability.
This condition may be leveraged to overwrite sensitive program control
variables, allowing a remote attacker to control the process's execution
flow.
This BID will be updated as soon as further information regarding this issue
is made available.
OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
BugTraq ID: 14727
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/14727
Summary:
OpenSSH is susceptible to a vulnerability that causes improper activation of
the 'GatewayPorts' option, allowing unintended hosts to use the SSH SOCKS
proxy.
Specifically, if the 'DynamicForward' option is activated, 'GatewayPorts' is
also unconditionally enabled.
This vulnerability allows remote attackers to use the SOCKS proxy to make
arbitrary TCP connections through the configured SSH session, allowing them
to attack computers and services through a connection that was wrongly
thought to be secure.
This issue affects OpenSSH 4.0, and 4.1.
OpenSSH scp Shell Command Execution Vulnerability
BugTraq ID: 16369
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16369
Summary:
OpenSSH is susceptible to an scp shell command-execution vulnerability. This
issue is due to the application's failure to properly sanitize user-supplied
input before using it in a 'system()' function call.
This issue allows attackers to execute arbitrary shell commands with the
privileges of users executing a vulnerable version of scp.
This issue reportedly affects version 4.2 of OpenSSH. Other versions may
also be affected.
OpenSSH GSSAPI Credential Disclosure Vulnerability
BugTraq ID: 14729
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14729
Summary:
OpenSSH is susceptible to a GSSAPI credential-delegation vulnerability.
Specifically, if a user has GSSAPI authentication configured, and
'GSSAPIDelegateCredentials' is enabled, their Kerberos credentials will be
forwarded to remote hosts. This occurs even when the user uses
authentication methods other than GSSAPI to connect, which is not usually
expected.
This vulnerability allows remote attackers to improperly gain access to
GSSAPI credentials, allowing them to use the credentials to access resources
granted to the original principal.
This issue affects versions of OpenSSH prior to 4.2.
Cisco VPN 3000 Concentrator Malformed HTTP Packet Remote Denial of
Service Vulnerability
BugTraq ID: 16394
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/16394
Summary:
Cisco VPN 3000 Concentrator is prone to a remote denial-of-service
vulnerability when handling a specially crafted HTTP packet.
A successful attack can cause the device to restart.
[ firmware ]
Cisco IOS Multiple Unspecified EIGRP Vulnerabilities
BugTraq ID: 14877
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14877
Summary:
Cisco IOS is susceptible to multiple unspecified EIGRP vulnerabilities.
Further details are currently unavailable. This BID will be updated as more
information is disclosed.
Due to the nature of the protocol, attackers likely require access to hosts
in networks operating with the vulnerable protocol.
[ firmware ]
MySQL mysql_install_db Insecure Temporary File Creation Vulnerability
BugTraq ID: 13660
Remote: No
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/13660
Summary:
MySQL is reportedly affected by a vulnerability that can allow local
attackers to gain unauthorized access to the database or gain elevated
privileges. This issue results from a design error due to the creation of
temporary files in an insecure manner.
The vulnerability affects the 'mysql_install_db' script.
Due to the nature of the script, an attacker may create database accounts or
gain elevated privileges.
MySQL versions prior to 4.0.12 and MySQL 5.x releases 5.0.4 and prior are
reported to be affected.
Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
BugTraq ID: 13676
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/13676
Summary:
A denial-of-service vulnerability exists for the TCP RFC 1323. The issue
resides in the Protection Against Wrapped Sequence Numbers (PAWS) technique
that was included to increase overall TCP performance.
When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP
connection employ internal clocks to mark TCP headers with a 'timestamp'
value.
When TCP PAWS is configured to employ timestamp values, this functionality
exposes TCP PAWS implementations to a denial-of-service vulnerability.
The issue manifests if an attacker transmits a sufficient TCP PAWS packet to
a vulnerable computer. The attacker sets a large value as the packet
timestamp. When the target computer processes this packet, the internal
timer is updated to the large value that the attacker supplied. This causes
all other valid packets that are received subsequent to an attack to be
dropped, because they are deemed to be too old or invalid. This type of
attack will effectively deny service for a target connection.
ht://Dig Config Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 12442
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/12442
Summary:
ht://Dig is reported prone to a cross-site scripting vulnerability. This
issue is due to a failure of the application to properly sanitize
user-supplied URI data prior to including it in dynamically generated Web
page content.
All versions of ht://Dig are considered vulnerable at the moment.
Lynx URI Handlers Arbitrary Command Execution Vulnerability
BugTraq ID: 15395
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15395
Summary:
Lynx is prone to an arbitrary command-execution vulnerability. This issue is
due to the application's failure to properly sanitize user-supplied input.
A remote attacker can exploit this vulnerability by tricking a victim user
into following a malicious link, thus enabling the attacker to execute
arbitrary commands in the context of the victim user.
Perl perl_sv_vcatpvfn Format String Integer Wrap Vulnerability
BugTraq ID: 15629
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15629
Summary:
Perl is susceptible to a format-string vulnerability. This issue is due to
the programming language's failure to properly handle format specifiers in
formatted printing functions.
An attacker may leverage this issue to write to arbitrary process memory,
facilitating code execution in the context of the Perl interpreter process.
This can result in unauthorized remote access.
Developers should treat the formatted printing functions in Perl as
equivalently vulnerable to exploitation as the C library versions, and
should properly sanitize all data passed in the format specifier argument.
All applications that use formatted printing functions in an unsafe manner
should be considered exploitable.
OpenSSL Insecure Protocol Negotiation Weakness
BugTraq ID: 15071
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15071
Summary:
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue
is due to the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option
to maintain compatibility with third-party software.
This issue presents itself when two peers try to negotiate the protocol they
wish to communicate with. Attackers who can intercept and modify the SSL
communications may exploit this weakness to force SSL version 2 to be chosen.
The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted
client and server.
Note that the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the
frequently used 'SSL_OP_ALL' option.
SSL peers that are configured to disallow SSL version 2 are not affected by
this issue.
GNU Mailman Attachment Scrubber UTF8 Filename Denial Of Service
Vulnerability
BugTraq ID: 15408
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15408
Summary:
GNU Mailman is prone to denial-of-service attacks. This issue affects the
attachment scrubber utility.
The vulnerability could be triggered by mailing-list posts and will impact
the availability of mailing lists hosted by the application.
GNU Mailman Large Date Data Denial Of Service Vulnerability
BugTraq ID: 16248
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16248
Summary:
GNU Mailman is prone to a denial-of-service attack. This issue affects the
email date parsing functionality of Mailman.
The vulnerability could be triggered by mailing-list posts and will impact
the availability of mailing lists hosted by the application.
MyDNS DNS Query Denial Of Service Vulnerability
BugTraq ID: 16431
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16431
Summary:
MyDNS is prone to a remote denial-of-service vulnerability. This issue is
due to a failure in the application to properly handle DNS queries.
An attacker can exploit this issue to crash the affected service,
effectively denying service to legitimate users.
The vendor has addressed this issue in version 1.1.0; earlier versions are
reportedly vulnerable.
gzip zgrep Arbitrary Command Execution Vulnerability
BugTraq ID: 13582
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/13582
Summary:
zgrep is reportedly affected by an arbitrary command execution vulnerability.
An attacker may execute arbitrary commands through zgrep command arguments
to potentially gain unauthorized access to the affected computer. It should
be noted that this issue only poses a security threat if the arguments
originate from a malicious source.
zgrep 1.2.4 was reported vulnerable. Other versions may be affected as well.
bzip2 chmod File Permission Modification Race Condition Weakness
BugTraq ID: 12954
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12954
Summary:
The 'bzip2' utility is reported prone to a security weakness. The issue is
present only when an archive is extracted into a world- or group-writeable
directory. It is reported that bzip2 employs non-atomic procedures to write
a file and later changes the permissions on the newly extracted file.
A local attacker may leverage this issue to modify file permissions of
target files.
This weakness is reported to affect bzip2 version 1.0.2 and previous
versions.
Edgewall Software Trac HTML WikiProcessor Wiki Content HTML Injection
Vulnerability
BugTraq ID: 16198
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16198
Summary:
Trac is prone to an HTML-injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context of
the affected website, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also
possible.
Edgewall Software Trac Search Module SQL Injection Vulnerability
BugTraq ID: 15720
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15720
Summary:
Trac is prone to an SQL injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in an SQL query.
Successful exploitation could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.
unalz Archive Filename Buffer Overflow Vulnerability
BugTraq ID: 15577
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15577
Summary:
The 'unalz' utility is prone to a buffer-overflow vulnerability. This issue
is exposed when the application extracts an ALZ archive that contains a file
with a long name.
An attacker could exploit this vulnerability to execute arbitrary code in
the context of the user who extracts a malicious archive.
Arescom Net DSL 1000 telnet Denial of Service Vulnerability
BugTraq ID: 4067
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/4067
Summary:
The Arescom NETDSL 1000 Series ADSL router provides a telnet-based
management interface for configuration. An attacker can crash this interface
by repeatedly connecting and sending long strings (256 characters) when
prompted for a password. This does not affect normal router function, but
shuts down the management console until the router is powered down and
restarted.
[ firmware ]
Mozilla Firefox XBL -MOZ-BINDING Property Cross-Domain Scripting
Vulnerability
BugTraq ID: 16427
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16427
Summary:
Mozilla Firefox is prone to a security vulnerability that may let a Web page
execute malicious script code in the context of an arbitrary domain.
The issue affects the '-moz-binding' property.
This could allow a malicious site to access the properties of a trusted site
and facilitate various attacks including disclosure of sensitive information.
Multiple Mozilla Products Memory Corruption/Code Injection/Access
Restriction Bypass Vulnerabilities
BugTraq ID: 16476
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16476
Summary:
Multiple Mozilla products are prone to multiple vulnerabilities. These
issues include various memory-corruption, code-injection, and
access-restriction-bypass vulnerabilities. Other undisclosed issues may have
also been addressed in the various updated vendor applications.
Successful exploitation of these issues may permit an attacker to execute
arbitrary code in the context of the affected application. This may
facilitate a compromise of the affected computer; other attacks are also
possible.
Mozilla Thunderbird File Attachment Spoofing Vulnerability
BugTraq ID: 16271
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16271
Summary:
Mozilla Thunderbird is prone to a file-attachment spoofing vulnerability.
Successful exploitation may allow attackers to place malicious files on a
user's computer by tricking users into saving seemingly safe attachments. If
the user subsequently opens the file, this vulnerability may facilitate
arbitrary code execution in the context of the user.
Thunderbird versions prior to 1.5 are affected.
Mozilla Firefox Large History File Buffer Overflow Vulnerability
BugTraq ID: 15773
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15773
Summary:
Mozilla Firefox is reportedly prone to a remote denial-of-service
vulnerability.
This issue presents itself when the browser handles a large entry in the
'history.dat' file. An attacker may trigger this issue by enticing a user to
visit a malicious website and supplying excessive data to be stored in the
affected file.
This may cause a denial-of-service condition.
**UPDATE: Proof-of-concept exploit code has been published. The author of
the code attributes the crash to a buffer-overflow condition. The alleged
flaw cannot be reproduced by Symantec.
GIT Remote Buffer Overflow Vulnerability
BugTraq ID: 16417
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16417
Summary:
GIT is prone to a remote buffer-overflow vulnerability.
The issue presents itself when a large symbolic link in an index file is
processed. A successful attack may result in arbitrary code execution in the
context of the user.
Linux Kernel dm-crypt Local Information Disclosure Vulnerability
BugTraq ID: 16301
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16301
Summary:
The Linux kernel dm-crypt module is susceptible to a local
information-disclosure vulnerability. This issue is due to the module's
failure to properly zero-sensitive memory buffers before freeing the memory.
This issue may allow local attackers to gain access to potentially sensitive
memory that contains information on the cryptographic key used for the
encrypted storage. This may aid them in further attacks.
This issue affects the 2.6 series of the Linux kernel.
Linux Kernel Multiple Security Vulnerabilities
BugTraq ID: 16414
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16414
Summary:
Linux kernel is prone to multiple vulnerabilities. These issues can allow
local and remote attackers to trigger denial-of-service conditions or to
corrupt memory to potentially execute arbitrary code.
These issues affect kernel versions 2.6.15 and prior.
Linux Kernel 64-Bit SMP Routing_ioctl() Local Denial of Service
Vulnerability
BugTraq ID: 14902
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14902
Summary:
A local denial of service vulnerability affects the Linux on 64 bit
Symmetric Multi-Processor (SMP) platforms.
Specifically, the vulnerability presents itself due to an omitted call to
the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()'
function.
The 32-bit compatible 'tiocgdev ioctl()' function on x86-64 platforms is
affected by this issue as well.
Linux Kernel IPv6 FlowLable Denial Of Service Vulnerability
BugTraq ID: 15729
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this vulnerability to corrupt kernel memory or
free non-allocated memory. Successful exploitation will result in a crash of
the kernel, effectively denying service to legitimate users.
Linux Kernel PTrace CLONE_THREAD Local Denial of Service Vulnerability
BugTraq ID: 15642
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.
In instances where a process is created via the 'clone()' system call with
the 'CLONE_THREAD' argument ptraced, the kernel fails to properly ensure
that the ptracing process is not attempting to trace itself.
This issue allows local users to crash the kernel, denying service to
legitimate users.
Kernel versions prior to 2.6.14.2 are vulnerable to this issue.
Linux Kernel Time_Out_Leases PrintK Local Denial of Service Vulnerability
BugTraq ID: 15627
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15627
Summary:
Linux kernel is susceptible to a local denial of service vulnerability.
This issue is triggered by consuming excessive kernel log memory by
obtaining numerous file lock leases. Once the leases timeout, the event will
be logged, and kernel memory will be consumed.
This issue allows local attackers to consume excessive kernel memory,
eventually leading to an out-of-memory condition, and a denial of service
for legitimate users.
Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.
Linux Kernel Multiple Unspecified ISO9660 Filesystem Handling
Vulnerabilities
BugTraq ID: 12837
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12837
Summary:
The Linux kernel is reported prone to multiple vulnerabilities that occur
because of "range-checking flaws" present in the ISO9660 handling routines.
An attacker may exploit these issues to trigger kernel-based memory
corruption. Ultimately, the attacker may be able to execute arbitrary
malicious code with ring-zero privileges.
These vulnerabilities are reported to be present in the ISO9660 filesystem
handler including Rock Ridge and Juliet extensions for the Linux kernel up
to and including version 2.6.11.
Eterm LibAST Library Local Buffer Overflow Vulnerability
BugTraq ID: 16350
Remote: No
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16350
Summary:
Eterm LibAST library is prone to a local buffer-overflow vulnerability.
An attacker can trigger this issue by supplying a long filename through the
'-X' option of Eterm. A successful attack can corrupt memory and facilitate
arbitrary code execution with the privileges of the 'utmp' user.
LibAST versions 0.6.1 and prior are vulnerable to this issue.
Note that other applications using the affected library may be vulnerable as
well.
GNOME Evolution Inline XML File Attachment Buffer Overflow Vulnerability
BugTraq ID: 16408
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16408
Summary:
GNOME Evolution email client is prone to a denial-of-service vulnerability
when processing messages containing inline XML file attachments with
excessively long strings.
Dave Carrigan Auth_LDAP Remote Format String Vulnerability
BugTraq ID: 16177
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16177
Summary:
Dave Carrigan's auth_ldap is susceptible to a remote format-string
vulnerability. This issue is due to the application's failure to properly
sanitize user-supplied input before using it in the format-specifier of a
formatted printing function.
This issue likely arises only if auth_ldap has been enabled and is used for
user authentication.
This issue allows remote attackers to execute arbitrary machine code in the
context of Apache webservers that use the affected module. This may
facilitate the compromise of affected computers.
Ethereal Service Location Protocol Dissection Stack Buffer Overflow
Vulnerability
BugTraq ID: 15158
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15158
Summary:
A remote buffer-overflow vulnerability affects Ethereal. This issue is due
to the application's failure to securely copy network-derived data into
sensitive process buffers. The specific issue resides in the Service
Location Protocol dissector.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This may
facilitate unauthorized access or privilege escalation.
This issue may be exploited by a single TCP packet to port 427, since
Ethereal does not keep track of connection states. This allows malicious
users to spoof the origin of attacks and to exploit this vulnerability when
no services are actively listening on TCP port 427.
Note that this issue was originally disclosed in BID 15148 "Ethereal
Multiple Protocol Dissector Vulnerabilities In Versions Prior To 0.10.13".
Ethereal Multiple Protocol Dissector Vulnerabilities In Versions Prior To 0.10.13
BugTraq ID: 15148
Remote: Yes
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/15148
Summary:
Several vulnerabilities in Ethereal have been disclosed by the vendor. The
reported issues are in various protocol dissectors.
These issues include:
- Buffer-overflow vulnerabilities
- Null-pointer dereference denial-of-service vulnerabilities
- Infinite loop denial-of-service vulnerabilities
- Memory exhaustion denial-of-service vulnerabilities
- Division by zero denial-of-service vulnerabilities
- Invalid pointer free() attempt denial-of-service vulnerabilities
- Unspecified denial-of-service vulnerabilities
These issues could allow remote attackers to execute arbitrary machine code
in the context of the vulnerable application. Attackers could also crash the
affected application.
Various vulnerabilities affect different versions of Ethereal, from 0.7.7
through to 0.10.12.
sudo Perl Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 15394
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15394
Summary:
sudo is prone to a security bypass vulnerability that could lead to
arbitrary code execution. This issue is due to an error in the application
when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment
variables when tainting is ignored.
An attacker can exploit this vulnerability to bypass security restrictions
and include arbitrary library files.
An attacker must have the ability to run Perl scripts through sudo to
exploit this vulnerability.
sudo Python Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 16184
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16184
Summary:
sudo is prone to a security bypass vulnerability that could lead to
arbitrary code execution. This issue is due to an error in the application
when handling environment variables.
A local attacker with the ability to run Python scripts can exploit this
vulnerability to gain access to an interactive Python prompt. Attackers may
then execute arbitrary code with elevated privileges, facilitating the
complete compromise of affected computers.
An attacker must have the ability to run Python scripts through sudo to
exploit this vulnerability.
This issue is similar to BID 15394 (sudo Perl Environment Variable Handling
Security Bypass Vulnerability).
Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
BugTraq ID: 5020
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/5020
Summary:
Internet Group Management Protocol (IGMP) specifies guidelines for the
management of Internet Multicast Routing management.
An arbitrary host may deny service to a system on the same segment of
network. In a situation where a multicast router sends a membership report
request, a host sending a unicast membership report response to the primary
responder can prevent the responder from sending a message to the multicast
router. In doing so, the router will not receive a response from any host,
and thus the transmission will timeout and cease.
This vulnerability may additionally affect other operating systems, though
it is currently unknown which implementations may be vulnerable.
Fcron Convert-FCronTab Local Buffer Overflow Vulnerability
BugTraq ID: 16467
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16467
Summary:
Fcron is susceptible to a local buffer-overflow vulnerability. This issue is
due to the application's failure to properly bounds-check user-supplied data
before copying it to an insufficiently sized memory buffer.
This issue allows local attackers to execute arbitrary machine code with
superuser privileges, since the affected utility is installed
setuid-superuser by default in some installations. This allows attackers to
completely compromise affected computers.
Fcron version 3.0 is affected by this issue; previous versions may also be
affected.
Update: This issue is now retired. Further analysis reveals that this issue
cannot be exploited for code execution; therefore, this is not a
vulnerability.
IPSec-Tools IKE Message Handling Denial of Service Vulnerability
BugTraq ID: 15523
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15523
Summary:
IPsec-Tools is prone to a denial-of-service vulnerability. This issue is due
to a failure in the application to handle exceptional conditions when in
'AGGRESSIVE' mode.
An attacker can exploit this issue to crash the application, thus denying
service to legitimate users.
These vulnerabilities were discovered by, and may be reproduced by, the
University of Oulu Secure Programming Group PROTOS IPSec Test Suite.
FFmpeg libavcodec Heap Buffer Overflow Vulnerability
BugTraq ID: 15743
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15743
Summary:
FFmpeg's libavcodec is susceptible to a heap buffer-overflow vulnerability.
This issue is due to the library's failure to properly bounds-check
user-supplied data before using it in memory allocation and copy operations.
Attackers may exploit this vulnerability to execute arbitrary code in the
context of applications that use an affected version of the libavcodec
library.
An attacker can exploit this issue by enticing a user to open a malformed
PNG file with an application that uses a vulnerable version of libavcodec.
If the application is configured as the default handler for PNG files, this
could present a viable web or email attack vector -- when the PNG is clicked
from an appropriate client application, the application using the vulnerable
library will automatically be invoked.
UIM LibUIM Environment Variables Privilege Escalation Weakness
BugTraq ID: 15007
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15007
Summary:
Uim is reported prone to a privilege escalation weakness.
An attacker that has local interactive access to a system that has a
vulnerable application installed may potentially exploit this weakness to
escalate privileges.
This issue is reported to affect all stable versions prior to 0.4.9.1, and
in development versions prior to 0.5.0.1.
CGI.pm Start_Form Cross-Site Scripting Vulnerability
BugTraq ID: 8231
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/8231
Summary:
CGI.pm is prone to cross-site scripting attacks under some circumstances.
This issue occurs because the 'start_form()' function (or other functions
that use this function) does not sufficiently sanitize HTML and script code
when a form action isn't specified. This could expose scripts that use the
function to cross-site scripting attacks.
Safe.pm Unsafe Code Execution Vulnerability
BugTraq ID: 6111
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/6111
Summary:
When Perl code is executed within a Safe compartment, it cannot access
variables outside of the compartment unless the outside code chooses to
share the variables with the code inside the compartment.
If code inside a Safe compartment is executed via 'Safe->reval()' twice, it
can change its operation mask the second time. This could allow the code to
access variables outside the Safe compartment.
GD Graphics Library Remote Integer Overflow Vulnerability
BugTraq ID: 11523
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/11523
Summary:
The GD Graphics Library (gdlib) is affected by an integer overflow that
facilitates a heap overflow. This issue is due to the library's failure to
do proper sanity checking on size values contained within image-format files.
An attacker may leverage this issue to manipulate process heap memory,
potentially leading to code execution and compromise of the computer running
the affected library.
Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 16171
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16171
Summary:
Multiple remote buffer-overflow vulnerabilities affect Bogofilter. These
issues are due to the application's failure to properly handle invalid input
sequences and to validate the length of user-supplied strings before copying
them into static process buffers.
An attacker may exploit these issue to cause a denial-of-service condition
or possibly to execute arbitrary code with the privileges of the vulnerable
application. This may facilitate unauthorized access or privilege escalation.
Note that successful exploitation requires that Bogofilter be used with a
Unicode database.
XMame Multiple Local Command Line Argument Buffer Overflow
Vulnerabilities
BugTraq ID: 16203
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16203
Summary:
XMame is prone to locally exploitable buffer-overflow vulnerabilities. These
issues are due to insufficient bounds checking of command-line parameters.
Successful exploitation on some systems could result in execution of
malicious instructions with elevated privileges, since XMame may be
installed with setuid-superuser privileges.
XMame version 0.102 is vulnerable to these issues; other versions may also
be affected.
This issue may be related to BID 7773 (XMame Lang Local Buffer Overflow
Vulnerability).
LSH Seed File File Descriptor Leakage Vulnerability
BugTraq ID: 16357
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16357
Summary:
lsh may leak file descriptors that may allow a local attacker to access
sensitive information or to cause a denial-of-service condition.
lsh 2.0.1 is reportedly vulnerable. Other versions may be affected as well.
Multiple Vendor KernFS LSEEK Local Kernel Memory Disclosure Vulnerability
BugTraq ID: 16173
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16173
Summary:
The 'kernfs' filesystem in both NetBSD and OpenBSD is prone to a kernel
memory disclosure vulnerability. This issue arises due to insufficient
sanitization of user-supplied arguments passed to the 'lseek()' system call.
An attacker may use information disclosed through this attack to launch
other attacks against a computer and potentially to aid in a complete
compromise.
Note that OpenBSD has completely removed kernfs since OpenBSD 3.8; version
3.7 had kernfs support disabled in their GENERIC kernel, and has never
mounted the kernfs filesystem by default.
FreeBSD TCP SACK Remote Denial Of Service Vulnerability
BugTraq ID: 16466
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16466
Summary:
FreeBSD is susceptible to a remote denial-of-service vulnerability. This
issue is due to a flaw in affected kernels that potentially results in an
infinite-loop condition when handling TCP SACK packets.
This issue allows remote attackers to cause affected kernels to enter into
an infinite loop, denying further network service to legitimate users.
Samba Directory Access Control List Remote Integer Overflow Vulnerability
BugTraq ID: 11973
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/11973
Summary:
A remotely exploitable integer-overflow vulnerability affects Samba's
directory access control list (DACL) processing functionality. This issue is
due to the application's failure to properly perform sanity checking on
calculated data sizes before copying data into static process buffers.
An attacker with access to an SMB share may leverage this issue to overwrite
the heap of the affected process, facilitating code execution with superuser
privileges.
More information about the gull-annonces
mailing list