[gull-annonces] Summary of SecurityFocus Newsletter #335/336

Marc SCHAEFER schaefer at alphanet.ch
Wed Feb 8 10:40:19 CET 2006


kpdf and kword Multiple Unspecified Buffer and Integer Overflow 
Vulnerabilities
BugTraq ID: 16143
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16143
Summary:
kpdf and kword are prone to multiple buffer and integer overflows. 
Successful exploitation could result in arbitrary code execution in the 
context of the user running the vulnerable application.

Specific details of these issues are not currently available. This record 
will be updated when more information becomes available.

The kdegraphics package and KPDF versions 3.4.3 and earlier, and KOffice and 
KWord versions 1.4.2 and earlier are vulnerable.

xpdf DCTStream Progressive Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15726
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/15726
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow 
vulnerability. This issue exists because the application fails to perform 
proper boundary checks before copying user-supplied data into process 
buffers. A remote attacker may execute arbitrary code in the context of a 
user running the application. As a result, the attacker can gain 
unauthorized access to the vulnerable computer.

It is reported that this issue presents itself in the 
'DCTStream::readProgressiveSOF' function residing in the 'xpdf/Stream.cc' 
file.

This issue is reported to affect xpdf 3.01, but earlier versions are likely 
vulnerable as well. Applications using embedded xpdf code may also be 
vulnerable.

The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version 
0.36 of pdftohtml was reported prone to this issue, but earlier versions may 
also be affected.

The 'kpdf' utility reportedly incorporates vulnerable xpdf code. Version 0.5 
of kpdf is prone to this issue, but other versions may also be affected.

xpdf JPX Stream Reader Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15721
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/15721
Summary:

The xpdf utility is reported prone to a remote buffer-overflow 
vulnerability. This issue exists because the application fails to perform 
proper boundary checks before copying user-supplied data into process 
buffers. A remote attacker may execute arbitrary code in the context of a 
user running the application. This can result in the attacker gaining 
unauthorized access to the vulnerable computer.

It is reported that this issue presents itself in the 
'JPXStream::readCodestream' function residing in the 'xpdf/JPXStream.cc' 
file.

This issue is reported to affect xpdf 3.01, but earlier versions are likely 
prone to this vulnerability as well. Applications using embedded xpdf code 
may also be vulnerable.

The kpdf utility reportedly incorporates vulnerable xpdf code. Version 0.5 
of kpdf is prone to this issue, but other versions may also be affected.

xpdf StreamPredictor Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 15725
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15725
Summary:

The 'xpdf' viewer is reported prone to a remote buffer-overflow 
vulnerability. This issue exists because the application fails to perform 
proper boundary checks before copying user-supplied data into process 
buffers. A remote attacker may execute arbitrary code in the context of a 
user running the application. As a result, the attacker can gain 
unauthorized access to the vulnerable computer.

This issue is reported to present itself in the 
'StreamPredictor::StreamPredictor' function residing in the 'xpdf/Stream.cc' 
file.

This issue is reported to affect xpdf 3.01, but earlier versions are likely 
prone to this vulnerability as well. Applications using embedded xpdf code 
may also be vulnerable.

The 'pdftohtml' utility also includes vulnerable versions of xpdf. Version 
0.36 of pdftohtml was reported prone to this issue, but earlier versions may 
also be affected.

The 'kpdf' viewer reportedly incorporates vulnerable xpdf code. Version 0.5 
of kpdf is prone to this issue, but other versions may also be affected.

Sylpheed LDIF Import Remote Buffer Overflow Vulnerability
BugTraq ID: 15363
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15363
Summary:
Sylpheed is prone to a buffer-overflow vulnerability.

A buffer overflow can occur when an unsuspecting user imports a malicious 
LDIF file into an address book.

Exploitation of this vulnerability may allow an attacker to gain 
unauthorized access to the computer in the context of the Sylpheed client.

Joshua Chamas Crypt::SSLeay Perl Module Insecure Entropy Source 
Vulnerability
BugTraq ID: 13471
Remote: No
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13471
Summary:
Crypt::SSLeay is prone to a security vulnerability. Reports indicate that 
the library employs a file from a world-writable location for its fallback 
entropy source. The module defaults to this file if a proper entropy source 
is not set.

If the affected library is using the insecure file as a source of entropy, a 
local attacker may replace the contents of the file with known text. This 
known text is then employed to seed cryptographic operations. This may lead 
to weak cryptographic operations.

gdb Multiple Vulnerabilities
BugTraq ID: 13697
Remote: Yes
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13697
Summary:
gdb is reportedly affected by multiple vulnerabilities. These issues can 
allow an attacker to execute arbitrary code and commands on an affected 
computer. A successful attack may allow the attacker to gain elevated 
privileges or unauthorized access.

The following specific issues were identified:

- a remote heap-overflow vulnerability when loading malformed object files.
- a local privilege-escalation vulnerability.

gdb 6.3 is reportedly affected by these issues; other versions are likely 
vulnerable as well. GNU binutils 2.14 and 2.15 are affected by the 
heap-overflow issue as well.

Net-SNMP Fixproc Insecure Temporary File Creation Vulnerability
BugTraq ID: 13715
Remote: No
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/13715
Summary:
A local insecure temporary file-creation vulnerability affects Net-SNMP's 
fixproc. This issue is due to the utility's failure to securely create 
temporary files in world-writable locations.

An attacker may leverage this issue to corrupt, write to, or create 
arbitrary files, as well as execute arbitrary code with the privileges of 
the user or process running the vulnerable script. This may facilitate 
privilege escalation.

Net-SNMP Unspecified Remote Stream-Based Protocol Denial Of Service 
Vulnerability
BugTraq ID: 14168
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The issue is 
exposed when Net-SNMP is configured to have an open stream-based protocol 
port, such as TCP.

The exact details describing this issue are not available. This BID will be 
updated when further details are made available.

ImageMagick File Name Handling Remote Format String Vulnerability
BugTraq ID: 12717
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12717
Summary:
ImageMagick is reported prone to a remote format-string vulnerability.

Reportedly, this issue arises when the application handles malformed 
filenames. An attacker can exploit this vulnerability by crafting a 
malicious file with a name that contains format specifiers and sending the 
file to an unsuspecting user.

Note that other attack vectors also exist that may not require user 
interaction, since the application can be used with custom printing systems 
and web applications.

A successful attack may crash the application or lead to arbitrary code 
execution.

All versions of ImageMagick are considered vulnerable at the moment.

ImageMagick Image Filename Remote Command Execution Vulnerability
BugTraq ID: 16093
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16093
Summary:
ImageMagick is prone to a remote shell command-execution vulnerability.

Successful exploitation can allow arbitrary commands to be executed in the 
context of the affected user. Note that this issue could also be exploited 
through other applications that use ImageMagick as the default image viewer.

ImageMagick 6.2.4.5 is reportedly vulnerable. Other versions may be affected 
as well.

Apache mod_ssl Custom Error Document Remote Denial Of Service 
Vulnerability
BugTraq ID: 16152
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16152
Summary:
Apache's mod_ssl module is susceptible to a remote denial-of-service 
vulnerability. A flaw in the module results in a NULL-pointer dereference 
that causes the server to crash. This issue is present only when virtual 
hosts are configured with a custom 'ErrorDocument' statement for '400' 
errors or 'SSLEngine optional'.

Depending on the configuration of Apache, attackers may crash the entire 
webserver or individual child processes. Repeated attacks are required to 
deny service to legitimate users when Apache is configured for multiple 
child processes to handle connections.

This issue affects Apache 2.x versions.

Apache mod_imap Referer Cross-Site Scripting Vulnerability
BugTraq ID: 15834
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15834
Summary:
Apache's mod_imap module is prone to a cross-site scripting vulnerability. 
This issue is due to the module's failure to properly sanitize user-supplied 
input.

An attacker may leverage this issue to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site. 
This may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

Apache HTTP Request Smuggling Vulnerability
BugTraq ID: 14106
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14106
Summary:
Apache is prone to an HTTP-request-smuggling attack.

A specially crafted request with a 'Transfer-Encoding: chunked' header and a 
'Content-Length' header can cause the server to forward a reassembled 
request with the original 'Content-Length' header. As a result, the 
malicious request may piggyback on the valid HTTP request.

This attack may result in cache poisoning, cross-site scripting, session 
hijacking, and other attacks.

This issue was originally described in BID 13873 (Multiple Vendor Multiple 
HTTP Request Smuggling Vulnerabilities). Due to the availability of more 
details and vendor confirmation, the issue is now a new BID.

Apache mod_ssl CRL Handling Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 14366
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14366
Summary:
mod_ssl is prone to an off-by-one buffer overflow condition.

The vulnerability, located in the mod_ssl CRL verification callback, may 
allow memory corruption when a malicious CRL is handled.

An attacker may exploit this issue to trigger a denial of service condition. 
It is conjectured that arbitrary code execution may be possible as well.

Convert-UUlib Perl Module Buffer Overflow Vulnerability
BugTraq ID: 13401
Remote: Yes
Last Updated: 2006-01-27
Relevant URL: http://www.securityfocus.com/bid/13401
Summary:
Convert-UUlib Perl module is prone to a remotely exploitable buffer-overflow 
vulnerability.

This condition may be leveraged to overwrite sensitive program control 
variables, allowing a remote attacker to control the process's execution 
flow.

This BID will be updated as soon as further information regarding this issue 
is made available.

OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
BugTraq ID: 14727
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/14727
Summary:
OpenSSH is susceptible to a vulnerability that causes improper activation of 
the 'GatewayPorts' option, allowing unintended hosts to use the SSH SOCKS 
proxy.

Specifically, if the 'DynamicForward' option is activated, 'GatewayPorts' is 
also unconditionally enabled.

This vulnerability allows remote attackers to use the SOCKS proxy to make 
arbitrary TCP connections through the configured SSH session, allowing them 
to attack computers and services through a connection that was wrongly 
thought to be secure.

This issue affects OpenSSH 4.0 and 4.1.

OpenSSH scp Shell Command Execution Vulnerability
BugTraq ID: 16369
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16369
Summary:
OpenSSH is susceptible to an scp shell command-execution vulnerability. This 
issue is due to the application's failure to properly sanitize user-supplied 
input before using it in a 'system()' function call.

This issue allows attackers to execute arbitrary shell commands with the 
privileges of users executing a vulnerable version of scp.

This issue reportedly affects version 4.2 of OpenSSH. Other versions may 
also be affected.

OpenSSH GSSAPI Credential Disclosure Vulnerability
BugTraq ID: 14729
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14729
Summary:
OpenSSH is susceptible to a GSSAPI credential-delegation vulnerability.

Specifically, if a user has GSSAPI authentication configured, and 
'GSSAPIDelegateCredentials' is enabled, their Kerberos credentials will be 
forwarded to remote hosts. This occurs even when the user uses 
authentication methods other than GSSAPI to connect, which is not usually 
expected.

This vulnerability allows remote attackers to improperly gain access to 
GSSAPI credentials, allowing them to use the credentials to access resources 
granted to the original principal.

This issue affects versions of OpenSSH prior to 4.2.

Cisco VPN 3000 Concentrator Malformed HTTP Packet Remote Denial of 
Service Vulnerability
BugTraq ID: 16394
Remote: Yes
Last Updated: 2006-02-01
Relevant URL: http://www.securityfocus.com/bid/16394
Summary:

Cisco VPN 3000 Concentrator is prone to a remote denial-of-service 
vulnerability when handling a specially crafted HTTP packet.

A successful attack can cause the device to restart.

[ firmware ]

Cisco IOS Multiple Unspecified EIGRP Vulnerabilities
BugTraq ID: 14877
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14877
Summary:
Cisco IOS is susceptible to multiple unspecified EIGRP vulnerabilities.

Further details are currently unavailable. This BID will be updated as more 
information is disclosed.

Due to the nature of the protocol, attackers likely require access to hosts 
in networks operating with the vulnerable protocol.

[ firmware ]

MySQL mysql_install_db Insecure Temporary File Creation Vulnerability
BugTraq ID: 13660
Remote: No
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/13660
Summary:
MySQL is reportedly affected by a vulnerability that can allow local 
attackers to gain unauthorized access to the database or gain elevated 
privileges. This issue results from a design error due to the creation of 
temporary files in an insecure manner.

The vulnerability affects the 'mysql_install_db' script.

Due to the nature of the script, an attacker may create database accounts or 
gain elevated privileges.

MySQL versions prior to 4.0.12 and MySQL 5.x releases 5.0.4 and prior are 
reported to be affected.

Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
BugTraq ID: 13676
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/13676
Summary:
A denial-of-service vulnerability exists in implementations of TCP RFC 1323. 
The issue resides in the Protection Against Wrapped Sequence Numbers (PAWS) 
technique that was included to increase overall TCP performance.

When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP 
connection employ internal clocks to mark TCP headers with a 'timestamp' 
value.

When TCP PAWS is configured to employ timestamp values, this functionality 
exposes TCP PAWS implementations to a denial-of-service vulnerability.

The issue manifests if an attacker transmits a suitably crafted TCP packet 
carrying a timestamp option to a vulnerable computer. The attacker sets a 
large value as the packet timestamp. When the target computer processes this 
packet, the internal timer is updated to the large value that the attacker 
supplied. This causes all other valid packets that are received subsequent 
to an attack to be dropped, because they are deemed to be too old or invalid. 
This type of attack will effectively deny service for a target connection.

ht://Dig Config Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 12442
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/12442
Summary:
ht://Dig is reported prone to a cross-site scripting vulnerability. This 
issue is due to a failure of the application to properly sanitize 
user-supplied URI data prior to including it in dynamically generated Web 
page content.

All versions of ht://Dig are considered vulnerable at the moment.

Lynx URI Handlers Arbitrary Command Execution Vulnerability
BugTraq ID: 15395
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15395
Summary:
Lynx is prone to an arbitrary command-execution vulnerability. This issue is 
due to the application's failure to properly sanitize user-supplied input.

A remote attacker can exploit this vulnerability by tricking a victim user 
into following a malicious link, thus enabling the attacker to execute 
arbitrary commands in the context of the victim user.

Perl perl_sv_vcatpvfn Format String Integer Wrap Vulnerability
BugTraq ID: 15629
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15629
Summary:
Perl is susceptible to a format-string vulnerability. This issue is due to 
the programming language's failure to properly handle format specifiers in 
formatted printing functions.

An attacker may leverage this issue to write to arbitrary process memory, 
facilitating code execution in the context of the Perl interpreter process. 
This can result in unauthorized remote access.

Developers should treat the formatted printing functions in Perl as 
equivalently vulnerable to exploitation as the C library versions, and 
should properly sanitize all data passed in the format specifier argument.

All applications that use formatted printing functions in an unsafe manner 
should be considered exploitable.

OpenSSL Insecure Protocol Negotiation Weakness
BugTraq ID: 15071
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15071
Summary:
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue 
is due to the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option 
to maintain compatibility with third-party software.

This issue presents itself when two peers try to negotiate the protocol they 
wish to communicate with. Attackers who can intercept and modify the SSL 
communications may exploit this weakness to force SSL version 2 to be chosen.

The attacker may then exploit various insecurities in SSL version 2 to gain 
access to or tamper with the cleartext communications between the targeted 
client and server.

Note that the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the 
frequently used 'SSL_OP_ALL' option.

SSL peers that are configured to disallow SSL version 2 are not affected by 
this issue.

GNU Mailman Attachment Scrubber UTF8 Filename Denial Of Service 
Vulnerability
BugTraq ID: 15408
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15408
Summary:
GNU Mailman is prone to denial-of-service attacks. This issue affects the 
attachment scrubber utility.

The vulnerability could be triggered by mailing-list posts and will impact 
the availability of mailing lists hosted by the application.

GNU Mailman Large Date Data Denial Of Service Vulnerability
BugTraq ID: 16248
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16248
Summary:
GNU Mailman is prone to a denial-of-service attack. This issue affects the 
email date parsing functionality of Mailman.

The vulnerability could be triggered by mailing-list posts and will impact 
the availability of mailing lists hosted by the application.

MyDNS DNS Query Denial Of Service Vulnerability
BugTraq ID: 16431
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16431
Summary:

MyDNS is prone to a remote denial-of-service vulnerability. This issue is 
due to a failure in the application to properly handle DNS queries.

An attacker can exploit this issue to crash the affected service, 
effectively denying service to legitimate users.

The vendor has addressed this issue in version 1.1.0; earlier versions are 
reportedly vulnerable.

gzip zgrep Arbitrary Command Execution Vulnerability
BugTraq ID: 13582
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/13582
Summary:
zgrep is reportedly affected by an arbitrary command execution vulnerability.

An attacker may execute arbitrary commands through zgrep command arguments 
to potentially gain unauthorized access to the affected computer. It should 
be noted that this issue only poses a security threat if the arguments 
originate from a malicious source.

zgrep 1.2.4 was reported vulnerable. Other versions may be affected as well.

bzip2 chmod File Permission Modification Race Condition Weakness
BugTraq ID: 12954
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12954
Summary:
The 'bzip2' utility is reported prone to a security weakness. The issue is 
present only when an archive is extracted into a world- or group-writeable 
directory. It is reported that bzip2 employs non-atomic procedures to write 
a file and later changes the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of 
target files.

This weakness is reported to affect bzip2 version 1.0.2 and previous 
versions.

Edgewall Software Trac HTML WikiProcessor Wiki Content HTML Injection 
Vulnerability
BugTraq ID: 16198
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16198
Summary:
Trac is prone to an HTML-injection vulnerability. This issue is due to a 
failure in the application to properly sanitize user-supplied input before 
using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of 
the affected website, potentially allowing for theft of cookie-based 
authentication credentials. An attacker could also exploit this issue to 
control how the site is rendered to the user; other attacks are also 
possible.

Edgewall Software Trac Search Module SQL Injection Vulnerability
BugTraq ID: 15720
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15720
Summary:
Trac is prone to an SQL injection vulnerability. This issue is due to a 
failure in the application to properly sanitize user-supplied input before 
using it in an SQL query.

Successful exploitation could allow an attacker to compromise the 
application, access or modify data, or exploit vulnerabilities in the 
underlying database implementation.

unalz Archive Filename Buffer Overflow Vulnerability
BugTraq ID: 15577
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/15577
Summary:

The 'unalz' utility is prone to a buffer-overflow vulnerability. This issue 
is exposed when the application extracts an ALZ archive that contains a file 
with a long name.

An attacker could exploit this vulnerability to execute arbitrary code in 
the context of the user who extracts a malicious archive.

Arescom Net DSL 1000 telnet Denial of Service Vulnerability
BugTraq ID: 4067
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/4067
Summary:
The Arescom NETDSL 1000 Series ADSL router provides a telnet-based 
management interface for configuration. An attacker can crash this interface 
by repeatedly connecting and sending long strings (256 characters) when 
prompted for a password. This does not affect normal router function, but 
shuts down the management console until the router is powered down and 
restarted.

[ firmware ]

Mozilla Firefox XBL -MOZ-BINDING Property Cross-Domain Scripting 
Vulnerability
BugTraq ID: 16427
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16427
Summary:
Mozilla Firefox is prone to a security vulnerability that may let a Web page 
execute malicious script code in the context of an arbitrary domain.

The issue affects the '-moz-binding' property.

This could allow a malicious site to access the properties of a trusted site 
and facilitate various attacks including disclosure of sensitive information.

Multiple Mozilla Products Memory Corruption/Code Injection/Access 
Restriction Bypass Vulnerabilities
BugTraq ID: 16476
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16476
Summary:
Multiple Mozilla products are prone to multiple vulnerabilities. These 
issues include various memory-corruption, code-injection, and 
access-restriction-bypass vulnerabilities. Other undisclosed issues may have 
also been addressed in the various updated vendor applications.

Successful exploitation of these issues may permit an attacker to execute 
arbitrary code in the context of the affected application. This may 
facilitate a compromise of the affected computer; other attacks are also 
possible.

Mozilla Thunderbird File Attachment Spoofing Vulnerability
BugTraq ID: 16271
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16271
Summary:
Mozilla Thunderbird is prone to a file-attachment spoofing vulnerability.

Successful exploitation may allow attackers to place malicious files on a 
user's computer by tricking users into saving seemingly safe attachments. If 
the user subsequently opens the file, this vulnerability may facilitate 
arbitrary code execution in the context of the user.

Thunderbird versions prior to 1.5 are affected.

Mozilla Firefox Large History File Buffer Overflow Vulnerability
BugTraq ID: 15773
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15773
Summary:
Mozilla Firefox is reportedly prone to a remote denial-of-service 
vulnerability.

This issue presents itself when the browser handles a large entry in the 
'history.dat' file. An attacker may trigger this issue by enticing a user to 
visit a malicious website and supplying excessive data to be stored in the 
affected file.

This may cause a denial-of-service condition.

**UPDATE: Proof-of-concept exploit code has been published. The author of 
the code attributes the crash to a buffer-overflow condition. The alleged 
flaw cannot be reproduced by Symantec.

GIT Remote Buffer Overflow Vulnerability
BugTraq ID: 16417
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16417
Summary:
GIT is prone to a remote buffer-overflow vulnerability.

The issue presents itself when a large symbolic link in an index file is 
processed. A successful attack may result in arbitrary code execution in the 
context of the user.

Linux Kernel dm-crypt Local Information Disclosure Vulnerability
BugTraq ID: 16301
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16301
Summary:
The Linux kernel dm-crypt module is susceptible to a local 
information-disclosure vulnerability. This issue is due to the module's 
failure to properly zero sensitive memory buffers before freeing the memory.

This issue may allow local attackers to gain access to potentially sensitive 
memory that contains information on the cryptographic key used for the 
encrypted storage. This may aid them in further attacks.

This issue affects the 2.6 series of the Linux kernel.

Linux Kernel Multiple Security Vulnerabilities
BugTraq ID: 16414
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16414
Summary:
Linux kernel is prone to multiple vulnerabilities. These issues can allow 
local and remote attackers to trigger denial-of-service conditions or to 
corrupt memory to potentially execute arbitrary code.

These issues affect kernel versions 2.6.15 and prior.

Linux Kernel 64-Bit SMP Routing_ioctl() Local Denial of Service 
Vulnerability
BugTraq ID: 14902
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/14902
Summary:
A local denial-of-service vulnerability affects Linux on 64-bit Symmetric 
Multi-Processor (SMP) platforms.

Specifically, the vulnerability presents itself due to an omitted call to 
the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' 
function.

The 32-bit compatible 'tiocgdev ioctl()' function on x86-64 platforms is 
affected by this issue as well.

Linux Kernel IPv6 FlowLable Denial Of Service Vulnerability
BugTraq ID: 15729
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux Kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this vulnerability to corrupt kernel memory or 
free non-allocated memory. Successful exploitation will result in a crash of 
the kernel, effectively denying service to legitimate users.

Linux Kernel PTrace CLONE_THREAD Local Denial of Service Vulnerability
BugTraq ID: 15642
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.

In instances where a process is created via the 'clone()' system call with 
the 'CLONE_THREAD' argument ptraced, the kernel fails to properly ensure 
that the ptracing process is not attempting to trace itself.

This issue allows local users to crash the kernel, denying service to 
legitimate users.

Kernel versions prior to 2.6.14.2 are vulnerable to this issue.

Linux Kernel Time_Out_Leases PrintK Local Denial of Service Vulnerability
BugTraq ID: 15627
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15627
Summary:
Linux kernel is susceptible to a local denial of service vulnerability.

This issue is triggered by consuming excessive kernel log memory by 
obtaining numerous file lock leases. Once the leases time out, the event will 
be logged, and kernel memory will be consumed.

This issue allows local attackers to consume excessive kernel memory, 
eventually leading to an out-of-memory condition, and a denial of service 
for legitimate users.

Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.

Linux Kernel Multiple Unspecified ISO9660 Filesystem Handling 
Vulnerabilities
BugTraq ID: 12837
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/12837
Summary:
The Linux kernel is reported prone to multiple vulnerabilities that occur 
because of "range-checking flaws" present in the ISO9660 handling routines.

An attacker may exploit these issues to trigger kernel-based memory 
corruption. Ultimately, the attacker may be able to execute arbitrary 
malicious code with ring-zero privileges.

These vulnerabilities are reported to be present in the ISO9660 filesystem 
handler, including the Rock Ridge and Joliet extensions, for the Linux kernel 
up to and including version 2.6.11.

Eterm LibAST Library Local Buffer Overflow Vulnerability
BugTraq ID: 16350
Remote: No
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16350
Summary:
The Eterm LibAST library is prone to a local buffer-overflow vulnerability.

An attacker can trigger this issue by supplying a long filename through the 
'-X' option of Eterm. A successful attack can corrupt memory and facilitate 
arbitrary code execution with the privileges of the 'utmp' user.

LibAST versions 0.6.1 and prior are vulnerable to this issue.

Note that other applications using the affected library may be vulnerable as 
well.

GNOME Evolution Inline XML File Attachment Buffer Overflow Vulnerability
BugTraq ID: 16408
Remote: Yes
Last Updated: 2006-01-30
Relevant URL: http://www.securityfocus.com/bid/16408
Summary:
The GNOME Evolution email client is prone to a denial-of-service 
vulnerability when processing messages containing inline XML file 
attachments with excessively long strings.

Dave Carrigan Auth_LDAP Remote Format String Vulnerability
BugTraq ID: 16177
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16177
Summary:
Dave Carrigan's auth_ldap is susceptible to a remote format-string 
vulnerability. This issue is due to the module's failure to properly sanitize 
user-supplied input before passing it as the format string of a formatted 
printing function.

This issue likely arises only if auth_ldap has been enabled and is used for 
user authentication.

This issue allows remote attackers to execute arbitrary machine code in the 
context of Apache webservers that use the affected module. This may 
facilitate the compromise of affected computers.
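The bug class behind the auth_ldap entry, shown as an added example that is 
not auth_ldap's own code: a logging wrapper (the name 'log_msg' and both 
callers are invented for the example) receives attacker-controlled text as 
its format string. The constructed input "100%%" is deliberately harmless so 
both paths can be run; a real attacker would use '%x' to read the stack or 
'%n' to write to memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example for the auth_ldap entry; not auth_ldap's code. The logger
 * wrapper and both callers are invented for the example. 'user' stands for
 * a value taken from the HTTP request. */

/* A typical logging helper: formats into 'out' and returns bytes written. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the line is assembled first, then the result (which contains
 * attacker-controlled text) becomes the logger's format string. Every '%'
 * directive in the user name is interpreted: '%x' reads the stack, '%n'
 * writes to memory. */
int log_auth_failure_vulnerable(char *out, size_t outlen, const char *user)
{
    char line[256];
    snprintf(line, sizeof line, "auth failed for user %s", user);
    return log_msg(out, outlen, line);          /* line is the format string */
}

/* FIXED: the format string is a constant and the user name is only ever an
 * argument to a "%s" conversion, so its '%' characters are copied verbatim. */
int log_auth_failure_fixed(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, "auth failed for user %s", user);
}

int main(void)
{
    char out[256];
    /* Constructed input: the five characters 1 0 0 % %. Safe to feed even to
     * the vulnerable path, since "%%" only collapses to a single '%'. */
    const char *user = "100%%";
    log_auth_failure_vulnerable(out, sizeof out, user);
    printf("vulnerable: %s\n", out);   /* "%%" was interpreted: ...100% */
    log_auth_failure_fixed(out, sizeof out, user);
    printf("fixed:      %s\n", out);   /* copied literally: ...100%% */
    return 0;
}
```

The difference in the two output lines is the whole bug: in the vulnerable 
path the logger parsed the user name as a format, in the fixed path it did 
not. Compiling with '-Wformat-security' flags the vulnerable call only if 
'log_msg' carries a format attribute, which is why wrappers like this one 
are where such bugs hide.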

Ethereal Service Location Protocol Dissection Stack Buffer Overflow 
Vulnerability
BugTraq ID: 15158
Remote: Yes
Last Updated: 2006-01-31
Relevant URL: http://www.securityfocus.com/bid/15158
Summary:
A remote buffer-overflow vulnerability affects Ethereal. This issue is due 
to the application's failure to securely copy network-derived data into 
sensitive process buffers. The specific issue resides in the Service 
Location Protocol dissector.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This may 
facilitate unauthorized access or privilege escalation.

This issue may be exploited by a single TCP packet to port 427, since 
Ethereal does not keep track of connection states. This allows malicious 
users to spoof the origin of attacks and to exploit this vulnerability when 
no services are actively listening on TCP port 427.

Note that this issue was originally disclosed in BID 15148 "Ethereal 
Multiple Protocol Dissector Vulnerabilities In Versions Prior To 0.10.13".

Ethereal Multiple Protocol Dissector Vulnerabilities In Versions Prior To 0.10.13
BugTraq ID: 15148
Remote: Yes
Last Updated: 2006-01-29
Relevant URL: http://www.securityfocus.com/bid/15148
Summary:
Several vulnerabilities in Ethereal have been disclosed by the vendor. The 
reported issues are in various protocol dissectors.

These issues include:
- Buffer-overflow vulnerabilities
- Null-pointer dereference denial-of-service vulnerabilities
- Infinite loop denial-of-service vulnerabilities
- Memory exhaustion denial-of-service vulnerabilities
- Division by zero denial-of-service vulnerabilities
- Invalid pointer free() attempt denial-of-service vulnerabilities
- Unspecified denial-of-service vulnerabilities

These issues could allow remote attackers to execute arbitrary machine code 
in the context of the vulnerable application. Attackers could also crash the 
affected application.

Various vulnerabilities affect different versions of Ethereal, from 0.7.7 
through to 0.10.12.

sudo Perl Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 15394
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15394
Summary:
sudo is prone to a security bypass vulnerability that could lead to 
arbitrary code execution. This issue is due to an error in the application 
when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment 
variables: sudo did not remove them, and Perl only ignores them when running 
with taint checks enabled, which is not the case for a script run through 
sudo.

An attacker can exploit this vulnerability to bypass security restrictions 
and cause arbitrary library files to be loaded with the privileges sudo 
grants.

An attacker must have the ability to run Perl scripts through sudo to 
exploit this vulnerability.

sudo Python Environment Variable Handling Security Bypass Vulnerability
BugTraq ID: 16184
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16184
Summary:
sudo is prone to a security bypass vulnerability that could lead to 
arbitrary code execution. This issue is due to an error in the application 
when handling environment variables: the 'PYTHONINSPECT' variable, which 
makes the Python interpreter enter an interactive prompt after the script 
finishes, was not removed from the environment.

A local attacker with the ability to run Python scripts can exploit this 
vulnerability to gain access to an interactive Python prompt. Attackers may 
then execute arbitrary code with elevated privileges, facilitating the 
complete compromise of affected computers.

An attacker must have the ability to run Python scripts through sudo to 
exploit this vulnerability.

This issue is similar to BID 15394 (sudo Perl Environment Variable Handling 
Security Bypass Vulnerability).

Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
BugTraq ID: 5020
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/5020
Summary:
The Internet Group Management Protocol (IGMP) is used by hosts and routers 
to manage Internet multicast group membership.

An arbitrary host may deny service to a system on the same network segment. 
When a multicast router sends a membership query, a host can send a spoofed 
unicast membership report to the host that would normally answer first; on 
receiving it, that host suppresses its own report to the multicast router. 
The router therefore receives a report from no host, so the group membership 
times out and multicast forwarding to the segment ceases.

This vulnerability may additionally affect other operating systems, though 
it is currently unknown which implementations may be vulnerable.

Fcron Convert-FCronTab Local Buffer Overflow Vulnerability
BugTraq ID: 16467
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16467
Summary:
Fcron is susceptible to a local buffer-overflow vulnerability. This issue is 
due to the application's failure to properly bounds-check user-supplied data 
before copying it to an insufficiently sized memory buffer.

This issue allows local attackers to execute arbitrary machine code with 
superuser privileges, since the affected utility is installed 
setuid-superuser by default in some installations. This allows attackers to 
completely compromise affected computers.

Fcron version 3.0 is affected by this issue; previous versions may also be 
affected.

Update: This issue is now retired. Further analysis reveals that this issue 
cannot be exploited for code execution; therefore, this is not a 
vulnerability.

IPSec-Tools IKE Message Handling Denial of Service Vulnerability
BugTraq ID: 15523
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15523
Summary:
IPsec-Tools is prone to a denial-of-service vulnerability. This issue is due 
to a failure in the application to handle exceptional conditions when in 
'AGGRESSIVE' mode.

An attacker can exploit this issue to crash the application, thus denying 
service to legitimate users.

This vulnerability was discovered by, and may be reproduced with, the 
University of Oulu Secure Programming Group's PROTOS IPSec test suite.

FFmpeg libavcodec Heap Buffer Overflow Vulnerability
BugTraq ID: 15743
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15743
Summary:
FFmpeg's libavcodec is susceptible to a heap buffer-overflow vulnerability. 
This issue is due to the library's failure to properly bounds-check 
user-supplied data before using it in memory allocation and copy operations.

Attackers may exploit this vulnerability to execute arbitrary code in the 
context of applications that use an affected version of the libavcodec 
library.

An attacker can exploit this issue by enticing a user to open a malformed 
PNG file with an application that uses a vulnerable version of libavcodec. 
If the application is configured as the default handler for PNG files, this 
could present a viable web or email attack vector -- when the PNG is clicked 
from an appropriate client application, the application using the vulnerable 
library will automatically be invoked.

UIM LibUIM Environment Variables Privilege Escalation Weakness
BugTraq ID: 15007
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/15007
Summary:
Uim is reported prone to a privilege escalation weakness.

An attacker that has local interactive access to a system that has a 
vulnerable application installed may potentially exploit this weakness to 
escalate privileges.

This issue is reported to affect all stable versions prior to 0.4.9.1, and 
in development versions prior to 0.5.0.1.

CGI.pm Start_Form Cross-Site Scripting Vulnerability
BugTraq ID: 8231
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/8231
Summary:
CGI.pm is prone to cross-site scripting attacks under some circumstances. 
This issue occurs because the 'start_form()' function (and other functions 
that call it) does not sufficiently sanitize HTML and script code when no 
form action is specified: the default action is derived from the request 
URL, so attacker-supplied characters in that URL are emitted into the 
generated form tag. This could expose scripts that use the function to 
cross-site scripting attacks.

Safe.pm Unsafe Code Execution Vulnerability
BugTraq ID: 6111
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/6111
Summary:
When Perl code is executed within a Safe compartment, it cannot access 
variables outside of the compartment unless the outside code chooses to 
share the variables with the code inside the compartment.

If code inside a Safe compartment is executed via 'Safe->reval()' twice, it 
can change its operation mask the second time. This could allow the code to 
access variables outside the Safe compartment.

GD Graphics Library Remote Integer Overflow Vulnerability
BugTraq ID: 11523
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/11523
Summary:
The GD Graphics Library (gdlib) is affected by an integer overflow that 
facilitates a heap overflow. This issue is due to the library's failure to 
do proper sanity checking on size values contained within image-format files.

An attacker may leverage this issue to manipulate process heap memory, 
potentially leading to code execution and compromise of the computer running 
the affected library.
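The libavcodec PNG entry above and the GD entry here describe the same 
arithmetic mistake: a buffer size computed from header-supplied dimensions in 
32 bits, where the product wraps and a small buffer is allocated for a large 
image. The added example below is not code from either project; the 
dimension limit 'MAX_DIM', the function names and the sample IHDR bytes are 
assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example for the libavcodec PNG and GD integer-overflow entries; not
 * code from either project. MAX_DIM, the function names and the sample
 * header bytes in main() are assumptions for the example. */

#define MAX_DIM 65535u   /* assumed sanity limit on one image dimension */

/* PNG stores width and height as 32-bit big-endian values at the start of
 * the IHDR chunk data. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: 32-bit product, because the dimensions themselves are 32-bit.
 * 65536 x 65536 x 4 is 2^34, which wraps to 0: an empty (or tiny) buffer is
 * allocated while the decoder still writes 65536 full rows into it. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* FIXED: reject absurd dimensions, multiply in 64 bits, and check that the
 * result fits a size_t before anything is allocated with it. Returns 0 and
 * sets *out on success, -1 if the size is unrepresentable or unreasonable. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    if (width > MAX_DIM || height > MAX_DIM)
        return -1;
    uint64_t pixels = (uint64_t)width * height;     /* < 2^32, cannot wrap */
    if (pixels > (uint64_t)SIZE_MAX / bpp)          /* would not fit size_t */
        return -1;
    *out = (size_t)(pixels * bpp);
    return 0;
}

/* Parse the first 8 bytes of IHDR data and allocate an RGBA pixel buffer
 * only through the checked path. Returns NULL for any rejected size. */
unsigned char *alloc_rgba_from_ihdr(const unsigned char ihdr[8])
{
    size_t n;
    uint32_t w = read_be32(ihdr), h = read_be32(ihdr + 4);
    if (image_bytes_checked(w, h, 4, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* constructed IHDR prefix: width 65536, height 65536 */
    const unsigned char evil[8] = { 0, 1, 0, 0, 0, 1, 0, 0 };
    uint32_t w = read_be32(evil), h = read_be32(evil + 4);
    printf("unchecked size: %u bytes\n", (unsigned)image_bytes_unchecked(w, h, 4));
    printf("checked alloc:  %s\n", alloc_rgba_from_ihdr(evil) ? "accepted" : "rejected");
    return 0;
}
```

The sanity limit and the overflow check are two separate defences: on a 
64-bit build the 65536 x 65536 case does not overflow 'size_t' at all and 
only the limit stops it, while on a 32-bit build the 'SIZE_MAX / bpp' test is 
what catches sizes the limit still permits.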

Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 16171
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16171
Summary:
Multiple remote buffer-overflow vulnerabilities affect Bogofilter. These 
issues are due to the application's failure to properly handle invalid input 
sequences and to validate the length of user-supplied strings before copying 
them into static process buffers.

An attacker may exploit these issues to cause a denial-of-service condition 
or possibly to execute arbitrary code with the privileges of the vulnerable 
application. This may facilitate unauthorized access or privilege escalation.

Note that successful exploitation requires that Bogofilter be used with a 
Unicode database.

XMame Multiple Local Command Line Argument Buffer Overflow 
Vulnerabilities
BugTraq ID: 16203
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16203
Summary:
XMame is prone to locally exploitable buffer-overflow vulnerabilities. These 
issues are due to insufficient bounds checking of command-line parameters.

Successful exploitation on some systems could result in execution of 
malicious instructions with elevated privileges, since XMame may be 
installed with setuid-superuser privileges.

XMame version 0.102 is vulnerable to these issues; other versions may also 
be affected.

This issue may be related to BID 7773 (XMame Lang Local Buffer Overflow 
Vulnerability).

LSH Seed File File Descriptor Leakage Vulnerability
BugTraq ID: 16357
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16357
Summary:
lsh may leak file descriptors that may allow a local attacker to access 
sensitive information or to cause a denial-of-service condition.

lsh 2.0.1 is reportedly vulnerable. Other versions may be affected as well.

Multiple Vendor KernFS LSEEK Local Kernel Memory Disclosure Vulnerability
BugTraq ID: 16173
Remote: No
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16173
Summary:
The 'kernfs' filesystem in both NetBSD and OpenBSD is prone to a kernel 
memory disclosure vulnerability. This issue arises due to insufficient 
sanitization of user-supplied arguments passed to the 'lseek()' system call.

An attacker may use information disclosed through this attack to launch 
other attacks against a computer and potentially to aid in a complete 
compromise.

Note that OpenBSD has completely removed kernfs since OpenBSD 3.8; version 
3.7 had kernfs support disabled in its GENERIC kernel, and OpenBSD has never 
mounted the kernfs filesystem by default.
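The kernfs entry describes a pseudo-file whose backing store is a fixed 
kernel buffer and whose 'lseek()' argument is not checked before it is used 
as an index. The added example below is a user-space model of the checks 
such a read handler needs; it is not NetBSD or OpenBSD code, and the file 
content, structure and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example for the kernfs lseek entry; not NetBSD/OpenBSD code. The
 * content below stands in for a kernel buffer and is constructed for the
 * example, as are the names. */

static const char kern_content[] = "hostname=example\nncpu=4\n";
#define KERN_LEN (sizeof kern_content - 1)

struct pseudo_file { off_t pos; };

/* lseek(2) model. Rejects an unknown whence, signed overflow when adding
 * to the base, and any negative resulting position. A negative position
 * that reaches read() indexes memory *before* the buffer, which is exactly
 * the kind of kernel memory disclosure the entry describes. Returns the new
 * position, or -1. Seeking past the end is allowed, as with a real file. */
off_t pseudo_lseek(struct pseudo_file *f, off_t off, int whence)
{
    off_t base, result;
    switch (whence) {
    case SEEK_SET: base = 0;               break;
    case SEEK_CUR: base = f->pos;          break;
    case SEEK_END: base = (off_t)KERN_LEN; break;
    default:       return -1;
    }
    /* __builtin_add_overflow (GCC/Clang) makes the signed sum overflow-safe */
    if (__builtin_add_overflow(base, off, &result) || result < 0)
        return -1;
    f->pos = result;
    return result;
}

/* read(2) model: copies at most n bytes from the current position into dst,
 * never before or past the buffer. Returns bytes copied, 0 at EOF. */
ssize_t pseudo_read(struct pseudo_file *f, char *dst, size_t n)
{
    if (f->pos < 0)                       /* defensive: lseek never allows it */
        return -1;
    if ((uintmax_t)f->pos >= KERN_LEN)    /* at or past end: EOF */
        return 0;
    size_t avail = KERN_LEN - (size_t)f->pos;
    if (n > avail)
        n = avail;
    memcpy(dst, kern_content + f->pos, n);
    f->pos += (off_t)n;
    return (ssize_t)n;
}

int main(void)
{
    struct pseudo_file f = { 0 };
    char buf[64];
    printf("seek -1:   %ld\n", (long)pseudo_lseek(&f, -1, SEEK_SET));        /* -1 */
    printf("seek end:  %ld\n", (long)pseudo_lseek(&f, 0, SEEK_END));         /* 24 */
    printf("read@end:  %ld\n", (long)pseudo_read(&f, buf, sizeof buf));      /* 0  */
    pseudo_lseek(&f, 0, SEEK_SET);
    ssize_t n = pseudo_read(&f, buf, 8);
    printf("read 8:    %.*s\n", (int)n, buf);                                /* hostname */
    return 0;
}
```

The two checks that matter are 'result < 0' in the seek path and the 
'pos >= KERN_LEN' bound in the read path; the overflow test exists because 
'SEEK_CUR' and 'SEEK_END' add a user-chosen value to a non-zero base, and a 
wrapped sum can turn a huge positive offset into a negative one.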

FreeBSD TCP SACK Remote Denial Of Service Vulnerability
BugTraq ID: 16466
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/16466
Summary:
FreeBSD is susceptible to a remote denial-of-service vulnerability. This 
issue is due to a flaw in affected kernels that potentially results in an 
infinite-loop condition when handling TCP SACK packets.

This issue allows remote attackers to cause affected kernels to enter into 
an infinite loop, denying further network service to legitimate users.

Samba Directory Access Control List Remote Integer Overflow Vulnerability
BugTraq ID: 11973
Remote: Yes
Last Updated: 2006-02-07
Relevant URL: http://www.securityfocus.com/bid/11973
Summary:
A remotely exploitable integer-overflow vulnerability affects Samba's 
directory access control list (DACL) processing functionality. This issue is 
due to the application's failure to properly perform sanity checking on 
calculated data sizes before copying data into static process buffers.

An attacker with access to an SMB share may leverage this issue to overwrite 
the heap of the affected process, facilitating code execution with superuser 
privileges.


