[gull-annonces] Résumé SecurityFocus Newsletter #348
Marc SCHAEFER
schaefer at alphanet.ch
Wed May 3 09:04:43 CEST 2006
ASTERISK JPEG FILE HANDLING INTEGER OVERFLOW VULNERABILITY
BugTraq ID: 17561
Last Updated: 2006-05-01
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17561
Summary:
Asterisk is prone to an integer-overflow vulnerability.
This issue arises when the application handles a malformed
JPEG file.
An attacker could exploit this vulnerability to execute arbitrary
code in the context of the vulnerable application.
ASTERISK VOICEMAIL UNAUTHORIZED ACCESS VULNERABILITY
BugTraq ID: 15336
Last Updated: 2006-05-01
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15336
Summary:
Asterisk is prone to an unauthorized-access vulnerability. This
issue is due to a failure in the application to properly verify user-
supplied input.
Successful exploitation will grant an attacker access to a victim
user's voicemail and to any '.wav/.WAV' files currently on the
affected system.
CLAM ANTIVIRUS FRESHCLAM REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 17754
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17754
Summary:
ClamAV's freshclam utility is susceptible to a remote buffer-
overflow vulnerability. The utility fails to perform sufficient
boundary checks in server-supplied HTTP data before copying it to an
insufficiently sized memory buffer.
To exploit this issue, attackers must subvert webservers in the
ClamAV database server pool. Or, they would perform DNS-based
attacks or man-in-the-middle attacks to cause affected freshclam
applications to connect to attacker-controlled webservers.
This issue allows remote attackers to execute arbitrary machine code
in the context of the freshclam utility. The affected utility may
run with superuser privileges, aiding remote attackers in the
complete compromise of affected computers.
ClamAV versions 0.88 and 0.88.1 are affected by this issue.
ETHEREAL MULTIPLE PROTOCOL DISSECTOR VULNERABILITIES IN VERSIONS PRIOR
BugTraq ID: 17682
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17682
Summary:
Several vulnerabilities in Ethereal have been disclosed by the vendor. The
reported issues are in various protocol dissectors. These issues include:
- Buffer-overflow vulnerabilities
- Denial-of-service vulnerabilities
- Infinite loop denial-of-service vulnerabilities
- Unspecified denial-of-service vulnerabilities
- Off-by-one overflow vulnerabilities
These issues could allow remote attackers to execute arbitrary
machine code in the context of the vulnerable application. Attackers
could also crash the affected application.
Various vulnerabilities affect different versions of Ethereal, from
0.8.5 through to 0.10.14.
LIBTIFF DOUBLE FREE MEMORY CORRUPTION VULNERABILITY
BugTraq ID: 17733
Last Updated: 2006-04-28
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17733
Summary:
Applications using the LibTIFF library are prone to a double-free
vulnerability; a fix is available.
Attackers may be able to exploit this issue to cause denial-of-
service conditions in affected applications using a vulnerable
version of the library; arbitrary code execution may also be
possible.
LIBTIFF MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 17730
Last Updated: 2006-04-28
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17730
Summary:
LibTIFF is affected by multiple denial-of-service vulnerabilities.
An attacker can exploit these vulnerabilities to cause a denial of
service in applications using the affected library.
LIBTIFF TIFFFETCHDATA INTEGER OVERFLOW VULNERABILITY
BugTraq ID: 17732
Last Updated: 2006-04-28
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17732
Summary:
Applications using the LibTIFF library are prone to an integer-
overflow vulnerability.
An attacker could exploit this vulnerability to execute arbitrary
code in the context of the vulnerable application that uses the
affected library. Failed exploit attempts will likely cause denial-of-
service conditions.
LINUX KERNEL 64-BIT SMP ROUTING_IOCTL() LOCAL DENIAL OF SERVICE
BugTraq ID: 14902
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14902
Summary:
A local denial-of-service vulnerability affects the Linux kernel on
64-bit Symmetric Multi-Processor (SMP) platforms.
Specifically, the vulnerability presents itself due to an omitted
call to the 'sockfd_put()' function in the 32-bit-compatible
'routing_ioctl()' function.
The 32-bit-compatible 'tiocgdev ioctl()' function on x86-64
platforms is affected by this issue as well.
LINUX KERNEL CIFS CHROOT SECURITY RESTRICTION BYPASS VULNERABILITY
BugTraq ID: 17742
Last Updated: 2006-04-29
Remote: No
Relevant URL: http://www.securityfocus.com/bid/17742
Summary:
The Linux Kernel is prone to a vulnerability that allows attackers
to bypass a security restriction. This issue is due to a failure in
the kernel to properly sanitize user-supplied data.
The problem affects chroot inside of an SMB-mounted filesystem
('cifs'). A local attacker who is bounded by the chroot can exploit
this issue to bypass the chroot restriction and gain unauthorized
access to the filesystem.
LINUX KERNEL FIB_SEQ_START LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 13267
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/13267
Summary:
A local denial-of-service vulnerability affects the Linux kernel.
A local attacker may leverage this issue to cause an affected Linux
kernel to panic, effectively denying service to legitimate users.
Although only the Linux kernel version 2.6.9 is reported vulnerable,
other versions are likely vulnerable as well.
LINUX KERNEL FILE LOCK LEASE LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15745
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15745
Summary:
Linux kernel is susceptible to a local denial-of-service
vulnerability.
This issue is triggered when excessive kernel memory is consumed by
numerous file-lock leases. This problem stems from a memory leak in
the kernel's file-lock lease code.
This issue allows local attackers to consume excessive kernel
memory, eventually leading to an out-of-memory condition and
ultimately to a denial of service for legitimate users.
Kernel versions from 2.6.10 through to 2.6.14.2 are vulnerable to
this issue.
LINUX KERNEL INVALIDATE_INODE_PAGES2 LOCAL INTEGER OVERFLOW
VULNERABILITY
BugTraq ID: 15846
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15846
Summary:
Linux kernel is prone to a local integer-overflow vulnerability.
A successful attack can result in a kernel crash. Arbitrary code
execution may be possible as well, but this has not been confirmed.
All 2.6.x versions of the Linux kernel are considered vulnerable at
the moment.
LINUX KERNEL IPV6 LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15156
Last Updated: 2006-05-01
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15156
Summary:
Linux Kernel is reported prone to a local denial-of-service
vulnerability.
This issue arises from an infinite loop when binding IPv6 UDP ports.
LINUX KERNEL IPV6 FLOWLABLE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15729
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this vulnerability to corrupt kernel
memory or free non-allocated memory. Successful exploitation will
crash the kernel, effectively denying service to legitimate users.
LINUX KERNEL ISO FILE SYSTEM DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 14614
Last Updated: 2006-04-28
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14614
Summary:
The kernel driver for compressed ISO filesystems is prone to a denial-of-
service vulnerability. This issue is due to a failure in the driver
to properly sanitize input data.
When attempting to mount a malicious compressed ISO image, the
kernel crashes.
LINUX KERNEL MULTIPLE SECURITY VULNERABILITIES
BugTraq ID: 15049
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15049
Summary:
Linux kernel is prone to multiple vulnerabilities. These issues may
allow local and remote attackers to trigger denial-of-service
conditions or to access sensitive kernel memory.
Linux kernel 2.6.x versions are known to be vulnerable at the
moment. Other versions may be affected as well.
LINUX KERNEL NAT HANDLING MEMORY CORRUPTION DENIAL OF SERVICE
BugTraq ID: 15531
Last Updated: 2006-05-01
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15531
Summary:
Linux Kernel is reported prone to a denial-of-service vulnerability.
Due to a design error in the kernel, an attacker can cause a memory
corruption that will ultimately crash the kernel, denying service to
legitimate users.
LINUX KERNEL NETFILTER IPT_RECENT REMOTE DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 14791
Last Updated: 2006-04-28
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14791
Summary:
Linux Kernel is reported prone to a local denial-of-service
vulnerability.
An attacker can exploit this issue by sending specially crafted
packets to a vulnerable computer employing the 'ipt_recent' module.
A successful attack can cause a denial-of-service condition.
LINUX KERNEL POSIX TIMER CLEANUP HANDLING LOCAL DENIAL OF SERVICE
BugTraq ID: 15722
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15722
Summary:
A local denial-of-service vulnerability affects the Linux kernel.
The vulnerability arises due to a race-condition error in the
handling of POSIX timer cleanup routines.
A successful attack can result in a kernel crash.
Linux kernel versions 2.6.10 to 2.6.14 are vulnerable to this issue.
LINUX KERNEL PTRACE CLONE_THREAD LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15642
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial-of-service
vulnerability.
In instances where a process is created via the 'clone()' system
call with the 'CLONE_THREAD' argument ptraced, the kernel fails to
properly ensure that the ptracing process is not attempting to
trace itself.
This issue allows local users to crash the kernel, denying service
to legitimate users.
Kernel versions prior to 2.6.14.2 are vulnerable to this issue.
LINUX KERNEL PTRACED CHILD AUTO-REAP LOCAL DENIAL OF SERVICE
BugTraq ID: 15625
Last Updated: 2006-05-01
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15625
Summary:
Linux kernel is susceptible to a local denial-of-service
vulnerability.
The kernel improperly auto-reaps processes when they are being
ptraced, leading to an invalid pointer. Further operations on this
pointer result in a kernel crash.
This issue allows local users to crash the kernel, denying service
to legitimate users.
Kernel versions prior to 2.6.15 are vulnerable to this issue.
LINUX KERNEL RAW_SENDMSG() KERNEL MEMORY ACCESS VULNERABILITY
BugTraq ID: 14787
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14787
Summary:
Linux Kernel is prone to a kernel memory-access vulnerability.
This issue affects the 'raw_sendmsg()' function and can allow a
local attacker to access kernel memory or manipulate the hardware
state due to unauthorized access to I/O ports.
Linux kernel 2.6.10 is reportedly vulnerable, but other versions are
likely to be affected as well.
LINUX KERNEL SCSI PROCFS DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 14790
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14790
Summary:
The Linux kernel is prone to a denial-of-service vulnerability. The
kernel is affected by a memory leak, which eventually can result in
a denial of service.
A local attacker can exploit this vulnerability by making repeated
reads to the '/proc/scsi/sg/devices' file, which will exhaust kernel
memory and lead to a denial of service.
LINUX KERNEL SMBFS CHROOT SECURITY RESTRICTION BYPASS VULNERABILITY
BugTraq ID: 17735
Last Updated: 2006-04-29
Remote: No
Relevant URL: http://www.securityfocus.com/bid/17735
Summary:
The Linux Kernel is prone to a vulnerability that allows attackers
to bypass a security restriction. This issue is due to a failure in
the kernel to properly sanitize user-supplied data.
The problem affects chroot inside of an SMB-mounted filesystem
('smbfs'). A local attacker who is bounded by the chroot can exploit
this issue to bypass the chroot restriction and gain unauthorized
access to the filesystem.
LINUX KERNEL SENDMSG() LOCAL BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 14785
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14785
Summary:
Linux kernel is prone to a local buffer-overflow vulnerability.
The vulnerability affects 'sendmsg()' when malformed user-supplied
data is copied from userland to kernel memory.
A successful attack can allow a local attacker to trigger an
overflow, which may lead to a denial-of-service condition due to
memory corruption. Arbitrary code execution resulting in privilege
escalation is possible as well.
LINUX KERNEL USB SUBSYSTEM LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 14955
Last Updated: 2006-04-29
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14955
Summary:
A local denial-of-service vulnerability affects the Linux kernel's
USB subsystem. This issue is due to the kernel's failure to
properly handle unexpected conditions when trying to handle URBs
(USB Request Blocks).
Local attackers may exploit this vulnerability to trigger a kernel
'oops' on computers where the vulnerable USB subsystem is enabled.
This would deny service to legitimate users.
LINUX KERNEL ZLIB INVALID MEMORY ACCESS LOCAL DENIAL OF SERVICE
BugTraq ID: 14719
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14719
Summary:
The Linux kernel is reported prone to a local denial-of-service
vulnerability. This issue arises because the software fails to
handle exceptional conditions in a proper manner.
This can allow a local attacker to deny service to legitimate
users due to a kernel oops. Since the zlib library is used
throughout the kernel, attackers may likely find various avenues
to exploit this issue.
LINUX KERNEL ZLIB LOCAL NULL POINTER DEREFERENCE DENIAL OF SERVICE
BugTraq ID: 14720
Last Updated: 2006-04-28
Remote: No
Relevant URL: http://www.securityfocus.com/bid/14720
Summary:
The Linux kernel is prone to a denial-of-service vulnerability. This
issue is due to a failure in the application to properly handle
malformed compressed files.
An attacker can exploit this vulnerability to cause a kernel crash,
effectively denying service to legitimate users.
LINUX ORINOCO DRIVER REMOTE INFORMATION DISCLOSURE VULNERABILITY
BugTraq ID: 15085
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15085
Summary:
The Orinoco drivers for Linux kernels are susceptible to a remote
information-disclosure vulnerability. This issue is due to the
driver sending uninitialized kernel memory in small network packets.
Remote attackers may exploit this issue to access potentially
sensitive kernel memory, aiding them in further attacks.
MPLAYER MULTIPLE INTEGER OVERFLOW VULNERABILITIES
BugTraq ID: 17295
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17295
Summary:
MPlayer is susceptible to two integer-overflow vulnerabilities. An
attacker may exploit these issues to execute arbitrary code with the
privileges of the user that activated the vulnerable application.
This may help the attacker gain unauthorized access or escalate
privileges.
MPlayer version 1.0.20060329 is affected by these issues; other
versions may also be affected.
MOZILLA FIREFOX LARGE HISTORY FILE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 15773
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15773
Summary:
Mozilla Firefox is reportedly prone to a remote denial-of-service
vulnerability.
This issue presents itself when the browser handles a large entry in
the 'history.dat' file. An attacker may trigger this issue by
enticing a user to visit a malicious website and by supplying
excessive data to be stored in the affected file.
This may cause a denial-of-service condition.
**UPDATE: Proof-of-concept exploit code has been published. The
author of the code attributes the crash to a buffer-overflow
condition. Symantec has not reproduced the alleged flaw.
MOZILLA SUITE, FIREFOX, SEAMONKEY, AND THUNDERBIRD MULTIPLE REMOTE
BugTraq ID: 17516
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17516
Summary:
The Mozilla Foundation has released nine security advisories
specifying security vulnerabilities in Mozilla Suite, Firefox,
SeaMonkey, and Thunderbird.
These vulnerabilities allow attackers to:
- execute arbitrary machine code in the context of the vulnerable
application
- crash affected applications
- gain elevated privileges in JavaScript code, potentially allowing
remote machine code execution
- gain access to potentially sensitive information
- bypass security checks
- spoof window contents.
Other attacks may also be possible.
The issues described here will be split into individual BIDs as
the information embargo on the Mozilla Bugzilla entries is lifted
and as further information becomes available. This BID will then
be retired.
These issues are fixed in:
- Mozilla Firefox versions 1.0.8 and 1.5.0.2
- Mozilla Thunderbird versions 1.0.8 and 1.5.0.2
- Mozilla Suite version 1.7.13
- Mozilla SeaMonkey version 1.0.1
MOZILLA THUNDERBIRD MULTIPLE REMOTE INFORMATION DISCLOSURE
VULNERABILITIES
BugTraq ID: 16881
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16881
Summary:
Mozilla Thunderbird is susceptible to multiple remote information-
disclosure vulnerabilities. These issues are due to the
application's failure to properly enforce the restriction for
downloading remote content in email messages.
These issues allow remote attackers to gain access to potentially
sensitive information, aiding them in further attacks. Attackers
may also exploit these issues to know whether and when users read
email messages.
Mozilla Thunderbird version 1.5 is vulnerable to these issues; other
versions may also be affected.
MULTIPLE MOZILLA PRODUCTS MEMORY CORRUPTION/CODE INJECTION/ACCESS
BugTraq ID: 16476
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16476
Summary:
Multiple Mozilla products are prone to multiple vulnerabilities.
These issues include various memory-corruption, code-injection, and
access-restriction-bypass vulnerabilities. Other undisclosed issues
may have also been addressed in the various updated vendor
applications.
Successful exploitation of these issues may permit an attacker to
execute arbitrary code in the context of the affected application.
This may facilitate a compromise of the affected computer; other
attacks are also possible.
MULTIPLE VENDOR UNACEV2 ARCHIVE FILE NAME BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 14759
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14759
Summary:
Multiple products are prone to a buffer overflow when handling ACE
archives that contain files with overly long names.
This may be exploited to execute arbitrary code in the context of
the user who is running the application. The vulnerability is
considered remotely exploitable in nature because malicious ACE
archives will likely originate from an external, untrusted source.
MYSQL REMOTE INFORMATION DISCLOSURE AND BUFFER OVERFLOW
VULNERABILITIES
BugTraq ID: 17780
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17780
Summary:
MySQL is susceptible to multiple remote vulnerabilities. The issues are:
- A buffer-overflow vulnerability due to insufficient bounds-
checking of user-supplied data prior to copying it to an
insufficiently sized memory-buffer. This issue allows remote
attackers to execute arbitrary machine code in the context of
affected database servers. Failed exploit attempts likely
result in crashing the server and denying further service to
legitimate users.
- Two information-disclosure vulnerabilities due to insufficient input-
sanitization and bounds-checking of user-supplied data. These
issues allow remote users to gain access to potentially sensitive
information that may aid them in further attacks.
PERL PERL_SV_VCATPVFN FORMAT STRING INTEGER WRAP VULNERABILITY
BugTraq ID: 15629
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15629
Summary:
Perl is susceptible to a format-string vulnerability. This issue is
due to the programming language's failure to properly handle format
specifiers in formatted-printing functions.
An attacker may leverage this issue to write to arbitrary process
memory, facilitating code execution in the context of the Perl
interpreter process. This can result in unauthorized remote access.
Developers should treat the formatted printing functions in Perl as
equivalently vulnerable to exploitation as the C library versions,
and should properly sanitize all data passed in the format-
specifier argument.
All applications that use formatted-printing functions in an unsafe
manner should be considered exploitable.
RSYNC RECEIVE_XATTR INTEGER OVERFLOW VULNERABILITY
BugTraq ID: 17788
Last Updated: 2006-05-02
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17788
Summary:
The rsync utility is susceptible to a remote integer-overflow
vulnerability. This issue is due to a failure of the application to
properly ensure that user-supplied input does not result in the
overflowing of integer values. This may result in user-supplied data
being copied past the end of a memory buffer.
Attackers may exploit this issue to execute arbitrary machine code
in the context of the affected application, facilitating in the
compromise of affected computers.
Versions of rsync prior to 2.6.8 that have had the 'xattrs.diff'
patch applied are vulnerable to this issue.
RESMGR UNAUTHORIZED USB DEVICE ACCESS VULNERABILITY
BugTraq ID: 17752
Last Updated: 2006-05-02
Remote: No
Relevant URL: http://www.securityfocus.com/bid/17752
Summary:
The resmgr module is prone to a vulnerability that permits
unauthorized access to USB devices.
A successful exploit of this issue would result in a bypass of
access controls leading to a false sense of security and a possible
loss of confidentiality if data is intercepted; other attacks are
also possible.
TRAC WIKI MACRO REMOTE HTML INJECTION VULNERABILITIES
BugTraq ID: 17741
Last Updated: 2006-04-29
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17741
Summary:
Trac is prone to multiple, unspecified HTML-injection
vulnerabilities.
Attacker-supplied HTML and script code would be executed in the
context of the affected website, potentially allowing attackers to
steal cookie-based authentication credentials. An attacker could
also exploit these issues to control how the site is rendered to the
user; other attacks are also possible.
Trac versions prior to 0.9.5. are affected by these issues.
XINE FILENAME HANDLING REMOTE FORMAT STRING VULNERABILITY
BugTraq ID: 17769
Last Updated: 2006-05-01
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17769
Summary:
The xine package is susceptible to a remote format-string
vulnerability.
This issue arises when the application handles specially crafted
filenames. An attacker can exploit this vulnerability by crafting a
malicious filename that contains format specifiers and then coercing
unsuspecting users to try to execute the affected application with
the malicious filename as an argument.
A successful attack may crash the application or lead to arbitrary
code execution.
Version 0.99.4 of xine is vulnerable to this issue; other versions
may also be affected.
More information about the gull-annonces
mailing list