Gentoo Archives: gentoo-security

From: "David R. Bergstein" <dbergstein@×××××××.net>
To: tobias@×××××××××.de, glpv@×××××××××.org
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [GLVP 200403-01] Gentoo Linux Pending Vulnerabilities
Date: Sat, 27 Mar 2004 16:58:48
Message-Id: 4065B2B9.20900@comcast.net
In Reply to: [gentoo-security] [GLVP 200403-01] Gentoo Linux Pending Vulnerabilities by Tobias Weisserth
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 Tobias Weisserth wrote:
5
6 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 | Gentoo Linux Pending Vulnerabilities GLVP 200403-01
8 | Unofficial Announcement
9 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
10 | glvp@×××××××××.org
11 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
12 |
13 |
14 | Abstract: This email is a compilation of known but unresolved
15 | vulnerabilities and security issues in Gentoo Linux. This GLPV email
16 | will be issued each Saturday as a reminder and warning for Gentoo users
17 | about unresolved security critical bugs of packages in the Gentoo
18 | Portage tree. This is an unofficial email, not associated with the
19 | Gentoo Linux security team. Since I am far from perfect, this mail may
20 | contain errors. Please report them if you spot them.
21 |
22
23 Tobias,
24
25 First of all, I want to thank you for your proactive effort to get these
26 security vulnerabilities addressed within the gentoo community. In
27 that light I wanted to let you know about a problem with the first
28 report that you posted to gentoo-security.
29
30 There seems to be an issue with the way this report is being transmitted
31 by your mail client (Ximian Evolution). Although your gpg signature is
32 verifying correctly from my Mozilla 1.6 client, the "id=" portion of the
33 gentoo bugzilla URLs seems to have extra information that is rendering
34 the URLs as invalid. This also appears to be occurring in several other
35 URLs that have the "=" sign included.
36
37 You can see samples of this in the text quoted below from my end.
38
39 Regards,
40
41 - David
42
43 --
44 David R. Bergstein
45 Systems Engineer and Blues Musician
46 http://home.comcast.net/~dbergstein
47 Heart of Blue - bookings on-line at http://www.heartofblue.com
48 OpenPGP Public Key 0xE1F138CA - For info see http://www.gnupg.org
49 http://home.comcast.net/~dbergstein/gpg/dbergstein.asc
50 Key fingerprint = C86E CA2A 4171 AC73 91D7 3DCE 8832 D764 E1F1 38CA
51
52 "Beware of bugs in the above code; I have only proved it correct, not
53 tried it."
54 -- Donald Knuth
55
56
57 |
58 | Comments, suggestions and reports about errors are welcome at
59 | glpv@×××××××××.org
60 |
61 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
62 |
63 | *****************
64 | Package: Linux kernel
65 | Versions: 2.2 up to and including 2.2.25, 2.4 up to and including
66 | 2.4.24, 2.6 up to and including 2.6.2
67 | Subject: Linux kernel do_mremap VMA limit local privilege escalation
68 | vulnerability
69 | Risk: critical
70 | Date: 01/03/2004
71 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42024
72 | Cross Reference:
73 | http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
74 |
75 | Description:
76 |
77 | See the cross reference.
78 |
79 | *****************
80 |
81 | *****************
82 | Package: Ethereal
83 | Versions: 0.8.14 - 0.10.2
84 | Subject: Multiple (13) Ethereal remote overflows discovered
85 | Risk: critical
86 | Date: 23/03/2004
87 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45543
88 | Cross Reference: http://security.e-matters.de/advisories/032004.html
89 |
90 | Description:
91 |
92 | See the cross reference.
93 |
94 | *****************
95 |
96 | *****************
97 | Package: xfsdump
98 | Versions: ?
99 | Subject: xfsdump creates files insecurely
100 | Risk: critical
101 | Date: 10/04/2003
102 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D19406
103 | Cross Reference:
104 | ftp://patches.sgi.com/support/free/security/advisories/20030404-01-P
105 |
106 | Description:
107 |
108 | xfsdq in xfsdump does not create quota information files securely, which
109 | allows local users to gain root privileges.
110 |
111 | *****************
112 |
113 | *****************
114 | Package: Firebird
115 | Versions: ?
116 | Subject: Environment Variable Buffer Overflow Vulnerability
117 | Risk: critical
118 | Date: 10/05/2003
119 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D20837
120 | Cross Reference: http://securityfocus.com/bid/7546/info/
121 |
122 | Description:
123 |
124 | Interbase is a database distributed and maintained by Borland. It is
125 | available for Unix and Linux operating systems. As Firebird is based on
126 | Borland/Inprise Interbase source code, it is very likely that Interbase
127 | is prone to this issue also.
128 |
129 | A buffer overflow has been discovered in the setuid root program
130 | gds_inet_server, packaged with Firebird. This problem could allow a
131 | local user to execute the program with strings of arbitrary length. By
132 | using a custom crafted string, the attacker could overwrite stack
133 | memory, including the return address of a function, and potentially
134 | execute arbitrary code as root.
135 |
136 | *****************
137 |
138 | *****************
139 | Package: imagemagick
140 | Versions: ?
141 | Subject: insecure temporary file
142 | Risk: low/medium
143 | Date: 27/06/2003
144 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24001
145 | Cross Reference: http://www.debian.org/security/2003/dsa-331
146 |
147 | Description:
148 |
149 | See cross reference.
150 |
151 | *****************
152 |
153 | *****************
154 | Package: OpenLDAP
155 | Versions: ?
156 | Subject: Denial of Service and other (non-security) fixes
157 | Risk: critical
158 | Date: 04/07/2003
159 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D26728
160 | Cross Reference: http://www.openldap.org/its/index.cgi?findid=3D2390
161 |
162 | Description:
163 |
164 | A failed password extended operation (password EXOP) can cause openldap
165 | to, if using the back-ldbm backend, attempt to free memory which was
166 | never allocated, resulting in a segfault. The back-bdb backend, on the
167 | other hand, has a memory leak in the same code. Both conditions can be
168 | triggered remotely.
169 |
170 | See the Bugzilla entry for more information.
171 |
172 | *****************
173 |
174 | *****************
175 | Package: Gentoo Portage
176 | Versions: ?
177 | Subject: emerge security - running as root and digital signatures
178 | Risk: medium/high
179 | Date: 08/02/2002
180 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D5902
181 | Cross Reference: none
182 |
183 | Description:
184 |
185 | Running emerge as root is only necessary for the merge step. Unpacking,
186 | setup and compilation should be done as a normal user (say, "nobody").
187 | Merging should never overwrite an existing file without user
188 | authorisation.
189 |
190 | At the moment there are a couple of ways to get root from portage:
191 |
192 | 1) through a trojaned build process
193 | 2) through a trojaned source that gets installed and executed by root
194 |
195 | Running the build process as a normal user avoids 1). Not overwriting
196 | existing files avoids 2), unless the user is installing some new root
198 | daemon/program, then they're screwed anyway.
199 |
200 | *****************
201 |
202 | *****************
203 | Package: scorched3d
204 | Versions: 36.2 and ?
205 | Subject: format string crashes server and client
206 | Risk: low/medium (denial of service)
207 | Date: 24/01/2004
208 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D39302
209 | Cross Reference: none
210 |
211 | Description:
212 |
213 | games-strategy/scorched3d-36.2 suffers from a format string problem that
214 | crashes clients and servers. If this is used while playing standalone,
215 | the client will crash. If this is used while playing on a server, the
216 | server will crash, and all clients will be disconnected.
217 |
218 | *****************
219 |
220 | *****************
221 | Package: 8139too driver
222 | Versions: ?
223 | Subject: 8139too driver icmp leak
224 | Risk: high
225 | Date: 01/06/2003
226 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24661
227 | Cross Reference:
228 | http://www.atstake.com/research/advisories/2003/a010603-1.txt
229 |
230 | Description:
231 |
232 | Multiple platform ethernet Network Interface Card (NIC) device
233 | drivers incorrectly handle frame padding, allowing an attacker to view
234 | slices of previously transmitted packets or portions of kernel memory.
235 | This vulnerability is the result of incorrect implementations of RFC
236 | requirements and poor programming practices, the combination
237 | of which results in several variations of this information leakage
238 | vulnerability.
239 |
240 | *****************
241 |
242 | *****************
243 | Package: pam
244 | Versions: ?
245 | Subject: pam_console setup broken
246 | Risk: critical
247 | Date: 23/10/2003
248 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D31877
249 | Cross Reference: none
250 |
251 | Description:
252 |
253 | Reproducible: Always
254 | Steps to Reproduce:
255 | 1. log in on a virtual terminal as a normal user
256 | 2. check permissions on pam_console managed devices
257 | for example:
258 | ls -l /dev/floppy/0
259 | 3. press <Ctrl><Alt><Del>
260 | 4. wait for comp to reboot
261 | 5. log in on any virtual terminal as root
262 | 6. repeat step 2
263 |
264 | Actual Results:
265 | /dev/floppy/0 is still owned by the last logged in user!
266 | same problem with serial ports!
267 | same problem with cdroms/zips/usb-storage devices/...
268 | same prob with all devices managed by pam_console!!!
269 |
270 | Expected Results:
271 | devices should have ownership from devfsd.conf or root:root!
272 |
273 | *****************
274 |
275 | *****************
276 | Package: FreeRadius
277 | Versions: <= 0.9.3
278 | Subject: rlm_smb module stack overflow vulnerability
279 | Risk: critical
280 | Date: 26/11/2003
281 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34424
282 | Cross Reference: http://www.s-quadra.com/advisories/Adv-20031126.txt
283 |
284 | Description:
285 |
286 | See cross reference.
287 |
288 | *****************
289 |
290 | *****************
291 | Package: irssi
292 | Versions: 0.8.9 and ?, x86 not affected
293 | Subject: remotely crash another user's irssi client
294 | Risk: low/medium
295 | Date: 11/12/2003
296 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D35614
297 | Cross Reference: none
298 |
299 | Description:
300 |
301 | See Bugzilla entry.
302 |
303 | *****************
304 |
305 | *****************
306 | Package: nscd
307 | Versions: ?
308 | Subject: nscd dns spoof attack
309 | Risk: critical
310 | Date: 01/02/2004
311 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40067
312 | Cross Reference: none
313 |
314 | Description:
315 |
316 | nscd will reverse an IP address and later use the forward of it for
317 | lookups allowing for spoof attack which can be used to gather passwords
318 | and other data.
319 |
320 | *****************
321 |
322 | *****************
323 | Package: xscreensaver
324 | Versions: 4.14 and ?
325 | Subject: file in /tmp, symlink attack
326 | Risk: high/critical
327 | Date: 11/02/2004
328 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41253
329 | Cross Reference: none
330 |
331 | Description:
332 |
333 | See Bugzilla entry.
334 |
335 | *****************
336 |
337 | *****************
338 | Package: metamail
339 | Versions: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
340 | Subject: format string bugs and buffer overflows
341 | Risk: critical
342 | Date: 18/02/2004
343 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42133
344 | Cross Reference:
345 |
346 | http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html
347 |
348 | Description:
349 |
350 | See cross reference.
351 |
352 | *****************
353 |
354 | *****************
355 | Package: msyslog
356 | Versions: != 1.09d or 1.08f
357 | Subject: buffer overflows
358 | Risk: critical
359 | Date: 10/04/2003
360 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42963
361 | Cross Reference:
362 | http://sourceforge.net/forum/forum.php?forum_id=3D267918
363 |
364 | Description:
365 |
366 | See Bugzilla entry.
367 |
368 | *****************
369 |
370 | *****************
371 | Package: monit
372 | Versions: < 4.1.1
373 | Subject: remote vulnerability
374 | Risk: critical
375 | Date: 07/03/2004
376 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43967
377 | Cross Reference: http://www.tildeslash.com/monit/
378 |
379 | Description:
380 |
381 | No description available.
382 |
383 | *****************
384 |
385 | *****************
386 | Package: Unreal engine
387 | Versions: ?
388 | Subject: Format string bug in EpicGames Unreal engine
389 | Risk: critical
390 | Date: 10/03/2004
391 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44351
392 | Cross Reference:
393 | http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0
394 |
395 | Description:
396 |
397 | The problem is a format string bug in the Classes management.
398 | Each time a client connects to a server it sends the names of the
399 | objects it uses (called classes).
400 |
401 | If an attacker uses a class name containing format parameters (as %n,
402 | %s and so on) he will be able to crash or also to execute malicious
403 | code on the remote server.
404 |
405 | *****************
406 |
407 | *****************
408 | Package: clamav
409 | Versions: < 0.70-rc
410 | Subject: RAR DOS vulnerability
411 | Risk: critical
412 | Date: 22/03/2004
413 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45357
414 | Cross Reference: http://secunia.com/advisories/11177/
415 |
416 | Description:
417 |
418 | A vulnerability has been discovered in Clam AntiVirus, which can be
419 | exploited by malicious people to cause a DoS (Denial-of-Service).
420 |
421 | An unspecified error within the processing of certain RAR archives (e.g.
422 | some of those generated by the Bagle virus) may cause a crash.
423 |
424 | *****************
425 |
426 | *****************
427 | Package: GNU Automake
428 | Versions: < 1.8.3
429 | Subject: Insecure Temporary Directory Creation Symbolic Link
430 | Vulnerability
431 | Risk: high/critical
432 | Date: 08/03/2004
433 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45646
434 | Cross Reference: http://www.securityfocus.com/bid/9816/info/
435 |
436 | Description:
437 |
438 | See cross reference.
439 |
440 | *****************
441 |
442 | *****************
443 | Package: apache, mod_cgi
444 | Versions: 2.0.47
445 | Subject: Apache 2.0.47 & mod_cgi: denial of service
446 | Risk: critical
447 | Date: 31/07/2003
448 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29893
449 | Cross Reference:
450 | http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3D22030
451 |
452 | Description:
453 |
454 | If a cgi script under mod_cgi outputs more than 4096 bytes of stderr
455 | before it finishes writing to and closing its stdout, the write() in the
456 | cgi script containing the 4097th byte of stderr will hang indefinitely,
457 | hanging the script's execution.
458 |
459 | This appears to be caused by the fact that mod_cgi reads all stdout
460 | output first, and then begins reading stderr output. APR's file_io
461 | which is handling the streams will only buffer 4096 characters before
462 | further writes by the script to stderr will hang, waiting for mod_cgi to
463 | read some of the data from the stream via APR file_io.
464 |
465 | *****************
466 |
467 | *****************
468 | Package: courier-imap
469 | Versions: see cross reference
470 | Subject: Multiple Remote Buffer Overflow Vulnerabilities
471 | Risk: critical
472 | Date: 11/03/2004
473 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45584
474 | Cross Reference: http://www.securityfocus.com/bid/9845/info/
475 |
476 | Description:
477 |
478 | Multiple buffer overflow vulnerabilities have been identified in Courier
479 | MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may
480 | allow a remote attacker to execute arbitrary code on a vulnerable system
481 | in order to gain unauthorized access.
482 |
483 | *****************
484 |
485 | *****************
486 | Package: Mozilla
487 | Versions: < 1.6
488 | Subject: Cross-domain exploit on zombie document with event handlers
489 | Risk: critical
490 | Date: 25/02/2004
491 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43072
492 | Cross Reference: http://www.securityfocus.com/archive/1/355233
493 |
494 | Description:
495 |
496 | When linking to a new page it is still possible to interact with the old
497 | page before the new page has been successfully loaded (zombie document).
498 | Any javascript events fired will be invoked in the context of the new
499 | page, making cross site scripting possible if the pages belong to
500 | different domains.
501 |
502 | *****************
503 |
504 | *****************
505 | Package: fetchmail
506 | Versions: <= 6.2.4
507 | Subject: email denial of service
508 | Risk: low/medium
509 | Date: 16/10/2003
510 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D37717
511 | Cross Reference: http://xforce.iss.net/xforce/xfdb/13450
512 |
513 | Description:
514 |
515 | Fetchmail is a full-featured remote mail-retrieval and forwarding
516 | utility for Unix that uses the POP3 and IMAP protocols. Fetchmail
517 | version 6.2.4 is vulnerable to a denial of service attack. By sending a
518 | specially-crafted email, a remote attacker can cause the program to
519 | crash.
520 |
521 | *****************
522 |
523 | *****************
524 | Package: RealOne Player and RealPlayer 8
525 | Versions: ?
526 | Subject: arbitrary code execution
527 | Risk: critical
528 | Date: 04/02/2004?
529 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40469
530 | Cross Reference:
531 | http://www.service.real.com/help/faq/security/040123_player/EN/
532 |
533 | Description:
534 |
535 | RealNetworks, Inc. has recently been made aware of security
536 | vulnerabilities that could potentially allow an attacker to run
537 | arbitrary code on a user's machine.
538 |
539 | The specific exploits were:
540 |
541 | * Exploit 1: To operate remote Javascript from the domain of the
542 | URL opened by a SMIL file or other file.
543 | * Exploit 2: To fashion RMP files which allow an attacker to
544 | download and execute arbitrary code on a user's machine.
545 | * Exploit 3: To fashion media files to create Buffer Overrun
546 | errors.
547 |
548 | While we have not received reports of anyone actually being attacked
549 | with this exploit, all security vulnerabilities are taken very seriously
550 | by RealNetworks. RealNetworks has found and fixed the problem.
551 |
552 | *****************
553 |
554 | *****************
555 | Package: mpg123
556 | Versions: ?
557 | Subject: heap overflow, arbitrary code execution
558 | Risk: high
559 | Date: 06/02/2004
560 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40631
561 | Cross Reference: http://www.debian.org/security/2004/dsa-435
562 |
563 | Description:
564 |
565 | A vulnerability was discovered in mpg123, a command-line mp3 player,
566 | whereby a response from a remote HTTP server could overflow a buffer
567 | allocated on the heap, potentially permitting execution of arbitrary
568 | code with the privileges of the user invoking mpg123. In order for
569 | this vulnerability to be exploited, mpg123 would need to request an
570 | mp3 stream from a malicious remote server via HTTP.
571 |
572 | *****************
573 |
574 | *****************
575 | Package: Samba, Linux kernel
576 | Versions: Samba 3.x, Linux kernel 2.6.x
577 | Subject: Samba 3.x + kernel 2.6.x local root vulnerability
578 | Risk: high
579 | Date: 09/02/2004
580 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41800
581 | Cross Reference: http://www.securityfocus.com/archive/1/353217
582 |
583 | Description:
584 |
585 | See cross reference.
586 |
587 | *****************
588 |
589 | *****************
590 | Package: uudeview
591 | Versions: < 0.5.20
592 | Subject: buffer overflow vulnerabilities, remote arbitrary code
593 | execution
594 | Risk: high
595 | Date: 02/03/2004
596 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44859
597 | Cross Reference:
598 | http://www.securitytracker.com/alerts/2004/Mar/1009291.html
599 |
600 | Description:
601 |
602 | It is reported that a remote user can create a malicious MIME file
603 | (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions) that, when
604 | processed by a target user, will cause UUDeview to crash or execute
605 | arbitrary code. The code will run with the privileges of the target user
606 | or application.
607 |
608 | *****************
609 |
610 | *****************
611 | Package: MySQL
612 | Versions: all
613 | Subject: Symlink bug / tmpfile bug
614 | Risk: low/medium
615 | Date: 24/03/2004
616 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45727
617 | Cross Reference: http://nettwerked.mg2.org/advisories/mysqlbug
618 |
619 | Description:
620 |
621 | See cross reference.
622 |
623 | *****************
624 |
625 | *****************
626 | Package: pwlib
627 | Versions: < 1.6.0
628 | Subject: multiple vulnerabilities allow remote DoS attacks and possibly
629 | execution of arbitrary code
630 | Risk: high
631 | Date: 13/01/2004
632 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45846
633 | Cross Reference:
634 | http://www.postincrement.com/openh323/nissc_vulnerabilty.html
635 |
636 | Description:
637 |
638 | See cross reference.
639 |
640 | *****************
641 |
642 | *****************
643 | Package: iproute
644 | Versions: ?
645 | Subject: local denial of service attack
646 | Risk: medium/high
647 | Date: 24/11/2003
648 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34294
649 | Cross Reference: http://rhn.redhat.com/errata/RHSA-2003-316.html
650 |
651 | Description:
652 |
653 | Herbert Xu reported that iproute can accept spoofed messages sent on the
654 | kernel netlink interface by other users on the local machine. This could
655 | lead to a local denial of service attack. The Common Vulnerabilities and
656 | Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to
657 | this issue.
658 |
659 | *****************
660 |
661 | *****************
662 | Package: openhbci-plugin-ddvcard
663 | Versions: ?
664 | Subject: openhbci-plugin-ddvcard can destroy hbci-cards
665 | Risk: critical
666 | Date: 13/01/2004
667 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38201
668 | Cross Reference:
669 | http://sourceforge.net/mailarchive/forum.php?thread_id=3D3743892&forum_id=
670 | =3D926
671 |
672 | Description:
673 |
674 | See cross reference (German) and Bugzilla entry.
675 |
676 | *****************
677 |
678 | *****************
679 | Package: tcpdump
680 | Versions: ?
681 | Subject: denial of service, or possibly execute arbitrary
682 | code as the 'pcap' user
683 | Risk: medium/high
684 | Date: 14/01/2004
685 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38206
686 | Cross Reference: none
687 |
688 | Description:
689 |
690 | Tcpdump is a command-line tool for monitoring network traffic.
691 |
692 | George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
693 | versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
694 | (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
696 |
697 | Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
698 | routines of tcpdump versions up to and including 3.8.1.
699 |
700 | Remote attackers could potentially exploit these issues by sending
701 | carefully-crafted packets to a victim. If the victim uses tcpdump, these
702 | packets could result in a denial of service, or possibly execute
703 | arbitrary code as the 'pcap' user.
706 |
707 | Users of tcpdump are advised to upgrade to these erratum packages, which
708 | contain backported security patches and are not vulnerable to these
709 | issues.
710 |
711 | *****************
712 |
713 | *****************
714 | Package: kdepim
715 | Versions: from KDE 3.1.0 to 3.1.4
716 | Subject: buffer overflow in the file information reader of VCF files
717 | Risk: high/critical
718 | Date: 14/01/2004
719 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38256
720 | Cross Reference:
721 | http://www.kde.org/info/security/advisory-20040114-1.txt
722 |
723 | Description:
724 |
725 | A carefully crafted .VCF file potentially enables local attackers to
726 | compromise the privacy of a victim's data or execute arbitrary commands
727 | with the victim's privileges.
728 |
729 | By default, file information reading is disabled for remote files.
730 | However, if previews are enabled for remote files, remote attackers may
731 | be able to compromise the victim's account.
732 |
733 | *****************
734 |
735 | *****************
736 | Package: dcron
737 | Versions: 2.9
738 | Subject: dcron installs init script suid 4755
739 | Risk: medium
740 | Date: 25/02/2004
741 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42908
742 | Cross Reference: http://dev.gentoo.org/~solar/misc/dcron-2.9-r2.diff
743 |
744 | Description:
745 |
746 | See Bugzilla entry.
747 |
748 | *****************
749 |
750 | *****************
751 | Package: xine
752 | Versions: ?
753 | Subject: Symlink bug / tmpfile bug in xine-check and xine-bugreport
754 | Risk: low/medium
755 | Date: 19/03/2004
756 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45448
757 | Cross Reference: http://nettwerked.mg2.org/advisories/xinebug
758 |
759 | Description:
760 |
761 | See cross reference.
762 |
763 | *****************
764 |
765 | *****************
766 | Package: phpBB
767 | Versions: ?
768 | Subject: Multiple vulnerabilities
769 | Risk: critical
770 | Date: 13/03/2004
771 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45482
772 | Cross Reference: http://www.securityfocus.com/bid/9865
773 |
774 | Description:
775 |
776 | See Bugzilla entry and cross reference.
777 |
778 | *****************
779 |
780 | *****************
781 | Package: SquidGuard
782 | Versions: <= 1.2.0
783 | Subject: NULL URL Character Unauthorized Access Vulnerability
784 | Risk: critical
785 | Date: 19/03/2004
786 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45491
787 | Cross Reference: http://www.securityfocus.com/bid/9919/info/
788 |
789 | Description:
790 |
791 | Reportedly SquidGuard is prone to a remote NULL URL character
792 | unauthorized access vulnerability. This issue is due to a failure of the
793 | application to properly filter out invalid URIs.
794 |
795 | Successful exploitation of this issue may allow a remote attacker to
796 | bypass access controls resulting in unauthorized access to
797 | attacker-specified resources. This may allow the attacker to gain
798 | unauthorized access to sensitive resources.
799 |
800 | *****************
801 |
802 | *****************
803 | Package: Jetty
804 | Versions: < 4.2.19
805 | Subject: Unspecified Denial Of Service Vulnerability
806 | Risk: high/critical
807 | Date: 18/03/2004
808 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45552
809 | Cross Reference: http://www.securityfocus.com/bid/9917
810 |
811 | Description:
812 |
813 | See cross reference.
814 |
815 | *****************
816 |
817 | *****************
818 | Package: oftpd
819 | Versions: 0.3.6 and possibly others
820 | Subject: remote DoS vulnerability
821 | Risk: medium/high
822 | Date: 04/03/2004
823 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45738
824 | Cross Reference: http://www.time-travellers.org/oftpd/oftpd-dos.html
825 |
826 | Description:
827 |
828 | Denial of service. An ftp server can be taken offline with a simple
829 | telnet connection.
830 |
831 | *****************
832 |
833 | *****************
834 | Package: libxml2
835 | Versions: 2.6.x
836 | Subject: URI Parsing Buffer Overflow Vulnerabilities
837 | Risk: high/critical
838 | Date: 24/02/2004
839 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42735
840 | Cross Reference: http://secunia.com/advisories/10958/
841 |
842 | Description:
843 |
844 | Yuuichi Teranishi has discovered some vulnerabilities in libxml2, which
845 | potentially can be exploited by malicious people to compromise a
846 | vulnerable system.
847 |
848 | The vulnerabilities are caused due to boundary errors in nanohttp and
849 | nanoftp when parsing overly long URIs. This can be exploited to cause a
850 | buffer overflow by supplying an overly long URI (about 4096 bytes).
851 |
852 | Successful exploitation may potentially allow execution of arbitrary
853 | code.
854 |
855 | *****************
856 |
857 | *****************
858 | Package: inn
859 | Versions: < 2.4.1?
860 | Subject: ?
861 | Risk: ?
862 | Date: 17/09/2003
863 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29020
864 | Cross Reference: none
865 |
866 | Description:
867 |
868 | See Bugzilla entry.
869 |
870 | *****************
871 |
872 | *****************
873 | Package: mplayer
874 | Versions: ?
875 | Subject: /dev/misc/rtc permissions change & sysctl.conf addition
876 | Risk: low/medium?
877 | Date: 11/09/2003
878 | Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D28486
879 | Cross Reference: none
880 |
881 | Description:
882 |
883 | See Bugzilla entry.
884 |
885 | *****************
886 |
887 | If you spotted any errors or you're aware of additional
888 | references/information, please drop me a note at glpv@×××××××××.org.
889 |
890 | This list is far from complete. As of today it only contains entries
891 | from Bugzilla that haven't been fixed yet. There are probably many
892 | issues that haven't found their way into Bugzilla at all.
893 |
894 |
895 | kind regards,
896 | Tobias Weisserth
897 |
898 |
899
900 -----BEGIN PGP SIGNATURE-----
901 Version: GnuPG v1.2.3 (MingW32)
902 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
903
904 iD8DBQFAZbK2iDLXZOHxOMoRAsd3AKDXu236o59vYgZ5gov9l2KzrVQnPwCeOzUD
905 XxwXgrRDnnRorCwfgYyx5YI=
906 =R8S5
907 -----END PGP SIGNATURE-----
908
909 --
910 gentoo-security@g.o mailing list
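Editor's note on the transmission problem David describes above: the `=3D` and `=20` tokens in the quoted report, and the lines that end in a bare `=` (for example the SourceForge URL split across `forum_id=` and `=3D926`), are RFC 2045 quoted-printable escapes that reached the display without being decoded (`=3D` encodes `=`, `=20` a space, and a trailing `=` a soft line break). The signature over the message can still verify while the body is shown in this form, so a reader who wants the real Bugzilla URLs has to undo the encoding first. The Python below is an added example, not code from either mail or from Gentoo; it decodes a few sample lines copied from the quoted report (constructed here as a string, nothing is fetched) with the standard library's quopri module and recovers the intact URLs and numeric bug ids.

```python
"""Decode the '=3D' / '=20' / trailing '=' tokens seen in the quoted report.

Added example (not part of the original mail): the tokens are RFC 2045
quoted-printable escapes that were displayed without being decoded.
"""
import quopri
import re

# Constructed sample: lines copied from the quoted report above, in the
# undecoded form in which they appear there.
RAW_REPORT = (
    "Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42024\n"
    "Subject: Multiple (13) Ethereal remote overflows discovered=20\n"
    "Versions: <=3D 0.9.3\n"
    "Running the build process as a normal user avoids 1). Not overwriting\n"
    "exist=\n"
    "ing files avoids 2), unless the user is installing some new root\n"
    "http://sourceforge.net/mailarchive/forum.php?thread_id=3D3743892&forum_id=\n"
    "=3D926\n"
)

# A URL runs until whitespace or a quote marker ('|' or '>').
URL_RE = re.compile(r"https?://[^\s|>]+")


def decode_qp(text: str) -> str:
    """Undo quoted-printable: '=XX' becomes the byte 0xXX, and a line that
    ends in a bare '=' (soft line break) is joined to the following line."""
    return quopri.decodestring(text.encode("ascii")).decode("utf-8")


def extract_urls(text: str) -> list[str]:
    """Collect every URL in a block of text."""
    return URL_RE.findall(text)


def bugzilla_ids(urls: list[str]) -> list[str]:
    """Return the id= value of each bugs.gentoo.org show_bug URL, but only
    when the id is purely numeric; an undecoded '=3D42024' does not match."""
    ids = []
    for url in urls:
        m = re.match(r"http://bugs\.gentoo\.org/show_bug\.cgi\?id=(\d+)$", url)
        if m:
            ids.append(m.group(1))
    return ids


def compare(raw: str) -> dict:
    """Show what decoding changes: the URLs before and after, the bug ids
    that survive the numeric check, and the fully decoded text."""
    decoded = decode_qp(raw)
    return {
        "urls_raw": extract_urls(raw),
        "urls_decoded": extract_urls(decoded),
        "bugzilla_ids": bugzilla_ids(extract_urls(decoded)),
        "decoded": decoded,
    }


if __name__ == "__main__":
    result = compare(RAW_REPORT)
    for before, after in zip(result["urls_raw"], result["urls_decoded"]):
        print(before, "->", after)
    print("usable bug ids:", result["bugzilla_ids"])
```

Running it prints the Bugzilla URL with `id=42024` and the SourceForge URL rejoined into a single line with `forum_id=926`; on the undecoded text `bugzilla_ids` returns nothing, which is a cheap way to notice that a mail body still carries its transfer encoding before trusting a link in it.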