-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tobias Weisserth wrote:

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Gentoo Linux Pending Vulnerabilities GLVP 200403-01
| Unofficial Announcement
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| glvp@×××××××××.org
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
|
| Abstract: This email is a compilation of known but unresolved
| vulnerabilities and security issues in Gentoo Linux. This GLPV email
| will be issued each Saturday as a reminder and warning for Gentoo users
| about unresolved security critical bugs of packages in the Gentoo
| Portage tree. This is an unofficial email, not associated with the
| Gentoo Linux security team. Since I am far from perfect, this mail may
| contain errors. Please report them if you spot them.
|

Tobias,

First of all, I want to thank you for your proactive effort to get these
~ security vulnerabilities addressed within the gentoo community. In
that light I wanted to let you know about a problem with the first
report that you posted to gentoo-security.

There seems to be an issue with the way this report is being transmitted
by your mail client (Ximian Evolution). Although your gpg signature is
verifying correctly from my Mozilla 1.6 client, the "id=" portion of the
gentoo bugzilla URLs seems to have extra information that is rendering
the URLs as invalid. This also appears to be occurring in several other
URLs that have the "=" sign included.

You can see samples of this in the text quoted below from my end.

Regards,

- - David

- --
David R. Bergstein
Systems Engineer and Blues Musician
http://home.comcast.net/~dbergstein
Heart of Blue - bookings on-line at http://www.heartofblue.com
OpenPGP Public Key 0xE1F138CA - For info see http://www.gnupg.org
http://home.comcast.net/~dbergstein/gpg/dbergstein.asc
Key fingerprint = C86E CA2A 4171 AC73 91D7 3DCE 8832 D764 E1F1 38CA

"Beware of bugs in the above code; I have only proved it correct, not
tried it."
-- Donald Knuth


|
| Comments, suggestions and reports about errors are welcome at
| glpv@×××××××××.org
|
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
| *****************
| Package: Linux kernel
| Versions: 2.2 up to and including 2.2.25, 2.4 up to and including
| 2.4.24, 2.6 up to and including 2.6.2
| Subject: Linux kernel do_mremap VMA limit local privilege escalation
| vulnerability
| Risk: critical
| Date: 01/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42024
| Cross Reference:
| http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
|
| Description:
|
| See the cross reference.
|
| *****************
|
| *****************
| Package: Ethereal
| Versions: 0.8.14 - 0.10.2
| Subject: Multiple (13) Ethereal remote overflows discovered=20
| Risk: critical
| Date: 23/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45543
| Cross Reference: http://security.e-matters.de/advisories/032004.html
|
| Description:
|
| See the cross reference.
|
| *****************
|
| *****************
| Package: xfsdump
| Versions: ?
| Subject: xfsdump creates files insecurely
| Risk: critical
| Date: 10/04/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D19406
| Cross Reference:
| ftp://patches.sgi.com/support/free/security/advisories/20030404-01-P
|
| Description:
|
| xfsdq in xfsdump does not create quota information files securely, which
| allows local users to gain root privileges.
|
| *****************
|
| *****************
| Package: Firebird
| Versions: ?
| Subject: Environment Variable Buffer Overflow Vulnerability
| Risk: critical
| Date: 10/05/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D20837
| Cross Reference: http://securityfocus.com/bid/7546/info/
|
| Description:
|
| Interbase is a database distributed and maintained by Borland. It is
| available for Unix and Linux operating systems. As Firebird is based on
| Borland/Inprise Interbase source code, it is very likely that Interbase
| is prone to this issue also.
|
| A buffer overflow has been discovered in the setuid root program
| gds_inet_server, packaged with Firebird. This problem could allow a
| local user to execute the program with strings of arbitrary length. By
| using a custom crafted string, the attacker could overwrite stack
| memory, including the return address of a function, and potentially
| execute arbitrary code as root.
|
| *****************
|
| *****************
| Package: imagemagick
| Versions: ?
| Subject: insecure temporary file
| Risk: low/medium
| Date: 27/06/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24001
| Cross Reference: http://www.debian.org/security/2003/dsa-331
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: OpenLDAP
| Versions: ?
| Subject: Denial of Service and other (non-security) fixes=20
| Risk: critical
| Date: 04/07/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D26728
| Cross Reference: http://www.openldap.org/its/index.cgi?findid=3D2390
|
| Description:
|
| A failed password extended operation (password EXOP) can cause openldap
| to, if using the back-ldbm backend, attempt to free memory which was
| never allocated, resulting in a segfault. The back-bdb backend, on the
| other hand, has a memory leak in the same code. Both conditions can be
| triggered remotely.
|
| See the Bugzilla entry for more information.
|
| *****************
|
| *****************
| Package: Gentoo Portage
| Versions: ?
| Subject: emerge security - running as root and digital signatures
| Risk: medium/high
| Date: 08/02/2002
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D5902
| Cross Reference: none
|
| Description:
|
| Running emerge as root is only necessary for the merge step. Unpacking,
| setup and compilation should be done as a normal user (say, "nobody").
| Merging should never overwrite an existing file without user
| authorisation.
|
| At the moment there are a couple of ways to get root from portage:
|
| 1) through a trojaned build process
| 2) through a trojaned source that gets installed and executed by root
|
| Running the build process as a normal user avoids 1). Not overwriting
| exist=
| ing files avoids 2), unless the user is installing some new root
| daemon/program, then they're screwed anyway.
|
| *****************
|
| *****************
| Package: scorched3d
| Versions: 36.2 and ?
| Subject: format string crashes server and client
| Risk: low/medium (denial of service)
| Date: 24/01/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D39302
| Cross Reference: none
|
| Description:
|
| games-strategy/scorched3d-36.2 suffers from a format string problem that
| crashes clients and servers. If this is used while playing standalone,
| the client will crash. If this is used while playing on a server, the
| server will crash, and all clients will be disconnected.
|
| *****************
|
| *****************
| Package: 8139too driver
| Versions: ?
| Subject: 8139too driver icmp leak
| Risk: high
| Date: 01/06/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24661
| Cross Reference:
| http://www.atstake.com/research/advisories/2003/a010603-1.txt
|
| Description:
|
| Multiple platform ethernet Network Interface Card (NIC) device
| drivers incorrectly handle frame padding, allowing an attacker to view
| slices of previously transmitted packets or portions of kernel memory.
| This vulnerability is the result of incorrect implementations of RFC
| requirements and poor programming practices, the combination
| of which results in several variations of this information leakage
| vulnerability.
|
| *****************
|
| *****************
| Package: pam
| Versions: ?
| Subject: pam_console setup broken
| Risk: critical
| Date: 23/10/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D31877
| Cross Reference: none
|
| Description:
|
| Reproducible: Always
| Steps to Reproduce:
| 1. log in on a virtual terminal as normal user
| 2. check permissions on pam_console managed devices
| for example:
| ls -l /dev/floppy/0
| 3. press <Ctrl><Alt><Del>
| 4. wait for comp to reboot
| 5. log in on any virtual terminal as root
| 6. repeat step 2
|
| Actual Results:
| /dev/floppy/0 is still owned by the last logged in user!
| same problem with serial ports!
| same problem with cdroms/zips/usb-storage devices/...
| same prob with all devices managed by pam_console!!!
|
| Expected Results:
| devices should have ownership from devfsd.conf or root:root!
|
| *****************
|
| *****************
| Package: FreeRadius
| Versions: <=3D 0.9.3
| Subject: rlm_smb module stack overflow vulnerability
| Risk: critical
| Date: 26/11/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34424
| Cross Reference: http://www.s-quadra.com/advisories/Adv-20031126.txt
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: irssi
| Versions: 0.8.9 and ?, x86 not affected
| Subject: remotely crash another user's irssi client
| Risk: low/medium
| Date: 11/12/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D35614
| Cross Reference: none
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| *****************
| Package: nscd
| Versions: ?
| Subject: nscd dns spoof attack
| Risk: critical
| Date: 01/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40067
| Cross Reference: none
|
| Description:
|
| nscd will reverse an IP address and later use the forward of it for
| lookups allowing for spoof attack which can be used to gather passwords
| and other data.
|
| *****************
|
| *****************
| Package: xscreensaver
| Versions: 4.14 and ?
| Subject: file in /tmp, symlink attack
| Risk: high/critical
| Date: 11/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41253
| Cross Reference: none
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| *****************
| Package: metamail
| Versions: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
| Subject: format string bugs and buffer overflows
| Risk: critical
| Date: 18/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42133
| Cross Reference:
|
| http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: msyslog
| Versions: !=3D 1.09d or 1.08f
| Subject: buffer overflows
| Risk: critical
| Date: 10/04/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42963
| Cross Reference:
| http://sourceforge.net/forum/forum.php?forum_id=3D267918
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| *****************
| Package: monit
| Versions: < 4.1.1
| Subject: remote vulnerability
| Risk: critical
| Date: 07/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43967
| Cross Reference: http://www.tildeslash.com/monit/
|
| Description:
|
| No description available.
|
| *****************
|
| *****************
| Package: Unreal engine
| Versions: ?
| Subject: Format string bug in EpicGames Unreal engine
| Risk: critical
| Date: 10/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44351
| Cross Reference:
| http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0
|
| Description:
|
| The problem is a format string bug in the Classes management.
| Each time a client connects to a server it sends the names of the
| objects it uses (called classes).
|
| If an attacker uses a class name containing format parameters (as %n,
| %s and so on) he will be able to crash or also to execute malicious
| code on the remote server.
|
| *****************
|
| *****************
| Package: clamav
| Versions: < 0.70-rc
| Subject: RAR DOS vulnerability
| Risk: critical
| Date: 22/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45357
| Cross Reference: http://secunia.com/advisories/11177/
|
| Description:
|
| A vulnerability has been discovered in Clam AntiVirus, which can be
| exploited by malicious people to cause a DoS (Denial-of-Service).
|
| An unspecified error within the processing of certain RAR archives (e.g.
| some of those generated by the Bagle virus) may cause a crash.
|
| *****************
|
| *****************
| Package: GNU Automake
| Versions: < 1.8.3
| Subject: Insecure Temporary Directory Creation Symbolic Link
| Vulnerability
| Risk: high/critical
| Date: 08/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45646
| Cross Reference: http://www.securityfocus.com/bid/9816/info/
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: apache, mod_cgi
| Versions: 2.0.47
| Subject: Apache 2.0.47 & mod_cgi: denial of service
| Risk: critical
| Date: 31/07/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29893
| Cross Reference:
| http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3D22030
|
| Description:
|
| If a cgi script under mod_cgi outputs more than 4096 bytes of stderr
| before it finishes writing to and closing its stdout, the write() in the
| cgi script containing the 4097th byte of stderr will hang indefinitely,
| hanging the script's execution.
|
| This appears to be caused by the fact that mod_cgi reads all stdout
| output first, and then begins reading stderr output. APR's file_io
| which is handling the streams will only buffer 4096 characters before
| further writes by the script to stderr will hang, waiting for mod_cgi to
| read some of the data from the stream via APR file_io.
|
| *****************
|
| *****************
| Package: courier-imap
| Versions: see cross reference
| Subject: Multiple Remote Buffer Overflow Vulnerabilities
| Risk: critical
| Date: 11/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45584
| Cross Reference: http://www.securityfocus.com/bid/9845/info/
|
| Description:
|
| Multiple buffer overflow vulnerabilities have been identified in Courier
| MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may
| allow a remote attacker to execute arbitrary code on a vulnerable system
| in order to gain unauthorized access.
|
| *****************
|
| *****************
| Package: Mozilla
| Versions: < 1.6
| Subject: Cross-domain exploit on zombie document with event handlers
| Risk: critical
| Date: 25/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43072
| Cross Reference: http://www.securityfocus.com/archive/1/355233
|
| Description:
|
| When linking to a new page it is still possible to interact with the old
| page before the new page has been successfully loaded (zombie document).
| Any javascript events fired will be invoked in the context of the new
| page, making cross site scripting possible if the pages belong to
| different domains.
|
| *****************
|
| *****************
| Package: fetchmail
| Versions: <=3D 6.2.4
| Subject: email denial of service
| Risk: low/medium
| Date: 16/10/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D37717
| Cross Reference: http://xforce.iss.net/xforce/xfdb/13450
|
| Description:
|
| Fetchmail is a full-featured remote mail-retrieval and forwarding
| utility for Unix that uses the POP3 and IMAP protocols. Fetchmail
| version 6.2.4 is vulnerable to a denial of service attack. By sending a
| specially-crafted email, a remote attacker can cause the program to
| crash.
|
| *****************
|
| *****************
| Package: RealOne Player and RealPlayer 8
| Versions: ?
| Subject: arbitrary code execution
| Risk: critical
| Date: 04/02/2004?
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40469
| Cross Reference:
| http://www.service.real.com/help/faq/security/040123_player/EN/
|
| Description:
|
| RealNetworks, Inc. has recently been made aware of security
| vulnerabilities that could potentially allow an attacker to run
| arbitrary code on a user's machine.
|
| The specific exploits were:
|
| * Exploit 1: To operate remote Javascript from the domain of the
| URL opened by a SMIL file or other file.
| * Exploit 2: To fashion RMP files which allow an attacker to
| download and execute arbitrary code on a user's machine.
| * Exploit 3: To fashion media files to create Buffer Overrun
| errors.
|
| While we have not received reports of anyone actually being attacked
| with this exploit, all security vulnerabilities are taken very seriously
| by RealNetworks. RealNetworks has found and fixed the problem.
|
| *****************
|
| *****************
| Package: mpg123
| Versions: ?
| Subject: heap overflow, arbitrary code execution
| Risk: high
| Date: 06/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40631
| Cross Reference: http://www.debian.org/security/2004/dsa-435
|
| Description:
|
| A vulnerability was discovered in mpg123, a command-line mp3 player,
| whereby a response from a remote HTTP server could overflow a buffer
| allocated on the heap, potentially permitting execution of arbitrary
| code with the privileges of the user invoking mpg123. In order for
| this vulnerability to be exploited, mpg123 would need to request an
| mp3 stream from a malicious remote server via HTTP.
|
| *****************
|
| *****************
| Package: Samba, Linux kernel
| Versions: Samba 3.x, Linux kernel 2.6.x
| Subject: Samba 3.x + kernel 2.6.x local root vulnerability
| Risk: high
| Date: 09/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41800
| Cross Reference: http://www.securityfocus.com/archive/1/353217
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: uudeview
| Versions: < 0.5.20
| Subject: buffer overflow vulnerabilities, remote arbitrary code
| execution
| Risk: high
| Date: 02/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44859
| Cross Reference:
| http://www.securitytracker.com/alerts/2004/Mar/1009291.html
|
| Description:
|
| It is reported that a remote user can create a malicious MIME file
| (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions) that, when
| processed by a target user, will cause UUDeview to crash or execute
| arbitrary code. The code will run with the privileges of the target user
| or application.
|
| *****************
|
| *****************
| Package: MySQL
| Versions: all
| Subject: Symlink bug / tmpfile bug
| Risk: low/medium
| Date: 24/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45727
| Cross Reference: http://nettwerked.mg2.org/advisories/mysqlbug
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: pwlib
| Versions: < 1.6.0
| Subject: multiple vulnerabilities allow remote DoS attacks and possibly
| execution of arbitrary code
| Risk: high
| Date: 13/01/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45846
| Cross Reference:
| http://www.postincrement.com/openh323/nissc_vulnerabilty.html
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: iproute
| Versions: ?
| Subject: local denial of service attack
| Risk: medium/high
| Date: 24/11/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34294
| Cross Reference: http://rhn.redhat.com/errata/RHSA-2003-316.html
|
| Description:
|
| Herbert Xu reported that iproute can accept spoofed messages sent on the
| kernel netlink interface by other users on the local machine. This could
| lead to a local denial of service attack. The Common Vulnerabilities and
| Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to
| this issue.
|
| *****************
|
| *****************
| Package: openhbci-plugin-ddvcard
| Versions: ?
| Subject: openhbci-plugin-ddvcard can destroy hbci-cards
| Risk: critical
| Date: 13/01/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38201
| Cross Reference:
| http://sourceforge.net/mailarchive/forum.php?thread_id=3D3743892&forum_id=
| =3D926
|
| Description:
|
| See cross reference (German) and Bugzilla entry.
|
| *****************
|
| *****************
| Package: tcpdump
| Versions: ?
| Subject: denial of service, or possibly execute arbitrary
| code as the 'pcap' user
| Risk: medium/high
| Date: 14/01/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38206
| Cross Reference: none
|
| Description:
|
| Tcpdump is a command-line tool for monitoring network traffic.
|
| George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
| versions prior to 3.8.1. The Common Vulnerabilities and Exposures
| project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
|
| Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
| routines of tcpdump versions up to and including 3.8.1.
|
| Remote attackers could potentially exploit these issues by sending
| carefully-crafted packets to a victim. If the victim uses tcpdump, these
| packets could result in a denial of service, or possibly execute arbitrary
| code as the 'pcap' user.
|
| Users of tcpdump are advised to upgrade to these erratum packages, which
| contain backported security patches and are not vulnerable to these
| issues.
|
| *****************
|
| *****************
| Package: kdepim
| Versions: from KDE 3.1.0 to 3.1.4
| Subject: buffer overflow in the file information reader of VCF files
| Risk: high/critical
| Date: 14/01/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38256
| Cross Reference:
| http://www.kde.org/info/security/advisory-20040114-1.txt
|
| Description:
|
| A carefully crafted .VCF file potentially enables local attackers to
| compromise the privacy of a victim's data or execute arbitrary commands
| with the victim's privileges.
|
| By default, file information reading is disabled for remote files.
| However, if previews are enabled for remote files, remote attackers may
| be able to compromise the victim's account.
|
| *****************
|
| *****************
| Package: dcron
| Versions: 2.9
| Subject: dcron installs init script suid 4755
| Risk: medium
| Date: 25/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42908
| Cross Reference: http://dev.gentoo.org/~solar/misc/dcron-2.9-r2.diff
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| *****************
| Package: xine
| Versions: ?
| Subject: Symlink bug / tmpfile bug in xine-check and xine-bugreport
| Risk: low/medium
| Date: 19/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45448
| Cross Reference: http://nettwerked.mg2.org/advisories/xinebug
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: phpBB
| Versions: ?
| Subject: Multiple vulnerabilities
| Risk: critical
| Date: 13/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45482
| Cross Reference: http://www.securityfocus.com/bid/9865
|
| Description:
|
| See Bugzilla entry and cross reference.
|
| *****************
|
| *****************
| Package: SquidGuard
| Versions: <=3D 1.2.0
| Subject: NULL URL Character Unauthorized Access Vulnerability
| Risk: critical
| Date: 19/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45491
| Cross Reference: http://www.securityfocus.com/bid/9919/info/
|
| Description:
|
| Reportedly SquidGuard is prone to a remote NULL URL character
| unauthorized access vulnerability. This issue is due to a failure of the
| application to properly filter out invalid URIs.
|
| Successful exploitation of this issue may allow a remote attacker to
| bypass access controls resulting in unauthorized access to
| attacker-specified resources. This may allow the attacker to gain
| unauthorized access to sensitive resources.
|
| *****************
|
| *****************
| Package: Jetty
| Versions: < 4.2.19
| Subject: Unspecified Denial Of Service Vulnerability
| Risk: high/critical
| Date: 18/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45552
| Cross Reference: http://www.securityfocus.com/bid/9917
|
| Description:
|
| See cross reference.
|
| *****************
|
| *****************
| Package: oftpd
| Versions: 0.3.6 and possibly others
| Subject: remote DoS vulnerability
| Risk: medium/high
| Date: 04/03/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45738
| Cross Reference: http://www.time-travellers.org/oftpd/oftpd-dos.html
|
| Description:
|
| Denial of service. An ftp server can be taken offline with a simple
| telnet connection.
|
| *****************
|
| *****************
| Package: libxml2
| Versions: 2.6.x
| Subject: URI Parsing Buffer Overflow Vulnerabilities
| Risk: high/critical
| Date: 24/02/2004
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42735
| Cross Reference: http://secunia.com/advisories/10958/
|
| Description:
|
| Yuuichi Teranishi has discovered some vulnerabilities in libxml2, which
| potentially can be exploited by malicious people to compromise a
| vulnerable system.
|
| The vulnerabilities are caused due to boundary errors in nanohttp and
| nanoftp when parsing overly long URIs. This can be exploited to cause a
| buffer overflow by supplying an overly long URI (about 4096 bytes).
|
| Successful exploitation may potentially allow execution of arbitrary
| code.
|
| *****************
|
| *****************
| Package: inn
| Versions: < 2.4.1?
| Subject: ?
| Risk: ?
| Date: 17/09/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29020
| Cross Reference: none
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| *****************
| Package: mplayer
| Versions: ?
| Subject: /dev/misc/rtc permissions change & sysctl.conf addition
| Risk: low/medium?
| Date: 11/09/2003
| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D28486
| Cross Reference: none
|
| Description:
|
| See Bugzilla entry.
|
| *****************
|
| If you spotted any errors or you're aware of additional
| references/information, please drop me a note at glpv@×××××××××.org.
|
| This list is far from complete. As of today it only contains entries
| from Bugzilla that haven't been fixed yet. There are probably many
| issues that haven't found their way into Bugzilla at all.
|
|
| kind regards,
| Tobias Weisserth
|
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAZbK2iDLXZOHxOMoRAsd3AKDXu236o59vYgZ5gov9l2KzrVQnPwCeOzUD
XxwXgrRDnnRorCwfgYyx5YI=
=R8S5
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
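The "=3D" fragments David points out in the quoted URLs, as an added example that is not part of the original message: the extra characters are RFC 2045 quoted-printable escapes ("=3D" encodes "=", "=20" a trailing space, and a bare "=" at the end of a line is a soft line break) that his client displayed without decoding. The Python below decodes a constructed sample of the quoted report with the standard library's quopri module and shows why an undecoded URL is worse than ugly: a URL-aware reader parses "id=3D42024" as bug 3. The "| " quote prefix is assumed to have been added by the reader's client after the encoding, so it is stripped before decoding and put back afterwards.

```python
"""Recover the quoted-printable residue in a forwarded mail body.

Added example, not part of the original message.  The sample text is
constructed from how the GLVP report rendered on the reader's side; the
"| " prefix is assumed to be the reader's own quote marker.
"""
import quopri
import re

QUOTE_PREFIX = "| "

# Constructed sample: lines as they appeared in the undecoded quote.
SAMPLE_QP = (
    "| Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42024\n"
    "| Subject: Multiple (13) Ethereal remote overflows discovered=20\n"
    "| Versions: <=3D 0.9.3\n"
    "| Running the build process as a normal user avoids 1). Not overwriting\n"
    "| exist=\n"
    "| ing files avoids 2), unless the user is installing some new root\n"
)

# How a URL-aware reader would extract the bug id from a Bugzilla link.
BUG_URL = re.compile(r"https?://bugs\.gentoo\.org/show_bug\.cgi\?id=(\d+)")


def strip_quote_prefix(text: str) -> str:
    """Drop the reply-quote prefix so soft line breaks can rejoin lines."""
    return "".join(
        (line[len(QUOTE_PREFIX):] if line.startswith(QUOTE_PREFIX) else line) + "\n"
        for line in text.splitlines()
    )


def decode_quoted_printable(text: str) -> str:
    """Decode a body that was shown undecoded back to its plain text.

    quopri covers the three cases visible in the report: "=XX" hex
    escapes such as "=3D", "=20" for protected trailing spaces, and a
    trailing "=" soft line break that joins "exist=" / "ing".
    """
    return quopri.decodestring(text.encode("ascii")).decode("utf-8")


def bug_ids(text: str) -> list[int]:
    """Bugzilla ids as parsed from the text, decoded or not."""
    return [int(m) for m in BUG_URL.findall(text)]


def recover_report(rendered: str) -> str:
    """Strip the quote prefix, decode, and re-quote for a clean reply."""
    plain = decode_quoted_printable(strip_quote_prefix(rendered))
    return "".join(QUOTE_PREFIX + line + "\n" for line in plain.splitlines())


if __name__ == "__main__":
    print("ids before decoding:", bug_ids(SAMPLE_QP))                  # [3]
    print("ids after decoding: ", bug_ids(recover_report(SAMPLE_QP)))  # [42024]
    print(recover_report(SAMPLE_QP))
```

The decoded report is exactly what Tobias signed, which is why his signature still verified: the encoding sits in the transfer layer below the signed text, and only a client that skips the Content-Transfer-Encoding step shows it.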
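The Apache 2.0.47 mod_cgi entry in the quoted report describes a hang that is a generic pipe-ordering deadlock rather than anything Apache-specific. The Python below is an added example, not code from Apache, APR or the bug report: it models a CGI-like child that floods stderr before it ever writes and closes stdout, a parent that drains stdout to EOF before touching stderr (the mod_cgi pattern), and the fix of draining both pipes concurrently. The buffer that fills here is the operating-system pipe (64 KiB on Linux), not APR's 4096-byte buffer, so the child writes well past either; the child script, byte counts and timeout are constructed for the demonstration.

```python
"""Reproduce the stdout-then-stderr pipe deadlock behind the mod_cgi hang.

Added example, not Apache or APR code.  A child floods stderr before it
closes stdout; a parent that reads stdout to EOF first blocks forever,
because the child is itself blocked in write() on the full stderr pipe.
"""
import subprocess
import sys
import threading

STDERR_BYTES = 1 << 20   # 1 MiB: larger than any default pipe capacity
STDOUT_BYTES = 16

# Constructed stand-in for a CGI script: stderr first, stdout last.
CHILD = (
    "import sys\n"
    f"sys.stderr.write('e' * {STDERR_BYTES}); sys.stderr.flush()\n"
    f"sys.stdout.write('o' * {STDOUT_BYTES}); sys.stdout.flush()\n"
)


def spawn() -> subprocess.Popen:
    """Start the child with both streams captured through pipes."""
    return subprocess.Popen(
        [sys.executable, "-c", CHILD],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )


def sequential_read(timeout: float = 3.0) -> bool:
    """mod_cgi-style: read stdout to EOF, only then stderr.

    Returns True if the read had not completed after `timeout` seconds,
    i.e. the two processes deadlocked on each other.
    """
    child = spawn()
    result = {}

    def reader():
        # Blocks: the child never reaches its stdout write, so no EOF comes.
        result["out"] = child.stdout.read()
        result["err"] = child.stderr.read()

    worker = threading.Thread(target=reader, daemon=True)
    worker.start()
    worker.join(timeout)
    hung = worker.is_alive()
    child.kill()        # unblock the child's write() so the reader sees EOF
    worker.join()
    child.wait()
    return hung


def concurrent_read() -> tuple[int, int]:
    """Fixed pattern: drain both pipes at once (what communicate() does).

    Returns the (stdout, stderr) byte counts actually received.
    """
    child = spawn()
    out, err = child.communicate()
    child.wait()
    return len(out), len(err)


if __name__ == "__main__":
    print("sequential read hung:", sequential_read())     # True
    print("concurrent read sizes:", concurrent_read())    # (16, 1048576)
```

Run it directly to watch the sequential read time out while communicate() finishes immediately. The same rule applies to any supervisor that captures both streams of a child: read them concurrently, merge stderr into stdout, or send stderr to a file, and never assume the child will close one stream before it fills the other.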