- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Pending Vulnerabilities GLVP 200403-01
Unofficial Announcement
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
glvp@×××××××××.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Abstract: This email is a compilation of known but unresolved
vulnerabilities and security issues in Gentoo Linux. This GLPV email
will be issued each Saturday as a reminder and warning for Gentoo users
about unresolved security critical bugs of packages in the Gentoo
Portage tree. This is an unofficial email, not associated with the
Gentoo Linux security team. Since I am far from perfect, this mail may
contain errors. Please report them if you spot them.

How to contribute: You can help make Gentoo an even better Linux
experience by contributing any bugs you notice to bugs.gentoo.org and
informing me about it. This is a guideline on how to contribute best:

Skim through security related channels like bugtraq, full-disclosure,
any announcements other distributions offer and security related media
and press reports.

Activate your curiosity: if you notice a package that might be included
in the Gentoo Linux Portage tree, confirm it's in Portage and check its
version in Portage (stable). Is an affected version in Portage? You may
need to check whether any patching has been done already. If in doubt,
assume that the bug still exists.

Browse the bugs in bugs.gentoo.org and see whether the issue is already
known. If the issue is already known but not included in any GLPV
announcement then please send me a mail at glpv@×××××××××.org and don't
forget to mention the bug identifier from Bugzilla. If the bug is not
yet in Bugzilla then enter it into Bugzilla. Include any external
reference in your Bugzilla entry and inform me about this new pending
vulnerability so I can include it here.

Comments, suggestions and reports about errors are welcome at
glpv@×××××××××.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

*****************
Package: Linux kernel
Versions: 2.2 up to and including 2.2.25, 2.4 up to and including
2.4.24, 2.6 up to and including 2.6.2
Subject: Linux kernel do_mremap VMA limit local privilege escalation
vulnerability
Risk: critical
Date: 01/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=42024
Cross Reference:
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt

Description:

See the cross reference.

*****************

*****************
Package: Ethereal
Versions: 0.8.14 - 0.10.2
Subject: Multiple (13) Ethereal remote overflows discovered
Risk: critical
Date: 23/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45543
Cross Reference: http://security.e-matters.de/advisories/032004.html

Description:

See the cross reference.

*****************

*****************
Package: xfsdump
Versions: ?
Subject: xfsdump creates files insecurely
Risk: critical
Date: 10/04/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=19406
Cross Reference:
ftp://patches.sgi.com/support/free/security/advisories/20030404-01-P

Description:

xfsdq in xfsdump does not create quota information files securely, which
allows local users to gain root privileges.

*****************

*****************
Package: Firebird
Versions: ?
Subject: Environment Variable Buffer Overflow Vulnerability
Risk: critical
Date: 10/05/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=20837
Cross Reference: http://securityfocus.com/bid/7546/info/

Description:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems. As Firebird is based on
Borland/Inprise Interbase source code, it is very likely that Interbase
is prone to this issue also.

A buffer overflow has been discovered in the setuid root program
gds_inet_server, packaged with Firebird. This problem could allow a
local user to execute the program with strings of arbitrary length. By
using a custom crafted string, the attacker could overwrite stack
memory, including the return address of a function, and potentially
execute arbitrary code as root.

*****************

*****************
Package: imagemagick
Versions: ?
Subject: insecure temporary file
Risk: low/medium
Date: 27/06/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=24001
Cross Reference: http://www.debian.org/security/2003/dsa-331

Description:

See cross reference.

*****************

*****************
Package: OpenLDAP
Versions: ?
Subject: Denial of Service and other (non-security) fixes
Risk: critical
Date: 04/07/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=26728
Cross Reference: http://www.openldap.org/its/index.cgi?findid=2390

Description:

A failed password extended operation (password EXOP) can cause OpenLDAP,
when using the back-ldbm backend, to attempt to free memory which was
never allocated, resulting in a segfault. The back-bdb backend, on the
other hand, has a memory leak in the same code. Both conditions can be
triggered remotely.

See the Bugzilla entry for more information.

*****************

*****************
Package: Gentoo Portage
Versions: ?
Subject: emerge security - running as root and digital signatures
Risk: medium/high
Date: 08/02/2002
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=5902
Cross Reference: none

Description:

Running emerge as root is only necessary for the merge step. Unpacking,
setup and compilation should be done as a normal user (say, "nobody").
Merging should never overwrite an existing file without user
authorisation.

At the moment there are a couple of ways to get root from portage:

1) through a trojaned build process
2) through a trojaned source that gets installed and executed by root

Running the build process as a normal user avoids 1). Not overwriting
existing files avoids 2), unless the user is installing some new root
daemon/program, then they're screwed anyway.

*****************

*****************
Package: scorched3d
Versions: 36.2 and ?
Subject: format string crashes server and client
Risk: low/medium (denial of service)
Date: 24/01/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=39302
Cross Reference: none

Description:

games-strategy/scorched3d-36.2 suffers from a format string problem that
crashes clients and servers. If this is used while playing standalone,
the client will crash. If this is used while playing on a server, the
server will crash, and all clients will be disconnected.

*****************

*****************
Package: 8139too driver
Versions: ?
Subject: 8139too driver icmp leak
Risk: high
Date: 01/06/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=24661
Cross Reference:
http://www.atstake.com/research/advisories/2003/a010603-1.txt

Description:

Multiple platform ethernet Network Interface Card (NIC) device
drivers incorrectly handle frame padding, allowing an attacker to view
slices of previously transmitted packets or portions of kernel memory.
This vulnerability is the result of incorrect implementations of RFC
requirements and poor programming practices, the combination
of which results in several variations of this information leakage
vulnerability.
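An added audit check for the padding leak just described (not code from the @stake advisory or from any driver): given an IPv4 frame captured without its FCS, it isolates the bytes that follow the IP datagram and flags padding that is not all zeros, which is the signature of a driver sending leftover buffer contents. The frames are constructed inline.

```python
"""Frame-padding leak check.  A short Ethernet frame has to be padded to
the 46-byte minimum payload; a correct driver pads with zeros, a leaky one
sends whatever was left in its transmit buffer.  Constructed example."""
import struct

ETH_HDR_LEN = 14
ETH_MIN_PAYLOAD = 46          # minimum Ethernet payload, FCS excluded
ETHERTYPE_IPV4 = 0x0800


def ipv4_padding(frame: bytes) -> bytes:
    """Return the padding bytes after the IP datagram in `frame` (an
    Ethernet frame without FCS), or b'' if the datagram fills the frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled here")
    if frame[ETH_HDR_LEN] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    if total_len < 20 or ETH_HDR_LEN + total_len > len(frame):
        raise ValueError("IP total length inconsistent with frame size")
    # Everything past the IP total length is padding the driver added.
    return frame[ETH_HDR_LEN + total_len:]


def leaks_padding(frame: bytes) -> bool:
    """True when the trailing padding carries anything other than zeros."""
    return any(ipv4_padding(frame))


def build_frame(ip_payload: bytes, padding: bytes) -> bytes:
    """Constructed helper: wrap `ip_payload` in a minimal IPv4/Ethernet
    frame (protocol ICMP, checksum left zero) and append `padding` exactly
    as a driver would when transmitting a short frame."""
    total_len = 20 + len(ip_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + ip_payload + padding


# Constructed 8-byte ICMP echo request: a 28-byte IP datagram, so the
# driver must add 18 bytes of padding to reach the 46-byte minimum.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])
PAD_LEN = ETH_MIN_PAYLOAD - (20 + len(ICMP_ECHO))

GOOD_FRAME = build_frame(ICMP_ECHO, bytes(PAD_LEN))
# Constructed "leaked" padding: a slice of an earlier, unrelated packet.
LEAKY_FRAME = build_frame(ICMP_ECHO, b"GET /secret HTTP/1"[:PAD_LEN])

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("leaky", LEAKY_FRAME)):
        print(name, len(frame), "bytes, padding =", ipv4_padding(frame),
              "LEAK" if leaks_padding(frame) else "ok")
```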

*****************

*****************
Package: pam
Versions: ?
Subject: pam_console setup broken
Risk: critical
Date: 23/10/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=31877
Cross Reference: none

Description:

Reproducible: Always
Steps to Reproduce:
1. log in on a virtual terminal as a normal user
2. check permissions on pam_console managed devices
for example:
ls -l /dev/floppy/0
3. press <Ctrl><Alt><Del>
4. wait for the computer to reboot
5. log in on any virtual terminal as root
6. repeat step 2

Actual Results:
/dev/floppy/0 is still owned by the last logged in user!
same problem with serial ports!
same problem with cdroms/zips/usb-storage devices/...
same problem with all devices managed by pam_console!!!

Expected Results:
devices should have ownership from devfsd.conf or root:root!

*****************

*****************
Package: FreeRadius
Versions: <= 0.9.3
Subject: rlm_smb module stack overflow vulnerability
Risk: critical
Date: 26/11/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=34424
Cross Reference: http://www.s-quadra.com/advisories/Adv-20031126.txt

Description:

See cross reference.

*****************

*****************
Package: irssi
Versions: 0.8.9 and ?, x86 not affected
Subject: remotely crash another user's irssi client
Risk: low/medium
Date: 11/12/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=35614
Cross Reference: none

Description:

See Bugzilla entry.

*****************

*****************
Package: nscd
Versions: ?
Subject: nscd dns spoof attack
Risk: critical
Date: 01/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=40067
Cross Reference: none

Description:

nscd will reverse-resolve an IP address and later use the forward lookup
of that name for lookups, allowing a spoofing attack which can be used to
gather passwords and other data.

*****************

*****************
Package: xscreensaver
Versions: 4.14 and ?
Subject: file in /tmp, symlink attack
Risk: high/critical
Date: 11/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=41253
Cross Reference: none

Description:

See Bugzilla entry.

*****************

*****************
Package: metamail
Versions: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
Subject: format string bugs and buffer overflows
Risk: critical
Date: 18/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=42133
Cross Reference:
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html

Description:

See cross reference.

*****************

*****************
Package: msyslog
Versions: != 1.09d or 1.08f
Subject: buffer overflows
Risk: critical
Date: 10/04/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=42963
Cross Reference:
http://sourceforge.net/forum/forum.php?forum_id=267918

Description:

See Bugzilla entry.

*****************

*****************
Package: monit
Versions: < 4.1.1
Subject: remote vulnerability
Risk: critical
Date: 07/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=43967
Cross Reference: http://www.tildeslash.com/monit/

Description:

No description available.

*****************

*****************
Package: Unreal engine
Versions: ?
Subject: Format string bug in EpicGames Unreal engine
Risk: critical
Date: 10/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=44351
Cross Reference:
http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0

Description:

The problem is a format string bug in the Classes management.
Each time a client connects to a server it sends the names of the
objects it uses (called classes).

If an attacker uses a class name containing format parameters (such as
%n, %s and so on) he will be able to crash the remote server or execute
malicious code on it.

*****************

*****************
Package: clamav
Versions: < 0.70-rc
Subject: RAR DoS vulnerability
Risk: critical
Date: 22/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45357
Cross Reference: http://secunia.com/advisories/11177/

Description:

A vulnerability has been discovered in Clam AntiVirus, which can be
exploited by malicious people to cause a DoS (Denial-of-Service).

An unspecified error within the processing of certain RAR archives (e.g.
some of those generated by the Bagle virus) may cause a crash.

*****************

*****************
Package: GNU Automake
Versions: < 1.8.3
Subject: Insecure Temporary Directory Creation Symbolic Link
Vulnerability
Risk: high/critical
Date: 08/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45646
Cross Reference: http://www.securityfocus.com/bid/9816/info/

Description:

See cross reference.

*****************

*****************
Package: apache, mod_cgi
Versions: 2.0.47
Subject: Apache 2.0.47 & mod_cgi: denial of service
Risk: critical
Date: 31/07/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=29893
Cross Reference:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

Description:

If a CGI script under mod_cgi outputs more than 4096 bytes of stderr
before it finishes writing to and closing its stdout, the write() in the
CGI script containing the 4097th byte of stderr will hang indefinitely,
hanging the script's execution.

This appears to be caused by the fact that mod_cgi reads all stdout
output first, and then begins reading stderr output. APR's file_io,
which is handling the streams, will only buffer 4096 characters before
further writes by the script to stderr will hang, waiting for mod_cgi to
read some of the data from the stream via APR file_io.
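The stdout-before-stderr deadlock described above, reproduced in miniature as an added example (not Apache or APR code): a Python parent plays mod_cgi's part and a constructed child plays the CGI script. `read_sequentially` drains stdout to EOF first and so blocks once the child has filled the stderr pipe (it is killed after a timeout so the demo terminates); `read_concurrently` shows the fix, servicing whichever pipe has data.

```python
"""Pipe deadlock between a parent that reads stdout to EOF before stderr
and a child that writes a lot of stderr before closing stdout.
Constructed example; the child is a stand-in for the CGI script."""
import os
import selectors
import subprocess
import sys
import threading

# Far above any pipe buffer (the advisory's APR buffer was 4096 bytes;
# Linux pipes default to 64 KiB), so the child's stderr write must block
# until the parent drains that pipe.
STDERR_BYTES = 1 << 20

# Constructed stand-in for the CGI script: it floods stderr first, then
# writes its real response to stdout and exits.
CHILD_SCRIPT = (
    "import sys\n"
    f"sys.stderr.write('e' * {STDERR_BYTES})\n"
    "sys.stderr.flush()\n"
    "sys.stdout.write('Content-Type: text/plain\\r\\n\\r\\nok\\n')\n"
)


def spawn():
    """Start the stand-in child with both output streams piped to us."""
    return subprocess.Popen([sys.executable, "-c", CHILD_SCRIPT],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def read_sequentially(proc, timeout=3.0):
    """The pattern the advisory blames: read stdout to EOF, then stderr.
    Returns (stdout, stderr), or None when the stdout read is still blocked
    after `timeout` seconds; the child is then killed so nobody hangs."""
    result = {}

    def worker():
        result["out"] = proc.stdout.read()  # no EOF: child is stuck on stderr
        result["err"] = proc.stderr.read()

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    deadlocked = t.is_alive()
    if deadlocked:
        proc.kill()      # child exit closes the pipes and unblocks the worker
        t.join()
    proc.wait()
    proc.stdout.close()
    proc.stderr.close()
    return None if deadlocked else (result["out"], result["err"])


def read_concurrently(proc):
    """The fix: service whichever pipe has data, so the child never blocks on
    a full buffer.  subprocess.communicate() does the same thing internally."""
    out_fd, err_fd = proc.stdout.fileno(), proc.stderr.fileno()
    bufs = {out_fd: bytearray(), err_fd: bytearray()}
    sel = selectors.DefaultSelector()
    for fd in bufs:
        sel.register(fd, selectors.EVENT_READ)
    while sel.get_map():                 # until both pipes have hit EOF
        for key, _ in sel.select():
            chunk = os.read(key.fd, 65536)
            if chunk:
                bufs[key.fd] += chunk
            else:
                sel.unregister(key.fd)
    sel.close()
    proc.wait()
    proc.stdout.close()
    proc.stderr.close()
    return bytes(bufs[out_fd]), bytes(bufs[err_fd])


if __name__ == "__main__":
    print("sequential read deadlocks:", read_sequentially(spawn()) is None)
    out, err = read_concurrently(spawn())
    print(f"concurrent read: {len(out)} stdout bytes, {len(err)} stderr bytes")
```

The same deadlock can be produced with the roles reversed (stderr drained first while the child floods stdout); the cure is the same: never wait for EOF on one pipe while the other can fill.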

*****************

*****************
Package: courier-imap
Versions: see cross reference
Subject: Multiple Remote Buffer Overflow Vulnerabilities
Risk: critical
Date: 11/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45584
Cross Reference: http://www.securityfocus.com/bid/9845/info/

Description:

Multiple buffer overflow vulnerabilities have been identified in Courier
MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may
allow a remote attacker to execute arbitrary code on a vulnerable system
in order to gain unauthorized access.

*****************

*****************
Package: Mozilla
Versions: < 1.6
Subject: Cross-domain exploit on zombie document with event handlers
Risk: critical
Date: 25/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=43072
Cross Reference: http://www.securityfocus.com/archive/1/355233

Description:

When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.

*****************

*****************
Package: fetchmail
Versions: <= 6.2.4
Subject: email denial of service
Risk: low/medium
Date: 16/10/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=37717
Cross Reference: http://xforce.iss.net/xforce/xfdb/13450

Description:

Fetchmail is a full-featured remote mail-retrieval and forwarding
utility for Unix that uses the POP3 and IMAP protocols. Fetchmail
version 6.2.4 is vulnerable to a denial of service attack. By sending a
specially-crafted email, a remote attacker can cause the program to
crash.

*****************

*****************
Package: RealOne Player and RealPlayer 8
Versions: ?
Subject: arbitrary code execution
Risk: critical
Date: 04/02/2004?
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=40469
Cross Reference:
http://www.service.real.com/help/faq/security/040123_player/EN/

Description:

RealNetworks, Inc. has recently been made aware of security
vulnerabilities that could potentially allow an attacker to run
arbitrary code on a user's machine.

The specific exploits were:

* Exploit 1: To operate remote Javascript from the domain of the
  URL opened by a SMIL file or other file.
* Exploit 2: To fashion RMP files which allow an attacker to
  download and execute arbitrary code on a user's machine.
* Exploit 3: To fashion media files to create Buffer Overrun
  errors.

While we have not received reports of anyone actually being attacked
with this exploit, all security vulnerabilities are taken very seriously
by RealNetworks. RealNetworks has found and fixed the problem.

*****************

*****************
Package: mpg123
Versions: ?
Subject: heap overflow, arbitrary code execution
Risk: high
Date: 06/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=40631
Cross Reference: http://www.debian.org/security/2004/dsa-435

Description:

A vulnerability was discovered in mpg123, a command-line mp3 player,
whereby a response from a remote HTTP server could overflow a buffer
allocated on the heap, potentially permitting execution of arbitrary
code with the privileges of the user invoking mpg123. In order for
this vulnerability to be exploited, mpg123 would need to request an
mp3 stream from a malicious remote server via HTTP.

*****************

*****************
Package: Samba, Linux kernel
Versions: Samba 3.x, Linux kernel 2.6.x
Subject: Samba 3.x + kernel 2.6.x local root vulnerability
Risk: high
Date: 09/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=41800
Cross Reference: http://www.securityfocus.com/archive/1/353217

Description:

See cross reference.

*****************

*****************
Package: uudeview
Versions: < 0.5.20
Subject: buffer overflow vulnerabilities, remote arbitrary code
execution
Risk: high
Date: 02/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=44859
Cross Reference:
http://www.securitytracker.com/alerts/2004/Mar/1009291.html

Description:

It is reported that a remote user can create a malicious MIME file
(.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions) that, when
processed by a target user, will cause UUDeview to crash or execute
arbitrary code. The code will run with the privileges of the target user
or application.

*****************

*****************
Package: MySQL
Versions: all
Subject: Symlink bug / tmpfile bug
Risk: low/medium
Date: 24/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45727
Cross Reference: http://nettwerked.mg2.org/advisories/mysqlbug

Description:

See cross reference.

*****************

*****************
Package: pwlib
Versions: < 1.6.0
Subject: multiple vulnerabilities allow remote DoS attacks and possibly
execution of arbitrary code
Risk: high
Date: 13/01/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45846
Cross Reference:
http://www.postincrement.com/openh323/nissc_vulnerabilty.html

Description:

See cross reference.

*****************

*****************
Package: iproute
Versions: ?
Subject: local denial of service attack
Risk: medium/high
Date: 24/11/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=34294
Cross Reference: http://rhn.redhat.com/errata/RHSA-2003-316.html

Description:

Herbert Xu reported that iproute can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine. This could
lead to a local denial of service attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to
this issue.

*****************

*****************
Package: openhbci-plugin-ddvcard
Versions: ?
Subject: openhbci-plugin-ddvcard can destroy hbci-cards
Risk: critical
Date: 13/01/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=38201
Cross Reference:
http://sourceforge.net/mailarchive/forum.php?thread_id=3743892&forum_id=926

Description:

See cross reference (German) and Bugzilla entry.

*****************

*****************
Package: tcpdump
Versions: ?
Subject: denial of service, or possibly execute arbitrary
code as the 'pcap' user
Risk: medium/high
Date: 14/01/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=38206
Cross Reference: none

Description:

Tcpdump is a command-line tool for monitoring network traffic.

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1.

Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these
issues.

*****************

*****************
Package: kdepim
Versions: from KDE 3.1.0 to 3.1.4
Subject: buffer overflow in the file information reader of VCF files
Risk: high/critical
Date: 14/01/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=38256
Cross Reference:
http://www.kde.org/info/security/advisory-20040114-1.txt

Description:

A carefully crafted .VCF file potentially enables local attackers to
compromise the privacy of a victim's data or execute arbitrary commands
with the victim's privileges.

By default, file information reading is disabled for remote files.
However, if previews are enabled for remote files, remote attackers may
be able to compromise the victim's account.

*****************

*****************
Package: dcron
Versions: 2.9
Subject: dcron installs init script suid 4755
Risk: medium
Date: 25/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=42908
Cross Reference: http://dev.gentoo.org/~solar/misc/dcron-2.9-r2.diff

Description:

See Bugzilla entry.

*****************

*****************
Package: xine
Versions: ?
Subject: Symlink bug / tmpfile bug in xine-check and xine-bugreport
Risk: low/medium
Date: 19/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45448
Cross Reference: http://nettwerked.mg2.org/advisories/xinebug

Description:

See cross reference.

*****************

*****************
Package: phpBB
Versions: ?
Subject: Multiple vulnerabilities
Risk: critical
Date: 13/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45482
Cross Reference: http://www.securityfocus.com/bid/9865

Description:

See Bugzilla entry and cross reference.

*****************

*****************
Package: SquidGuard
Versions: <= 1.2.0
Subject: NULL URL Character Unauthorized Access Vulnerability
Risk: critical
Date: 19/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45491
Cross Reference: http://www.securityfocus.com/bid/9919/info/

Description:

Reportedly SquidGuard is prone to a remote NULL URL character
unauthorized access vulnerability. This issue is due to a failure of the
application to properly filter out invalid URIs.

Successful exploitation of this issue may allow a remote attacker to
bypass access controls, resulting in unauthorized access to
attacker-specified resources. This may allow the attacker to gain
unauthorized access to sensitive resources.

*****************

*****************
Package: Jetty
Versions: < 4.2.19
Subject: Unspecified Denial Of Service Vulnerability
Risk: high/critical
Date: 18/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45552
Cross Reference: http://www.securityfocus.com/bid/9917

Description:

See cross reference.

*****************

*****************
Package: oftpd
Versions: 0.3.6 and possibly others
Subject: remote DoS vulnerability
Risk: medium/high
Date: 04/03/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=45738
Cross Reference: http://www.time-travellers.org/oftpd/oftpd-dos.html

Description:

Denial of service. An ftp server can be taken offline with a simple
telnet connection.

*****************

*****************
Package: libxml2
Versions: 2.6.x
Subject: URI Parsing Buffer Overflow Vulnerabilities
Risk: high/critical
Date: 24/02/2004
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=42735
Cross Reference: http://secunia.com/advisories/10958/

Description:

Yuuichi Teranishi has discovered some vulnerabilities in libxml2, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

The vulnerabilities are caused by boundary errors in nanohttp and
nanoftp when parsing overly long URIs. This can be exploited to cause a
buffer overflow by supplying an overly long URI (about 4096 bytes).

Successful exploitation may potentially allow execution of arbitrary
code.

*****************

*****************
Package: inn
Versions: < 2.4.1?
Subject: ?
Risk: ?
Date: 17/09/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=29020
Cross Reference: none

Description:

See Bugzilla entry.

*****************

*****************
Package: mplayer
Versions: ?
Subject: /dev/misc/rtc permissions change & sysctl.conf addition
Risk: low/medium?
Date: 11/09/2003
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=28486
Cross Reference: none

Description:

See Bugzilla entry.

*****************

If you spotted any errors or you're aware of additional
references/information, please drop me a note at glpv@×××××××××.org.

This list is far from complete. As of today it only contains entries
from Bugzilla that haven't been fixed yet. There are probably many
issues that haven't found their way into Bugzilla at all.


kind regards,
Tobias Weisserth


--
***************************************************
    ____  _____
   |  _ \| ____|   Tobias Weisserth
   | | | |  _|     tobias@weisserth.[de|com|net|org]
  _| |_| | |___    http://www.weisserth.org
 (_)____/|_____|

Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************