xloadimage -- arbitrary command execution when handling compressed files
Tavis Ormandy discovered that xli and xloadimage attempt to decompress images by piping them through gunzip or similar decompression tools. Unfortunately, the unsanitized file name is included as part of the command. This is dangerous, as in some situations, such as mailcap processing, an attacke...
CVE-2005-0439
Removed by vendor...
f2c: Insecure temporary file creation
Background f2c is a Fortran to C translator. Portage uses this package in some ebuilds to build Fortran sources. Description Javier Fernandez-Sanguino Pena from the Debian Security Audit Team discovered that f2c creates temporary files in world-writeable directories with predictable names. Impact...
DEBIAN-CVE-2004-1294
The mget function in cmds.c for tnftp 20030825 allows remote FTP servers to overwrite arbitrary files via FTP responses containing file names with / (slash) characters...
CVE-2004-1336
The xdvizilla script in tetex-bin 2.0.2 creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack...
Debian DSA-154-1 : fam - privilege escalation
A flaw was discovered in FAM's group handling. In the effect users are unable to read FAM directories they have group read and execute permissions on. However, also unprivileged users can potentially learn names of files that only users in root's group should be able to view. This problem been fix...
Bugzilla XSS / Insecure Temporary File Names
Binary data 1555.prm...
a2ps -- insecure command line argument handling
Rudolf Polzer reports: a2ps builds a command line for file containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it - or simply typing "a2ps .txt" in /tmp - is...
RHEL 2.1 / 3 : sysstat (RHSA-2004:053)
Updated sysstat packages that fix various bugs and security issues are now available. Sysstat is a tool for gathering system statistics. Isag is a utility for graphically displaying these statistics. A bug was found in the Red Hat sysstat package post and trigger scripts, which used insecure...
security flaw
Multiple stack-based buffer overflows in the getheader function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testi...
CVE-2004-0234
Multiple stack-based buffer overflows in the getheader function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testi...
CVE-2003-1539
Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manager (SFM) before 0.21 allows remote attackers to inject arbitrary web script or HTML via (1) file names and (2) directory names...
Vulnerability in Drag and Zip
=================================== - Product: Drag and Zip - Version: 3.0 - Offsite: http://www.canyonsw.com - Authors: Canyon Software - Problem: Buffer Overflow =================================== General Description The vulnerability found by me in this product, does not represent the big...
CVE-2002-0875
Vulnerability in FAM 2.6.8, 2.6.6, and other versions allows unprivileged users to obtain the names of files whose access is restricted to the root group...
CVE-2002-1395
Internet Message (IM) 141-18 and earlier uses predictable file and directory names, which allows local users to (1) obtain unauthorized directory permissions via a temporary directory used by impwagent, and (2) overwrite and create arbitrary files via immknmz...
CVE-2002-1395
CVE-2002-1395 affects Internet Message (IM) and its components impwagent and immknmz. The Debian advisory notes insecure handling of temporary files: impwagent creates a temporary directory in /tmp with predictable names, allowing local users to obtain unauthorized directory permissions, and immk...
Sun Cobalt RaQ 4.0 - Predictable Temporary Filename Symbolic Link Attack
source: https://www.securityfocus.com/bid/5529/info A vulnerability has been reported in Cobalt RaQ that may allow attackers to obtain elevated privileges. The vulnerability exists in the /usr/lib/authenticate utility which is used by Apache for authentication purposes. Reportedly, the utility...
CVE-2000-0006
strace allows local users to read arbitrary files via memory mapped file names...
CVE-1999-1440
Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is...