6526 matches found

FreeBSD
added 2005/02/16 12:0 a.m. | 22 views

typespeed -- arbitrary code execution

Debian reports: Ulf Härnhammar from the Debian Security Audit Project discovered a problem in typespeed, a touch-typist trainer disguised as a game. This could lead to a local attacker executing arbitrary code...

CVSS: 4.6 | AI score: 6.2 | EPSS: 0.00162
Exploits: 0 | References: 1

FreeBSD
added 2005/02/14 12:0 a.m. | 27 views

unace -- multiple vulnerabilities

Ulf Härnhammar reports: There are buffer overflows when extracting, testing or listing specially prepared ACE archives. There are directory traversal bugs when extracting ACE archives. There are also buffer overflows when dealing with long 17000 characters command line arguments. Secunia reports:...

CVSS: 5.1 | AI score: 6.1 | EPSS: 0.02189
Exploits: 0 | References: 2

FreeBSD
added 2005/02/14 12:0 a.m. | 39 views

cyrus-imapd -- multiple buffer overflow vulnerabilities

The Cyrus IMAP Server ChangeLog states: Fix possible single byte overflow in mailbox handling code. Fix possible single byte overflows in the imapd annotate extension. Fix stack buffer overflows in fetchnews exploitable by peer news server, backend exploitable by admin, and in imapd exploitable b...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.01818
Exploits: 0 | References: 1

FreeBSD
added 2005/02/12 12:0 a.m. | 30 views

lighttpd -- script source disclosure vulnerability

The lighttpd website reports: In lighttpd 1.3.7 and below it is possible to fetch the source files which should be handled by CGI or FastCGI applications. The vulnerability is in the handling of urlencoded trailing NUL bytes. Installations that do not use CGI or FastCGI are not affected...

CVSS: 5 | AI score: 6.4 | EPSS: 0.00812
Exploits: 0 | References: 3

FreeBSD
added 2005/02/11 12:0 a.m. | 17 views

sympa -- buffer overflow in "queue"

Erik Sjölund discovered a vulnerability in Sympa. The queue application processes messages received via aliases. It contains a buffer overflow in the usage of sprintf. In some configurations, it may allow an attacker to execute arbitrary code as the sympa user...

CVSS: 4.6 | AI score: 7.7 | EPSS: 0.00098
Exploits: 0 | References: 1

FreeBSD
added 2005/02/11 12:0 a.m. | 17 views

xpcd -- buffer overflow

Debian Project reports: Erik Sjolund discovered a buffer overflow in pcdsvgaview, an SVGA PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display graphics on the Linux console for which root permissions are required. A malicious user could overflow a fixed-size buffer and may cause...

CVSS: 7.2 | AI score: 7.6 | EPSS: 0.00054
Exploits: 0 | References: 1

FreeBSD
added 2005/02/10 12:0 a.m. | 44 views

awstats -- arbitrary command execution

Several input validation errors exist in AWStats that allow a remote unauthenticated attacker to execute arbitrary commands with the privileges of the web server. These programming errors involve CGI parameters including loadplugin, logfile, pluginmode, update, and possibly others. Additionally,...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.08513
Exploits: 3 | References: 4

FreeBSD
added 2005/02/09 12:0 a.m. | 35 views

xview -- multiple buffer overflows in xv_parse_one

A Debian Security Advisory reports: Erik Sjölund discovered that programs linked against xview are vulnerable to a number of buffer overflows in the XView library. When the overflow is triggered in a program which is installed setuid root a malicious user could perhaps execute arbitrary code as...

CVSS: 7.2 | AI score: 7.4 | EPSS: 0.00071
Exploits: 0 | References: 2

FreeBSD
added 2005/02/08 12:0 a.m. | 29 views

gnupg -- OpenPGP symmetric encryption vulnerability

Serge Mister and Robert Zuccherato report that the OpenPGP protocol is vulnerable to a cryptographic attack when using symmetric encryption in an automated way. David Shaw reports about the impact: This attack, while very significant from a cryptographic point of view, is not generally effective...

CVSS: 5 | AI score: 6.2 | EPSS: 0.07683
Exploits: 0 | References: 3

FreeBSD
added 2005/02/08 12:0 a.m. | 46 views

xli -- integer overflows in image size calculations

Tavis Ormandy discovered several integer overflows in xli's image size handling. A maliciously crafted image may be able to cause a heap buffer overflow and execute arbitrary code...

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.01955
Exploits: 0 | References: 2

FreeBSD
added 2005/02/07 12:0 a.m. | 28 views

postgresql -- multiple buffer overflows in PL/PgSQL parser

The PL/PgSQL parser in postgresql is vulnerable to several buffer overflows. These could be exploited by a remote attacker to execute arbitrary code with the permissions of the postgresql server by running a specially crafted query...

CVSS: 6.5 | AI score: 7.3 | EPSS: 0.0195
Exploits: 0 | References: 1

FreeBSD
added 2005/02/06 12:0 a.m. | 14 views

mozilla -- insecure temporary directory vulnerability

A Mozilla Foundation Security Advisory reports: A predictable name is used for the plugin temporary directory. A malicious local user could symlink this to the victim's home directory and wait for the victim to run Firefox. When Firefox shuts down the victim's directory would be erased...

AI score: 0.8
Exploits: 0 | References: 2

FreeBSD
added 2005/02/05 12:0 a.m. | 27 views

wu-ftpd -- remote globbing DoS vulnerability

An iDEFENSE Security Advisory reports: Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FTPD could allow for a denial of service of the system by resource exhaustion. The vulnerability specifically exists in the wufnmatch function in wufnmatch.c. When a pattern...

CVSS: 5 | AI score: 6.2 | EPSS: 0.26554
Exploits: 1 | References: 1

FreeBSD
added 2005/02/04 12:0 a.m. | 26 views

gftp -- directory traversal vulnerability

A Debian Security Advisory reports: Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client CAN-2004-1376 which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to ...

CVSS: 5 | AI score: 6.4 | EPSS: 0.11239
Exploits: 1 | References: 2

FreeBSD
added 2005/02/03 12:0 a.m. | 25 views

ngircd -- format string vulnerability

A No System Group security advisory reports that ngircd is vulnerable to a format string vulnerability in the LogResolver function of log.c, if IDENT support is enabled. This could allow a remote attacker to execute arbitrary code with the permissions of the ngircd daemon, which is root by defaul...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.1001
Exploits: 1 | References: 1

FreeBSD
added 2005/02/03 12:0 a.m. | 31 views

squid -- DoS on failed PUT/POST requests vulnerability

The squid patches page notes: An inconsistent state is entered on a failed PUT/POST request making a high risk for segmentation faults or other strange errors...

CVSS: 5 | AI score: 6.4 | EPSS: 0.12597
Exploits: 0 | References: 2

FreeBSD
added 2005/02/03 12:0 a.m. | 44 views

python -- SimpleXMLRPCServer.py allows unrestricted traversal

According to Python Security Advisory PSF-2005-001, The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.09112
Exploits: 0 | References: 1

FreeBSD
added 2005/02/03 12:0 a.m. | 22 views

htdig -- cross site scripting vulnerability

Michael Krax reports a vulnerability within htdig. The vulnerability lies within an unsanitized config parameter, allowing a malicious attacker to execute arbitrary scripting code on the target's browser. This might allow the attacker to obtain the user's cookies which are associated with the sit...

CVSS: 6.8 | AI score: 7.1 | EPSS: 0.04725
Exploits: 0 | References: 1

FreeBSD
added 2005/02/02 12:0 a.m. | 26 views

enscript -- multiple vulnerabilities

Erik Sjölund discovered several issues in enscript: it suffers from several buffer overflows, quotes and shell escape characters are insufficiently sanitized in filenames, and it supported taking input from an arbitrary command pipe, with unwanted side effects...

CVSS: 7.5 | AI score: 3.5 | EPSS: 0.0816
Exploits: 0 | References: 1

FreeBSD
added 2005/02/02 12:0 a.m. | 31 views

perl -- vulnerabilities in PERLIO_DEBUG handling

Kevin Finisterre discovered bugs in perl's I/O debug support: The environmental variable PERLIO_DEBUG is honored even by the set-user-ID perl command usually named sperl or suidperl. As a result, a local attacker may be able to gain elevated privileges. CVE-2005-0155 A buffer overflow may occur in...

CVSS: 4.6 | AI score: 6.9 | EPSS: 0.00386
Exploits: 2

FreeBSD
added 2005/02/01 12:0 a.m. | 31 views

phpmyadmin -- increased privilege vulnerability

The phpMyAdmin team reports: Escaping of the "" character was not properly done, giving a wildcard privilege when editing db-specific privileges with phpMyAdmin...

CVSS: 4.6 | AI score: 6.6 | EPSS: 0.00156
Exploits: 0 | References: 2

FreeBSD
added 2005/02/01 12:0 a.m. | 32 views

postgresql -- multiple vulnerabilities

Multiple vulnerabilities had been reported in various versions of PostgreSQL: The EXECUTE restrictions can be bypassed by using the AGGREGATE function, which is missing a permissions check. A buffer overflow exists in gram.y which could allow an attacker to execute arbitrary code by sending a lar...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.23114
Exploits: 1 | References: 1

FreeBSD
added 2005/01/31 12:0 a.m. | 28 views

emacs -- movemail format string vulnerability

Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. They can be exploited when connecting to a malicious POP server and can allow an attacker to execute arbitrary code under the privileges of the user running Emacs...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.02845
Exploits: 0

FreeBSD
added 2005/01/31 12:0 a.m. | 30 views

squid -- correct handling of oversized HTTP reply headers

The squid patches page notes: This patch addresses a HTTP protocol mismatch related to oversized reply headers. In addition it enhances the cache.log reporting on reply header parsing failures to make it easier to track down which sites are malfunctioning. It is believed that this bug may lead to...

CVSS: 5 | AI score: 6.4 | EPSS: 0.86221
Exploits: 0 | References: 2

FreeBSD
added 2005/01/30 12:0 a.m. | 27 views

mod_python -- information leakage vulnerability

Mark J Cox reports: Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extr...

CVSS: 7.5 | AI score: 6.2 | EPSS: 0.22532
Exploits: 0

FreeBSD
added 2005/01/29 12:0 a.m. | 30 views

squirrelmail -- XSS and remote code injection vulnerabilities

A SquirrelMail Security Advisory reports: SquirrelMail 1.4.4 has been released to resolve a number of security issues disclosed below. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release. Remote File Inclusion Manoel Zaninetti reported an issue in...

CVSS: 6.8 | AI score: 5.8 | EPSS: 0.03177
Exploits: 0 | References: 4

FreeBSD
added 2005/01/28 12:0 a.m. | 30 views

squid -- buffer overflow in WCCP recvfrom() call

According to the Squid Proxy Cache Security Update Advisory SQUID-2005:3, The WCCP recvfrom call accepts more data than will fit in the allocated buffer. An attacker may send a larger-than-normal WCCP message to Squid and overflow this buffer. Severity: The bug is important because it allows remo...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.45323
Exploits: 0 | References: 3

FreeBSD
added 2005/01/27 12:0 a.m. | 31 views

clamav -- zip handling DoS vulnerability

The clamav daemon is vulnerable to a DoS vulnerability due to insufficient handling of malformed zip files which can crash the clamav daemon...

CVSS: 5 | AI score: 6.4 | EPSS: 0.01306
Exploits: 0 | References: 1

FreeBSD
added 2005/01/27 12:0 a.m. | 21 views

f2c -- insecure temporary files

Javier Fernández-Sanguino Peña reports two temporary file vulnerabilities within f2c. The vulnerabilities are caused due to weak temporary file handling. An attacker could create a symbolic link, causing a local user running f2c to overwrite the symlinked file. This could give the attacker elevate...

CVSS: 2.1 | AI score: 6.2 | EPSS: 0.00098
Exploits: 0

FreeBSD
added 2005/01/26 12:0 a.m. | 34 views

gallery -- cross-site scripting

Gallery includes several cross-site scripting vulnerabilities that could allow malicious content to be injected...

CVSS: 6.8 | AI score: 5.9 | EPSS: 0.01631
Exploits: 1 | References: 2

FreeBSD
added 2005/01/26 12:0 a.m. | 22 views

ngircd -- buffer overflow vulnerability

Florian Westphal discovered a buffer overflow in ngircd which can be used to remotely crash the server and possibly execute arbitrary code...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.20153
Exploits: 1 | References: 1

FreeBSD
added 2005/01/25 12:0 a.m. | 29 views

p5-DBI -- insecure temporary file creation vulnerability

Javier Fernández-Sanguino Peña reports: The DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library...

CVSS: 2.1 | AI score: 6.4 | EPSS: 0.00074
Exploits: 0 | References: 1

FreeBSD
added 2005/01/25 12:0 a.m. | 24 views

zhcon -- unauthorized file access

Martin Joey Schulze reports: Erik Sjölund discovered that zhcon, a fast console CJK system using the Linux framebuffer, accesses a user-controlled configuration file with elevated privileges. Thus, it is possible to read arbitrary files. When installed from the FreeBSD Ports Collection, zhcon is...

CVSS: 2.1 | AI score: 6.4 | EPSS: 0.00078
Exploits: 1

FreeBSD
added 2005/01/25 12:0 a.m. | 23 views

bind9 -- denial of service

Problem description: A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit. Impact: On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the...

CVSS: 4.3 | AI score: 6.3 | EPSS: 0.06639
Exploits: 0 | References: 2

FreeBSD
added 2005/01/25 12:0 a.m. | 51 views

bind -- buffer overrun vulnerability

An ISC advisory reports a buffer overrun vulnerability within bind. The vulnerability could result in a Denial of Service. A workaround is available by disabling recursion and glue fetching...

CVSS: 5 | AI score: 6.5 | EPSS: 0.32012
Exploits: 0 | References: 2

FreeBSD
added 2005/01/24 12:0 a.m. | 34 views

squid -- possible cache-poisoning via malformed HTTP responses

The squid patches page notes: This patch makes Squid considerably stricter while parsing the HTTP protocol. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to b...

CVSS: 5 | AI score: 6.4 | EPSS: 0.83332
Exploits: 0 | References: 1

FreeBSD
added 2005/01/21 12:0 a.m. | 35 views

postgresql -- privilege escalation vulnerability

John Heasman and others discovered that non-privileged users could use the LOAD extension to load arbitrary libraries into the postgres server process space. This could be used by non-privileged local users to execute arbitrary code with the privileges of the postgresql server...

CVSS: 4.3 | AI score: 6.7 | EPSS: 0.00116
Exploits: 0 | References: 2

FreeBSD
added 2005/01/21 12:0 a.m. | 25 views

kdelibs -- insecure temporary file creation

Davide Madrisan reports: The dcopidlng script in the KDE library package kdelibs-3.3.2/dcop/dcopidlng/dcopidlng creates temporary files in an unsecure manner. Note: dcopidlng is only used at build time, so only users installing KDE are vulnerable, not users already running KDE...

CVSS: 2.1 | AI score: 6.4 | EPSS: 0.0007
Exploits: 0 | References: 2

FreeBSD
added 2005/01/20 12:0 a.m. | 19 views

gforge -- directory traversal vulnerability

An STG Security Advisory reports: GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. ... malicious attackers can read arbitrary directory lists...

CVSS: 5 | AI score: 6.6 | EPSS: 0.00457
Exploits: 0 | References: 1

FreeBSD
added 2005/01/20 12:0 a.m. | 37 views

evolution -- arbitrary code execution vulnerability

Martin Joey Schulze reports: Max Vozeler discovered an integer overflow in the helper application camel-lock-helper which runs setuid root or setgid mail inside of Evolution, a free groupware suite. A local attacker can cause the setuid root helper to execute arbitrary code with elevated privileg...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.00599
Exploits: 0 | References: 1

FreeBSD
added 2005/01/20 12:0 a.m. | 22 views

yamt -- buffer overflow and directory traversal issues

Stanislav Brabec discovered errors in yamt's path name handling that lead to buffer overflows and directory traversal issues. When processing a file with a maliciously crafted ID3 tag, yamt might overwrite arbitrary files or possibly execute arbitrary code. The SuSE package ChangeLog contains:...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.01329
Exploits: 1 | References: 2

FreeBSD
added 2005/01/19 12:0 a.m. | 21 views

konversation -- shell script command injection

Konversation comes with Perl scripts that do not properly escape shell characters on executing a script. This makes it possible to attack Konversation with shell script command injection...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.14916
Exploits: 0 | References: 1

FreeBSD
added 2005/01/18 12:0 a.m. | 16 views

newsgrab -- insecure file and directory creation

The newsgrab script uses insecure permissions during the creation of the local output directory and downloaded files. After a file is created, permissions on it are set using the mode value of the newsgroup posting. This can potentially be a problem when the mode is not restrictive enough. In...

AI score: 0.9
Exploits: 2 | References: 2

FreeBSD
added 2005/01/18 12:0 a.m. | 20 views

newsgrab -- directory traversal vulnerability

The newsgrab script creates files by using the names provided in the newsgroup messages in a perl open call. This is done without performing any security checks to prevent a directory traversal. A specially crafted newsgroup message could cause newsgrab to drop an attachment anywhere on the file...

AI score: 1.9
Exploits: 2 | References: 2

FreeBSD
added 2005/01/18 12:0 a.m. | 25 views

ethereal -- multiple protocol dissectors vulnerabilities

An Ethereal Security Advisory reports: Issues have been discovered in the following protocol dissectors: The COPS dissector could go into an infinite loop. CVE: CAN-2005-0006 The DLSw dissector could cause an assertion. CVE: CAN-2005-0007 The DNP dissector could cause memory corruption. CVE:...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.05659
Exploits: 0 | References: 1

FreeBSD
added 2005/01/18 12:0 a.m. | 15 views

newsfetch -- server response buffer overflow vulnerability

The newsfetch program uses the sscanf function to read information from server responses into static memory buffers. Unfortunately this is done without any proper bounds checking. As a result long server responses may cause an overflow when a newsgroup listing is requested from an NNTP server...

AI score: 2.3
Exploits: 0 | References: 1

FreeBSD
added 2005/01/16 12:0 a.m. | 36 views

squid -- denial-of-service vulnerabilities

The Squid team reported several denial-of-service vulnerabilities related to the handling of DNS responses and NT Lan Manager messages. These may allow an attacker to crash the Squid cache...

CVSS: 5 | AI score: 6.5 | EPSS: 0.65887
Exploits: 0 | References: 2

FreeBSD
added 2005/01/14 12:0 a.m. | 19 views

newspost -- server response buffer overflow vulnerability

The newspost program uses a function named socketgetline to read server responses from the network socket. Unfortunately this function does not check the length of the buffer in which the read data is stored and only stops reading when a newline character is found. A malicious NNTP server could u...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.45619
Exploits: 1 | References: 1

FreeBSD
added 2005/01/12 12:0 a.m. | 30 views

opera -- "data:" URI handler spoofing vulnerability

A Secunia Advisory reports: Michael Holzt has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files. The vulnerability is caused due to an error in the processing of "data:" URIs, causing wrong information to be shown in a...

CVSS: 5 | AI score: 6.2 | EPSS: 0.06168
Exploits: 0 | References: 2

FreeBSD
added 2005/01/12 12:0 a.m. | 29 views

mysql-scripts -- mysqlaccess insecure temporary file creation

The Debian Security Team reports: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack and could also coul...

CVSS: 4.6 | AI score: 6.3 | EPSS: 0.00039
Exploits: 0 | References: 1

Total number of security vulnerabilities: 6526