6525 matches found
unzoo -- Directory Traversal Vulnerability
Secunia reports: Doubles has discovered a vulnerability in Unzoo, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an input validation error when unpacking archives. This can be exploited via a directory traversal attack to...
sudo -- environmental variable CDPATH is not cleared
A sudo bug report says: sudo doesn't unset the CDPATH environment variable, which leads to possible security problems...
cabextract -- insecure directory handling
cabextract has insufficient checks for file names that contain ../. This can cause files to be extracted to the parent directory...
socat -- format string vulnerability
Socat Security Advisory 1 states: socat up to version 1.4.0.2 contains a syslog based format string vulnerability. This issue was originally reported by CoKi on 19 Oct 2004 http://www.nosystem.com.ar/advisories/advisory-07.txt. Further investigation showed that this vulnerability could under some...
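A syslog-based format string bug of the kind the socat advisory describes arises when attacker-influenced text is passed as the format argument instead of as a "%s" parameter. The C below is an added illustration, not socat's code: a generic vsnprintf wrapper stands in for syslog(3) so the effect can be observed in a buffer, the vulnerable and fixed call sites sit side by side, and a small scanner flags strings that contain a live conversion. Only "%%" is fed to the vulnerable path so the demonstration itself stays within defined behaviour; with a real "%x" or "%n" the same call reads or writes memory. The sample log text is constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Generic formatter standing in for syslog(3): the third argument is the
 * format. Whether a call is safe depends entirely on what is passed there. */
static void emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: attacker text is the format string. A real "%x" here
 * leaks stack words and "%n" writes to memory; the demo feeds only "%%" so it
 * stays defined behaviour while still proving the text was interpreted. */
static const char *render_vulnerable(const char *user_text)
{
    static char buf[128];
    emit(buf, sizeof buf, user_text);          /* like syslog(LOG_INFO, user_text) */
    return buf;
}

/* Fixed call site: constant format, user text passed as an argument. */
static const char *render_safe(const char *user_text)
{
    static char buf[128];
    emit(buf, sizeof buf, "%s", user_text);    /* like syslog(LOG_INFO, "%s", user_text) */
    return buf;
}

/* Audit helper: does this text contain a conversion that a format function
 * would act on? "%%" is the only harmless use of '%'. */
static int contains_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                               /* escaped percent, skip both */
            continue;
        }
        return 1;                              /* %x, %s, %n, ... would be interpreted */
    }
    return 0;
}

int main(void)
{
    const char *text = "user guest: disk 100%% full";   /* constructed client-supplied text */
    printf("vulnerable: %s\n", render_vulnerable(text));
    printf("safe:       %s\n", render_safe(text));
    printf("directive in \"%%n\": %d\n", contains_format_directive("%n"));
    return 0;
}
```

The vulnerable path turns "100%%" into "100%", which is the proof that the user's bytes were parsed as a format; the safe path reproduces them verbatim.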
p5-Archive-Zip -- virus detection evasion
An AMaViS Security Announcement reports that a vulnerability exists in the Archive::Zip Perl module which may allow malicious code in specially crafted ZIP files to bypass anti-virus programs...
egroupware -- arbitrary file download in JiNN
eGroupWare contains a bug in the JiNN component that allows a remote attacker to download arbitrary files...
acroread5 -- mailListIsPdf() buffer overflow vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow for execution of arbitrary code. The vulnerability specifically exists in the function mailListIsPdf. This function checks if the input file is an email...
tiff -- multiple integer overflows
Dmitry V. Levin discovered numerous integer overflow bugs in libtiff. Most of these bugs are related to memory management, and are believed to be exploitable for arbitrary code execution...
tiff -- RLE decoder heap overflows
Chris Evans discovered several heap buffer overflows in libtiff's RLE decoder. These overflows could be triggered by a specially-crafted TIFF image file, resulting in an application crash and possibly arbitrary code execution...
libwmf -- multiple vulnerabilities
Mitre reports: Multiple buffer overflows in the gd graphics library libgd 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than...
ecartis -- unauthorised access to admin interface
A Debian security advisory reports: A problem has been discovered in ecartis, a mailing-list manager, which allows an attacker in the same domain as the list admin to gain administrator privileges and alter list settings...
phpmyadmin -- remote command execution vulnerability
From the phpMyAdmin 2.6.0p2 release notes: If PHP is not running in safe mode, a problem in the MIME-based transformation system with an "external" transformation allows execution of any command with the privileges of the web server's user...
unarj -- directory traversal vulnerability
unarj has insufficient checks for filenames that contain ../. This can allow an attacker to overwrite arbitrary files with the permissions of the user running unarj...
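The unzoo, cabextract and unarj entries above all describe the same defect: a member name taken from the archive is joined to the extraction directory after a check too weak to catch ".." in the middle of the path. The C below is an added example, not code from any of those three tools: a naive prefix-only check of the kind the advisories call "insufficient", beside a component-wise check that rejects absolute names, a "drive:" prefix and a ".." component anywhere in the path. The sample member names and the destination directory are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The kind of "insufficient check" the advisories describe: it only inspects
 * the first three characters, so "docs/../../etc/passwd" and "/etc/passwd"
 * pass straight through. */
static bool naive_member_is_safe(const char *name)
{
    return strncmp(name, "../", 3) != 0;
}

/* Component-wise check. Rejects: empty names, absolute paths (either slash
 * style), a "drive:" prefix, and any component that is exactly "..". A longer
 * component such as "..foo" is an ordinary file name and is allowed. */
static bool archive_member_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                        /* absolute path */
    if (name[1] == ':')                      /* safe to read: name[0] != '\0' */
        return false;                        /* "C:\..." style prefix */

    const char *comp = name;
    for (;;) {
        const char *end = comp;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - comp);
        if (len == 2 && comp[0] == '.' && comp[1] == '.')
            return false;                    /* traversal component */
        if (*end == '\0')
            return true;
        comp = end + 1;                      /* next component */
    }
}

/* Build dest/name only after the member name has passed the check.
 * Returns false (and leaves out empty) when the name is rejected or too long. */
static bool extraction_path(const char *dest, const char *name, char *out, size_t outsz)
{
    out[0] = '\0';
    if (!archive_member_is_safe(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", dest, name);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed member names of the sort a hostile archive would carry. */
    const char *samples[] = { "docs/readme.txt", "../etc/passwd",
                              "docs/../../etc/passwd", "/etc/passwd", "..\\x" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s naive=%d checked=%d -> %s\n", samples[i],
               naive_member_is_safe(samples[i]), archive_member_is_safe(samples[i]),
               extraction_path("/var/tmp/extract", samples[i], path, sizeof path)
                   ? path : "(rejected)");
    return 0;
}
```

Checking each component rather than the prefix is what closes the "docs/../../" case; a further defence used by careful extractors is to realpath() the final path and confirm it still starts with the destination directory.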
bogofilter -- RFC 2047 decoder denial-of-service vulnerability
The bogofilter team has been provided with a test case of a malformed, non-conformant RFC 2047 encoded word that can cause bogofilter versions 0.92.7 and prior to try to write a NUL byte into a memory location that is either one byte past the end of a flex buffer or to a location that is the...
realplayer -- arbitrary file deletion and other vulnerabilities
An NGSSoftware Insight Security Research Advisory reports: Two vulnerabilities have been discovered in RealPlayer which may potentially be leveraged to allow remote code execution, or may be used in combination with the Real Metadata Package File Deletion vulnerability to reliably delete files from ...
konqueror -- Password Disclosure for SMB Shares
When browsing SMB shares with Konqueror, shares with authentication show up with hidden password in the browser bar. It is possible to store the URL as a shortcut on the desktop where the password is then available in plain text...
horde -- cross-site scripting vulnerability in help window
A Horde Team announcement states that a potential cross-site scripting vulnerability in the help window has been corrected. The vulnerability appears to involve the handling of the topic and module parameters of the help window template...
mail-notification -- denial-of-service vulnerability
An unchecked return value and the resulting null pointer dereference make it possible for an attacker to crash the application. However, the attacker must first hijack the connection between Mail Notification and the Gmail or IMAP server...
zip -- long path buffer overflow
A HexView security advisory reports: When zip performs recursive folder compression, it does not check for the length of resulting path. If the path is too long, a buffer overflow occurs leading to stack corruption and segmentation fault. It is possible to exploit this vulnerability by embedding ...
xerces-c2 -- Attribute blowup denial-of-service
Amit Klein reports about Xerces-C++: An attacker can craft a malicious XML document, which uses XML attributes in a way that inflicts a denial of service condition on the target machine XML parser. The result of this attack is that the XML parser consumes all the CPU...
mpg123 -- buffer overflow in URL handling
Carlos Barros reports that mpg123 contains two buffer overflows. These vulnerabilities can potentially lead to execution of arbitrary code. The first buffer overflow can occur when mpg123 parses a URL with a user-name/password field that is more than 256 characters long. This problem can be...
mod_ssl -- SSLCipherSuite bypass
It is possible for clients to use any cipher suite configured by the virtual host, whether or not a certain cipher suite is selected for a specific directory. This might result in clients using a weaker encryption than originally configured...
samba -- remote file disclosure
According to a Samba Team security notice: A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for th...
groff -- groffer uses temporary files unsafely
The groffer script in the groff package 1.18 and later versions allows local users to overwrite files via a symlink attack on temporary files...
Boundary checking errors in syscons
The syscons CONSSCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. It may be possible to cause the CONSSCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive...
samba -- potential remote DoS vulnerability
Karol Wiesek at iDEFENSE reports: A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Although samba.org classifies this as a DoS vulnerability, several members of th...
icecast -- HTTP header overflow
It is possible to execute remote code simply by sending an HTTP request with 31 headers followed by shellcode, which will be executed directly...
squid -- SNMP module denial-of-service vulnerability
The Squid-2.5 patches page notes: If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error. This only affects squid installations where SNMP is explicitly enabled via "make config". As a workaround, SNMP can be disabled by defining "snmpport 0" in squid.conf...
wordpress -- XSS in administration panel
Pages in the administration panel of WordPress are vulnerable to XSS attacks...
linux_base -- vulnerabilities in Red Hat 7.1 libraries
Trevor Johnson reported that the Red Hat Linux RPMs used by linux_base contained multiple older vulnerabilities, such as a DNS resolver issue and critical bugs in X font handling and XPM image handling...
zinf -- potential buffer overflow playlist support
The audio player Zinf is vulnerable to a buffer overflow in its handling of playlist files...
CUPS -- local information disclosure
Certain methods of authenticated remote printing in CUPS can disclose user names and passwords in the log files. A workaround for this problem is to set more strict access permissions on the CUPS logfiles...
cyrus-sasl -- dynamic library loading and set-user-ID applications
The Cyrus SASL library, libsasl, contains functions which may load dynamic libraries. These libraries may be loaded from the path specified by the environment variable SASL_PATH, which in some situations may be fully controlled by a local attacker. Thus, if a set-user-ID application such as chsh...
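The SASL_PATH issue above is an instance of the general set-user-ID rule: an environment variable that decides what code gets loaded must be ignored once the process runs with privileges its invoker does not have. The C below is an added example, not cyrus-sasl code. The default directory and the trust rule for an override (directory owned by root or by the effective user and not writable by group or others) are assumptions of the example, and the temporary directory it creates is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Compiled-in fallback. The value is an assumption of this example. */
#define DEFAULT_PLUGIN_DIR "/usr/local/lib/sasl2"

/* A process that gained privileges through set-user-ID or set-group-ID must
 * treat its whole environment as attacker-supplied. This is the test that
 * secure_getenv(3) on glibc and issetugid(2) on BSD encapsulate. */
static int elevated_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* What the vulnerable behaviour amounts to: SASL_PATH wins unconditionally,
 * so whoever can set it chooses which shared objects get dlopen()ed. */
static const char *plugin_dir_naive(const char *env_value)
{
    return env_value != NULL ? env_value : DEFAULT_PLUGIN_DIR;
}

/* A directory is trusted for loading code if it exists, is owned by root or
 * by the effective user, and cannot be written by group or others. */
static int dir_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hardened: the override is ignored for a privileged process and, even for
 * an unprivileged one, only a trusted directory is accepted. */
static const char *plugin_dir_for(const char *env_value, int elevated)
{
    if (elevated || env_value == NULL || !dir_is_trusted(env_value))
        return DEFAULT_PLUGIN_DIR;
    return env_value;
}

static const char *plugin_dir(void)
{
    return plugin_dir_for(getenv("SASL_PATH"), elevated_privileges());
}

/* Constructed check: a fresh 0700 directory we own is trusted; after
 * chmod 0777 it is not. Returns 1 when both hold. */
static int demo_constructed_dirs(void)
{
    char dir[] = "/tmp/saslpathdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    int private_ok = dir_is_trusted(dir);
    int shared_rejected = chmod(dir, 0777) == 0 && !dir_is_trusted(dir);
    rmdir(dir);
    return private_ok && shared_rejected;
}

int main(void)
{
    printf("elevated=%d naive=%s hardened=%s\n", elevated_privileges(),
           plugin_dir_naive(getenv("SASL_PATH")), plugin_dir());
    printf("constructed directory check: %s\n", demo_constructed_dirs() ? "ok" : "failed");
    return 0;
}
```

Run it as `SASL_PATH=/tmp ./a.out` from an ordinary shell and the hardened path still falls back to the default, because /tmp is world-writable; the dynamic loader applies the same idea when it drops LD_LIBRARY_PATH for set-user-ID binaries.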
freeradius -- denial-of-service vulnerability
A remote attacker may be able to crash the freeRADIUS server due to three independent bugs in the function that checks values while processing RADIUS attributes, all caused by improper validation...
getmail -- symlink vulnerability during maildir delivery
David Watson reports a symlink vulnerability in getmail. If run as root (not the recommended mode of operation), a local user may be able to cause getmail to write files in arbitrary directories via a symlink attack on subdirectories of the maildir...
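The groffer and getmail entries are both symlink races: a privileged program opens a path that a local user can pre-create as a symlink to something else. The C below is an added example (not groff or getmail code) that plants such a link in a constructed temporary directory and contrasts the O_CREAT|O_TRUNC open that follows it with a create that uses O_EXCL and O_NOFOLLOW and verifies the result with fstat, plus mkstemp for scratch files. Directory and file names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: predictable name, O_CREAT without O_EXCL. If a local
 * user has planted a symlink at that name, open() follows it and O_TRUNC
 * destroys whatever the link points at, with the caller's privileges. */
static int open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened create: O_EXCL fails if any object (including a symlink) already
 * exists, O_NOFOLLOW refuses a symlink as the final component, and fstat on
 * the descriptor (not stat on the path, which could be raced) confirms a
 * freshly created regular file that we own. */
static int open_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scratch files: let the kernel choose an unpredictable name atomically
 * instead of composing one from the pid. tmpl must end in "XXXXXX". */
static int open_tempfile(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed scenario: a directory, a "victim" file, and a symlink planted at
 * the name a program would predictably use. Returns 1 when the unsafe open
 * followed the link and truncated the victim while the safe open refused,
 * and the safe open of a name nobody pre-created succeeded. */
static int demo_symlink_attack(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[PATH_MAX], planted[PATH_MAX], fresh[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.tmp", dir);

    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0)
        return 0;
    int wrote = write(v, "secret", 6) == 6;
    close(v);
    if (!wrote || symlink(victim, planted) != 0)
        return 0;

    int unsafe_fd = open_unsafe(planted);   /* follows the link: victim is now empty */
    int safe_fd = open_safe(planted);       /* -1: symlink present, O_EXCL/O_NOFOLLOW */
    int fresh_fd = open_safe(fresh);        /* >= 0: nothing was there */

    struct stat st;
    int truncated = stat(victim, &st) == 0 && st.st_size == 0;
    int result = unsafe_fd >= 0 && truncated && safe_fd < 0 && fresh_fd >= 0;

    if (unsafe_fd >= 0) close(unsafe_fd);
    if (fresh_fd >= 0) close(fresh_fd);
    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return result;
}

/* Returns 1 if mkstemp produced an open descriptor with a randomised name. */
static int demo_tempfile(void)
{
    char tmpl[] = "/tmp/groffer-demo.XXXXXX";
    int fd = open_tempfile(tmpl);
    int ok = fd >= 0 && strstr(tmpl, "XXXXXX") == NULL;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return ok;
}

int main(void)
{
    printf("symlink attack demo: %s\n",
           demo_symlink_attack() ? "unsafe open followed link, safe open refused" : "unexpected");
    printf("tempfile demo: %s\n", demo_tempfile() ? "ok" : "failed");
    return 0;
}
```

For the getmail case, where the danger is a replaced subdirectory rather than a replaced file, the same idea applies one level up: open the directory with O_DIRECTORY|O_NOFOLLOW, check its owner with fstat, and create the message file relative to that descriptor with openat().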
jabberd -- denial-of-service vulnerability
José Antonio Calvo discovered a bug in the Jabber 1.x server. According to Matthias Wimmer: Without this patch, it is possible to remotely crash jabberd14, if there is access to one of the following types of network sockets: socket accepting client connections; socket accepting connections from oth...
powerdns -- DoS vulnerability
PowerDNS is vulnerable to a temporary denial-of-service vulnerability that can be triggered using a random stream of bytes...
sudo -- sudoedit information disclosure
A new feature of sudo 1.6.8 called "sudoedit" (a safe editing facility) may allow users to read files to which they normally have no access...
gnu-radius -- SNMP-related denial-of-service
An iDEFENSE security advisory reports: Remote exploitation of an input validation error in version 1.2 of GNU radiusd could allow a denial of service. The vulnerability specifically exists within the asn_decode_string function defined in snmplib/asn1.c. When a very large unsigned number is supplied...
subversion -- WebDAV fails to protect metadata
In some situations, subversion metadata may be unexpectedly disclosed via WebDAV. A subversion advisory states: mod_authz_svn, the Apache httpd module which does path-based authorization on Subversion repositories, is not correctly protecting all metadata on unreadable paths. This security issue is...
gdk-pixbuf -- image decoding vulnerabilities
Chris Evans discovered several flaws in the gdk-pixbuf XPM image decoder: a heap-based overflow in pixbuf_create_from_xpm; a stack-based overflow in xpm_extract_color; integer overflows in io-ico.c. Some of these flaws are believed to be exploitable...
php -- vulnerability in RFC 1867 file upload processing
Stefano Di Paola discovered an issue with PHP that could allow someone to upload a file to any directory writable by the httpd process. Any sanitizing performed on the prepended directory path is ignored. This bug can only be triggered if the $_FILES element name contains an underscore...
apache -- apr_uri_parse IPv6 address handling vulnerability
The Apache Software Foundation Security Team discovered a programming error in the apr-util library function apr_uri_parse. When parsing IPv6 literal addresses, it is possible that a length is incorrectly calculated to be negative, and this value is passed to memcpy. This may result in an exploitab...
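The apr_uri_parse entry is an instance of a pointer-difference "length" going negative and being cast to size_t on its way into memcpy. The C below is an added example and not APR's parser: it reduces the hazard to a hostinfo grammar of "[v6-literal]", "[v6-literal]:port", "host" and "host:port" (an assumption of the example), shows a naive bracket-length computation that yields SIZE_MAX-4 for the constructed input "]:80[", and a parser that looks for the closing bracket only after the opening one and range-checks every length before copying.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct hostinfo { char host[64]; char port[8]; };

/* The hazard reduced to its essence: two pointers found independently, their
 * difference assumed non-negative and cast to size_t. For "]:80[" the ']'
 * precedes the '[' and the "length" becomes SIZE_MAX-4, which a following
 * memcpy would use. This function returns the length only and never copies. */
static size_t naive_bracket_len(const char *s)
{
    const char *lsb = strchr(s, '[');
    const char *rsb = strchr(s, ']');
    if (lsb == NULL || rsb == NULL)
        return 0;
    return (size_t)(rsb - lsb - 1);
}

/* Hardened parser. The closing bracket is searched only after the opening one,
 * lengths stay signed until checked, and nothing reaches memcpy unchecked.
 * Returns 0 on success, -1 on malformed input. */
static int parse_hostinfo(const char *s, struct hostinfo *out)
{
    const char *hs, *he, *port = NULL;
    memset(out, 0, sizeof *out);

    if (s[0] == '[') {
        hs = s + 1;
        he = strchr(hs, ']');                  /* only ever to the right of '[' */
        if (he == NULL)
            return -1;                         /* unterminated literal */
        if (he[1] == ':')
            port = he + 2;
        else if (he[1] != '\0')
            return -1;                         /* junk after the literal */
    } else {
        hs = s;
        const char *colon = strchr(s, ':');
        he = colon ? colon : s + strlen(s);
        if (colon)
            port = colon + 1;
        if (memchr(hs, '[', (size_t)(he - hs)) || memchr(hs, ']', (size_t)(he - hs)))
            return -1;                         /* stray brackets outside the literal form */
    }

    ptrdiff_t hlen = he - hs;                  /* signed: check before any cast */
    if (hlen <= 0 || (size_t)hlen >= sizeof out->host)
        return -1;
    memcpy(out->host, hs, (size_t)hlen);

    if (port != NULL) {
        size_t plen = strlen(port);
        if (plen == 0 || plen >= sizeof out->port)
            return -1;
        for (size_t i = 0; i < plen; i++)
            if (!isdigit((unsigned char)port[i]))
                return -1;
        memcpy(out->port, port, plen);
    }
    return 0;
}

/* Helpers returning plain ints so results can be checked by name. */
static int parses_as(const char *s, const char *host, const char *port)
{
    struct hostinfo h;
    return parse_hostinfo(s, &h) == 0 && strcmp(h.host, host) == 0 && strcmp(h.port, port) == 0;
}

static int rejected(const char *s)
{
    struct hostinfo h;
    return parse_hostinfo(s, &h) != 0;
}

int main(void)
{
    /* Constructed inputs, including the one that drives the naive length negative. */
    const char *inputs[] = { "[::1]:8080", "example.org:443", "[::1", "]:80[" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct hostinfo h;
        int rc = parse_hostinfo(inputs[i], &h);
        printf("%-16s rc=%d host=%s port=%s naive_len=%zu\n",
               inputs[i], rc, h.host, h.port, naive_bracket_len(inputs[i]));
    }
    return 0;
}
```

Keeping the difference in a ptrdiff_t and testing it before the cast is the whole fix; the same pattern of "end - start - 1" with the end found by an unconstrained search is worth grepping for in any URI or header parser.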
mod_dav -- lock related denial-of-service
A malicious user with DAV write privileges can trigger a null pointer dereference in the Apache mod_dav module. This could cause the server to become unavailable...
apache -- ap_resolve_env buffer overflow
SITIC discovered a vulnerability in Apache 2's handling of environment variable settings in the httpd configuration files (the main httpd.conf and .htaccess files). According to a SITIC advisory: The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or httpd.conf files. The...
php -- php_variables memory disclosure
Stefano Di Paola reports: Bad array parsing in php_variables.c could lead to disclosure of arbitrary memory content such as pieces of PHP code and other data. This affects all GET, POST or COOKIE variables...
xpm -- image decoding vulnerabilities
Chris Evans discovered several vulnerabilities in the libXpm image decoder: a stack-based buffer overflow in xpmParseColors; an integer overflow in xpmParseColors; a stack-based buffer overflow in ParsePixels and ParseAndPutPixels. The X11R6.8.1 release announcement reads: This version is purely a...
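The libtiff, libgd, gdk-pixbuf and libXpm entries above are, for the integer-overflow cases, the same arithmetic fault: width times height times bytes-per-pixel computed in a fixed-width integer, wrapping to a small value that is handed to malloc while the decode loop writes the full image. The C below is an added example rather than code from any of those libraries; the 1 GiB cap is an illustrative figure chosen for the example, and the dimensions are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Any real decoder should also cap dimensions. 1 GiB is an arbitrary value
 * for this example, not a figure from any of the libraries named above. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* The vulnerable arithmetic: three 32-bit values multiplied in 32 bits.
 * 65537 x 65537 x 1 wraps to 131073, so the decoder would allocate 128 KiB
 * and then write 4 GiB of pixels into it. */
static uint32_t naive_image_bytes(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Overflow-checked: each multiplication is tested against SIZE_MAX before it
 * is performed, then the product is bounded. Returns 0 on any failure; a
 * real image is never zero bytes, so 0 is an unambiguous error value. */
static size_t checked_image_bytes(uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0)
        return 0;
    size_t total = (size_t)w;
    if (total > SIZE_MAX / h)
        return 0;                       /* w * h would not fit in size_t */
    total *= h;
    if (total > SIZE_MAX / bpp)
        return 0;                       /* w * h * bpp would not fit */
    total *= bpp;
    if (total > MAX_IMAGE_BYTES)
        return 0;                       /* fits, but absurd for this decoder */
    return total;
}

/* Allocation that can only succeed with a correctly sized, zeroed buffer. */
static void *alloc_image(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n = checked_image_bytes(w, h, bpp);
    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    printf("640x480x4:     naive=%u checked=%zu\n",
           naive_image_bytes(640, 480, 4), checked_image_bytes(640, 480, 4));
    printf("65537x65537x1: naive=%u checked=%zu\n",
           naive_image_bytes(65537, 65537, 1), checked_image_bytes(65537, 65537, 1));
    void *p = alloc_image(0xFFFFFFFFu, 0xFFFFFFFFu, 4);
    printf("absurd header: %s\n", p ? "allocated?!" : "rejected");
    free(p);
    return 0;
}
```

The division-based check is portable C; on GCC and Clang `__builtin_mul_overflow` expresses the same test in one call. Either way the point is that the check happens before the multiplication, not after, because a wrapped product looks perfectly valid afterwards.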
mozilla -- multiple heap buffer overflows
Several heap buffer overflows were discovered and fixed in the most recent versions of Mozilla, Firefox, and Thunderbird. These overflows may occur when: using the "Send Page" function; checking mail on a malicious POP3 server; processing non-ASCII URLs. Each of these vulnerabilities may be...
mozilla -- vCard stack buffer overflow
Georgi Guninski discovered a stack buffer overflow which may be triggered when viewing email messages with vCard attachments...
mozilla -- scripting vulnerabilities
Several scripting vulnerabilities were discovered and corrected in Mozilla: CVE-2004-0905 javascript: links dragged onto another frame or page allow an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscured links in the context of a game...