mozilla -- vCard stack buffer overflow
Georgi Guninski discovered a stack buffer overflow which may be triggered when viewing email messages with vCard attachments...
mozilla -- BMP decoder vulnerabilities
Gael Delalleau discovered several integer overflows in Mozilla's BMP decoder that can result in denial-of-service or arbitrary code execution...
postgresql-contrib -- insecure temporary file creation
The make_oidjoins_check script in the PostgreSQL RDBMS has insecure handling of temporary files, which could lead to an attacker overwriting arbitrary files with the credentials of the user running the make_oidjoins_check script...
mysql -- heap buffer overflow with prepared statements
There is a buffer overflow in the prepared statements API (libmysqlclient) when a statement containing thousands of placeholders is executed...
libxine -- multiple vulnerabilities in VideoCD handling
A xine security announcement states: Several string overflows on the stack have been fixed in xine-lib, some of them can be used for remote buffer overflow exploits leading to the execution of arbitrary code with the permissions of the user running a xine-lib based media application. Stack-based...
libxine -- DVD subpicture decoder heap overflow
A xine security announcement states: A heap overflow has been found in the DVD subpicture decoder of xine-lib. This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based med...
webmin -- insecure temporary file creation at installation time
The Webmin developers documented a security issue in the release notes for version 1.160: Fixed a security hole in the maketemp.pl script, used to create the /tmp/.webmin directory at install time. If an untrusted user creates this directory before Webmin is installed, he could create in it a...
samba3 DoS attack
Code found in nmbd and smbd may allow a remote attacker to effectively crash the nmbd server or use the smbd server to exhaust the system memory...
krb5 -- double-free vulnerabilities
An advisory published by the MIT Kerberos team says: The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire...
imlib2 -- BMP decoder buffer overflow
Marcus Meissner discovered that imlib2's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability. There appears to be both a stack-based and a heap-based buffer overflow that are believed to be exploitable for arbitrary code executio...
krb5 -- ASN.1 decoder denial-of-service vulnerability
An advisory published by the MIT Kerberos team says: The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack. An unauthenticated remote attacker can cause a KDC or...
gaim -- heap overflow exploitable by malicious GroupWise server
Sean (infamous42md) reports that a malicious GroupWise messaging server may be able to exploit a heap buffer overflow in gaim, leading to arbitrary code execution...
gaim -- Content-Length header denial-of-service vulnerability
Sean (infamous42md) reports: When a remote server provides a large "content-length" header value, Gaim will attempt to allocate a buffer to store the content, however this allocation attempt will cause Gaim to crash if the length exceeds the amount of possible memory. This happens when reading...
gaim -- multiple buffer overflows
Sean (infamous42md) reports several situations in gaim that may result in exploitable buffer overflows: Rich Text Format (RTF) messages in the Novell GroupWise protocol; unsafe use of gethostbyname in the zephyr protocol; URLs which are over 2048 bytes long once decoded...
imlib -- BMP decoder heap buffer overflow
Marcus Meissner discovered that imlib's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability. It is believed that this bug could be exploited for arbitrary code execution...
tor -- remote DoS and loss of anonymity
Tor has various remote crashes which could lead to a remote denial-of-service and be used to defeat clients' anonymity. It is not expected that these vulnerabilities are exploitable for arbitrary code execution...
ImageMagick -- BMP decoder buffer overflow
Marcus Meissner discovered that ImageMagick's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability...
icecast -- Cross-Site Scripting Vulnerability
Caused by improper filtering of HTML code in the status display, it is possible for a remote user to execute scripting code in the target user's browser...
openoffice -- document disclosure
OpenOffice creates a working directory in /tmp on startup, and uses this directory to temporarily store document content. However, the permissions of the created directory may allow other users on the system to read these files, potentially exposing information the user likely assumed was...
cups -- print queue browser denial-of-service
If the CUPS server (cupsd) receives a zero-length UDP message, it will disable its print queue browser service...
hafiye -- lack of terminal escape sequence filtering
A siyahsapka.org advisory reads: Hafiye-1.0 doesn't filter the payload when printing it to the terminal. A malicious attacker can send packets with escape sequence payloads to exploit this vulnerability. If Hafiye has been started with the -n (packet count) option, the vulnerability could allow remote...
ifmail -- unsafe set-user-ID application
Niels Heinen reports that ifmail allows one to specify a configuration file. Since ifmail runs set-user-ID `news', this may allow a local attacker to write to arbitrary files or execute arbitrary commands as the `news' user...
nss -- exploitable buffer overflow in SSLv2 protocol handler
ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services (NSS) library's implementation of SSLv2. From their advisory: The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv...
kdelibs -- konqueror cross-domain cookie injection
According to a KDE Security Advisory: WESTPOINT internet reconnaissance services alerted the KDE security team that the KDE web browser Konqueror allows websites to set cookies for certain country-specific secondary top-level domains. Web sites operating under the affected domains can set HTTP...
gaim -- malicious smiley themes
The Gaim Security Issues page documents a problem with installing smiley themes from an untrusted source: To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command...
fidogate -- write files as `news' user
Niels Heinen reports that the setuid `news' binaries installed as part of fidogate may be used to create files or append to files with the privileges of the `news' user by setting the LOGFILE environment variable...
imwheel -- insecure handling of PID file
A Computer Academic Underground advisory describes the consequences of imwheel's handling of the process ID (PID) file: imwheel exclusively uses a predictably named PID file for management of multiple imwheel processes. A race condition exists when the -k command-line option is used to kill...
imp3 -- XSS hole in the HTML viewer
The script vulnerabilities can only be exposed with certain browsers and allow XSS attacks when viewing HTML messages with the HTML MIME viewer...
xv -- exploitable buffer overflows
In a Bugtraq posting, infamous41md@hotpop.com reported: there are at least 5 exploitable buffer and heap overflows in the image handling code. this allows someone to craft a malicious image, trick a user into viewing the file in xv, and upon viewing that image execute arbitrary code under...
squid -- NTLM authentication denial-of-service vulnerability
A remote attacker is able to cause a denial-of-service situation when NTLM authentication is enabled in squid. NTLM authentication uses two functions which lack correct offset checking...
mysql -- mysqlhotcopy insecure temporary file creation
According to Christian Hammers: mysqlhotcopy created temporary files in /tmp which had predictable filenames and as such could be used for a tempfile run attack. Jeroen van Wolffelaar is credited with discovering the issue...
a2ps -- insecure command line argument handling
Rudolf Polzer reports: a2ps builds a command line for file(1) containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it, or simply typing "a2ps *.txt" in /tmp, is...
courier-imap -- format string vulnerability in debug mode
An iDEFENSE security advisory describes a format string vulnerability that could be exploited when Courier-IMAP is run in debug mode (DEBUG_LOGIN set)...
tnftpd -- remotely exploitable vulnerability
lukemftpd(8) is an enhanced BSD FTP server produced within the NetBSD project. The sources for lukemftpd are shipped with some versions of FreeBSD, however it is not built or installed by default. The build system option WANT_LUKEMFTPD must be set to build and install lukemftpd. NOTE: An exception i...
cacti -- SQL injection
Fernando Quintero reports that Cacti 0.8.5a suffers from a SQL injection attack where an attacker can change the password for any Cacti user. This attack is not possible if the PHP option magic_quotes_gpc is set to On, which is the default for PHP in FreeBSD...
Ruby insecure file permissions in the CGI session management
According to a Debian Security Advisory: Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore and presumably PStore ... implementations store session information insecurely. They simply create files, ignoring...
sharutils -- buffer overflows
From Gentoo advisory GLSA 200410-01: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit the...
rsync -- path sanitizing vulnerability
An rsync security advisory reports: There is a path-sanitizing bug that affects daemon mode in all recent rsync versions including 2.6.2 but only if chroot is disabled. The bug may allow a remote user to access files outside of an rsync module's configured path with the privileges configured for...
gaim remotely exploitable vulnerabilities in MSN component
Sebastian Krahmer discovered several remotely exploitable buffer overflow vulnerabilities in the MSN component of gaim. In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's...
acroread uudecoder input validation error
An iDEFENSE security advisory reports: Remote exploitation of an input validation error in the uudecoding feature of Adobe Acrobat Reader (Unix) 5.0 allows an attacker to execute arbitrary code. The Unix and Linux versions of Adobe Acrobat Reader 5.0 automatically attempt to convert uuencoded...
Multiple browser frame injection vulnerability
A class of bugs affecting many web browsers in the same way was discovered. A Secunia advisory reports: The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a nam...
qt -- image loader vulnerabilities
Qt contains several vulnerabilities related to image loading, including possible crashes when loading corrupt GIF, BMP, or JPEG images. Most seriously, Chris Evans reports that the BMP crash is actually due to a heap buffer overflow. It is believed that an attacker may be able to construct a BMP...
kdelibs insecure temporary file handling
According to a KDE Security Advisory, KDE may sometimes create temporary files without properly checking the ownership and type of the target path. This could allow a local attacker to cause KDE applications to overwrite arbitrary files...
ImageMagick png vulnerability fix
Glenn Randers-Pehrson has contributed a fix for the png vulnerabilities discovered by Chris Evans...
libpng stack-based buffer overflow and other code concerns
Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service)...
gnomevfs -- unsafe URI handling
Alexander Larsson reports that some versions of gnome-vfs and MidnightCommander contain a number of `extfs' scripts that do not properly validate user input. If an attacker can cause her victim to process a specially-crafted URI, arbitrary commands can be executed with the privileges of the victim...
SpamAssassin -- denial-of-service in tokenize_headers
According to the SpamAssassin 2.64 release announcement: Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date. The issue appears to be triggered by overly long message headers...
popfile file disclosure
John Graham-Cumming reports that certain configurations of POPFile may allow the retrieval of any files with the extensions .gif, .png, .ico, .css, as well as some files with the extension .html...
gnutls -- certificate chain verification DoS
Patric Hornik reports on a problem in the certificate chain verification procedures of GnuTLS that may result in a denial-of-service vulnerability: The certificate chain should be verified from last root certificate to the first certificate. Otherwise a lot of unauthorized CPU processing can be...
mozilla -- SOAPParameter integer overflow
zen-parse discovered and iDEFENSE reported an exploitable integer overflow in a scriptable Mozilla component (`SOAPParameter'): Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. The SOAPParameter object's constructor contain...