lbreakout2 vulnerability in environment variable handling
Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environment variable handling. In several instances, the contents of the HOME environment variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire...
Apache 2 mod_ssl denial-of-service
Joe Orton reports a memory leak in Apache 2's mod_ssl. A remote attacker may issue HTTP requests on an HTTPS port, causing an error. Due to a bug in processing this condition, memory associated with the connection is not freed. Repeated requests can result in consuming all available memory...
jailed processes can attach to other jails
A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the...
metamail format string bugs and buffer overflows
Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile, PrintHeader, and ShareThisHeader. These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to proce...
many out-of-sequence TCP packets denial-of-service
FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue. A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP). By sending many...
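The mechanism behind the entry above, as an added illustration (not FreeBSD's kernel code): a per-connection reassembly queue that holds out-of-order segments. With no cap, every out-of-sequence segment an attacker sends is retained for as long as the gap before it is never filled, so memory grows linearly with the number of segments sent. The `max_queued` cap, its value, and the segment/connection structures are assumptions made for this example; the point is only that the limit bounds what one peer can pin in kernel memory while in-order delivery keeps working.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative structures, not FreeBSD's tcpcb/tseg_qent. */
struct segment { uint32_t seq; uint32_t len; struct segment *next; };

struct conn {
    uint32_t rcv_nxt;        /* next in-order sequence number expected */
    struct segment *queue;   /* out-of-order segments, sorted by seq */
    size_t queued;           /* number of segments currently held */
    size_t max_queued;       /* 0 = no limit (the vulnerable behaviour) */
};

/* Returns 1 if delivered in order, 0 if queued out of order,
 * -1 if dropped because the reassembly queue is at its limit.
 * Duplicate and overlapping segments are not handled here. */
int tcp_reass(struct conn *c, uint32_t seq, uint32_t len)
{
    if (seq == c->rcv_nxt) {
        c->rcv_nxt += len;
        /* drain any queued segments that are now contiguous */
        while (c->queue && c->queue->seq == c->rcv_nxt) {
            struct segment *s = c->queue;
            c->rcv_nxt += s->len;
            c->queue = s->next;
            c->queued--;
            free(s);
        }
        return 1;
    }
    if (c->max_queued != 0 && c->queued >= c->max_queued)
        return -1;                        /* mitigation: bounded queue */
    struct segment *s = malloc(sizeof *s);
    if (s == NULL)
        return -1;
    s->seq = seq;
    s->len = len;
    struct segment **pp = &c->queue;      /* sorted insert */
    while (*pp && (*pp)->seq < seq)
        pp = &(*pp)->next;
    s->next = *pp;
    *pp = s;
    c->queued++;
    return 0;
}

void conn_free(struct conn *c)
{
    while (c->queue) {
        struct segment *s = c->queue;
        c->queue = s->next;
        free(s);
    }
    c->queued = 0;
}

/* Simulate a peer sending n one-byte segments that all skip past rcv_nxt,
 * so none can ever be delivered; return how many the queue is holding. */
size_t flood_out_of_order(size_t max_queued, size_t n)
{
    struct conn c = { .rcv_nxt = 1, .queue = NULL, .queued = 0, .max_queued = max_queued };
    for (size_t i = 0; i < n; i++)
        tcp_reass(&c, (uint32_t)(1000 + 2 * i), 1);   /* gap at seq 1 is never filled */
    size_t held = c.queued;
    conn_free(&c);
    return held;
}

/* Legitimate reordering still works under a cap: two segments arrive early,
 * the gap-filling segment arrives last and the queue drains. Returns rcv_nxt. */
uint32_t in_order_after_gap(void)
{
    struct conn c = { .rcv_nxt = 1, .queue = NULL, .queued = 0, .max_queued = 8 };
    tcp_reass(&c, 11, 10);
    tcp_reass(&c, 21, 10);
    tcp_reass(&c, 1, 10);
    uint32_t nxt = c.rcv_nxt;
    conn_free(&c);
    return nxt;
}

int main(void)
{
    printf("unbounded queue holds %zu of 5000 segments\n", flood_out_of_order(0, 5000));
    printf("capped queue (64) holds %zu of 5000 segments\n", flood_out_of_order(64, 5000));
    printf("rcv_nxt after reordered delivery: %u\n", in_order_after_gap());
    return 0;
}
```

The unbounded variant retains all 5000 segments; the capped one never holds more than 64, while the reordering case still advances to sequence number 31. The insert is a linear walk, so a real implementation would also need to bound the work per segment, not just the memory.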
wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed
Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives: Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory. Matt...
file disclosure in phpMyAdmin
Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server...
mnGoSearch buffer overflow in UdmDocToTextBuf()
Jedi/Sector One reported the following on the full-disclosure list: Every document is stored in multiple parts according to its sections (description, body, etc.) in databases. And when the content has to be sent to the client, UdmDocToTextBuf concatenates those parts together and skips metadata...
mozilla -- hostname spoofing bug
When processing URIs that contain an unqualified host name (specifically, a domain name of only one component), Mozilla will perform matching against only the first component of the domain name in SSL certificates. In other words, in some situations, a certificate issued to "www.example.com" will be...
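The matching flaw described above, reconstructed as an added example (this is not Mozilla's code; the exact logic is an assumption based only on the advisory text). The flawed matcher compares a dotless host name against just the first label of the certificate name, so "www" is accepted for a certificate issued to "www.example.com". The strict matcher requires the whole name to be equal; wildcard rules are deliberately left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Flawed matcher (assumed reconstruction of the described behaviour):
 * when the requested host has no '.', only the first label of the
 * certificate's name is compared. */
int cert_matches_host_flawed(const char *cert_name, const char *host)
{
    if (strchr(host, '.') == NULL) {
        const char *dot = strchr(cert_name, '.');
        size_t first = dot ? (size_t)(dot - cert_name) : strlen(cert_name);
        return strlen(host) == first && strncasecmp(cert_name, host, first) == 0;
    }
    return strcasecmp(cert_name, host) == 0;
}

/* Strict matcher: the full certificate name must equal the host name the
 * client actually connected to, compared case-insensitively. The caller is
 * responsible for passing the fully qualified name it resolved, not a
 * user-typed abbreviation. */
int cert_matches_host_strict(const char *cert_name, const char *host)
{
    return strcasecmp(cert_name, host) == 0;
}

int main(void)
{
    /* constructed inputs for the demonstration */
    const char *cert = "www.example.com";
    const char *hosts[] = { "www", "www.example.com", "WWW.EXAMPLE.COM", "www.example.org" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s flawed=%d strict=%d\n", hosts[i],
               cert_matches_host_flawed(cert, hosts[i]),
               cert_matches_host_strict(cert, hosts[i]));
    return 0;
}
```

Only the first row differs between the two matchers: the flawed one accepts the bare label "www", which is exactly the condition under which an attacker holding a certificate for a name beginning with that label could impersonate a single-label host.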
Buffer overflow in Mutt 1.4
Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code...
Buffer overflows in XFree86 servers
A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on...
clamav remote denial-of-service
clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav...
ModSecurity for Apache 2.x remote off-by-one overflow
When the directive "SecFilterScanPost" is enabled, the Apache 2.x version of ModSecurity is vulnerable to an off-by-one overflow...
Samba 3.0.x password initialization bug
From the Samba 3.0.2 release notes: Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script...
libxml2 stack buffer overflow in URI parsing
Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxm...
Apache-SSL optional client certificate vulnerability
From the Apache-SSL security advisory: If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate. All the attacker needed ...
jailed processes can manipulate host routing tables
A programming error resulted in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process. Jailed processes running with superuser privileges could modify host routing tables. This could result in a variety of consequences including packets being sent...
Courier mail services: remotely exploitable buffer overflows
The Courier set of mail services use a common Unicode library. This library contains buffer overflows in the converters for two popular Japanese character encodings. These overflows may be remotely exploitable, triggered by a maliciously formatted email message that is later processed by one of t...
shmat reference counting bug
A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented. It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or writ...
racoon -- improper certificate handling
Thomas Walpuski noted that when OpenSSL would detect an error condition for a peer certificate, racoon mistakenly ignored the error. This could allow five invalid certificate states to be treated as valid for authentication...
GNU libtool insecure temporary file handling
libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions. This has been reported as a ``symlink vulnerability'',...
mksnap_ffs clears file system options
The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs(8) command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value. A regularly...
gallery -- remote code injection via HTTP_POST_VARS
A web server running Gallery can be exploited for arbitrary PHP code execution through the use of a maliciously crafted URL...
Several remotely exploitable buffer overflows in gaim
Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory: While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After...
php -- readfile() DoS vulnerability
A SUSE Security advisory reports: A bug in the readfile function of php4 could be used to crash the httpd running the php4 code when accessing files with a multiple of the architecture's page size, leading to a denial of service...
mysql -- ALTER MERGE denial of service vulnerability
Dean Ellis reported a denial of service vulnerability in the MySQL server: Multiple threads ALTERing the same or different MERGE tables to change the UNION eventually crash the server or hang the individual threads. Note that a script demonstrating the problem is included in the MySQL bug report...
kdepim exploitable buffer overflow in VCF reader
A buffer overflow is present in some versions of the KDE personal information manager kdepim which may be triggered when processing a specially crafted VCF file...
Vulnerabilities in H.323 implementations
The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution. In the FreeBSD Ports Collection, `pwlib' is directly affected. Other...
racoon security association deletion vulnerability
A remote attacker may use specially crafted IKE/ISAKMP messages to cause racoon to delete security associations. This could result in denial-of-service or possibly cause sensitive traffic to be transmitted in plaintext, depending upon configuration...
leafnode fetchnews denial-of-service triggered by truncated transmission
When a downloaded news article ends prematurely, i.e., when the server sends CRLF.CRLF before sending a blank line, fetchnews may wait indefinitely for data that never arrives. Workaround: configure "minlines=1" or use a bigger value in the configuration file. Found by Toni Viemerö...
Buffer overflow in INN control message handling
A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow...
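The pattern shared by the lbreakout2 (HOME copied to a stack or global buffer without range checking), libxml2 (4K stack buffer for a URL) and INN (fixed-size stack buffer for a filename built from a control message) entries, as an added example that is not any of those projects' code. The vulnerable form copies untrusted input into a fixed stack buffer with no bound; the hardened forms check the length first and treat a result that would not fit as an error rather than silently truncating. The buffer size and the relative path "config" are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 256   /* assumed fixed buffer size for the example */

/* Vulnerable pattern: value of an environment variable copied into a fixed
 * stack buffer with no range check. A value of HOME_BUF bytes or longer
 * writes past the end of buf (undefined behaviour; on a real stack it
 * reaches the saved return address). Shown for contrast only; the
 * stand-alone main() calls it with a short constructed value. */
size_t copy_home_unchecked(const char *home)
{
    char buf[HOME_BUF];
    strcpy(buf, home);                /* no bound: this is the bug */
    return strlen(buf);
}

/* Hardened: copy only if the whole value, including the terminating NUL,
 * fits; otherwise refuse. Returns the copied length or -1. */
int copy_home_checked(char *dst, size_t dstlen, const char *home)
{
    if (home == NULL)
        return -1;
    size_t n = strlen(home);
    if (n >= dstlen)
        return -1;                    /* would overflow: reject, do not truncate */
    memcpy(dst, home, n + 1);
    return (int)n;
}

/* Hardened filename construction: snprintf with the buffer size, and the
 * return value checked so a truncated path is treated as an error rather
 * than used. Returns the path length or -1. */
int build_config_path(char *dst, size_t dstlen, const char *home, const char *rel)
{
    int n = snprintf(dst, dstlen, "%s/%s", home, rel);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;                    /* truncated or error */
    return n;
}

/* Self-checks with constructed inputs. */
int demo_short_home_fits(void)
{
    char b[HOME_BUF];
    return copy_home_checked(b, sizeof b, "/home/alice");
}

int demo_long_home_rejected(void)
{
    char b[HOME_BUF];
    char big[HOME_BUF * 2];           /* a HOME value that would overflow b */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_home_checked(b, sizeof b, big);
}

int demo_path_len(void)
{
    char b[HOME_BUF];
    return build_config_path(b, sizeof b, "/home/alice", "config");
}

int demo_long_path_rejected(void)
{
    char b[HOME_BUF];
    char big[HOME_BUF];
    memset(big, 'B', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_config_path(b, sizeof b, big, "config");
}

int main(void)
{
    printf("unchecked copy of short value: %zu bytes\n", copy_home_unchecked("/home/alice"));
    printf("checked copy of short value: %d\n", demo_short_home_fits());
    printf("checked copy of long value: %d\n", demo_long_home_rejected());
    printf("config path length: %d\n", demo_path_len());
    printf("config path from long home: %d\n", demo_long_path_rejected());
    return 0;
}
```

The checked variants return -1 for the oversized inputs instead of writing past the buffer. Rejecting, rather than truncating, matters for filenames in particular: a silently truncated path can point at a different file than the one intended.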
fsp buffer overflow and directory traversal vulnerabilities
The Debian security team reported a pair of vulnerabilities in fsp: A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrar...
mailman XSS in admin script
Dirk Mueller reports: I've found a cross-site scripting vulnerability in the admin interface of mailman 2.1.3 that allows, under certain circumstances, for anyone to retrieve the valid session cookie...
L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump
Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process...
SQL injection vulnerability in phpnuke
Multiple researchers have discovered multiple SQL injection vulnerabilities in some versions of Php-Nuke. These vulnerabilities may lead to information disclosure, compromise of the Php-Nuke site, or compromise of the back-end database...
lftp HTML parsing vulnerability
A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP...
Mathopd buffer overflow
Mathopd contains a buffer overflow in the prepare_reply function that may be remotely exploitable...
rsync buffer overflow in server mode
When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk...
racoon remote denial of service vulnerability (IKE Generic Payload Header)
When racoon receives an IKE message with an incorrectly constructed Generic Payload Header, it may behave erratically, going into a tight loop and dropping connections...
pound remotely exploitable vulnerability
An unknown remotely exploitable vulnerability was disclosed. Robert Segall writes: a security vulnerability was brought to my attention many thanks to Akira Higuchi. Everyone running any previous version should upgrade to 1.6 immediately - the vulnerability may allow a remote exploit. No exploits...
mod_python denial-of-service vulnerability in parse_qs
An attacker may cause Apache with mod_python to crash by using a specially constructed query string...
bind8 negative cache poison attack
A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain...
ElGamal sign+encrypt keys created by GnuPG can be compromised
Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked. The following summary was written by Werner Koch, GnuPG author: Phong Nguyen identified a severe bug in...
sircd -- remote operator privilege escalation vulnerability
Secunia reports: A vulnerability has been reported in sircd, which can be exploited by malicious users to gain operator privileges. The problem is that any user reportedly can set their usermode to operator. The vulnerability has been reported in versions 0.5.2 and 0.5.3. Other versions may also ...
zebra/quagga denial of service vulnerability
A remote attacker could cause zebra/quagga to crash by sending a malformed telnet command to their management port...
mailman denial-of-service vulnerability in MailCommandHandler
A malformed message could cause mailman to crash...
proftpd IP address access control list breakage
Jindrich Makovicka reports a regression in proftpd's handling of IP address access control lists (IP ACLs). Due to this regression, some IP ACLs are treated as ``allow all''...
grip -- CDDB response multiple matches buffer overflow vulnerability
Joseph VanAndel reports that grip is vulnerable to a buffer overflow when receiving more than 16 CDDB responses. This could lead to a crash in grip and potentially execution of arbitrary code. A workaround is to disable CDDB lookups...
kpopup -- local root exploit and local denial of service
Mitre CVE reports: Format string vulnerability in main.cpp in kpopup 0.9.1-0.9.5pre2 allows local users to cause a denial of service (segmentation fault) and possibly execute arbitrary code via format string specifiers in command line arguments. misc.cpp in KPopup 0.9.1 trusts the PATH variable whe...
fetchmail -- address parsing vulnerability
Fetchmail can be crashed by a malicious email message...