3816 matches found
Samba: Data disclosure
Background: Samba is a suite of SMB and CIFS client/server programs. Description: Samba does not properly check memory boundaries when handling trans, trans2, and nttrans requests. Impact: A remote attacker could send specially crafted requests to a Samba daemon, leading to the disclosure of arbitrar...
PDFjam: Multiple vulnerabilities
Background: PDFjam is a small collection of shell scripts to edit PDF documents, including pdfnup, pdfjoin and pdf90. Description: Martin Vaeth reported multiple untrusted search path vulnerabilities (CVE-2008-5843). Marcus Meissner of the SUSE Security Team reported that temporary files are created...
gEDA: Insecure temporary file creation
Background: gEDA is an Electronic Design Automation tool used for electrical circuit design. Description: Dmitry E. Oboukhov reported an insecure temporary file usage within the sch2eaglepos.sh script. Impact: A local attacker could perform symlink attacks to overwrite arbitrary files with the...
Irrlicht: User-assisted execution of arbitrary code
Background: The Irrlicht Engine is an open source cross-platform high performance realtime 3D engine written in C++. Description: An unspecified component of the B3D loader is vulnerable to a buffer overflow due to missing boundary checks. Impact: A remote attacker could entice a user to open a...
OpenTTD: Execution of arbitrary code
Background: OpenTTD is a clone of Transport Tycoon Deluxe. Description: Multiple buffer overflows have been reported in OpenTTD, when storing long for client names (CVE-2008-3547), in the TruncateString function in src/gfx.cpp (CVE-2008-3576) and in src/openttd.cpp when processing a large filename...
Audacity: User-assisted execution of arbitrary code
Background: Audacity is a free cross-platform audio editor. Description: Houssamix discovered a boundary error in the Stringparse::getnonspacequoted function in lib-src/allegro/strparse.cpp. Impact: A remote attacker could entice a user into importing a specially crafted .gro file, resulting in the...
ZNC: Privilege escalation
Background: ZNC is an advanced IRC bouncer. Description: cnu discovered multiple CRLF injection vulnerabilities in ZNC's webadmin module. Impact: A remote authenticated attacker could modify the znc.conf configuration file and gain privileges via newline characters in e.g. the QuitMessage field, and...
Vinagre: User-assisted execution of arbitrary code
Background: Vinagre is a VNC Client for the GNOME Desktop. Description: Alfredo Ortega (Core Security Technologies) reported a format string error in the vinagreutilsshowerror function in src/vinagre-utils.c. Impact: A remote attacker could entice a user into opening a specially crafted .vnc file or...
DevIL: User-assisted execution of arbitrary code
Background: Developer's Image Library (DevIL) is a cross-platform image library. Description: Stefan Cornelius (Secunia Research) discovered two boundary errors within the iGetHdrHeader function in src-IL/src/ilhdr.c. Impact: A remote attacker could entice a user to open a specially crafted Radiance RGB...
KTorrent: Multiple vulnerabilities
Background: KTorrent is a BitTorrent program for KDE. Description: The web interface plugin does not restrict access to the torrent upload functionality (CVE-2008-5905) and does not sanitize request parameters properly (CVE-2008-5906). Impact: A remote attacker could send specially crafted parameters t...
GNU Emacs, XEmacs: Multiple vulnerabilities
Background: GNU Emacs and XEmacs are highly extensible and customizable text editors. edit-utils are miscellaneous extensions to XEmacs. Description: Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By shipping a .flc accompanying a source file (.c for example) and setting...
xterm: User-assisted arbitrary commands execution
Background: xterm is a terminal emulator for the X Window system. Description: Paul Szabo reported an insufficient input sanitization when processing Device Control Request Status String (DECRQSS) sequences. Impact: A remote attacker could entice a user to display a file containing specially crafted...
Valgrind: Untrusted search path
Background: Valgrind is an open-source memory debugger. Description: Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the current working directory, executing commands specified there. Impact: A local attacker could prepare a specially crafted .valgrindrc file and entice a user to ru...
OpenSSL: Certificate validation error
Background: OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Description: The Google Security Team reported that several functions incorrectly check the result after calling the...
sudo: Privilege escalation
Background: sudo allows a system administrator to give users the ability to run commands as other users. Description: Harald Koenig discovered that sudo incorrectly handles group specifications in RunasAlias and related entries when a group is specified in the list using %group syntax, to allow a...
Scilab: Insecure temporary file usage
Background: Scilab is a scientific software package for numerical computations. Description: Dmitry E. Oboukhov reported an insecure temporary file usage within the scilink, scidoc and scidem scripts. Impact: A local attacker could perform symlink attacks to overwrite arbitrary files with the...
Net-SNMP: Denial of service
Background: Net-SNMP is a collection of tools for generating and retrieving SNMP data. Description: Oscar Mira-Sanchez reported an integer overflow in the netsnmpcreatesubtreecache function in agent/snmpagent.c when processing GETBULK requests. Impact: A remote attacker could send a specially crafte...
Pidgin: Multiple vulnerabilities
Background: Pidgin (formerly Gaim) is an instant messaging client for a variety of instant messaging protocols. It is based on the libpurple instant messaging library. Description: Multiple vulnerabilities have been discovered in Pidgin and the libpurple library: A participant to the TippingPoint ZDI...
noip-updater: Execution of arbitrary code
Background: noip-updater is a tool used for updating IP addresses of dynamic DNS records at no-ip.com. Description: xenomuta found out that the GetNextLine function in noip2.c misses a length check, leading to a stack-based buffer overflow. Impact: A remote attacker could exploit this vulnerability ...
GnuTLS: Certificate validation error
Background: GnuTLS is an open-source implementation of TLS 1.0 and SSL 3.0. Description: Martin von Gagern reported that the gnutlsx509verifycertificate function in lib/x509/verify.c trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate. Impact: A...
Avahi: Denial of service
Background: Avahi is a system that facilitates service discovery on a local network. Description: Hugo Dias reported a failed assertion in the originatesfromlocallegacyunicastsocket function in avahi-core/server.c when processing mDNS packets with a source port of 0. Impact: A remote attacker could...
Adobe Reader: User-assisted execution of arbitrary code
Background: Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. Description: An unspecified vulnerability can be triggered by a malformed PDF document, as demonstrated by 2008-HI2.pdf (CVE-2008-2549). Peter Vreugdenhil, Dyon Balding, Will Dormann, Damian Frizza, and Greg MacManu...
MPlayer: Multiple vulnerabilities
Background: MPlayer is a media player including support for a wide range of audio and video formats. Description: Multiple vulnerabilities have been reported in MPlayer: A stack-based buffer overflow was found in the strreadpacket function in libavformat/psxstr.c when processing crafted STR files...
Online-Bookmarks: Multiple vulnerabilities
Background: Online-Bookmarks is a web-based bookmark management system to store your bookmarks, favorites and links. Description: The following vulnerabilities were reported: Authentication bypass when directly requesting certain pages (CVE-2004-2155). Insufficient input validation in the login...
NDISwrapper: Arbitrary remote code execution
Background: NDISwrapper is a Linux kernel module that enables the use of Microsoft Windows drivers for wireless network devices. Description: Anders Kaseorg reported multiple buffer overflows related to long ESSIDs. Impact: A physically proximate attacker could send packets over a wireless network...
Tremulous: User-assisted execution of arbitrary code
Background: Tremulous is a team-based First Person Shooter game. Description: It has been reported that Tremulous includes a vulnerable version of the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236). Impact: A remote attacker could entice a user to connect to a malicious games server, possibly resulti...
Streamripper: Multiple vulnerabilities
Background: Streamripper is a tool for extracting and recording mp3 files from a Shoutcast stream. Description: Stefan Cornelius from Secunia Research reported multiple buffer overflows in the httpparsescheader, httpgetpls and httpgetm3u functions in lib/http.c when parsing overly long HTTP headers...
pdnsd: Denial of Service and cache poisoning
Background: pdnsd is a proxy DNS server with permanent caching that is designed to cope with unreachable DNS servers. Description: Two issues have been reported in pdnsd: The pexecquery function in src/dnsquery.c does not properly handle many entries in the answer section of a DNS reply, related to...
JHead: Multiple vulnerabilities
Background: JHead is an exif jpeg header manipulation tool. Description: Marc Merlin and John Dong reported multiple vulnerabilities in JHead: A buffer overflow in the DoCommand function when processing the cmd argument and related to potential string overflows (CVE-2008-4575). An insecure creation o...
D-Bus: Denial of service
Background: D-Bus is a daemon providing a framework for applications to communicate with one another. Description: schelte reported that the dbussignaturevalidate function can trigger a failed assertion when processing a message containing a malformed signature. Impact: A local user could send a...
VLC: Multiple vulnerabilities
Background: VLC is a cross-platform media player and streaming server. Description: Tobias Klein reported the following vulnerabilities: A stack-based buffer overflow when processing CUE image files in modules/access/vcd/cdrom.c (CVE-2008-5032). A stack-based buffer overflow when processing RealText...
Imlib2: User-assisted execution of arbitrary code
Background: Imlib2 is a replacement library from the Enlightenment project for libraries like libXpm. Description: Julien Danjou reported a pointer arithmetic error and a heap-based buffer overflow within the load function of the XPM image loader. Impact: A remote attacker could entice a user to proce...
Ampache: Insecure temporary file usage
Background: Ampache is a PHP based tool for managing, updating and playing audio files via a web interface. Description: Dmitry E. Oboukhov reported an insecure temporary file usage within the gather-messages.sh script. Impact: A local attacker could perform symlink attacks to overwrite arbitrary...
ClamAV: Multiple vulnerabilities
Background: Clam AntiVirus is a free anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Description: Moritz Jodeit reported an off-by-one error within the getunicodename function in libclamav/vbaextract.c when processing VBA project files (CVE-2008-5050). Ilja van...
phpCollab: Multiple vulnerabilities
Background: phpCollab is a web-enabled groupware and project management software written in PHP. It uses SQL-based database backends. Description: Multiple vulnerabilities have been found in phpCollab: rgod reported that data sent to general/sendpassword.php via the loginForm parameter is not...
PowerDNS: Multiple vulnerabilities
Background: The PowerDNS Nameserver is an authoritative-only nameserver which uses a flexible backend architecture. Description: Daniel Drown reported an error when receiving a HINFO CH query (CVE-2008-5277). Brian J. Dowling of Simplicity Communications discovered a previously unknown security...
Ruby: Multiple vulnerabilities
Background: Ruby is an interpreted object-oriented programming language. The elaborate standard library includes an HTTP server "WEBRick" and a class for XML parsing "REXML". Description: Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of...
JasPer: User-assisted execution of arbitrary code
Background: The JasPer Project is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 (jpeg2k) standard. Description: Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer: Multiple integer...
aview: Insecure temporary file usage
Background: aview is an ASCII image viewer and animation player. Description: Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file in an insecure manner when processing files. Impact: A local attacker could perform symlink attacks to overwrite arbitrary files on the system with th...
Dovecot: Multiple vulnerabilities
Background: Dovecot is an IMAP and POP3 server written with security primarily in mind. Description: Several vulnerabilities were found in Dovecot: The "k" right in the aclplugin does not work as expected (CVE-2008-4577, CVE-2008-4578). The dovecot.conf is world-readable, providing improper protection...
POV-Ray: User-assisted execution of arbitrary code
Background: POV-Ray is a well known open-source ray tracer. Description: POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray's buil...
Honeyd: Insecure temporary file creation
Background: Honeyd is a small daemon that creates virtual hosts on a network. Description: Dmitry E. Oboukhov reported an insecure temporary file usage within the "test.sh" script. Impact: A local attacker could perform symlink attacks and overwrite arbitrary files with the privileges of the user...
OpenOffice.org: Multiple vulnerabilities
Background: OpenOffice.org is an open source office productivity suite, including word processing, spreadsheet, presentation, drawing, data charting, formula editing, and file conversion facilities. Description: Two heap-based buffer overflows when processing WMF files (CVE-2008-2237) and EMF files...
Archive::Tar: Directory traversal vulnerability
Background: Archive::Tar is a Perl module for creation and manipulation of tar files. Description: Jonathan Smith of rPath reported that Archive::Tar does not check for ".." in file names. Impact: A remote attacker could entice a user or automated system to extract a specially crafted tar archive,...
OpenSC: Insufficient protection of smart card PIN
Background: OpenSC is a smart card application that allows reading and writing via PKCS#11. Description: Chaskiel M Grundman reported that OpenSC uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4. Impact: A...
CUPS: Multiple vulnerabilities
Background: CUPS is the Common Unix Printing System. Description: Several buffer overflows were found in: The readrle16 function in imagetops (CVE-2008-3639, found by regenrecht, reported via ZDI). The WriteProlog function in texttops (CVE-2008-3640, found by regenrecht, reported via ZDI). The...
Mgetty: Insecure temporary file usage
Background: Mgetty is a set of fax and voice modem programs. Description: Dmitry E. Oboukhov reported that the "spooldir" directory in fax/faxspool.in is created in an insecure manner. Impact: A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the...
IPsec-Tools: racoon Denial of service
Background: IPsec-Tools is a port of KAME's implementation of the IPsec utilities. It contains a collection of network monitoring tools, including racoon, ping, and ping6. Description: Two Denial of Service vulnerabilities have been reported in racoon: The vendor reported a memory leak in...
Mantis: Multiple vulnerabilities
Background: Mantis is a PHP/MySQL/Web based bugtracking system. Description: Multiple issues have been reported in Mantis: EgiX reported that manageprojpage.php does not correctly sanitize the sort parameter before passing it to createfunction in core/utilityapi.php (CVE-2008-4687). Privileges of...
enscript: User-assisted execution of arbitrary code
Background: enscript is a powerful ASCII to PostScript file converter. Description: Two stack-based buffer overflows in the readspecialescape function in src/psgen.c have been reported. Ulf Harnhammar of Secunia Research discovered a vulnerability related to the "setfilename" command (CVE-2008-3863),...