PowerDNS Recursor: DNS Cache Poisoning
Background The PowerDNS Recursor is an advanced recursing nameserver. Description Amit Klein of Trusteer reported that insufficient randomness is used to calculate the TRXID values and the UDP source port numbers (CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior fix to resolve this iss...
CUPS: Integer overflow vulnerability
Background CUPS provides a portable printing layer for UNIX-based operating systems. Description Thomas Pollet reported a possible integer overflow vulnerability in the PNG image handling in the file filter/image-png.c. Impact A malicious user might be able to execute arbitrary code with the...
Sun JDK/JRE: Multiple vulnerabilities
Background The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment (JRE) provide the Sun Java platform. Description Multiple vulnerabilities have been discovered in Sun Java: Daniel Soeder discovered that a long codebase attribute string in a JNLP file will overflow a stack variable...
rsync: Execution of arbitrary code
Background rsync is a file transfer program to keep remote directories synchronized. Description Sebastian Krahmer of SUSE reported an integer overflow in the expand_item_list function in the file util.c which might lead to a heap-based buffer overflow when extended attribute (xattr) support is...
Poppler: User-assisted execution of arbitrary code
Background Poppler is a cross-platform PDF rendering library originally based on Xpdf. Description Kees Cook from the Ubuntu Security Team reported that the CairoFont::create function in the file CairoFontEngine.cc does not verify the type of an embedded font object inside a PDF file before...
PHP Toolkit: Data disclosure and Denial of service
Background PHP Toolkit is a utility to manage parallel installations of PHP within Gentoo. It is executed by the PHP ebuilds at setup. Description Toni Arnold, David Sveningsson, Michal Bartoszkiewicz, and Joseph reported that php-select does not quote parameters passed to the "tr" command, which...
Speex: User-assisted execution of arbitrary code
Background Speex is an audio compression format designed for speech that is free of patent restrictions. Description oCERT reported that the Speex library does not properly validate the "mode" value it derives from Speex streams, allowing for array indexing vulnerabilities inside multiple player...
libpng: Execution of arbitrary code
Background libpng is a free ANSI C library used to process and manipulate PNG images. Description Tavis Ormandy of the Google Security Team discovered that libpng does not handle zero-length unknown chunks in PNG files correctly, which might lead to memory corruption in applications that call...
Opera: Multiple vulnerabilities
Background Opera is a fast web browser that is available free of charge. Description Michal Zalewski reported two vulnerabilities, memory corruption when adding news feed sources from a website (CVE-2008-1761) as well as when processing HTML CANVAS elements to use scaled images (CVE-2008-1762)...
Asterisk: Multiple vulnerabilities
Background Asterisk is an open source telephony engine and tool kit. Description Asterisk upstream developers reported multiple vulnerabilities: The Call Detail Record Postgres logging engine (cdr_pgsql) does not correctly escape the ANI and DNIS arguments before using them in SQL statements...
gnome-screensaver: Privilege escalation
Background gnome-screensaver is a screensaver, designed to integrate with the Gnome desktop, that can replace xscreensaver. Description gnome-screensaver incorrectly handles the results of the getpwuid function in the file src/setuid.c when using directory servers like NIS during a network outage...
policyd-weight: Insecure temporary file creation
Background policyd-weight is a Perl policy daemon for the Postfix MTA intended to eliminate forged envelope senders and HELOs. Description Chris Howells reported that policyd-weight creates and uses the "/tmp/.policyd-weight/" directory in an insecure manner. Impact A local attacker could exploit...
am-utils: Insecure temporary file creation
Background am-utils is a collection of utilities for use with the Berkeley Automounter. Description Tavis Ormandy discovered that, when creating temporary files, the 'expn' utility does not check whether the file already exists. Impact A local attacker could exploit the vulnerability via a symlin...
Tomcat: Multiple vulnerabilities
Background Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages. Description The following vulnerabilities were reported: Delian Krustev discovered that the JULI logging component does not properly enforce access restrictions, allowing web...
lighttpd: Multiple vulnerabilities
Background lighttpd is a lightweight high-performance web server. Description Julien Cayzax discovered that an insecure default setting exists in mod_userdir in lighttpd. When userdir.path is not set the default value used is $HOME. It should be noted that the "nobody" user's $HOME is "/"...
PECL APC: Buffer Overflow
Background PECL Alternative PHP Cache (PECL APC) is a free, open, and robust framework for caching and optimizing PHP intermediate code. Description Daniel Papasian discovered a stack-based buffer overflow in the apc_search_paths function in the file apc.c when processing long filenames. Impact A...
NX: User-assisted execution of arbitrary code
Background NoMachine's NX establishes remote connections to X11 desktops over small bandwidth links. NX and NX Node are the compression core libraries, whereas NX is used by FreeNX and NX Node by the binary-only NX servers. Description Multiple integer overflow and buffer overflow vulnerabilities...
UnZip: User-assisted execution of arbitrary code
Background Info-ZIP's UnZip is a tool to list and extract files inside PKZIP compressed files. Description Tavis Ormandy of the Google Security Team discovered that the NEEDBITS macro in the inflate_dynamic function in the file inflate.c can be invoked using invalid buffers, which can lead to a...
MySQL: Multiple vulnerabilities
Background MySQL is a popular multi-threaded, multi-user SQL server. Description Multiple vulnerabilities have been reported in MySQL: Mattias Jonsson reported that a "RENAME TABLE" command against a table with explicit "DATA DIRECTORY" and "INDEX DIRECTORY" options would overwrite the file to...
OpenSSH: Privilege escalation
Background OpenSSH is a complete SSH protocol implementation that includes an SFTP client and server support. Description Two issues have been discovered in OpenSSH: Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH sessions using X11 forwarding even when it cannot bin...
bzip2: Denial of service
Background bzip2 is a free and open source lossless data compression program. Description The Oulu University discovered that bzip2 does not properly check offsets provided by the bzip2 file, leading to a buffer overread. Impact Remote attackers can entice a user or automated system to open a...
CUPS: Multiple vulnerabilities
Background CUPS provides a portable printing layer for UNIX-based operating systems. Description Multiple vulnerabilities have been reported in CUPS: regenrecht (VeriSign iDefense) discovered that the cgiCompileSearch function used in several CGI scripts in CUPS' administration interface does not...
MIT Kerberos 5: Multiple vulnerabilities
Background MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol. kadmind is the MIT Kerberos 5 administration daemon, KDC is the Key Distribution Center. Description Two vulnerabilities were found in the Kerberos 4 support in KDC: A global variable is not set for...
Wireshark: Denial of service
Background Wireshark is a network protocol analyzer with a graphical front-end. Description Multiple unspecified errors exist in the SCTP, SNMP, and TFTP dissectors. Impact A remote attacker could cause a Denial of Service by sending a malformed packet. Workaround Disable the SCTP, SNMP, and TFTP...
ssl-cert eclass: Certificate disclosure
Background The ssl-cert eclass is a code module used by Gentoo ebuilds to generate SSL certificates. Description Robin Johnson reported that the docert function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile or src_install, which will result in...
OpenLDAP: Denial of Service vulnerabilities
Background OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol. Description The following errors have been discovered in OpenLDAP: Tony Blake discovered an error which exists within the normalisation of "objectClasses" (CVE-2007-5707). Thomas Sesselmann...
ViewVC: Multiple vulnerabilities
Background ViewVC is a browser interface for CVS and Subversion version control repositories. Description Multiple unspecified errors were reportedly fixed by the ViewVC development team. Impact A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on...
Dovecot: Multiple vulnerabilities
Background Dovecot is a lightweight, fast and easy to configure IMAP and POP3 mail server. Description Dovecot uses the group configured via the "mail_extra_groups" setting, which should be used to create lockfiles in the /var/mail directory, when accessing arbitrary files (CVE-2008-1199). Dovecot do...
Adobe Acrobat Reader: Insecure temporary file creation
Background Acrobat Reader is a PDF reader released by Adobe. Description SUSE reported that the "acroread" wrapper script does not create temporary files in a secure manner when handling SSL certificates (CVE-2008-0883). Impact A local attacker could exploit this vulnerability to overwrite arbitrar...
MoinMoin: Multiple vulnerabilities
Background MoinMoin is an advanced, easy to use and extensible Wiki Engine. Description Multiple vulnerabilities have been discovered: A vulnerability exists in the file wikimacro.py because the macroGetval function does not properly enforce ACLs (CVE-2008-1099). A directory traversal vulnerability...
PCRE: Buffer overflow
Background PCRE is a Perl-compatible regular expression library. GLib includes a copy of PCRE. Description PCRE contains a buffer overflow vulnerability when processing a character class containing a very large number of characters with codepoints greater than 255. Impact A remote attacker could...
Website META Language: Insecure temporary file usage
Background Website META Language is a free and extensible Webdesigner's off-line HTML generation toolkit for Unix. Description Temporary files are handled insecurely in the files wmlbackend/p1ipp/ipp.src, wmlcontrib/wmg.cgi, and wmlbackend/p3eperl/eperlsys.c, allowing users to overwrite or delete...
LIVE555 Media Server: Denial of service
Background LIVE555 Media Server is a set of libraries for multimedia streaming. Description Luigi Auriemma reported a signedness error in the parseRTSPRequestString function when processing short RTSP queries. Impact A remote attacker could send a specially crafted RTSP query to the vulnerable...
Sarg: Remote execution of arbitrary code
Background Sarg (Squid Analysis Report Generator) is a tool that provides a wide range of information about the activities of Squid web proxy server users: time, sites, traffic, etc. Description Sarg doesn't properly check its input for abnormal content when processing Squid log files. Impact A remote attacker...
International Components for Unicode: Multiple vulnerabilities
Background International Components for Unicode is a set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. Description Will Drewry (Google Security) reported a vulnerability in the regular expression engine when using back references to capture \0...
Apache: Multiple vulnerabilities
Background The Apache HTTP server is one of the most popular web servers on the Internet. Description Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method specifier header is not properly sanitized when the HTTP return code is "413 Request Entity too large" (CVE-2007-6203). The...
MPlayer: Multiple buffer overflows
Background MPlayer is a media player including support for a wide range of audio and video formats. Description The following errors have been discovered in MPlayer: Felipe Manzano and Anibal Sacco (Core Security Technologies) reported an array indexing error in the file libmpdemux/demuxmov.c when...
PDFlib: Multiple buffer overflows
Background PDFlib is a library for generating PDF on the fly. Description poplix reported multiple boundary errors in the pdcfsearchfopen function when processing overly long filenames. Impact A remote attacker could send specially crafted content to a vulnerable application using PDFlib, possibl...
Cacti: Multiple vulnerabilities
Background Cacti is a web-based network graphing and reporting tool. Description The following inputs are not properly sanitized before being processed: "viewtype" parameter in the file graph.php, "filter" parameter in the file graphview.php, "action" and "loginusername" parameters in the file...
phpMyAdmin: SQL injection vulnerability
Background phpMyAdmin is a free web-based database administration tool. Description Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable of $_GET and $_POST as a source for its parameters. Impact An attacker could entice a user to visit a malicious web application that sets an...
Ghostscript: Buffer overflow
Background Ghostscript is a suite of software based on an interpreter for PostScript and PDF. Description Chris Evans (Google Security) discovered a stack-based buffer overflow within the zseticcspace function in the file zicc.c when processing a PostScript file containing a long "Range" array in a...
VLC: Multiple vulnerabilities
Background VLC is a cross-platform media player and streaming server. Description Multiple vulnerabilities were found in VLC: Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd, ParseSSA, and ParseVplayer functions in the...
Vobcopy: Insecure temporary file creation
Background Vobcopy is a tool for decrypting and copying DVD .vob files to a hard disk. Description Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. Impact A local attacker could exploit this vulnerability to conduct symlink attacks and append data...
lighttpd: Multiple vulnerabilities
Background lighttpd is a lightweight high-performance web server. Description lighttpd contains a calculation error when allocating the global file descriptor array (CVE-2008-0983). Furthermore, it sends the source of a CGI script instead of returning a 500 error (Internal Server Error) when the fork...
Evolution: Format string vulnerability
Background Evolution is a GNOME groupware application. Description Ulf Harnhammar from Secunia Research discovered a format string error in the emfmultipartencrypted function in the file mail/em-format.c when reading certain data (e.g. the "Version:" field) from an encrypted e-mail. Impact A remote...
Opera: Multiple vulnerabilities
Background Opera is a fast web browser that is available free of charge. Description Mozilla discovered that Opera does not handle input to file form fields properly, allowing scripts to manipulate the file path (CVE-2008-1080). Max Leonov found out that image comments might be treated as scripts,...
Win32 binary codecs: Multiple vulnerabilities
Background Win32 binary codecs provide support for video and audio playback. Description Multiple buffer overflow, heap overflow, and integer overflow vulnerabilities were discovered in the Quicktime plugin when processing MOV, FLC, SGI, H.264 and FPX files. Impact A remote attacker could entice ...
Paramiko: Information disclosure
Background Paramiko is a Secure Shell Server implementation written in Python. Description Dwayne C. Litzenberger reported that the file "common.py" does not properly use RandomPool when using threads or forked processes. Impact A remote attacker could predict the values generated by applications...
SWORD: Shell command injection
Background SWORD is a library for Bible study software. Description Dan Dennison reported that the diatheke.pl script used in SWORD does not properly sanitize shell meta-characters in the "range" parameter before processing it. Impact A remote attacker could provide specially crafted input to a...
SplitVT: Privilege escalation
Background SplitVT is a program for splitting terminals into two shells. Description Mike Ashton reported that SplitVT does not drop group privileges before executing the xprop utility. Impact A local attacker could exploit this vulnerability to gain the "utmp" group privileges. Workaround There ...