Qt: Buffer overflow
Background Qt is a cross-platform GUI framework, which is used e.g. by KDE. Description Dirk Mueller from the KDE development team discovered a boundary error in file qutfcodec.cpp when processing Unicode strings. Impact A remote attacker could send a specially crafted Unicode string to a...
ImageMagick: Multiple vulnerabilities
Background ImageMagick is a collection of tools and libraries for manipulating various image formats. Description regenrecht reported multiple infinite loops in functions ReadDCMImage and ReadXCFImage CVE-2007-4985, multiple integer overflows when handling certain types of images CVE-2007-4986,...
MLDonkey: Privilege escalation
Background MLDonkey is a peer-to-peer filesharing client that connects to several different peer-to-peer networks, including Overnet and BitTorrent. Description The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that the MLDonkey service can run under a user with low privileges...
HPLIP: Privilege escalation
Background The Hewlett-Packard Linux Imaging and Printing system HPLIP provides drivers for HP's inkjet and laser printers, scanners and fax machines. It integrates with the Common UNIX Printing System CUPS and Scanner Access Now Easy SANE. Description Kees Cook from the Ubuntu Security team...
OpenOffice.org: Heap-based buffer overflow
Background OpenOffice.org is an open source office productivity suite, including word processing, spreadsheet, presentation, drawing, data charting, formula editing, and file conversion facilities. Description iDefense Labs reported that the TIFF parsing code uses untrusted values to calculate...
Star: Directory traversal vulnerability
Background The Star program provides the ability to create and extract tar archives. Description Robert Buchholz of the Gentoo Security team discovered a directory traversal vulnerability in the has_dotdot() function, which does not identify "//.." (slash slash dot dot) sequences in file names inside tar...
TRAMP: Insecure temporary file creation
Background TRAMP is a remote file editing package for GNU Emacs, a highly extensible and customizable text editor. Description Stefan Monnier discovered that the tramp-make-tramp-temp-file function creates temporary files in an insecure manner. Impact A local attacker could create symbolic links ...
TikiWiki: Arbitrary command execution
Background TikiWiki is an open source content management system written in PHP. Description ShAnKaR reported that input passed to the "f" array parameter in tiki-graphformula.php is not properly verified before being used to execute PHP functions. Impact An attacker could execute arbitrary code...
util-linux: Local privilege escalation
Background util-linux is a suite of Linux programs including mount and umount, programs used to mount and unmount filesystems. Description Ludwig Nussel discovered that the check_special_mountprog() and check_special_umountprog() functions call setuid() and setgid() in the wrong order and do not check the...
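The ordering mistake in the util-linux entry is easy to reproduce in a few lines. The following is an added example, not util-linux code: drop_privs_wrong_order() has the shape of the bug (uid dropped before gid, return values ignored), and drop_privs() is the hardened form, which sets supplementary groups first, then the gid, then the uid, checks every return value, and verifies that root cannot be regained. The function names are my own.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Wrong order, nothing checked: the shape of the bug described above.
 * Once setuid() has dropped the effective uid, setgid() is refused with EPERM
 * (unless gid happens to be one of the caller's own group ids), so the process
 * keeps the original gid; with the return values ignored nobody notices. */
int drop_privs_wrong_order(uid_t uid, gid_t gid)
{
    int r = setuid(uid);   /* uid dropped first ... */
    r = setgid(gid);       /* ... so this fails; r is overwritten, never examined */
    (void)r;
    return 0;              /* reports success regardless */
}

/* Hardened version: supplementary groups, then gid, then uid, each return
 * value checked, and the drop verified before returning. */
int drop_privs(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, i.e. must run while still root; an
     * unprivileged caller has nothing to clear, so it is skipped there. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -errno;
    if (setgid(gid) != 0)        /* group first: still allowed because euid is 0 */
        return -errno;
    if (setuid(uid) != 0)        /* user last: this gives up the ability to change ids */
        return -errno;

    /* Verify the drop is real: after leaving uid 0 it must be impossible to get it back. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -EPERM;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Stand-alone run: "drop" to the ids we already have, which works unprivileged too. */
    int rc = drop_privs(getuid(), getgid());
    printf("drop_privs -> %d (uid=%ld gid=%ld)\n", rc, (long)getuid(), (long)getgid());
    return rc == 0 ? 0 : 1;
}
```

Run it as root with a real target uid/gid to see the difference: the wrong-order variant leaves getegid() unchanged and still returns 0, while drop_privs() either ends with all four ids set or reports the failing step.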
PDFKit, ImageKits: Buffer overflow
Background PDFKit is a framework for rendering of PDF content in GNUstep applications. ImageKits is a collection of frameworks to support imaging in GNUstep applications. Description Maurycy Prodeus discovered an integer overflow vulnerability possibly leading to a stack-based buffer overflow in...
The Sleuth Kit: Integer underflow
Background The Sleuth Kit is a collection of file system and media management forensic analysis tools. Description Jean-Sebastien Guay-Leroux reported an integer underflow in the file_printf() function of the "file" utility which is bundled with The Sleuth Kit CVE-2007-1536, GLSA 200703-26. Note tha
Balsa: Buffer overflow
Background Balsa is a highly configurable email client for GNOME. Description Evil Ninja Squirrel discovered a stack-based buffer overflow in the ir_fetch_seq() function when receiving a long response to a FETCH command CVE-2007-5007. Impact A remote attacker could entice a user to connect to a...
KDM: Local privilege escalation
Background KDM is the Display Manager for the graphical desktop environment KDE. It is part of the kdebase package. Description Kees Huijgen discovered an error when checking the credentials which can lead to a login without specifying a password. This only occurs when auto login is configured fo...
X.Org X server: Composite local privilege escalation
Background The X Window System is a graphical windowing system based on a client/server model. Description Aaron Plattner discovered a buffer overflow in the compNewPixmap function when copying data from a large pixel depth pixmap into a smaller pixel depth pixmap. Impact A local attacker could...
DenyHosts: Denial of service
Background DenyHosts is designed to monitor SSH servers for repeated failed login attempts. Description Daniel B. Cid discovered that DenyHosts used an incomplete regular expression to parse failed login attempts, a different issue than GLSA 200701-01. Impact A remote unauthenticated attacker can...
Ampache: Multiple vulnerabilities
Background Ampache is a PHP-based tool for managing, updating and playing audio files via a web interface. Description LT discovered that the "match" parameter in albums.php is not properly sanitized before being processed. The Ampache development team also reported an error when handling user...
SKK Tools: Insecure temporary file creation
Background SKK is a Japanese input method for Emacs. Description skkdic-expr.c insecurely writes temporary files to a location in the form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID. Impact A local attacker could create symbolic links in the directory where the temporary files ar
T1Lib: Buffer overflow
Background T1Lib is a library for rasterizing bitmaps from Adobe Type 1 fonts. Description Hamid Ebadi discovered a boundary error in the intT1_Env_GetCompletePath() function which can lead to a buffer overflow when processing an overly long filename. Impact A remote attacker could entice a user to...
X Font Server: Multiple Vulnerabilities
Background The X.Org X11 X Font Server provides a standard mechanism for an X server to communicate with a font renderer. Description iDefense reported that the xfs init script does not correctly handle a race condition when setting permissions of a temporary file CVE-2007-3103. Sean Larsson...
KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based buffer overflow
Background KOffice is an integrated office suite for KDE. KWord is the KOffice word processor. KPDF is a KDE-based PDF viewer included in the kdegraphics package. Description KPDF includes code from xpdf that is vulnerable to an integer overflow in the StreamPredictor::StreamPredictor function...
NX 2.1: User-assisted execution of arbitrary code
Background NoMachine's NX establishes remote connections to X11 desktops over small bandwidth links. NX and NX Node are the compression core libraries, whereas NX is used by FreeNX and NX Node by the binary-only NX servers. Description Chris Evans reported an integer overflow within the FreeType...
QGit: Insecure temporary file creation
Background QGit is a graphical interface to git repositories that allows you to browse revisions history, view patch content and changed files. Description Raphael Marichez discovered that the DataLoader::doStart method creates temporary files in an insecure manner and executes them. Impact A loc...
libsndfile: Buffer overflow
Background libsndfile is a library for reading and writing various formats of audio files including WAV and FLAC. Description Robert Buchholz of the Gentoo Security team discovered that the flac_buffer_copy() function does not correctly handle FLAC streams with variable block sizes which leads to a...
Tk: Buffer overflow
Background Tk is a toolkit for creating graphical user interfaces. Description Reinhard Max discovered a boundary error in Tk when processing an interlaced GIF with two frames where the second is smaller than the first one. Impact A remote attacker could entice a user to open a specially crafted...
PHP: Multiple vulnerabilities
Background PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Description Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip Olausson reported integer overflows in the gdImageCreate and...
libvorbis: Multiple vulnerabilities
Background libvorbis is the reference implementation of the Xiph.org Ogg Vorbis audio file format. It is used by many applications for playback of Ogg Vorbis files. Description David Thiel of iSEC Partners discovered a heap-based buffer overflow in the _01inverse() function in res0.c and a boundary...
OpenSSL: Multiple vulnerabilities
Background OpenSSL is an implementation of the Secure Socket Layer and Transport Layer Security protocols. Description Moritz Jodeit reported an off-by-one error in the SSL_get_shared_ciphers() function, resulting from an incomplete fix of CVE-2006-3738. A flaw has also been reported in the...
RPCSEC_GSS library: Buffer overflow
Background librpcsecgss is an implementation of RPCSEC_GSS for secure RPC communications. Description A stack-based buffer overflow has been discovered in the svcauth_gss_validate() function in file lib/rpc/svc_auth_gss.c when processing an overly long string in an RPC message. Impact A remote attacker...
Bugzilla: Multiple vulnerabilities
Background Bugzilla is a web application designed to help with managing software development. Description Masahiro Yamada found that from the 2.17.1 version, Bugzilla does not properly sanitize the content of the "buildid" parameter when filing bugs CVE-2007-4543. The next two vulnerabilities onl...
Lighttpd: Buffer overflow
Background Lighttpd is a lightweight HTTP web server. Description Mattias Bengtsson and Philip Olausson have discovered a buffer overflow vulnerability in the function fcgi_env_add() in the file mod_fastcgi.c when processing overly long HTTP headers. Impact A remote attacker could send a specially...
teTeX: Multiple buffer overflows
Background teTeX is a complete TeX distribution for editing documents. Description Mark Richters discovered a buffer overflow in the open_sty() function in file mkind.c. Other vulnerabilities have also been discovered in the same file but might not be exploitable CVE-2007-0650. teTeX also includes...
BEA JRockit: Multiple vulnerabilities
Background BEA JRockit provides tools, utilities, and a complete runtime environment for developing and running applications using the Java programming language. Description An integer overflow vulnerability exists in the embedded ICC profile image parser CVE-2007-2788, an unspecified vulnerabili...
rsync: Two buffer overflows
Background rsync is a file transfer program to keep remote directories synchronized. Description Sebastian Krahmer from the SUSE Security Team discovered two off-by-one errors in the function "fname" in file sender.c when processing overly long directory names. Impact A remote attacker could enti...
ClamAV: Multiple vulnerabilities
Background Clam AntiVirus is an open source GPL anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Description Nikolaos Rangos discovered a vulnerability in ClamAV which exists because the recipient address extracted from email messages is not properly sanitize...
Poppler: Two buffer overflow vulnerabilities
Background Poppler is a cross-platform PDF rendering library originally based on Xpdf. Description Poppler and Xpdf are vulnerable to an integer overflow in the StreamPredictor::StreamPredictor function, and a stack overflow in the StreamPredictor::getNextLine function. The original vulnerability...
PhpWiki: Authentication bypass
Background PhpWiki is an application that creates a web site where anyone can edit the pages through HTML forms. Description The PhpWiki development team reported an authentication error within the file lib/WikiUser/LDAP.php when binding to an LDAP server with an empty password. Impact A remote...
GDM: Local Denial of service
Background GDM is the GNOME display manager. Description The result of a g_strsplit() call is incorrectly parsed in the files daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c and gui/gdmflexiserver.c, allowing for a null pointer dereference. Impact A local user could send a crafted message to...
id3lib: Insecure temporary file creation
Background id3lib is an open-source, cross-platform software development library for reading, writing, and manipulating ID3v1 and ID3v2 tags. Description Nikolaus Schulz discovered that the function RenderV2ToFile in file src/tagfile.cpp creates temporary files in an insecure manner. Impact A loc...
GNU Tar: Directory traversal vulnerability
Background The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation. Description Dmitry V. Levin discovered a directory traversal vulnerability in the contains_dot_dot() function in file src/names.c. Impact By enticing a user to extract a special...
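Both the Star entry above (has_dotdot() missing "//..") and this GNU Tar entry come down to the same question: does the archive member name contain a ".." path component once consecutive slashes are accounted for? The following is an added illustration, not code from either project: has_dotdot_naive() reproduces the class of mistake (a component walker that assumes a non-empty component after every slash, so the ".." after "//" is swallowed), has_dotdot() is the corrected walker, and is_safe_member_name() is the check an extractor would apply. Function names and test inputs are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A component walker with the defect described in the Star and GNU tar
 * advisories: it assumes every '/' is followed by a non-empty component, so
 * after "//" the ".." that follows is consumed by the skip and never compared.
 * (Illustration only, not the projects' code.) */
bool has_dotdot_naive(const char *name)
{
    const char *p = name;
    while (*p) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
        /* skip to the next '/': consumes at least one byte even when *p is already '/' */
        do {
            if (*p++ == '\0')
                return false;
        } while (*p != '/');
        p++;   /* step over the '/'; if another '/' follows, the next component is lost */
    }
    return false;
}

/* Fixed walker: collapse any run of slashes before looking at a component,
 * so "a//../b", "a///..", "../x" and ".." are all caught, while "a..b" and
 * "a/..b" (legitimate names) are not. */
bool has_dotdot(const char *name)
{
    const char *p = name;
    while (*p) {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *end = p;
        while (*end && *end != '/')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p = end;
    }
    return false;
}

/* What an extractor should ask before creating anything from an archive member
 * name: not empty, not absolute, no ".." component. Symlink targets recorded in
 * the archive need the same test, because a directory symlink pointing outside
 * the extraction root turns later members into arbitrary-file writes. */
bool is_safe_member_name(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return false;
    return !has_dotdot(name);
}

int main(void)
{
    const char *names[] = { "foo/../bar", "foo//../bar", "../etc/passwd", "a..b/c", "/etc/passwd" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s naive=%d fixed=%d safe=%d\n", names[i],
               has_dotdot_naive(names[i]), has_dotdot(names[i]), is_safe_member_name(names[i]));
    return 0;
}
```

The "foo//../bar" line is the one that matters: the naive walker reports no traversal, the fixed one does.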
Eggdrop: Buffer overflow
Background Eggdrop is an IRC bot extensible with C or Tcl. Description Bow Sineath discovered a boundary error in the file mod/server.mod/servmsg.c when processing overly long private messages sent by an IRC server. Impact A remote attacker could entice an Eggdrop user to connect the bot to a...
flac123: Buffer overflow
Background flac123 is a command-line application for playing FLAC audio files. Description A possible buffer overflow vulnerability has been reported in the local__vcentry_parse_value() function in vorbiscomment.c. Impact An attacker could entice a user to play a specially crafted audio file, which cou
RealPlayer: Buffer overflow
Background RealPlayer is a multimedia player capable of handling multiple multimedia file formats. Description A stack-based buffer overflow vulnerability has been reported in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp when handling HH:mm:ss.f type time formats. Impact By...
KVIrc: Remote arbitrary code execution
Background KVIrc is a free portable IRC client based on Qt. Description Stefan Cornelius from Secunia Research discovered that the "parseIrcUrl" function in file src/kvirc/kernel/kvi_ircurl.cpp does not properly sanitise parts of the URI when building the command for KVIrc's internal script system...
po4a: Insecure temporary file creation
Background po4a is a set of tools for helping with the translation of documentation. Description The po4a development team reported a race condition in the gettextize function when creating the file "/tmp/gettextization.failed.po". Impact A local attacker could perform a symlink attack, possibly...
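Five entries on this page (TRAMP, SKK Tools, QGit, id3lib, po4a) are the same bug: a temporary file is created under a name a local user can predict, with an open that follows whatever is already sitting there. The following added example, not code from any of those projects, plays the attacker against three strategies: the insecure fopen-style open of a $TMPDIR/skkdic$PID-shaped name, the same name opened with O_CREAT|O_EXCL|O_NOFOLLOW, and mkstemp(). It returns 1 when the planted symlink caused the victim file to be overwritten. The directory and file names are my own, and the whole experiment runs inside a fresh mkdtemp() directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum tmp_mode { TMP_INSECURE, TMP_EXCL, TMP_MKSTEMP };

/* Open a scratch file in dir. The "skkdic<pid>.pag" pattern mirrors the
 * $TMPDIR/skkdic$PID.{pag,dir,db} form from the SKK advisory; the pid is
 * trivially predictable, so a local attacker can plant a symlink there first. */
static int open_tmp(enum tmp_mode mode, const char *dir, char *path, size_t n)
{
    switch (mode) {
    case TMP_INSECURE:
        snprintf(path, n, "%s/skkdic%ld.pag", dir, (long)getpid());
        /* Like fopen(path, "w"): truncates, follows symlinks, reuses an existing name. */
        return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    case TMP_EXCL:
        snprintf(path, n, "%s/skkdic%ld.pag", dir, (long)getpid());
        /* Same predictable name, but O_EXCL refuses any existing entry (a dangling
         * or live symlink included) and O_NOFOLLOW refuses to traverse one. */
        return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    case TMP_MKSTEMP:
    default:
        snprintf(path, n, "%s/skkdicXXXXXX", dir);
        /* Unpredictable suffix with O_CREAT|O_EXCL underneath: the standard fix. */
        return mkstemp(path);
    }
}

static void write_all(int fd, const char *s)
{
    ssize_t w = write(fd, s, strlen(s));
    (void)w;
}

/* Play the local attacker against one strategy. Returns 1 if the victim file
 * ends up overwritten, 0 if it survives, -1 on setup failure. */
int symlink_attack(enum tmp_mode mode)
{
    const char *base = getenv("TMPDIR");
    char dir[PATH_MAX], victim[PATH_MAX], planted[PATH_MAX], path[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/glsa-tmpdemo-XXXXXX", base && *base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/skkdic%ld.pag", dir, (long)getpid());

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* the file the attacker wants clobbered */
    if (fd < 0)
        return -1;
    write_all(fd, "original\n");
    close(fd);

    /* Attacker wins the race: the symlink exists before the program opens its temp file. */
    if (symlink(victim, planted) != 0)
        return -1;

    fd = open_tmp(mode, dir, path, sizeof path);
    if (fd >= 0) {
        write_all(fd, "clobbered\n");
        close(fd);
    }

    char buf[32] = {0};
    fd = open(victim, O_RDONLY);
    if (fd >= 0) {
        ssize_t r = read(fd, buf, sizeof buf - 1);
        (void)r;
        close(fd);
    }
    int clobbered = strcmp(buf, "clobbered\n") == 0;

    unlink(planted);
    unlink(victim);
    if (strcmp(path, planted) != 0)
        unlink(path);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("insecure open:      victim clobbered=%d\n", symlink_attack(TMP_INSECURE));
    printf("O_EXCL|O_NOFOLLOW:  victim clobbered=%d\n", symlink_attack(TMP_EXCL));
    printf("mkstemp:            victim clobbered=%d\n", symlink_attack(TMP_MKSTEMP));
    return 0;
}
```

O_EXCL alone already defeats the planted link (the open fails with EEXIST), but it still leaves the program with a name an attacker can occupy first, which is why mkstemp() is the fix that actually gets shipped.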
Streamripper: Buffer overflow
Background Streamripper is a tool for extracting and recording mp3 files from a Shoutcast stream. Description Chris Rohlf discovered several boundary errors in the httplib_parse_sc_header() function when processing HTTP headers. Impact A remote attacker could entice a user to connect to a malicious...
MIT Kerberos 5: Multiple vulnerabilities
Background MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol. kadmind is the MIT Kerberos 5 administration daemon. Description A stack buffer overflow CVE-2007-3999 has been reported in svcauth_gss_validate() of the RPC library of kadmind. Another vulnerability...
Opera: Multiple vulnerabilities
Background Opera is a multi-platform web browser. Description An error known as "a virtual function call on an invalid pointer" has been discovered in the JavaScript engine CVE-2007-4367. Furthermore, iDefense Labs reported that an already-freed pointer may be still used under unspecified...
Qt: Multiple format string vulnerabilities
Background Qt is a cross-platform GUI framework, which is used e.g. by KDE. Description Tim Brown of Portcullis Computer Security Ltd and Dirk Mueller of KDE reported multiple format string errors in qWarning calls in files qtextedit.cpp, qdatatable.cpp, qsqldatabase.cpp, qsqlindex.cpp,...
NVIDIA drivers: Denial of service
Background The NVIDIA drivers provide support for NVIDIA graphic boards. Description Gregory Shikhman discovered that the default Gentoo setup of NVIDIA drivers creates the /dev/nvidia* device nodes with insecure file permissions. Impact A local attacker could send arbitrary values into the devices, possibly...
Apache mod_jk: Directory traversal
Background Apache mod_jk is a connector for the Tomcat web server. Description Apache mod_jk decodes the URL within Apache before passing it to Tomcat, which decodes it a second time. Impact A remote attacker could browse a specially crafted URL on an Apache server running mod_jk, possibly gaini
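The double-decoding problem in the mod_jk entry can be shown end to end with a percent-decoder and a simulated front end and back end. This is an added example, not mod_jk or Tomcat code: the front end decodes once and applies an access rule (no ".." component), the back end decodes the already-decoded URL again, and traversal_bypass() reports whether a request passed the front end yet resolved to a traversal at the back end. With strict=true the front end additionally refuses any '%' that survives one decode, which is what closes the hole. The access rule, paths and function names are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of percent-decoding. Returns the decoded length, or -1 if a '%' is
 * not followed by two hex digits or the output does not fit. */
int url_decode(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0)
                return -1;
            c = hi * 16 + lo;
            p += 2;
        }
        if (o + 1 >= n)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Decode once into a static buffer; returns "" on malformed input. */
const char *decode_once(const char *raw)
{
    static char buf[256];
    if (url_decode(raw, buf, sizeof buf) < 0)
        buf[0] = '\0';
    return buf;
}

/* ".." as a path component. URL paths reach this point slash-normalised, so a
 * plain substring test is sufficient for the demonstration. */
bool has_traversal(const char *path)
{
    size_t len = strlen(path);
    return strstr(path, "/../") != NULL || strncmp(path, "../", 3) == 0
        || strcmp(path, "..") == 0 || (len >= 3 && strcmp(path + len - 3, "/..") == 0);
}

/* Front end (the Apache side): decode once, then apply the access rule.
 * strict=true adds the fix: a '%' surviving one decode means the client
 * double-encoded, and the request is refused instead of forwarded. */
bool frontend_allows(const char *raw, bool strict)
{
    char once[256];
    if (url_decode(raw, once, sizeof once) < 0)
        return false;
    if (has_traversal(once))
        return false;
    if (strict && strchr(once, '%') != NULL)
        return false;
    return true;
}

/* Back end (the Tomcat side in the advisory): receives the once-decoded URL
 * and decodes it a second time. Reports whether it now sees a traversal. */
bool backend_sees_traversal(const char *raw)
{
    char once[256], twice[256];
    if (url_decode(raw, once, sizeof once) < 0)
        return false;
    if (url_decode(once, twice, sizeof twice) < 0)
        return false;
    return has_traversal(twice);
}

/* The whole chain: past the front-end rule and still a ".." at the back end? */
bool traversal_bypass(const char *raw, bool strict_frontend)
{
    return frontend_allows(raw, strict_frontend) && backend_sees_traversal(raw);
}

int main(void)
{
    const char *single = "/app/%2e%2e/secret";    /* constructed: one layer of encoding */
    const char *dbl = "/app/%252e%252e/secret";   /* constructed: "%25" is an encoded '%' */
    printf("%-26s frontend=%d bypass=%d\n", single, frontend_allows(single, false), traversal_bypass(single, false));
    printf("%-26s frontend=%d bypass=%d\n", dbl, frontend_allows(dbl, false), traversal_bypass(dbl, false));
    printf("%-26s strict: frontend=%d bypass=%d\n", dbl, frontend_allows(dbl, true), traversal_bypass(dbl, true));
    return 0;
}
```

The general rule the example encodes: decode exactly once, at one layer, and run every access check on the fully decoded form; a second decoder behind the check turns any '%' you let through into a bypass.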