Metamail: Buffer overflow
Background Metamail is a program that decodes MIME encoded mail. Description Ulf Harnhammar discovered a buffer overflow in Metamail when processing MIME boundaries. Impact By sending a specially crafted email, attackers could potentially exploit this vulnerability to crash Metamail or to execut...
Heimdal: rshd privilege escalation
Background Heimdal is a free implementation of Kerberos 5. Description An unspecified privilege escalation vulnerability in the rshd server of Heimdal has been reported. Impact Authenticated users could exploit the vulnerability to escalate privileges or to change the ownership and content of...
PEAR-Auth: Potential authentication bypass
Background PEAR-Auth is a PEAR package that provides methods to create a PHP based authentication system. Description Matt Van Gundy discovered that PEAR-Auth did not correctly validate data passed to the DB and LDAP containers. Impact A remote attacker could possibly exploit this vulnerability t...
Crypt::CBC: Insecure initialization vector
Background Crypt::CBC is a Perl module to encrypt data using cipher block chaining (CBC). Description Lincoln Stein discovered that Crypt::CBC fails to handle 16-byte-long initialization vectors correctly when running in the RandomIV mode, resulting in a weaker encryption because the second part ...
zoo: Buffer overflow
Background zoo is a file archiving utility for maintaining collections of files, written by Rahul Dhesi. Description zoo is vulnerable to a new buffer overflow due to insecure use of the strcpy function when trying to create an archive from certain directories or filenames. Impact An attacker cou...
Freeciv: Denial of service
Background Freeciv is an open source turn-based multiplayer strategy game, similar to the famous Civilization series. Description Luigi Auriemma discovered that Freeciv could be tricked into the allocation of enormous chunks of memory when trying to uncompress malformed data packages, possibly...
Cube: Multiple vulnerabilities
Background Cube is an open source first person shooter game engine supporting multiplayer via LAN or internet. Description Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in the sgetstr function (CVE-2006-1100) and that the sgetstr and getint functions fail to verify the length...
SquirrelMail: Cross-site scripting and IMAP command injection
Background SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP protocols. Description SquirrelMail does not validate the right_frame parameter in webmail.php, possibly allowing frame replacement or cross-site scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes...
flex: Potential insecure code generation
Background flex is a programming tool used to generate scanners (programs which recognize lexical patterns in text). Description Chris Moore discovered a buffer overflow in a special class of lexicographical scanners generated by flex. Only scanners generated by grammars which use either REJECT, or...
GnuPG: Incorrect signature verification
Background The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software that may be used without restriction, as it does not rely on any patented algorithms. GnuPG can be used to digitally sign messages, a method of ensuring the authenticity of a message using...
GNU tar: Buffer overflow
Background GNU tar is the standard GNU utility for creating and manipulating tar archives, a common format used for creating backups and distributing files on UNIX-like systems. Description Jim Meyering discovered a flaw in the handling of certain header fields that could result in a buffer...
zoo: Stack-based buffer overflow
Background zoo is a file archiving utility for maintaining collections of files, written by Rahul Dhesi. Description Jean-Sebastien Guay-Leroux discovered a boundary error in the fullpath function in misc.c when processing overly long file and directory names in ZOO archives. Impact An attacker...
IMAP Proxy: Format string vulnerabilities
Background IMAP Proxy (also known as up-imapproxy) proxies IMAP transactions between an IMAP client and an IMAP server. Description Steve Kemp discovered two format string errors in IMAP Proxy. Impact A remote attacker could design a malicious IMAP server and entice someone to connect to it using...
MPlayer: Multiple integer overflows
Background MPlayer is a media player capable of handling multiple multimedia file formats. Description MPlayer makes use of the FFmpeg library, which is vulnerable to a heap overflow in the avcodec_default_get_buffer function discovered by Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Securi...
teTeX, pTeX, CSTeX: Multiple overflows in included XPdf code
Background teTeX is a complete TeX distribution. It is used for creating and manipulating LaTeX documents. CSTeX is a TeX distribution with Czech and Slovak support. pTeX is an ASCII publishing TeX distribution. Description CSTeX, teTeX, and pTeX include XPdf code to handle PDF files. This XPdf...
WordPress: SQL injection vulnerability
Background WordPress is a PHP and MySQL based content management and publishing system. Description Patrik Karlsson reported that WordPress 1.5.2 makes use of an insufficiently filtered User Agent string in SQL queries related to comments posting. This vulnerability was already fixed in the...
noweb: Insecure temporary file creation
Background noweb is a simple, extensible, and language independent literate programming tool. Description Javier Fernandez-Sanguino has discovered that the lib/toascii.nw and shell/roff.mm scripts insecurely create temporary files with predictable filenames. Impact A local attacker could create...
GraphicsMagick: Format string vulnerability
Background GraphicsMagick is a collection of tools to read, write and manipulate images in many formats. Description The SetImageInfo function was found vulnerable to a format string mishandling. Daniel Kobras discovered that the handling of "%"-escaped sequences in filenames passed to the functi...
GPdf: heap overflows in included Xpdf code
Background GPdf is a Gnome PDF viewer. Description Dirk Mueller found a heap overflow vulnerability in the XPdf codebase when handling splash images that exceed size of the associated bitmap. Impact An attacker could entice a user to open a specially crafted PDF file with GPdf, potentially...
OpenSSH, Dropbear: Insecure use of system() call
Background OpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality. Dropbear is an SSH server and client designed with a small memory footprint that includes OpenSSH scp...
GnuPG: Incorrect signature verification
Background GnuPG (The GNU Privacy Guard) is a free replacement for PGP (Pretty Good Privacy). As GnuPG does not rely on any patented algorithms, it can be used without any restrictions. gpgv is the OpenPGP signature verification tool provided by the GnuPG system. Description Tavis Ormandy of the Gent...
BomberClone: Remote execution of arbitrary code
Background BomberClone is a remake of the classic game "BomberMan". It supports multiple players via IP network connection. Description Stefan Cornelius of the Gentoo Security team discovered multiple missing buffer checks in BomberClone's code. Impact By sending overly long error messages to the...
libtasn1, GNU TLS: Security flaw in DER decoding
Background Libtasn1 is a library used to parse ASN.1 (Abstract Syntax Notation One) objects, and perform DER (Distinguished Encoding Rules) decoding. Libtasn1 is included with the GNU TLS library, which is used by applications to provide a cryptographically secure communications channel. Description...
Sun JDK/JRE: Applet privilege escalation
Background Sun's JDK and JRE provide interpreters for Java Applets in a sandboxed environment. These implementations provide the Java Web Start technology that can be used for easy client-side deployment of Java applications. Description Applets executed using JRE or JDK can use "reflection" APIs...
ImageMagick: Format string vulnerability
Background ImageMagick is an application suite to manipulate and convert images. It is often used as a utility backend by web applications like forums, content management systems or picture galleries. Description The SetImageInfo function was found vulnerable to a format string mishandling. Danie...
KPdf: Heap based overflow
Background KPdf is a KDE-based PDF viewer included in the kdegraphics package. Description KPdf includes Xpdf code to handle PDF files. Dirk Mueller discovered that the Xpdf code is vulnerable to a heap based overflow in the splash rasterizer engine. Impact An attacker could entice a user to open a...
Xpdf, Poppler: Heap overflow
Background Xpdf is a PDF file viewer that runs under the X Window System. Poppler is a PDF rendering library based on the Xpdf 3.0 code base. Description Dirk Mueller has reported a vulnerability in Xpdf. It is caused by a missing boundary check in the splash rasterizer engine when handling PDF...
ADOdb: PostgreSQL command injection
Background ADOdb is an abstraction library for PHP creating a common API for a wide range of database backends. Description Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. Impact By sending specifically crafted requests to an application that uses ADOdb and a...
Apache: Multiple vulnerabilities
Background The Apache HTTP server is one of the most popular web servers on the Internet. mod_imap provides support for server-side image maps; mod_ssl provides secure HTTP connections. Description Apache's mod_imap fails to properly sanitize the "Referer" directive of imagemaps in some cases, leavi...
GStreamer FFmpeg plugin: Heap-based buffer overflow
Background The GStreamer FFmpeg plugin uses code from the FFmpeg library to provide fast colorspace conversion and multimedia decoders to the GStreamer open source media framework. Description The GStreamer FFmpeg plugin contains derived code from the FFmpeg library, which is vulnerable to a heap...
MyDNS: Denial of service
Background MyDNS is a DNS server using a MySQL database as a backend. It is designed to allow for fast updates and small resource usage. Description MyDNS contains an unspecified flaw that may allow a remote Denial of Service. Impact An attacker could cause a Denial of Service by sending malforme...
Xpdf, Poppler, GPdf, libextractor, pdftohtml: Heap overflows
Background Xpdf is a PDF file viewer that runs under the X Window System. Poppler is a PDF rendering library based on the Xpdf 3.0 code base. GPdf is a PDF file viewer for the GNOME 2 platform, also based on Xpdf. libextractor is a library which includes Xpdf code to extract arbitrary meta-data...
Paros: Default administrator password
Background Paros is an intercepting proxy between a web server and a client meant to be used for security assessments. It allows the user to watch and modify the HTTPS traffic. Description Andrew Christensen discovered that in older versions of Paros the database component HSQLDB is installed wit...
LibAST: Privilege escalation
Background LibAST is a utility library that was originally intended to accompany Eterm, but may be used by various other applications. Description Michael Jennings discovered an exploitable buffer overflow in the configuration engine of LibAST. Impact The vulnerability can be exploited to gain...
Trac: Cross-site scripting vulnerability
Background Trac is a minimalistic web-based project management, wiki and bug tracking system including a Subversion interface. Description Christophe Truc discovered that Trac fails to properly sanitize input passed in the URL. Impact A remote attacker could exploit this to inject and execute...
Gallery: Cross-site scripting vulnerability
Background Gallery is a web application written in PHP which is used to organize and publish photo albums. It allows multiple users to build and maintain their own albums. It also supports the mirroring of images on other servers. Description Peter Schumacher discovered that Gallery fails to...
KDE kjs: URI heap overflow vulnerability
Background KDE is a feature-rich graphical desktop environment for Linux and Unix-like Operating Systems. kjs is the javascript interpreter used in Konqueror and other parts of KDE. Description Maksim Orlovich discovered an incorrect bounds check in kjs when handling URIs. Impact By enticing a us...
Sun and Blackdown Java: Applet privilege escalation
Background Sun and Blackdown both provide implementations of the Java Development Kit (JDK) and Java Runtime Environment (JRE). Description Adam Gowdiak discovered multiple vulnerabilities in the Java Runtime Environment's Reflection APIs that may allow untrusted applets to elevate privileges. Impact...
Blender: Heap-based buffer overflow
Background Blender is an open source software for 3D modeling, animation, rendering, post-production, interactive creation and playback. Description Damian Put has reported a flaw due to an integer overflow in the "get_bhead" function, leading to a heap overflow when processing malformed ".blend"...
Wine: Windows Metafile SETABORTPROC vulnerability
Background Wine is a free implementation of Windows APIs for Unix-like systems. Description H D Moore discovered that Wine implements the insecure-by-design SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. Impact An attacker could entice a user to open a specially crafted Windows...
ClamAV: Remote execution of arbitrary code
Background ClamAV is a GPL virus scanner. Description Zero Day Initiative (ZDI) reported a heap buffer overflow vulnerability. The vulnerability is due to an incorrect boundary check of the user-supplied data prior to copying it to an insufficiently sized memory buffer. The flaw occurs when the...
xine-lib, FFmpeg: Heap-based buffer overflow
Background xine is a GPL high-performance, portable and reusable multimedia playback engine. xine-lib is xine's core engine. FFmpeg is a very fast video and audio converter and is used in xine-lib. Description Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to ...
mod_auth_pgsql: Multiple format string vulnerabilities
Background mod_auth_pgsql is an Apache2 module that allows user authentication against a PostgreSQL database. Description The error logging functions of mod_auth_pgsql fail to validate certain strings before passing them to syslog, resulting in format string vulnerabilities. Impact An unauthenticated...
VMware Workstation: Vulnerability in NAT networking
Background VMware Workstation is a powerful virtual machine for developers and system administrators. Description Tim Shelton discovered that vmnet-natd, the host module providing NAT-style networking for VMware guest operating systems, is unable to process incorrect 'EPRT' and 'PORT' FTP request...
HylaFAX: Multiple vulnerabilities
Background HylaFAX is an enterprise-class system for sending and receiving facsimile messages and for sending alpha-numeric pages. Description Patrice Fournier discovered that HylaFAX runs the notify script on untrusted user input. Furthermore, users can log in without a password when HylaFAX is...
KPdf, KWord: Multiple overflows in included Xpdf code
Background KPdf is a KDE-based PDF viewer included in the kdegraphics package. KWord is a KDE-based word processor also included in the koffice package. Description KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf code is vulnerable to several heap overflows (GLSA 200512-08) as...
pinentry: Local privilege escalation
Background pinentry is a collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol. Description Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that the pinentry ebuild incorrectly sets the permissions of the pinentry binaries upon installation, s...
XnView: Privilege escalation
Background XnView is an efficient multimedia viewer, browser and converter, distributed free for non-commercial use. Description Krzysiek Pawlik of Gentoo Linux discovered that the XnView package for IA32 used the DT_RPATH field insecurely, causing the dynamic loader to search for shared libraries...
scponly: Multiple privilege escalation issues
Background scponly is a restricted shell, allowing only a few predefined commands. It is often used as a complement to OpenSSH to provide access to remote users without providing any remote execution privileges. Description Max Vozeler discovered that the scponlyc command allows users to chroot...
OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil library
Background OpenMotif provides a free version of the Motif toolkit for open source applications. The OpenMotif libraries are included in the AMD64 x86 emulation X libraries, which emulate the x86 32-bit architecture on the AMD64 64-bit architecture. Description xfocus discovered two potential buff...