rssh: Privilege escalation
Background rssh is a restricted shell, allowing only a few commands like scp or sftp. It is often used as a complement to OpenSSH to provide limited access to users. Description Max Vozeler discovered that the rssh_chroot_helper command allows local users to chroot into arbitrary directories. Impac...
NBD Tools: Buffer overflow in NBD server
Background The NBD Tools are the Network Block Device utilities allowing one to use remote block devices over a TCP/IP network. It includes a userland NBD server. Description Kurt Fitzner discovered that the NBD server allocates a request buffer that fails to take into account the size of the rep...
Dropbear: Privilege escalation
Background Dropbear is an SSH server and client with a small memory footprint. Description Under certain conditions Dropbear could fail to allocate a sufficient amount of memory, possibly resulting in a buffer overflow. Impact By sending specially crafted data to the server, authenticated users...
Mantis: Multiple vulnerabilities
Background Mantis is a web-based bugtracking system written in PHP. Description Tobias Klein discovered that Mantis contains several vulnerabilities, including: a file upload vulnerability; an injection vulnerability in filters; an SQL injection vulnerability in the user-management page; a port...
CenterICQ: Multiple vulnerabilities
Background CenterICQ is a text-based instant messaging interface that supports multiple protocols. It includes the ktools library, which provides text-mode user interface controls. Description Gentoo developer Wernfried Haas discovered that when the "Enable peer-to-peer communications" option is...
Opera: Command-line URL shell command injection
Background Opera is a multi-platform web browser. Description Peter Zelezny discovered that the shell script used to launch Opera parses shell commands that are enclosed within backticks in the URL provided via the command line. Impact A remote attacker could exploit this vulnerability by enticin...
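The Opera entry above describes a launcher script that lets the shell expand backticks inside a URL taken from the command line. The following is an added example, not Opera's wrapper script: it reproduces that class of bug with a stand-in launcher (printf(1) plays the role of the browser, so the only effect is to echo what argv[1] became) and shows the two fixes, quoting the argument or bypassing the shell entirely. EVIL_URL, the function names and the metacharacter list are all constructed for the illustration.

```python
"""Added example, not Opera's launcher script: why splicing a command-line
URL into a string handed to the shell lets backtick (and $(...)) command
substitution run, and the two ways to stop it. printf(1) stands in for
the browser so the example only echoes what argv[1] turned into."""
import re
import shlex
import subprocess

# Constructed malicious URL: if the shell ever sees these backticks it
# runs 'echo INJECTED' and splices the output into the argument.
EVIL_URL = "http://example.invalid/`echo INJECTED`"


def launch_unsafe(url: str) -> str:
    """Vulnerable pattern: the argument becomes part of a shell command
    line (the same mistake as eval "$prog $url" in a wrapper script)."""
    cmd = "printf '%s' " + url
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def launch_quoted(url: str) -> str:
    """If a shell is unavoidable, quote the argument so it is one literal
    word; shlex.quote() wraps it in single quotes and escapes any embedded
    single quote."""
    cmd = "printf '%s' " + shlex.quote(url)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def launch_safe(url: str) -> str:
    """Preferred pattern: no shell at all. The argv list goes straight to
    execve(), so backticks, $(), ;, | and & are ordinary characters."""
    return subprocess.run(["printf", "%s", url], capture_output=True, text=True).stdout


# Constructed deny-list of characters /bin/sh treats specially.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")


def looks_like_shell_injection(url: str) -> bool:
    """Defence in depth for a wrapper you cannot rewrite: refuse URLs
    carrying shell metacharacters before they reach it."""
    return SHELL_META.search(url) is not None


if __name__ == "__main__":
    print("unsafe :", launch_unsafe(EVIL_URL))    # backticks were executed
    print("quoted :", launch_quoted(EVIL_URL))    # literal URL
    print("no-sh  :", launch_safe(EVIL_URL))      # literal URL
```

Only launch_safe removes the shell from the picture; launch_quoted is the fix for an existing shell wrapper, and the metacharacter check is a last line of defence rather than a substitute for either.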
Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities
Background Xpdf and GPdf are PDF file viewers that run under the X Window System. Poppler is a PDF rendering library based on Xpdf code. The Common UNIX Printing System (CUPS) is a cross-platform print spooler. It makes use of Xpdf code to handle PDF files. Description infamous41md discovered that...
cURL: Off-by-one errors in URL handling
Background cURL is a command line tool for transferring files with URL syntax, supporting numerous protocols. Description Stefan Esser from the Hardened-PHP Project has reported a vulnerability in cURL that allows for a local buffer overflow when cURL attempts to parse specially crafted URLs. The...
OpenLDAP, Gauche: RUNPATH issues
Background OpenLDAP is a suite of LDAP-related application and development tools. Gauche is an R5RS Scheme interpreter. Description Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths into the list of directories that are searched for libraries at runtime. Impact A local attacke...
Ethereal: Buffer overflow in OSPF protocol dissector
Background Ethereal is a feature-rich network protocol analyzer. It provides protocol analyzers for various network flows, including one for the Open Shortest Path First (OSPF) Interior Gateway Protocol. Description iDEFENSE reported a possible overflow due to the lack of bounds checking in the...
Xmail: Privilege escalation through sendmail
Background Xmail is an Internet and intranet mail server. Description iDEFENSE reported that the AddressFromAtPtr function in the sendmail program fails to check bounds on arguments passed from other functions, and as a result an exploitable stack overflow condition occurs when specifying the "-t...
Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol implementation
Background Openswan is an implementation of IPsec for Linux. IPsec-Tools is a port of KAME's implementation of the IPsec utilities, including racoon, an Internet Key Exchange daemon. Internet Key Exchange version 1 (IKEv1), a derivative of ISAKMP, is an important part of IPsec. IPsec is widely used t...
phpMyAdmin: Multiple vulnerabilities
Background phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the web. Description Stefan Esser from Hardened-PHP reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open...
Perl: Format string errors can lead to code execution
Background Perl is a stable, cross-platform programming language created by Larry Wall. It contains printf functions that allow construction of strings from format specifiers and parameters, like the C printf functions. A well-known class of vulnerabilities, called format string errors, result o...
Webmin, Usermin: Format string vulnerability
Background Webmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators. Description Jack Louis discovered that the Webmin and Usermin "miniserv.pl" web server component is vulnerable to a Perl...
Inkscape: Buffer overflow
Background Inkscape is an Open Source vector graphics editor using the W3C standard Scalable Vector Graphics (SVG) file format. Description Joxean Koret has discovered that Inkscape incorrectly allocates memory when opening an SVG file, creating the possibility of a buffer overflow if the SVG file...
chmlib, KchmViewer: Stack-based buffer overflow
Background chmlib is a library for dealing with Microsoft ITSS and CHM format files. KchmViewer is a CHM viewer that includes its own copy of the chmlib library. Description Sven Tantau reported a buffer overflow vulnerability in chmlib. The function "_chm_decompress_block" does not properly...
Macromedia Flash Player: Remote arbitrary code execution
Background The Macromedia Flash Player is a renderer for the popular SWF filetype which is commonly used to provide interactive websites, digital experiences and mobile content. Description When handling a SWF file, the Macromedia Flash Player incorrectly validates the frame type identifier store...
phpSysInfo: Multiple vulnerabilities
Background phpSysInfo displays various system stats via PHP scripts. Description Christopher Kunz from the Hardened-PHP Project discovered that phpSysInfo is vulnerable to local file inclusion, cross-site scripting and HTTP response splitting attacks. Impact A local attacker may exploit the fil...
eix: Insecure temporary file creation
Background eix is a small utility for searching ebuilds with indexing for fast results. Description Eric Romang discovered that eix creates a temporary file with a predictable name. eix creates a temporary file in /tmp/eix..sync where is the process ID of the shell running eix. Impact A local...
Horde Application Framework: XSS vulnerability
Background The Horde Application Framework is a general-purpose web application framework written in PHP, providing classes for handling preferences, compression, browser detection, connection tracking, MIME, and more. Description The Horde Team reported a potential XSS vulnerability. Horde fails...
FUSE: mtab corruption through fusermount
Background FUSE (Filesystem in Userspace) allows implementation of a fully functional filesystem in a userspace program. The fusermount utility is used to mount/unmount FUSE file systems. Description Thomas Biege discovered that fusermount fails to securely handle special characters specified in...
GNUMP3d: Directory traversal and insecure temporary file creation
Background GNUMP3d is a streaming server for MP3s, OGG vorbis files, movies and other media formats. Description Ludwig Nussel from SUSE Linux has identified two vulnerabilities in GNUMP3d. GNUMP3d fails to properly check for the existence of /tmp/index.lok before writing to the file, allowing fo...
Smb4k: Local unauthorized file access
Background Smb4K is an SMB/CIFS share browser for KDE. Description A vulnerability leading to unauthorized file access has been found. A pre-existing symlink from /tmp/sudoers and /tmp/super.tab to a text file will cause Smb4k to write the contents of these files to the target of the symlink, as...
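The eix, GNUMP3d and Smb4k entries above are all the same class of bug: a program writes to a fixed or guessable name in a shared directory, so a local user who gets there first can plant a symlink and redirect the write. The following is an added example, not code from any of those packages, that plays both roles in one process inside a private directory. The /tmp/eix.<pid>.sync naming pattern is taken from the eix entry; the PID value, file names and function names are constructed for the illustration.

```python
"""Added example, not code from eix, GNUMP3d or Smb4k: how a temporary
file with a predictable name in a shared directory (the eix advisory's
/tmp/eix.<pid>.sync pattern) lets a local user plant a symlink so the
victim's write lands in a file of the attacker's choosing, and why
mkstemp()-style O_CREAT|O_EXCL creation stops it. Both roles run in one
process inside a private directory so the demo is self-contained; the
PID is a constructed value."""
import os
import tempfile


def attacker_plants_symlink(tmpdir: str, pid: int, target: str) -> str:
    """Attacker: pre-create the name the victim is about to use as a
    symlink pointing at the file to be clobbered."""
    planted = os.path.join(tmpdir, f"eix.{pid}.sync")
    os.symlink(target, planted)
    return planted


def victim_writes_unsafe(tmpdir: str, pid: int, data: bytes) -> str:
    """Vulnerable pattern: predictable name, O_CREAT without O_EXCL.
    open() follows the planted symlink and truncates its target."""
    path = os.path.join(tmpdir, f"eix.{pid}.sync")
    with open(path, "wb") as fh:       # O_WRONLY|O_CREAT|O_TRUNC
        fh.write(data)
    return path


def create_exclusively(path: str) -> bool:
    """The fix for a name you must keep: O_EXCL makes creation fail with
    EEXIST if anything (including a symlink, dangling or not) is there."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def victim_writes_safe(tmpdir: str, data: bytes) -> str:
    """Hardened pattern: mkstemp() chooses an unpredictable name and opens
    it with O_CREAT|O_EXCL and mode 0600, so a planted link is never
    followed and the attacker cannot guess the name in advance."""
    fd, path = tempfile.mkstemp(prefix="eix.", suffix=".sync", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both patterns against a planted symlink and report what happened."""
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "victim_owned_file")
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        pid = 4242  # constructed; a real attacker reads it from ps(1) or /proc
        planted = attacker_plants_symlink(tmpdir, pid, target)

        victim_writes_unsafe(tmpdir, pid, b"sync data\n")
        with open(target, "rb") as fh:
            after_unsafe = fh.read()

        excl_created = create_exclusively(planted)   # refused: link exists

        safe_path = victim_writes_safe(tmpdir, b"other data\n")
        with open(target, "rb") as fh:
            after_safe = fh.read()

        return {
            "target_clobbered_by_unsafe": after_unsafe == b"sync data\n",
            "excl_open_refused_planted_link": not excl_created,
            "safe_name_is_unpredictable": os.path.basename(safe_path) != f"eix.{pid}.sync",
            "target_untouched_by_safe": after_safe == b"sync data\n",
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two ingredients of the fix are independent: O_EXCL alone stops the planted-link write but leaves a denial of service (the attacker can keep the name occupied), and an unpredictable name alone is only as good as the entropy behind it. mkstemp() gives both, which is why the advisories' fixes move to it or to an equivalent.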
GTK+ 2, GdkPixbuf: Multiple XPM decoding vulnerabilities
Background GTK+ (the GIMP Toolkit) is a toolkit for creating graphical user interfaces. The GdkPixbuf library provides facilities for image handling. It is available as a standalone library and also packaged with GTK+ 2. Description iDEFENSE reported a possible heap overflow in the XPM loader...
Sylpheed, Sylpheed-Claws: Buffer overflow in LDIF importer
Background Sylpheed is a lightweight email client and newsreader. Sylpheed-Claws is a 'bleeding edge' version of Sylpheed. They both support the import of address books in LDIF (Lightweight Directory Interchange Format). Description Colin Leroy reported buffer overflow vulnerabilities in Sylpheed a...
Scorched 3D: Multiple vulnerabilities
Background Scorched 3D is a clone of the classic "Scorched Earth" DOS game, adding features like a 3D island environment and Internet multiplayer capabilities. Description Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several...
PHP: Multiple vulnerabilities
Background PHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version and also stand-alone in a CLI. Description Multiple vulnerabilities have been found and fixed in PHP: a possible $GLOBALS...
Lynx: Arbitrary command execution
Background Lynx is a fully-featured WWW client for users running cursor-addressable, character-cell display devices such as vt100 terminals and terminal emulators. Description iDefense labs discovered a problem within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. D...
linux-ftpd-ssl: Remote buffer overflow
Background linux-ftpd-ssl is the netkit FTP server with encryption support. Description A buffer overflow vulnerability has been found in the linux-ftpd-ssl package. A command that generates an excessively long response from the server may overrun a stack buffer. Impact An attacker that has...
RAR: Format string and buffer overflow vulnerabilities
Background RAR is a powerful archive manager that can decompress RAR, ZIP and other files, and can create new archives in RAR and ZIP file format. Description Tan Chew Keong reported two vulnerabilities found in RAR: A format string error exists when displaying a diagnostic error message th...
OpenVPN: Multiple vulnerabilities
Background OpenVPN is a multi-platform, full-featured SSL VPN solution. Description The OpenVPN client contains a format string bug in the handling of the foreign_option in options.c. Furthermore, when the OpenVPN server runs in TCP mode, it may dereference a NULL pointer under specific error...
ClamAV: Multiple vulnerabilities
Background ClamAV is a GPL anti-virus toolkit, designed for integration with mail servers to perform attachment scanning. ClamAV also provides a command line scanner and a tool for fetching updates of the virus database. Description ClamAV has multiple security flaws: a boundary check was perform...
GNUMP3d: Directory traversal and XSS vulnerabilities
Background GNUMP3d is a streaming server for MP3s, OGG vorbis files, movies and other media formats. Description Steve Kemp reported two cross-site scripting attacks that are related to the handling of files (CVE-2005-3424, CVE-2005-3425). Also reported is a directory traversal vulnerability...
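Both GNUMP3d entries mention a directory traversal vulnerability, the class where a requested path such as ../../etc/passwd is mapped onto the media root without being confined to it. The following is an added example, not GNUMP3d's code, of the confinement check a file-serving program needs; it goes beyond the plain ".." case to cover percent-encoded segments, backslashes, NUL bytes and symlinks that point outside the root. The sample directory tree, request list and function names are constructed for the illustration.

```python
"""Added example, not GNUMP3d code: the document-root confinement check a
media server should run on every requested path before opening a file.
It demonstrates the traversal class in general: '..' segments,
percent-encoded '..', backslashes, NUL bytes and symlinks that point
outside the root. The sample tree is constructed in a temporary directory."""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def safe_join(root: str, requested: str) -> str:
    """Map a URL path onto root, or raise TraversalError if it escapes."""
    decoded = unquote(requested)                  # decode exactly once
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat backslash as a separator too; drop empty and '.' segments.
    parts = [p for p in decoded.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        raise TraversalError("parent-directory reference")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # realpath() resolves symlinks, so a link inside root that points
    # outside fails this prefix check as well.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise TraversalError("resolved path leaves document root")
    return candidate


# Constructed requests: the first two are legitimate, the rest are attacks.
REQUESTS = [
    "music/track.ogg",
    "/music/track.ogg",
    "../etc/passwd",
    "music/../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\etc\\passwd",
    "music/track.ogg%00.html",
    "shared/anything",          # 'shared' is a symlink out of the root
]


def demo() -> dict:
    """Build a tiny media root with one escaping symlink and classify REQUESTS."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "htdocs")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(root, "music"))
        os.makedirs(outside)
        with open(os.path.join(root, "music", "track.ogg"), "wb") as fh:
            fh.write(b"OggS")
        os.symlink(outside, os.path.join(root, "shared"))
        results = {}
        for req in REQUESTS:
            try:
                safe_join(root, req)
                results[req] = "served"
            except TraversalError as exc:
                results[req] = "rejected: " + str(exc)
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:32} {verdict}")
```

The prefix comparison against the realpath of the root is the part most implementations miss: rejecting ".." alone still serves a symlink that an attacker, or a careless administrator, placed inside the tree.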
fetchmail: Password exposure in fetchmailconf
Background fetchmail is a utility that retrieves and forwards mail from remote systems using IMAP, POP, and other protocols. It ships with fetchmailconf, a graphical utility used to create configuration files. Description Thomas Wolff discovered that fetchmailconf opens the configuration file wit...
giflib: Multiple vulnerabilities
Background giflib is a library for reading and writing GIF images. Description Chris Evans and Daniel Eisenbud independently discovered two out-of-bounds memory write operations and a NULL pointer dereference in giflib. Impact An attacker could craft a malicious GIF image and entice users to load...
QDBM, ImageMagick, GDAL: RUNPATH issues
Background QDBM is a library of routines for managing a database. ImageMagick is a collection of tools to read, write and manipulate images. GDAL is a geospatial data abstraction library. Description Some packages may introduce insecure paths into the list of directories that are searched for...
libgda: Format string vulnerabilities
Background libgda is the library handling the data abstraction layer in the Gnome data access architecture GNOME-DB. It can also be used by non-GNOME applications to manage data stored in databases or XML files. Description Steve Kemp discovered two format string vulnerabilities in the gdalogerro...
XLI, Xloadimage: Buffer overflow
Background XLI and Xloadimage are X11 image manipulation utilities. Description When XLI or Xloadimage process an image, they create a new image object to contain the new image, copying the title from the old image to the newly created image. Ariel Berkman reported that the 'zoom', 'reduce', and...
Ethereal: Multiple vulnerabilities in protocol dissectors
Background Ethereal is a feature-rich network protocol analyzer. Description There are numerous vulnerabilities in versions of Ethereal prior to 0.10.13, including: The SLIM3 and AgentX dissectors could overflow a buffer (CVE-2005-3243). iDEFENSE discovered a buffer overflow in the SRVLOC dissector...
TikiWiki: XSS vulnerability
Background TikiWiki is a web-based groupware and content management system (CMS), using PHP, ADOdb and Smarty. Description Due to improper input validation, TikiWiki can be exploited to perform cross-site scripting attacks. Impact A remote attacker could exploit this to inject and execute malicious...
SELinux PAM: Local password guessing attack
Background PAM (Pluggable Authentication Modules) is an architecture allowing the separation of the development of privilege granting software from the development of secure and appropriate authentication schemes. SELinux is an operating system based on Linux which includes Mandatory Access Control...
Mantis: Multiple vulnerabilities
Background Mantis is a web-based bugtracking system written in PHP. Description Mantis contains several vulnerabilities, including: a remote file inclusion vulnerability; an SQL injection vulnerability; multiple cross-site scripting vulnerabilities; multiple information disclosure vulnerabilities...
phpMyAdmin: Local file inclusion and XSS vulnerabilities
Background phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the web. Description Stefan Esser discovered that by calling certain PHP files directly, it was possible to work around the grab_globals.lib.php security model and overwrite the $cfg configuration...
Zope: File inclusion through RestructuredText
Background Zope is an application server that can be used to build content management systems, intranets, portals or other custom applications. Description Zope honors file inclusion directives in RestructuredText objects by default. Impact An attacker could exploit the vulnerability by sending...
cURL: NTLM username stack overflow
Background cURL is a command line tool and library for transferring files via many different protocols. It supports NTLM authentication to retrieve files from Windows-based systems. Description iDEFENSE reported that insufficient bounds checking on a memcpy of the supplied NTLM username can resul...
Netpbm: Buffer overflow in pnmtopng
Background Netpbm is a package of 220 graphics programs and a programming library, including pnmtopng, a tool to convert PNM image files to the PNG format. Description RedHat reported that pnmtopng is vulnerable to a buffer overflow. Impact An attacker could craft a malicious PNM file and entice ...
AbiWord: New RTF import buffer overflows
Background AbiWord is a free and cross-platform word processing program. It can import RTF files into AbiWord documents. Description Chris Evans discovered a different set of buffer overflows than the one described in GLSA 200509-20 in the RTF import function in AbiWord. Impact An attacker...
Perl, Qt-UnixODBC, CMake: RUNPATH issues
Background Perl is a stable, cross-platform programming language created by Larry Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform build environment. Description Some packages may introduce insecure paths into the list of directories that are searched for libraries at runtim...
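Three entries on this page (OpenLDAP/Gauche, QDBM/ImageMagick/GDAL, and Perl/Qt-UnixODBC/CMake) are the same RUNPATH class: a build leaves a directory a local user can write to, such as a build tree under /var/tmp, a relative path or an empty entry, in the binary's DT_RPATH or DT_RUNPATH, and the dynamic loader will then load an attacker-supplied library from it. The following is an added example, not Gentoo's or any listed package's code: a small reader for the DT_RPATH/DT_RUNPATH entries of an ELF64 little-endian file plus a classifier that flags the insecure entries. The classification rules, the build_fake_elf() helper (a constructed, non-loadable image for offline testing) and all function names are this example's own.

```python
"""Added example, not Gentoo's or any listed package's code: a checker for
the RUNPATH class the OpenLDAP/Gauche, QDBM/ImageMagick/GDAL and
Perl/Qt-UnixODBC/CMake advisories describe. The ELF reader handles 64-bit
little-endian files only; build_fake_elf() produces a constructed minimal
image for offline testing and is not a loadable binary."""
import os
import stat
import struct

DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6


def parse_dt_paths(data: bytes) -> list:
    """Return [(tag, path_string)] for every DT_RPATH/DT_RUNPATH entry."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example reads ELF64 little-endian only")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3a)
    # Elf64_Shdr fields used: sh_type @4, sh_offset @24, sh_size @32, sh_link @40
    shdrs = [struct.unpack_from("<4xI16xQQI", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = []
    for sh_type, off, size, link in shdrs:
        if sh_type != SHT_DYNAMIC:
            continue
        _, str_off, str_size, _ = shdrs[link]          # the .dynstr table
        strtab = data[str_off:str_off + str_size]
        for pos in range(off, off + size, 16):          # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in (DT_RPATH, DT_RUNPATH):
                end = strtab.index(b"\0", d_val)
                found.append(("DT_RPATH" if d_tag == DT_RPATH else "DT_RUNPATH",
                              strtab[d_val:end].decode()))
    return found


def _world_writable(path: str) -> bool:
    return os.path.isdir(path) and bool(os.stat(path).st_mode & stat.S_IWOTH)


def insecure_entries(runpath: str, writable=_world_writable) -> list:
    """Classify each colon-separated entry; `writable` is injectable so the
    rules can be exercised on constructed paths that do not exist."""
    bad = []
    for entry in runpath.split(":"):
        if entry == "":
            bad.append((entry, "empty entry: loader searches the current directory"))
        elif entry.startswith("$ORIGIN"):
            continue   # relative to the binary's own directory; fine unless that is writable
        elif not entry.startswith("/"):
            bad.append((entry, "relative path, resolved against the process cwd"))
        elif entry.startswith(("/tmp/", "/var/tmp/")):
            bad.append((entry, "temporary/build directory leaked into the binary"))
        elif writable(entry):
            bad.append((entry, "world-writable directory"))
    return bad


def audit_file(path: str) -> list:
    """Read one ELF file and return its insecure RUNPATH/RPATH entries."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(tag, e, why) for tag, rp in parse_dt_paths(data)
            for e, why in insecure_entries(rp)]


def build_fake_elf(runpath: str) -> bytes:
    """Constructed input: ELF header + .dynstr + .dynamic + 3 section headers."""
    dynstr = b"\0" + runpath.encode() + b"\0"
    dynamic = struct.pack("<qQ", DT_RUNPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)

    def shdr(sh_type, off, size, link):   # name,type,flags,addr,offset,size,link,info,align,entsize
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0) + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0)
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0,
                                 64, 56, 0, 64, 3, 0)
    return header + dynstr + dynamic + shdrs


if __name__ == "__main__":
    import sys
    for f in sys.argv[1:]:
        for tag, entry, why in audit_file(f):
            print(f"{f}: {tag} entry {entry!r}: {why}")
```

Run it as `python runpath_check.py /usr/lib64/*.so` (an assumed file name) to sweep a directory; readelf -d shows the same RUNPATH string if you want to cross-check a finding by hand.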
phpMyAdmin: Local file inclusion vulnerability
Background phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the web. Description Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php, the $redirect parameter was not correctly validated. Systems running PHP in safe mode are not affected...