Lynx: Buffer overflow in NNTP processing
Background Lynx is a text-mode browser for the World Wide Web. It supports multiple URL types, including HTTP and NNTP URLs. Description When accessing an NNTP URL, Lynx connects to an NNTP server and retrieves information about the available articles in the target newsgroup. Ulf Harnhammar...
SPE: Insecure file permissions
Background SPE is a cross-platform Python Integrated Development Environment IDE. Description It was reported that due to an oversight all SPE's files are set as world-writeable. Impact A local attacker could modify the executable files, causing arbitrary code to be executed with the permissions ...
KOffice, KWord: RTF import buffer overflow
Background KOffice is an integrated office suite for KDE. KWord is the KOffice word processor. Description Chris Evans discovered that the KWord RTF importer was vulnerable to a heap-based buffer overflow. Impact An attacker could entice a user to open a specially-crafted RTF file, potentially...
OpenSSL: SSL 2.0 protocol rollback
Background OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols and a general-purpose cryptography library. Description Applications setting the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or the SSL_OP_ALL option, which implies it) can be forced by a third party to...
uw-imap: Remote buffer overflow
Background uw-imap is the University of Washington's IMAP and POP server daemons. Description Improper bounds checking of user supplied data while parsing IMAP mailbox names can lead to overflowing the stack buffer. Impact Successful exploitation requires an authenticated IMAP user to request a...
Weex: Format string vulnerability
Background Weex is a non-interactive FTP client typically used to update web pages. Description Ulf Harnhammar discovered a format string bug in Weex that can be triggered when it is first run or when its cache files are rebuilt, using the -r option. Impact An attacker could set up a malicious FTP...
xine-lib: Format string vulnerability
Background xine-lib is a multimedia library which can be utilized to create multimedia frontends. It includes functions to retrieve information about audio CD contents from public CDDB servers. Description Ulf Harnhammar discovered a format string bug in the routines handling CDDB server response...
RealPlayer, Helix Player: Format string vulnerability
Background RealPlayer is a multimedia player capable of handling multiple multimedia file formats. Helix Player is an open source media player for Linux. Description "c0ntex" reported that RealPlayer and Helix Player suffer from a heap overflow. Impact By enticing a user to play a specially craft...
Dia: Arbitrary code execution through SVG import
Background Dia is a gtk+ based diagram creation program released under the GPL license. Description Joxean Koret discovered that the SVG import plugin in Dia fails to properly sanitise data read from an SVG file. Impact An attacker could create a specially crafted SVG file, which, when imported...
Ruby: Security bypass vulnerability
Background Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby supports the safe execution of untrusted code using a safe level and taint flag mechanism. Description Dr. Yutaka Oiwa discovered that Ruby fails to properly enforce safe level protections...
Texinfo: Insecure temporary file creation
Background Texinfo is the official documentation system created by the GNU project. Description Frank Lichtenheld has discovered that the "sort_offline" function in texindex insecurely creates temporary files with predictable filenames. Impact A local attacker could create symbolic links in the...
Uim: Privilege escalation vulnerability
Background Uim is a multilingual input method library which provides secure and useful input method for all languages. Description Masanari Yamamoto discovered that Uim uses environment variables incorrectly. This bug causes a privilege escalation if setuid/setgid applications are linked to libui...
gtkdiskfree: Insecure temporary file creation
Background gtkdiskfree is a GTK-based GUI to show free disk space. Description Eric Romang discovered that gtkdiskfree insecurely creates a predictable temporary file to handle command output. Impact A local attacker could create a symbolic link in the temporary files directory, pointing to a val...
Berkeley MPEG Tools: Multiple insecure temporary files
Background The Berkeley MPEG Tools are a collection of utilities for manipulating MPEG video technology, including an encoder (mpeg_encode) and various conversion utilities. Description Mike Frysinger of the Gentoo Security Team discovered that mpeg_encode and the conversion utilities were creating...
Hylafax: Insecure temporary file creation in xferfaxstats script
Background Hylafax is a client-server fax package for class 1 and 2 fax modems. Description Javier Fernandez-Sanguino has discovered that xferfaxstats cron script supplied by Hylafax insecurely creates temporary files with predictable filenames. Impact A local attacker could create symbolic links...
AbiWord: RTF import stack-based buffer overflow
Background AbiWord is a free and cross-platform word processing program. It allows importing RTF files into AbiWord documents. Description Chris Evans discovered that the RTF import function in AbiWord is vulnerable to a stack-based buffer overflow. Impact An attacker could design a malicious RTF...
PHP: Vulnerabilities in included PCRE and XML-RPC libraries
Background PHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version of PHP, or can run stand-alone in a CLI. Description PHP makes use of a private copy of libpcre which is subject to an...
Qt: Buffer overflow in the included zlib library
Background Qt is a cross-platform GUI toolkit used by KDE. Description Qt links to a bundled vulnerable version of zlib when emerged with the zlib USE-flag disabled. This may lead to a buffer overflow. Impact By creating a specially crafted compressed data stream, attackers can overwrite data...
Webmin, Usermin: Remote code execution through PAM authentication
Background Webmin and Usermin are web-based system administration consoles. Webmin allows an administrator to easily configure servers and other features. Usermin allows users to configure their own accounts, execute commands, and read e-mails. Description Keigo Yamazaki discovered that the...
Mantis: XSS and SQL injection vulnerabilities
Background Mantis is a web-based bugtracking system written in PHP. Description Mantis fails to properly sanitize untrusted input before using it. This leads to an SQL injection and several cross-site scripting vulnerabilities. Impact An attacker could possibly use the SQL injection vulnerability...
util-linux: umount command validation error
Background util-linux is a suite of useful Linux programs including umount, a program used to unmount filesystems. Description When a regular user mounts a filesystem, they are subject to restrictions in the /etc/fstab configuration file. David Watson discovered that when unmounting a filesystem...
Zebedee: Denial of Service vulnerability
Background Zebedee is an application that establishes an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems. Description "Shiraishi.M" reported that Zebedee crashes when "0" is received as the port number in the protocol option header. Impact By performing malformed...
Clam AntiVirus: Multiple vulnerabilities
Background Clam AntiVirus is a GPL anti-virus toolkit, designed for integration with mail servers to perform attachment scanning. Clam AntiVirus also provides a command line scanner and a tool for fetching updates of the virus database. Description Clam AntiVirus is vulnerable to a buffer overflo...
Apache, mod_ssl: Multiple vulnerabilities
Background The Apache HTTP server is one of the most popular web servers on the Internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2. Description mod_ssl contains a security issue when "SSLVerifyClient optional" is configured in the global virtual...
Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities
Background The Mozilla Suite is a popular all-in-one web browser that includes a mail and news reader. Mozilla Firefox is the next-generation browser from the Mozilla project. Gecko is the layout engine used in both products. Description The Mozilla Suite and Firefox are both vulnerable to the...
Py2Play: Remote execution of arbitrary Python code
Background Py2Play is a peer-to-peer network game engine written in Python. Pickling is a Python feature that serializes Python objects into string representations called pickles, which can be sent over the network. Description Arc Riley discovered that Py2Play uses Python pickles to send...
Mailutils: Format string vulnerability in imap4d
Background The GNU Mailutils are a collection of mail-related utilities, including an IMAP4 server imap4d. Description The imap4d server contains a format string bug in the handling of IMAP SEARCH requests. Impact An authenticated IMAP user could exploit the format string error in imap4d to execu...
X.Org: Heap overflow in pixmap allocation
Background X.Org is X.Org Foundation's Public Implementation of the X Window System. Description X.Org is missing an integer overflow check during pixmap memory allocation. Impact An X.Org user could exploit this issue to make the X server execute arbitrary code with elevated privileges. Workarou...
Python: Heap overflow in the included PCRE library
Background Python is an interpreted, interactive, object-oriented, cross-platform programming language. The "re" Python module provides regular expression functions. Description The "re" Python module makes use of a private copy of libpcre which is subject to an integer overflow leading to a heap...
Squid: Denial of Service vulnerabilities
Background Squid is a full-featured Web proxy cache designed to run on Unix-like systems. It supports proxying and caching of HTTP, FTP, and other protocols, as well as SSL support, cache hierarchies, transparent caching, access control lists and many more features. Description Certain malformed...
Net-SNMP: Insecure RPATH
Background Net-SNMP is a suite of applications used to implement the Simple Network Management Protocol. Description James Cloos reported that Perl modules from the Net-SNMP package look for libraries in an untrusted location. This is due to a flaw in the Gentoo package, and not the Net-SNMP suit...
phpLDAPadmin: Authentication bypass
Background phpLDAPadmin is a web-based LDAP client allowing easy management of LDAP servers. Description Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration. Impact Anonymous...
OpenTTD: Format string vulnerabilities
Background OpenTTD is an open source clone of the simulation game "Transport Tycoon Deluxe" by Microprose. Description Alexey Dobriyan discovered several format string vulnerabilities in OpenTTD. Impact A remote attacker could exploit these vulnerabilities to crash the OpenTTD server or client an...
Gnumeric: Heap overflow in the included PCRE library
Background The Gnumeric spreadsheet is a versatile application developed as part of the GNOME Office project. libpcre is a library providing functions for Perl-compatible regular expressions. Description Gnumeric contains a private copy of libpcre which is subject to an integer overflow leading t...
MPlayer: Heap overflow in ad_pcm.c
Background MPlayer is a media player capable of handling multiple multimedia file formats. Description Sven Tantau discovered a heap overflow in the code handling the strf chunk of PCM audio streams. Impact An attacker could craft a malicious video or audio file which, when opened using MPlayer,...
pam_ldap: Authentication bypass vulnerability
Background pam_ldap is a Pluggable Authentication Module which allows authentication against LDAP directories. Description When a pam_ldap client attempts to authenticate against an LDAP server that omits the optional error value from the PasswordPolicyResponseValue, the authentication attempt will...
phpWebSite: Arbitrary command execution through XML-RPC and SQL injection
Background phpWebSite is a web site content management system. Description phpWebSite uses an XML-RPC library that improperly handles XML-RPC requests and responses with malformed nested tags. Furthermore, "matrixkiller" reported that phpWebSite is vulnerable to an SQL injection attack. Impact A...
phpGroupWare: Multiple vulnerabilities
Background phpGroupWare is a multi-user groupware suite written in PHP. Description phpGroupWare improperly validates the "mid" parameter retrieved via a forum post. The current version of phpGroupWare also adds several safeguards to prevent XSS issues, and disables the use of a potentially...
lm_sensors: Insecure temporary file creation
Background lm_sensors is a software package that provides drivers for monitoring the temperatures, voltages, and fans of Linux systems with hardware monitoring devices. Description Javier Fernandez-Sanguino Pena has discovered that lm_sensors insecurely creates temporary files with predictable...
PhpWiki: Arbitrary command execution through XML-RPC
Background PhpWiki is an application that creates a web site where anyone can edit the pages through HTML forms. Description Earlier versions of PhpWiki contain an XML-RPC library that improperly handles XML-RPC requests and responses with malformed nested tags. Impact A remote attacker could...
Apache 2.0: Denial of Service vulnerability
Background The Apache HTTP Server Project is a featureful, freely-available HTTP Web server. Description Filip Sneppe discovered that Apache improperly handles byterange requests to CGI scripts. Impact A remote attacker may access vulnerable scripts in a malicious way, exhausting all RAM and swap...
libpcre: Heap integer overflow
Background libpcre is a library providing functions for Perl-compatible regular expressions. Description libpcre fails to check certain quantifier values in regular expressions for sane values. Impact An attacker could possibly exploit this vulnerability to execute arbitrary code by sending...
Tor: Information disclosure
Background Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Description The Diffie-Hellman implementation of Tor fails to verify the cryptographic strength of keys which are used during handshakes. Impact By setting up a malicio...
PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
Background The PEAR XML-RPC and phpxmlrpc libraries are both PHP implementations of the XML-RPC protocol. Description Stefan Esser of the Hardened-PHP Project discovered that the PEAR XML-RPC and phpxmlrpc libraries were improperly handling XMLRPC requests and responses with malformed nested tags...
TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
Background TikiWiki is a full featured Free Software Wiki, CMS and Groupware written in PHP. eGroupWare is a web-based collaboration software suite. Both TikiWiki and eGroupWare include a PHP library to handle XML-RPC requests. Description The XML-RPC library shipped in TikiWiki and eGroupWare...
Evolution: Format string vulnerabilities
Background Evolution is a GNOME groupware application. Description Ulf Harnhammar discovered that Evolution is vulnerable to format string bugs when viewing attached vCards and when displaying contact information from remote LDAP servers or task list data from remote servers CAN-2005-2549. He als...
Kismet: Multiple vulnerabilities
Background Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system. Description Kismet is vulnerable to a heap overflow when handling pcap captures and to an integer underflow in the CDP protocol dissector. Impact With a specially crafted packet an attacker...
Adobe Reader: Buffer Overflow
Background Adobe Reader is a utility used to view PDF files. Description A buffer overflow has been reported within a core application plug-in, which is part of Adobe Reader. Impact An attacker may create a specially-crafted PDF file, enticing a user to open it. This could trigger a buffer overfl...
bluez-utils: Bluetooth device name validation vulnerability
Background bluez-utils are the utilities for use with the BlueZ implementation of the Bluetooth wireless standards for Linux. Description The name of a Bluetooth device is improperly validated by the hcid utility when a remote device attempts to pair itself with a computer. Impact An attacker cou...
Xpdf, Kpdf, GPdf: Denial of Service vulnerability
Background Xpdf, Kpdf and GPdf are PDF file viewers that run under the X Window System. Kpdf and GPdf both contain Xpdf code. Kpdf is also part of kdegraphics. Description Xpdf, Kpdf and GPdf do not handle a broken table of embedded TrueType fonts correctly. After detecting such a table, Xpdf, Kp...