imlib: Buffer overflows in image decoding
Background imlib is an advanced replacement library for image manipulation libraries like libXpm. It is called by numerous programs, including gkrellm and several window managers, to help in displaying images. Description Pavel Kankovsky discovered that several overflows found in the libXpm libra...
PDFlib: Multiple overflows in the included TIFF library
Background PDFlib is a library providing functions to handle PDF files. It includes a modified TIFF library used to process TIFF images. Description The TIFF library is subject to several known vulnerabilities (see GLSA 200410-11). Most of these overflows also apply to PDFlib. Impact A remote...
rssh, scponly: Unrestricted command execution
Background rssh and scponly are two restricted shells, allowing only a few predefined commands. They are often used as a complement to OpenSSH to provide access to remote users without providing any remote execution privileges. Description Jason Wies discovered that when receiving an authorized...
Sun and Blackdown Java: Applet privilege escalation
Background Sun and Blackdown both provide implementations of Java Development Kits (JDK) and Java Runtime Environments (JRE). All these implementations provide a Java plug-in that can be used to execute Java applets in a restricted environment for web browsers. Description All Java plug-ins are subje...
Open DC Hub: Remote code execution
Background Open DC Hub is the hub software for the Direct Connect file sharing network. Description Donato Ferrante discovered a buffer overflow vulnerability in the RedirectAll command of the Open DC Hub. Impact Upon exploitation, a remote user with administrative privileges can execute arbitrar...
phpMyAdmin: Multiple XSS vulnerabilities
Background phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL databases from a web-browser. Description Cedric Cochin has discovered multiple cross-site scripting vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited through the PmaAbsoluteUri...
phpWebSite: HTTP response splitting vulnerability
Background phpWebSite is a web site content management system. Description Due to lack of proper input validation, phpWebSite has been found to be vulnerable to HTTP response splitting attacks. Impact A malicious user could inject arbitrary response data, leading to content spoofing, web cache...
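Added example (not phpWebSite code, and not part of the advisory): the mechanism behind an HTTP response splitting bug, shown with a redirect whose Location header is built from an untrusted parameter. A value carrying CR/LF ends the header line early and supplies a second, attacker-authored response; the fix is to refuse control characters in header values before they are emitted. The function names and the ATTACK_LOCATION payload are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count HTTP status lines in a byte stream: one if it starts with "HTTP/", plus one for
 * every "HTTP/" that follows a CRLF.  A single well-formed response yields 1; a split
 * response yields 2 or more. */
static int count_status_lines(const char *stream) {
    int n = (strncmp(stream, "HTTP/", 5) == 0) ? 1 : 0;
    for (const char *p = stream; (p = strstr(p, "\r\nHTTP/")) != NULL; p += 2)
        n++;
    return n;
}

/* A header value may not contain CR, LF or any other control character; those are the
 * only bytes that can terminate the header line the value is placed on. */
static int header_value_is_safe(const char *value) {
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Emit a 302 redirect whose Location comes from an untrusted request parameter.
 * validate=0 splices the value in unchecked (the class of bug in the phpWebSite entry);
 * validate=1 refuses a value that fails header_value_is_safe and returns -1.
 * Returns the number of bytes written, or -1. */
static int build_redirect(char *out, size_t outsize, const char *location, int validate) {
    if (validate && !header_value_is_safe(location))
        return -1;
    int n = snprintf(out, outsize,
                     "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n",
                     location);
    return (n < 0 || (size_t)n >= outsize) ? -1 : n;
}

/* Constructed attack value, as it would look after URL-decoding a request parameter:
 * it closes the redirect early and supplies a complete second response of its own. */
static const char ATTACK_LOCATION[] =
    "http://example.invalid/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>";

int main(void) {
    char buf[1024];
    build_redirect(buf, sizeof buf, ATTACK_LOCATION, 0);
    printf("unchecked: %d response(s) in the stream\n", count_status_lines(buf));
    printf("validated: %s\n",
           build_redirect(buf, sizeof buf, ATTACK_LOCATION, 1) < 0 ? "refused" : "accepted");
    return 0;
}
```

The second response in the unchecked stream is what a shared cache or the victim's browser sees as the answer to the next request, which is where the content spoofing and cache poisoning in the Impact come from. Rejecting the value is the simplest fix; percent-encoding CR and LF is the alternative when the value must be preserved.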
Cyrus IMAP Server: Multiple remote vulnerabilities
Background The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. Description Multiple vulnerabilities have been discovered in the argument parsers of the 'partial' and 'fetch' commands of the Cyrus IMAP Server (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in t...
phpBB: Remote command execution
Background phpBB is an Open Source bulletin board package. Description phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code. Impact An attacker can exploit the highlighting vulnerability to access the PHP exec function without...
TWiki: Arbitrary command execution
Background TWiki is a Web-based groupware tool based around the concept of wiki pages that can be edited by anybody with a Web browser. Description The TWiki search function, which uses a shell command executed via the Perl backtick operator, does not properly escape shell metacharacters in the...
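Added example (not TWiki's code): what "does not properly escape shell metacharacters" means when a search term is spliced into a command line, and the escaping that closes the hole. The single-quote wrapping implemented by shell_quote is the standard Bourne-shell rule (nothing is special inside single quotes except the quote itself, which becomes '\''); the grep command line and the wiki data path are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains any byte /bin/sh treats specially when s is spliced in unquoted. */
static int has_shell_metachars(const char *s) {
    return strpbrk(s, "`$\\\"'|&;<>()*?[]{}~!# \t\n") != NULL;
}

/* Wrap s in single quotes for /bin/sh.  Inside single quotes nothing is interpreted, so
 * the only byte needing care is the quote itself, emitted as '\'' (close, escaped quote,
 * reopen).  Returns the length written, or -1 if out is too small. */
static int shell_quote(const char *s, char *out, size_t outsize) {
    size_t need = 2;                                   /* opening and closing quote */
    for (const char *p = s; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (need + 1 > outsize)
        return -1;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else            { *o++ = *p; }
    }
    *o++ = '\'';
    *o = '\0';
    return (int)(o - out);
}

/* Build the command a backtick-style search would run.  quote=0 reproduces the bug class
 * (term inserted verbatim); quote=1 inserts the single-quoted form.  Returns the length of
 * the command or -1. */
static int build_search_cmd(const char *term, int quote, char *out, size_t outsize) {
    char quoted[512];
    const char *arg = term;
    if (quote) {
        if (shell_quote(term, quoted, sizeof quoted) < 0)
            return -1;
        arg = quoted;
    }
    int n = snprintf(out, outsize, "grep -l -i %s /var/www/wiki/data/*.txt", arg);
    return (n < 0 || (size_t)n >= outsize) ? -1 : n;
}

int main(void) {
    /* Constructed search term as an attacker would type it into the search box. */
    const char *term = "foo; rm -rf /";
    char cmd[1024];
    build_search_cmd(term, 0, cmd, sizeof cmd);
    printf("unescaped: %s\n", cmd);
    build_search_cmd(term, 1, cmd, sizeof cmd);
    printf("quoted:    %s\n", cmd);
    printf("metachars present: %d\n", has_shell_metachars(term));
    return 0;
}
```

Quoting fixes the command string, but the stronger fix is to avoid the shell entirely: pass the term as one element of an argv array to execvp (or Perl's list-form system/exec), so there is no command line for metacharacters to act on.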
ProZilla: Multiple vulnerabilities
Background ProZilla is a download accelerator for Linux. Description ProZilla contains several exploitable buffer overflows in the code handling the network protocols. Impact A remote attacker could set up a malicious server and entice a user to retrieve files from that server using ProZilla. This...
pdftohtml: Vulnerabilities in included Xpdf
Background pdftohtml is a utility to convert PDF files to HTML or XML formats. It makes use of Xpdf code to decode PDF files. Description Xpdf is vulnerable to multiple integer overflows, as described in GLSA 200410-20. Impact An attacker could entice a user to convert a specially-crafted PDF fil...
unarj: Long filenames buffer overflow and a path traversal vulnerability
Background unarj is an ARJ archive decompressor. Description unarj has a bounds checking vulnerability within the handling of long filenames in archives. It also fails to properly sanitize paths when extracting an archive if the "x" option is used to preserve paths. Impact An attacker could trigg...
X.Org, XFree86: libXpm vulnerabilities
Background libXpm is a pixmap manipulation library for the X Window System, included in both X.Org and XFree86. Description Several issues were discovered in libXpm, including integer overflows, out-of-bounds memory accesses, insecure path traversal and an endless loop. Impact An attacker could...
Fcron: Multiple vulnerabilities
Background Fcron is a command scheduler with extended capabilities over cron and anacron. Description Due to design errors in the fcronsighup program, Fcron may allow a local user to bypass access restrictions (CAN-2004-1031), view the contents of root owned files (CAN-2004-1030), remove arbitrary...
SquirrelMail: Encoded text XSS vulnerability
Background SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support. Description SquirrelMail fails to properly sanitize certain strings when decoding specially-crafted headers. Impact By enticing a user to read a...
GIMPS, SETI@home, ChessBrain: Insecure installation
Background GIMPS is a client for the distributed Great Internet Mersenne Prime Search. SETI@home is the client for the Search for Extraterrestrial Intelligence (SETI) project. ChessBrain is the client for the distributed chess supercomputer. Description GIMPS, SETI@home and ChessBrain ebuilds insta...
BNC: Buffer overflow vulnerability
Background BNC (BouNCe) is an IRC proxy server. Description Leon Juranic discovered that BNC fails to do proper bounds checking when checking server response. Impact An attacker could exploit this to cause a Denial of Service and potentially execute arbitrary code with the permissions of the user...
Ruby: Denial of Service issue
Background Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications. Description Ruby's developers found and fixed an issue in the CGI module that can be triggered remotely and cause an infinite loop. Impact ...
ez-ipupdate: Format string vulnerability
Background ez-ipupdate is a utility for updating host name information for a large number of dynamic DNS services. Description Ulf Harnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate. Impact An attacker could exploit this to execute arbitrary...
Samba: Multiple vulnerabilities
Background Samba is a freely available SMB/CIFS implementation which allows seamless interoperability of file and print services to other SMB/CIFS clients. Description Samba fails to do proper bounds checking when handling TRANSACT2_QFILEPATHINFO replies. Additionally an input validation flaw exis...
Davfs2, lvm-user: Insecure tempfile handling
Background Davfs2 is a file system driver that allows you to mount a WebDAV server as a local disk drive. lvm-user is a package providing userland utilities for LVM (Logical Volume Management) 1.x features. Description Florian Schilhabel from the Gentoo Linux Security Audit Team found that Davfs2...
Apache 2.0: Denial of Service by memory consumption
Background The Apache HTTP Server is one of the most popular web servers on the Internet. Description Chintan Trivedi discovered a vulnerability in Apache httpd 2.0 that is caused by improper enforcing of the field length limit in the header-parsing code. Impact By sending a large amount of...
Pavuk: Multiple buffer overflows
Background Pavuk is a web spider and website mirroring tool. Description Pavuk contains several buffer overflow vulnerabilities in the code handling digest authentication and HTTP header processing. This issue is similar to GLSA 200407-19, but contains more vulnerabilities. Impact A remote attacker...
zip: Path name buffer overflow
Background zip is a compression and file packaging utility. Description zip does not check the resulting path length when doing recursive folder compression. Impact An attacker could exploit this by enticing another user or web application to create an archive including a specially-crafted path...
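Added example (not unarj's or zip's code) covering the two archive path problems in the unarj entry above and the zip entry here: a member name must not be allowed to escape the extraction directory (absolute paths and ".." components, the unarj "x" option case), and the joined result must be length-checked before it is copied into a fixed buffer (the check zip lacked). The safe_join name, the error codes and the sample member names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum { PATH_OK = 0, PATH_ABSOLUTE = -1, PATH_TRAVERSAL = -2, PATH_TOO_LONG = -3 };

/* Join dest and an archive member name into out.  Rejects names that would land outside
 * dest (absolute paths, DOS drive prefixes, any ".." component) and results that do not
 * fit in out.  Both '/' and '\' count as separators because ARJ and ZIP archives often
 * come from DOS tools. */
static int safe_join(const char *dest, const char *member, char *out, size_t outsize) {
    if (member[0] == '/' || member[0] == '\\')
        return PATH_ABSOLUTE;
    if (member[0] != '\0' && member[1] == ':')
        return PATH_ABSOLUTE;
    for (const char *p = member; *p; ) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return PATH_TRAVERSAL;
        p = *end ? end + 1 : end;
    }
    size_t dl = strlen(dest), ml = strlen(member);
    if (dl + 1 + ml + 1 > outsize)          /* dest + '/' + member + NUL */
        return PATH_TOO_LONG;
    memcpy(out, dest, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, member, ml + 1);
    return PATH_OK;
}

int main(void) {
    /* Constructed member names as an attacker could store them in an archive header. */
    const char *names[] = {"docs/readme.txt", "../../etc/passwd", "/etc/passwd", "a\\..\\b"};
    char out[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = safe_join("/srv/extract", names[i], out, sizeof out);
        printf("%-20s -> %s\n", names[i], rc == PATH_OK ? out : "rejected");
    }
    return 0;
}
```

The length check is deliberately done on the computed sizes before any copy; a strcpy/strcat into a PATH_MAX buffer is exactly the pattern the unarj "long filenames" overflow and the zip recursive-path overflow share.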
mtink: Insecure tempfile handling
Background mtink is a status monitor and inkjet cartridge changer for some Epson printers. Description Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure permissions on temporary files. Impact A local attacker could create symbolic links in the temporary files directory, pointing...
OpenSSL, Groff: Insecure tempfile handling
Background OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a general-purpose cryptography library. It includes the derchop script, which is used to convert DER-encoded certificates to PEM format. Groff (GNU Troff) is a typesetting package...
zgv: Multiple buffer overflows
Background zgv is a console image viewer based on svgalib. Description Multiple arithmetic overflows have been detected in the image processing code of zgv. Impact An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the...
Kaffeine, gxine: Remotely exploitable buffer overflow
Background Kaffeine and gxine are graphical front-ends for the xine-lib multimedia library. Description KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine...
Portage, Gentoolkit: Temporary file vulnerabilities
Background Portage is Gentoo's package management tool. The dispatch-conf utility allows for easy rollback of configuration file changes and automatic updates of configuration files never modified by users. Gentoolkit is a collection of Gentoo specific administration scripts, one of which is the...
ImageMagick: EXIF buffer overflow
Background ImageMagick is a collection of tools to read, write and manipulate images in many formats. Description ImageMagick fails to do proper bounds checking when handling image files with EXIF information. Impact An attacker could use an image file with specially-crafted EXIF information to...
Gallery: Cross-site scripting vulnerability
Background Gallery is a web application written in PHP which is used to organize and publish photo albums. It allows multiple users to build and maintain their own albums. It also supports the mirroring of images on other servers. Description Jim Paris has discovered a cross-site scripting...
shadow: Unauthorized modification of account information
Background shadow provides a set of utilities to deal with user accounts. Description Martin Schulze reported a flaw in the passwdcheck function in "libmisc/pwdcheck.c" which is used by chfn and chsh. Impact A logged-in local user with an expired password may be able to use chfn and chsh to chang...
Proxytunnel: Format string vulnerability
Background Proxytunnel is a program that tunnels connections to a remote server through a standard HTTPS proxy. Description Florian Schilhabel of the Gentoo Linux Security Audit project found a format string vulnerability in Proxytunnel. When the program is started in daemon mode (-a port), it...
GD: Integer overflow
Background The GD graphics library is an open source library which allows programmers to easily generate PNG, JPEG, GIF and WBMP images from many different programming languages. Description infamous41md found an integer overflow in the memory allocation procedure of the GD routine that handles...
MIME-tools: Virus detection evasion
Background MIME-tools is a Perl module containing functions to handle MIME attachments. Description MIME-tools doesn't correctly parse attachment boundaries with an empty name (boundary=""). Impact An attacker could send a carefully crafted email and evade detection on some email virus-scanning...
Apache 1.3: Buffer overflow vulnerability in mod_include
Background The Apache HTTP server is one of the most popular web servers on the Internet. mod_include is an Apache module to handle Server Side Includes (SSI). Description A possible buffer overflow exists in the get_tag function of mod_include.c. Impact If Server Side Includes (SSI) are enabled, a loca...
Speedtouch USB driver: Privilege escalation vulnerability
Background The speedtouch package contains a driver for the ADSL SpeedTouch USB modem. Description The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog system call. Impact A malicious local user cou...
libxml2: Remotely exploitable buffer overflow
Background libxml2 is an XML parsing library written in C. Description Multiple buffer overflows have been detected in the nanoftp and nanohttp modules. These modules are responsible for parsing URLs with ftp information, and resolving names via DNS. Impact An attacker could exploit an applicatio...
ppp: No denial of service vulnerability
Background ppp is a Unix implementation of the Point-to-Point Protocol. Description The pppd server improperly verifies header fields, potentially leading to a crash of the pppd process handling the connection. However, since a separate pppd process handles each ppp connection, this would not...
Cherokee: Format string vulnerability
Background Cherokee is an extra-light web server. Description Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string function. Impact Using a specially crafted URL when authenticating via auth_pam, a malicious user may ...
Archive::Zip: Virus detection evasion
Background Archive::Zip is a Perl module containing functions to handle ZIP archives. Description Archive::Zip can be used by email scanning software like amavisd-new to uncompress attachments before virus scanning. By modifying the uncompressed size of archived files in the global header of the...
GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
Background GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics package, is a KDE-based PDF viewer. KOffice is an integrated office suite for KDE. Description GPdf, KPDF and KOffice all include xpdf code to handle PDF files. xpdf is vulnerable to multiple integer overflows, as describe...
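Added example (not code from GD, xpdf, libXpm or zgv) serving the integer overflow entries on this page: GD's allocation-size overflow, the xpdf integer overflows inherited by pdftohtml, GPdf, KPDF and KOffice, the libXpm overflows, and zgv's arithmetic overflows. All share one shape: dimensions read from the file are multiplied to size a buffer, the product wraps, a small buffer is allocated, and the decoder then writes the full image into it. The checked computation below is the general fix; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes needed for width x height pixels at bpp bytes each, or 0 if the product does not
 * fit in size_t (or any dimension is zero).  Each multiplication is checked before it is
 * performed, so the result is either exact or an explicit refusal. */
static size_t image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bpp)
        return 0;
    size_t row = (size_t)width * bpp;
    if (row > SIZE_MAX / height)
        return 0;
    return row * height;
}

/* The unchecked arithmetic the fixes replaced, done in 32 bits on purpose so the wrap is
 * reproducible on 64-bit hosts: 65536 * 65536 * 1 wraps to 0, malloc(0) hands back a tiny
 * or empty block, and the decoder then writes width * height pixels past its end. */
static uint32_t image_bytes_wrapping32(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;   /* unsigned 32-bit arithmetic: wraps modulo 2^32 */
}

/* Allocate a zeroed pixel buffer only when the size computation is sound. */
static void *alloc_image(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t n = image_bytes_checked(width, height, bpp);
    if (n == 0)
        return NULL;
    return calloc(1, n);
}

int main(void) {
    /* Header fields as an attacker would set them in a crafted image. */
    uint32_t w = 65536, h = 65536, bpp = 1;
    printf("wrapping arithmetic: %u bytes\n", (unsigned)image_bytes_wrapping32(w, h, bpp));
    printf("checked arithmetic : %zu bytes (0 = refused)\n",
           image_bytes_checked(0xFFFFFFFFu, 0xFFFFFFFFu, 4));
    void *px = alloc_image(640, 480, 3);
    printf("640x480x3: %s\n", px ? "allocated 921600 bytes" : "refused");
    free(px);
    return 0;
}
```

Checking against SIZE_MAX / divisor before multiplying is the portable form; on compilers that provide __builtin_mul_overflow the same test is one call, and decoders should additionally cap dimensions at whatever the format or the application can sensibly handle, since a 4 GiB allocation that succeeds is still a denial of service.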
PuTTY: Pre-authentication buffer overflow
Background PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. Description PuTTY fails to do proper bounds checking on SSH2_MSG_DEBUG packets. The "stringlen" parameter value is incorrectly checked due to signedness issues. Note that...
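Added example, illustrative rather than PuTTY's source: how a signedness issue defeats a length check on a length-prefixed string such as the one in an SSH2_MSG_DEBUG packet, and a bounded parser of the kind the other "fails to do proper bounds checking" entries on this page (Cyrus IMAP, Samba, BNC, ImageMagick) needed. The packet bytes and function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t get_u32be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed decision: the 32-bit wire length lands in a signed int and is compared with
 * the buffer size as a signed number.  Any value >= 0x80000000 is negative, passes the
 * "is it too long?" test, and is then handed to memcpy, which takes a size_t.
 * Returns 1 if the copy would go ahead. */
static int length_accepted_signed(uint32_t wire_len, int bufsize) {
    int stringlen = (int)wire_len;   /* 0xFFFFFFFF becomes -1 on two's-complement hosts */
    return stringlen < bufsize;      /* -1 < 1024: accepted */
}

/* The same decision with the length kept unsigned. */
static int length_accepted_unsigned(uint32_t wire_len, size_t bufsize) {
    return wire_len < bufsize;
}

/* Bounded parser for a length-prefixed string: the declared length must be covered by the
 * bytes actually received and must leave room for the terminator.  Returns the length
 * copied, or -1 if the packet is rejected. */
static int read_string(const unsigned char *pkt, size_t pktlen, char *dst, size_t dstsize) {
    if (pktlen < 4)
        return -1;
    uint32_t len = get_u32be(pkt);
    if (len > pktlen - 4)      /* claims more payload than the packet carries */
        return -1;
    if (len >= dstsize)        /* would not fit together with a NUL terminator */
        return -1;
    memcpy(dst, pkt + 4, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    /* Constructed packets: a normal one, and one whose length field is 0xFFFFFFFF. */
    const unsigned char good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char huge[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};
    char dst[64];
    printf("signed check accepts 0xFFFFFFFF:   %d\n",
           length_accepted_signed(0xFFFFFFFFu, (int)sizeof dst));
    printf("unsigned check accepts 0xFFFFFFFF: %d\n",
           length_accepted_unsigned(0xFFFFFFFFu, sizeof dst));
    printf("read_string(good) = %d\n", read_string(good, sizeof good, dst, sizeof dst));
    printf("read_string(huge) = %d\n", read_string(huge, sizeof huge, dst, sizeof dst));
    return 0;
}
```

Two checks are needed, not one: the length against the destination, and the length against what was actually received, otherwise a packet that claims more than it carries turns into an over-read. Keeping lengths in unsigned types the whole way, and compiling with -Wsign-compare, makes the negative-length class of bug visible at build time.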
rssh: Format string vulnerability
Background rssh is a restricted shell, allowing only a few commands like scp or sftp. It is often used as a complement to OpenSSH to provide limited access to users. Description Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in rssh syslogging of...
mpg123: Buffer overflow vulnerabilities
Background mpg123 is an MPEG Audio Player. Description Buffer overflow vulnerabilities in the getauthfromURL and http_open functions have been reported by Carlos Barros. Additionally, the Gentoo Linux Sound Team fixed additional boundary checks which were found to be lacking. Impact By enticing a...
Netatalk: Insecure tempfile handling in etc2ps.sh
Background Netatalk is a kernel level implementation of the AppleTalk Protocol Suite, which allows Unix hosts to act as file, print, and time servers for Apple computers. It includes several script utilities, including etc2ps.sh. Description The etc2ps.sh script creates temporary files in...
socat: Format string vulnerability
Background socat is a multipurpose bidirectional relay, similar to netcat. Description socat contains a syslog based format string vulnerability in the 'msg' function of 'error.c'. Exploitation of this bug is only possible when socat is run with the '-ly' option, causing it to log messages to...
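Added example (not the code of socat, rssh, Cherokee, Speedtouch, Proxytunnel or ez-ipupdate) for the syslog-style format string mistake those six entries share: an attacker-controlled string is passed where a printf-style format is expected. A buffer-backed stand-in replaces syslog(3) so the effect is observable; the probe input uses only "%%", which needs no arguments, so the vulnerable call here is safe to run. Function names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): formats into a caller-supplied buffer instead of the log socket
 * so the result can be inspected.  Like syslog it treats fmt as a printf format. */
static void logsink(char *out, size_t outsize, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsize, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the attacker-controlled string is passed as the format itself.  "%x"
 * directives would read stack words and "%n" would write to memory; the harmless "%%"
 * probe used in main shows the interpretation without needing any arguments. */
static void log_untrusted_vuln(char *out, size_t outsize, const char *untrusted) {
    logsink(out, outsize, untrusted);
}

/* Fixed: a constant format; the untrusted string is only ever a %s argument. */
static void log_untrusted_fixed(char *out, size_t outsize, const char *untrusted) {
    logsink(out, outsize, "%s", untrusted);
}

/* Audit helper: does a string carry any conversion directive other than the literal %%? */
static int has_format_directives(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;        /* "%%" is a literal percent sign, skip the pair */
        else
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed input: a user name as it might arrive in a login or URL. */
    const char *name = "guest 100%% done";
    char out[128];
    log_untrusted_vuln(out, sizeof out, name);
    printf("vulnerable: %s\n", out);   /* the %% was interpreted */
    log_untrusted_fixed(out, sizeof out, name);
    printf("fixed:      %s\n", out);   /* logged verbatim */
    printf("has_format_directives(\"%%x%%n\") = %d\n", has_format_directives("%x%n"));
    return 0;
}
```

The fix is mechanical: syslog(LOG_INFO, "%s", msg) instead of syslog(LOG_INFO, msg), and the same for printf, fprintf and any wrapper that forwards a va_list. Marking such wrappers with __attribute__((format(printf, N, M))) and building with -Wformat-security turns the remaining instances into compiler warnings.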
MIT krb5: Insecure temporary file use in send-pr.sh
Background MIT krb5 is the free implementation of the Kerberos network authentication protocol written by the Massachusetts Institute of Technology. Description The send-pr.sh script creates temporary files in world-writable directories with predictable names. Impact A local attacker could creat...
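Added example (not the code of MIT krb5, Netatalk, OpenSSL, Groff, mtink, Davfs2, lvm-user or Portage) for the insecure temporary file pattern those entries describe: a predictable name in a world-writable directory is opened with O_CREAT but without O_EXCL, so a symlink planted there beforehand redirects the write into any file the victim can write. The scenario plays both sides inside a scratch directory it creates itself; the file names and result codes are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { TMP_CLOBBERED = 1, TMP_REFUSED = 2, TMP_SETUP_FAILED = -1 };

/* The unsafe pattern: whatever already sits at the predictable name, including a symlink,
 * is silently followed and truncated. */
static int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: refuse to reuse anything that already exists (O_EXCL) and never follow a
 * symlink (O_NOFOLLOW); the file is created private to the owner. */
static int open_tmp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int make_scratch_dir(char *dir, size_t n) {
    snprintf(dir, n, "/tmp/tmpfile-demo.XXXXXX");
    if (mkdtemp(dir))
        return 0;
    snprintf(dir, n, "./tmpfile-demo.XXXXXX");   /* fall back to cwd if /tmp is unusable */
    return mkdtemp(dir) ? 0 : -1;
}

/* Attacker plants a symlink at the name the program is about to use, then the program
 * opens it.  Returns TMP_CLOBBERED if the program's write went through the link into the
 * victim file, TMP_REFUSED if the hardened open rejected the planted link. */
static int run_scenario(int hardened) {
    char dir[64], target[128], predictable[128], contents[64] = {0};
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return TMP_SETUP_FAILED;
    snprintf(target, sizeof target, "%s/victim.conf", dir);
    snprintf(predictable, sizeof predictable, "%s/prog.12345", dir);  /* "PID"-style name */

    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return TMP_SETUP_FAILED;
    (void)write(fd, "original\n", 9);
    close(fd);

    if (symlink(target, predictable) != 0)          /* attacker wins the race */
        return TMP_SETUP_FAILED;

    int result;
    fd = hardened ? open_tmp_secure(predictable) : open_tmp_insecure(predictable);
    if (fd < 0) {
        result = (errno == EEXIST || errno == ELOOP) ? TMP_REFUSED : TMP_SETUP_FAILED;
    } else {
        (void)write(fd, "attacker-chosen\n", 16);
        close(fd);
        result = TMP_CLOBBERED;
    }

    fd = open(target, O_RDONLY);                    /* did the victim file change? */
    if (fd >= 0) { (void)read(fd, contents, sizeof contents - 1); close(fd); }
    if (result == TMP_CLOBBERED && strcmp(contents, "attacker-chosen\n") != 0)
        result = TMP_SETUP_FAILED;
    if (result == TMP_REFUSED && strcmp(contents, "original\n") != 0)
        result = TMP_SETUP_FAILED;

    unlink(predictable); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("insecure open: %s\n", run_scenario(0) == TMP_CLOBBERED
           ? "victim file overwritten through the symlink" : "unexpected result");
    printf("hardened open: %s\n", run_scenario(1) == TMP_REFUSED
           ? "planted symlink refused" : "unexpected result");
    return 0;
}
```

In practice the name should not be predictable either: mkstemp(3) (or mktemp -t in shell scripts like etc2ps.sh and send-pr.sh) creates the file with O_EXCL under a random name, which removes both the race and the guessable path. O_EXCL on its own is only a partial fix when the program still unlinks and reopens the name later.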
MySQL: Multiple vulnerabilities
Background MySQL is a popular open-source, multi-threaded, multi-user SQL database server. Description The following vulnerabilities were found and fixed in MySQL: Oleksandr Byelkin found that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one (CAN-2004-0835)...