xv: Buffer overflows in image handling
Background: xv is a multi-format image manipulation utility. Description: Multiple buffer overflow and integer handling vulnerabilities have been discovered in xv's image processing code. These vulnerabilities have been found in the xvbmp.c, xviris.c, xvpcx.c and xvpm.c source files. Impact: An...
Python 2.2: Buffer overflow in getaddrinfo()
Background: Python is an interpreted, interactive, object-oriented, cross-platform programming language. Description: If IPV6 is disabled in Python 2.2, getaddrinfo is not able to handle IPV6 DNS requests properly and a buffer overflow occurs. Impact: An attacker can execute arbitrary code as the us...
Gallery: Arbitrary command execution
Background: Gallery is a PHP script for maintaining online photo albums. Description: The upload handling code in Gallery places uploaded files in a temporary directory. After 30 seconds, these files are deleted if they are not valid images. However, since the file exists for 30 seconds, a carefull...
eGroupWare: Multiple XSS vulnerabilities
Background: eGroupWare is a suite of web-based group applications including calendar, address book, messenger and email. Description: Joxean Koret recently discovered multiple cross-site scripting vulnerabilities in various modules for the eGroupWare suite. This includes the calendar, address book,...
Squid: Denial of service when using NTLM authentication
Background: Squid is a full-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, transparent caching, access control lists and many other features. Description: Squid 2.5.x versions contai...
vpopmail: Multiple vulnerabilities
Background: vpopmail handles virtual mail domains for qmail and Postfix. Description: vpopmail is vulnerable to several unspecified SQL injection exploits. Furthermore, when using Sybase as the backend database, vpopmail is vulnerable to a buffer overflow and format string exploit. Impact: These...
MySQL: Insecure temporary file creation in mysqlhotcopy
Background: MySQL is a popular open-source multi-threaded, multi-user SQL database server. Description: Jeroen van Wolffelaar discovered that the MySQL database hot copy utility mysqlhotcopy.sh, when using the scp method, uses temporary files with predictable names. A malicious local user with writ...
zlib: Denial of service vulnerability
Background: zlib is a general-purpose data-compression library. Description: zlib contains a bug in the handling of errors in the "inflate" and "inflateBack" functions. Impact: An attacker could exploit this vulnerability to launch a Denial of Service attack on any application using the zlib library...
Gaim: New vulnerabilities
Background: Gaim is a multi-protocol instant messaging client for Linux which supports many instant messaging protocols. Description: Gaim fails to do proper bounds checking when: handling MSN messages (partially fixed with GLSA 200408-12); handling rich text format messages; resolving local hostname...
MoinMoin: Group ACL bypass
Background: MoinMoin is a Python clone of WikiWiki, based on PikiPiki. Description: MoinMoin contains two unspecified bugs, one allowing anonymous users elevated access when not using ACLs, and the other in the ACL handling in the PageEditor. Impact: Restrictions on anonymous users were not properly...
Linux Kernel: Multiple information leaks
Background: The Linux kernel is responsible for managing the core aspects of a GNU/Linux system, providing an interface for core system applications as well as providing the essential structure and capability to access hardware that is needed for a running system. Description: The Linux kernel allo...
kdelibs: Cross-domain cookie injection vulnerability
Background: KDE is a widely-used desktop environment based on the Qt toolkit. kcookiejar in kdelibs is responsible for storing and managing HTTP cookies. Konqueror uses kcookiejar for storing and managing cookies. Description: kcookiejar contains a vulnerability which may allow a malicious website ...
Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities
Background: Mozilla is a popular web browser that includes a mail and newsreader. Galeon and Epiphany are both web browsers that use Gecko, the Mozilla rendering engine. Mozilla Firefox is the next-generation browser from the Mozilla project that incorporates advanced features that are yet to be...
Cacti: SQL injection vulnerability
Background: Cacti is a complete web-based front end to rrdtool. Description: Cacti is vulnerable to a SQL injection attack where an attacker may inject SQL into the Username field. Impact: An attacker could compromise the Cacti service and potentially execute programs with the permissions of the use...
Qt: Image loader overflows
Background: Qt is a cross-platform GUI toolkit used by KDE. Description: There are several unspecified bugs in the QImage class which may cause crashes or allow execution of arbitrary code as the user running the Qt application. These bugs affect the PNG, XPM, BMP, GIF and JPEG image types. Impact: ...
courier-imap: Remote Format String Vulnerability
Background: Courier-IMAP is an IMAP server which is part of the Courier mail system. It provides access only to maildirs. Description: There is a format string vulnerability in the authdebug function which can be exploited remotely, potentially leading to arbitrary code execution as the user runnin...
xine-lib: VCD MRL buffer overflow
Background: xine-lib is a multimedia library which can be utilized to create multimedia frontends. Description: xine-lib contains a bug where it is possible to overflow the vcd:// input source identifier management buffer through carefully crafted playlists. Impact: An attacker may construct a...
rsync: Potential information leakage
Background: rsync is a utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo's Portage tree. rsyncd is the rsync daemon, which listens to connections from rsync clients. Description: The paths sent by t...
glibc: Information leak with LD_DEBUG
Background: The GNU C library defines various Unix-like "system calls" and other basic facilities needed for a standard POSIX-like application to operate. Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed...
acroread: UUDecode filename buffer overflow
Background: acroread is Adobe's Acrobat PDF reader for Linux. Description: acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a filename before copying it into a fixed-size buffer and, secondly, it fails to check for the backtick shell...
Tomcat: Insecure installation
Background: Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages. Description: The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts as tomcat:tomcat, but those scripts are executed with root privileges when the system is started...
gv: Exploitable Buffer Overflow
Background: gv is a PostScript and PDF viewer for X which provides a user interface for the ghostscript interpreter. Description: gv contains a buffer overflow vulnerability where an unsafe sscanf call is used to interpret PDF and PostScript files. Impact: By enticing a user to view a malformed PDF ...
kdebase, kdelibs: Multiple security issues
Background: KDE is a powerful Free Software graphical desktop environment for Linux and Unix-like Operating Systems. Description: KDE contains three security issues: insecure handling of temporary files when running KDE applications outside of the KDE environment; DCOPServer creates temporary files ...
Gaim: MSN protocol parsing function buffer overflow
Background: Gaim is a multi-protocol instant messaging client for Linux which supports many instant messaging protocols. Description: Sebastian Krahmer of the SuSE Security Team has discovered a remotely exploitable buffer overflow vulnerability in the code handling MSN protocol parsing. Impact: By...
Nessus: "adduser" race condition vulnerability
Background: Nessus is a free and powerful network security scanner. Description: A race condition can occur in "nessus-adduser" if the user has not configured their TMPDIR variable. Impact: A malicious user could exploit this bug to escalate privileges to the rights of the user running...
Roundup: Filesystem access vulnerability
Background: Roundup is a simple-to-use issue-tracking system with command-line, web, and e-mail interfaces. Description: Improper handling of a specially crafted URL allows access to the server's filesystem, which could contain sensitive information. Impact: An attacker could view files owned by the...
Cfengine: RSA Authentication Heap Corruption
Background: Cfengine is an agent/software robot and a high-level policy language for building expert systems to administrate and configure large computer networks. Description: Two vulnerabilities have been found in cfservd. One is a buffer overflow in the AuthenticationDialogue function and the...
Horde-IMP: Input validation vulnerability for Internet Explorer users
Background: Horde-IMP is the Internet Messaging Program. It is written in PHP and provides webmail access to IMAP and POP3 accounts. Description: Horde-IMP fails to properly sanitize email messages that contain malicious HTML or script code, so that it is not safe for users of Internet Explorer when...
SpamAssassin: Denial of Service vulnerability
Background: SpamAssassin is an extensible email filter which is used to identify spam. Description: SpamAssassin contains an unspecified Denial of Service vulnerability. Impact: By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service...
Opera: Multiple new vulnerabilities
Background: Opera is a multi-platform web browser. Description: Multiple vulnerabilities have been found in the Opera web browser. Opera fails to deny write access to the "location" browser object. An attacker can overwrite methods in this object and gain script access to any page that uses one of...
PuTTY: Pre-authentication arbitrary code execution
Background: PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. Description: PuTTY contains a vulnerability allowing a malicious server to execute arbitrary code on the connecting client before host key verification. Impact: When...
libpng: Numerous vulnerabilities
Background: libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several other programs, including web browsers and potentially server processes. Description: libpng contains numerous vulnerabilities including null pointer dereference errors and boundary...
Courier: Cross-site scripting vulnerability in SqWebMail
Background: Courier is an integrated mail and groupware server based on open protocols. It provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single framework. The webmail functionality included in Courier, called SqWebMail, allows you to access mailboxes from a web browser...
MPlayer: GUI filename handling overflow
Background: MPlayer is a media player capable of handling multiple multimedia file formats. Description: The MPlayer GUI code contains several buffer overflow vulnerabilities, and at least one in the TranslateFilename function is exploitable. Impact: By enticing a user to play a file with a carefull...
SoX: Multiple buffer overflows
Background: SoX is a command line utility that can convert various formats of computer audio files into other formats. Description: Ulf Harnhammar discovered two buffer overflows in the sox and play commands when handling WAV files with specially crafted header fields. Impact: By enticing a user to...
Samba: Multiple buffer overflows
Background: Samba is a package which allows *nix systems to act as file servers for Windows computers. It also allows *nix systems to mount shares exported by a Samba/CIFS/Windows server. The Samba Web Administration Tool (SWAT) is a web-based configuration tool that is part of the Samba package. Description...
phpMyAdmin: Multiple vulnerabilities
Background: phpMyAdmin is a popular, web-based MySQL administration tool written in PHP. It allows users to administer a MySQL database from a web browser. Description: Two serious vulnerabilities exist in phpMyAdmin. The first allows any user to alter the server configuration variables including...
Pavuk: Digest authentication helper buffer overflow
Background: Pavuk is a web spider and website mirroring tool. Description: Pavuk contains several buffer overflow vulnerabilities in the code handling digest authentication. Impact: An attacker could cause a buffer overflow, leading to arbitrary code execution with the rights of the user running Pavuk...
Subversion: Vulnerability in mod_authz_svn
Background: Subversion is an advanced version control system, similar to CVS, which supports additional functionality such as the ability to move, copy and delete files and directories. A Subversion server may be run as an Apache module, a standalone server (svnserve), or on-demand over ssh a la CVS...
l2tpd: Buffer overflow
Background: l2tpd is a GPL implementation of the Layer 2 Tunneling Protocol. Description: Thomas Walpuski discovered a buffer overflow that may be exploitable by sending a specially crafted packet. In order to exploit the vulnerable code, an attacker would need to fake the establishment of an L2TP...
mod_ssl: Format string vulnerability
Background: mod_ssl provides Secure Sockets Layer encryption and authentication to Apache 1.3. Description: A bug in ssl_engine_ext.c makes mod_ssl vulnerable to an ssl_log-related format string vulnerability in the mod_proxy hook functions. Impact: Given the right server configuration, an attacker could...
Linux Kernel: Multiple DoS and permission vulnerabilities
Background: The Linux kernel is responsible for managing the core aspects of a GNU/Linux system, providing an interface for core system applications as well as providing the essential structure and capability to access hardware that is needed for a running system. Description: The Linux kernel allo...
Opera: Multiple spoofing vulnerabilities
Background: Opera is a multi-platform web browser. Description: Opera fails to remove illegal characters from a URI of a link and to check that the target frame of a link belongs to the same website as the link. Opera also updates the address bar before loading a page. Additionally, Opera contains...
Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries
Background: Unreal Tournament 2003 and 2004 are popular first-person-shooter games. They are both based on the Unreal engine, and can be used in a game server/client setup. Description: The Unreal-based game servers support a specific type of query called 'secure'. Part of the Gamespy protocol,...
PHP: Multiple security vulnerabilities
Background: PHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version of PHP, or can run stand-alone in a CLI. Description: Several security vulnerabilities were found and fixed in version 4.3...
Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling
Background: The Linux kernel is responsible for managing the core aspects of a GNU/Linux system, providing an interface for core system applications as well as providing the essential structure and capability to access hardware that is needed for a running system. Description: An attacker can utili...
wv: Buffer overflow vulnerability
Background: The wv library allows access to MS Word files. It can parse Word files and allow other applications, such as AbiWord, to import those files into their native formats. Description: A use of strcat without proper bounds checking leads to an exploitable buffer overflow. The vulnerable code...
rsync: Directory traversal in rsync daemon
Background: rsync is a utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo's Portage tree. rsyncd is the rsync daemon, which listens to connections from rsync clients. Description: When rsyncd is used...
MoinMoin: Group ACL bypass
Background: MoinMoin is a Python clone of WikiWiki, based on PikiPiki. Description: MoinMoin contains a bug in the code handling administrative group ACLs. A user created with the same name as an administrative group gains the privileges of the administrative group. Impact: If an administrative grou...
Ethereal: Multiple security problems
Background: Ethereal is a feature-rich network protocol analyzer. Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5, including: in some cases the iSNS dissector could cause Ethereal to abort; if there was no policy name for a handle for SMB SID snooping, it...