libpng: Buffer overflow on row buffers
Background libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several other programs, including web browsers and potentially server processes. Description Due to a wrong calculation of loop offset values, libpng contains a buffer overflow vulnerabilit...
Shorewall : Insecure temp file handling
Background Shorewall is a high level tool for configuring Netfilter, the firewall facility included in the Linux Kernel. Description Shorewall uses temporary files and directories in an insecure manner. A local user could create symbolic links at specific locations, eventually overwriting other...
XFree86, X.org: XDM ignores requestPort setting
Background The X Display Manager (XDM) is a program which provides a graphical login prompt to users on the console or on remote X terminals. It has largely been superseded by programs such as GDM and KDM. Description XDM will open TCP sockets for its chooser, even if the DisplayManager.requestPort...
Apache 2: Remote denial of service attack
Background The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides services in tune with the current HTTP standards. Description A bu...
Pure-FTPd: Potential DoS when maximum connections is reached
Background Pure-FTPd is a fast, production-quality and standards-compliant FTP server. Description Pure-FTPd contains a bug in the accept_client function handling the setup of new connections. Impact When the maximum number of connections is reached an attacker could exploit this vulnerability to...
Linux Kernel: Multiple vulnerabilities
Background The Linux kernel is responsible for managing the core aspects of a GNU/Linux system, providing an interface for core system applications as well as providing the essential structure and capability to access hardware that is needed for a running system. Description Multiple flaws have...
Esearch: Insecure temp file handling
Background Esearch is a replacement for the Portage command "emerge search". It uses an index to speed up searching of the Portage tree. Description The eupdatedb utility uses a temporary file /tmp/esearchdb.py.tmp to indicate that the eupdatedb process is running. When run, eupdatedb checks to s...
Pavuk: Remote buffer overflow
Background Pavuk is a web spider and website mirroring tool. Description When Pavuk connects to a web server and the server sends back the HTTP status code 305 (Use Proxy), Pavuk copies data from the HTTP Location header in an unsafe manner. Impact An attacker could cause a stack-based buffer overflo...
mit-krb5: Multiple buffer overflows in krb5_aname_to_localname
Background mit-krb5 is the free implementation of the Kerberos network authentication protocol by the Massachusetts Institute of Technology. Description The library function krb5_aname_to_localname contains multiple buffer overflows. This is only exploitable if explicit mapping or rules-based mappin...
FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling
Background FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN are Open Source implementations of IPsec for the Linux operating system. They are all based on the discontinued FreeS/WAN project. Description All these IPsec implementations have several bugs in the verify_x509_cert function, which...
giFT-FastTrack: remote denial of service attack
Background giFT-FastTrack is a plugin for the giFT file-sharing application. It allows giFT users to connect to the fasttrack network to share files. Description Alan Fitton found a vulnerability in the giFT-FastTrack plugin in version 0.8.6 and earlier. It can be used to remotely crash the giFT...
gzip: Insecure creation of temporary files
Background gzip (GNU zip) is a popular compression program. The included gzexe utility allows you to compress executables in place and have them automatically uncompress and execute when you run them. Description The script gzexe included with gzip contains a bug in the code that handles tempfile...
IPsec-Tools: authentication bug in racoon
Background IPsec-Tools is a port of KAME's implementation of the IPsec utilities. It contains a collection of network monitoring tools, including racoon, ping, and ping6. Description The KAME IKE daemon racoon is used to authenticate peers during Phase 1 when using either preshared keys, GSS-API,...
Apache 1.3: Buffer overflow in mod_proxy
Background The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides services in tune with the current HTTP standards. Description A bu...
Usermin: Multiple vulnerabilities
Background Usermin is a web-based administration tool for Unix. It supports a wide range of user applications including configuring mail forwarding, setting up SSH or reading mail. Description Usermin contains two security vulnerabilities. One fails to properly sanitize email messages that contai...
Squid: NTLM authentication helper buffer overflow
Background Squid contains a bug in the function ntlm_check_auth. It fails to do proper bounds checking on the values copied to the 'pass' variable. Description Squid is a full-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, a...
aspell: Buffer overflow in word-list-compress
Background aspell is a popular spell-checker. Dictionaries are available for many languages. Description aspell includes a utility for handling wordlists called word-list-compress. This utility fails to do proper bounds checking when processing words longer than 256 bytes. Impact If an attacker...
Webmin: Multiple vulnerabilities
Background Webmin is a web-based administration tool for Unix. It supports a wide range of applications including Apache, DNS, file sharing and others. Description Webmin contains two security vulnerabilities. One allows any user to view the configuration of any module and the other could allow a...
Horde-IMP: Input validation vulnerability
Background Horde-IMP is the Internet Messaging Program. It is written in PHP and provides webmail access to IMAP and POP3 accounts. Description Horde-IMP fails to properly sanitize email messages that contain malicious HTML or script code. Impact By enticing a user to read a specially crafted...
Horde-Chora: Remote code execution
Background Chora is a PHP-based SVN/CVS repository viewer by the HORDE project. Description A vulnerability in the diff viewer of Chora allows an attacker to inject shellcode. An attacker can exploit PHP's file upload functionality to upload a malicious binary to a vulnerable server, chmod it as...
Gallery: Privilege escalation vulnerability
Background Gallery is a web application written in PHP which is used to organize and publish photo albums. It allows multiple users to build and maintain their own albums. It also supports the mirroring of images on other servers. Description There is a vulnerability in the Gallery photo album...
Squirrelmail: Another XSS vulnerability
Background SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support. Description A new cross-site scripting (XSS) vulnerability in Squirrelmail-1.4.3rc1 has been discovered. In functions/mime.php Squirrelmail fails to properly...
CVS: additional DoS and arbitrary code execution vulnerabilities
Background CVS (Concurrent Versions System) is an open-source network-transparent version control system. It contains both a client utility and a server. Description A team audit of the CVS source code performed by Stefan Esser and Sebastian Krahmer resulted in the discovery of several remotely...
Subversion: Remote heap overflow
Background Subversion is a revision control system that aims to be a "compelling replacement for CVS". It enjoys wide use in the open source community. svnserve allows access to Subversion repositories using URIs with the svn://, svn+ssh://, and other tunnelled svn+:// protocols. Description The s...
Apache: Buffer overflow in mod_ssl
Background Apache is the most popular Web server on the Internet. mod_ssl provides Secure Sockets Layer encryption and authentication to Apache 1.3. Apache 2 contains the functionality of mod_ssl. Description A bug in the function ssl_util_uuencode_binary in ssl_util.c may lead to a remote buffer...
Mailman: Member password disclosure vulnerability
Background Mailman is a Python-based mailing list server with an extensive web interface. Description Mailman contains an unspecified vulnerability in the handling of request emails. Impact By sending a carefully crafted email request to the mailman server an attacker could obtain member password...
sitecopy: Multiple vulnerabilities in included libneon
Background sitecopy easily maintains remote websites. It makes it simple to keep a remote site synchronized with the local site with one command. Description Multiple format string vulnerabilities and a heap overflow vulnerability were discovered in the code of the neon library GLSA 200405-01 and...
Ethereal: Multiple security problems
Background Ethereal is a feature-rich network protocol analyzer. Description There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.4, including: A buffer overflow in the MMSE dissector. Under specific conditions a SIP packet could make Ethereal crash. The AIM dissector coul...
tripwire: Format string vulnerability
Background tripwire is an open source file integrity checker. Description The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. Impact With a carefully crafted filename on a local filesystem an attacker could cause execution of arbitrary code with...
tla: Multiple vulnerabilities in included libneon
Background GNU Arch (tla) is a revision control system suited for widely distributed development. Description Multiple format string vulnerabilities and a heap overflow vulnerability were discovered in the code of the neon library (GLSA 200405-01 and 200405-13). Current versions of the tla package...
MPlayer, xine-lib: vulnerabilities in RTSP stream handling
Background MPlayer is a movie player capable of handling multiple multimedia file formats. xine-lib is a multimedia player library used by several graphical user interfaces, including xine-ui. They both use the same code to handle Real-Time Streaming Protocol (RTSP) streams from RealNetworks server...
Heimdal: Kerberos 4 buffer overflow in kadmin
Background Heimdal is a free implementation of Kerberos. Description A buffer overflow was discovered in kadmind, a server for administrative access to the Kerberos database. Impact By sending a specially formatted message to kadmind, a remote attacker may be able to crash kadmind causing a denia...
Midnight Commander: Multiple vulnerabilities
Background Midnight Commander is a visual console file manager. Description Numerous security issues have been discovered in Midnight Commander, including several buffer overflow vulnerabilities, multiple vulnerabilities in the handling of temporary file and directory creation, and multiple forma...
Apache 1.3: Multiple vulnerabilities
Background The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides services in tune with the current HTTP standards. Description On...
Opera telnet URI handler file creation/truncation vulnerability
Background Opera is a multi-platform web browser. Description The telnet URI handler in Opera does not check for leading '-' characters in the host name. Consequently, a maliciously-crafted telnet:// link may be able to pass options to the telnet program itself. One example would be the following...
Multiple XSS Vulnerabilities in SquirrelMail
Background SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support. Description Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found. An XSS attack allows an...
Insecure Temporary File Creation In MySQL
Background MySQL is a popular open-source multi-threaded, multi-user SQL database server. Description The MySQL bug reporting utility mysqlbug creates a temporary file to log bug reports to. A malicious local user with write access to the /tmp directory could create a symbolic link of the name...
Buffer Overflow in Firebird
Background Firebird is an open source relational database that runs on Linux, Windows, and various UNIX systems. Description A buffer overflow exists in three Firebird binaries (gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by setting a large value to the INTERBASE environment variabl...
Multiple vulnerabilities in metamail
Background Metamail is a program that decodes MIME encoded mail. It is therefore often automatically called when an email is received or read. Description Ulf Harnhammar found two format string bugs and two buffer overflow bugs in Metamail. Impact A remote attacker could send a malicious email...
Buffer overflow in Subversion
Background Subversion is a version control system intended to eventually replace CVS. Like CVS, it has an optional client-server architecture where the server can be an Apache server running mod_svn, or an ssh program as in CVS's :ext: method. In addition to supporting the features found in CVS,...
CVS heap overflow vulnerability
Background CVS (Concurrent Versions System) is an open-source network-transparent version control system. It contains both a client utility and a server. Description Stefan Esser discovered a heap overflow in the CVS server, which can be triggered by sending malicious "Entry" lines and manipulating...
cadaver heap-based buffer overflow
Background cadaver is a command-line WebDAV client. Description Stefan Esser discovered a vulnerability in the code of the neon library (see GLSA 200405-13). This library is also included in cadaver. Impact When connected to a malicious WebDAV server, this vulnerability could allow remote execution...
neon heap-based buffer overflow
Background neon provides an HTTP and WebDAV client library. Description Stefan Esser discovered a vulnerability in the code of the neon library: if a malicious date string is passed to the ne_rfc1036_parse function, it can trigger a string overflow into static heap variables. Impact Depending on t...
ProFTPD Access Control List bypass vulnerability
Background ProFTPD is an FTP daemon. Description ProFTPD 1.2.9 introduced a vulnerability that allows CIDR-based ACLs (such as 10.0.0.1/24) to be bypassed. The CIDR ACLs are disregarded, with the net effect being similar to an "AllowAll" directive. Impact This vulnerability may allow unauthorized...
KDE URI Handler Vulnerabilities
Background The K Desktop Environment (KDE) is a powerful Free Software graphical desktop environment. KDE makes use of URI handlers to trigger various programs when specific URLs are received. Description The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning o...
Icecast denial of service vulnerability
Background Icecast is a program that streams audio data to listeners over the Internet. Description There is an out-of-bounds read error in the web interface of Icecast when handling Basic Authorization requests. This vulnerability can theoretically be exploited by sending a specially crafted...
Pound format string vulnerability
Background Pound is a reverse proxy, load balancer and HTTPS front-end. It allows the load to be distributed across several web servers and offers an SSL wrapper for web servers that do not support SSL directly. Description A format string flaw in the processing of syslog messages was discovered and...
libpng denial of service vulnerability
Background libpng is a standard library used to process PNG (Portable Network Graphics) images. Description libpng provides two functions png_chunk_error and png_chunk_warning for default error and warning messages handling. These functions do not perform proper bounds checking on the provided message,...
Exim verify=header_syntax buffer overflow
Background Exim is a highly configurable message transfer agent (MTA) developed at the University of Cambridge. Description When the option "verify = header_syntax" is used in an ACL in the configuration file, Exim is vulnerable to a buffer overflow attack that can be triggered remotely by sending...
Utempter symlink vulnerability
Background Utempter is an application that allows non-privileged apps to write utmp login info, which otherwise needs root access. Description Utempter contains a vulnerability that may allow local users to overwrite arbitrary files via a symlink attack. Impact This vulnerability may allow...