Getsocial, S.A. Security Vulnerabilities

nessus

Mandrake Linux Security Advisory : netpbm (MDKSA-2005:199)

Pnmtopng in netpbm 10.2X, when using the -trans option, uses uninitialized size and index variables when converting Portable Anymap (PNM) images to Portable Network Graphics (PNG), which might allow attackers to execute arbitrary code by modifying the stack. Netpbm 9.2X is not affected by this...

0.1AI Score

0.025EPSS

2006-01-15 12:00 AM
15
nessus

Mandrake Linux Security Advisory : kernel (MDKSA-2005:219)

Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update : An integer overflow in vc_resize (CVE-2004-1333). A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a...

7.5CVSS

0.4AI Score

0.167EPSS

2006-01-15 12:00 AM
34
nessus

Mandrake Linux Security Advisory : koffice (MDKSA-2006:008)

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code.....

0.8AI Score

0.184EPSS

2006-01-15 12:00 AM
124
securityvulns

[Full-disclosure] CYBSEC - Security Advisory: httprint Multiple Vulnerabilities

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf) CYBSEC S.A. www.cybsec.com Advisory Name: httprint Multiple Vulnerabilities Vulnerability Class: Denial of Service, Arbitrary Script...

0.8AI Score

2005-12-22 12:00 AM
15
securityvulns

CYBSEC - Security Advisory: Watchfire AppScan QA Remote Code Execution

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_AppScanQA_RemoteCodeExec.pdf) CYBSEC S.A. www.cybsec.com Advisory Name: Watchfire AppScan QA Remote Code Execution Vulnerability Class: Buffer Overflow Release Date:...

1.4AI Score

2005-12-16 12:00 AM
11
securityvulns

[Full-disclosure] CYBSEC - Security Advisory: Phishing Vector in SAP WAS

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf ) CYBSEC S.A. www.cybsec.com Advisory Name: Phishing Vector in SAP WAS (Web Application Server) Vulnerability Class: Phishing Vector /...

-0.1AI Score

2005-11-09 12:00 AM
21
securityvulns

[Full-disclosure] CYBSEC - Security Advisory: Multiple XSS in SAP WAS

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf ) CYBSEC S.A. www.cybsec.com Advisory Name: Multiple XSS in SAP WAS (Web Application Server) Vulnerability Class: Cross-Site Scripting Release...

-0.2AI Score

2005-11-09 12:00 AM
7
securityvulns

[Full-disclosure] CYBSEC - Security Advisory: HTTP Response Splitting in SAP WAS

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf ) CYBSEC S.A. www.cybsec.com Advisory Name: HTTP Response Splitting in SAP WAS (Web Application Server) Vulnerability Class: HTTP...

-0.2AI Score

2005-11-09 12:00 AM
12
nessus

Mandrake Linux Security Advisory : wget (MDKSA-2005:204)

Hugo Vazquez Carames discovered a race condition when writing output files in wget. After wget determined the output file name, but before the file was actually opened, a local attacker with write permissions to the download directory could create a symbolic link with the name of the output file......

-1.2AI Score

0.0004EPSS

2005-11-02 12:00 AM
16
nessus

Mandrake Linux Security Advisory : nss_ldap (MDKSA-2005:190)

A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had...

6.7AI Score

0.021EPSS

2005-11-02 12:00 AM
11
nessus

Mandrake Linux Security Advisory : ruby (MDKSA-2005:191)

Yutaka Oiwa discovered a bug in Ruby, the interpreter for the object-oriented scripting language, that can cause illegal program code to bypass the safe level and taint flag protections check and be executed. The updated packages have been patched to address this...

-0.2AI Score

0.016EPSS

2005-11-02 12:00 AM
12
nessus

Mandrake Linux Security Advisory : squid (MDKSA-2005:195)

The rfc1738_do_escape function in ftp.c for Squid 2.5.STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain 'odd' responses. The updated packages have been patched to address these...

0.4AI Score

0.204EPSS

2005-11-02 12:00 AM
16
nessus

Mandrake Linux Security Advisory : sudo (MDKSA-2005:201)

Tavis Ormandy discovered that sudo does not perform sufficient environment cleaning; in particular the SHELLOPTS and PS4 variables are still passed to the program running as an alternate user which can result in the execution of arbitrary commands as the alternate user when a bash script is...

0.4AI Score

0.0004EPSS

2005-11-02 12:00 AM
11
nessus

Mandrake Linux Security Advisory : perl-Compress-Zlib (MDKSA-2005:196)

The perl Compress::Zlib module contains an internal copy of the zlib library that was vulnerable to CVE-2005-1849 and CVE-2005-2096. This library was updated with version 1.35 of Compress::Zlib. An updated perl-Compress-Zlib package is now available to provide the fixed...

AI Score

0.114EPSS

2005-11-02 12:00 AM
5
nessus

Mandrake Linux Security Advisory : unzip (MDKSA-2005:197)

Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges. (CVE-2005-0602) Imran Ghory found a race condition in the handling of output files. While a file was unpacked by unzip, a local attacker with write...

-0.8AI Score

0.001EPSS

2005-11-02 12:00 AM
9
nessus

Mandrake Linux Security Advisory : php-imap (MDKSA-2005:194)

'infamous41md' discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code. php-imap is compiled against the static c-client libs from imap. These packages have been recompiled against the updated imap development...

0.7AI Score

0.381EPSS

2005-11-02 12:00 AM
13
nessus

Mandrake Linux Security Advisory : apache-mod_auth_shadow (MDKSA-2005:200)

The mod_auth_shadow module 1.0 through 1.5 and 2.0 for Apache with AuthShadow enabled uses shadow authentication for all locations that use the require group directive, even when other authentication mechanisms are specified, which might allow remote authenticated users to bypass security...

0.1AI Score

0.013EPSS

2005-11-02 12:00 AM
10
nessus

Mandrake Linux Security Advisory : imap (MDKSA-2005:189)

'infamous41md' discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code. The updated packages have been patched to address this...

7.6AI Score

0.381EPSS

2005-11-02 12:00 AM
9
nessus

Mandrake Linux Security Advisory : cfengine (MDKSA-2005:184)

Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine <= 1.6.5 and <= 2.1.16 which allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in. (CVE-2005-2960) In addition, Javier discovered the cfmailfilter and....

6.4AI Score

0.0004EPSS

2005-10-19 12:00 AM
11
nessus

Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:180)

When playing an Audio CD, a xine-lib based media application contacts a CDDB server to retrieve metadata like the title and artist's name. During processing of this data, a response from the server, which is located in memory on the stack, is passed to the fprintf() function as a format string. An....

0.1AI Score

0.015EPSS

2005-10-19 12:00 AM
12
nessus

Mandrake Linux Security Advisory : openssl (MDKSA-2005:179)

Yutaka Oiwa discovered a vulnerability that potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around...

7.5CVSS

0.2AI Score

0.013EPSS

2005-10-19 12:00 AM
28
nessus

Mandrake Linux Security Advisory : squid (MDKSA-2005:181)

Squid 2.5.9, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). The updated packages have been patched to address these...

0.1AI Score

0.96EPSS

2005-10-19 12:00 AM
13
nessus

Mandrake Linux Security Advisory : curl (MDKSA-2005:182)

A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name. This happens if NTLM authentication is enabled and the application either a) passes a user and domain name to libcurl that together are longer than 192 bytes or b) allows (lib)curl to follow HTTP redirects...

-0.4AI Score

0.023EPSS

2005-10-19 12:00 AM
8
nessus

Mandrake Linux Security Advisory : lynx (MDKSA-2005:186-1)

Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function...

9.8CVSS

0.2AI Score

0.715EPSS

2005-10-19 12:00 AM
17
nessus

Mandrake Linux Security Advisory : texinfo (MDKSA-2005:175)

Frank Lichtenheld has discovered that texindex insecurely creates temporary files with predictable filenames. This is exploitable if a local attacker were to create symbolic links in the temporary files directory, pointing to a valid file on the filesystem. When texindex is executed, the file...

-1.3AI Score

0.001EPSS

2005-10-11 12:00 AM
11
nessus

Mandrake Linux Security Advisory : hylafax (MDKSA-2005:177)

faxcron, recvstats, and xferfaxstats in HylaFax 4.2.1 and earlier allow local users to overwrite arbitrary files via a symlink attack on temporary files. (CVE-2005-3069) In addition, HylaFax has some provisional support for Unix domain sockets, which is disabled in the default compile...

AI Score

0.0004EPSS

2005-10-11 12:00 AM
7
nessus

Mandrake Linux Security Advisory : kdeedu (MDKSA-2005:159)

Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. This vulnerability was initially discovered by Javier Fernández-Sanguino Peña. The script uses known filenames in /tmp which allow a local attacker...

-0.6AI Score

0.001EPSS

2005-10-05 12:00 AM
7
nessus

Mandrake Linux Security Advisory : php (MDKSA-2005:152)

Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. The php packages, as shipped, were built.....

0.1AI Score

0.023EPSS

2005-10-05 12:00 AM
16
nessus

Mandrake Linux Security Advisory : apache2 (MDKSA-2005:161)

A flaw was discovered in mod_ssl's handling of the 'SSLVerifyClient' directive. This flaw occurs if a virtual host is configured using 'SSLVerifyClient optional' and a directive 'SSLVerifyClient required' is set for a specific location. For servers configured in this fashion, an attacker may be...

AI Score

0.94EPSS

2005-10-05 12:00 AM
14
nessus

Mandrake Linux Security Advisory : apache (MDKSA-2005:130)

Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a 'Transfer-Encoding: chunked' header and a 'Content-Length' header which would cause Apache to incorrectly handle and forward the body of the request in a...

-0.3AI Score

0.963EPSS

2005-10-05 12:00 AM
26
nessus

Mandrake Linux Security Advisory : mozilla (MDKSA-2005:128)

A number of vulnerabilities were reported and fixed in Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update : In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events...

AI Score

0.967EPSS

2005-10-05 12:00 AM
15
nessus

Mandrake Linux Security Advisory : cups (MDKSA-2005:138-1)

A vulnerability was discovered in the CUPS printing package: when processing a PDF file, bounds checking was not correctly performed on some fields. As a result, this could cause the pdftops filter to crash. Update : The patch to correct this problem was not properly applied to the Mandriva...

-0.1AI Score

0.001EPSS

2005-10-05 12:00 AM
11
nessus

Mandrake Linux Security Advisory : clamav (MDKSA-2005:166)

A vulnerability was discovered in ClamAV versions prior to 0.87. A buffer overflow could occur when processing malformed UPX-packed executables. As well, it could be sent into an infinite loop when processing specially crafted FSG-packed executables. ClamAV version 0.87 is provided with this...

6.8AI Score

0.331EPSS

2005-10-05 12:00 AM
7
nessus

Mandrake Linux Security Advisory : MySQL (MDKSA-2005:163)

A stack-based buffer overflow was discovered in the init_syms function in MySQL that allows authenticated users that can create user-defined functions to execute arbitrary code via a long function_name field. The updated packages have been patched to address these...

0.4AI Score

0.968EPSS

2005-10-05 12:00 AM
10
nessus

Mandrake Linux Security Advisory : vim (MDKSA-2005:148)

A vulnerability was discovered in the way that vim processed modelines. If a user with modelines enabled opened a textfile with a specially crafted modeline, arbitrary commands could be...

0.7AI Score

0.007EPSS

2005-10-05 12:00 AM
6
nessus

Mandrake Linux Security Advisory : kdegraphics (MDKSA-2005:143)

Wouter Hanegraaff discovered that the TIFF library did not sufficiently validate the 'YCbCr subsampling' value in TIFF image headers. Decoding a malicious image with a zero value resulted in an arithmetic exception, which can cause a program that uses the TIFF library to crash. Kdegraphics < 3.3...

-0.4AI Score

0.066EPSS

2005-10-05 12:00 AM
11
nessus

Mandrake Linux Security Advisory : python (MDKSA-2005:154)

Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. The python packages use a private copy of....

0.7AI Score

0.023EPSS

2005-10-05 12:00 AM
10
nessus

Mandrake Linux Security Advisory : kdebase (MDKSA-2005:160)

Ilja van Sprundel from suresec.org notified the KDE security team about a serious lock file handling error in kcheckpass that can, in some configurations, be used to gain root access. In order for an exploit to succeed, the directory /var/lock has to be writeable for a user that is allowed to...

-0.1AI Score

0.001EPSS

2005-10-05 12:00 AM
9
nessus

Mandrake Linux Security Advisory : php-pear (MDKSA-2005:146)

A problem was discovered in the PEAR XML-RPC Server package included in the php-pear package. If a PHP script which implements the XML-RPC Server is used, it would be possible for a remote attacker to construct an XML-RPC request which would cause PHP to execute arbitrary commands as the 'apache'.....

0.6AI Score

0.012EPSS

2005-10-05 12:00 AM
11
nessus

Mandrake Linux Security Advisory : mozilla (MDKSA-2005:170)

A number of vulnerabilities have been discovered in Mozilla that have been corrected in version 1.7.12 : A bug in the way Mozilla processes XBM images could be used to execute arbitrary code via a specially crafted XBM image file (CVE-2005-2701). A bug in the way Mozilla handles certain Unicode...

-0.1AI Score

0.964EPSS

2005-10-05 12:00 AM
11
nessus

Mandrake Linux Security Advisory : pcre (MDKSA-2005:151)

Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. The updated packages have been patched to....

0.6AI Score

0.023EPSS

2005-10-05 12:00 AM
14
nessus

Mandrake Linux Security Advisory : util-linux (MDKSA-2005:167)

David Watson discovered that the umount utility, when using the '-r' command, could remove some restrictive mount options such as 'nosuid'. If /etc/fstab contained user-mountable removable devices that specified nosuid, a local attacker could exploit this flaw to execute arbitrary programs with...

0.8AI Score

0.001EPSS

2005-10-05 12:00 AM
10
nessus

Mandrake Linux Security Advisory : bluez-utils (MDKSA-2005:150)

A vulnerability in bluez-utils was discovered by Henryk Plotz. Due to missing input sanitizing, it was possible for an attacker to execute arbitrary commands supplied as a device name from the remote bluetooth device. The updated packages have been patched to correct this...

0.5AI Score

0.015EPSS

2005-10-05 12:00 AM
13
nessus

Mandrake Linux Security Advisory : mplayer (MDKSA-2005:158)

Buffer overflow in ad_pcm.c in MPlayer 1.0pre7 and earlier allows remote attackers to execute arbitrary code via a video file with an audio header containing a large value in a strf chunk. The updated packages have been patched to correct this...

1AI Score

0.057EPSS

2005-10-05 12:00 AM
9
nessus

Mandrake Linux Security Advisory : zlib (MDKSA-2005:124)

A previous zlib update (MDKSA-2005:112; CVE-2005-2096) fixed an overflow flaw in the zlib program. While that update did indeed fix the reported overflow issue, Markus Oberhumber discovered additional ways that a specially crafted compressed stream could trigger an overflow. An attacker could...

-0.1AI Score

0.114EPSS

2005-10-05 12:00 AM
32
nessus

Mandrake Linux Security Advisory : netpbm (MDKSA-2005:133)

Max Vozeler discovered that pstopnm, a part of the netpbm graphics utility suite, would call the GhostScript interpreter on untrusted PostScript files without using the -dSAFER option when converting a PostScript file into a PBM, PGM, or PNM file. This could result in the execution of arbitrary...

0.2AI Score

0.021EPSS

2005-10-05 12:00 AM
7
nessus

Mandrake Linux Security Advisory : apache2 (MDKSA-2005:155)

Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. The apache2 packages, as shipped, were...

AI Score

0.023EPSS

2005-10-05 12:00 AM
17
nessus

Mandrake Linux Security Advisory : XFree86 (MDKSA-2005:164)

A vulnerability was discovered in the pixmap allocation handling of the X server that can lead to local privilege escalation. By allocating a huge pixmap, a local user could trigger an integer overflow that resulted in a memory allocation that was too small for the requested pixmap, leading to a...

0.4AI Score

0.025EPSS

2005-10-05 12:00 AM
24
nessus

Mandrake Linux Security Advisory : apache2 (MDKSA-2005:129)

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback which can only be exploited if the Apache server is configured to use a malicious certificate revocation list (CVE-2005-1268). Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A...

9AI Score

0.963EPSS

2005-10-05 12:00 AM
9
nessus

Mandrake Linux Security Advisory : smb4k (MDKSA-2005:157)

A severe security issue has been discovered in Smb4K. By linking a simple text file FILE to /tmp/smb4k.tmp or /tmp/sudoers, an attacker could get access to the full contents of the /etc/super.tab or /etc/sudoers file, respectively, because Smb4K didn't check for the existence of these files before...

-0.8AI Score

0.0004EPSS

2005-10-05 12:00 AM
10
Total number of security vulnerabilities: 3231