[ GLSA 200710-11 ] X Font Server: Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: X Font Server: Multiple Vulnerabilities
      Date: October 12, 2007
      Bugs: #185660, #194606
        ID: 200710-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Three vulnerabilities have been discovered in the X Font Server, possibly
allowing local attackers to gain elevated privileges.

Background
==========

The X.Org X11 X Font Server provides a standard mechanism for an X server
to communicate with a font renderer.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  x11-apps/xfs              < 1.0.5                          >= 1.0.5

Description
===========

iDefense reported that the xfs init script does not correctly handle a
race condition when setting permissions of a temporary file
(CVE-2007-3103). Sean Larsson discovered an integer overflow vulnerability
in the build_range() function, possibly leading to a heap-based buffer
overflow when handling QueryXBitmaps and QueryXExtents protocol requests
(CVE-2007-4568). Sean Larsson also discovered an error in the
swap_char2b() function, possibly leading to heap corruption when handling
the same protocol requests (CVE-2007-4990).

Impact
======

The first issue would allow a local attacker to change the permissions of
arbitrary files to world-writable by performing a symlink attack. The
second and third issues would allow a local attacker to execute arbitrary
code with the privileges of the user running the X Font Server, usually
xfs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X Font Server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-apps/xfs-1.0.5"

References
==========

  [ 1 ] CVE-2007-3103
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3103
  [ 2 ] CVE-2007-4568
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568
  [ 3 ] CVE-2007-4990
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHD+eHuhJ+ozIKI5gRAlcdAJ4t+dNJKPDJFQEte8XCtLiIcjzu1QCfdoaF
uFfqllq2K1mtyPSCW+jz6DU=
=iwzz
-----END PGP SIGNATURE-----
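The integer overflow reported for build_range() is a size computation that wraps when a request-supplied element count is multiplied by an element size, so the heap buffer ends up far smaller than the loop that later fills it assumes. The following C example is added here to illustrate that defect class next to a checked version; it is not xfs code, and the glyph_range record, the 65535 cap and the function names are constructed for illustration.

```c
/* Added example (not xfs code): computing a buffer size from a
 * request-supplied element count without letting the multiplication
 * wrap, the class of defect described for build_range() above. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical per-range record, similar in role to the ranges a
 * font server builds from a QueryXExtents request. */
typedef struct {
    uint32_t first;
    uint32_t last;
} glyph_range;

/* Vulnerable pattern: a 32-bit count multiplied in 32 bits wraps to a
 * small value. For nranges = 0x20000001 and an 8-byte record the
 * product 0x100000008 wraps to 8, so only one record's worth of heap
 * is allocated while the caller believes it has room for 2^29 + 1.
 * Returns the wrapped byte count. */
uint32_t unchecked_size(uint32_t nranges)
{
    return nranges * (uint32_t)sizeof(glyph_range);  /* may wrap */
}

/* Hardened: refuse counts above a sane protocol maximum (65535 here is
 * a constructed limit), and refuse any count whose product would not
 * fit in size_t. On a 32-bit build the second test alone rejects the
 * 0x20000001 case; on 64-bit the cap does the work. Returns 0 and
 * stores the byte count on success, -1 on rejection. */
int checked_size(uint32_t nranges, size_t max_ranges, size_t *out)
{
    if (nranges == 0 || nranges > max_ranges)
        return -1;
    if ((size_t)nranges > SIZE_MAX / sizeof(glyph_range))
        return -1;  /* multiplication would overflow */
    *out = (size_t)nranges * sizeof(glyph_range);
    return 0;
}

/* Allocate and zero-initialise the range table only after the size has
 * been validated; NULL signals a rejected request, not an OOM. */
glyph_range *alloc_ranges(uint32_t nranges, size_t max_ranges)
{
    size_t bytes;
    if (checked_size(nranges, max_ranges, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    size_t bytes;
    printf("wrapped size for 0x20000001 records: %u bytes\n",
           unchecked_size(0x20000001u));
    printf("checked_size(0x20000001): %d\n",
           checked_size(0x20000001u, 65535, &bytes));
    if (checked_size(16, 65535, &bytes) == 0)
        printf("checked_size(16): %zu bytes\n", bytes);
    return 0;
}
```

The two-part check matters because a plain `nranges * sizeof(...)` comparison against a limit is itself performed in the overflowing type; the division by `sizeof(glyph_range)` keeps the comparison inside representable range.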
[ GLSA 200710-13 ] Ampache: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Ampache: Multiple vulnerabilities
      Date: October 13, 2007
      Bugs: #189607
        ID: 200710-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An SQL injection vulnerability and a possible identity theft have been
discovered in Ampache.

Background
==========

Ampache is a PHP-based tool for managing, updating and playing audio
files via a web interface.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  www-apps/ampache          < 3.3.3.5                      >= 3.3.3.5

Description
===========

LT discovered that the match parameter in albums.php is not properly
sanitized before being processed. The Ampache development team also
reported an error when handling user sessions.

Impact
======

A remote attacker could provide malicious input to the application,
possibly resulting in the execution of arbitrary SQL code. He could also
entice a user to open a specially crafted link to steal the user's
session.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ampache users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/ampache-3.3.3.5"

References
==========

  [ 1 ] CVE-2007-4437
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4437
  [ 2 ] CVE-2007-4438
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4438

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHEK1quhJ+ozIKI5gRAthXAJ0Xoi3AmZsz5BpNQ4wf/zCC8Y/QXwCfYgg/
b4HZfA1JiWTW887h6cTlXIQ=
=XuoP
-----END PGP SIGNATURE-----
[SECURITY] [DSA 1381-2] New Linux 2.6.18 packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1381-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Dann Frazier
October 12th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : several
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-5755 CVE-2007-4133 CVE-2007-4573 CVE-2007-5093

Several local vulnerabilities have been discovered in the Linux kernel
that may lead to a denial of service or the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-5755

    The NT bit may be leaked into the next task, which can allow local
    attackers to cause a Denial of Service (crash) on systems which run
    the 'amd64' flavour kernel. The stable distribution ('etch') was not
    believed to be vulnerable to this issue at the time of release;
    however, Bastian Blank discovered that this issue still applied to
    the 'xen-amd64' and 'xen-vserver-amd64' flavours, and it is resolved
    by this DSA.

CVE-2007-4133

    Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs.
    A misconversion of hugetlb_vmtruncate_list to prio_tree may allow
    local users to trigger a BUG_ON() call in exit_mmap.

CVE-2007-4573

    Wojciech Purczynski discovered a vulnerability that can be exploited
    by a local user to obtain superuser privileges on x86_64 systems.
    This resulted from improper clearing of the high bits of registers
    during ia32 system call emulation. This vulnerability is relevant to
    the Debian amd64 port as well as users of the i386 port who run the
    amd64 linux-image flavour. DSA-1378 resolved this problem for the
    'amd64' flavour kernels, but Tim Wickberg and Ralf Hemmenstädt
    reported an outstanding issue with the 'xen-amd64' and
    'xen-vserver-amd64' flavours that is resolved by this DSA.

CVE-2007-5093

    Alex Smith discovered an issue with the pwc driver for certain webcam
    devices. If the device is removed while a userspace application has
    it open, the driver will wait for userspace to close the device,
    resulting in a blocked USB subsystem. This issue is of low security
    impact as it requires the attacker to either have physical access to
    the system or to convince a user with local access to remove the
    device on their behalf.

These problems have been fixed in the stable distribution in version
2.6.18.dfsg.1-13etch4.

This is an update to DSA-1381-1 which included only amd64 binaries for
linux-2.6. Builds for all other architectures are now available, as well
as rebuilds of ancillary packages that make use of the included linux
source.

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

                             Debian 4.0 (etch)
     fai-kernels             1.17+etch.13etch4
     kernel-patch-openvz     028.18.1etch5
     user-mode-linux         2.6.18-1um-2etch.13etch4

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/f/fai-kernels/fai-kernels_1.17+etch.13etch4.dsc
    Size/MD5 checksum:      740 6dd1d21aea0566d84f12a4dcffa7d791
  http://security.debian.org/pool/updates/main/f/fai-kernels/fai-kernels_1.17+etch.13etch4.tar.gz
    Size/MD5 checksum:    54614 886f8a7388d3063b30cbab365c9fd4cb
  http://security.debian.org/pool/updates/main/k/kernel-patch-openvz/kernel-patch-openvz_028.18.1etch5.dsc
    Size/MD5 checksum:      588 409655afa6a2969a5a2fae79c767c9cc
  http://security.debian.org/pool/updates/main/k/kernel-patch-openvz/kernel-patch-openvz_028.18.1etch5.tar.gz
    Size/MD5 checksum:  1578706 5a8084827360750b14648d5b997647e4
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-13etch4.dsc
    Size/MD5 checksum:     5672 37f70bdc04b866a5dbcaa8f849be618a
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-13etch4.diff.gz
    Size/MD5 checksum:  5321790
[ GLSA 200710-14 ] DenyHosts: Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: DenyHosts: Denial of Service
      Date: October 13, 2007
      Bugs: #181213
        ID: 200710-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

DenyHosts does not correctly parse log entries, potentially causing a
remote Denial of Service.

Background
==========

DenyHosts is designed to monitor SSH servers for repeated failed login
attempts.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-admin/denyhosts       < 2.6-r1                        >= 2.6-r1

Description
===========

Daniel B. Cid discovered that DenyHosts used an incomplete regular
expression to parse failed login attempts, a different issue than
GLSA 200701-01.

Impact
======

A remote unauthenticated attacker can add arbitrary hosts into the
blacklist, including the "all" keyword, by submitting specially crafted
version identification strings to the SSH server banner. An attacker may
use this to prevent legitimate users from accessing a host remotely.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All DenyHosts users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/denyhosts-2.6-r1"

References
==========

  [ 1 ] CVE-2007-4323
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4323

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHEK9GuhJ+ozIKI5gRAqKVAJ48DBUzTGjc0CnKWS7Q6SM6/bw9ugCdHEqy
6WhuOTF4o7XnMr5UheGH+Jw=
=vsBY
-----END PGP SIGNATURE-----
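The DenyHosts defect above is a log-parsing one: an incomplete regular expression let text that a remote client controls (the SSH version identification sshd echoes into its log) be taken as the host that failed to log in, so the attacker chose what went into the deny list. The C example below is added for this page and is not DenyHosts code (DenyHosts itself is written in Python). It shows how a blacklist builder should extract the host from constructed sshd log lines: anchor on the message type, take the address field sshd itself appends, and accept only a syntactically valid IP literal, so neither free text nor the "all" keyword can reach the deny list. The log lines, the IP-literal-only policy and the function names are constructed for illustration.

```c
/* Added example (not DenyHosts code): strict extraction of the failing
 * peer address from sshd "Failed password" log lines. */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64

/* Constructed sample log lines. Line 1 carries attacker-chosen text
 * (a crafted version identification string) that a loose regex could
 * mistake for a failed-login record; line 2 has the "all" keyword where
 * an address belongs. */
const char *const SAMPLE_LOG[] = {
    "Oct 13 10:00:00 gw sshd[1234]: Failed password for invalid user bob from 192.0.2.10 port 4444 ssh2",
    "Oct 13 10:00:01 gw sshd[1235]: Bad protocol version identification 'Failed password for root from all' from 192.0.2.11",
    "Oct 13 10:00:02 gw sshd[1236]: Failed password for root from all port 22 ssh2",
    "Oct 13 10:00:03 gw sshd[1237]: Failed password for root from 2001:db8::1 port 22 ssh2",
};
const size_t SAMPLE_LOG_COUNT = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Is s a syntactically valid IPv4 or IPv6 address? inet_pton() rejects
 * hostnames, keywords and anything with trailing junk. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Returns 1 and copies the offending address into host when line is a
 * sshd "Failed password" record with a valid IP literal; 0 otherwise
 * (host is then the empty string). Only the message text after the
 * "sshd[pid]: " prefix is inspected, and the message must begin with
 * the expected phrase, so text embedded elsewhere is never matched. */
int extract_failed_host(const char *line, char *host, size_t hostlen)
{
    static const char prefix[] = "Failed password for ";
    const char *msg, *from = NULL, *p;
    size_t n;

    if (hostlen == 0) return 0;
    host[0] = '\0';

    msg = strstr(line, "sshd[");
    if (!msg) return 0;
    msg = strstr(msg, "]: ");
    if (!msg) return 0;
    msg += 3;
    if (strncmp(msg, prefix, sizeof prefix - 1) != 0) return 0;

    /* sshd appends the real peer address last; a user-supplied name may
     * itself contain " from ", so take the final occurrence. */
    p = msg;
    while ((p = strstr(p, " from ")) != NULL) { from = p + 6; p = from; }
    if (!from) return 0;

    n = strcspn(from, " \t\r\n");
    if (n == 0 || n >= hostlen) return 0;
    memcpy(host, from, n);
    host[n] = '\0';

    /* Policy: only IP literals may enter the deny list; "all" and other
     * keywords are rejected even if a loose parser would accept them. */
    if (strcmp(host, "all") == 0 || !is_ip_literal(host)) {
        host[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char host[HOST_MAX];
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++) {
        int ok = extract_failed_host(SAMPLE_LOG[i], host, sizeof host);
        printf("line %zu: %s%s\n", i, ok ? "deny " : "ignored", ok ? host : "");
    }
    return 0;
}
```

Restricting the field to an IP literal is the conservative choice for a deny list: if sshd is configured to log resolved names, a legitimate entry is dropped rather than an attacker-supplied string accepted.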
[ GLSA 200710-10 ] SKK Tools: Insecure temporary file creation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SKK Tools: Insecure temporary file creation
      Date: October 12, 2007
      Bugs: #193121
        ID: 200710-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SKK insecurely creates temporary files.

Background
==========

SKK is a Japanese input method for Emacs.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-i18n/skktools         < 1.2-r1                        >= 1.2-r1

Description
===========

skkdic-expr.c insecurely writes temporary files to a location in the form
$TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID.

Impact
======

A local attacker could create symbolic links in the directory where the
temporary files are written, pointing to a valid file somewhere on the
filesystem that is writable by the user running the SKK software. When
SKK writes the temporary file, the target valid file would then be
overwritten with the contents of the SKK temporary file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SKK Tools users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-i18n/skktools-1.2-r1"

References
==========

  [ 1 ] CVE-2007-3916
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3916

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
playing for fun with <=IE7
playing for fun with <=IE7

Impact: who knows ...
Fix Available: no

---
1) Bug
2) Proof of concept
3) Conclusion

== 1) Bug ==

It's possible to bypass the extension filter of <=IE7. This can result in
downloading an arbitrary exe file.

== 2) Proof of concept ==

Let's take this example:

http://dams083.free.fr/tmp/putty.exe

This is simply putty. You click on this and then you will be prompted for
downloading the file. But what about if we do:

http://dams083.free.fr/tmp/putty.exe?1.txt

... the .exe is shown. Now let's go a bit ahead:

http://dams083.free.fr/tmp/putty.exe?1.cda

Wow, my .exe is downloaded directly and located in temporary files (and
opened by Windows Media Player). Works with these extensions: .log .dif
.sol .htt .itpc .itms .dvr-ms .dib .asf .tif etc ...

== 3) Conclusion ==

This is very funny, because actually it only works for .exe extensions.
.COM, .PIF, etc. you CAN'T do this (overwrite the extension, and then
bypass the filter). I guess we can wonder what the heck.

regards
Laurent Gaffié
[ GLSA 200710-12 ] T1Lib: Buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: T1Lib: Buffer overflow
      Date: October 12, 2007
      Bugs: #193437
        ID: 200710-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

T1Lib is vulnerable to a buffer overflow allowing for the user-assisted
execution of arbitrary code.

Background
==========

T1Lib is a library for rasterizing bitmaps from Adobe Type 1 fonts.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  media-libs/t1lib          < 5.0.2-r1                      >= 5.0.2-r1

Description
===========

Hamid Ebadi discovered a boundary error in the intT1_EnvGetCompletePath()
function which can lead to a buffer overflow when processing an overly
long filename.

Impact
======

A remote attacker could entice a user to open a font file with a
specially crafted filename, possibly leading to the execution of
arbitrary code with the privileges of the user running the application
using T1Lib.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All T1Lib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/t1lib-5.0.2-r1"

References
==========

  [ 1 ] CVE-2007-4033
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4033

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHD/B7uhJ+ozIKI5gRAv+oAJ9TvvlcU2rryYp+NELK3fLMCFYchQCfSU6B
QoxP23u56d+Sy/ldO3vsQFY=
=1q2P
-----END PGP SIGNATURE-----
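The T1Lib boundary error above is the familiar shape of a path-completion routine: a directory from the font search path and a caller-supplied filename are joined into a fixed-size buffer without checking that the result fits. The C example below is added for this page and is not T1Lib code; it shows an unbounded join next to a bounded one that treats a non-fitting result as an error, and a search-path walk built on the bounded version. The directory list, the 256-byte buffer and the function names are constructed for illustration.

```c
/* Added example (not T1Lib code): joining "<dir>/<name>" into a fixed
 * buffer with an explicit length check, versus the unbounded join. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF 256

/* Vulnerable pattern (constructed): strcpy/strcat into a fixed buffer
 * with no check of either operand's length, so a long name overruns
 * the buffer. Shown for contrast only; never feed it untrusted input. */
void unsafe_complete_path(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);    /* no check that dir fits in out */
    strcat(out, "/");
    strcat(out, name);   /* overflows out when name is too long */
}

/* Hardened: snprintf() returns the length the full string would need,
 * so any result >= outlen means truncation. Return -1 and an empty
 * buffer in that case rather than handing back a half path. */
int complete_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (name == NULL || name[0] == '\0')
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walk a search path, returning the index of the first directory whose
 * candidate both fits in out and is readable, or -1 (with out empty).
 * A name that does not fit in any directory is rejected, not truncated. */
int find_font_path(char *out, size_t outlen, const char *const *dirs,
                   size_t ndirs, const char *name)
{
    for (size_t i = 0; i < ndirs; i++) {
        if (complete_path(out, outlen, dirs[i], name) == 0 &&
            access(out, R_OK) == 0)
            return (int)i;
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed search path and names; only the fit check is exercised. */
    const char *dirs[] = { "/usr/share/fonts/type1", "/usr/local/share/fonts" };
    char out[PATH_BUF];
    char longname[300];

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name fits: %d\n", complete_path(out, sizeof out, dirs[0], "a.pfb"));
    printf("long name fits:  %d\n", complete_path(out, sizeof out, dirs[0], longname));
    printf("search result:   %d\n", find_font_path(out, sizeof out, dirs, 2, longname));
    return 0;
}
```

Clearing the buffer on failure matters as much as the return code: a caller that ignores -1 still gets an empty string rather than a partially written path.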