[ MDVSA-2008:243 ] enscript

2008-12-16 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:243
 http://www.mandriva.com/security/
 ___

 Package : enscript
 Date: December 15, 2008
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0
 ___

 Problem Description:

 Two buffer overflow vulnerabilities were discovered in GNU enscript,
 which could allow an attacker to execute arbitrary code via a
 specially crafted ASCII file, if the file were opened with the -e or
 --escapes (special escapes processing) option enabled (CVE-2008-3863,
 CVE-2008-4306).
 
 The updated packages have been patched to prevent these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 3e6a1e5e1fbb01056290779845a373b9  2008.0/i586/enscript-1.6.4-8.1mdv2008.0.i586.rpm
 b21fd35a6615db96a1e43251039cbf41  2008.0/SRPMS/enscript-1.6.4-8.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 79799132f835055cb1248827c7b20b1e  2008.0/x86_64/enscript-1.6.4-8.1mdv2008.0.x86_64.rpm
 b21fd35a6615db96a1e43251039cbf41  2008.0/SRPMS/enscript-1.6.4-8.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 f756b4d3f93f90f8464f097eafd8c8fe  2008.1/i586/enscript-1.6.4-8.1mdv2008.1.i586.rpm
 1a9997a113cf48cf6bc5cfd13e5229a1  2008.1/SRPMS/enscript-1.6.4-8.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 ec5e16911668d5d426938e804c8ee213  2008.1/x86_64/enscript-1.6.4-8.1mdv2008.1.x86_64.rpm
 1a9997a113cf48cf6bc5cfd13e5229a1  2008.1/SRPMS/enscript-1.6.4-8.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 32c32ad7ce630cbf2822aecdc1bd43ec  2009.0/i586/enscript-1.6.4-8.1mdv2009.0.i586.rpm
 def3dc106c558ccf211db5937b7c0e99  2009.0/SRPMS/enscript-1.6.4-8.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 9ec59f8cf2ee2754d3e5ce3ff8852d05  2009.0/x86_64/enscript-1.6.4-8.1mdv2009.0.x86_64.rpm
 def3dc106c558ccf211db5937b7c0e99  2009.0/SRPMS/enscript-1.6.4-8.1mdv2009.0.src.rpm

 Corporate 3.0:
 c8d92ad1383eae7e3eb43af72f0e673a  corporate/3.0/i586/enscript-1.6.4-1.2.C30mdk.i586.rpm
 194eb371d6966552a1c945e01d649057  corporate/3.0/SRPMS/enscript-1.6.4-1.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 afc5739e65128feced597669f7a68f3d  corporate/3.0/x86_64/enscript-1.6.4-1.2.C30mdk.x86_64.rpm
 194eb371d6966552a1c945e01d649057  corporate/3.0/SRPMS/enscript-1.6.4-1.2.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJRrqqmqjQ0CJFipgRAhuGAKCWB9vqbe6cUOtii30YE115xVKV1ACfbM8C
TRgbkjX8BKza8puysd47FuE=
=d33X
-----END PGP SIGNATURE-----



Re: Moodle 1.9.3 Remote Code Execution

2008-12-16 Thread hackeriri
When I try this exploit, the result is:
Filter not enabled!

I think this exploit needs two conditions:
1- register_globals = ON
2- text filter must be enabled



[USN-691-1] Ruby vulnerability

2008-12-16 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-691-1  December 16, 2008
ruby1.9 vulnerability
CVE-2008-3443, CVE-2008-3790
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  ruby1.9 1.9.0.2-7ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Laurent Gaffie discovered that Ruby did not properly check for memory
allocation failures. If a user or automated system were tricked into
running a malicious script, an attacker could cause a denial of
service. (CVE-2008-3443)

This update also fixes a regression in the upstream patch previously
applied to fix CVE-2008-3790. The regression would cause parsing of
some XML documents to fail.


Updated packages for Ubuntu 8.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9_1.9.0.2-7ubuntu1.1.diff.gz
  Size/MD5:49454 02828291d0b8db94d06dbc6be804b58b

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9_1.9.0.2-7ubuntu1.1.dsc
  Size/MD5: 1771 5d3434eeadde20df96b78b4a959112f2

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9_1.9.0.2.orig.tar.gz
  Size/MD5:  6407910 2a848b81ed1d6393b88eec8aa6173b75

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/irb1.9_1.9.0.2-7ubuntu1.1_all.deb
  Size/MD5:57440 7c3c984736fd87485a9dfa0e8065afcc

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/rdoc1.9_1.9.0.2-7ubuntu1.1_all.deb
  Size/MD5:   112262 a2afb0c815463a14b51eff6199d10661

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/ri1.9_1.9.0.2-7ubuntu1.1_all.deb
  Size/MD5:   971786 57646618dddada4562990b3eb1c787b6

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/ruby1.9-elisp_1.9.0.2-7ubuntu1.1_all.deb
  Size/MD5:31094 4e2ac93f161570ff11b5d39d5912bfce

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/ruby1.9-examples_1.9.0.2-7ubuntu1.1_all.deb
  Size/MD5:64354 8a9aca7db601358141fd19d85ea45751

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/libruby1.9-dbg_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:  2113618 bc410c5116879cd05234451e2fbc1447

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/libruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:  2275308 5863e492367db5313ac068c5dde703e9

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9-dev_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:   943252 1c8a27569a60edf9e4aabb7b7716967f

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:26536 86aa87a261a57d1d67edb397671b20b4

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libdbm-ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:12544 eeb030e448f92081b3c05fe696011142

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libgdbm-ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:11838 b8c61c3b7435de2752b46bb75331ca3c

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libopenssl-ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:   134340 258bed110d062a4b96b02b558b08a412

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libreadline-ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:11638 6e3898a64f7dcccf444be54599313a17

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libtcltk-ruby1.9_1.9.0.2-7ubuntu1.1_amd64.deb
  Size/MD5:  1745708 58a02a0dfa5d27ff0bb011acb635ed80

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/libruby1.9-dbg_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:  1921126 690079b204fc118f99876ed462371de5

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/libruby1.9_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:  2127706 3dd6e4cd3c8adf46db14d45574ffd0ec

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9-dev_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:   889504 c2fe2150cb1c8a15f855c42a52c424ef

http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.9/ruby1.9_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:26324 97f33c71e37213e31af3e400e3687a9d

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libdbm-ruby1.9_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:11186 4f749b40168d0b0235d49082b981694f

http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.9/libgdbm-ruby1.9_1.9.0.2-7ubuntu1.1_i386.deb
  Size/MD5:10598 44b212294eb892c174bde278bb9e97cb


Re: Re: Moodle 1.9.3 Remote Code Execution

2008-12-16 Thread martin
Similar hacks have been discussed here:



   http://moodle.org/mod/forum/discuss.php?d=111710#p490453



Affected sites seem to be all running PHP with register_globals turned on, which 
is a really bad idea and not recommended by Moodle.


Re: ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc

2008-12-16 Thread philip . robertson
The vulnerability you observed in ooVoo 1.7.1.57 was corrected in the updated 
1.7.1.59 version of ooVoo. Please make the amendment to the advisory. 

Thank you for your assistance. 

Please feel free to contact me with any further updates or requests for 
information. I'm more than happy to help.

Best regards,

Philip Robertson
ooVoo
philip.robert...@oovoo.com


[ GLSA 200812-17 ] Ruby: Multiple vulnerabilities

2008-12-16 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Ruby: Multiple vulnerabilities
  Date: December 16, 2008
  Bugs: #225465, #236060
ID: 200812-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Ruby that allow for
attacks including arbitrary code execution and Denial of Service.

Background
==

Ruby is an interpreted object-oriented programming language. The
elaborate standard library includes an HTTP server (WEBRick) and a
class for XML parsing (REXML).

Affected packages
=

---
 Package/ Vulnerable /  Unaffected
---
  1  dev-lang/ruby   < 1.8.6_p287-r1   >= 1.8.6_p287-r1

Description
===

Multiple vulnerabilities have been discovered in the Ruby interpreter
and its standard libraries. Drew Yao of Apple Product Security
discovered the following flaws:

* Arbitrary code execution or Denial of Service (memory corruption)
  in the rb_str_buf_append() function (CVE-2008-2662).

* Arbitrary code execution or Denial of Service (memory corruption)
  in the rb_ary_store() function (CVE-2008-2663).

* Memory corruption via alloca in the rb_str_format() function
  (CVE-2008-2664).

* Memory corruption (REALLOC_N) in the rb_ary_splice() and
  rb_ary_replace() functions (CVE-2008-2725).

* Memory corruption (beg + rlen) in the rb_ary_splice() and
  rb_ary_replace() functions (CVE-2008-2726).

Furthermore, several other vulnerabilities have been reported:

* Tanaka Akira reported an issue with resolv.rb that enables
  attackers to spoof DNS responses (CVE-2008-1447).

* Akira Tagoh of Red Hat discovered a Denial of Service (crash) issue
  in the rb_ary_fill() function in array.c (CVE-2008-2376).

* Several safe level bypass vulnerabilities were discovered and
  reported by Keita Yamaguchi (CVE-2008-3655).

* Christian Neukirchen is credited for discovering a Denial of
  Service (CPU consumption) attack in the WEBRick HTTP server
  (CVE-2008-3656).

* A fault in the dl module that allowed the circumvention of taintness
  checks, which could possibly lead to insecure code execution, was
  reported by sheepman (CVE-2008-3657).

* Tanaka Akira again found a DNS spoofing vulnerability caused by the
  resolv.rb implementation using poor randomness (CVE-2008-3905).

* Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial
  of Service (CPU consumption) vulnerability in the REXML module when
  dealing with recursive entity expansion (CVE-2008-3790).
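
CVE-2008-3790 is the recursive entity expansion class of bug in Ruby's REXML: a
few lines of DTD make the parser produce text exponentially larger than the
input, and the CPU and memory to do so come out of the application. The
mechanism is parser-agnostic, so the Python script below, an added example that
is not Ruby, REXML or Gentoo code, reproduces it with a constructed three-level
entity document against the standard library's expat binding, measures how much
character data the document expands to, and shows the two usual hardenings:
refuse entity declarations outright (expat's EntityDeclHandler) and cap the
amount of character data the application is willing to accept. Function names,
the sample documents and the default cap are this example's own choices.

```python
from xml.parsers.expat import ParserCreate

# Constructed document in the shape of a recursive entity expansion attack:
# each entity references the previous one ten times, so seven lines of input
# expand to 10 * 10 * 10 = 1000 characters of text. Real attacks nest deeper.
ENTITY_BOMB = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<doc>&c;</doc>"""

# Constructed benign document for comparison.
PLAIN_DOC = '<?xml version="1.0"?><doc>hello</doc>'


class EntityDeclarationRejected(Exception):
    """Raised when a document tries to declare its own entities."""


def expanded_text_length(doc):
    """Parse with expansion allowed and report how much character data the
    application would have to hold; that size is what the attacker controls."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser = ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_hardened(doc, reject_declarations=True, max_text=10_000):
    """Hardened parse: refuse any entity declaration in the DTD (abort as soon as
    the declaration is seen, before anything is expanded) and cap the total
    character data, so the document cannot dictate unbounded work.
    Returns the amount of character data seen."""
    total = 0

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected("entity %r declared in DTD" % name)

    def on_chars(data):
        nonlocal total
        total += len(data)
        if total > max_text:
            raise ValueError("character data exceeds %d bytes" % max_text)

    parser = ParserCreate()
    if reject_declarations:
        parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


if __name__ == "__main__":
    print("plain document expands to", expanded_text_length(PLAIN_DOC), "chars")
    print("entity bomb expands to  ", expanded_text_length(ENTITY_BOMB), "chars")
    for kwargs in ({}, {"reject_declarations": False, "max_text": 500}):
        try:
            parse_hardened(ENTITY_BOMB, **kwargs)
        except (EntityDeclarationRejected, ValueError) as exc:
            print("hardened parse refused:", exc)
```

Rejecting declarations is the stronger control because it fires before any
expansion happens; the character-data cap is the fallback for deployments that
must accept DTDs, and it bounds the damage rather than preventing it.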

Impact
==

These vulnerabilities allow remote attackers to execute arbitrary code,
spoof DNS responses, bypass Ruby's built-in security and taintness
checks, and cause a Denial of Service via crash or CPU exhaustion.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Ruby users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-lang/ruby-1.8.6_p287-r1

References
==

  [ 1 ] CVE-2008-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  [ 2 ] CVE-2008-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
  [ 3 ] CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
  [ 4 ] CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
  [ 5 ] CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
  [ 6 ] CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
  [ 7 ] CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
  [ 8 ] CVE-2008-3655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655
  [ 9 ] CVE-2008-3656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656
  [ 10 ] CVE-2008-3657
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657
  [ 11 ] CVE-2008-3790
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
  [ 12 ] CVE-2008-3905
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-17.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to

Re: [IVIZ-08-016] F-Secure f-prot Antivirus for Linux corrupted ELF header Security Bypass

2008-12-16 Thread frisk
Version 4.6.8 is an old, obsolete version of F-PROT that is no longer supported 
by the developers.

We no longer release regular virus definition updates for this version, and as 
far as we know, we have no paying customers of F-PROT 4.6.8 for Linux.

The security issue is not present in the current version.


ZDI-08-088: Oracle E-Business Suite Business Intelligence SQL Injection Vulnerability

2008-12-16 Thread zdi-disclosures
ZDI-08-088: Oracle E-Business Suite Business Intelligence SQL Injection 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-088
December 16, 2008

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Database Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 4921. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to inject arbitrary SQL on
vulnerable installations of Oracle E-Business Suite Business
Intelligence. Authentication is not required to exploit this
vulnerability.

The specific flaw exists in the APPS.ICXSUPWF.DisplayContacts package.
The procedure fails to validate the contents of a WHERE clause
containing user-supplied input. This allows an attacker to execute
arbitrary SQL statements in the context of the APPS user.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

-- Disclosure Timeline:
2007-01-29 - Vulnerability reported to vendor
2008-12-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Joxean Koret

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmas...@3com.com. 


CVE-2008-1094 - Barracuda Spam Firewall SQL Injection Vulnerability

2008-12-16 Thread marian . ventuneac
CVE Number: CVE-2008-1094
Vulnerability: SQL Injection 
Risk: Medium
Attack vector: From Remote

Vulnerability Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008


Abstract

Barracuda Networks Spam Firewall is vulnerable to various SQL Injection 
attacks. When exploited by an authenticated user, the identified vulnerability 
can lead to Denial of Service, Database Information Disclosure, etc.


Description

The index.cgi resource was identified as being susceptible to SQL Injection 
attacks. 
When filtering user accounts in the Users->Account View section, the pattern_x 
parameter (where x = 0..n) allows inserting arbitrary SQL code once the filter_x 
parameter is set to the value 'search_count_equals'. For example:

/cgi-bin/index.cgi?user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database()
 like concat(char(99),char(37)),5,0)

An attacker can exploit this vulnerability by injecting arbitrary SQL code to 
be executed as part of the SQL query.


Original Advisory:

http://dcsl.ul.ie/advisories/02.htm


Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)

Other products/versions might be affected.


Mitigation

Vendor recommends upgrading to the following firmware version:

Barracuda Spam Firewall (Firmware v3.5.12.001)

Alternatively, please contact Barracuda Networks for technical support.


Credits

Dr. Marian Ventuneac, marian.ventun...@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer 
Engineering, University of Limerick


Disclaimer

Data Communication Security Laboratory releases this information with the 
vendor acceptance. DCSL is not responsible for any malicious application of the 
information presented in this advisory. 
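
The ZDI advisory above (a WHERE clause assembled from user-supplied input inside
a PL/SQL package) and this Barracuda advisory (a filter value concatenated into
the query and probed with a conditional expression) describe the same defect:
the value the user controls is pasted into SQL text rather than bound. The
following Python script is an added example, not code from either vendor or
from the advisories. It runs against an in-memory SQLite table with constructed
sample rows, uses an SQLite-flavoured stand-in for the advisory's MySQL
if(database() like ...) probe (SQLite has no database() function, so the probe
asks about the engine version instead), and contrasts the concatenated query
with one that maps filter_x names through an allowlist and passes pattern_x
only as a bound parameter. The function names, column names and the
ALLOWED_FILTERS map are this example's assumptions, not the appliance's.

```python
import sqlite3

# Constructed sample data standing in for the appliance's user-account table:
# (account name, number of quarantined messages).
SAMPLE_ACCOUNTS = [("alice", 5), ("bob", 2), ("carol", 5)]

# SQLite stand-ins for the advisory's MySQL probe
#   if(database() like concat(char(99),char(37)),5,0)
# which evaluates to 5 when the database name starts with 'c' and to 0 otherwise.
# Whether rows come back tells the attacker whether the condition held.
BLIND_PROBE_TRUE = "(CASE WHEN sqlite_version() LIKE '3%' THEN 5 ELSE 0 END)"
BLIND_PROBE_FALSE = "(CASE WHEN sqlite_version() LIKE 'x%' THEN 5 ELSE 0 END)"

# Assumed mapping from the UI's filter_x names to a column and an operator.
ALLOWED_FILTERS = {
    "search_count_equals": ("msg_count", "="),
    "search_name_contains": ("name", "LIKE"),
}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, msg_count INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def filter_accounts_vulnerable(pattern):
    """search_count_equals built by concatenation: pattern_x lands verbatim in
    the WHERE clause, so any SQL expression the attacker writes is evaluated."""
    conn = _connect()
    sql = "SELECT name FROM accounts WHERE msg_count = " + pattern + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def build_where(filters):
    """Translate (filter_x, pattern_x) pairs into a WHERE clause. Column and
    operator come from the allowlist; pattern_x only ever travels as a bound
    parameter; unknown filter names are rejected instead of interpolated."""
    clauses, params = [], []
    for filter_name, pattern in filters:
        if filter_name not in ALLOWED_FILTERS:
            raise ValueError("unknown filter %r" % filter_name)
        column, op = ALLOWED_FILTERS[filter_name]
        if op == "=":
            # The UI promises a count, so insist on a plain non-negative integer.
            if not pattern.isdigit():
                raise ValueError("%s expects a non-negative integer" % filter_name)
            params.append(int(pattern))
        else:
            # Bound LIKE pattern: '%' and '_' inside it still act as wildcards,
            # which is a search-semantics question, not an injection.
            params.append("%" + pattern + "%")
        clauses.append("%s %s ?" % (column, op))
    return " AND ".join(clauses) or "1=1", params


def filter_accounts_fixed(filters):
    """Same query, but the WHERE clause comes from build_where and the values
    are bound, so a probe such as BLIND_PROBE_TRUE is rejected up front."""
    where, params = build_where(filters)
    conn = _connect()
    sql = "SELECT name FROM accounts WHERE " + where + " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print("concatenated, probe true :", filter_accounts_vulnerable(BLIND_PROBE_TRUE))
    print("concatenated, probe false:", filter_accounts_vulnerable(BLIND_PROBE_FALSE))
    print("bound, count = 5         :", filter_accounts_fixed([("search_count_equals", "5")]))
    try:
        filter_accounts_fixed([("search_count_equals", BLIND_PROBE_TRUE)])
    except ValueError as exc:
        print("bound, probe rejected    :", exc)
```

The concatenated version answers the probe with a full result set or an empty
one, which is all a blind attacker needs; the bound version never lets the
probe reach the database. The same allowlist-plus-bind shape is the fix for the
Oracle case, where EXECUTE IMMEDIATE ... USING plays the role of the "?"
placeholders.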


CVE-2008-0971 - Barracuda Networks products Multiple Cross-Site Scripting Vulnerabilities

2008-12-16 Thread marian . ventuneac


CVE Numbers: CVE-2008-0971
Vulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack vector: From Remote

Vulnerabilities Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008


Abstract

Barracuda Networks Message Archiver product is vulnerable to persistent and 
reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM 
Firewall and Web Filter products are vulnerable to multiple reflected XSS 
attacks. When exploited by an authenticated user, the identified 
vulnerabilities can lead to Information Disclosure, Session Hijack, 
access to Intranet available servers, etc.


Description

The index.cgi resource was identified as being susceptible to multiple 
persistent and reflected Cross Site Scripting (XSS) attacks. 

a. Persistent XSS in Barracuda Message Archiver 

In Search Based Retention Policy, the Policy Name field allows persistent XSS 
when set to something like policy_name onblur=alert('xss')

b. Reflected XSS in Barracuda Message Archiver 

Setting various parameters in IP Configuration, Administration, Journal 
Accounts, Retention Policy, and GroupWise Sync allows reflected XSS attacks.

c. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter

  ·  User provided input is not sanitised when displayed as part of error 
messages - identified in all verified products.
  ·  User provided input is not sanitised when used to perform various searches 
- identified in Barracuda Web Filter.
  ·  Manipulation of HTML INPUT hidden elements - identified in all verified 
products.

  e.g. the auth_type INPUT hidden element allows a reflected XSS attack when set 
to something like 

     Local<script>alert('xss')</script>


Original Advisory:

http://dcsl.ul.ie/advisories/03.htm


Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Message Archiver (Firmware v1.1.0.010, Model 350)
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Barracuda Web Filter (Firmware v3.3.0.038, Model 910)
Barracuda IM Firewall (Firmware v3.0.01.008, Model 420)

Other models/firmware versions might be affected.


Mitigation

Vendor recommends upgrading to the following firmware versions:

Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)

Alternatively, please contact Barracuda Networks for technical support.


Credits

Dr. Marian Ventuneac, marian.ventun...@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer 
Engineering, University of Limerick


Disclaimer

Data Communication Security Laboratory releases this information with the 
vendor acceptance. DCSL is not responsible for any malicious application of the 
information presented in this advisory. 
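
The two payloads in this advisory land in different HTML contexts, which is why
they look different: a value echoed into page text only needs a <script>
element, while a value written back into an attribute needs to close the
attribute and add an on* handler. The Python below is an added example, not
code from Barracuda or from the advisory. The two render functions are
constructed stand-ins for what index.cgi does (this example assumes the
auth_type value is echoed into an error message, as the advisory's first bullet
describes for unsanitised input, and that the Policy Name is written back into
a value attribute); the audit parser then reports what a browser would see from
each rendering, so the difference between the vulnerable and the encoded output
is a checkable result rather than a visual impression.

```python
from html import escape
from html.parser import HTMLParser

# Constructed payloads modelled on the two in the advisory: the auth_type value
# for a text context and the Policy Name value for an attribute context.
REFLECTED_PAYLOAD = "Local<script>alert('xss')</script>"
PERSISTENT_PAYLOAD = "policy_name\" onblur=\"alert('xss')"


def render_error_vulnerable(auth_type):
    """Assumed stand-in for index.cgi echoing a request parameter into an
    error message without encoding it."""
    return '<p class="error">Unknown authentication type: %s</p>' % auth_type


def render_error_fixed(auth_type):
    """Text context: escape() turns < > & into entities, so the browser renders
    the payload as characters instead of parsing a script element."""
    return '<p class="error">Unknown authentication type: %s</p>' % escape(auth_type)


def render_policy_field_vulnerable(policy_name):
    """Assumed stand-in for the Retention Policy form writing the stored name
    back into a value attribute unencoded."""
    return '<input type="text" name="policy_name" value="%s">' % policy_name


def render_policy_field_fixed(policy_name):
    """Attribute context: quote=True additionally escapes " and ', which is what
    stops the stored value from closing the attribute and adding on* handlers."""
    return '<input type="text" name="policy_name" value="%s">' % escape(policy_name, quote=True)


class _Audit(HTMLParser):
    """Records what a browser would see: element names and on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += sum(1 for name, _ in attrs if name.lower().startswith("on"))


def audit(fragment):
    """Return (sorted element names, number of on* attributes) in the fragment.
    Anything beyond the element the template intended is injected markup."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return sorted(set(parser.tags)), parser.handlers


if __name__ == "__main__":
    for label, html in (
        ("error, unescaped", render_error_vulnerable(REFLECTED_PAYLOAD)),
        ("error, escaped", render_error_fixed(REFLECTED_PAYLOAD)),
        ("policy, unescaped", render_policy_field_vulnerable(PERSISTENT_PAYLOAD)),
        ("policy, escaped", render_policy_field_fixed(PERSISTENT_PAYLOAD)),
    ):
        print("%-18s %s" % (label, audit(html)))
```

The point the audit makes is that encoding has to match the context: escaping
only < and > would fix the error-message case and leave the attribute case
exploitable, since the persistent payload contains neither character.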



[ GLSA 200812-18 ] JasPer: User-assisted execution of arbitrary code

2008-12-16 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: JasPer: User-assisted execution of arbitrary code
  Date: December 16, 2008
  Bugs: #222819
ID: 200812-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple memory management errors in JasPer might lead to execution of
arbitrary code via jpeg2k files.

Background
==

The JasPer Project is an open-source initiative to provide a free
software-based reference implementation of the codec specified in the
JPEG-2000 Part-1 (jpeg2k) standard.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  media-libs/jasper  < 1.900.1-r3  >= 1.900.1-r3

Description
===

Marc Espie and Christian Weisgerber have discovered multiple
vulnerabilities in JasPer:

* Multiple integer overflows might allow for insufficient memory
  allocation, leading to heap-based buffer overflows (CVE-2008-3520).

* The jas_stream_printf() function in libjasper/base/jas_stream.c
  uses vsprintf() to write user-provided data to a static buffer,
  leading to an overflow (CVE-2008-3522).

Impact
==

Remote attackers could entice a user or automated system to process
specially crafted jpeg2k files with an application using JasPer,
possibly leading to the execution of arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All JasPer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-libs/jasper-1.900.1-r3

References
==

  [ 1 ] CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
  [ 2 ] CVE-2008-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-18.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

