[SECURITY] [DSA-1975-1] Security Support for Debian 4.0 to be discontinued on February 15th
Debian Security Advisory DSA-1975-1                  secur...@debian.org
http://www.debian.org/security/                      Stefan Fritsch
January 20, 2010                                     http://www.debian.org/security/faq

Security Support for Debian GNU/Linux 4.0 to be discontinued on February 15th

One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and nearly three years after the release of Debian GNU/Linux 4.0 alias 'etch', the security support for the old distribution (4.0 alias 'etch') is coming to an end next month. The Debian project is proud to be able to support its old distribution for such a long time, and even for one year after a new version has been released.

The Debian project released Debian GNU/Linux 5.0 alias 'lenny' on the 14th of February 2009. Users and distributors have been given a one-year timeframe to upgrade their old installations to the current stable release. Hence, the security support for the old release 4.0 is going to end in February 2010, as previously announced. Previously announced security updates for the old release will continue to be available on security.debian.org.

Security Updates

The Debian Security Team provides security updates for the current distribution via http://security.debian.org/. Security updates for the old distribution are also provided for one year after the new distribution has been released or until the current distribution is superseded, whichever happens first.

For apt-get:   deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list:  debian-security-annou...@lists.debian.org
Package info:  `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Insufficient User Input Validation in VP-ASP 6.50 Demo Code
= CodeScan Advisory, codescan.com                     advisor...@codescan.com =
= Insufficient User Input Validation in VP-ASP 6.50 Demo Code                =
= Vendor Website:    http://www.vpasp.com/                                    =
= Affected Version:  VP-ASP Shopping Cart 6.50 Demo Code And Earlier          =
= Researched By:     CodeScan Labs advisor...@codescan.com                    =
= Public disclosure on January 21st, 2010                                     =

== Overview ==

CodeScan Labs (http://www.codescan.com) has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, VP-ASP was selected as one of the test applications. We downloaded a demo of VP-ASP from the VP-ASP website http://www.vpasp.com/virtprog/paypal.htm. This advisory is the result of research into the security of VP-ASP, based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* SQL Injection *

An SQL Injection vulnerability is caused by assigning a variable from client data, for example in file shopsessionsubs.asp in Function Getwebsess:

    userid=cleanchars(request(websess))

and:

    userid = Request.Cookies(cookiename)

In Sub ResponseCookies variable userid is assigned to variable websess by a call to Getwebsess, and variable websess is concatenated with other data to construct an SQL statement:

    cookiesql="Select * from sitesessions where sessionkey='" & websess & "'"

This SQL statement is used in a call to ADODB.Connection.Execute:

    set cookiers=cookiedbc.execute(cookiesql)

The function cleanchars makes a security check on the input, but this check is based on a blacklist of bad characters that could be used in SQL statements; it is better to use a whitelist of allowed characters, as it is easy to overlook possible bad characters.
* Cross Site Scripting and Arbitrary File Access *

Cross Site Scripting and Arbitrary File Access vulnerabilities are caused by assigning a variable from client data in file shopsessionsubs.asp, in Sub CookielessGenerateFilename:

    ipaddress = Request.ServerVariables("REMOTE_HOST")

Variable ipaddress is concatenated with other data in Sub CookielessGenerateFilename to construct a variable filename:

    tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
    tempname=tempname & ".txt"
    tempname=xsavesessionfilefolder & "\" & tempname
    filename=tempname

Variable filename is used in calls to Scripting.FileSystemObject.OpenTextFile and Response.Write in Sub CookielessReadFile:

    Set Myfile = fso.OpenTextFile(filename, 1, false)

and:

    response.write "<b>unable to open file " & filename & "<br>" & err.description & "</b>"

These vulnerabilities do not depend on direct user input, but a hacker could tamper with the REMOTE_HOST server variable or with cookies to supply malicious input.

== Credit ==

Discovered and advised to the vendor by CodeScan Labs.

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development organisation that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of web application source code for security vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET C# and PHP.

CodeScan Labs operates with Responsible Disclosure where appropriate. As a result, any published advisories will contain information around problems identified by CodeScan that have been resolved by the vendor. Additional code problems which may be identified by CodeScan or its staff which are not resolved by the vendor may not be made publicly available.
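The advisory recommends whitelisting over the blacklist in cleanchars, and it shows REMOTE_HOST flowing unchecked into a file path. The following is an added example (not VP-ASP or CodeScan code) of how both data flows look with whitelist validation; it assumes a session key of 8-64 alphanumerics, a session file named <prefix>_<mmddyy>_<REMOTE_HOST>.txt under a fixed folder, and an in-memory SQLite table standing in for sitesessions.

```python
"""Whitelist validation for the two VP-ASP data flows named in the advisory.

Added example; not VP-ASP or CodeScan code. Assumptions: a session key is
8-64 alphanumerics, the cookieless session file is named
<prefix>_<mmddyy>_<REMOTE_HOST>.txt under a fixed folder, and an in-memory
SQLite table stands in for the sitesessions table.
"""
import ipaddress
import os
import re
import sqlite3

# Whitelist of what a session key may contain (assumed format).
SESSION_KEY_RE = re.compile(r"[A-Za-z0-9]{8,64}")
# Whitelist for REMOTE_HOST when it is a hostname rather than an IP literal:
# dot-separated labels of letters, digits and inner hyphens only.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def is_valid_session_key(websess: str) -> bool:
    """Accept only values drawn from the expected alphabet and length."""
    return SESSION_KEY_RE.fullmatch(websess) is not None


def lookup_session(conn: sqlite3.Connection, websess: str):
    """Safe counterpart of the concatenated cookiesql: reject bad keys outright,
    then bind the value as a parameter so it can never become SQL syntax."""
    if not is_valid_session_key(websess):
        return None
    cur = conn.execute(
        "SELECT sessionkey, userid FROM sitesessions WHERE sessionkey = ?",
        (websess,),
    )
    return cur.fetchone()


def is_valid_remote_host(remote_host: str) -> bool:
    """REMOTE_HOST must be an IP literal or a plain hostname; anything else,
    including path separators and '..', fails the whitelist."""
    try:
        ipaddress.ip_address(remote_host)
        return True
    except ValueError:
        pass
    return len(remote_host) <= 253 and HOSTNAME_RE.fullmatch(remote_host) is not None


def cookieless_filename(folder: str, prefix: str, mmddyy: str, remote_host: str) -> str:
    """Build <folder>/<prefix>_<mmddyy>_<host>.txt from whitelisted parts and
    confirm the resolved path is still inside the session folder."""
    if not is_valid_remote_host(remote_host):
        raise ValueError("REMOTE_HOST rejected by whitelist")
    if not re.fullmatch(r"[A-Za-z0-9]+", prefix) or not re.fullmatch(r"\d{6}", mmddyy):
        raise ValueError("prefix or date component rejected by whitelist")
    base = os.path.realpath(folder)
    candidate = os.path.realpath(os.path.join(base, f"{prefix}_{mmddyy}_{remote_host}.txt"))
    # Independent second check: containment does not rely on the regexes above.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the session folder")
    return candidate


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the sitesessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sitesessions (sessionkey TEXT PRIMARY KEY, userid TEXT)")
    conn.execute("INSERT INTO sitesessions VALUES ('AB12CD34EF56', 'alice')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    for key in ("AB12CD34EF56", "AB12CD34EF56'", "AB12 CD34"):
        print(repr(key), "->", lookup_session(db, key))
    for host in ("192.0.2.10", "host.example.net", "../host", "host name"):
        print(repr(host), "->", is_valid_remote_host(host))
    print(cookieless_filename("/tmp/vpasp_sessions", "sess", "012110", "192.0.2.10"))
```

The containment check on the resolved path is deliberately separate from the character whitelist, so a gap in one regex does not by itself let a session file be opened outside the folder.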
RE: All China, All The Time
Your Italian ISP example is far from unique. I've received plenty of "you're a spammer" bounce-back NDR mails from (of all places) mail.ru. In fact, more than a few folks using that ISP must think I'm ignoring them because isatools.org is considered a spam source by this ISP. Actually, I often respond from another address and explain why I'm not responding from the address where they initially contacted me. Sometimes they don't answer, and frankly, I don't blame them...

I have to wonder about the criteria used to make this determination in light of the amount of spam sourced from that network space..? No; I don't determine where a mail came from based on the headers... I have traffic logs, yano.. :-)

From: Marcello Magnifico [rdo-li...@rdo.is-a-geek.net]
Sent: Monday, January 18, 2010 2:54 AM
To: bugtraq@securityfocus.com
Subject: Re: All China, All The Time

On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:
[...]
> The other problem is that many people seem to think I'm saying something against the Chinese *people* themselves

Unfortunately, such a security measure can be read that way, too.

> The solution of blocking China, however, is one which harms both people outside of China, as well as those inside of China. Therefore, it translates into an attack on them.

Agree. This already happened in a different context. About one year ago, a company in Italy couldn't write to another company in the U.S., for shared business, only because the recipient's postmaster (an ISP bragging around a lot about how efficient they were in stopping spam) claimed (in the bounce message) to have cut off the entire sender's country (Italy). Now, are Italian sysadmins also in charge of teaching the many professionally unschooled ones in other companies that they should not set up their SMTP servers as open relays, and why? Actually, I found myself doing that several times.

Given the mutual importance of economic relationships between Italy and the U.S., such a drastic measure (e-mail embargo?) was counterproductive, by preventing a U.S. company from dealing with another country. Btw, in spite of some tries, no one in Italy was ever able to contact the U.S. ISP in order to solve the situation; so the Italian company, already dealing mainly with electronic documents, had to slow down communication by choosing means other than e-mail (fax or airmail), or else change their partner in order to keep up with a strict rhythm (dunno how exactly it ended).

As a general rule of thumb, drastic filtering criteria have blocking consequences, especially on business. So, blocking a country may seem a suitable measure for a home/club network where/if you know no local user has (and will have) contacts with that country; not for business, as it is already global and is going to be more and more alike.

best regards
Marcello
eWebeditor Directory Traversal Vulnerability
#
# Securitylab.ir
#
# Application Info:
# Name: eWebeditor
# Version: all versions
#
# Vulnerability Info:
# Type: Directory Traversal
# Risk: Medium
#
# Vulnerability:
# http://site.com/admin/ewebeditor/admin/upload.asp?id=16d_viewmode=dir =./..
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir whh_i...@yahoo.com
###
[ MDVSA-2010:022 ] openssl
Mandriva Linux Security Advisory                         MDVSA-2010:022
http://www.mandriva.com/security/

Package : openssl
Date    : January 21, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0

Problem Description:

Some vulnerabilities were discovered and corrected in openssl:

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_free_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678 (CVE-2009-4355).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355

Updated Packages:
ZDI-10-009: RealNetworks RealPlayer IVR Format Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-009
January 21, 2010

-- CVE ID:
CVE-2009-0376

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6964. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within RealPlayer's parsing of IVR files. The process trusts size values present in the file and uses them unsafely in various file I/O and memory allocation operations. A specially crafted file can cause memory overflows to occur, leading to arbitrary code execution under the context of the user running the player.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

    http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2008-04-16 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * John Rambo

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
ZDI-10-006: RealNetworks RealPlayer GIF Handling Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-006
January 21, 2010

-- CVE ID:
CVE-2009-4242

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 0. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a user must open a malicious file or visit a malicious web site.

The specific flaw exists during the parsing of GIF files with forged chunk sizes. The player uses values from the file improperly when allocating a buffer on the heap. An attacker can abuse this to create and then overflow heap buffers, leading to arbitrary code execution in the context of the currently logged in user.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

    http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2007-12-11 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous
[ MDVSA-2010:023 ] phpldapadmin
Mandriva Linux Security Advisory                         MDVSA-2010:023
http://www.mandriva.com/security/

Package : phpldapadmin
Date    : January 21, 2010
Affected: Enterprise Server 5.0

Problem Description:

A vulnerability has been found and corrected in phpldapadmin:

Directory traversal vulnerability in cmd.php in phpLDAPadmin 1.1.0.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cmd parameter (CVE-2009-4427).

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4427

Updated Packages:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

    http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
ZDI-10-004: Cisco CiscoWorks IPM GIOP getProcessName Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-004
January 21, 2010

-- CVE ID:
CVE-2010-0138

-- Affected Vendors:
Cisco

-- Affected Products:
Cisco Internetwork Performance Monitor

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6790. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco CiscoWorks Internetwork Performance Monitor. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the handling of CORBA GIOP requests. By making a specially crafted getProcessName GIOP request an attacker can corrupt memory. Successful exploitation can result in a full compromise with SYSTEM credentials.

-- Vendor Response:
Cisco has issued an update to correct this vulnerability. More details can be found at:

    http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1351d.shtml

-- Disclosure Timeline:
2008-10-15 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous
[SECURITY] [DSA-1972-2] New audiofile packages fix buffer overflow
Debian Security Advisory DSA-1972-2                  secur...@debian.org
http://www.debian.org/security/                      Stefan Fritsch
January 21, 2010                                     http://www.debian.org/security/faq

Package        : audiofile
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5824
Debian bug     : 510205

This advisory adds the packages for the old stable distribution (etch), with the exception of the mips packages. The updates for the mips architecture will be released when they become available. The packages for the stable distribution (lenny) have been released in DSA-1972-1. For reference, the advisory text is provided below.

Max Kellermann discovered a heap-based buffer overflow in the handling of ADPCM WAV files in libaudiofile. This flaw could result in a denial of service (application crash) or possibly execution of arbitrary code via a crafted WAV file.

For the old stable distribution (etch), this problem has been fixed in version 0.2.6-6+etch1.

For the stable distribution (lenny), this problem has been fixed in version 0.2.6-7+lenny1.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.2.6-7.1.

We recommend that you upgrade your audiofile packages.

Upgrade instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch (oldstable)

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.
ZDI-10-008: RealNetworks RealPlayer SIPR Codec Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-008
January 21, 2010

-- CVE ID:
CVE-2009-4244

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6514. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a user must open a malicious file or visit a malicious web site.

The specific flaw exists during the parsing of SIPR codec fields. Specifying a small length value can trigger an undersized heap allocation. This buffer can then subsequently be overflowed. This vulnerability can result in arbitrary code execution under the context of the currently logged in user.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

    http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2008-05-12 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous
ZDI-10-005: RealNetworks RealPlayer ASMRulebook Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-005
January 21, 2010

-- CVE ID:
CVE-2009-4241

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5783. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable installations of RealPlayer. User interaction is required in that a user must open a malicious file or visit a malicious web site.

The specific flaw exists during the parsing of files with improperly defined ASMRuleBook structures. A controllable memory allocation allows an attacker to corrupt heap memory. Attacker controlled data from the corrupt heap is later used as an object pointer, which can be leveraged to execute arbitrary code in the context of the currently logged in user.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

    http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2007-11-07 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous
ZDI-10-007: RealNetworks RealPlayer SMIL getAtom Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-007
January 21, 2010

-- CVE ID:
CVE-2009-4257

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5907. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the smlrender.dll library responsible for parsing SMIL files. A lack of proper string length checks can result in the overflow of a static heap buffer. Exploitation of this overflow can lead to arbitrary code execution under the context of the user running the process.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
ZDI-10-010: RealNetworks RealPlayer Skin Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-010
January 21, 2010

-- CVE ID:
CVE-2009-4246

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8493. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a user must visit a malicious website or open a malicious file and accept a dialog to switch player skins.

The specific flaw exists during parsing of malformed RealPlayer .RJS skin files. While loading a skin, the application copies certain variable-length fields from the extracted file named web.xmb into a statically sized buffer. By crafting these fields appropriately, an attacker can cause the process to overflow the buffer. This can be leveraged to execute arbitrary code with the privileges of the application.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

http://service.real.com/realplayer/security/01192010_player/en/

-- Disclosure Timeline:
2009-01-15 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Peter Vreugdenhil (secur...@petervreugdenhil.nl)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
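Two of the RealPlayer advisories above (ZDI-10-007, the SMIL string without a length check; ZDI-10-010, the variable-length web.xmb fields copied into a statically sized buffer) describe one flaw class: a length read from the file is trusted, and the size of the destination buffer is never consulted. The C program below is an added illustration of that class and of the fix, written for this page; it is not ZDI's, RealNetworks' or the researchers' code. The record format, the 16-byte name buffer, the 32-byte arena and the adjacent "handler id" are constructed for the demo and are not RealPlayer's SMIL or .RJS layout. The vulnerable parser checks the length only against the file; the hardened one checks it against the destination and rejects oversize fields. The arena stands in for the heap so the spill into the neighbouring object is observable without the demo itself going out of bounds.

```c
/* Added demo of an unchecked length copy into a fixed-size buffer, not ZDI's or
 * RealNetworks' code; the record format, 16-byte name buffer, 32-byte arena and
 * the adjacent "handler id" are constructed, not RealPlayer's SMIL/.RJS layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX    16          /* the fixed-size ("static") destination buffer */
#define HEAP_SIZE   32          /* tiny arena standing in for the process heap  */
#define NAME_OFF    0           /* name buffer occupies arena[0 .. NAME_MAX-1]   */
#define HANDLER_OFF NAME_MAX    /* the object the allocator placed right after   */
#define REC_HDR     2           /* record = [u8 type][u8 len][len payload bytes] */

typedef int (*name_parser)(const unsigned char *rec, size_t rec_len, unsigned char *heap);

static uint32_t load32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Vulnerable: the length is validated against the file, never against the
 * destination, so a byte the attacker wrote drives up to 255 bytes into a
 * 16-byte buffer and on into whatever sits next to it. */
int parse_name_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *heap)
{
    if (rec_len < REC_HDR) return -1;
    size_t len = rec[1];
    if (rec_len - REC_HDR < len) return -1;       /* truncated record */
    memcpy(heap + NAME_OFF, rec + REC_HDR, len);  /* BUG: len is never compared to NAME_MAX */
    heap[NAME_OFF + len] = '\0';                  /* BUG: terminator lands past the end too */
    return 0;
}

/* Hardened: the destination capacity is the bound, and an oversize field is an
 * error rather than a silent truncation (truncation would hide the tampering). */
int parse_name_checked(const unsigned char *rec, size_t rec_len, unsigned char *heap)
{
    if (rec_len < REC_HDR) return -1;
    size_t len = rec[1];
    if (rec_len - REC_HDR < len) return -1;
    if (len > NAME_MAX - 1) return -2;            /* leave room for the terminator */
    memcpy(heap + NAME_OFF, rec + REC_HDR, len);
    heap[NAME_OFF + len] = '\0';
    return 0;
}

/* Constructs a record whose declared length is name_len, payload all 'A'. */
static size_t build_record(unsigned char *out, uint8_t name_len)
{
    out[0] = 0x01;                                /* arbitrary record type */
    out[1] = name_len;
    memset(out + REC_HDR, 'A', name_len);
    return REC_HDR + name_len;
}

/* Runs one parser over a fresh arena and returns the neighbouring handler id
 * afterwards: 0x11223344 if intact, 0x41414141 if the copy ran over it. The
 * harness (not the parser) caps name_len so the demo itself stays in bounds. */
uint32_t handler_after_parse(name_parser parser, uint8_t name_len, int *rc_out)
{
    unsigned char heap[HEAP_SIZE], rec[REC_HDR + 255];
    int rc = -99;
    memset(heap, 0, sizeof heap);
    store32(heap + HANDLER_OFF, 0x11223344u);
    if (name_len < HEAP_SIZE - NAME_OFF) {
        size_t n = build_record(rec, name_len);
        rc = parser(rec, n, heap);
    }
    if (rc_out) *rc_out = rc;
    return load32(heap + HANDLER_OFF);
}

/* Convenience for callers that only want the parser's status code. */
int parse_status(name_parser parser, uint8_t name_len)
{
    int rc;
    handler_after_parse(parser, name_len, &rc);
    return rc;
}

int main(void)
{
    printf("unchecked, len 20: rc=%d handler=0x%08x (clobbered)\n",
           parse_status(parse_name_unchecked, 20),
           (unsigned)handler_after_parse(parse_name_unchecked, 20, NULL));
    printf("checked,   len 20: rc=%d handler=0x%08x (rejected, intact)\n",
           parse_status(parse_name_checked, 20),
           (unsigned)handler_after_parse(parse_name_checked, 20, NULL));
    return 0;
}
```

The point to take from the hardened parser is which value bounds the copy: the file says how much data is present, but only the destination says how much may be written, and the two checks are independent. Rejecting, rather than truncating, keeps a tampered file from being half-loaded.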
ZDI-10-013: Microsoft Internet Explorer Table Layout Reuse Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-013
January 21, 2010

-- CVE ID:
CVE-2010-0245

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when specific elements are used within a table container. If one of these elements is removed, the application will unlink the element from the layout tree incorrectly. When this tree is later traversed, the application will reuse the object that has been freed, which can lead to code execution under the context of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Sam Thomas of eshu.co.uk

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-011
January 21, 2010

-- CVE ID:
CVE-2010-0244

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when a Col element is used within an HTML table container. If this element is removed while the table is in use, a cache of the table's cells will be used after one of its elements has been invalidated. This can lead to code execution under the context of the currently logged-in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * wushi of team509

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
ZDI-10-012: Microsoft Internet Explorer Baseline Tag Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-012
January 21, 2010

-- CVE ID:
CVE-2010-0246

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9429. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that an attacker must coerce a victim to visit a malicious page.

The specific flaw exists due to the application rendering intertwined strike and center tags containing an element that manipulates the font baseline, such as 'sub' or 'sup'. When this element pointer is removed, the application will later dereference it even though it has been freed. Successful exploitation can lead to arbitrary code execution under the context of the currently logged-in user.

-- Vendor Response:
Microsoft states:

http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx

-- Disclosure Timeline:
2009-07-16 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Sam Thomas of eshu.co.uk

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
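The three Internet Explorer advisories above (ZDI-10-013, ZDI-10-011, ZDI-10-012) describe the same pattern from the rendering engine's side: a layout pass keeps pointers to nodes of the tree (a cache of the table's cells, a baseline element pointer), a node is removed and freed, and a later traversal follows the stale pointer into memory that may by then hold something the attacker shaped. The C program below is an added model of that pattern and of the two defences a reviewer would look for; it is written for this page and is not Microsoft's, ZDI's or the researchers' code. The table, the slot pool, the cell widths and the "spray" allocation are constructed for the demo and are not IE's layout engine. A slot pool with explicit free-marking and a per-slot generation counter stands in for the heap, so the stale read is deterministic and the demo itself stays memory-safe.

```c
/* Added demo of a stale layout cache (use-after-free), not Microsoft's or ZDI's
 * code; the table, slot pool, widths and the "spray" allocation are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 8

struct cell { int live; unsigned gen; int width; }; /* live=0 once freed; gen bumps per allocation */
static struct cell pool[POOL_SLOTS];                /* stands in for the heap */
static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* First-fit: a freed slot goes straight to the next caller, the reuse a heap spray relies on. */
static struct cell *cell_alloc(int width)
{
    for (size_t i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].live) {
            pool[i].live = 1; pool[i].gen++; pool[i].width = width;
            return &pool[i];
        }
    return NULL;
}
static void cell_free(struct cell *c) { c->live = 0; c->width = -1; } /* -1 marks a freed slot */

struct table {
    struct cell *cells[POOL_SLOTS];  size_t ncells;      /* the live layout tree               */
    struct cell *cache[POOL_SLOTS];  size_t ncache;      /* raw pointers captured at layout time */
    unsigned cache_gen[POOL_SLOTS];  int cache_valid;    /* slot generation seen back then       */
};

static void layout(struct table *t)
{
    for (size_t i = 0; i < t->ncells; i++) {
        t->cache[i] = t->cells[i];
        t->cache_gen[i] = t->cells[i]->gen;
    }
    t->ncache = t->ncells;
    t->cache_valid = 1;
}

static void unlink_cell(struct table *t, size_t idx)
{
    cell_free(t->cells[idx]);
    memmove(&t->cells[idx], &t->cells[idx + 1], (t->ncells - idx - 1) * sizeof t->cells[0]);
    t->ncells--;
}
/* BUG: the tree is updated but the cache derived from it is not. */
static void remove_cell_buggy(struct table *t, size_t idx) { unlink_cell(t, idx); }
/* FIX: whatever mutates the tree also invalidates what was derived from it. */
static void remove_cell_fixed(struct table *t, size_t idx) { unlink_cell(t, idx); t->cache_valid = 0; }

/* Vulnerable traversal: follows every cached pointer unconditionally. */
static int total_width_buggy(struct table *t)
{
    int sum = 0;
    for (size_t i = 0; i < t->ncache; i++) sum += t->cache[i]->width;
    return sum;
}

/* Hardened traversal: rebuilds an invalidated cache, and as defence in depth treats an
 * entry whose slot was freed or reallocated (generation mismatch) as stale even when
 * the remover forgot to invalidate. */
static int total_width_fixed(struct table *t)
{
    for (;;) {
        if (!t->cache_valid) layout(t);
        int sum = 0, stale = 0;
        for (size_t i = 0; i < t->ncache; i++) {
            const struct cell *c = t->cache[i];
            if (!c->live || c->gen != t->cache_gen[i]) { stale = 1; break; }
            sum += c->width;
        }
        if (!stale) return sum;
        t->cache_valid = 0;                  /* rebuilt from the live tree on the next pass */
    }
}

/* Three cells (10, 20, 30), lay out, remove the middle one, then an unrelated
 * allocation of width 1000 lands in the freed slot. */
static int run_scenario(void (*remove_fn)(struct table *, size_t), int (*total_fn)(struct table *))
{
    struct table t;
    memset(&t, 0, sizeof t);
    pool_reset();
    t.cells[0] = cell_alloc(10); t.cells[1] = cell_alloc(20); t.cells[2] = cell_alloc(30);
    t.ncells = 3;
    layout(&t);
    remove_fn(&t, 1);
    (void)cell_alloc(1000);                  /* the "spray" reusing the freed slot */
    return total_fn(&t);
}

int demo_stale_cache(void)       { return run_scenario(remove_cell_buggy, total_width_buggy); }
int demo_invalidated_cache(void) { return run_scenario(remove_cell_fixed, total_width_fixed); }
int demo_generation_check(void)  { return run_scenario(remove_cell_buggy, total_width_fixed); }

int main(void)
{
    printf("stale cache walked:      %d (the removed 20 now reads as 1000)\n", demo_stale_cache());
    printf("cache invalidated:       %d\n", demo_invalidated_cache());
    printf("generation check caught: %d\n", demo_generation_check());
    return 0;
}
```

In a real engine the freed slot is returned by the process heap, not a pool, and the attacker's replacement object is whatever a heap spray placed there, so the stale pointer resolves to attacker-controlled fields rather than a harmless width. The two defences shown are the ones that matter in review: every mutation of the tree must drop the derived cache (the remove_cell_fixed path), and where the engine cannot guarantee that, a generation or epoch check on cached pointers (the total_width_fixed path) turns a silent use-after-free into a rebuild.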