[Full-disclosure] [ GLSA 200611-21 ] Kile: Incorrect backup file permission
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200611-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Kile: Incorrect backup file permission
      Date: November 27, 2006
      Bugs: #155613
        ID: 200611-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Kile uses default permissions for backup files, potentially leading to
information disclosure.

Background
==========

Kile is a TeX/LaTeX editor for KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-editors/kile         < 1.9.2-r1                   >= 1.9.2-r1

Description
===========

Kile fails to set the same permissions on backup files as on the
original file. This is similar to CVE-2005-1920.

Impact
======

A Kile user may inadvertently grant access to sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Kile users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-editors/kile-1.9.2-r1"

References
==========

  [ 1 ] CVE-2005-1920
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200611-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgpOgmMYFwqrf.pgp
Description: PGP signature

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
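The bug class in the GLSA above, shown as an added example that is not Kile's code: a backup written with a plain open() inherits the process's default mode (0666 masked by the umask), while a backup that copies the original's permission bits at creation time stays as private as the file it duplicates. The function names, the ".bak"/"~" suffixes and the sample document are my own assumptions; the demo uses a temporary directory and a 022 umask so the result is reproducible.

```python
import os
import shutil
import stat
import tempfile


def backup_with_default_mode(path: str, suffix: str = ".bak") -> str:
    """The flawed pattern the advisory describes: the backup is created with
    0o666 & ~umask, however tightly the original was protected."""
    backup = path + suffix
    with open(path, "rb") as src, open(backup, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return backup


def backup_with_same_mode(path: str, suffix: str = "~") -> str:
    """Hardened form (my own, not Kile's): read the original's permission bits
    and create the backup with exactly those bits from the first instant.

    O_EXCL refuses to reuse a pre-existing file, and the explicit fchmod
    matters because os.open() still applies the umask to `mode`."""
    backup = path + suffix
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd = os.open(backup, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.fchmod(fd, mode)
    with os.fdopen(fd, "wb") as dst, open(path, "rb") as src:
        shutil.copyfileobj(src, dst)
    return backup


def mode_of(path: str) -> int:
    """Permission bits only (no file-type bits), e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Constructed scenario: a private (0600) document is backed up both ways
    under a typical 022 umask. Returns the modes of the original, the flawed
    backup and the hardened backup, in that order."""
    old_umask = os.umask(0o022)
    workdir = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        doc = os.path.join(workdir, "thesis.tex")
        with open(doc, "w") as f:
            f.write("\\documentclass{article}\n% constructed sample document\n")
        os.chmod(doc, 0o600)
        flawed = backup_with_default_mode(doc)
        hardened = backup_with_same_mode(doc)
        return mode_of(doc), mode_of(flawed), mode_of(hardened)
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    original, flawed, hardened = demo()
    print(f"original {original:o}  flawed backup {flawed:o}  hardened backup {hardened:o}")
```

The flawed backup comes out world-readable (0644) even though the document was 0600; the hardened one matches the original. The same check, stat the backup and compare its mode to the source, is a quick way to audit any editor or tool that writes `~` or `.bak` files next to sensitive documents.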
[Full-disclosure] [SECURITY] [DSA 1220-1] New pstotext packages fix arbitrary shell command execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1220-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
November 26th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : pstotext
Vulnerability  : insecure file name quoting
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2006-5869
Debian Bug     : 356988

Brian May discovered that pstotext, a utility to extract plain text from
Postscript and PDF files, performs insufficient quoting of file names,
which allows execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in
version 1.9-1sarge2. The build for the mipsel architecture is not yet
available due to technical problems with the build host.

For the upcoming stable distribution (etch) this problem has been
fixed in version 1.9-4.

For the unstable distribution (sid) this problem has been fixed in
version 1.9-4.

We recommend that you upgrade your pstotext package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2.dsc
      Size/MD5 checksum:      566 56e79abcf02e841e78267bda1faff734
    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2.diff.gz
      Size/MD5 checksum:     8857 4efb7277f17fca5ebd20573d93b11a83
    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9.orig.tar.gz
      Size/MD5 checksum:    37461 64576e8a10ff5514e285d98b3898ae78

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_alpha.deb
      Size/MD5 checksum:    34218 57b121ba1a0f5d53412ab5587c611d68

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_amd64.deb
      Size/MD5 checksum:    33872 cc72441f0565d8225ae1e97a7df34a82

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_arm.deb
      Size/MD5 checksum:    32532 9a3cf4674a2632ac1742551cb27cbe39

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_hppa.deb
      Size/MD5 checksum:    34492 f8a9db92d0ad4d81d58fcc6e763faf47

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_i386.deb
      Size/MD5 checksum:    32864 13c32d5164243e60e2ef00878c973c2f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_ia64.deb
      Size/MD5 checksum:    38038 dcfae670ad3dd9911d5085bcc177a8eb

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_m68k.deb
      Size/MD5 checksum:    31552 9dcd158543df00f1a13012647ec842bb

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_mips.deb
      Size/MD5 checksum:    34404 32922b44fef79abce8ca78587eb55453

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_powerpc.deb
      Size/MD5 checksum:    33636 75f0beb7494479f926c19a1f7e2b8297

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_s390.deb
      Size/MD5 checksum:    33218 096e0022136b767152d2da4a1563edc5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/pstotext/pstotext_1.9-1sarge2_sparc.deb
      Size/MD5 checksum:    33246 5e47a79b9092cae3878294f49bf211c2

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFadZqXm3vHE4uyloRArdeAJ9kBR2UvMXUp4vvECEwsgx7/hKedgCgsjN9
7bAER5TTywq24RN50Z9BSfY=
=92S1
-----END PGP SIGNATURE-----
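The DSA above says only that pstotext quoted file names insufficiently before handing them to a shell; it shows no code. The following added example (mine, not pstotext's) illustrates the defect class and its two standard fixes with `echo` standing in for the external tool: one string passed to `/bin/sh -c` lets a metacharacter in the file name become shell syntax, whereas an argument vector (no shell at all) or `shlex.quote` keeps the whole name as one argument. The file name is constructed; its second half is a harmless `echo` so the difference is visible in the output.

```python
import shlex
import subprocess

# Constructed file name containing a shell metacharacter. The part after
# the ';' is a harmless echo chosen so the outcome shows up in stdout.
TRICKY_NAME = "report; echo INJECTED.ps"


def run_via_shell_unquoted(tool: str, filename: str) -> list:
    """The flawed pattern (the bug class in the advisory): a single command
    string is parsed by /bin/sh, so ';', '$(...)', '|' etc. inside the file
    name are executed as shell syntax instead of reaching the tool."""
    result = subprocess.run(f"{tool} {filename}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_via_shell_quoted(tool: str, filename: str) -> list:
    """If a shell really is unavoidable: quote every untrusted word with
    shlex.quote, which wraps it in single quotes and escapes embedded ones."""
    result = subprocess.run(f"{tool} {shlex.quote(filename)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_via_argv(tool: str, filename: str) -> list:
    """Preferred fix: pass an argument list. No shell is involved, so the
    file name arrives in the tool's argv unchanged whatever it contains."""
    result = subprocess.run([tool, filename], capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for fn in (run_via_shell_unquoted, run_via_shell_quoted, run_via_argv):
        print(f"{fn.__name__:24s} -> {fn('echo', TRICKY_NAME)}")
```

With the unquoted form the shell runs two commands and prints two lines; with either fix the tool receives the literal name `report; echo INJECTED.ps` as a single argument. The argv form is the one to reach for first: it removes the shell from the picture rather than trying to out-escape it.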
Re: [Full-disclosure] *BSD banner INT overflow vulnerability
Tyop? wrote:

> Thinking that respect of standard is pathetic (netiquette here),
> will result in all communications, over internet or not,
> --> "noise".

And the history of F-D shows that F-D is especially prone to this, this
daylasoul moron being just the latest of a string of noise-only
contributors.

Responsible list members in _any_ unmoderated list don't make the kind
of content-free, response-generating posts our latest moron makes. If
she posts her inane pointless messages the amount of noise necessarily
goes up. If she doesn't make such posts she is therefore responsible
for NOT making matters worse. Her posting history shows that ALL she
does is increase the noise level, so what should we decide about her?

The occasional noise post from an otherwise usually on-topic poster is
tolerable, but noise-only posting from morons like daylasoul is not.
She should just shut the fuck up until she actually has something to
say that is relevant to the list readership...


Regards,

Nick FitzGerald
[Full-disclosure] iDefense Security Advisory 11.26.06: Qbik WinGate Compressed Name Pointer Denial of Service Vulnerability
Qbik WinGate Compressed Name Pointer Denial of Service Vulnerability

iDefense Security Advisory 11.26.06
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 26, 2006

I. BACKGROUND

Qbik WinGate is an Internet gateway and communications server. It
includes functionality related to efficiently sharing an Internet
connection including DNS caching. More information is available at the
following link:

http://www.wingate.com/product-wingate.php

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in Qbik IP
Management Limited's WinGate allows attackers to cause the application
to consume 100% of available CPU cycles.

Sending a DNS request which contains a compressed name pointer which
references itself, will cause the vulnerable code to enter an infinite
loop which will consume all CPU cycles.

The following packet illustrates the DNS data that would be included in
a packet triggering this vulnerability:

  \x00\x00 - Transaction ID
  \x00\x00 - Flags
  \x00\x01 - Questions
  \x00\x00 - Answer RRs
  \x00\x00 - Authority RRs
  \x00\x00 - Additional RRs
  \xc0\x0c - Query Name - Looping pointer
  \x00\x00 - Query Type
  \x00\x01 - Query Class

The DNS protocol allows for the compression of domain names in order to
reduce message sizes. This is accomplished by replacing an entire domain
name or a list of labels at the end of a domain name with a pointer to a
prior occurrence of the same name. The use of a pointer is indicated
within the Query Name field when the first two bits equal 1 (e.g. 0x0c).
The next byte is then interpreted as a pointer. In the packet detailed
above, the pointer itself is at the 12th byte within the DNS data
portion of the packet, thereby creating a looping pointer. The DNS
compression scheme is discussed in detail in RFC 1035.

III. ANALYSIS

Successful exploitation of this vulnerability could prevent the WinGate
proxy from functioning and thereby deny legitimate users access to
network based resources.

This vulnerability can be triggered by any user that is able to send
packets to the WinGate proxy. A single UDP packet is all that is
required and authentication credentials are not needed.

IV. DETECTION

iDefense has confirmed that Qbik Wingate 6.1 is vulnerable. Earlier
versions are suspected vulnerable.

V. WORKAROUND

iDefense is unaware of an effective workaround for this issue.

VI. VENDOR RESPONSE

"Qbik acknowledges this to be a bug in WinGate version 6.1.4 and prior."

Qbik addressed this vulnerability within version 6.2.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4518 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006  Initial vendor notification
10/17/2006  Initial vendor response
10/17/2006  Second vendor notification
11/26/2006  Coordinated public disclosure

IX. CREDIT

Michael Sutton (iDefense Labs) is credited with the discovery of this
vulnerability.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
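The defensive side of the WinGate advisory, as an added example that is neither WinGate's nor iDefense's code: a name decoder that applies the RFC 1035 rule the vulnerable loop evidently lacked. A pointer byte is one whose top two bits are set (the byte masked with 0xC0 equals 0xC0; in the advisory's packet that byte is 0xc0 and the following 0x0c supplies the offset), and section 4.1.4 says a pointer refers to a *prior* occurrence, so a decoder can require every pointer target to lie before the pointer itself. That single comparison rejects the self-referencing pointer at offset 12 and, more generally, any forward or circular chain, because each hop then strictly decreases the position. The decoder goes a little beyond the advisory's case and also rejects truncated labels and the reserved 01/10 label types. `SELF_POINTING_QUERY` is the advisory's bytes; `BENIGN_RESPONSE` and the function names are my own constructions.

```python
import struct


class MalformedName(ValueError):
    """Raised when a compressed domain name cannot be decoded safely."""


def read_name(msg: bytes, offset: int):
    """Decode an RFC 1035 domain name that starts at `offset` in `msg`.

    Returns (dotted_name, offset_just_after_the_name_field). The check that
    defeats the advisory's packet: a pointer must target a byte *before* its
    own position, so every hop strictly decreases `pos` and the loop below
    terminates whatever the message contains."""
    labels = []
    pos = offset
    resume_at = None  # set at the first pointer; the name field ends there
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # top two bits set: 14-bit pointer follows
            if pos + 1 >= len(msg):
                raise MalformedName("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if resume_at is None:
                resume_at = pos + 2
            if target >= pos:  # self-reference (0xC00C at offset 12) or forward jump
                raise MalformedName(f"pointer at {pos} targets {target}, not a prior offset")
            pos = target
            continue
        if length & 0xC0:  # 01xxxxxx / 10xxxxxx are reserved label types
            raise MalformedName(f"reserved label type at offset {pos}")
        if length == 0:  # the root label ends the name
            pos += 1
            break
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise MalformedName("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return ".".join(labels), (pos if resume_at is None else resume_at)


def first_question_name(msg: bytes):
    """QNAME of the first question, or None if the header is short, there is
    no question, or the name is malformed: the check to make before a
    caching proxy does anything else with the message."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount == 0:
        return None
    try:
        return read_name(msg, 12)[0]
    except MalformedName:
        return None


# The DNS payload listed in the advisory: one question whose QNAME is the
# pointer 0xC0 0x0C, i.e. offset 12, which is the pointer's own position.
SELF_POINTING_QUERY = bytes([
    0x00, 0x00,  # Transaction ID
    0x00, 0x00,  # Flags
    0x00, 0x01,  # Questions
    0x00, 0x00,  # Answer RRs
    0x00, 0x00,  # Authority RRs
    0x00, 0x00,  # Additional RRs
    0xC0, 0x0C,  # Query Name - looping pointer
    0x00, 0x00,  # Query Type
    0x00, 0x01,  # Query Class
])


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a dotted name (helper for the sample below)."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


# Constructed, well-formed response: the answer's owner name is a pointer back
# to the question name at offset 12, which is how compression is meant to work.
BENIGN_RESPONSE = (
    b"\x12\x34" + b"\x81\x80" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00" + b"\x00\x00"
    + encode_name("www.example.com") + b"\x00\x01\x00\x01"        # question at offset 12
    + b"\xC0\x0C" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10"    # answer at offset 33
    + b"\x00\x04" + bytes([192, 0, 2, 1])                         # A 192.0.2.1 (TEST-NET-1)
)


if __name__ == "__main__":
    print("advisory packet:", first_question_name(SELF_POINTING_QUERY))
    print("benign response:", first_question_name(BENIGN_RESPONSE),
          read_name(BENIGN_RESPONSE, 33))
```

For the advisory's packet `first_question_name` returns `None` instead of spinning; for the benign response it decodes `www.example.com` and the answer's pointer at offset 33 resolves back to offset 12 as intended. A hop counter is a common belt-and-braces addition, but the "prior offset only" rule alone already makes the loop impossible.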
[Full-disclosure] iDefense Security Advisory 11.26.06: GNU Radius Format String Vulnerability
GNU Radius Format String Vulnerability

iDefense Security Advisory 11.26.06
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 26, 2006

I. BACKGROUND

GNU Radius is a centralized user authentication and accounting system.
It supports back-end SQL databases for accounting. More information can
be found at http://www.gnu.org/software/radius/

II. DESCRIPTION

Remote exploitation of a format string vulnerability in GNU Radius could
allow an attacker to execute code in the context of the running daemon.

The vulnerability specifically exists within the SQL accounting code. A
format string is built using user supplied data and then unsafely passed
to the variable argument function 'sqllog'.

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to
execute arbitrary code in the context of the running radius daemon
(radiusd). Typically the radius daemon will run as root.

Exploitation requires that radiusd be compiled with an SQL back-end and
SQL accounting be turned on. These options are both turned on by default
for FreeBSD and Gentoo Linux.

IV. DETECTION

iDefense has confirmed that this vulnerability is present in version 1.3
and 1.2 of GNU Radius. It is likely that all prior versions are
vulnerable.

V. WORKAROUND

iDefense confirms that using one of the other supported accounting
methods will mitigate exploitation of this vulnerability while still
allowing accounting to take place.

VI. VENDOR RESPONSE

The GNU Radius team included a fix for this vulnerability in version
1.4.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4181 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
09/08/2006  Initial vendor response
11/06/2006  Second vendor notification
11/26/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
[Full-disclosure] Mambo component "jambook" Html injection Vulnerability
######################################################################
# Advisory #14
# Title: Mambo component "jambook" Html injection Vulnerability
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus at diosdelared.com
# Website: www.diosdelared.com
# Date: 26/11/06
# Risk: medium
# Vendor Url: http://www.jxdevelopment.com/jambook
# Affected Software: jambook
# search: allinurl: com_jambook
#
# Info:
# #####
# can be exploited by malicious people to conduct script insertion
# attacks.
#
# Input passed to the "Entry" field isn't sanitised before being stored
# in the guestbook.
#
# This can be exploited to execute arbitrary script code in a user's
# browser session in context of an affected website when a malicious
# guestbook entry is viewed.
#
# example
# #######
#
#
# VULNERABLE VERSIONS
# ###################
# 1.0
#
# Contact information
# 0o_zeus_o0
# zeus at diosdelared.com
# www.diosdelared.com
#
# greetz: S.S.M, sams, a mi beba
# Original Advisory: http://diosdelared.com/14.txt
######################################################################
Re: [Full-disclosure] *BSD banner INT overflow vulnerability
On 11/26/06, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Please maintain a reasonable standard of netiquette when posting.
> > Thanks.
> Who died and made you list-nanny?
>
> Oh, that's right no-fucking-one.
>
> Your pathetic posts contribute nothing but noise to the list -- piss
> off...

Thinking that respect of standard is pathetic (netiquette here),
will result in all communications, over internet or not,
--> "noise".

--
Tyop?
Re: [Full-disclosure] *BSD banner INT overflow vulnerability
[EMAIL PROTECTED] wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 26 Nov 2006 01:21:50 -0600 "J.A. Terranson" <[EMAIL PROTECTED]>
> wrote:
> >On Wed, 22 Nov 2006, Sean Comeau wrote:
> >
> >> On Wed, Nov 22, 2006 at 12:25:46PM +0300, dead code crew wrote:
> >> >
> >> > %uname -sir
> >> > FreeBSD 6.1-RELEASE GENERIC
> >> > %gdb banner
> >> > (gdb) r -w 1700
> >> > Program received signal SIGSEGV, Segmentation fault.
> >> > 0x01010101 in ?? ()
> >> >
> >>
> >> This doesn't crash banner on OpenBSD,
> >
> >FreeBSD 4.10R doesn't give a shit either.
> >
> >> and even if it did who cares? What would anyone accomplish by
> >making
> >> this setuid root?
> >
> > -bash-2.05b$ ls -al /usr/bin/banner
> > -r-xr-xr-x 1 root wheel 16136 May 25 2004 /usr/bin/banner
> >
> >Good question.
> >
> >--
> >Yours,
> >
> >J.A. Terranson
> >[EMAIL PROTECTED]
> >0xBD4A95BF
> >
> >"Surely the larger lesson learned from that day is that other men,
> >all over the world, took inspiration not from the heroism of the
> >rescuers in New York or the passengers flying over Pennsylvania, but
> >from the 19 hijackers - the twisted brilliance of their scheme and
> >their willingness to sacrifice their lives to make a political and,
> >as they saw it, religious statement."
> >
> >Richard Corliss/Time Magazine
> >11 Aug 2006
>
> Please maintain a reasonable standard of netiquette when posting.
> Thanks.

Who died and made you list-nanny?

Oh, that's right no-fucking-one.

Your pathetic posts contribute nothing but noise to the list -- piss
off...


Regards,

Nick FitzGerald
Re: [Full-disclosure] *BSD banner INT overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 26 Nov 2006 01:21:50 -0600 "J.A. Terranson" <[EMAIL PROTECTED]>
wrote:
>On Wed, 22 Nov 2006, Sean Comeau wrote:
>
>> On Wed, Nov 22, 2006 at 12:25:46PM +0300, dead code crew wrote:
>> >
>> > %uname -sir
>> > FreeBSD 6.1-RELEASE GENERIC
>> > %gdb banner
>> > (gdb) r -w 1700
>> > Program received signal SIGSEGV, Segmentation fault.
>> > 0x01010101 in ?? ()
>> >
>>
>> This doesn't crash banner on OpenBSD,
>
>FreeBSD 4.10R doesn't give a shit either.
>
>> and even if it did who cares? What would anyone accomplish by
>making
>> this setuid root?
>
> -bash-2.05b$ ls -al /usr/bin/banner
> -r-xr-xr-x 1 root wheel 16136 May 25 2004 /usr/bin/banner
>
>Good question.
>
>--
>Yours,
>
>J.A. Terranson
>[EMAIL PROTECTED]
>0xBD4A95BF
>
>"Surely the larger lesson learned from that day is that other men,
>all over the world, took inspiration not from the heroism of the
>rescuers in New York or the passengers flying over Pennsylvania, but
>from the 19 hijackers - the twisted brilliance of their scheme and
>their willingness to sacrifice their lives to make a political and,
>as they saw it, religious statement."
>
>Richard Corliss/Time Magazine
>11 Aug 2006

Please maintain a reasonable standard of netiquette when posting.
Thanks.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkVpd7YACgkQ3AEcWsxdEQ496QP/VshMF0rw60R4PnGpNosJN7A+boQn
TC1i7J+RaainFCV0vrqxWpRzrhol4raV14KWAxTvq/jwZAcMz18f4j2Y2LmOoFGCrRUR
+06y6YkIVGGyoYgu0zzmvyS9hkKXqRv675/fZg45FqW9gGWqJaxJ8vvKaYt87DrP0EJ+
1G51vxw=
=SqM0
-----END PGP SIGNATURE-----
[Full-disclosure] Internet Explorer 6.x Stack Overflow
IE 6.x Stack Overflow

It is tested on IE7 and several versions of IE6, though not below 6. In
some cases the browser does not crash but displays a Run-time memory full
error. This happens when Windows does not have SP2 - but I didn't test it
thoroughly.

/* ie_stack.php */
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd ">
Internet Explorer 6.x Stack Overflow
Copyright © Adriaan Graas
Internet Explorer 6.x Stack Overflow
Change the amount of code by changing the GET j variable in the url, f.e.
index.php?j=1.
/* End of file */

This script is also hosted here:
http://www.pc1337.nl/iestack/iestack.php?j=1.

The php can easily be rewritten to javascript or vbscript. In fact, you
can use functions different than alert() to overflow the stack.

I am not experienced enough to exploit this. It would be nice if someone
works this out. More tests are also welcome.

Adriaan Graas