Secunia reports:
A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an input validation error when processing Speex headers, which can be exploited via a specially crafted Speex stream containing a negative "modeID" field in the header.
Successful exploitation may allow execution of arbitrary code.
Secunia reports:
A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to the "drive_init()" function in vl.c determining the format of a disk from data contained in the disk's header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image.
Secunia reports:
A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information.
The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the content of arbitrary local files by e.g. tricking a user into visiting a malicious website.
FrSIRT reports:
A vulnerability has been identified in mt-daapd which could be exploited by remote attackers to cause a denial of service or compromise an affected system. This issue is caused by a buffer overflow error in the ws_getpostvars() function when processing a negative Content-Length: header value, which could be exploited by remote unauthenticated attackers to crash an affected application or execute arbitrary code.
Secunia reports:
Two vulnerabilities have been reported in SDL_image, which can be exploited by malicious people to cause a Denial of Service or potentially compromise an application using the library.
A boundary error within the LWZReadByte() function in IMG_gif.c can be exploited to trigger the overflow of a static buffer via a specially crafted GIF file.
A boundary error within the "IMG_LoadLBM_RW()" function in IMG_lbm.c can be exploited to cause a heap-based buffer overflow via a specially crafted IFF ILBM file.
Secunia reports:
A vulnerability has been reported in GnuPG, which can potentially be exploited to compromise a vulnerable system.
The vulnerability is caused due to an error when importing keys with duplicated IDs. This can be exploited to cause a memory corruption when importing keys via --refresh-keys or --import.
Successful exploitation potentially allows execution of arbitrary code, but has not been proven yet.
Extmail team reports:
Emergency update #4 fixes a serious security vulnerability.
Successful exploit of this vulnerability would allow attacker to change user's password without knowing it by using specifically crafted HTTP request.
Secunia reports:
A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.
Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed.
Secunia reports:
The vulnerability is caused due to an error when attaching to a TTY via the -T command line switch. This can be exploited to execute arbitrary commands with the privileges of the user running mksh via characters previously written to the attached virtual console.
Hanno Boeck reports:
The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely.
Various path fields are not escaped properly, thus filling them with javascript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with javascript.
In the referrer plugin of the blog application serendipity, the referrer string is not escaped, thus leading to a permanent XSS.
Mozilla Foundation reports:
Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.
Secunia reports:
Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a Denial of Service, disclose potentially sensitive information, or potentially compromise an application using the library.
The vulnerability is caused due to the improper handling of PNG chunks unknown to the library. This can be exploited to trigger the use of uninitialized memory in e.g. a free() call via unknown PNG chunks having a length of zero.
Successful exploitation may allow execution of arbitrary code, but requires that the application calls the png_set_read_user_chunk_fn() function or the png_set_keep_unknown_chunks() function under specific conditions.
Secunia reports:
A vulnerability has been reported in Openfire, which can be exploited by malicious people to cause a Denial of Service.
The vulnerability is caused due to an unspecified error and can be exploited to cause a Denial of Service.
CVE reports:
Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).
Justin Ferguson reports:
Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
The PostgreSQL developers report:
PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Both of these holes have now been closed.
PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend.
DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle, but that patch failed to close all forms of the loophole.
A phpMyAdmin security announcement report:
It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed. If a user can upload on the same host where phpMyAdmin is running a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat.
A phpMyAdmin security announcement report:
phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host.
xine Team reports:
A new xine-lib version is now available. This release contains a security fix (an unchecked array index that could allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.)
Secunia reports:
Some vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
1) A boundary error exists within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable.
Successful exploitation allows execution of arbitrary code.
2) A boundary error within the processing of PeSpin packed executables in libclamav/spin.c can be exploited to cause a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code.
3) An unspecified error in the processing of ARJ files can be exploited to hang ClamAV.
Secunia reports:
A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to lighttpd not properly clearing the OpenSSL error queue. This can be exploited to close concurrent SSL connections of lighttpd by terminating one SSL connection.
The ikiwiki development team reports:
Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user.
postfix-policyd-weight does not check for symlink for its working directory. If the working directory is not already setup by the super root, an unprivileged user can link it to another directories in the system. This results in ownership/permission changes on the target directory.
If the system random number generator can be predicted by its past output, then an attacker may spoof Recursor to accept mallicious data. This leads to DNS cache poisoning and client redirection.
Multiple local privilege escalation are found in the symlink verification code. An attacker may use it to run a PHP script with the victim's privilege. This attack is a little harder when suphp operates in paranoid mode. For suphp that runs in owner mode which is the default in ports, immediate upgrade to latest version is advised.
Opera Software reports of multiple security issues in Opera. All of them can lead to arbitrary code execution. Details are as the following:
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
- MFSA 2008-18 Java socket connection to any local port via LiveConnect
- MFSA 2008-17 Privacy issue with SSL Client Authentication
- MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
- MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
- MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
Core Security Technologies reports:
A remote buffer overflow vulnerability found in a library used by both the SILC server and client to process packets containing cryptographic material may allow an un-authenticated client to executearbitrary code on the server with the privileges of the user account running the server, or a malicious SILC server to compromise client systems and execute arbitrary code with the privileges of the user account running the SILC client program.
SecurityFocus reports:
The 'bzip2' application is prone to a remote file-handling vulnerability because the application fails to properly handle malformed files.
Exploit attempts likely result in application crashes.
Ian Jackson reports on the debian-security mailinglist:
When a block device read or write request is made by the guest, nothing checks that the request is within the range supported by the backend, but the code in the backend typically assumes that the request is sensible.
Depending on the backend, this can allow the guest to read and write arbitrary memory locations in qemu, and possibly gain control over the qemu process, escaping from the emulation/virtualisation.
Dovecot reports:
Security hole in blocking passdbs (MySQL always. PAM, passwd and shadow if blocking=yes) where user could specify extra fields in the password. The main problem here is when specifying "skip_password_check" introduced in v1.0.11 for fixing master user logins, allowing the user to log in as anyone without a valid password.
The Mplayer team reports:
A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer.
A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into as array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
Chris Evans from the Google Security Team reports:
Severity: parsing of evil PostScript file will result in arbitrary code execution.
A stack-based buffer overflow in the zseticcspace() function in zicc.c allows remote arbitrary code execution via a malicious PostScript file (.ps) that contains a long Range array.
A phpMyAdmin security announcement report:
phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data.
Mitigation factor
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.
PCRE developers report:
A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow.
xine Team reports:
A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow.
Coppermine Security advisory
The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability.
MoinMoin Security advisory
XSS issue in login action
XSS issue in AttachFile action
XSS issue in RenamePage/DeletePage action
XSS issue in gui editor
Opera Software ASA reports about multiple security fixes:
- Fixed an issue where simulated text inputs could trick users into uploading arbitrary files, as reported by Mozilla.
- Image properties can no longer be used to execute scripts, as reported by Max Leonov.
- Fixed an issue where the representation of DOM attribute values could allow cross site scripting, as reported by Arnaud.lb.
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- Web forgery overwrite with div overlay
- URL token stealing via stylesheet redirect
- Mishandling of locally-saved plain text files
- File action dialog tampering
- Possible information disclosure in BMP decoder
- Web browsing history and forward navigation stealing
- Directory traversal via chrome: URI
- Stored password corruption
- Privilege escalation, XSS, Remote Code Execution
- Multiple file input focus stealing vulnerabilities
- Crashes with evidence of memory corruption (rv:1.8.1.12)
Secunia Advisory reports:
A vulnerability has been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service).
iDefense Security Advisory 02.12.08:
Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.
The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.
Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
Disabling the scanning of PE files will prevent exploitation.
If using clamscan, this can be done by running clamscan with the '--no-pe' option.
If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.
The cacti development team reports:
Multiple security vulnerabilities have been discovered in Cacti's web interface:
- XSS vulnerabilities
- Path disclosure vulnerabilities
- SQL injection vulnerabilities
- HTTP response splitting vulnerabilities
The ikiwiki development team reports:
The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifyable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked.
zenphoto project reports:
A new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities.
Greg Wilkins reports:
jetty allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/' characters in the URI.
xine project reports:
A new xine-lib version is now available. This release contains a security fix (remotely-expoitable buffer overflow, CVE-2006-1664). (This is not the first time that that bug has been fixed...) It also fixes a few more recent bugs, such as the audio output problems in 1.1.9.
Matthieu Herrb of X.Org reports:
Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Exploiting these overflows will crash the X server or, under certain circumstances allow the execution of arbitray machine code.
When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges.
All these vulnerabilities, to be exploited succesfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed.
Gentoo reports:
A remote attacker could entice a user to install a specially crafted "rc" file to execute arbitrary code via long strings in the "Name" and "Comment" fields or via unspecified vectors involving the second vulnerability.
Nico Golde reports:
A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail.
Secunia reports:
A vulnerability has been reported in IRC Services, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to the improper handling of overly long passwords within the "default_encrypt()" function in encrypt.c and can be exploited to crash an affected server.
xine project reports:
A new xine-lib version is now available. This release contains a security fix (remotely-expoitable buffer overflow, CVE-2008-0225). It also contains a read-past-end fix for an internal library function which is only used if the OS does not supply it and a rendering fix for Darwin/PPC.
Geeklog reports:
MustLive pointed out a possible XSS in the form to email an article to a friend that we're fixing with this release.
Please note that this problem only exists in Geeklog 1.4.0 - neither Geeklog 1.4.1 nor any older versions (1.3.x series) have that problem.
The Drupal Project reports:
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
The Drupal Project reports:
When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are invalid in the UTF8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may lead to unsafe attributes that were outside a tag for the filter to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute javascript in the context of the website.
The Drupal Project reports:
When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.
Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.
Secunia reports:
A vulnerability has been reported in MaraDNS, which can be exploited by malicious people to cause a Denial of Service.
The vulnerability is caused due to an error within the handling of certain DNS packets. This can be exploited to cause a resource rotation by sending specially crafted DNS packets, which cause an authoritative CNAME record to not resolve, resulting in a Denial of Sevices.
Secunia reports:
Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system.
An input validation error when processing .RA/.RAM files can be exploited to cause a heap corruption via a specially crafted .RA/.RAM file with an overly large size field in the header.
An error in the processing of .PLS files can be exploited to cause a memory corruption and execute arbitrary code via a specially crafted .PLS file.
An input validation error when parsing .SWF files can be exploited to cause a buffer overflow via a specially crafted .SWF file with malformed record headers.
A boundary error when processing rm files can be exploited to cause a buffer overflow.
Adobe Security bulletin:
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.
Dovecot reports:
If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails.
The Gallery team reports:
Gallery 2.2.4 addresses the following security vulnerabilities:
- Publish XP module - Fixed unauthorized album creation and file uploads.
- URL rewrite module - Fixed local file inclusion vulnerability in unsecured admin controller and information disclosure in hotlink protection.
- Core / add-item modules - Fixed Cross Site Scripting (XSS) vulnerabilities through malicious file names.
- Installation (Gallery application) - Update web-accessibility protection of the storage folder for Apache 2.2.
- Core (Gallery application) / MIME module - Fixed vulnerability in checks for disallowed file extensions in file uploads.
- Gallery Remote module - Added missing permissions checks for some GR commands.
- WebDAV module - Fixed Cross Site Scripting (XSS) vulnerability through HTTP PROPPATCH.
- WebDAV module - Fixed information (item data) disclosure in a WebDAV view.
- Comment module - Fixed information (item data) disclosure in comment views.
- Core module (Gallery application) - Improved resilience against item information disclosure attacks.
- Slideshow module - Fixed information (item data) disclosure in the slideshow.
- Print modules - Fixed information (item data) disclosure in several print modules.
- Core / print modules - Fixed arbitrary URL redirection (phishing attacks) in the core module and several print modules.
- WebCam module - Fixed proxied request weakness.
Theodore Y. Ts'o reports:
Fix a potential security vulnerability where an untrusted filesystem can be corrupted in such a way that a program using libext2fs will allocate a buffer which is far too small. This can lead to either a crash or potentially a heap-based buffer overflow crash. No known exploits exist, but main concern is where an untrusted user who possesses privileged access in a guest Xen environment could corrupt a filesystem which is then accessed by thus allowing the untrusted user to gain privileged access in the host OS. Thanks to the McAfee AVERT Research group for reporting this issue.
The Wireshark team reports of multiple vulnerabilities:
- Wireshark could crash when reading an MP3 file.
- Beyond Security discovered that Wireshark could loop excessively while reading a malformed DNP packet.
- Stefan Esser discovered a buffer overflow in the SSL dissector.
- The ANSI MAP dissector could be susceptible to a buffer overflow on some platforms.
- The Firebird/Interbase dissector could go into an infinite loop or crash.
- The NCP dissector could cause a crash.
- The HTTP dissector could crash on some systems while decoding chunked messages.
- The MEGACO dissector could enter a large loop and consume system resources.
- The DCP ETSI dissector could enter a large loop and consume system resources.
- Fabiodds discovered a buffer overflow in the iSeries (OS/400) Communication trace file parser.
- The PPP dissector could overflow a buffer.
- The Bluetooth SDP dissector could go into an infinite loop.
- A malformed RPC Portmap packet could cause a crash.
- The IPv6 dissector could loop excessively.
- The USB dissector could loop excessively or crash.
- The SMB dissector could crash.
- The RPL dissector could go into an infinite loop.
- The WiMAX dissector could crash due to unaligned access on some platforms.
- The CIP dissector could attempt to allocate a huge amount of memory and crash.
Impact
It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Opera Software ASA reports about multiple security fixes:
- Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by David Bloom. Details will be disclosed at a later date.
- Fixed an issue with TLS certificates that could be used to execute arbitrary code, as reported by Alexander Klink (Cynops GmbH). Details will be disclosed at a later date.
- Rich text editing can no longer be used to allow cross domain scripting, as reported by David Bloom. See our advisory.
- Prevented bitmaps from revealing random data from memory, as reported by Gynvael Coldwind. Details will be disclosed at a later date.
Luigi Auriemma reports that peercast is vulnerable to a buffer overflow which could lead to a DoS or potentially remote code execution:
The handshakeHTTP function which handles all the requests received by the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with how much data he wants.
The Ganglia project reports:
The Ganglia development team is pleased to release Ganglia 3.0.6 (Foss) which is available[...]. This release includes a security fix for web frontend cross-scripting vulnerability.
SecurityFocus reports:
QEMU is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks when handling user-supplied input.
Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
The Drupal Project reports:
The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
Secuna Research reports:
Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled.
Secunia reports:
Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name.
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
The live555 development team reports:
Fixed a bounds-checking error in "parseRTSPRequestString()" caused by an int vs. unsigned problem.
The function which handles the incoming queries from the clients is affected by a vulnerability which allows an attacker to crash the server remotely using the smallest RTSP query possible to use.
GNU security announcement:
GNU Finger unfortunately has not been updated in many years, and has known security vulnerabilities. Please do not use it in production environments.
Squid secuirty advisory reports:
Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing.
This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service.
Rails core team reports:
The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077.
Rails core team reports:
All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn't strictly necessary if you aren't working with JSON. For more information the JSON vulnerability, see CVE-2007-3227.
The ikiwiki development team reports:
Ikiwiki did not check if path to the srcdir to contained a symlink. If an attacker had commit access to the directories in the path, they could change it to a symlink, causing ikiwiki to read and publish files that were not intended to be published. (But not write to them due to other checks.)
Mozilla Foundation reports:
The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
phpMyAdmin security announcement:
The login page auth_type cookie was vulnerable to XSS via the convcharset parameter. An attacker could use this to execute malicious code on the visitors computer
The Samba Team reports:
Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf.
Samba developers have discovered what is believed to be a non-exploitable buffer over in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller.
PHP project reports:
Security Enhancements and Fixes in PHP 5.2.5:
- Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
- Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
- Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf
- Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
- Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
- Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
- Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
US-CERT reports:
webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a stats method action to /xml-rpc with (1) an empty Authorization header line, which triggers a crash in the ws_decodepassword function; or (2) a header line without a ':' character, which triggers a crash in the ws_getheaders function.
CVE reports:
The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.
iDefense Laps reports:
Remote exploitation of multiple integer overflow vulnerabilities in libFLAC, as included with various vendor's software distributions, allows attackers to execute arbitrary code in the context of the currently logged in user.
These vulnerabilities specifically exist in the handling of malformed FLAC media files. In each case, an integer overflow can occur while calculating the amount of memory to allocate. As such, insufficient memory is allocated for the data that is subsequently read in from the file, and a heap based buffer overflow occurs.
Secunia Research reports:
Secunia Research has discovered some vulnerabilities in Xpdf, which can be exploited by malicious people to compromise a user's system.
- An array indexing error within the "DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be exploited to corrupt memory via a specially crafted PDF file.
- An integer overflow error within the "DCTStream::reset()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file.
- A boundary error within the "CCITTFaxStream::lookChar()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow by tricking a user into opening a PDF file containing a specially crafted "CCITTFaxDecode" filter.
Successful exploitation may allow execution of arbitrary code.
Plone projectreports:
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.
The DigiTrust Group reports:
When creating a new database, a malicious user can use a client-side Web proxy to place malicious code in the db parameter of the POST request. Since db_create.php does not properly sanitize user-supplied input, an administrator could face a persistent XSS attack when the database names are displayed.
Gallery project reports:
Gallery 2.2.3 addresses the following security vulnerabilities:
- Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas)
- Unauthorized modification and retrieval of item properties possible with WebDAV
- Unauthorized locking and replacing of items possible with WebDAV
- Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts)
A Secunia reports:
Some vulnerabilities have been reported in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and disclose potentially sensitive information.
Input passed to the username parameter in tiki-remind_password.php (when remind is set to send me my password) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code (for example with meta refreshes to a javascript: URL) in a user's browser session in context of an affected site.
Input passed to the local_php and error_handler parameters in tiki-index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Input passed to the imp_language parameter in tiki-imexport_languages.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Certain img src elements are not properly santised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.
Secunia reports:
Secunia Research has discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the "ippReadIO()" function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.
Successful exploitation allows execution of arbitrary code.
Red Hat reports:
A flaw was found in Perl's regular expression engine. Specially crafted input to a regular expression can cause Perl to improperly allocate memory, possibly resulting in arbitrary code running with the permissions of the user running Perl.
Debian project reports:
Tavis Ormandy of the Google Security Team has discovered several security issues in PCRE, the Perl-Compatible Regular Expression library, which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions.
SEC-Consult reports:
Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.
Gentoo reports:
Kalle Olavi Niemitalo discovered two boundary errors in fsplib code included in gFTP when processing overly long directory or file names.
A remote attacker could trigger these vulnerabilities by enticing a user to download a file with a specially crafted directory or file name, possibly resulting in the execution of arbitrary code or a Denial of Service.
Securiweb reports:
dircproxy allows remote attackers to cause a denial of service (segmentation fault) via an ACTION command without a parameter, which triggers a NULL pointer dereference, as demonstrated using a blank /me message from irssi.
A Secunia Advisory report:
Input passed to the "posts_columns" parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
BugTraq reports:
OpenLDAP is prone to multiple remote denial-of-service vulnerabilities because of an incorrect NULL-termination issue and a double-free issue.
Django project reports:
A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.
Due to limitations imposed by