A vulnerability has been reported in ClamAV, which potentially can be exploited by malicious people with an unknown impact.
The vulnerability is caused due to an unspecified boundary error in "libclamav/upx.c". This can potentially be exploited to cause a heap-based buffer overflow via a specially-crafted UPX packed file.
Remote exploitation of a buffer overflow vulnerability in the University of Washington's IMAP Server (UW-IMAP) allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values. The mail_valid_net_parse_work() function in src/c-client/mail.c is responsible for obtaining and validating the specified mailbox name from user-supplied data. An error in the parsing of supplied mailbox names will continue to copy memory after a " character has been parsed until another " character is found.
A remote or local user may be able to supply a specially crafted regular expression to trigger a heap integer overflow in PCRE. The impact depends on the application that uses the library. Applications that parse untrusted regular expressions may be vulnerable.
If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411"
If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client.
A malicious [authenticated] client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table.
DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client.
The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe Reader. A buffer overflow can cause the application to crash and increase the risk of malicious code execution.
There was a memory alignment bug in the library Gaim uses to access the Gadu-Gadu network. This bug can not be exploited on x86 architectures. This bug was recently fixed in the libgadu library, but also needed to be fixed in Gaim because Gaim includes a copy of the libgadu library.
A remote user could cause Gaim to crash on some systems by sending the Gaim user a file whose filename contains certain invalid characters. It is unknown what combination of systems are affected, but it is suspected that Windows users and systems with older versions of GTK+ are especially susceptible.
A remote AIM or ICQ user can cause a buffer overflow in Gaim by setting an away message containing many AIM substitution strings (such as %t or %n).
Tor 0.1.0.13 fixes a CRITICAL bug in the security of our crypto handshakes. All clients should upgrade IMMEDIATELY.
Michael has reported some vulnerabilities in jabberd, which potentially can be exploited by malicious users to compromise a vulnerable system.
The vulnerabilities are caused due to three boundary errors in jid.c when parsing JID strings with overly long user, host, or resource components. This can be exploited to crash the server or potentially execute arbitrary code.
Secunia reports a download dialog spoofing issue, an image dragging issue and a link hijacking issue in Secunia Advisories SA15870, SA15756 and SA15781.
im 6.3 before 6.3.082, with modelines enabled, allows attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.
Clamav provides file format support for virus analysis. During analysis ClamAV Antivirus Library is vulnerable to buffer overflows allowing attackers complete control of the system. These vulnerabilities can be exploited remotely without user interaction or authentication through common protocols such as SMTP, SMB, HTTP, FTP, etc.
fetchmail's POP3/UIDL code does not truncate received UIDs properly. A malicious or compromised POP3 server can thus corrupt fetchmail's stack and inject code when fetchmail is using UIDL, either through configuration, or as a result of certain server capabilities. Note that fetchmail is run as root on some sites, so an attack might compromise the root account and thus the whole machine.
James Bercegay of GulfTech Security Research discovered that the PEAR XML-RPC library fails to sanatize input sent using the "POST" method. A remote attacker could exploit this vulnerability to execute arbitrary PHP script code by sending a specially crafted XML document to web applications making use of these libraries.
Apache SpamAssassin Security Team reports
Apache SpamAssassin 3.0.4 was recently released, and fixes a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain misformatted long message headers to cause spam checking to take a very long time.
While the exploit has yet to be seen in the wild, we are concerned that there may be attempts to abuse the vulnerability in the future. Therefore, we strongly recommend all users of these versions upgrade to Apache SpamAssassin 3.0.4 as soon as possible.
Tor 0.1.0.11 fixes a security problem where servers disregard their exit policies in some circumstances.
Nobuhiro IMAI reports:
the default value modification on Module#public_instance_methods (from false to true) breaks s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style security protection.
This problem could allow a remote attacker to execute arbitrary commands on XMLRPC server of libruby.
Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's Quantum archive decompressor renders Clam AntiVirus vulnerable to a Denial of Service attack.
A bug in Tor allows attackers to view arbitrary memory contents from an exit server's process space. A remote attacker could exploit the memory disclosure to gain sensitive information and possibly even private keys.
The leafnode security page notes:
A vulnerability was found in the fetchnews program (the NNTP client) that may under some circumstances cause a wait for input that never arrives, fetchnews "hangs". This hang does not cost CPU.
The squid patches page notes:
Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by OS as startup) is unfiltered and your network is not protected from IP spoofing.
This patch adds access controls to the cachemgr.cgi script, preventing it from being abused to reach other servers than allowed in a local configuration file.
A malicious local attacker could exploit a race condition to change the content of the temporary files before they are executed by fixproc, possibly leading to the execution of arbitrary code. A local attacker could also create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When fixproc is executed, this would result in the file being overwritten.
Two stack based buffer overflow bugs have been found in nasm. An attacker could create an ASM file in such a way that when compiled by a victim, could execute arbitrary code on their machine.
It is possible for a remote user to overflow a static buffer by sending an IM containing a very large URL (greater than 8192 bytes) to the Gaim user. This is not possible on all protocols, due to message length restrictions. Jabber are SILC are known to be vulnerable.
Potential remote denial of service bug resulting from not checking a pointer for non-NULL before passing it to strncmp, which results in a crash. This can be triggered by a remote client sending an SLP message with an empty body.
A vulnerability has been discovered in the record packet parsing in the GnuTLS library. Additionally, a flaw was also found in the RSA key export functionality.
A remote attacker could exploit this vulnerability and cause a Denial of Service to any application that utilizes the GnuTLS library.
Previously exported RSA keys can be fixed by executing the following command on the key files:
# certtool -k infile outfile
Two vulnerabilities were found in the fetchnews program (the NNTP client). These can cause the fetchnews program to crash when the upstream server closes the connection while leafnode is receiving an article header, or an article body.
Damian Put reports about ImageMagick:
Remote exploitation of a heap overflow vulnerability could allow execution of arbitrary code or course denial of service.
A heap overflow exists in ReadPNMImage() function, that is used to decode a PNM image files.
A vulnerability has been reported in Convert-UUlib where a malformed parameter can be provided by an attacker allowing a read operation to overflow a buffer. The vendor credits Mark Martinec and Robert Lewis with the discovery.
Multiple vulnerabilities have been reported in PHP, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Multiple vulnerabilities have been reported in PHP, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Greg Roelofs reports, that the fixes for several input-validation vulnerabilities, reported in August 2004, where incomplete.
The copy_symlink() subroutine in rsnapshot incorrectly changes file ownership on the files pointed to by symlinks, not on the symlinks themselves. This would allow, under certain circumstances, an arbitrary user to take ownership of a file on the main filesystem.
The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read.
The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions.
Sending a Gaim Jabber user a certain invalid file transfer request triggers an out-of-bounds read which causes Gaim to crash.
A vulnerability has been reported in Sylpheed, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the handling of certain unspecified headers containing non-ASCII characters. This may be exploited to execute arbitrary code by tricking a user into replying to a malicious message.
A vulnerability in OpenPGP can be used by attackers to recover partial plaintexts from messages employing symmetric encryption. Researchers Serge Mister and Robert Zuccherato of Entrust have developed a chosen-ciphertext attack method that can be used against OpenPGP messages encrypted using cipher feedback (CFB) mode. The attack takes advantage of an integrity check feature that is intended to save time by aborting futile and possibly lengthy decryption attempts.
Dmitry V. Levin has reported a vulnerability in LibTIFF, which potentially can be exploited by malicious people to compromise a user's system.
infamous41md discovered a problem in libtiff, the Tag Image File Format library for processing TIFF graphics files. Upon reading a TIFF file it is possible to allocate a zero sized buffer and write to it which would lead to the execution of arbitrary code.
We do not have much information about these vulnerabilites, so we can only provide some numbers:
32 segmentation fault fixes
38 incorrect buffer lenght calculation fixes
58 buffer overflow fixes
Joseph VanAndel reports that grip is vulnerability to a buffer overflow vulnerability when receiving more than 16 CDDB responses. This could lead to a crash in grip and potentially execution arbitrary code.
A workaround is to disable CDDB lookups.
Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv. Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the execution of arbitrary code.
Two iDEFENSE Security Advisories reports:
An exploitable stack-based buffer overflow condition exists when using NT Lan Manager (NTLM) authentication. The problem specifically exists within
Curl_input_ntlm()defined in lib/http_ntlm.c.Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using NTLM authentication.
Sylvain Defresne reports that libexif is vulnerable to a buffer overflow vulnerability due to insufficient input checking. This could lead crash of applications using libexif.
mlterm is vulnerable to an integer overflow that can be triggered by specifying a large image file as a background. An attacker can create a specially-crafted image file which, when used as a background by the victim, can lead to the execution of arbitrary code with the privileges of the user running mlterm.
Ulf Harnhammar wrote:
(1) There are buffer overflows when extracting, testing or listing specially prepared ACE archives.
(2) There are directory traversal bugs when extracting ACE archives.
(3) There are buffer overflows when dealing with long (>17000 characters) command line arguments.
When mod_auth_radius authenticates user against remote RADIUS server, it will send RADIUS packet with RADIUS_ACCESS_REQUEST code. Server can respond with RADIUS packet with RADIUS_ACCESS_CHALLENGE code. When mod_auth_radius gets RADIUS_ACCESS_CHALLENGE with attribute code set to RADIUS_STATE and another attribute code in same packet set to RADIUS_REPLY_MESSAGE, RADIUS server reply will be copied in the local buffer with function radcpy(). Size of the data to be copied in local buffer is taken from 'length' value of the packet attribute received from RADIUS server.
Midnight Commander contains several format string errors, buffer overflows and one buffer underflow leading to execution of arbitrary code. An attacker could exploit these vulnerabilities to execute arbitrary code with the permissions of the user running Midnight Commander or cause Denial of Service by freeing unallocated memory.
It has been discovered, that cpio, a program to manage archives of files, creates output files with -O and -F with broken permissions due to a reset zero umask which allows local users to read or overwrite those files.
Erik Sjolund discovered several issues in enscript. It suffers from several buffer overflows, quotes and shell escape characters are insufficiently sanitized in filenames, and it supported taking input from an arbitrary command pipe, with unwanted side effects.
Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could have been exploited to execute arbitrary code with the privileges of the user.
On 7th February 2005 I was notified of a number of potentially - compromised Full-Disclosure subscriber accounts. Following an investigation it appears that the Mailman configuration database was obtained from lists.netsys.com on 2nd January 2005 using a remote directory traversal exploit for a previously unpublished vulnerability in Mailman 2.1.5.
A problem has been discovered where it's possible to, under certain circumstance, perform a DOS (denial of service) attack against the Dante server, leading it to crash or become unable to provide service to clients. The problem was recently made public by a source unrelated to Inferno Nettverk.
Low privileged users can invoke the LOAD extension to load arbitrary libraries into the postgres process space.
A data URL (RCF 2397) containing an executable file may cause Opera to mislead the user. Opera's download dialog will in some cases say "Open with NOTEPAD.EXE". But clicking "Open" will run the executable.
Martin Joey
Schulze reports:
Max Vozeler discovered an integer overflow in the helper application camel-lock-helper which runs setuid root or setgid mail inside of Evolution, a free groupware suite. A local attacker can cause the setuid root helper to execute arbitrary code with elevated privileges via a malicious POP server.
A vulnerablility in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.
The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system.
1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.
2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.
infamous41md has reported two vulnerabilities in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Florian Weimer has discovered a cross-site scripting vulnerability in the error messages that are produced by Mailman.
By enticing a user to visiting a specially-crafted URL, an attacker can execute arbitrary script code running in the context of the victim's browser
CUPS includes xpdf code and therefore is vulnerable to the recent stack overflow issue, potentially resulting in the remote execution of arbitrary code.
The vulnerability specifically exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. The offending code can be found in the Decrypt::makeFileKey2 function.
The Debian Security Team reports:
Javier Fernandez-Sanguino Pena from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack and could also could unveil the contents of a temporary file which might contain sensitive information.
Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer included in multiple Unix and Linux distributions could allow for arbitrary code execution as the user viewing a PDF file.
The vulnerability specifically exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. The offending code can be found in the Decrypt::makeFileKey2 function in the source file xpdf/Decrypt.cc.
Yosef Klein and Limin Wang have found a buffer overflow vulnerability in unrtf that can allow an attacker to execute arbitrary code with the permissions of the user running unrtf, by running unrtf on a specially crafted rtf document.
Alexander Larsson reports that some versions of gnome-vfs contain a number of `extfs' scripts that do not properly validate user input. If an attacker can cause her victim to process a specially-crafted URI, arbitrary commands can be executed with the privileges of the victim.
Current versions of gnome-vfs2 do not support 'extfs' any more.
teTeX includes its own version of xpdf in order to link pdftex and is affected by the following xpdf vulnerability.
iDEFENSE reports:
Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file. The offending code can be found in the Gfx::doImage() function in the source file xpdf/Gfx.cc.
iDEFENSE, Ariel Berkman and the MPlayer development team found multiple vulnerabilities in MPlayer. These include potential heap overflows in Real RTSP and pnm streaming code, stack overflows in MMST streaming code and multiple buffer overflows in BMP demuxer and mp3lib code.
An iDEFENSE Security Advisory reports:
Remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow for execution of arbitrary code.
The vulnerability specifically exists in a the function mailListIsPdf(). This function checks if the input file is an email message containing a PDF. It unsafely copies user supplied data using strcat into a fixed sized buffer.
iDEFENSE reports:
Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file. The offending code can be found in the Gfx::doImage() function in the source file xpdf/Gfx.cc.
Secunia reports:
Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
Secunia reports:
Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files. The vulnerability is caused due to the filename and the "Content-Type" header not being sufficiently validated before being displayed in the file download dialog. This can be exploited to spoof file types in the download dialog by passing specially crafted "Content-Disposition" and "Content-Type" headers containing dots and ASCII character code 160.
Secunia Research has reported a vulnerability in Opera, which can be exploited by malicious people to spoof the content of websites. The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.
Secunia reports:
Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
A HexView security advisory reports:
When zip performs recursive folder compression, it does not check for the length of resulting path. If the path is too long, a buffer overflow occurs leading to stack corruption and segmentation fault. It is possible to exploit this vulnerability by embedding a shellcode in directory or file name. While the issue is not of primary concern for regular users, it can be critical for environments where zip archives are re-compressed automatically using Info-Zip application.
There is a buffer overflow vulnerability in getnickuserhost() function that is called when BNC is processing response from some IRC server. When BNC is connected to some IRC server, it will send 'USER' and 'NICK' command. Server response is at some point processed with getnickuserhost() function.
Chris Evans discovered several integer arithmetic overflows in the xpdf 2 and xpdf 3 code bases. The flaws have impacts ranging from denial-of-service to arbitrary code execution.
A directory-traversal issue exists in cabextract that could overwrite any file on the system when extracting a malicious cab file.
A parsing error exists in the SNMP module of Squid where a specially-crafted UDP packet can potentially cause the server to restart, closing all current connections.
From Gaim's security issue list:
Buffer overflow. memcpy(); was used without checking the size of the buffer before copying to it. Additionally, a logic flaw was causing the wrong buffer to be used as the destination for the copy under certain circumstances.
Remote crash. Gaim allocates a buffer for the payload of each message received based on the size field in the header of the message. A malicious peer could specify an invalid size that exceeds the amount of available memory.
Remote crash. After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire filesize, this allocation attempt will cause Gaim to crash if the size exceeds the amount of available memory.
A flaw exists in the input parsing of BNC where part of the sbuf_getmsg() function handles the backspace character incorrectly. A remote user could issue commands using fake authentication credentials and possibly gain access to scripts running on the client side.
It is possible to execute remote code simply using HTTP request plus 31 headers followed by a shellcode that will be executed directly.
The Cyrus SASL library, libsasl, contains functions which may load dynamic libraries. These libraries may be loaded from the path specified by the environmental variable SASL_PATH, which in some situations may be fully controlled by a local attacker. Thus, if a set-user-ID application (such as chsh) utilizes libsasl, it may be possible for a local attacker to gain superuser privileges.
According to a KDE Security Advisory:
WESTPOINT internet reconnaissance services alerted the KDE security team that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains.
Web sites operating under the affected domains can set HTTP cookies in such a way that the Konqueror web browser will send them to all other web sites operating under the same domain. A malicious website can use this as part of a session fixation attack. See e.g. http://www.acros.si/papers/session_fixation.pdf
Affected are all country specific secondary top level domains that use more than 2 characters in the secondary part of the domain name and that use a secondary part other than com, net, mil, org, gov, edu or int. Examples of affected domains are .ltd.uk, .plc.uk and .firm.in
It should be noted that popular domains such as .co.uk, .co.in and .com are NOT affected.
Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method.
Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session.
There is a path-sanitizing bug that affects daemon, but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxilliary files to be read or written.
The log functions in jftpgw may allow remotely authenticated user to execute arbitrary code via the format string specifiers in certain syslog messages.
Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).
Ulf Harnhammar discovered two buffer overflows in SoX. They occur when the sox or play commands handle malicious .WAV files.
A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. The default setting for this parameter is "mangling method = hash2" and therefore not vulnerable.
During a reaudit of the memory_limit problematic it was discovered that it is possible for a remote attacker to trigger the memory_limit request termination in places where an interruption is unsafe. This can be abused to execute arbitrary code on remote PHP servers.
A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites. The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window. Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.
The starting offsets for the loops are calculated incorrectly which may cause a buffer overrun beyond the beginning of the row buffer. This will allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.
Mailman contains an unspecified vulnerability in the handling of request emails. By sending a carefully crafted email request to the mailman server an attacker could obtain member passwords.
A possible denial of service when the max number of connection is reached existed in versions prior to 1.0.19.
aspell includes a utility for handling wordlists called word-list-compress. This utility fails to do proper bounds checking when processing words longer than 256 bytes. If an attacker could entice a user to handle a wordlist containing very long word lengths it could result in the execution of arbitrary code with the permissions of the user running the program.
The telnet URI handler in Opera does not check for leading '-' characters in the host name. Consequently, a maliciously-crafted telnet:// link may be able to pass options to the telnet program itself. For example telnet://-nMyFile. If MyFile exists in the user's home directory and the user clicking on the link has write permissions to it, the contents of the file will be overwritten with the output of the telnet trace information. If MyFile does not exist, the file will be created in the user's home directory.
Stefan Esser reports:
A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon.
The vulnerability is in the function ne_rfc1036_parse, which is in turn used by the function ne_httpdate_parse. Applications using either of these neon functions may be vulnerable. This update is needed because the cadaver port uses an included version of libneon.
Stefan Esser reports:
A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon.
The vulnerability is in the function ne_rfc1036_parse, which is in turn used by the function ne_httpdate_parse. Applications using either of these neon functions may be vulnerable.
A remote exploitable buffer overflow has been discovered in exim when verify = header_syntax is used in the configuration file. This does not affect the default configuration.
Multiple vulnerabilities have being found and fixed in the Real-Time Streaming Protocol (RTSP) client for RealNetworks servers, including a series of potentially remotely exploitable buffer overflows. Arbitrary remote code execution maybe possilbe under the user ID running the player when playing Real RTSP streams.
Ulf Harnhammar discovered several vulnerabilities in LHa for UNIX's path name handling code. Specially constructed archive files may cause LHa to overwrite files or execute arbitrary code with the privileges of the user invoking LHa. This could be particularly harmful for automated systems that might handle archives such as virus scanning processes.
Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid "games".
Steve Grubb reports a buffer read overrun in libpng's png_format_buffer function. A specially constructed PNG image processed by an application using libpng may trigger the buffer read overrun and possibly result in an application crash.
Greuff reports that the neon WebDAV client library contains several format string bugs within error reporting code. A malicious server may exploit these bugs by sending specially crafted PROPFIND or PROPPATCH responses.
Shaun Colley reports that the script `mysqlbug' included with MySQL sometimes creates temporary files in an unsafe manner. As a result, an attacker may create a symlink in /tmp so that if another user invokes `mysqlbug' and quits without making any changes, an arbitrary file may be overwritten with the bug report template.
Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver.
Three vulnerabilities were found in Monit during a simple code review. All of the vulnerabilities are in Monit's HTTP/HTTPS administration interfaces, and as such can only be exploited if the interface is enabled and accessible. Two of the vulnerabilities lie in the Basic authentication code, while one vulnerability lies in the processing of POST requests.
A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may occur. A `visit' might be caused by social engineering, or a malicious web server could use HTTP redirects which MPlayer would then process.
From the Squid advisory:
Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.