Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.32-4locris1
  • Unaffected: 2.6.32-4locris2

Three vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

  1. A vulnerability is caused due to a NULL-pointer dereference error within the “cifs_create()” function in fs/cifs/dir.c. This can be exploited to cause a crash when a file without an associated “nameidata” structure is created.
  2. The mandatory-locking check in the GFS/GFS2 locking code skipped the lock when the sgid bit is set on the file. This can be triggered to cause a crash on a system mounting a GFS/GFS2 filesystem.
  3. The vulnerability is caused due to a memory leak within the “release_one_tty()” function in drivers/char/tty_io.c, which can be exploited to e.g. cause a DoS due to memory exhaustion.

CVEs:

cacti

  • Author: Miklos Vajna
  • Vulnerable: 0.8.7e-1
  • Unaffected: 0.8.7e-2locris1

A vulnerability has been reported in Cacti, which can be exploited by malicious users to conduct SQL injection attacks. Input passed via the “export_item_id” parameter to templates_export.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that the attacker is allowed to export templates.

CVEs:

nano

  • Author: Miklos Vajna
  • Vulnerable: 2.0.9-1
  • Unaffected: 2.0.9-2locris1

Some security issues have been reported in GNU nano, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

  1. The application does not properly verify if the file currently being edited has been changed outside the context of the current editing session before writing to it, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.
  2. A race condition exists when creating backup files, which can be exploited to take the ownership of arbitrary files via e.g. symlink attacks. Successful exploitation requires that the victim is tricked into editing files owned by the attacker and that the backup functionality is enabled.

CVEs:

polkit

  • Author: Miklos Vajna
  • Vulnerable: 0.96-2
  • Unaffected: 0.96-3locris1

A weakness has been reported in PolicyKit, which can be exploited by malicious, local users to disclose certain system information. The weakness is caused due to the “pkexec” utility returning different results depending on the existence of files, which can be exploited to e.g. determine if a file exists in a restricted directory.

CVEs:

memcached

  • Author: Miklos Vajna
  • Vulnerable: 1.4.2-1
  • Unaffected: 1.4.5-1locris1

A weakness has been reported in memcached, which can be exploited by malicious, local users to potentially cause a DoS (Denial of Service). The weakness is caused due to the application improperly handling received TCP data. This can be exploited to consume large amounts of memory and temporarily hang or potentially crash an affected server by sending an overly large number of bytes without a terminating newline (’\n’) character to TCP port 11211.
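The failure mode above is a line-oriented protocol reader that keeps buffering until it sees a newline. As an added illustration (not memcached's code), the reader below caps how many bytes may be held without a terminator and signals the caller to drop the connection instead; the 2048-byte cap and the sample command lines are constructed assumptions.

```python
MAX_LINE = 2048  # assumed cap on one command line; memcached's own limit is not stated on the page


class OversizedLineError(ValueError):
    """Raised when a peer has sent more than max_line bytes without a newline."""


class BoundedLineReader:
    """Accumulates TCP data and hands back complete, newline-terminated lines."""

    def __init__(self, max_line: int = MAX_LINE) -> None:
        self.max_line = max_line
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Append received bytes and return every complete line found.

        The unterminated remainder is never allowed to grow past max_line, so a
        client streaming bytes with no '\\n' is rejected instead of exhausting memory.
        """
        self._buf += data
        lines = []
        while True:
            idx = self._buf.find(b"\n")
            if idx == -1:
                break
            line = bytes(self._buf[:idx]).rstrip(b"\r")  # tolerate CRLF line endings
            del self._buf[:idx + 1]
            if len(line) > self.max_line:
                raise OversizedLineError("command line of %d bytes exceeds cap" % len(line))
            lines.append(line)
        if len(self._buf) > self.max_line:
            # Partial line already larger than any legitimate command: refuse to buffer further.
            raise OversizedLineError("%d bytes buffered without a newline" % len(self._buf))
        return lines

    def pending(self) -> int:
        """Bytes currently held waiting for a terminator (always <= max_line after feed())."""
        return len(self._buf)


if __name__ == "__main__":
    reader = BoundedLineReader(max_line=64)
    print(reader.feed(b"get foo\r\nset bar 0 0 3\r\n"))  # constructed, well-formed commands
    try:
        reader.feed(b"A" * 100)  # constructed oversized blob with no newline
    except OversizedLineError as exc:
        print("rejected:", exc)
```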

glibc

  • Author: Miklos Vajna
  • Vulnerable: 2.11.1-1
  • Unaffected: 2.11.1-2locris1

Dan Rosenberg reported two security issues in glibc:

  1. “ncpmount” and “mount.cifs” failed to properly sanitize provided mountpoint directory names (specifically, special characters such as newlines were not stripped). An attacker could create a directory with newline characters in its name and issue an ncpmount / mount.cifs command to mount to that directory, allowing them to corrupt /etc/mtab and potentially add unauthorized mounting options for other devices.
  2. A memory corruption vulnerability in ld.so: When processing maliciously crafted ELF binaries using ld.so, regardless of whether execution of those binaries is intended (for example, using the “--verify” flag, which should not lead to any code execution), arbitrary code execution can be achieved.

CVEs:

j2sdk

  • Author: Miklos Vajna
  • Vulnerable: 6-22locris1
  • Unaffected: 6-23locris1

A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to an input sanitisation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context. Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

sudo

  • Author: Miklos Vajna
  • Vulnerable: 1.7.2-3
  • Unaffected: 1.7.2-4locris1

A security issue has been reported in sudo, which can be exploited by malicious, local users to gain escalated privileges. The security issue is caused due to an error within the command matching functionality, which can be exploited to run a “sudoedit” executable within the current working directory. Successful exploitation may allow the execution of arbitrary code with escalated privileges, but requires that the attacker is allowed to use sudo’s “sudoedit” pseudo-command, that the PATH environment variable contains “.” while the directories do not contain any other “sudoedit” executable, and that the “ignore_dot” or “secure_path” options are disabled.
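The preconditions listed above are all configuration state, so an administrator can audit for them. The check below is an added example, not part of the advisory or of sudo: it flags a PATH that searches the current directory (a “.” or empty entry) and reads `ignore_dot` / `secure_path` from `Defaults` lines of a sudoers file. The sudoers parser is a constructed simplification, and because the compile-time defaults for these options are not stated on the page, an option that is not set explicitly is conservatively treated as disabled.

```python
def path_has_cwd(path_env: str) -> bool:
    """True if a '.' entry or an empty entry (leading, trailing or doubled ':') is in PATH."""
    return any(entry in ("", ".") for entry in path_env.split(":"))


def sudoers_defaults(sudoers_text: str) -> dict:
    """Extract ignore_dot and secure_path from 'Defaults' lines (simplified, assumed syntax)."""
    found = {"ignore_dot": None, "secure_path": None}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)  # 'Defaults', 'Defaults:user', 'Defaults@host', ...
        if len(parts) < 2:
            continue
        for opt in (o.strip() for o in parts[1].split(",")):
            if opt == "ignore_dot":
                found["ignore_dot"] = True
            elif opt == "!ignore_dot":
                found["ignore_dot"] = False
            elif opt == "!secure_path":
                found["secure_path"] = None
            elif opt.startswith("secure_path") and "=" in opt:
                found["secure_path"] = opt.split("=", 1)[1].strip().strip('"')
    return found


def sudoedit_path_risk(path_env: str, sudoers_text: str) -> dict:
    """Report whether the PATH / sudoers combination matches the advisory's preconditions."""
    defaults = sudoers_defaults(sudoers_text)
    cwd_in_path = path_has_cwd(path_env)
    ignore_dot = defaults["ignore_dot"] is True
    secure_path = defaults["secure_path"]
    secure_path_ok = secure_path is not None and not path_has_cwd(secure_path)
    return {
        "cwd_in_path": cwd_in_path,
        "ignore_dot": ignore_dot,
        "secure_path": secure_path_ok,
        # Risky only when the cwd is searched and neither mitigation is in force.
        "at_risk": cwd_in_path and not (ignore_dot or secure_path_ok),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not a real host's configuration.
    print(sudoedit_path_risk(".:/usr/bin:/bin", "Defaults env_reset\n"))
    print(sudoedit_path_risk("/usr/bin:.", 'Defaults secure_path="/usr/sbin:/usr/bin:/bin"\n'))
```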

kdebase-workspace

  • Author: Miklos Vajna
  • Vulnerable: 4.3.5-7
  • Unaffected: 4.3.5-8locris1

A security issue has been reported in KDE, which can be exploited by malicious, local users to gain escalated privileges. The security issue is caused due to a race condition within KDM when creating the control socket during a user login. This can be exploited to change the access permissions of arbitrary files to world-writable, which can be leveraged to e.g. execute arbitrary code with escalated privileges.

drupal-views

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.6-1
  • Unaffected: 5.x_1.7-1locris1

A vulnerability has been reported in the Views module for Drupal, which can be exploited by malicious users to compromise a vulnerable system. Certain unspecified input is not properly sanitised before being used to import views. This can be exploited to execute arbitrary PHP code. Successful exploitation requires “administer views” permissions.

CVEs: