Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

drupal6-i18n

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.3-1locris1
  • Unaffected: 6.x_1.4-1locris1

Some vulnerabilities have been reported in the Internationalization module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

  1. Certain input passed to translating blocks is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.
  2. Certain unspecified input is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation requires “translate interface” or “administer blocks” permissions.

CVEs:

drupal6-views

  • Author: Miklos Vajna
  • Vulnerable: 6.x_2.8-1
  • Unaffected: 6.x_2.10-1locris1

A vulnerability has been reported in the Views module for Drupal, which can be exploited by malicious users to compromise a vulnerable system. Certain unspecified input is not properly sanitised before being used to import views. This can be exploited to execute arbitrary PHP code. Successful exploitation requires “administer views” permissions.

CVEs:

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.32-3
  • Unaffected: 2.6.32-4locris1

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the ReiserFS file system implementation not properly restricting access to the “.reiserfs_priv” directory, which can be exploited to e.g. gain root privileges by modifying ACLs or extended attributes. Successful exploitation requires that the ReiserFS file system is used.

mediawiki

  • Author: Miklos Vajna
  • Vulnerable: 1.15.1-1
  • Unaffected: 1.15.1-2locris1

A vulnerability has been reported in MediaWiki, which can be exploited by malicious users to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. force a victim into executing malicious JavaScript. Successful exploitation requires “$wgAllowUserJs” to be set to “true” in LocalSettings.php.

tetex

  • Author: Miklos Vajna
  • Vulnerable: 3.0-18
  • Unaffected: 3.0-19locris1

Marc Schoenefeld found an integer overflow in the way the TeX text formatting system processed special commands. If a user was tricked into processing a specially crafted typesetter-independent .dvi (DeVice Independent) file, it could lead to a crash of the dvips executable or, potentially, to arbitrary code execution with the privileges of the user running dvips.

CVEs:

firefox

  • Author: Miklos Vajna
  • Vulnerable: 3.6.2-1locris1
  • Unaffected: 3.6.3-1locris1

A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a use-after-free error when moving DOM nodes between documents and can be exploited via a specially crafted web page. Successful exploitation allows execution of arbitrary code.

CVEs:

j2sdk

  • Author: Miklos Vajna
  • Vulnerable: 6-21
  • Unaffected: 6-22locris1

Multiple vulnerabilities have been reported in Sun Java, where some have an unknown impact and others can be exploited by malicious people to manipulate certain data, disclose potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

  1. An error in the implementation of the “HeadspaceSoundbank” class can be exploited to cause a stack-based buffer overflow via a crafted Soundbank file with an overly long name.
  2. An error in the implementation of the “HeadspaceSoundbank” class can be exploited to cause a heap-based buffer overflow via a crafted Soundbank file with an overly long record.
  3. An input validation error in the processing of image files can be exploited to cause a heap-based buffer overflow, e.g. if a user visits a web page containing a specially crafted Java applet. Successful exploitation of these vulnerabilities allows execution of arbitrary code.
  4. Unspecified vulnerabilities exist in the ImageIO, Java 2D, Java Runtime Environment, Java Web Start, Java Plug-in, Pack200, Sound, and HotSpot Server components.
  5. An error in the JSSE component while handling TLS session re-negotiations can be exploited to manipulate certain data.
  6. An unspecified error in the Java Web Start, Java Plug-in component can be exploited to manipulate certain data or cause a DoS.
  7. Two unspecified errors in the Java Runtime Environment can be exploited to disclose unspecified information.
  8. An unspecified error in the Java Web Start, Java Plug-in component can be exploited to cause a DoS.

CVEs:

php

  • Author: Miklos Vajna
  • Vulnerable: 5.3.1-2
  • Unaffected: 5.3.2-1locris1

Two vulnerabilities have been reported in PHP, which can be exploited by malicious users to bypass certain security restrictions.

  1. An error in the session extension can be exploited to bypass the “safe_mode” and “open_basedir” feature.
  2. A validation error exists within the “tempnam()” function, which can be exploited to bypass the “safe_mode” feature. A NULL pointer dereference has been reported in the xmlrpc extension, in a call to estrdup(). This bug can at least be used to perform DoS attacks.

CVEs:

amsn

  • Author: Miklos Vajna
  • Vulnerable: 0.98.1-1
  • Unaffected: 0.98.1-2locris1

Gabriel Menezes Nunes has discovered a security issue in aMSN, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to the application improperly verifying the validity of the SSL certificate presented when logging in. This can be exploited to spoof a valid server and obtain the user’s MSN username and password via e.g. a man-in-the-middle attack.

curl

  • Author: Miklos Vajna
  • Vulnerable: 7.19.7-1
  • Unaffected: 7.19.7-2locris1

A security issue has been reported in cURL / libcURL, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library. The security issue is caused due to an error when returning data to the registered callback function for downloading compressed content over HTTP. The library may send back up to 64Kb of data to the callback function, exceeding the documented maximum data size of 16Kb (CURL_MAX_WRITE_SIZE). This can potentially lead to buffer overflows in client applications.