Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

xar

  • Author: Miklos Vajna
  • Vulnerable: 1.5.2-1
  • Unaffected: 1.5.2-2locris1

Braden Thomas from Apple has discovered a signature verification bypass issue in xar. The issue is that xar_open assumes that the checksum is stored at offset 0, but xar_signature_copy_signed_data uses xar property “checksum/offset” to find the offset to the checksum when validating the signature. As a result, a modified xar archive can pass signature validation by putting the checksum for the modified TOC at offset 0, pointing “checksum/offset” at the non-modified checksum at a higher offset, and using the original non-modified signature.
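The mismatch described above, reduced to a toy model (an added example, not xar's code and not the upstream fix): two verification steps read the checksum from different offsets, next to a verifier that makes both steps use the same bytes. The dict-based archive layout, the HMAC standing in for the real signature, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the signer's key (assumption)
DIGEST_LEN = hashlib.sha1().digest_size


def sign(data: bytes) -> bytes:
    # HMAC stands in for the archive's real public-key signature.
    return hmac.new(KEY, data, hashlib.sha256).digest()


def make_archive(toc: bytes) -> dict:
    """Build a well-formed toy archive: checksum at heap offset 0, signed."""
    checksum = hashlib.sha1(toc).digest()
    return {"toc": toc, "checksum_offset": 0, "heap": checksum,
            "signature": sign(checksum)}


def heap_read(ar: dict, offset: int) -> bytes:
    return ar["heap"][offset:offset + DIGEST_LEN]


def verify_inconsistent(ar: dict) -> bool:
    """Flawed pattern: the open-time check reads offset 0, the signature
    check reads the offset named by the archive's own property."""
    toc_ok = hmac.compare_digest(heap_read(ar, 0), hashlib.sha1(ar["toc"]).digest())
    signed = heap_read(ar, ar["checksum_offset"])
    return toc_ok and hmac.compare_digest(sign(signed), ar["signature"])


def verify_consistent(ar: dict) -> bool:
    """Hardened: the bytes compared with the TOC hash are the same bytes
    the signature covers, and a non-zero offset is rejected outright."""
    if ar["checksum_offset"] != 0:
        return False
    checksum = heap_read(ar, 0)
    toc_ok = hmac.compare_digest(checksum, hashlib.sha1(ar["toc"]).digest())
    return toc_ok and hmac.compare_digest(sign(checksum), ar["signature"])


def tampered_sample() -> dict:
    """Constructed sample laid out as the advisory describes."""
    good = make_archive(b"<toc>original</toc>")
    bad_toc = b"<toc>modified</toc>"
    return {"toc": bad_toc, "checksum_offset": DIGEST_LEN,
            "heap": hashlib.sha1(bad_toc).digest() + good["heap"],
            "signature": good["signature"]}
```

The general point for any signed container: the value that is integrity-checked and the value that is signed must be read through a single code path, never located twice by independent means.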

drupal-link

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.5-1
  • Unaffected: 5.x_2.6-1getorin1

A vulnerability has been reported in the Link module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed via the link title parameter, when using the “Separate title and URL” format, is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

drupal-webform

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.7-1
  • Unaffected: 5.x_2.8-1getorin1

Some vulnerabilities have been reported in the Webform module for Drupal, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to disclose potentially sensitive information.

  1. Input passed to field labels while creating new webforms is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires permissions to create webforms.
  2. An error in the handling of cached pages can be exploited to disclose session variables when caching is enabled.

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.2.0.1-1
  • Unaffected: 3.2.2.1-1getorin1

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.

  1. Input used as the MySQL table name is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.
  2. Input passed to various parameters of the PDF schema generator feature is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.2-1getorin1
  • Unaffected: 1.2.3-1getorin1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. An alignment error within the “dissect_paltalk()” function in epan/dissectors/packet-paltalk.c of the Paltalk dissector can be exploited to cause a crash. Note: Successful exploitation requires that Wireshark is running on an alignment sensitive architecture.
  2. A NULL pointer dereference error within the DCERPC/NT dissector can be exploited to cause a crash.
  3. An off-by-one error within the “dissect_negprot_response()” function in epan/dissectors/packet-smb.c of the SMB dissector can be exploited to cause a crash.
  4. An error within the RADIUS dissector can be exploited to cause a crash.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.3-1getorin1
  • Unaffected: 1.2.5-1getorin1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user’s system.

  1. A boundary error in the Daintree SNA file parser can be exploited to cause a buffer overflow via a specially crafted capture file. Successful exploitation may allow execution of arbitrary code.
  2. An error in the IPMI dissector on Windows can be exploited to cause a crash.
  3. An error in the SMB and SMB2 dissectors can be exploited to cause a crash.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.5-1getorin1
  • Unaffected: 1.2.6-1getorin1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user’s system. The vulnerabilities are caused by errors within the LWRES dissector, which can be exploited to cause, for example, a stack-based buffer overflow via a specially crafted network packet or by tricking a user into loading a specially crafted capture file. Successful exploitation allows execution of arbitrary code.