Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

acroread

  • Author: Miklos Vajna
  • Vulnerable: 8.1.2-1
  • Unaffected: 8.1.3-1solaria1

Multiple vulnerabilities have been reported in Adobe Reader/Acrobat, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a user’s system.

  1. A boundary error exists when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. This can be exploited to cause a stack-based buffer overflow via a specially crafted PDF and allows execution of arbitrary code.
  2. An out-of-bounds array indexing error when parsing embedded Type 1 fonts can be exploited to corrupt memory and may allow execution of arbitrary code.
  3. An error in an AcroJS function used to perform HTTP authentication can be exploited to corrupt memory via an overly long string passed to the function. This may allow execution of arbitrary code.
  4. An error when creating a Collab object and performing a specific sequence of actions on it can be exploited to corrupt memory. This may allow execution of arbitrary code.
  5. An unspecified error when parsing malformed PDF objects can be exploited to corrupt memory, which may allow execution of arbitrary code.
  6. An input validation error in the Download Manager used by Adobe Reader may allow code execution during the download process.
  7. An error in the Download Manager used by Adobe Reader may result in a user’s Internet Security options being changed during the download process.
  8. An input validation error in a JavaScript method may allow code execution.
  9. An unspecified privilege escalation vulnerability exists in the version for UNIX/Linux.

cups

  • Author: Miklos Vajna
  • Vulnerable: 1.3.8-1
  • Unaffected: 1.3.9-1solaria1

Some vulnerabilities have been reported in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system.

  1. Two boundary errors exist in the implementation of the HP-GL/2 filter. These can be exploited to cause buffer overflows via HP-GL/2 files containing overly large pen numbers.
  2. A boundary error exists within the “read_rle16()” function when processing SGI (Silicon Graphics Image) files. This can be exploited to cause a heap-based buffer overflow via a specially crafted SGI file.
  3. An integer overflow error exists within the “WriteProlog()” function included in the “texttops” utility. This can be exploited to cause a heap-based buffer overflow via a specially crafted file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

net-snmp

  • Author: Miklos Vajna
  • Vulnerable: 5.4.1.2-1
  • Unaffected: 5.4.2.1solaria1-1

A vulnerability has been reported in Net-snmp, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an integer overflow error within the “netsnmp_create_subtree_cache()” function in agent/snmp_agent.c. This can be exploited to cause a crash via a specially crafted SNMP GETBULK request.

opensc

  • Author: Miklos Vajna
  • Vulnerable: 0.11.5-1
  • Unaffected: 0.11.6-1solaria1

A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused by the application improperly setting the ADMIN file control information to “00” while initializing smart cards having a Siemens CardOS M4 operating system. This can be exploited to change a user PIN code without having the PIN or PUK if the smart card was initialized with OpenSC.

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.11-1solaria1
  • Unaffected: 5.12-1solaria1

A vulnerability has been reported in Drupal, which can potentially be exploited by malicious, local users to gain escalated privileges. Input passed to unspecified parameters is not properly verified before being used to include files. This can be exploited to include specially named files from local resources and potentially escalate privileges. Successful exploitation requires that the web server is configured to use virtual hosts.

drupal-cck

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.10-1solaria1
  • Unaffected: 5.x_1.9-1

Some vulnerabilities have been reported in the Drupal Content Construction Kit (CCK), which can be exploited by malicious users to conduct script insertion attacks. Input passed to unspecified field labels and “content-type” names is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires “administer content” privileges.

drupal6

  • Author: Miklos Vajna
  • Vulnerable: 6.5-1solaria1
  • Unaffected: 6.6-1solaria1

Two vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed as book page titles is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected site when the malicious data is viewed. For more info about the other issue, see FSA548. Successful exploitation requires valid user credentials with the “create book content” permission or the permission to edit book nodes.

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 2.11.9.2-1solaria1
  • Unaffected: 2.11.9.3-1solaria1

Hadi Kiamarsi has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “db” parameter in pmd_pdf.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation may require that the victim has valid user credentials.