Frugalware Security Announcements (FSAs)

• Vulnerable: 1.1.22-2kalgan1
• Unaffected: 1.1.22-2kalgan2

Chris Evans has reported some vulnerabilities in libxslt, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerabilities are caused due to boundary errors within crypto.c when handling the XSLT “crypto:rc4_encrypt” and “crypto:rc4_decrypt” functions. This can be exploited to cause a heap-based buffer overflow via a specially crafted stylesheet.

• Bug Tracker URL: http://bugs.frugalware.org/task/3285

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935

• Vulnerable: 2.1pre33-1
• Unaffected: 2.1-1kalgan1

Unspecified vulnerability in Links before 2.1, when “only proxies” is enabled, has unknown impact and attack vectors related to providing “URLs to external programs.”

• Bug Tracker URL: http://bugs.frugalware.org/task/3272

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3329

• Vulnerable: 2.5.2-2kalgan1
• Unaffected: 2.5.2-2kalgan2

Some vulnerabilities have been reported in Python, where some have unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

1. Various integer overflow errors exist in core modules e.g. stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
2. An integer overflow in the hashlib module can lead to an unreliable cryptographic digest results.
3. Integer overflow errors in the processing of unicode strings can be exploited to cause buffer overflows on 32-bit systems.
4. An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not have a “vsnprintf()” function.
5. An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings can lead to memory corruption. Successful exploitation of some of these vulnerabilities may allow to crash an application or to execute arbitrary code, but depends on the implementation of an Python application.

• Bug Tracker URL: http://bugs.frugalware.org/task/3286

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142

• Vulnerable: 1.8.6-4
• Unaffected: 1.8.6-5kalgan1

Some vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks.

1. Multiple errors in the implementation of safe level restrictions can be exploited to call “untrace_var()”, perform syslog operations, and modify “$PROGRAM_NAME” at safe level 4, or call insecure methods at safe levels 1 through 3.
2. An error exists in the usage of regular expressions in “WEBrick::HTTPUtils.split_header_value()”. This can be exploited to consume large amounts of CPU via a specially crafted HTTP request.
3. An error in “DL” can be exploited to bypass security restrictions and call potentially dangerous functions.
4. The vulnerability is caused due to resolv.rb not sufficiently randomising the DNS query port number, which can be exploited to poison the DNS cache.

• Bug Tracker URL: http://bugs.frugalware.org/task/3300

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3443

• Vulnerable: 1.4.8-2
• Unaffected: 1.4.10-1kalgan1

A security issue has been reported in Amarok, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to the “MagnatuneBrowser::listDownloadComplete()” function handling temporary files in an insecure manner. This can be exploited via symlink attacks in combination with a race condition to overwrite arbitrary files with the privileges of the user running the application.

• Vulnerable: 2.0.0.14-1kalgan1
• Unaffected: 2.0.0.15-1kalgan1

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, disclose sensitive information, or potentially compromise a user’s system.

1. Multiple errors in the layout and JavaScript engines can be exploited to corrupt memory.
2. An error in the handling of unprivileged XUL documents can be exploited to load Chrome scripts from a “fastload” file via “script” elements.
3. An error in the “mozIJSSubScriptLoader.LoadScript()” function can be exploited to bypass XPCNativeWrappers and run arbitrary code with Chrome privileges. Successful exploitation requires that an add-on using the affected function is installed.
4. An error in the block reflow process can be exploited to cause a crash or potentially execute arbitrary code.
5. An error in the processing of file URLs contained within local directory listings can potentially be exploited to execute malicious JavaScript content.
6. Multiple errors in the implementation of the JavaScript same origin policy can be exploited to execute arbitrary script code in the context of a different domain.
7. Multiple errors in the verification of signed JAR files can be exploited to execute arbitrary JavaScript code with the privileges of the JAR’s signer.
8. An error in the implementation of file upload forms can be exploited to upload arbitrary local files to a remote webserver via specially crafted “DOM Range” and “originalTarget” elements.
9. An error in the Java LiveConnect implementation on Mac OS X can be exploited to establish arbitrary socket connections.
10. An uninitialized memory access in the processing of improperly encoded “.properties” files can potentially be exploited to disclose sensitive memory via an add-on using the malformed file.
11. An error in the processing of “Alt Names” provided by “peer” trusted certificates can be exploited to conduct spoofing attacks.
12. An error in the processing of Windows URL shortcuts can be exploited to run a remote site as a local file.

• Bug Tracker URL: http://bugs.frugalware.org/task/3202

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2806
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811

• Vulnerable: 1.5.4.3-1
• Unaffected: 1.5.6.4-1kalgan1

Stack-based buffer overflow in the (1) diff_addremove and (2) diff_change functions in GIT before 1.5.6.4 might allow local users to execute arbitrary code via a PATH whose length is larger than the system’s PATH_MAX when running GIT utilities such as git-diff or git-grep.

• Bug Tracker URL: http://bugs.frugalware.org/task/3305

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3546

• Vulnerable: 2.9.21-3
• Unaffected: 2.9.21.1-1kalgan1

A weakness has been reported in PowerDNS, which can be exploited by malicious people to conduct spoofing attacks. The weakness is caused due to the server dropping DNS queries for invalid DNS records within a valid domain. This can be exploited to facilitate the spoofing of the valid domain on third-party DNS servers.

• Bug Tracker URL: http://bugs.frugalware.org/task/3309

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3337

• Vulnerable: 2.0.0.14-1kalgan1
• Unaffected: 2.0.0.16-1kalgan1

Some vulnerabilities have been reported in Mozilla Thunderbird, which potentially can be exploited by malicious people to compromise a user’s system. For more information, see FSA509

• Bug Tracker URL: http://bugs.frugalware.org/task/3206

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811

• Vulnerable: 5.9-1kalgan1
• Unaffected: 5.10-1kalgan1

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system, and by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

1. Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
2. A vulnerability is caused by the fact that the private filesystem uses the MIME media type it receives from the web browser when handling uploads. This can be exploited for script insertion attacks. Successful exploitation of this vulnerability requires valid user credentials with the right to upload files.
3. A vulnerability is caused due to missing restrictions on what file types that users are allowed to upload in the BlogAPI module. This can be exploited to e.g. execute arbitrary PHP code. Successful exploitation of this vulnerability requires valid user credentials with the “administer content with blog api” permission.
4. A vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to add or delete user access rules, by enticing a logged-in user to visit a malicious web page.

• Bug Tracker URL: http://bugs.frugalware.org/task/3299

CVEs:

• There is no CVE for this issue yet, see http://drupal.org/node/295053