Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

phpmyadmin

  • Vulnerable: 2.11.7.1-1kalgan1
  • Unaffected: 2.11.8.1-1kalgan1

Aung Khant has reported two vulnerabilities in phpMyAdmin, which can be exploited by malicious local users to conduct cross-site scripting attacks, and by malicious people to conduct spoofing attacks.

  1. Many scripts except for index.php do not check if they are linked into another site’s frames. This can potentially be used for spoofing and phishing attacks.

  2. Input from the config/config.inc.php configuration file to scripts/setup.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

postfix

  • Vulnerable: 2.4.6-1
  • Unaffected: 2.4.7-1kalgan1

Sebastian Krahmer has reported some security issues in Postfix, which can be exploited by malicious local users to disclose potentially sensitive information and perform certain actions with escalated privileges.

  1. A security issue is caused due to Postfix incorrectly handling symlink files. This can be exploited to e.g. append mail messages to arbitrary files by creating a hardlink to a symlink owned by the root user. Successful exploitation requires write permission to the mail spool directory, that there is no “root” mailbox, and users can create a hardlink to a symlink (e.g. Linux 2.x, Solaris, Irix 6.5).
  2. A security issue is caused due to Postfix not correctly checking the ownership of the destination when delivering email. This can be exploited to e.g. disclose emails by creating an insecure mailbox file for other users. Successful exploitation requires permission to create files within the mail spool directory.

CVEs:

mantis

  • Vulnerable: 1.1.1-1
  • Unaffected: 1.1.2-1kalgan1

Some vulnerabilities have been reported in Mantis, which can be exploited by malicious users to compromise a vulnerable system and malicious people to conduct cross-site scripting and request forgery attacks.

  1. Input passed to the “filter_target” parameter in return_dynamic_filters.php is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. A vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add a new user with administrative privileges by enticing a logged-in administrator to visit a malicious site.
  3. Input passed to the “value” parameter in adm_config_set.php is not properly sanitised before being used in an “eval()” statement. This can be exploited to e.g. execute arbitrary PHP commands via a specially crafted request. Successful exploitation requires administrator access, but see vulnerability #2.
  4. Input passed to the “language” parameter in account_prefs_update.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

CVEs:

byacc

  • Vulnerable: 1.9-1
  • Unaffected: 1.9-2kalgan1

Otto Moerbeck has reported the following potential out-of-bounds access to the allocated stack in the yacc binary:

Fix a venerable bug: if we’re reducing a rule that has an empty right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action. Detected by my new malloc.

checkinstall

  • Vulnerable: 1.6.1-1
  • Unaffected: 1.6.1-2kalgan1

Two security issues have been reported in CheckInstall, which can be exploited by malicious local users to perform certain actions with escalated privileges. The security issues are caused due to the “checkinstall” and “installwatch” scripts creating directories in an insecure manner. This can potentially be exploited via symlink attacks to delete or modify arbitrary files with the privileges of the user running the affected scripts.

CVEs:

ffmpeg

  • Vulnerable: 20070422-3
  • Unaffected: 20070422-4kalgan1

A vulnerability has been reported in FFmpeg, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a boundary error within the “str_read_packet()” function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file.

CVEs:

openldap

  • Vulnerable: 2.3.41-1
  • Unaffected: 2.3.43-1kalgan1

A vulnerability has been reported in OpenLDAP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the “ber_get_next()” function in libraries/liblber/io.c. This can be exploited to trigger an “assert()” and terminate the “slapd” process via a specially crafted ASN.1 BER encoded packet.

CVEs:

perl

  • Vulnerable: 5.10.0-3
  • Unaffected: 5.10.0-4kalgan1

A vulnerability has been reported in Perl, which can be exploited by malicious local users to perform actions with escalated privileges. The vulnerability is caused due to the insecure use of chmod on symbolic links and can be exploited to change the permissions of arbitrary files to 0777 via symlink attacks.

CVEs: