Frugalware Security Announcements (FSAs)

• Vulnerable: 2.2.0-1
• Unaffected: 2.2.5-1kalgan1

Some vulnerabilities have been reported in GnuTLS, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library.

1. A boundary error exists in the processing “Client Hello” messages containing a “Server Name” extension. This can be exploited to cause a heap-based buffer overflow via a specially crafted TLS packet. Successful exploitation may allow execution of arbitrary code.
2. A NULL-pointer dereference error in the processing of TLS packets containing multiple “Client Hello” messages can be exploited to crash an affected application.
3. A signedness error exists within the “_gnutls_ciphertext2compressed()” function in lib/gnutls_cipher.c. This can be exploited to cause an out of bounds read and crash an affected application via specially crafted, encrypted TLS data.

• Bug Tracker URL: http://bugs.frugalware.org/task/3100

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950

• Vulnerable: 61-2
• Unaffected: 61-3kalgan1

A vulnerability has been reported in KVM, which can be exploited by malicious, local users to bypass certain security restrictions or cause a DoS (Denial of Service). The error can be exploited by a guest to read arbitrary files on the host via a specially crafted disk header. For more information, see FSA455.

• Bug Tracker URL: http://bugs.frugalware.org/task/3044

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004

• Vulnerable: 0.9.1-2
• Unaffected: 0.9.1-3kalgan1

A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the “drive_init()” function in vl.c determining the format of a disk from data contained in the disk’s header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image.

• Vulnerable: 21.4.21-1
• Unaffected: 21.4.21-2kalgan1

Some security issues have been reported in XEmacs, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issues are caused due to the use of vulnerable GNU Emacs code. For more information, see FSA423.

• Bug Tracker URL: http://bugs.frugalware.org/task/3041

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1694

• Vulnerable: 1.3.3-2
• Unaffected: 1.3.5-1kalgan1

Viktor Griph has reported a security issue in Audacity, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to delete arbitrary files and directories. The security issue is caused due to the “AudacityApp::OnInit()” method in src/AudacityApp.cpp handling temporary files in an insecure manner. This can be exploited to delete arbitrary files and directories via symlink attacks, or to cause a deadlock.

• Vulnerable: 1.1.11-1
• Unaffected: 1.1.12-1kalgan1

A security issue has been reported in GraphicsMagick, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the improper processing of file extensions and can be exploited to e.g. access X11 or to invoke certain delegate programs. Successful exploitation requires that a user is tricked into processing a malicious file with a specific file extension.

• Bug Tracker URL: http://bugs.frugalware.org/task/3076

CVEs:

• There is no CVE for this issue, see http://sourceforge.net/project/shownotes.php?release_id=595544

• Vulnerable: 5.2.5-2
• Unaffected: 5.2.6-1kalgan1

Some vulnerabilities have been reported in PHP, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

1. An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow.
2. An error in the processing of multibyte characters within the “escapeshellcmd()” and “escapeshellarg()” functions can be exploited to escape the inserted backslash or quote characters via certain multibyte characters. Successful exploitation allows to bypass the “safe_mode_exec_dir” and “disable_functions” directives, and potentially to inject arbitrary shell commands via user controlled input, but requires that the shell uses a locale with a variable width character (e.g. GBK, EUC-KR, SJIS).
3. A vulnerability is caused due to an error during path translation in cgi_main.c. This can potentially be exploited to execute arbitrary code, but depends on how a targeted application is using PHP.
4. An error in cURL can be exploited to bypass the “safe_mode” directive.
5. A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system.

• Bug Tracker URL: http://bugs.frugalware.org/task/3074

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108

• Vulnerable: 1.6.4-1
• Unaffected: 1.6.5-1kalgan1

A vulnerability has been reported in Pngcrush, which can be exploited by malicious people to disclose potentially sensitive information or potentially compromise a user’s system. The vulnerability is caused due to the use of vulnerable libpng code. For more information, see FSA434.

• Bug Tracker URL: http://bugs.frugalware.org/task/3079

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382

• Vulnerable: 1.5.0-2
• Unaffected: 1.6.0-1kalgan1

Some vulnerabilities have been reported in rdesktop, which can be exploited by malicious people to compromise a user’s system.

1. An integer underflow error in iso.c when processing RDP requests can be exploited to cause a heap-based buffer overflow.
2. An input validation error in rdp.c when processing RDP redirect requests can be exploited to cause a BSS-based buffer overflow.
3. A signedness error within “xrealloc()” in rdesktop.c can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code but requires that a user is tricked into connecting to a malicious RDP server.

• Bug Tracker URL: http://bugs.frugalware.org/task/3078

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1802
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1803

• Vulnerable: 0.9.4-2
• Unaffected: 0.9.4-3kalgan1

A security issue has been reported in Eterm, which can be exploited by malicious, local users to gain escalated privileges. Eterm 0.9.4 opens a terminal window on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.

• Bug Tracker URL: http://bugs.frugalware.org/task/2918

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1692