Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

kdelibs

  • Vulnerable: 3.5.9-1
  • Unaffected: 3.5.9-2kalgan1

A vulnerability has been reported in KDE, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to potentially gain escalated privileges. The vulnerability is caused by an error in the start_kdeinit script (installed setuid root by default). This can be exploited to send signals to privileged processes, cause a DoS, or potentially execute arbitrary code in the context of the target process.

kernel

  • Vulnerable: 2.6.24-4kalgan1
  • Unaffected: 2.6.24-4kalgan2

A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused by an error when preventing race conditions between “fcntl_setlk()” and “close()” calls on SMP systems. This can be exploited to trigger improper, reordered access to the file descriptor table and the “file_lock” structure of an inode between threads running on different CPUs.

thunderbird

  • Vulnerable: 2.0.0.12-1
  • Unaffected: 2.0.0.14-1kalgan1

Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or potentially compromise a user’s system. For more information, see FSA407.

CVEs:

util-linux-ng

  • Vulnerable: 2.13.1-1
  • Unaffected: 2.13.1-2kalgan1

A weakness has been reported in util-linux-ng, which can be exploited by malicious people to manipulate certain data. The security issue is caused by an error in login.c while logging login attempts. This can be exploited to inject, for example, an arbitrary address in the audit logs via a specially crafted username.

CVEs:

wordpress

  • Vulnerable: 2.3.3-2kalgan1
  • Unaffected: 2.5.1-1kalgan1

Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a vulnerable system.

  1. A vulnerability is caused by improper access restriction of the administration section. This can be exploited to bypass the authentication mechanism and gain administrative access by setting a specially crafted cookie. This can further be exploited to execute arbitrary PHP code. Successful exploitation of this vulnerability requires that registering new accounts is enabled. The vulnerability is reported in version 2.5.
  2. Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

CVEs:

frugalwareutils

  • Vulnerable: 0.7.9-1
  • Unaffected: 0.7.9-2kalgan1

A vulnerability has been reported in frugalwareutils, which can potentially be exploited by malicious people to cause a DoS on a vulnerable system. The vulnerability is caused by creating new files as root without checking the current value of umask. Successful exploitation may allow execution of arbitrary code.

CVEs:

  • There is no CVE for this issue.

kernel

  • Vulnerable: 2.6.24-3
  • Unaffected: 2.6.24-4kalgan1

A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to potentially gain escalated privileges. A race condition error exists in the dnotify subsystem between calls to “fcntl()” and “close()”. This can be exploited to cause a system crash or potentially gain root privileges.

CVEs:

vorbis-tools

  • Vulnerable: 1.1.1-3
  • Unaffected: 1.1.1-4kalgan1

A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by the use of a vulnerable libfishsound: an input validation error when processing Speex headers can be exploited via a specially crafted Speex stream containing a negative “modeID” field in the header. Successful exploitation may allow execution of arbitrary code.

CVEs:

xine-lib

  • Vulnerable: 1.1.11-1kalgan2
  • Unaffected: 1.1.11-1kalgan3

A vulnerability has been reported in xine-lib, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by the use of a vulnerable libfishsound: an input validation error when processing Speex headers can be exploited via a specially crafted Speex stream containing a negative “modeID” field in the header.

Successful exploitation may allow execution of arbitrary code.

CVEs:

xine-lib

  • Vulnerable: 1.1.11-1kalgan2
  • Unaffected: 1.1.11-1kalgan3

Guido Landi has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused by a boundary error within the “demux_nsf_send_chunk()” function in src/demuxers/demux_nsf.c. This can be exploited to cause a stack-based buffer overflow via an overly long NSF title.

CVEs: