Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wireshark

  • Author: vmiklos
  • Vulnerable: 0.99.8-1
  • Unaffected: 1.0.0-1kalgan1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to errors in the X.509sat, Roofnet, LDAP, and SCCP dissectors. These can be exploited to cause the application to crash when processing specially crafted packets that are either captured off the wire or loaded via a capture file.

horde-webmail

  • Author: vmiklos
  • Vulnerable: 1.0.5-1
  • Unaffected: 1.0.6-1kalgan1

A vulnerability has been reported in various Horde products, which can be exploited by malicious users to disclose sensitive information and potentially compromise a vulnerable system. Input passed to the “theme” parameter is not properly sanitised before being used. This can be exploited to include arbitrary files from local resources, using directory traversal attacks and URL-encoded NULL bytes ("%00"). NOTE: Other attack vectors are also reported to exist. Successful exploitation may allow execution of arbitrary code, but requires valid user credentials.
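The two ingredients of the Horde issue described above, "../" traversal and a URL-encoded NUL byte, are easy to reproduce in a few lines. The following Python is an added example modelled on that description, not Horde's code: the install path THEME_ROOT, the allowlist KNOWN_THEMES and the file name screen.css are assumptions for the illustration. The NUL truncation it simulates is the behaviour of PHP before 5.3.4, which passed request strings to C file functions that stop at the first NUL byte.

```python
"""Theme lookup modelled on the Horde "theme" parameter issue: vulnerable vs. hardened.

THEME_ROOT, KNOWN_THEMES and "screen.css" are assumptions for the example,
not Horde's layout."""
import posixpath
from urllib.parse import unquote

THEME_ROOT = "/var/www/horde/themes"                         # assumed install path
KNOWN_THEMES = frozenset({"default", "bluewhite", "brown"})  # constructed allowlist


def theme_css_vulnerable(theme_param):
    """Vulnerable pattern: the decoded "theme" parameter is pasted into a path.

    Returns the path as the C runtime saw it. PHP before 5.3.4 handed the
    string to C file functions, which stop at the first NUL byte, so a %00 in
    the parameter discards the trailing "/screen.css" while the "../" segments
    walk out of THEME_ROOT.
    """
    theme = unquote(theme_param)
    path = f"{THEME_ROOT}/{theme}/screen.css"
    return posixpath.normpath(path.split("\0", 1)[0])


def theme_css_hardened(theme_param):
    """Allowlist the name, refuse NUL bytes, and confirm the normalised path is
    still under THEME_ROOT (defence in depth behind the allowlist). On a live
    server use os.path.realpath as well, so a symlink inside the theme tree
    cannot point outside it."""
    theme = unquote(theme_param)
    if "\0" in theme or theme not in KNOWN_THEMES:
        raise ValueError(f"rejected theme parameter {theme_param!r}")
    path = posixpath.normpath(posixpath.join(THEME_ROOT, theme, "screen.css"))
    if posixpath.commonpath([THEME_ROOT, path]) != THEME_ROOT:
        raise ValueError("theme path escapes THEME_ROOT")
    return path


def hardened_accepts(theme_param):
    """True if the hardened lookup would serve the parameter, False if it rejects it."""
    try:
        theme_css_hardened(theme_param)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    payload = "../../../../etc/passwd%00"
    print("vulnerable resolves to:", theme_css_vulnerable(payload))
    print("hardened accepts payload:", hardened_accepts(payload))
```

Without the %00 the same traversal only reaches "/etc/passwd/screen.css", which does not exist; the NUL byte is what turns the traversal into an arbitrary file include, which is why the advisory mentions both.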

j2sdk

  • Author: vmiklos
  • Vulnerable: 6-7
  • Unaffected: 6-8kalgan1

Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to cause a DoS (Denial of Service), to bypass certain security restrictions, or to compromise a vulnerable system.

  1. Two unspecified errors in the Java Runtime Environment Virtual Machine can be exploited by a malicious, untrusted applet to read and write local files and execute local applications.
  2. An unspecified error in the Java Runtime Environment (JRE) when processing XSLT transformations can be exploited by untrusted applets or applications to e.g. read certain URL resources or potentially execute arbitrary code.
  3. A boundary error exists in the “useEncodingDecl()” function when parsing the xml header character encoding attribute. This can be exploited to cause a stack-based buffer overflow and execute arbitrary code via a specially crafted JNLP file containing an overly long charset name in the xml header.
  4. A boundary error exists in the “useEncodingDecl()” function when processing xml-based JNLP files for UTF8 characters. This can be exploited to cause a stack-based buffer overflow and execute arbitrary code via a specially crafted JNLP file containing overly long key name in the xml header.
  5. A boundary error exists in Java Web Start, which can be exploited e.g. by an untrusted Java Web Start application to read and write local files and execute local applications.
  6. An unspecified error in Java Web Start can be exploited by a malicious, untrusted applet to read and write local files or execute local applications.
  7. An unspecified error in Java Web Start can be exploited by an untrusted Java Web Start application to create files on the system and run local applications with the privileges of the user running the untrusted Java Web Start application.
  8. An unspecified error in the Java Plug-in can be exploited by an applet to bypass the same origin policy and to execute local applications.
  9. Some errors in the Java Runtime Environment image parsing library within the processing of ICC profiles can be exploited to crash the JVM or to write local files and execute local applications.
  10. An error in the Java Runtime Environment may allow JavaScript code within a browser to make connections through Java APIs to network services on the local system.
  11. A boundary error exists in Java Web Start in the processing of JNLP files, which can be exploited to cause a stack-based buffer overflow when a user visits a malicious web site.

CVEs:

mplayer

  • Author: vmiklos
  • Vulnerable: 1.0rc2-3
  • Unaffected: 1.0rc2-4kalgan1

k`sOSe has discovered a vulnerability in MPlayer, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to an integer overflow error in the “sdpplin_parse()” function in stream/realrtsp/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large “StreamCount” SDP parameter. Successful exploitation may allow execution of arbitrary code.

CVEs:

openssh

  • Author: vmiklos
  • Vulnerable: 4.7p1-3
  • Unaffected: 4.7p1-4kalgan1

A vulnerability has been discovered in OpenSSH, which can be exploited by malicious, local users to disclose sensitive information. The vulnerability is caused due to sshd improperly binding TCP ports on the local IPv6 interface if the required ports on the IPv4 interface are in use. This can be exploited by a malicious, local user to intercept an X11 forwarding session by listening on a port used by sshd to forward the local X11 display (e.g. port 6010/TCP).
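The precondition for the OpenSSH issue above is visible in the listener table: an X11 forwarding port on which sshd holds only one of 127.0.0.1 and ::1, or on which another process already holds the other family. The Python below is an added example, not part of the FSA or of OpenSSH, that runs that check over `ss -lntp` style output. The sample output is constructed, not captured from a real host, and the port range is an assumption based on sshd starting at X11DisplayOffset (default 10, i.e. port 6010) and searching upward.

```python
"""Flag X11-forwarding listeners where sshd does not own both loopback families.

SS_OUTPUT is a constructed `ss -lntp` sample, not captured from a real host.
X11_FORWARD_PORTS is an assumption: sshd starts at X11DisplayOffset (default
10, port 6010) and searches upward for a free display."""
import re

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*         users:(("sshd",pid=2201,fd=9))
LISTEN 0      128    [::1]:6010          [::]:*            users:(("nc",pid=3117,fd=3))
LISTEN 0      128    127.0.0.1:6011      0.0.0.0:*         users:(("sshd",pid=2350,fd=9))
LISTEN 0      128    [::1]:6011          [::]:*            users:(("sshd",pid=2350,fd=10))
LISTEN 0      128    127.0.0.1:6012      0.0.0.0:*         users:(("sshd",pid=2400,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

X11_FORWARD_PORTS = range(6010, 7000)  # assumption, see module docstring

LISTENER_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text):
    """port -> list of (address, process, pid) for LISTEN sockets."""
    listeners = {}
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            entry = (m["addr"].strip("[]"), m["proc"], int(m["pid"]))
            listeners.setdefault(int(m["port"]), []).append(entry)
    return listeners


def x11_forward_findings(listeners):
    """Return (port, kind, detail) tuples for X11 forwarding ports held by sshd.

    "hijack": a non-sshd process also listens on the port, i.e. a local user
    holds the other address family and receives the X11 clients that pick it.
    "half-bound": sshd holds only one of 127.0.0.1 / ::1, leaving the other
    free for exactly that takeover.
    """
    findings = []
    for port in sorted(listeners):
        if port not in X11_FORWARD_PORTS:
            continue
        socks = listeners[port]
        sshd_families = {"v6" if ":" in addr else "v4"
                         for addr, proc, _ in socks if proc == "sshd"}
        if not sshd_families:
            continue  # not an sshd forwarding port
        foreign = [s for s in socks if s[1] != "sshd"]
        if foreign:
            findings.append((port, "hijack", foreign))
        elif sshd_families != {"v4", "v6"}:
            findings.append((port, "half-bound", sorted(sshd_families)))
    return findings


if __name__ == "__main__":
    for port, kind, detail in x11_forward_findings(parse_listeners(SS_OUTPUT)):
        print(f"port {port}: {kind} {detail}")
```

In the sample, display :10 has already been taken over (nc owns ::1:6010 next to sshd's 127.0.0.1:6010), :11 is healthy, and :12 is half-bound and therefore exposed until sshd is upgraded; port 22 is outside the forwarding range and ignored.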

phpmyadmin

  • Author: vmiklos
  • Vulnerable: 2.11.5-1
  • Unaffected: 2.11.5.1-1kalgan1

Tim Hermann has discovered a vulnerability in phpMyAdmin, which can potentially be exploited by malicious users to disclose sensitive information. The MySQL username, password, and the Blowfish secret key are stored as plain text in session files. This can potentially be exploited e.g. by users on shared hosts to access that information.

CVEs:

ghostscript

  • Author: vmiklos
  • Vulnerable: 8.61-1
  • Unaffected: 8.62-1kalgan1

Chris Evans has reported a vulnerability in Ghostscript, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a boundary error within the “zseticcspace()” function in zicc.c. This can be exploited to cause a stack-based buffer overflow via an overly large “Range” array. Successful exploitation allows execution of arbitrary code.

CVEs:

rails

  • Author: vmiklos
  • Vulnerable: 1.1.6-1
  • Unaffected: 1.2.6-1kalgan1

Some vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to disclose sensitive information and conduct cross-site scripting attacks.

  1. Input passed to the “to_json” function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. An error in ActiveResource when processing responses using the “Hash.from_xml” function can be exploited to determine the existence of files and to read the contents of arbitrary XML files.
  3. A security issue is caused by lib/action_controller/cgi_process.rb removing the “:cookie_only” attribute from “DEFAULT_SESSION_OPTIONS”, so that the session ID is also accepted from the request URL rather than only from the cookie. This can be exploited to conduct session fixation attacks against applications using the affected component.

CVEs:

tetex

  • Author: vmiklos
  • Vulnerable: 3.0-12
  • Unaffected: 3.0-13kalgan1

Some vulnerabilities have been reported in teTeX, which can be exploited by malicious, local users to disclose and manipulate sensitive information and by malicious people to potentially compromise a vulnerable system.

  1. A boundary error in dvips can be exploited to cause a stack-based buffer overflow when a user is tricked into opening a specially crafted DVI file containing an overly long hypertext reference. Successful exploitation requires that dvips is invoked with the “-z” option.
  2. Some boundary errors in dviljk can be exploited to cause buffer overflows when a user is enticed to print a specially crafted DVI file. Successful exploitation of vulnerabilities #1 and #2 may allow execution of arbitrary code.
  3. An error due to dvips using the insecure “tmpnam()” function when converting DVI files can potentially be exploited to disclose and modify sensitive information.

CVEs:
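The Vulnerable/Unaffected pairs in the entries above are what a host check actually consumes. The following Python is an added example, not part of the FSA page or of Frugalware's tooling: it parses entries in the layout used on this page and compares them with installed package versions given as `name version-release` lines (the shape of `pacman-g2 -Q` output). The installed-package list is constructed, and the version comparison is a simplified re-implementation of pacman's rpmvercmp rules, not Frugalware's own code.

```python
"""Check installed package versions against FSA Vulnerable/Unaffected entries.

ADVISORY_TEXT copies three entries from the FSA list in the page's own layout;
INSTALLED_TEXT is a constructed sample in `pacman-g2 -Q` form, not taken from
a real host. vercmp() is a simplified re-implementation of pacman's rpmvercmp."""
import re

ADVISORY_TEXT = """\
wireshark

  • Author: vmiklos
  • Vulnerable: 0.99.8-1
  • Unaffected: 1.0.0-1kalgan1

openssh

  • Author: vmiklos
  • Vulnerable: 4.7p1-3
  • Unaffected: 4.7p1-4kalgan1

phpmyadmin

  • Author: vmiklos
  • Vulnerable: 2.11.5-1
  • Unaffected: 2.11.5.1-1kalgan1
"""

INSTALLED_TEXT = """\
wireshark 1.0.0-1kalgan1
openssh 4.7p1-3
phpmyadmin 2.11.5-1
ghostscript 8.62-1kalgan1
"""

# One entry: bare package name, blank line, bullet fields. Description
# paragraphs and empty "CVEs:" lines never match because they contain spaces
# or are not followed by the bullet block.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\n\n"
    r"(?:\s*•\s*Author:\s*.+\n)?"
    r"\s*•\s*Vulnerable:\s*(?P<vulnerable>\S+)\n"
    r"\s*•\s*Unaffected:\s*(?P<unaffected>\S+)",
    re.MULTILINE,
)


def parse_advisories(text):
    """Map package name -> (vulnerable, unaffected) version strings."""
    return {m["name"]: (m["vulnerable"], m["unaffected"])
            for m in ENTRY_RE.finditer(text)}


def parse_installed(text):
    """Map package name -> installed version-release."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def _cmp_segments(a, b):
    """Compare one version part the way pacman's rpmvercmp does: split into
    digit and alpha runs, numbers compare numerically, a numeric run beats an
    alpha run, and a trailing alpha run ("rc2") is older than nothing at all."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, a_is_longer = (sa, True) if len(sa) > len(sb) else (sb, False)
    rest_is_numeric = longer[min(len(sa), len(sb))].isdigit()
    if rest_is_numeric:
        return 1 if a_is_longer else -1
    return -1 if a_is_longer else 1


def vercmp(a, b):
    """Return -1, 0 or 1 comparing "pkgver-pkgrel" strings (pkgrel optional).
    pkgrel is compared only when both sides carry one, as pacman does."""
    va, sep_a, ra = a.rpartition("-")
    vb, sep_b, rb = b.rpartition("-")
    va, ra = (va, ra) if sep_a else (a, "")
    vb, rb = (vb, rb) if sep_b else (b, "")
    c = _cmp_segments(va, vb)
    if c == 0 and ra and rb:
        c = _cmp_segments(ra, rb)
    return c


def affected(installed, advisories):
    """Packages installed at a version older than the Unaffected one."""
    return {name: (ver, advisories[name][1]) for name, ver in installed.items()
            if name in advisories and vercmp(ver, advisories[name][1]) < 0}


if __name__ == "__main__":
    hits = affected(parse_installed(INSTALLED_TEXT), parse_advisories(ADVISORY_TEXT))
    for name, (have, need) in sorted(hits.items()):
        print(f"{name}: installed {have}, upgrade to {need}")
```

One caveat on the comparison rule: like pacman, it ranks a trailing alpha tag below nothing at all, so a hypothetical "-4" would compare as newer than "-4kalgan1". Every Unaffected version on this page bumps a numeric component before the kalgan suffix, so the rule does not affect these entries, but a check against other version schemes should be validated against its package manager's own vercmp.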