Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

kernel

  • Author: vmiklos
  • Vulnerable: 2.6.22-7sayshell3
  • Unaffected: 2.6.22-7sayshell4

A vulnerability with unknown impact has been reported in the Linux Kernel. It is caused by a boundary error within the “isdn_net_setcfg()” function in drivers/isdn/i4l/isdn_net.c when processing IOCTL configuration requests sent to the ISDN pseudo device (/dev/isdnctrl). This can be exploited to cause a buffer overflow via a specially crafted IIOCNETSCF IOCTL request. Successful exploitation requires write access to /dev/isdnctrl.
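
The bug class above (an ioctl handler copying a string out of a user-supplied configuration record into a smaller in-kernel structure without a length check) is illustrated by the following added example. It is not the kernel's code: the structure names, field sizes and the flags field are invented for the demonstration. The weak copy is written as a byte loop bounded by the destination struct so that the demo itself stays in-bounds while still showing the neighbouring field being overwritten; the bounded variant rejects unterminated or oversized input instead of truncating it.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical structures for illustration only, not the real ISDN ones:
 * a configuration record filled in by userspace and passed to an ioctl,
 * and the smaller private record the driver copies it into. */
#define USER_FIELD_LEN 64
#define KERN_FIELD_LEN 16

struct user_cfg {                 /* entirely attacker-controlled */
    char number[USER_FIELD_LEN];  /* may lack a NUL terminator altogether */
};

struct kern_cfg {                 /* the driver's private copy */
    char number[KERN_FIELD_LEN];
    uint32_t flags;               /* adjacent field a long string would clobber */
};

/* Length of a user field that may not be NUL-terminated: never reads past
 * USER_FIELD_LEN, and returns USER_FIELD_LEN when no terminator is present. */
static size_t user_field_len(const struct user_cfg *u)
{
    size_t n = 0;
    while (n < USER_FIELD_LEN && u->number[n] != '\0')
        n++;
    return n;
}

/* Weak pattern: a strcpy()-style copy that trusts the input to fit.
 * Written as a byte loop over the whole destination struct so that this
 * demo stays inside the object; the real bug class has no such stop and
 * keeps writing past the end of the structure. */
void setcfg_unbounded(struct kern_cfg *k, const struct user_cfg *u)
{
    unsigned char *dst = (unsigned char *)k;   /* k->number sits at offset 0 */
    size_t n = user_field_len(u);
    size_t i;
    for (i = 0; i < n && i < sizeof *k; i++)
        dst[i] = (unsigned char)u->number[i];  /* runs straight through k->flags */
    if (i < sizeof *k)
        dst[i] = '\0';
}

/* Hardened pattern: refuse input that is unterminated or too long, and
 * never write outside k->number. Returns 0 on success, -1 on rejection. */
int setcfg_bounded(struct kern_cfg *k, const struct user_cfg *u)
{
    size_t n = user_field_len(u);
    if (n == USER_FIELD_LEN)      /* no terminator within the user buffer */
        return -1;
    if (n >= KERN_FIELD_LEN)      /* needs more than KERN_FIELD_LEN-1 chars + NUL */
        return -1;
    memcpy(k->number, u->number, n);
    k->number[n] = '\0';
    return 0;
}

/* Build a constructed user record holding `len` 'A' characters. */
struct user_cfg make_user_cfg(size_t len)
{
    struct user_cfg u;
    memset(&u, 0, sizeof u);
    if (len > USER_FIELD_LEN)
        len = USER_FIELD_LEN;
    memset(u.number, 'A', len);
    return u;
}

/* Feed a 19-character number through the weak copy and report whether the
 * neighbouring flags field was overwritten (1) or left intact (0). */
int weak_copy_clobbers_flags(void)
{
    struct user_cfg u = make_user_cfg(19);     /* 19 > KERN_FIELD_LEN-1 */
    struct kern_cfg k;
    memset(&k, 0, sizeof k);
    k.flags = 0x00000001;
    setcfg_unbounded(&k, &u);
    return k.flags != 0x00000001;
}

/* Result of the bounded copy for a `len`-character user field. */
int bounded_copy_result(size_t len)
{
    struct user_cfg u = make_user_cfg(len);
    struct kern_cfg k;
    memset(&k, 0, sizeof k);
    return setcfg_bounded(&k, &u);
}

int main(void)
{
    printf("weak copy clobbered flags: %s\n", weak_copy_clobbers_flags() ? "yes" : "no");
    printf("bounded copy, 19 chars: %d\n", bounded_copy_result(19));        /* rejected */
    printf("bounded copy, unterminated: %d\n", bounded_copy_result(64));    /* rejected */
    printf("bounded copy, 8 chars: %d\n", bounded_copy_result(8));          /* accepted */
    return 0;
}
```

The bounded variant returns an error rather than truncating on purpose: an ioctl caller that hands over an oversized or unterminated field is either buggy or hostile, and rejecting the request (-EINVAL in kernel terms) is the right answer for both.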

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information. It is caused by the “do_coredump()” function in fs/exec.c not correctly verifying the user ID of a core dump file when dumping core into an existing file. This can be exploited to gain access to sensitive information, e.g. by tricking an application running under another user ID into dumping core into a pre-existing file.

asterisk

  • Author: voroskoi
  • Vulnerable: 1.4.13-1sayshell1
  • Unaffected: 1.4.13-1sayshell2

Multiple vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to conduct SQL injection attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

  1. Input passed as lookup data to the Postgres Realtime Engine is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that the module is configured and used.
  2. Input passed as ANI and DNIS strings to the Call Detail Record Postgres logging engine is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires valid user credentials and that the module is configured and used.
  3. The security issue is caused by missing checks of IP addresses when processing database-based registrations (“realtime”). This can be exploited to authenticate as a legitimate user without a password. Successful exploitation requires that host-based authentication is used and that the attacker has knowledge of a valid username.
  4. The vulnerability is caused by a null-pointer dereference within the handling of the “BYE/Also” transfer method and can be exploited to crash the application. Successful exploitation requires that a dialog has already been established.

CVEs:

joomla

  • Author: voroskoi
  • Vulnerable: 1.0.13-1
  • Unaffected: 1.0.13-2sayshell1

MustLive has discovered a vulnerability in Joomla!, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “searchword” parameter in index.php (when “option” is set to “com_search”) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Successful exploitation requires that the victim changes the number of search results in a drop-down box after having clicked on the malicious link.

libcdio

  • Author: voroskoi
  • Vulnerable: 0.78.2-1
  • Unaffected: 0.78.2-2sayshell1

Some vulnerabilities have been reported in the cd-info and iso-info applications of libcdio, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused by boundary errors within the function “print_iso9660_recurse()” in cd-info.c and iso-info.c. These can be exploited to cause a buffer overflow, e.g. by tricking a user into running iso-info on a specially crafted ISO image.

postgresql

  • Author: voroskoi
  • Vulnerable: 8.2.5-1
  • Unaffected: 8.2.6-1sayshell1

Some vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to gain escalated privileges or to cause a DoS (Denial of Service).

  1. Index functions are executed as superuser during “VACUUM” and “ANALYZE”, which can be exploited to gain escalated privileges.
  2. “SET ROLE” and “SET SESSION AUTHORIZATION” are permitted within index functions, which can be exploited to gain escalated privileges.
  3. Various errors in the processing of regular expressions within SQL queries can be exploited to cause infinite loops, consume large amounts of memory, or to crash the backend, resulting in a DoS.
  4. Errors in the DBLink module can be exploited to gain superuser privileges when being used in combination with local trust or ident authentication.

CVEs:

rsync

  • Author: voroskoi
  • Vulnerable: 2.6.9-2
  • Unaffected: 2.6.9-3sayshell1

Two vulnerabilities have been reported in rsync, which can be exploited by malicious users to bypass certain security restrictions.

  1. An error in the rsync daemon when the “use chroot” option is disabled can be exploited to gain access to files outside of the module’s hierarchy via symlink attacks.
  2. An error exists within the enforcing of the “exclude”, “exclude from”, and “filter” options. This can be exploited to bypass access restrictions and gain access to hidden files via e.g. symlink attacks, if the filename is known.

CVEs:

ruby-gnome2

  • Author: voroskoi
  • Vulnerable: 0.16.0-3
  • Unaffected: 0.16.0-4sayshell1

Chris Rohlf has reported a vulnerability in Ruby-GNOME2, which can potentially be exploited by malicious people to compromise an application using the library. The vulnerability is caused by a format string error within the “Gtk::MessageDialog.new()” method in gtk/src/rbgtkmessagedialog.c and can potentially be exploited to execute arbitrary code when a specially crafted string is passed to the affected function. NOTE: Exploitation and impact of this vulnerability depend on how an application uses the affected function of the vulnerable library.

apache

  • Author: voroskoi
  • Vulnerable: 2.2.6-1
  • Unaffected: 2.2.6-2sayshell1

A vulnerability has been reported in the Apache mod_imagemap module, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input passed to “mod_imagemap” is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Successful exploitation requires that “mod_imagemap” is enabled and a mapfile is publicly accessible.

clamav

  • Author: voroskoi
  • Vulnerable: 0.91.2-1
  • Unaffected: 0.91.2-2sayshell1

Some vulnerabilities have been reported in ClamAV, where one vulnerability has an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

  1. An integer overflow error exists within the “cli_scanpe()” function when handling MEW packed executables. This can be exploited to cause a heap-based buffer overflow via specially crafted “ssize” and “dsize” values. Successful exploitation allows execution of arbitrary code.
  2. An off-by-one error exists within libclamav/mspack.c when handling MSZIP compressed files. This can be exploited to e.g. crash the scanner or potentially execute arbitrary code via a specially crafted MSZIP compressed file.
  3. A boundary error exists within the bzip2 “BZ_GET_FAST()” and “BZ_GET_FAST_C()” decompression macros in libclamav/nsis/bzlib_private.h. The impact of this issue is currently unknown.
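
Item 1 above is an instance of a header-controlled size computation wrapping around: two 32-bit sizes read from the file are added, the small wrapped result is allocated, and the large original values drive the copy. The following is an added example, not the scanner's own code; pack_hdr, its field names and the sample header values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two 32-bit sizes read straight from a packed executable's header: the
 * packed (source) size and the unpacked (destination) size. Hypothetical
 * names for illustration, not the scanner's own structures. */
struct pack_hdr {
    uint32_t ssize;
    uint32_t dsize;
};

/* Weak: the working-buffer size is computed in 32-bit arithmetic. When the
 * sum wraps, the allocation is tiny but the later copy of ssize bytes is
 * not; that mismatch is the heap-based buffer overflow. */
uint32_t naive_buffer_size(const struct pack_hdr *h)
{
    return h->ssize + h->dsize;          /* silently wraps modulo 2^32 */
}

/* Returns 1 when the weak path would copy more bytes than it allocated,
 * without performing the out-of-bounds write. */
int naive_unpack_would_overflow(const struct pack_hdr *h)
{
    uint32_t alloc = naive_buffer_size(h);
    return h->ssize > alloc || h->dsize > alloc;
}

/* Hardened: detect the wrap before trusting the sum, and cap ssize by the
 * bytes actually present in the file. Returns 0 and sets *out on success,
 * -1 when the header is inconsistent. */
int checked_buffer_size(const struct pack_hdr *h, size_t file_remaining, uint32_t *out)
{
    if (h->ssize > UINT32_MAX - h->dsize)
        return -1;                       /* ssize + dsize would wrap */
    if (h->ssize > file_remaining)
        return -1;                       /* claims more packed data than exists */
    *out = h->ssize + h->dsize;
    return 0;
}

/* Safe unpack front-end: validates, allocates, copies the packed bytes.
 * Returns the allocated buffer size, or 0 if the header was rejected. */
uint32_t safe_unpack(const struct pack_hdr *h, const unsigned char *packed, size_t packed_len)
{
    uint32_t total;
    unsigned char *buf;
    if (checked_buffer_size(h, packed_len, &total) != 0 || total == 0)
        return 0;
    buf = malloc(total);
    if (!buf)
        return 0;
    memcpy(buf, packed, h->ssize);       /* fits: ssize <= total and ssize <= packed_len */
    /* ... a decompressor would now expand into buf + ssize .. buf + total ... */
    free(buf);
    return total;
}

/* Constructed inputs: a malicious header whose sizes wrap, and a benign one
 * that describes the 16 sample bytes below. */
static const struct pack_hdr evil_hdr   = { 0xFFFFFFF0u, 0x20u };   /* 32-bit sum: 0x10 */
static const struct pack_hdr benign_hdr = { 0x10u, 0x40u };         /* sum: 0x50 */
static const unsigned char sample_packed[0x10] = "packed bytes";

int main(void)
{
    uint32_t out = 0;
    printf("evil: naive size 0x%08x, would overflow: %d, checked: %d\n",
           naive_buffer_size(&evil_hdr), naive_unpack_would_overflow(&evil_hdr),
           checked_buffer_size(&evil_hdr, sizeof sample_packed, &out));
    printf("benign: safe_unpack allocated 0x%x bytes\n",
           safe_unpack(&benign_hdr, sample_packed, sizeof sample_packed));
    return 0;
}
```

Widening the accumulator to uint64_t is the other common fix; the explicit pre-check is shown here because it also states the invariant (ssize <= total <= what the file holds) that the later memcpy depends on.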

CVEs:

cups

  • Author: voroskoi
  • Vulnerable: 1.3.2-2sayshell2
  • Unaffected: 1.3.2-2sayshell3

A vulnerability has been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused by a signedness error within the “asn1_get_string()” function in backend/snmp.c. This can be exploited to cause a stack-based buffer overflow via specially crafted SNMP responses containing ASN.1-encoded strings with negative length values. Successful exploitation on 1.3.x versions requires that the snmp backend is configured in snmp.conf.
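
The signedness error described above comes from decoding a BER length into a signed int and then comparing it against the destination size with a plain less-than: a long-form length whose top bit is set becomes negative, passes the check, and turns into a huge size_t in the copy that follows. The following added example is not the CUPS backend's code; the function names and the two constructed TLVs are ours. The weak decoder and its acceptance test are shown beside a hardened extractor that keeps the length unsigned and bounds it by both the remaining input and the destination.

```c
#include <stdio.h>
#include <string.h>

/* Decode a BER length the way hand-rolled SNMP parsers often do: a byte
 * below 0x80 is the length itself; 0x80|n means n length bytes follow.
 * Returning a signed int is the weakness on show: four length bytes with
 * the top bit set come back negative. Advances *p past the length field. */
int asn1_length_signed(const unsigned char **p, const unsigned char *end)
{
    unsigned int acc;
    if (*p >= end)
        return -1;
    acc = *(*p)++;
    if (acc & 0x80) {
        unsigned int count = acc & 0x7f;
        for (acc = 0; count > 0 && *p < end; count--, (*p)++)
            acc = (acc << 8) | **p;
    }
    return (int)acc;                     /* 0xFFFFFFF0 becomes -16 */
}

/* The flawed acceptance test: a negative length is "less than" any positive
 * destination size, so the copy that follows runs with a length that turns
 * into a huge size_t. Only the condition is evaluated; no copy is done. */
int weak_length_accepted(int length, int strsize)
{
    return length < strsize;
}

/* Hardened extraction: the length stays unsigned, must fit in the remaining
 * input and in the destination with room for a terminator, and indefinite
 * or oversized length fields are rejected. Returns bytes copied, or -1. */
int asn1_get_string_checked(const unsigned char **p, const unsigned char *end,
                            char *out, size_t outsize)
{
    unsigned long length;
    if (*p >= end || outsize == 0)
        return -1;
    length = *(*p)++;
    if (length & 0x80) {
        unsigned int count = (unsigned int)(length & 0x7f);
        if (count == 0 || count > 4 || count > (size_t)(end - *p))
            return -1;                   /* indefinite form, or an oversized length field */
        for (length = 0; count > 0; count--, (*p)++)
            length = (length << 8) | **p;
    }
    if (length > (unsigned long)(end - *p) || length >= outsize)
        return -1;                       /* does not fit: reject rather than truncate */
    memcpy(out, *p, length);
    out[length] = '\0';
    *p += length;
    return (int)length;
}

/* Constructed inputs, each an OCTET STRING (tag 0x04) as it would appear in
 * an SNMP response: a benign community string, and a crafted one whose
 * long-form length 0x84 FF FF FF F0 decodes to -16 as a signed int. */
static const unsigned char benign_tlv[]  = { 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c' };
static const unsigned char crafted_tlv[] = { 0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xF0, 'A', 'A' };

int crafted_length_as_int(void)
{
    const unsigned char *p = crafted_tlv + 1;            /* skip the tag */
    return asn1_length_signed(&p, crafted_tlv + sizeof crafted_tlv);
}

int checked_on_crafted(void)
{
    char out[64];
    const unsigned char *p = crafted_tlv + 1;
    return asn1_get_string_checked(&p, crafted_tlv + sizeof crafted_tlv, out, sizeof out);
}

/* 1 if the hardened extractor returns "public" (6 bytes) from the benign TLV. */
int checked_on_benign_matches(void)
{
    char out[64];
    const unsigned char *p = benign_tlv + 1;
    int n = asn1_get_string_checked(&p, benign_tlv + sizeof benign_tlv, out, sizeof out);
    return n == 6 && strcmp(out, "public") == 0;
}

int main(void)
{
    int len = crafted_length_as_int();
    printf("crafted length as int: %d, weak check accepts: %d, checked parser: %d\n",
           len, weak_length_accepted(len, 64), checked_on_crafted());
    printf("benign TLV extracted correctly: %d\n", checked_on_benign_matches());
    return 0;
}
```

Two checks matter in the hardened version and both are missing from the weak one: the decoded length is compared against the bytes left in the packet, so a claimed length cannot read past the response, and the comparison with the destination is done on an unsigned value, so there is no negative number to slip under the threshold.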