Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

drupal

  • Author: voroskoi
  • Vulnerable: 5.2-2sayshell2
  • Unaffected: 5.2-2sayshell3

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and cross-site request forgery attacks.

  1. Input passed via unspecified parameters to theme .tpl.php files is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation requires that “register_globals” is enabled, and the .htaccess file fails to prevent access to .tpl.php files and to disable “register_globals”.
  2. An error in the text filtering functionality can be exploited to bypass the filter via invalid UTF-8 sequences. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed with e.g. Internet Explorer 6.
  3. The aggregator module allows users to perform certain actions via HTTP GET requests without performing any validity checks to verify the request. This can be exploited to e.g. remove items from a particular feed when a user visits a specially crafted page.

CVEs:

  • There is no CVE entry for this issue.

horde-webmail

  • Author: voroskoi
  • Vulnerable: 1.0.1-3
  • Unaffected: 1.0.1-4sayshell1

Secunia Research has discovered a vulnerability in IMP Webmail Client and Horde Groupware Webmail Edition, which can be exploited by malicious people to bypass certain security restrictions and manipulate data. The HTML filter does not filter out frame and frameset HTML elements. Additionally, the application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to (a) delete an arbitrary number of e-mail messages by referencing their numeric IDs and (b) purge deleted mails, when the victim opens a malicious HTML mail. Successful exploitation requires that the victim opens the HTML part of a malicious message.

libexif

  • Author: voroskoi
  • Vulnerable: 0.6.16-1
  • Unaffected: 0.6.16-2sayshell1

Two vulnerabilities have been reported in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise an application using the library.

  1. An integer overflow error in the “exif_data_load_data_thumbnail()” function in exif-data.c when processing exif image tags can be exploited to cause a memory corruption and may allow execution of arbitrary code via a specially crafted exif file.
  2. An infinite recursion error in the “exif_loader_write()” function in exif-loader.c when handling exif image tags can be exploited to cause an application to crash via a specially crafted exif file.
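The first libexif item is a classic length/offset check defeated by integer wrap-around. The added example below is not libexif code; it is a standalone C illustration of how a thumbnail-style region check is written so that a 32-bit offset plus a 32-bit length can never wrap into an apparently valid range. The `thumb_desc` structure, the function names and the sample "file" are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical EXIF-like thumbnail descriptor: an offset and a length that
 * both come straight from the untrusted file (names assumed for this example). */
struct thumb_desc {
    uint32_t offset;
    uint32_t length;
};

/* Return 1 if [offset, offset+length) lies wholly inside a buffer of buf_len
 * bytes, 0 otherwise. The sum offset + length is never computed, so a wrapped
 * sum cannot make an out-of-range region look valid. */
int region_fits(uint32_t offset, uint32_t length, size_t buf_len)
{
    if (length == 0)
        return 0;                       /* empty thumbnail: nothing to copy */
    if (offset > buf_len)
        return 0;
    return length <= buf_len - offset;  /* subtraction cannot underflow here */
}

/* Copy the thumbnail out of the file buffer into out[out_len].
 * Returns the number of bytes copied, or -1 if the descriptor is rejected. */
long load_thumbnail(const unsigned char *data, size_t data_len,
                    const struct thumb_desc *d,
                    unsigned char *out, size_t out_len)
{
    if (!region_fits(d->offset, d->length, data_len))
        return -1;
    if (d->length > out_len)
        return -1;
    memcpy(out, data + d->offset, d->length);
    return (long)d->length;
}

/* Run a constructed 16-byte "file" through load_thumbnail with either a sane
 * descriptor (use_bad == 0) or one whose length wraps the naive sum (use_bad != 0). */
long run_sample(int use_bad)
{
    unsigned char file[16] = { '0','1','2','3','4','5','6','7',
                               '8','9','a','b','c','d','e','f' };
    unsigned char out[16];
    struct thumb_desc ok  = { 8, 4 };
    /* 8 + 0xFFFFFFFC wraps to 4 in 32-bit arithmetic, which a check written as
     * "offset + length > buf_len" would accept. */
    struct thumb_desc bad = { 8, 0xFFFFFFFCu };

    return load_thumbnail(file, sizeof file, use_bad ? &bad : &ok, out, sizeof out);
}

int main(void)
{
    printf("sane descriptor    -> %ld bytes\n", run_sample(0));
    printf("wrapping descriptor -> %ld (rejected)\n", run_sample(1));
    return 0;
}
```

The point of `region_fits` is the order of the comparisons: checking `offset` against the buffer first makes `buf_len - offset` safe, and comparing `length` against that remainder avoids the addition entirely.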

CVEs:

libxml2

  • Author: voroskoi
  • Vulnerable: 2.6.30-1
  • Unaffected: 2.6.30-2sayshell1

A vulnerability has been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the “xmlCurrentChar()” function. This can be exploited to trigger the execution of an infinite loop via specially crafted UTF-8 sequences.

CVEs:

mantis

  • Author: voroskoi
  • Vulnerable: 1.0.8-1
  • Unaffected: 1.0.8-2sayshell1

seiji has discovered a vulnerability in Mantis, which can be exploited by malicious users to conduct script insertion attacks. Input passed as the filename for the uploaded file in bug_report.php is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected site when the malicious filename is viewed in view.php. Successful exploitation requires valid user credentials.

opera

  • Author: voroskoi
  • Vulnerable: 9.24-1sayshell1
  • Unaffected: 9.25-1sayshell1

Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, and compromise a user’s system.

  1. An unspecified error can be exploited via certain plugins to conduct cross-domain scripting attacks.
  2. An unspecified error within the processing of TLS certificates can be exploited to execute arbitrary code.
  3. An unspecified error within Rich text editing when using designMode can be exploited to conduct cross-domain scripting attacks.
  4. An unspecified error within the processing of bitmaps can be exploited to disclose the contents of random memory areas.

CVEs:

scponly

  • Author: voroskoi
  • Vulnerable: 4.6-1
  • Unaffected: 4.6-2sayshell1

A security issue has been reported in scponly, which can be exploited by malicious, local users to bypass certain security restrictions. The security issue is caused due to the unsafe execution of certain programs (e.g. svn, svnserve, rsync or unison) and can be exploited to execute arbitrary programs via various parameters.

CVEs:

syslog-ng

  • Author: voroskoi
  • Vulnerable: 2.0.5-1
  • Unaffected: 2.0.5-2sayshell1

A vulnerability has been reported in syslog-ng, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the improper processing of incoming timestamps. This can be exploited to trigger a NULL pointer dereference via a specially crafted message containing a timestamp without a terminating space character.
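The syslog-ng issue is a parser that assumes the terminating space is always present. The added example below is not syslog-ng code; it is a standalone C sketch of a bounded timestamp-token extractor that treats "no terminating space within the message" as a reject condition rather than a pointer to dereference. It assumes an ISO 8601-style timestamp token ended by a single space; the function names and sample lines are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TS_MAX 64

/* Extract the leading timestamp token of a syslog line, i.e. everything up to
 * the first space. The input is not assumed to be NUL-terminated, so the scan
 * is bounded by len (memchr, not strchr). Returns the token length, or -1 if
 * no terminating space exists within len bytes, the token is empty, or it
 * would not fit in ts. A parser that instead wrote
 *     end = strchr(msg, ' '); *end = '\0';
 * would dereference NULL on exactly the input this function rejects. */
long parse_timestamp(const char *msg, size_t len, char *ts, size_t ts_len)
{
    const char *end = memchr(msg, ' ', len);
    if (end == NULL)
        return -1;                      /* no terminating space: reject, never crash */
    size_t n = (size_t)(end - msg);
    if (n == 0 || n >= ts_len)
        return -1;                      /* empty token, or no room for the NUL */
    for (size_t i = 0; i < n; i++) {    /* coarse shape check: timestamp characters only */
        char c = msg[i];
        int ok = (c >= '0' && c <= '9') || c == '-' || c == ':' || c == 'T'
              || c == '.' || c == '+' || c == 'Z';
        if (!ok)
            return -1;
    }
    memcpy(ts, msg, n);
    ts[n] = '\0';
    return (long)n;
}

/* Run one line (not necessarily NUL-terminated) through the parser and
 * return its result; used so each sample's outcome is a checkable value. */
long check_line(const char *line, size_t len)
{
    char ts[TS_MAX];
    return parse_timestamp(line, len, ts, sizeof ts);
}

int main(void)
{
    /* Constructed samples: a well-formed line and one that ends inside the timestamp. */
    const char good[]  = "2007-12-31T23:59:59+01:00 host app: hello";
    const char trunc[] = "2007-12-31T23:59:59";   /* no terminating space */

    printf("good  -> %ld\n", check_line(good,  sizeof good  - 1));
    printf("trunc -> %ld\n", check_line(trunc, sizeof trunc - 1));
    return 0;
}
```

Two habits carry the weight here: bound every scan by the received length rather than trusting a NUL, and treat a missing delimiter as a parse failure that is reported to the caller instead of a condition the code "knows" cannot happen.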

CVEs:

vlc

  • Author: voroskoi
  • Vulnerable: 0.8.6-7
  • Unaffected: 0.8.6-8sayshell1

Some vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user’s system.

  1. Boundary errors in the “ParseMicroDvd()”, “ParseSSA()”, and “ParseVplayer()” functions when handling subtitles can be exploited to cause stack-based buffer overflows.
  2. A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a “Connection” header value containing format specifiers. Successful exploitation of the vulnerabilities allows execution of arbitrary code.

CVEs:

  • There is no CVE entry for these issues.