Frugalware Security Announcements (FSAs)

• Author: voroskoi
• Vulnerable: 2.9-1
• Unaffected: 2.9-2sayshell1

There is a vulnerability in cpio, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing specially crafted tar archives and can be exploited to cause a stack-based buffer overflow and crash the vulnerable application.

• Bug Tracker URL: http://bugs.frugalware.org/task/2570

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476

• Author: voroskoi
• Vulnerable: 2.3.38-1
• Unaffected: 2.3.39-1sayshell1

Some vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service).

1. A vulnerability is caused due to the “add_filter_attrs()” function in servers/slapd/overlay/pcache.c not correctly NULL terminating “new_attrs”, which can be exploited to crash slapd due to an out of bounds memory access. Successful exploitation may require that slapd runs as proxy-caching server.
2. An error within the normalisation of “objectClasses” can be exploited to crash a vulnerable server by sending a malformed “objectClasses” attribute.

• Bug Tracker URL: http://bugs.frugalware.org/task/2542

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5708

• Author: voroskoi
• Vulnerable: 5.8.8-4
• Unaffected: 5.8.8-5sayshell1

Tavis Ormandy and Will Drewry have reported a vulnerability in Perl, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the processing of regular expressions containing Unicode data. This can be exploited to cause a buffer overflow via a specially crafted regular expression causing a runtime switch to the Unicode character scheme.

• Author: voroskoi
• Vulnerable: 5.2.4-1
• Unaffected: 5.2.5-1sayshell1

Some vulnerabilities and weaknesses have been reported in PHP, where some have unknown impacts and others can be exploited to bypass certain security restrictions.

1. Various errors exist in the “htmlentities” and “htmlspecialchars” functions where partial multibyte sequences are not accepted.
2. Various boundary errors exist in the “fnmatch()”, “setlocale()”, and “glob()” functions and can be exploited to cause buffer overflows.
3. An error in the processing of the “mail.force_extra_parameters” directive within an “.htaccess” file can be exploited to bypass the “safe_mode” directive.
4. An error in the handling of variables can be exploited to overwrite values set in httpd.conf via the “ini_set()” function.

• Bug Tracker URL: http://bugs.frugalware.org/task/2576

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887

• Author: voroskoi
• Vulnerable: 2.11.1.2-1sayshell1
• Unaffected: 2.11.2.2-1sayshell1

Three vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion, SQL injection and cross-site scripting attacks.

1. Input passed to the “db” parameter in db_create.php is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires that the attacker has CREATE DATABASE credentials, that the target user has valid user credentials, and that the target user uses a web browser that executes JavaScript code in img HTML elements (e.g. Opera).
2. Input passed to the “db” parameter in db_create.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that the attacker has CREATE DATABASE credentials.
3. Tim Brown has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “convcharset” parameter in index.php (when “auth_type” in the configuration is set to “cookie”) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

• Bug Tracker URL: http://bugs.frugalware.org/task/2578 http://bugs.frugalware.org/task/2588

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5976
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5977

• Author: voroskoi
• Vulnerable: 3.0.26-1
• Unaffected: 3.0.26-2sayshell1

Some vulnerabilities have been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system.

1. A boundary error exists within the “reply_netbios_packet()” function in nmbd/nmbd_packets.c when sending NetBIOS replies. This can be exploited to cause a stack-based buffer overflow by sending multiple specially crafted WINS “Name Registration” requests followed by a WINS “Name Query” request. Successful exploitation allows execution of arbitrary code, but requires that Samba is configured to run as a WINS server (the “wins support” option is enabled).
2. A boundary error exists within the processing of GETDC logon requests. This can be exploited to cause a buffer overflow by sending specially crafted GETDC mailslot requests. Successful exploitation of the vulnerability requires that Samba is configured as a Primary or Backup Domain Controller.

• Bug Tracker URL: http://bugs.frugalware.org/task/2589

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572

• Author: vmiklos
• Vulnerable: 2.6.22-7sayshell2
• Unaffected: 2.6.22-7sayshell3

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).

1. An error within the “wait_task_stopped()” function can be exploited to cause a DoS by manipulating the state of a child process while the parent is waiting for the state to change (e.g. the parent is inside “wait()” or “waitpid()”).
2. An NULL-pointer dereference error exists within the “tcp_sacktag_write_queue()” function when processing ACK packets. This can be exploited to crash an affected system via specially crafted ACK packets.

• Bug Tracker URL: http://bugs.frugalware.org/task/2599

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5500
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5501

• Author: voroskoi
• Vulnerable: 0.6-1
• Unaffected: 0.6-2sayshell1

Some vulnerabilities have been reported in Poppler, which can be exploited by malicious people to compromise an application using the library. The vulnerabilities are caused due to the use of vulnerable Xpdf code. For more information: FSA-316

• Bug Tracker URL: http://bugs.frugalware.org/task/2561

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

• Author: voroskoi
• Vulnerable: 3.5.7-2
• Unaffected: 3.5.7-3sayshell1

Some vulnerabilities have been reported in KOffice, which can be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused due to the use of vulnerable Xpdf code. For more information: FSA-316

• Bug Tracker URL: http://bugs.frugalware.org/task/2560

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

• Author: voroskoi
• Vulnerable: 1.6.3-2
• Unaffected: 1.6.3-3sayshell1

Some vulnerabilities have been reported in KOffice, which can be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused due to the use of vulnerable Xpdf code. For more information: FSA-316

• Bug Tracker URL: http://bugs.frugalware.org/task/2559

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393