Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

drupal

  • Author: voroskoi
  • Vulnerable: 5.2-1
  • Unaffected: 5.2-2sayshell1

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions, and by malicious users to conduct HTTP response splitting attacks.

  1. Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user. This allows arbitrary HTML and script code to be executed in a user’s browser session in context of an affected site. Successful exploitation of this vulnerability requires valid user credentials.
  2. The Upload module includes the “.html” file extension in its default whitelist for file uploads. This can be exploited to upload arbitrary HTML files and entice users to visit them, thereby executing arbitrary HTML and script code in a user’s browser session in context of an affected site.
  3. The hook_components API operation does not pass the publication status. This makes it possible for modules including Organic groups and Subscriptions to send e-mail messages containing unpublished comments. Furthermore, vulnerabilities have been reported in Drupal which can be exploited by malicious people to conduct cross-site request forgery attacks and to compromise a vulnerable system.
  4. Input passed to unspecified parameters in install.php is not properly sanitised. This can be exploited to execute arbitrary code. Successful exploitation of this vulnerability requires that the configured SQL server is not reachable.
  5. A vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to delete users by enticing a logged-in administrator to visit a malicious site.

CVEs:

firefox

  • Author: voroskoi
  • Vulnerable: 2.0.0.7-1
  • Unaffected: 2.0.0.8-1sayshell1

Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user’s system.

  1. Various errors in the browser engine can be exploited to cause a memory corruption.
  2. Various errors in the Javascript engine can be exploited to cause a memory corruption. Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
  3. An error in the handling of onUnload events can be exploited to read and manipulate the document’s location of new pages.
  4. Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user’s request when a proxy is used.
  5. An error when displaying web pages written in the XUL markup language can be exploited to hide the window’s title bar and facilitate phishing attacks.
  6. An error exists in the handling of “smb:” and “sftp:” URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server. Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.
  7. An unspecified error in the handling of “XPCNativeWrappers” can lead to execution of arbitrary Javascript code with the user’s privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu). Furthermore, a weakness has been discovered in Firefox which potentially can be exploited by malicious people to disclose sensitive information. The weakness is caused due to a design error within the focus handling of form fields and can potentially be exploited by changing the focus from a “textarea” field to a “file upload” form field via the “OnKeyDown” event. Successful exploitation allows an arbitrary file on the user’s system to be uploaded to a malicious web site, but requires that the user is tricked into typing the file name into a “textarea” input form.

CVEs:

hplip

  • Author: voroskoi
  • Vulnerable: 2.7.7-1
  • Unaffected: 2.7.7-2sayshell1

Kees Cook has reported a vulnerability in HPLIP, which can be exploited by malicious local users to gain escalated privileges. The vulnerability is caused due to the hpssd daemon not properly sanitising certain input before using it to invoke sendmail via the “popen3()” method. This can be exploited to execute arbitrary commands with escalated privileges (e.g. “root”) by sending specially crafted requests to the hpssd daemon. NOTE: Depending upon the configuration of hpssd, this may also be remotely exploitable.

madwifi

  • Author: voroskoi
  • Vulnerable: 0.9.3.2-4
  • Unaffected: 0.9.3.3-1sayshell1

Clemens Kolbitsch and Sylvester Keil have reported a vulnerability in MadWifi, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the processing of beacon frames. This can be exploited via a specially crafted beacon frame with an overly large “length” value (greater than 15) in the extended supported rates element (“xrates”). Successful exploitation causes the driver to exit and results in a kernel panic.

openssl

  • Author: voroskoi
  • Vulnerable: 0.9.8-9
  • Unaffected: 0.9.8-10sayshell1

Andy Polyakov has reported a vulnerability in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The vulnerability is caused due to an unspecified error within the DTLS implementation. Successful exploitation may allow the execution of arbitrary code. Note: Reportedly, this vulnerability affects only clients and servers explicitly using DTLS.

CVEs:

opera

  • Author: voroskoi
  • Vulnerable: 9.23-1
  • Unaffected: 9.24-1sayshell1

Some vulnerabilities have been reported in Opera, where one vulnerability has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a user’s system.

  1. Opera may launch external email or newsgroup clients incorrectly. This can be exploited to execute arbitrary commands by e.g. visiting a malicious website. Successful exploitation requires that the user has configured an external email or newsgroup client.
  2. An error when processing frames from different websites can be exploited to bypass the same-origin policy. This makes it possible to overwrite functions of those frames and to execute arbitrary HTML and script code in a user’s browser session in context of other sites.

CVEs:

phpmyadmin

  • Author: voroskoi
  • Vulnerable: 2.11.1-1
  • Unaffected: 2.11.1.2-1sayshell1

Omer Singer has reported two vulnerabilities in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

  1. Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation requires that the user is running a browser that has not URL-encoded the request (e.g. Internet Explorer 6).
  2. Input passed in the URL to server_status.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation requires that the target user has valid user credentials. NOTE: Some other potential cross-site scripting problems have also been fixed by the vendor.

CVEs:

seamonkey

  • Author: voroskoi
  • Vulnerable: 1.1.4-1
  • Unaffected: 1.1.5-1sayshell1

Some vulnerabilities and a weakness have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user’s system.

  1. Various errors in the browser engine can be exploited to cause a memory corruption.
  2. Various errors in the Javascript engine can be exploited to cause a memory corruption. Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
  3. An error in the handling of onUnload events can be exploited to read and manipulate the document’s location of new pages.
  4. Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user’s request when a proxy is used.
  5. An error when displaying web pages written in the XUL markup language can be exploited to hide the window’s title bar and facilitate phishing attacks.
  6. An error exists in the handling of “smb:” and “sftp:” URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server. Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.
  7. An unspecified error in the handling of “XPCNativeWrappers” can lead to execution of arbitrary Javascript code with the user’s privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).

CVEs:

libpng

  • Author: voroskoi
  • Vulnerable: 1.2.20-1
  • Unaffected: 1.2.22-1sayshell1

Some vulnerabilities have been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. Certain errors within libpng, including a logical NOT instead of a bitwise NOT in pngrtran.c, an error in the 16-bit cheap transparency extension, and an incorrect use of sizeof(), may be exploited to crash an application using the library.
  2. Various out-of-bounds read errors exist within the functions “png_handle_pCAL()”, “png_handle_sCAL()”, “png_push_read_tEXt()”, “png_handle_iTXt()”, and “png_handle_zTXt()”, which may be exploited to crash an application using the library.
  3. An off-by-one error within the ICC profile chunk handling can potentially be exploited to crash an application using the library.

CVEs:

pwlib

  • Author: voroskoi
  • Vulnerable: 1.10.10-1
  • Unaffected: 1.10.10-2sayshell1

A vulnerability has been discovered in PWLib, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the “PString::vsprintf()” method in src/ptlib/common/contain.cxx. This can be exploited to cause a memory corruption by e.g. tricking an application using the library to use this function with a string longer than 1000 bytes.

CVEs: