Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

libsndfile

  • Author: voroskoi
  • Vulnerable: 1.0.17-2
  • Unaffected: 1.0.17-3terminus1

Robert Buchholz has reported a vulnerability in libsndfile, which potentially can be exploited by malicious people to compromise an application using the library. The vulnerability is caused by a boundary error within the “flac_buffer_copy()” function in src/flac.c when handling FLAC files with variable bitrates. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into playing a specially crafted FLAC file with an application using the library. Successful exploitation may allow the execution of arbitrary code.

mediawiki

  • Author: voroskoi
  • Vulnerable: 1.9.3-1
  • Unaffected: 1.9.4-1terminus1

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to unspecified parameters in the API pretty-printing mode is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Successful exploitation requires that the API interface is enabled.

wordpress

  • Author: voroskoi
  • Vulnerable: 2.2.2-1terminus1
  • Unaffected: 2.2.3-1terminus1

Some vulnerabilities have been reported in WordPress, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct SQL injection attacks.

  1. The “unfiltered_html” privilege feature can be bypassed by adding a field named “no_filter”. This can be exploited by malicious users without the “unfiltered_html” privilege to e.g. post blog entries with arbitrary HTML and script code via specially crafted POST requests.
  2. Input passed to certain parameters (e.g. the “post_type” parameter of the URL passed to the “pingback.extensions.getPingbacks()” XMLRPC method) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

CVEs:

claws-mail

  • Author: voroskoi
  • Vulnerable: 2.8.1-1
  • Unaffected: 2.8.1-2terminus1

Secunia Research has discovered a vulnerability in Sylpheed-Claws (Claws Mail), which can be exploited by malicious people to compromise a vulnerable system. A format string error in the “inc_put_error()” function in src/inc.c when displaying a POP3 server’s error response can be exploited via specially crafted POP3 server replies containing format specifiers. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server.

qt4

  • Author: voroskoi
  • Vulnerable: 4.2.3-2terminus1
  • Unaffected: 4.2.3-2terminus2

A vulnerability has been reported in Qt, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise an application using the library. The vulnerability is caused by an off-by-one error within the “QUtf8Decoder::toUnicode()” function (“QUtf8Codec::convertToUnicode()” in Qt 4.x) in codecs/qutfcodec.cpp. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted Unicode string.

sylpheed

  • Author: voroskoi
  • Vulnerable: 2.3.1-1
  • Unaffected: 2.3.1-2terminus1

Secunia Research has discovered a vulnerability in Sylpheed, which can be exploited by malicious people to compromise a vulnerable system. A format string error in the “inc_put_error()” function in src/inc.c when displaying a POP3 server’s error response can be exploited via specially crafted POP3 server replies containing format specifiers. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server.

kdebase

  • Author: vmiklos
  • Vulnerable: 3.5.6-3terminus1
  • Unaffected: 3.5.6-3terminus2

KDE has acknowledged a security issue in KDM, which can be exploited by malicious, local users to bypass certain security restrictions. The security issue is caused by an error when checking the credentials during login, which can be exploited to log in to an account (potentially including “root”) without specifying a valid password.

CVEs:

lighttpd

  • Author: vmiklos
  • Vulnerable: 1.4.16-1terminus1
  • Unaffected: 1.4.16-1terminus2

Mattias Bengtsson and Philip Olausson have reported a vulnerability in lighttpd, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an error in the mod_fastcgi extension when handling headers in an HTTP request. This can be exploited to e.g. add or replace PHP headers (e.g. SCRIPT_FILENAME) via an HTTP request containing an overly long header.

qt

  • Author: vmiklos
  • Vulnerable: 3.3.7-5terminus1
  • Unaffected: 3.3.7-5terminus2

A vulnerability has been reported in Qt, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise an application using the library. The vulnerability is caused by an off-by-one error within the “QUtf8Decoder::toUnicode()” function (“QUtf8Codec::convertToUnicode()” in Qt 4.x) in codecs/qutfcodec.cpp. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted Unicode string.

rsync

  • Author: vmiklos
  • Vulnerable: 2.6.9-1
  • Unaffected: 2.6.9-2terminus1

Sebastian Krahmer has reported a vulnerability in rsync, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an off-by-one error within the “f_name()” function in flist.c and can be exploited to cause a one-byte stack-based buffer overflow via an overly long directory name.

CVEs: