Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

xorg-server

  • Author: vmiklos
  • Vulnerable: 1.2.0-2terminus1
  • Unaffected: 1.2.0-2terminus2

A vulnerability has been reported in X.org X11, which can potentially be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused by a boundary error within the Composite extension when copying data between pixmaps of different bit depths. This can be exploited to cause a buffer overflow by copying data between specially crafted pixmaps.

CVEs:

asterisk

  • Author: vmiklos
  • Vulnerable: 1.4.11-1terminus1
  • Unaffected: 1.4.11-1terminus2

A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error when handling emails with a malformed MIME body. This can be exploited to crash the service by sending a specially crafted email to a user and tricking them into listening to the voicemail. Successful exploitation requires that the IMAP backend for the voicemail feature is used. Reportedly, other backends are not affected.

clamav

  • Author: voroskoi
  • Vulnerable: 0.91.1-1terminus1
  • Unaffected: 0.91.2-1terminus1

Some vulnerabilities have been reported in ClamAV, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

  1. A NULL-pointer dereference error exists within the “cli_scanrtf()” function in libclamav/rtf.c. This can potentially be exploited to crash ClamAV via a specially crafted RTF file.
  2. A NULL-pointer dereference error exists within the “cli_html_normalise()” function in libclamav/htmlnorm.c. This can potentially be exploited to crash ClamAV via a specially crafted HTML file containing a “data” URL scheme.
  3. The recipient address extracted from email messages is not properly sanitised before being used in a call to “popen()” when executing sendmail. This can be exploited to execute arbitrary code with the privileges of the clamav-milter process by sending an email with a specially crafted recipient address to the affected system. Successful exploitation requires that clamav-milter is started with the “black hole” mode activated.
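Item 3 above is the classic shell-injection pattern: a value taken from the message is spliced into a command string that popen() hands to /bin/sh. The following Python is an added example, not ClamAV's code, showing the unsafe construction beside the two fixes a practitioner would apply (pass the address as its own argv element so no shell ever parses it, and validate it against an allowlist first). It uses `echo` as a stand-in for the sendmail binary so it runs offline on any POSIX system; the stand-in, the constructed recipients, `ADDR_RE` and the function names are all assumptions of the example.

```python
import re
import subprocess

# Assumption of this example: "echo" stands in for the sendmail binary so the
# commands run offline on any POSIX system and only print their arguments.
MAILER = "echo"

# Constructed hostile recipient: looks like an address, carries a second command.
HOSTILE_RECIPIENT = "victim@example.com; echo INJECTED"
BENIGN_RECIPIENT = "victim@example.com"

# Allowlist for local-part@domain (assumption: deliberately narrower than RFC 5321;
# no shell metacharacters, no whitespace, no quoting).
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_recipient(addr: str) -> bool:
    """Accept only plain addresses; also refuse a leading '-' so the mailer
    cannot mistake the address for one of its own command-line options."""
    return bool(ADDR_RE.match(addr)) and not addr.startswith("-")


def run_vulnerable(addr: str) -> list:
    """popen()-style: the untrusted address is spliced into one command string
    that /bin/sh parses, so ';' ends the mailer command and starts another."""
    out = subprocess.run(MAILER + " " + addr, shell=True,
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_argv_only(addr: str) -> list:
    """argv-style without the allowlist: no shell is involved, so the whole
    address becomes one inert argument even when it carries a payload."""
    out = subprocess.run([MAILER, addr], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_hardened(addr: str) -> list:
    """argv-style plus allowlist: suspicious input is refused before any
    process is started."""
    if not validate_recipient(addr):
        raise ValueError("refusing suspicious recipient: %r" % addr)
    return run_argv_only(addr)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(HOSTILE_RECIPIENT))
    print("argv only: ", run_argv_only(HOSTILE_RECIPIENT))
    try:
        run_hardened(HOSTILE_RECIPIENT)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("hardened:  ", run_hardened(BENIGN_RECIPIENT))
```

Removing the shell is what neutralises ';', '|', '`' and friends, but a mailer still parses its own argument vector, so an address that begins with '-' could be read as an option; that is why validate_recipient rejects a leading dash as well as anything outside the allowlist.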

CVEs:

gftp

  • Author: voroskoi
  • Vulnerable: 2.0.18-2
  • Unaffected: 2.0.18-3terminus1

Some vulnerabilities have been reported in gFTP, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused due to the use of vulnerable fsplib code, which may allow the execution of arbitrary code.

CVEs:

php

  • Author: voroskoi
  • Vulnerable: 5.2.3-1terminus3
  • Unaffected: 5.2.4-1terminus1

Some vulnerabilities have been reported in PHP, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions.

  1. An error with unknown impact exists within the “money_format()” function when processing “%i” and “%n” tokens.
  2. An unspecified error exists within the “zend_alter_ini_entry()” function. This can be exploited to trigger a memory_limit interruption.
  3. Two integer overflow errors exist within the “gdImageCreate()” and “gdImageCreateTrueColor()” functions in ext/gd/libgd/gd.c. These can be exploited to cause a heap-based buffer overflow via overly large integer values passed as parameters to e.g. the “imagecreatetruecolor()” PHP function.
  4. Two integer overflow errors exist within the “gdImageCopyResized()” function in ext/gd/libgd/gd.c. These can be exploited to cause a heap-based buffer overflow via overly large integer values passed as parameters to the “imagecopyresized()” or “imagecopyresampled()” PHP functions. Successful exploitation of vulnerabilities #3 and #4 may allow execution of arbitrary code, which may lead to security restrictions (e.g. the “disable_functions” directive) being bypassed, but requires that PHP is configured to use gd.
  5. An error exists within the handling of SQL queries containing “LOCAL INFILE” inside the MySQL and MySQLi extensions. This can be exploited to bypass the “open_basedir” and “safe_mode” directives.
  6. An error exists when processing “session_save_path()” and “ini_set()” functions called from a “.htaccess” file. This can be exploited to bypass the “open_basedir” and “safe_mode” directives.
  7. An unspecified error exists within the “glob()” function. This can be exploited to bypass the “open_basedir” directive.
  8. An unspecified error exists within the session extension. This can potentially be exploited to bypass the “open_basedir” directive when the session file is a symlink.

CVEs:

realplayer

  • Author: voroskoi
  • Vulnerable: 10.0.8.805_20060718-1
  • Unaffected: 10.0.9.809_20070726-1terminus1

A vulnerability has been reported in RealPlayer and Helix Player, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a boundary error in the wallclock functionality in “SmilTimeValue::parseWallClockValue()” when handling time formats. This can be exploited to cause a stack-based buffer overflow via an SMIL file with an overly long, specially-crafted time string. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.

wordpress

  • Author: voroskoi
  • Vulnerable: 2.2.1-1terminus1
  • Unaffected: 2.2.2-1terminus1

Benjamin Flesch has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “style” parameter in wp-admin/upload.php (when “post_id” is set to a negative integer value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation requires that the target user has valid author or higher credentials.

kernel

  • Author: vmiklos
  • Vulnerable: 2.6.20-5terminus8
  • Unaffected: 2.6.20-5terminus9

Security issues have been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

  1. The AACRAID driver does not correctly check privileges for its IOCTLs. This can be exploited to perform potentially dangerous operations by sending certain IOCTLs to the driver.
  2. The kernel does not correctly enforce the configured signing options when mounting a CIFS file system. This weakens the protection the mount was expected to provide and can be leveraged to perform further attacks.
  3. An error within the driver for i965G and later chipsets can be exploited to e.g. gain escalated privileges by modifying physical memory.

CVEs:

gdm

  • Author: voroskoi
  • Vulnerable: 2.18.0-1
  • Unaffected: 2.18.0-2terminus1

A vulnerability has been discovered in GNOME Display Manager, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to the GDM daemon improperly handling NULL values returned by the “g_strsplit” function. This can be exploited to crash the GNOME Display Manager by sending specially crafted requests to the local GDM socket.

CVEs:

python

  • Author: voroskoi
  • Vulnerable: 2.5-3terminus1
  • Unaffected: 2.5-3terminus2

Some vulnerabilities have been reported in the Python tarfile module, which can be exploited by malicious people to compromise a vulnerable system. The vulnerabilities are caused due to input validation errors when extracting tar archives. This can be exploited to extract files to arbitrary locations outside the specified directory with the permissions of the application using the tarfile module by using the “../” directory traversal sequence or malicious symlinks in a specially crafted tar archive.
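The mechanism described above is worth seeing concretely. The following Python is an added example, not part of the advisory or of the tarfile module itself: it constructs a small archive in memory containing a benign file, a "../" traversal entry, an absolute symlink and a file placed through that symlink, then extracts it member by member, rejecting every entry whose real path (or link target) resolves outside the destination. The archive contents, the temporary directory layout and the function names are constructed for the example.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive (not a real-world sample)."""
    data = b"hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("good/file.txt")          # benign entry
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        info = tarfile.TarInfo("../evil.txt")            # "../" traversal
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("link")                   # absolute symlink
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)

        info = tarfile.TarInfo("link/pwn")               # file written through the link
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _is_within(base: str, target: str) -> bool:
    """True if target, after resolving symlinks on the live filesystem, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def safe_extract(tar_bytes: bytes, dest: str):
    """Extract one member at a time, re-checking against the real filesystem
    state so a symlink accepted earlier is followed when later members are checked."""
    dest = os.path.realpath(dest)
    # Python 3.12 (and security-fix releases of 3.8-3.11) provide the "data"
    # filter, which performs equivalent checks; use it when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            ok = not os.path.isabs(member.name) and _is_within(dest, target)
            if ok and member.issym():
                # a symlink target is relative to the link's own directory
                ok = _is_within(dest, os.path.join(os.path.dirname(target), member.linkname))
            elif ok and member.islnk():
                # a hard link target is relative to the archive root
                ok = _is_within(dest, os.path.join(dest, member.linkname))
            if not ok:
                rejected.append(member.name)
                continue
            tar.extract(member, dest, **extra)
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report the outcome."""
    root = tempfile.mkdtemp(prefix="fsa_tarfile_")
    dest = os.path.join(root, "out")
    os.mkdir(dest)
    extracted, rejected = safe_extract(build_malicious_tar(), dest)
    with open(os.path.join(dest, "good", "file.txt"), "rb") as fh:
        good = fh.read()
    return {
        "extracted": extracted,
        "rejected": rejected,
        "good_contents": good,
        "escaped": os.path.exists(os.path.join(root, "evil.txt")),
        "symlink_created": os.path.islink(os.path.join(dest, "link")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %r" % (key, value))
```

Checking realpath against the live destination after each extraction is what handles the symlink case: the rejected link never exists, so "link/pwn" becomes an ordinary directory and file under the destination, while a link that pointed inside the destination would be followed by realpath when the next member is checked. Extracting with extractall() on an untrusted archive, without such per-member checks or the "data" filter, is exactly the behaviour the advisory describes.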