Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

qt

  • Author: vmiklos
  • Vulnerable: 3.3.7-4
  • Unaffected: 3.3.7-5terminus1

A vulnerability has been reported in Qt, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by a format string error in QTextEdit when handling error messages. This can be exploited to execute arbitrary code by e.g. causing an application linked against Qt to parse specially crafted text.

CVEs:

asterisk

  • Author: vmiklos
  • Vulnerable: 1.4.2-2terminus2
  • Unaffected: 1.4.8-1terminus1

Some vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. A boundary error exists in the Asterisk STUN implementation, which can be exploited to cause the application to crash via specially crafted RTP packets. Successful exploitation requires that chan_sip, chan_gtalk, chan_jingle, chan_h323, chan_mgcp, or chan_skinny is enabled. The vulnerability is reported in the following products: Asterisk Open Source 1.4.x prior to version 1.4.8; AsteriskNOW pre-release prior to version beta7; Asterisk Appliance Developer Kit prior to version 0.5.0; s800i 1.0.x prior to version 1.0.2.
  2. A boundary error exists in the Asterisk Skinny channel driver (chan_skinny), which can be exploited to cause the application to crash via packets that contain a size field smaller than the actual size of the packet. Successful exploitation requires that chan_skinny is enabled.
  3. A NULL-pointer dereference error exists in the Asterisk IAX2 channel driver (chan_iax2), which can be exploited to cause a DoS via specially crafted LAGRQ and LAGRP frames. Successful exploitation requires that chan_iax is enabled.
  4. A boundary error exists in the Asterisk IAX2 channel driver (chan_iax2) within the handling of RTP frames. This can be exploited to cause a stack-based buffer overflow by sending large data payloads (more than 4096 bytes) in a voice or video frame. Successful exploitation of this vulnerability allows execution of arbitrary code, but requires that the system is configured to connect channels that use RTP and IAX channels.

CVEs:

drupal

  • Author: vmiklos
  • Vulnerable: 4.7.5-1
  • Unaffected: 4.7.7-1terminus1

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via “some server variables,” including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.

CVEs:

apache

  • Author: vmiklos
  • Vulnerable: 2.2.4-1
  • Unaffected: 2.2.4-2terminus1

Some vulnerabilities have been acknowledged in Apache, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to conduct cross-site scripting attacks.

  1. An error in the mod_status module can be exploited by malicious people to conduct cross-site scripting attacks.
  2. An error in the Multi-Processing Module (MPM) can be exploited by malicious, local users to cause a DoS.
  3. An error in the mod_cache module in the handling of Cache-Control headers can be exploited to crash the child process via specially crafted requests. This could lead to a DoS if using a threaded Multi-Processing Module.

CVEs:

clamav

  • Author: vmiklos
  • Vulnerable: 0.90.2-1terminus2
  • Unaffected: 0.90.2-1terminus3

Metaeye SG has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by a NULL-pointer dereference error within libclamav/unrar/unrarvm.c when handling RAR archives and can be exploited to cause a crash via a specially crafted RAR archive.

CVEs:

joomla

  • Author: vmiklos
  • Vulnerable: 1.0.12-2terminus1
  • Unaffected: 1.0.13-1terminus1

Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious people to conduct session fixation attacks, cross-site scripting attacks or HTTP response splitting attacks.

  1. Certain unspecified input passed in com_search, com_content and mod_login is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. Input passed to the “url” parameter is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user’s browser session in context of an affected site.
  3. An error exists in the handling of sessions and can be exploited to hijack another user’s session by tricking the user into logging in after following a specially crafted link.

CVEs:

libvorbis

  • Author: vmiklos
  • Vulnerable: 1.1.2-1
  • Unaffected: 1.2.0-1terminus1

David Thiel has reported some vulnerabilities in libvorbis, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

  1. A boundary error exists in the way the “_01inverse()” function in res.c processes “blocksize_0” and “blocksize_1” values, which can be exploited to cause a heap overwrite.
  2. A boundary error exists in the way the “vorbis_info_clear()” function in info.c processes invalid mapping types, which can be exploited to trigger a call to a value outside the dispatch table.
  3. Invalid “blocksize” values passed to the “vorbis_dsp_clear()” function in block.c result in an invalid memory access, which can be exploited to cause a DoS.

CVEs:

xpdf

  • Author: vmiklos
  • Vulnerable: 3.01-4
  • Unaffected: 3.02-1terminus1

A vulnerability has been reported in Xpdf, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerability is caused by an integer overflow within “StreamPredictor::StreamPredictor()” in xpdf/Stream.cc and can be exploited to cause a buffer overflow by e.g. tricking a user into opening a specially crafted PDF file in Xpdf. Successful exploitation may allow the execution of arbitrary code.