Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

vim

  • Author: vmiklos
  • Vulnerable: 7.0-4terminus1
  • Unaffected: 7.0-4terminus2

Secunia Research has discovered a vulnerability in Vim, which can be exploited by malicious people to compromise a vulnerable system. A format string error in the “helptags_one()” function in src/ex_cmds.c when running the “helptags” command can be exploited to execute arbitrary code via specially crafted help files. Successful exploitation requires that the user is tricked into running “helptags” on malicious data.

CVEs:

firefox

  • Author: vmiklos
  • Vulnerable: 2.0.0.4-1terminus1
  • Unaffected: 2.0.0.6-1terminus1

  1. Michal Zalewski has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information and conduct spoofing attacks. The vulnerability is caused due to an error in the handling of the “wyciwyg://” URI handler. This can be exploited to access or spoof contents from a previously cached web site e.g. via HTTP 302 redirects when a user visits a malicious web page.
  2. The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking Firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using other browsers.
  3. Various errors in the browser engine can be exploited to cause memory corruption and potentially to execute arbitrary code.
  4. Various errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.
  5. An error in the “addEventListener” and “setTimeout” methods can be exploited to inject script into another site’s context, circumventing the browser’s same-origin policy.
  6. An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site.
  7. An unspecified error in the handling of elements outside of documents allows an attacker to call an event handler and execute arbitrary code with chrome privileges.
  8. An unspecified error in the handling of “XPCNativeWrapper” can lead to execution of user-supplied code.
  9. The vulnerability is caused due to an error within the handling of “about:blank” pages loaded by chrome in an addon. This can be exploited to execute script code under chrome privileges by e.g. clicking on a link opened in an “about:blank” window created and populated in certain ways by an addon. Successful exploitation requires that certain addons are installed.

CVEs:

gimp

  • Author: vmiklos
  • Vulnerable: 2.2.13-2terminus1
  • Unaffected: 2.2.13-2terminus2

Some vulnerabilities have been reported in Gimp, which can be exploited by malicious people to compromise a user’s system.

  1. An integer overflow exists within the function “seek_to_and_unpack_pixeldata()” in plug-ins/common/psd.c. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted PSD file with large width or height values.
  2. Multiple integer overflows exist within the DICOM, PNM, PSD, PSP, Sun RAS, XBM, and XWD loader plugins. These can potentially be exploited to cause a heap-based buffer overflow by tricking a user into opening specially crafted image files. Successful exploitation may allow execution of arbitrary code.
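The width and height arithmetic behind the loader bugs above, as an added example (not GIMP's code): a size computation that rejects headers whose pixel count would wrap, beside the unchecked form that hands a wrapped value to the allocator. The 1 GiB cap and the 16-bytes-per-pixel limit are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Size an image's pixel buffer from header fields without letting
 * width * height * bytes_per_pixel wrap around. On overflow the header is
 * rejected instead of yielding a small allocation that the real pixel data
 * would later overrun (the PSD, DICOM, PNM, ... loader pattern above). */
#define MAX_PIXEL_BYTES ((uint64_t)1 << 30)  /* this example's policy cap: 1 GiB */

/* Returns 1 and stores the byte count in *out, or 0 if the header is unsafe. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    uint64_t pixels;
    /* bpp > 16 is an assumed sanity limit (e.g. 4 channels x 32-bit float) */
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16) return 0;
    pixels = (uint64_t)width * height;            /* 32 x 32 bits fits in 64 */
    if (pixels > MAX_PIXEL_BYTES / bpp) return 0;  /* would exceed cap or wrap */
    *out = (size_t)(pixels * bpp);
    return 1;
}

/* What unchecked 32-bit arithmetic yields for the same header: the value a
 * vulnerable loader would hand to malloc(). */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;                  /* silently wraps mod 2^32 */
}

/* Allocate the pixel buffer only for a header that validates. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;
    if (!checked_pixel_bytes(width, height, bpp, &bytes)) return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed header: 65537 x 65537 x 1 byte wraps to 131073 in 32 bits. */
    size_t ok;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_pixel_bytes(65537, 65537, 1));
    printf("checked: %s\n",
           checked_pixel_bytes(65537, 65537, 1, &ok) ? "accepted" : "rejected");
    return 0;
}
```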

CVEs:

bind

  • Author: vmiklos
  • Vulnerable: 9.4.1-1terminus2
  • Unaffected: 9.4.1-1terminus1

Amit Klein has reported a vulnerability in BIND, which can be exploited by malicious people to poison the DNS cache. The vulnerability is caused due to predictable query IDs in outgoing queries (e.g. when BIND works as a resolver or when sending NOTIFYs to slaves) and can be exploited to poison the DNS cache when the query ID is guessed. Reportedly, for 50% of the queries (those where the query ID is even), the chance of guessing the next query ID is 1 in 8.

c-ares

  • Author: vmiklos
  • Vulnerable: 1.3.2-2
  • Unaffected: 1.4.0-1terminus1

A vulnerability has been reported in c-ares, which can be exploited by malicious people to poison the DNS cache. The vulnerability is caused due to a predictable DNS “Transaction ID” field in DNS queries and can be exploited to poison the DNS cache of an application using the library if a valid ID is guessed.

CVEs:

kvirc

  • Author: vmiklos
  • Vulnerable: 3.2.0-2
  • Unaffected: 3.2.5-1terminus1

Secunia Research has discovered a vulnerability in KVIrc, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to the “parseIrcUrl()” function in src/kvirc/kernel/kvi_ircurl.cpp not properly sanitising parts of the URI when building the command for KVIrc’s internal script system. This can be exploited to inject and execute commands for the KVIrc script system (including the “run” command, which can be leveraged to execute shell commands) by e.g. tricking a user into opening a malicious “irc://” (or similar URI like “irc6://”) URI. Successful exploitation requires that KVIrc is the default handler for “irc://” or similar URIs.

libarchive

  • Author: vmiklos
  • Vulnerable: 1.3.1-2
  • Unaffected: 1.3.1-3terminus1

Some vulnerabilities have been reported in libarchive, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to a NULL pointer dereference, an infinite loop, and a buffer overflow when processing certain malformed pax extension headers. These can be exploited to crash an application, cause a high CPU load or potentially execute arbitrary code by tricking a user or an automated system into processing a specially crafted archive file with an application using the library.

perl-net-dns

  • Author: vmiklos
  • Vulnerable: 0.59-1
  • Unaffected: 0.60-1terminus1

Two vulnerabilities have been reported in the Net::DNS Perl module, which can be exploited to poison the DNS cache or to cause a DoS (Denial of Service).

  1. An error exists in the handling of DNS queries where IDs are incremented with a fixed value and are additionally used for child processes in a forking server. This can be exploited to poison the DNS cache of an application using the module if a valid ID is guessed.
  2. An error in the pure-Perl (PP) implementation of the “dn_expand()” function can be exploited to cause a stack overflow due to an endless loop via a specially crafted DNS packet.
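A defender-side check for the predictable-ID weakness shared by the bind, c-ares and Net::DNS entries above (the two signals used here are a fixed increment between consecutive IDs and IDs reused within the window), as an added example rather than code from any of those projects. The thresholds and the sample ID sequence are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Audit a sequence of DNS query IDs (for example the ID field of a
 * resolver's outgoing queries, read from a packet capture) for the two
 * weaknesses the BIND, c-ares and Net::DNS entries describe: a fixed
 * increment between consecutive IDs, and IDs reused within the window. */
struct txid_report {
    uint16_t step;        /* most common (id[i+1] - id[i]) mod 65536 */
    double   step_share;  /* fraction of transitions using that step */
    size_t   repeats;     /* IDs already seen earlier in the window */
    int      predictable; /* 1 if either signal crosses its threshold */
};

struct txid_report audit_txids(const uint16_t *ids, size_t n)
{
    static size_t hist[65536];        /* histogram of ID deltas */
    static unsigned char seen[65536]; /* presence map for repeat detection */
    struct txid_report r = {0, 0.0, 0, 0};
    size_t i, best = 0;
    memset(hist, 0, sizeof hist);
    memset(seen, 0, sizeof seen);
    for (i = 0; i < n; i++) {
        if (seen[ids[i]]) r.repeats++;
        seen[ids[i]] = 1;
        if (i + 1 < n) {
            uint16_t d = (uint16_t)(ids[i + 1] - ids[i]); /* wraps mod 65536 */
            if (++hist[d] > hist[best]) best = d;
        }
    }
    if (n > 1) {
        r.step = (uint16_t)best;
        r.step_share = (double)hist[best] / (double)(n - 1);
    }
    /* Thresholds are this example's own choice: a random 16-bit sequence of
     * a few hundred queries has no dominant delta and almost no repeats. */
    r.predictable = (r.step_share >= 0.5) || (r.repeats > n / 10);
    return r;
}

int main(void)
{
    /* Constructed sample: IDs that grow by a fixed value of 1 per query,
     * crossing the 16-bit wraparound. */
    const uint16_t fixed[] = {0xfffc, 0xfffd, 0xfffe, 0xffff, 0x0000, 0x0001};
    struct txid_report r = audit_txids(fixed, sizeof fixed / sizeof fixed[0]);
    printf("step=%u share=%.2f repeats=%zu predictable=%d\n",
           (unsigned)r.step, r.step_share, r.repeats, r.predictable);
    return 0;
}
```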

CVEs:

tcpdump

  • Author: vmiklos
  • Vulnerable: 3.9.5-2
  • Unaffected: 3.9.5-3terminus1

mu-b has reported a vulnerability in tcpdump, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to the incorrect use of the return value of “snprintf()” in print-bgp.c. This can be exploited to cause a buffer overflow by sending specially crafted BGP packets. Successful exploitation may allow the execution of arbitrary code.
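The snprintf() return-value pitfall named in this entry, as an added example that is not tcpdump's code: snprintf() reports the length the full output would have needed, so a writer that advances its offset by that raw value steps out of the buffer, while the hardened appender clamps it first. The 16-byte buffer and the attribute names are constructed for the demonstration, and that print-bgp.c misused the value in exactly this shape is an assumption.

```c
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
/* snprintf() returns the length the COMPLETE output would have had, not the
 * number of bytes it wrote. Advancing a write offset by that raw value steps
 * past the end of the buffer once a field is longer than the space left. */
struct outbuf { char *p; size_t cap; size_t len; int truncated; };

void ob_init(struct outbuf *ob, char *storage, size_t cap)
{
    ob->p = storage; ob->cap = cap; ob->len = 0; ob->truncated = 0;
    if (cap) storage[0] = '\0';
}

/* Hardened append: clamp the return value before it becomes an offset. */
void ob_appendf(struct outbuf *ob, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t avail = ob->cap - ob->len;   /* >= 1 unless cap is 0: room for NUL */
    if (avail == 0) return;
    va_start(ap, fmt);
    n = vsnprintf(ob->p + ob->len, avail, fmt, ap);
    va_end(ap);
    if (n < 0) return;                  /* encoding error: nothing usable */
    if ((size_t)n >= avail) {           /* output was cut short */
        ob->len = ob->cap - 1;          /* park on the terminating NUL */
        ob->truncated = 1;
    } else {
        ob->len += (size_t)n;
    }
}

/* The unsafe accounting as a plain number: where "len += snprintf(...)" would
 * place its next write. Computed, never used as a pointer. */
size_t unsafe_next_offset(size_t len, const char *field)
{
    return len + (size_t)snprintf(NULL, 0, "%s ", field);
}

int main(void)
{
    /* Constructed sample: BGP attribute names that overflow a 16-byte buffer. */
    const char *fields[] = {"ORIGIN", "AS_PATH", "NEXT_HOP", "MULTI_EXIT_DISC"};
    char storage[16]; struct outbuf ob; size_t i, bad = 0;
    ob_init(&ob, storage, sizeof storage);
    for (i = 0; i < 4; i++) {
        bad = unsafe_next_offset(bad, fields[i]);
        ob_appendf(&ob, "%s ", fields[i]);
    }
    printf("safe: \"%s\" (len %zu, truncated %d)\n", ob.p, ob.len, ob.truncated);
    printf("unsafe offset would reach %zu in a %zu-byte buffer\n", bad, sizeof storage);
    return 0;
}
```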

CVEs:

lighttpd

  • Author: vmiklos
  • Vulnerable: 1.4.13-3terminus1
  • Unaffected: 1.4.16-1terminus1

Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

  1. An error in the processing of HTTP headers can be exploited to cause a DoS by sending duplicate HTTP headers with a trailing whitespace character.
  2. An error in mod_auth can be exploited to cause a DoS by sending requests with the algorithm set to “MD5-sess” and without a cnonce.
  3. An error when parsing Auth-Digest headers in mod_auth can potentially be exploited to cause a DoS by sending multiple whitespace characters.
  4. An error exists in the mechanism that limits the number of active connections. This can be exploited to cause a DoS.
  5. An error exists in the processing of HTTP requests. This can be exploited to access restricted files by adding a “/” to a URL.
  6. An error exists in mod_scgi. This can be exploited to cause a DoS by sending an SCGI request and closing the connection while lighttpd processes the request.
  7. The return value of “base64_decode” in mod_auth was not checked properly when parsing the credentials for basic authentication, which could lead to accessing uninitialized memory.
  8. An error in the header parsing code can lead to access of memory outside of the original boundaries and can cause memory corruption. This can potentially be exploited to execute arbitrary code.

CVEs: