Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wordpress

  • Author: voroskoi
  • Vulnerable: 2.1.3-1terminus1
  • Unaffected: 2.2.1-1terminus1

Three vulnerabilities have been reported in WordPress.

  1. Janek Vind has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the “cookie” parameter in wp-admin/admin-ajax.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows e.g. retrieving administrator password hashes, but requires knowledge of the database table prefix.
  2. A vulnerability has been discovered in WordPress, which can be exploited by malicious users to conduct SQL injection attacks. Input passed to the “wp.suggestCategories” method in xmlrpc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows e.g. retrieving usernames and password hashes, but requires valid user credentials and knowledge of the database table prefix.
  3. Alexander Concha has discovered a vulnerability in WordPress and WordPress MU, which can be exploited by malicious users to bypass certain security restrictions and to compromise a vulnerable system. The vulnerability is caused due to improper authentication verification. This can be exploited to add the custom field “_wp_attached_file” to a post, upload a PHP script to an arbitrary path with wp-app.php or app.php, and execute arbitrary PHP code. Successful exploitation requires valid Editor credentials and that the system is configured to allow uploads.

clamav

  • Author: voroskoi
  • Vulnerable: 0.90.2-1terminus1
  • Unaffected: 0.90.2-1terminus2

Some vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. An error exists within the OLE2 parser when handling objects with malformed FAT partitions and large property sizes. This can be exploited to cause a DoS due to storage and CPU resource consumption by scanning a specially crafted OLE2 file.
  2. An error in the processing of RAR files can be exploited to crash the process via a specially crafted RAR file.
  3. A boundary error exists within the file /libclamav/unsp.c, which can be exploited to crash the process via a specially crafted NsPacked file.
  4. An incorrect regular expression in libclamav/phishcheck.c can be exploited to cause a DoS by consuming all available CPU resources via a specially crafted file.

CVEs:

evolution-data-server

  • Author: voroskoi
  • Vulnerable: 1.10.0-1
  • Unaffected: 1.10.0-2terminus1

Philip Van Hoof has reported a vulnerability in Evolution, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to the “imap_rescan()” function in camel/providers/imap/camel-imap-folder.c not properly sanitising the “SEQUENCE” value before being used to index arrays. This may be exploited to execute arbitrary code by e.g. tricking a user into using a malicious IMAP server.

gd

  • Author: voroskoi
  • Vulnerable: 2.0.34-2terminus1
  • Unaffected: 2.0.34-2terminus2

Some vulnerabilities have been reported in the GD Graphics Library, where some have unknown impact and others can potentially be exploited to cause a DoS.

  1. An integer overflow exists in the “gdImageCreateTrueColor()” function.
  2. An error in the “gdImageCreateXbm()” function can potentially be exploited to cause a crash.

CVEs:

libexif

  • Author: voroskoi
  • Vulnerable: 0.6.13-2terminus1
  • Unaffected: 0.6.13-2terminus2

A vulnerability has been reported in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerability is caused due to an integer overflow error within the “exif_data_load_data_entry()” function when handling EXIF component information and can be exploited to cause a heap based buffer overflow. Successful exploitation may allow an attacker to crash an application using the library or to execute arbitrary code.

openoffice.org

  • Author: voroskoi
  • Vulnerable: 2.1.0-6terminus1
  • Unaffected: 2.1.0-6terminus2

Some vulnerabilities have been reported in OpenOffice, which can potentially be exploited by malicious people to compromise a user’s system.

  1. An error exists when parsing the “prdata” tag in RTF files where the first token is smaller than the second one. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted RTF file.
  2. A vulnerability is caused due to the use of a vulnerable copy of the FreeType library, which can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted document.

CVEs:

vlc

  • Author: voroskoi
  • Vulnerable: 0.8.6-3
  • Unaffected: 0.8.6-4terminus1

Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused due to format string errors in the Ogg/Vorbis, Ogg/Theora, CDDA (CD Digital Audio), and SAP (Service Announce Protocol) plugins. These can be exploited to execute arbitrary code via a specially crafted .ogg or .ogm file (Vorbis/Theora), CDDB entry, or SAP/SDP message.

cacti

  • Author: voroskoi
  • Vulnerable: 0.8.6j-1
  • Unaffected: 0.8.6j-2terminus1

A vulnerability has been discovered in Cacti, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in graph_image.php, which can be exploited to use lots of system resources by passing malicious values to the “graph_start”, “graph_end”, “graph_width”, and “graph_height” parameters.

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.20-5terminus5
  • Unaffected: 2.6.20-5terminus6

Two vulnerabilities and a weakness have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information and by malicious people to cause a DoS (Denial of Service).

  1. A NULL-pointer dereference exists within netfilter when handling new SCTP connections with unknown chunk types. This can be exploited to crash the kernel by sending malicious packets.
  2. An underflow error within the “cpuset_task_read()” function in /kernel/cpuset.c can be exploited to read kernel memory, which may contain potentially sensitive information. Successful exploitation requires that the attacker has access to open the /dev/cpuset/tasks file (the cpuset file system needs to be mounted).
  3. The kernel does not handle seeds for the random number generator correctly. This may weaken the security of applications relying on the randomness of the kernel random number generator.

CVEs:

mutt-ng

  • Author: voroskoi
  • Vulnerable: 20070125-1
  • Unaffected: 20070125-2terminus1

A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user’s privileges, but requires that the malicious user has a specially crafted realname and exists in the target user’s alias file. This update also fixes http://dev.mutt.org/trac/ticket/2846

CVEs: