Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

findutils

  • Author: voroskoi
  • Vulnerable: 4.3.2-1
  • Unaffected: 4.3.2-2terminus1

A vulnerability has been reported in GNU findutils, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused by a boundary error when parsing “old” style formatted locate databases. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into running locate on a specially crafted “old” style database containing an overly long path (more than 1026 bytes).

mplayer

  • Author: voroskoi
  • Vulnerable: 1.0rc1-4terminus2
  • Unaffected: 1.0rc1-4terminus3

Secunia Research has discovered some vulnerabilities in MPlayer, which can be exploited by malicious people to compromise a user’s system.

  1. A boundary error within the “cddb_query_parse()” function in stream/stream_cddb.c when parsing album titles can be exploited to cause a stack-based buffer overflow by tricking a user into parsing malicious CDDB entries via overly long album titles. Successful exploitation allows execution of arbitrary code.
  2. Boundary errors within the “cddb_parse_matches_list()” and “cddb_read_parse()” functions in stream/stream_cddb.c when parsing album and category titles can be exploited to cause stack-based buffer overflows by tricking a user into parsing malicious CDDB entries with overly long album or category titles. Successful exploitation allows execution of arbitrary code, but may require that the user connects to a malicious server.

CVEs:

mutt-devel

  • Author: voroskoi
  • Vulnerable: 1.5.14-1
  • Unaffected: 1.5.14-2terminus1

A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user’s privileges, but requires that the malicious user has a specially crafted realname and exists in the target user’s alias file. Also fixes http://dev.mutt.org/trac/ticket/2846

CVEs:

php

  • Author: voroskoi
  • Vulnerable: 5.2.2-1terminus2
  • Unaffected: 5.2.3-1terminus1

A weakness and a vulnerability have been reported in PHP 5, which can be exploited by malicious, local users to bypass certain security restrictions.

  1. An integer overflow error in the “chunk_split()” function can be exploited to cause a heap-based buffer overflow. Successful exploitation of this vulnerability may allow execution of arbitrary code, which can lead to security restrictions, such as the “disable_functions” directive, being bypassed.
  2. An error in the “realpath()” function allows bypassing of the “open_basedir” restriction and identifying the existence of files.

Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused by the use of an incorrect regular expression within the “FILTER_VALIDATE_EMAIL” filter of the ext/filter extension. This can be exploited to inject newlines via specially crafted email addresses, which may allow mail header injection.

CVEs:

file

  • Author: voroskoi
  • Vulnerable: 4.20-1
  • Unaffected: 4.21-1terminus1

A vulnerability has been reported in file, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an unspecified integer underflow within the “file_printf” function, which can be exploited to cause a heap-based buffer overflow.

CVEs:

firefox

  • Author: voroskoi
  • Vulnerable: 2.0.0.3-1terminus1
  • Unaffected: 2.0.0.4-1terminus1

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user’s system.

  1. Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.
  2. An error in the “addEventListener” method can be exploited to inject script into another site, circumventing the browser’s same-origin policy. This could be used to access or modify sensitive information from the other site.
  3. An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar.

CVEs:

gd

  • Author: voroskoi
  • Vulnerable: 2.0.34-1
  • Unaffected: 2.0.34-2terminus1

Xavier Roche has reported a vulnerability in GD Graphics Library, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by the incorrect use of libpng within the function “gdPngReadData()” when processing truncated data. This can be exploited to cause an infinite loop by e.g. tricking an application using the library to process a specially crafted file.

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.20-5terminus3
  • Unaffected: 2.6.20-5terminus4

Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information.

  1. A memory leak exists when releasing PPPoE sockets after they are connected, but before the “PPPIOCGCHAN” ioctl is called. This can be exploited to cause a DoS due to memory exhaustion.
  2. An error within the “_udp_lib_get_port()” function in net/ipv4/udp.c can be exploited to intercept traffic by binding to a port using a local address if a wildcard bind exists with a local address to that port.

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.20-5terminus4
  • Unaffected: 2.6.20-5terminus5

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The security issue is caused by an error within the handling of certain VFAT IOCTLs on 64-bit systems, which can be exploited to crash the kernel by calling certain IOCTLs with malicious parameters. Successful exploitation requires a 64-bit system and vfat and msdos file systems.

mutt

  • Author: voroskoi
  • Vulnerable: 1.4.2.2-2
  • Unaffected: 1.4.2.2-3terminus1

A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user’s privileges, but requires that the malicious user has a specially crafted realname and exists in the target user’s alias file. Also fixes http://dev.mutt.org/trac/ticket/2846

CVEs: