Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

truecrypt

  • Author: voroskoi
  • Vulnerable: 4.3-1terminus1
  • Unaffected: 4.3-2terminus1

When running without administrator privileges, TrueCrypt automatically attempts to elevate its access rights (if necessary) using the sudo command. The Linux version of TrueCrypt no longer supports the set-euid root mode of execution. These changes also prevent all discovered and undiscovered (if any) security issues related to the set-euid root mode of execution, including an issue affecting all previous Linux versions of TrueCrypt where a local non-administrator user could cause a denial of service or gain administrator privileges.

smb4k

  • Author: voroskoi
  • Vulnerable: 0.8.0-1
  • Unaffected: 0.8.3-1terminus1

Ben Hutchings discovered the following security weaknesses in the utility programs:

  1. Due to insufficient sanitization, smb4k_mount allowed a user to mount any (local) device if the program was used in combination with sudo or super.
  2. The function findprog(), which was present in smb4k_mount, smb4k_umount, and smb4k_kill, returned a pointer to memory that was freed when the function exited.
  3. The function replace_special_characters(), which was present in smb4k_mount and smb4k_umount, returned a pointer to memory that was freed after the function exited. Additionally, it didn’t replace the hyphen.

ktorrent

  • Author: voroskoi
  • Vulnerable: 2.1.2-1
  • Unaffected: 2.1.4-1terminus1

Two vulnerabilities have been reported in KTorrent, which can be exploited by malicious people to overwrite arbitrary files on a user’s system or to potentially compromise a user’s system.

  1. An input validation error when processing paths of filenames within torrents can be exploited to e.g. overwrite arbitrary files with the privileges of the user running the application via directory traversal attacks.
  2. An error in the processing of messages with invalid chunk indexes can be exploited to corrupt memory and may allow execution of arbitrary code.
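A check of the kind the first issue calls for, as an added example that is not KTorrent's code: every file path read from torrent metadata is validated component by component before it is joined to the download directory. The helper name `torrent_path_is_safe` and the sample paths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not KTorrent's code: decide whether a relative file
 * path taken from torrent metadata may be joined to the download directory. */
bool torrent_path_is_safe(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return false;
    /* Absolute paths are refused; backslashes are refused conservatively
     * because other platforms treat them as separators. */
    if (path[0] == '/' || strchr(path, '\\') != NULL)
        return false;

    const char *seg = path;
    while (true) {
        size_t len = strcspn(seg, "/");   /* length of current component */
        if (len == 0)
            return false;                 /* "a//b" or a trailing '/' */
        if (len == 1 && seg[0] == '.')
            return false;                 /* "." component */
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;                 /* parent-directory step */
        if (seg[len] == '\0')
            return true;                  /* last component was fine */
        seg += len + 1;                   /* skip the '/' */
    }
}

int main(void)
{
    /* Constructed sample paths. */
    const char *samples[] = { "album/track01.ogg", "../../outside.txt",
                              "/tmp/x", "a/../../b", "docs/..hidden" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               torrent_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A string check like this does not account for symbolic links that already exist inside the download directory, so the resolved destination should also be confirmed to lie under that directory before writing.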

CVEs:

phpmyadmin

  • Author: voroskoi
  • Vulnerable: 2.10.0.2-1
  • Unaffected: 2.10.1-1terminus1

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “fieldkey” parameter in browse_foreigners.php and input passed to the “PMA_sanitize()” function are not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

firefox-firebug

  • Author: voroskoi
  • Vulnerable: 1.01-1
  • Unaffected: 1.05-1terminus1

Two vulnerabilities have been reported in the Firebug extension for Mozilla Firefox, which can be exploited by malicious people to compromise a vulnerable system.

  1. Input passed to the “console.log()” function is not properly sanitised and can be exploited to e.g. execute arbitrary script code within the “chrome:” context by tricking a user into visiting a malicious website.
  2. Results of the “toString” method when processing function objects are not properly sanitised before being used. This can be exploited to e.g. execute arbitrary script code within the “chrome:” context by overriding the “toString” method with a specially crafted function.

CVEs:

imagemagick

  • Author: voroskoi
  • Vulnerable: 6.3.2_8-1
  • Unaffected: 6.3.2_8-2terminus1

Some vulnerabilities have been reported in ImageMagick, which can be exploited by malicious people to compromise a vulnerable system.

  1. An integer overflow error within the “ReadDCMImage()” function can be exploited to cause a heap-based buffer overflow when processing specially crafted DCM images.
  2. Two integer overflows within the “ReadXWDImage()” function when calculating the amount of memory to be allocated for the ‘colors’ or ‘comment’ fields can be exploited to cause heap-based buffer overflows when processing specially crafted XWD images.
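The size calculation behind both issues, as an added example that is not ImageMagick's code: a count read from an image header is multiplied by an entry size, and a wrapped product yields an allocation far smaller than the data later written into it. The function names, the entry cap and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on table entries accepted from a header. */
#define MAX_COLOR_ENTRIES 65536u

/* The flawed pattern: a 32-bit product that silently wraps modulo 2^32. */
uint32_t naive_size32(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;
}

/* Multiply count * size, failing instead of wrapping around. */
int checked_mul(size_t count, size_t size, size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return -1;
    *out = count * size;
    return 0;
}

/* Allocate a table for `ncolors` entries, where ncolors is an untrusted
 * header field. Returns NULL if the count is implausible or the byte size
 * cannot be represented. */
void *alloc_color_table(uint32_t ncolors, size_t entry_size)
{
    size_t bytes;
    if (ncolors == 0 || ncolors > MAX_COLOR_ENTRIES)
        return NULL;
    if (checked_mul(ncolors, entry_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed value: 0x15555556 * 12 = 2^32 + 8, which wraps to 8. */
    uint32_t ncolors = 0x15555556u;
    printf("naive size: %u bytes for %u entries\n",
           (unsigned)naive_size32(ncolors, 12u), (unsigned)ncolors);
    printf("checked allocation: %s\n",
           alloc_color_table(ncolors, 12) ? "granted" : "refused");
    return 0;
}
```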

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.20-5terminus1
  • Unaffected: 2.6.20-5terminus2

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error within the “atalk_sum_skb()” function when creating the checksum of an AppleTalk frame that is shorter than specified in the header. This can be exploited to trigger a “BUG_ON” condition by sending a specially crafted AppleTalk frame to a vulnerable system. Successful exploitation requires that the AppleTalk kernel module is loaded.
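The missing validation, shown in a simplified user-space model as an added example that is not the kernel's code or its patch: the length claimed in the header is compared with the number of bytes actually received before any checksum is computed. The 13-byte header size, the 10-bit length field in the first two bytes, the checksum starting at offset 4 and the function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DDP_HDR_LEN 13u   /* extended header size assumed by this model */

/* Rotate-and-add 16-bit sum over `len` bytes. */
static uint16_t sum_bytes(const uint8_t *p, size_t len)
{
    uint16_t sum = 0;
    while (len--) {
        sum = (uint16_t)(sum + *p++);
        sum = (uint16_t)((sum << 1) | (sum >> 15));   /* rotate left by 1 */
    }
    return sum;
}

/* Returns 0 and stores the checksum, or -1 if the frame must be dropped.
 * `received` is the number of bytes that actually arrived. */
int ddp_checksum_checked(const uint8_t *frame, size_t received, uint16_t *out)
{
    if (received < DDP_HDR_LEN)
        return -1;
    /* Low 10 bits of the first two bytes: length claimed by the sender. */
    size_t declared = (((size_t)frame[0] << 8) | frame[1]) & 0x3ffu;
    if (declared < DDP_HDR_LEN || declared > received)
        return -1;        /* header claims more bytes than were received */
    uint16_t sum = sum_bytes(frame + 4, declared - 4);
    *out = sum ? sum : 0xffff;
    return 0;
}

int main(void)
{
    /* Constructed frame: header claims 200 bytes, only 16 are present. */
    uint8_t frame[16] = { 0, 200 };
    uint16_t ck = 0;
    int rc = ddp_checksum_checked(frame, sizeof frame, &ck);
    printf("truncated frame: %s\n", rc == 0 ? "checksummed" : "dropped");
    return 0;
}
```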

opera

  • Author: voroskoi
  • Vulnerable: 9.10-1
  • Unaffected: 9.20-1terminus1

Stefan Esser has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerability exists because pages that do not specify a charset inherit the charset of the parent page. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of certain sites that are included e.g. via iframes in a malicious page that uses UTF-7 as charset. Successful exploitation requires that the user is tricked into visiting a malicious web site.

A vulnerability with an unknown impact has been reported in Opera. The vulnerability is caused by an unspecified error when using the Adobe Flash Player plug-in. The vulnerability is reported in Opera versions prior to 9.20 running on Linux, Solaris, or FreeBSD and using the Adobe Flash Player version 7 or 9.

wordpress

  • Author: voroskoi
  • Vulnerable: 2.1.2-1
  • Unaffected: 2.1.3-1terminus1

g30rg3_x has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “year” parameter when used in wp_title() is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

A vulnerability has been discovered in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “PHP_SELF” variable is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Sumit Siddharth has discovered two vulnerabilities in WordPress, which can be exploited by malicious users to conduct SQL injection attacks or to bypass certain security restrictions.