Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

aircrack-ng

  • Author: voroskoi
  • Vulnerable: 0.7-1
  • Unaffected: 0.7-2terminus1

Jonathan So has reported a vulnerability in Aircrack-ng, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a boundary error within the airodump-ng module when processing 802.11 authentication packets. This can be exploited to cause a stack-based buffer overflow via a specially crafted 802.11 packet. Successful exploitation allows execution of arbitrary code and requires that the application is logging packets with the -w or --write option.

clamav

  • Author: voroskoi
  • Vulnerable: 0.90.1-1
  • Unaffected: 0.90.2-1terminus1

Two vulnerabilities have been reported in Clam AntiVirus. One has an unknown impact, while the other can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

  1. An unspecified file descriptor leak error exists within libclamav/chmunpack.c.
  2. A signedness error exists within the “cab_unstore()” function in libclamav/cab.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted “.cab” file, and may allow execution of arbitrary code or crashing of the clamd process.

CVEs:

lighttpd

  • Author: voroskoi
  • Vulnerable: 1.4.13-2
  • Unaffected: 1.4.13-3terminus1

Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).

  1. An error exists during the parsing of the “\r\n\r\n” sequence. This can be exploited to cause an infinite loop by aborting the connection while the server parses the sequence, which e.g. results in a high CPU load and exhaustion of system resources.
  2. A NULL pointer dereference exists within the mtime handling of files. This can be exploited to cause a crash by requesting a file with mtime 0. Successful exploitation requires that the attacker can request or upload files with mtime 0, or can otherwise modify the mtime of files.

CVEs:

asterisk

  • Author: voroskoi
  • Vulnerable: 1.4.1-1
  • Unaffected: 1.4.2-2terminus1

A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of certain SIP INVITE messages. This can be exploited to crash the server by sending a SIP INVITE message with 2 SDP headers, where the second header contains an invalid IP address. Successful exploitation requires that the callee is an invalid dialplan or user.

qwerty1979 has reported a vulnerability in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the processing of SIP replies from a remote system and can be exploited to crash the service via the remote system sending a SIP reply containing SIP Response code 0.

A security issue has been reported in Asterisk, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to a problem within the AEL (Asterisk Extension Language) when generating switch extensions. Depending on the extension, an attacker may be able to guess and dial a special number, which could allow them to e.g. listen to the voicemails of other users.

madwifi

  • Author: voroskoi
  • Vulnerable: 0.9.2.1-9terminus1
  • Unaffected: 0.9.3-1terminus1

Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious people to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service).

  1. An error within the “ieee80211_input()” function when handling AUTH frames from IBSS nodes can be exploited to cause a kernel crash by sending specially crafted AUTH frames. Successful exploitation may require that the “Ad-Hoc” mode is used.
  2. MadWifi does not correctly handle Channel Switch Announcements. This can be exploited to force a channel switch thus interrupting the communication by injecting a Channel Switch Announcement with “CS Count” set to 1 or less.
  3. An error within ieee80211_output.c may cause unencrypted packets to be sent before the WPA authentication is completed. This can be exploited to gain knowledge of certain sensitive information, which may be leveraged for further attacks.

CVEs:

mod_perl

  • Author: voroskoi
  • Vulnerable: 2.0.3-1
  • Unaffected: 2.0.3-2terminus1

A vulnerability has been reported in mod_perl, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a regular expression in “RegistryCooker.pm” (mod_perl 2.x) or “PerlRun.pm” (mod_perl 1.x) that uses the “path_info” variable without properly escaping it. This can be exploited to cause a DoS by sending requests with specially crafted URLs to a vulnerable server.

qt4

  • Author: voroskoi
  • Vulnerable: 4.2.3-1
  • Unaffected: 4.2.3-2terminus1

Andreas Nolden has reported a vulnerability in Qt, which potentially can be exploited to conduct cross-site scripting attacks in applications using the Qt libraries. The vulnerability is caused due to Qt not properly rejecting overly long UTF-8 character sequences. This can be exploited to bypass certain character sanitation mechanisms and allow e.g. the execution of HTML and script code in applications depending on the correct behavior.

freetype2

  • Author: voroskoi
  • Vulnerable: 2.3.2-1
  • Unaffected: 2.3.3-1terminus1

A vulnerability has been reported in FreeType, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerability is caused due to an integer overflow when parsing BDF fonts. This can be exploited to cause a heap-based buffer overflow via a specially crafted BDF font.

CVEs:

evolution

  • Author: voroskoi
  • Vulnerable: 2.10.0-1
  • Unaffected: 2.10.0-2terminus1

Secunia Research has discovered a vulnerability in Evolution, which potentially can be exploited by malicious people to compromise a vulnerable system. A format string error in the “write_html()” function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo’s categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. Successful exploitation requires that the user opens a shared memo in their mailbox, clicks on “Accept”, and views the memo under the “Memo” tab.

libx11

  • Author: voroskoi
  • Vulnerable: 1.1.1-1
  • Unaffected: 1.1.1-2terminus1

Some vulnerabilities have been reported in X.Org X11, which potentially can be exploited by malicious local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

  1. An integer overflow exists within the parsing of BDF fonts. This can be exploited to cause a heap-based buffer overflow via a specially crafted BDF font. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  2. An integer overflow exists within the parsing of the “fonts.dir” fonts information file. This can be exploited to cause a heap-based buffer overflow via a specially crafted fonts information file that specifies an element count of more than 1,073,741,824 in the first line. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  3. An input validation error exists within the “ProcXCMiscGetXIDList()” function of the XC-MISC extension. This can be exploited to cause a stack-based (if the “alloca()” function is available) or heap-based memory corruption by passing specially crafted parameters to the function. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  4. An integer overflow exists within the “XGetPixel()” function in ImUtil.c. This can be exploited to cause a crash or disclose potentially sensitive information by passing specially crafted parameters to the function.

CVEs: