Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

firefox

  • Author: voroskoi
  • Vulnerable: 1.5.0.9-1siwenna1
  • Unaffected: 1.5.0.10-1siwenna1

Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, gain knowledge of sensitive information, and potentially compromise a user’s system.

  1. An error in the handling of the “location.hostname” DOM property can be exploited to bypass certain security restrictions.
  2. It is possible to conduct cross-site scripting attacks against sites containing a frame with a “data:” URI as source. Successful exploitation requires that a user is tricked into visiting a malicious website and opening a blocked popup.
  3. It is possible to open windows containing local files and thereby steal their contents when the full path of a locally saved file containing malicious script code is known. This can be combined with a flaw in the seeding of the pseudo-random number generator, which causes downloaded files to be saved to temporary files with somewhat predictable names. Successful exploitation requires that a user is tricked into visiting a malicious website and opening a blocked popup.
  4. Browser UI elements like the host name and security indicators can be spoofed using a specially crafted custom cursor and manipulating the CSS3 hotspot property.
  5. It may be possible to gain knowledge of sensitive information from a website due to an error resulting in two web pages colliding in the disk cache thereby potentially appending part of one document to the other. Successful exploitation requires that a user is tricked into visiting a malicious website while visiting the target website.
  6. Various errors in the Mozilla parser when handling invalid trailing characters in HTML tag attribute names, and during processing of UTF-7 content when child frames inherit the character set of their parent window, can be exploited to conduct cross-site scripting attacks.
  7. A vulnerability in the Password Manager may be exploited to conduct phishing attacks.
  8. Multiple memory corruption errors exist in the layout engine, JavaScript engine, and in SVG. Some of these may be exploited to execute arbitrary code on a user’s system.
  9. An error within the handling of the onUnload event handler and self-modifying document.write() calls can be exploited to corrupt memory and potentially execute arbitrary code.

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.17-6siwenna7
  • Unaffected: 2.6.17-6siwenna8

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an invalid freeing of a pointer when handling NFSACL 2 “ACCESS” requests, which can be exploited to crash the kernel.

CVEs:

ekiga

  • Author: voroskoi
  • Vulnerable: 2.0.2-2
  • Unaffected: 2.0.2-3siwenna1

A vulnerability has been reported in Ekiga, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to format string errors when the “gm_main_window_flash_message()” function is invoked. This can be exploited to crash the application or potentially execute arbitrary code by sending a specially crafted Q.931 SETUP packet.

CVEs:

mediawiki

  • Author: voroskoi
  • Vulnerable: 1.7.2-1siwenna1
  • Unaffected: 1.7.3-1siwenna1

Moshe BA has reported a vulnerability in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “rs” parameter in index.php (when “action” is set to “ajax”) is not properly sanitised against UTF-7-encoded data before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Successful exploitation requires that $wgUseAjax is set to true (not the default setting) and that the target user uses Internet Explorer with encoding auto-detection enabled.
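To make the mechanism behind this advisory concrete, the following is an added example (not MediaWiki code): it spells the HTML metacharacters of a script payload as UTF-7 shift blocks, shows that an escaping filter which only looks for <, >, &, " and ' leaves the result untouched, and shows what a browser that guesses UTF-7 would render. The hardened side, an explicit charset in the Content-Type header, is the generic defence against encoding sniffing and is not a description of the MediaWiki 1.7.3 patch itself. The payload and header values are constructed.

```python
import base64
import html

# Added example, not MediaWiki code. UTF-7 lets an attacker write <, >, &, " and ' using
# only ASCII letters, digits, '+' and '-'. A filter that escapes those five characters
# therefore sees nothing to do, while a browser that auto-detects the encoding of a
# response carrying no charset declaration may decode the text as UTF-7 and run the script.

HTML_META = set('<>&"\'')


def utf7_shift(text: str) -> str:
    """Return `text` as one UTF-7 shift block: '+' + base64(UTF-16BE), padding dropped, + '-'."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def utf7_disguise(markup: str) -> str:
    """Rewrite every HTML metacharacter of `markup` as a UTF-7 shift block; the rest stays literal."""
    return "".join(utf7_shift(c) if c in HTML_META else c for c in markup)


def survives_html_escape(text: str) -> bool:
    """True when html.escape() changes nothing, i.e. a character-level filter thinks the text is harmless."""
    return html.escape(text, quote=True) == text


def as_seen_by_utf7_sniffer(ascii_text: str):
    """What a browser that picks UTF-7 would render, or None if UTF-7 and ASCII agree on this text."""
    try:
        decoded = ascii_text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return decoded if decoded != ascii_text else None


def declares_charset(content_type: str) -> bool:
    """Hardened side: a Content-Type that names a charset leaves the browser nothing to guess."""
    params = [p.strip().lower() for p in content_type.split(";")[1:]]
    return any(p.startswith("charset=") and len(p) > len("charset=") for p in params)


def demo() -> dict:
    """Run a constructed payload through the weak filter and the two header variants."""
    payload = "<script>alert(1)</script>"          # constructed payload
    disguised = utf7_disguise(payload)
    return {
        "disguised": disguised,
        "passes_escape": survives_html_escape(disguised),
        "rendered_as_utf7": as_seen_by_utf7_sniffer(disguised),
        "weak_header_ok": declares_charset("text/html"),                 # constructed weak header
        "fixed_header_ok": declares_charset("text/html; charset=UTF-8"),  # constructed fixed header
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The encoder deliberately uses its own shift-block construction rather than Python’s utf-7 codec, because Python encodes <, > and the other “Set O” characters directly and would never produce the disguised form; the decoder side is the standard codec, which is what an auto-detecting browser effectively applies.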

php

  • Author: voroskoi
  • Vulnerable: 5.1.6-4siwenna1
  • Unaffected: 5.1.6-5siwenna1

Several vulnerabilities and a weakness have been reported in PHP, where some have unknown impacts and others can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. The “safe_mode” and “open_basedir” protection mechanisms can be bypassed via the session extension.
  2. Unspecified overflows can be exploited to cause a stack corruption in the session extension.
  3. Stack overflows exist in the “zip”, “imap”, and “sqlite” (PHP 5) extensions.
  4. A boundary error within the stream filters can be exploited to cause a buffer overflow.
  5. An integer overflow exists in the “str_replace()” function. This can be exploited to trigger an error when allocating memory and potentially allows the execution of arbitrary code, if the function is used on long, untrusted strings.
  6. An unspecified error when importing malicious WDDX data can be exploited to disclose random heap memory.
  7. A format string error exists in the *print() functions on 64-bit systems.
  8. Boundary errors exist within the “mail()” and the “ibase_add_user()”, “ibase_delete_user()”, and “ibase_modify_user()” functions and can be exploited to cause buffer overflows.
  9. A format string error exists in the “odbc_result_all()” function. Successful exploitation may allow the execution of arbitrary code, but requires that the attacker has control over the table contents of the used database.
  10. An error within the “imap_mail_compose()” function can be exploited to cause a heap based buffer overflow and may allow the execution of arbitrary code, if the function is used with untrusted input to create a new MIME message.
  11. A weakness within the “zend_hash_init()” function on 64-bit systems can be exploited to cause a DoS via CPU consumption until the script times out, by triggering an infinite loop when unserialising untrusted data.

CVEs:

kernel kernel-source

  • Author: voroskoi
  • Vulnerable: 2.6.17-6siwenna6
  • Unaffected: 2.6.17-6siwenna7

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to a NULL pointer dereference within the “key_alloc_serial()” function, which can be exploited to crash the Kernel.

CVEs:

clamav

  • Author: voroskoi
  • Vulnerable: 0.88.7-1siwenna1
  • Unaffected: 0.90-1siwenna1

Two vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. Input passed via the “id” parameter when parsing MIME headers is not properly sanitised before being used to create local files. This can be exploited to e.g. overwrite the anti-virus signature file via directory traversal attacks, preventing malware from being detected.
  2. A file descriptor leak in the processing of CAB files can be exploited to e.g. prevent legitimate users from sending out valid archives, via a specially crafted CAB file with a cabinet header containing a record length of zero.
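The first item is a plain path traversal: a value taken from an attacker’s MIME header is used as a file name under the scanner’s working directory. The following is an added example (not ClamAV code) that puts the weak construction beside a hardened one and runs both over constructed header values; the spool directory name and the sample ids are assumptions for the demonstration.

```python
import os

# Added example, not ClamAV code. A scanner that derives a file name from an attacker-controlled
# MIME header value must not let that value choose the directory. SPOOL_DIR and SAMPLE_IDS
# are constructed for this demonstration; nothing here touches the filesystem.

SPOOL_DIR = "/var/tmp/scanner-spool"   # assumed working directory of the scanner


def naive_target_path(mime_id: str, spool_dir: str = SPOOL_DIR) -> str:
    """Weak form: join the header value onto the spool directory and trust whatever comes out."""
    return os.path.abspath(os.path.join(spool_dir, mime_id))


def is_inside(path: str, directory: str) -> bool:
    """True when `path` is `directory` itself or lies beneath it after normalisation."""
    directory = os.path.abspath(directory)
    return os.path.commonpath([directory, os.path.abspath(path)]) == directory


def safe_target_path(mime_id: str, spool_dir: str = SPOOL_DIR) -> str:
    """Hardened form: accept only a bare file name, then prove containment anyway."""
    if not mime_id or "\x00" in mime_id:
        # a NUL would truncate the name in a C open(); reject rather than repair
        raise ValueError("empty or NUL-containing id")
    # treat backslashes as separators too, so the rule holds on every platform
    if mime_id != os.path.basename(mime_id.replace("\\", "/")) or mime_id in (".", ".."):
        raise ValueError(f"id must be a bare file name, got {mime_id!r}")
    target = naive_target_path(mime_id, spool_dir)
    if not is_inside(target, spool_dir):        # defence in depth behind the basename rule
        raise ValueError(f"id escapes {spool_dir}: {mime_id!r}")
    return target


SAMPLE_IDS = [                    # constructed header values an attacker could supply
    "part1.bin",                  # honest value
    "sub/part.bin",               # subdirectory: stays inside, but still not a bare name
    "../../share/clamav/main.cvd",  # the advisory's scenario: overwrite the signature file
    "/etc/passwd",                # absolute path replaces the spool directory entirely
    "..\\..\\main.cvd",           # Windows-style traversal
    "..",                         # the spool directory's parent
    "part1\x00.bin",              # NUL truncation attempt
]


def classify(mime_ids) -> dict:
    """For each id: (does the naive path escape the spool?, does the hardened form accept it?)."""
    results = {}
    for mime_id in mime_ids:
        naive_escapes = not is_inside(naive_target_path(mime_id), SPOOL_DIR)
        try:
            safe_target_path(mime_id)
            accepted = True
        except ValueError:
            accepted = False
        results[mime_id] = (naive_escapes, accepted)
    return results


if __name__ == "__main__":
    for mime_id, (escapes, accepted) in classify(SAMPLE_IDS).items():
        print(f"{mime_id!r:32} naive escapes spool: {escapes!s:5}  hardened accepts: {accepted}")
```

The containment check alone is not enough, which is why the hardened form rejects anything that is not a bare file name first: “sub/part.bin” and “part1\x00.bin” both pass a pure path-prefix test, yet the first hands the attacker directory structure and the second becomes a different file once a C runtime stops at the NUL.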

CVEs:

unrar

  • Author: voroskoi
  • Vulnerable: 3.6.8-1
  • Unaffected: 3.7.3-1siwenna1

A vulnerability has been reported in RARLabs UnRAR, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to a boundary error when processing password-protected archives using the UnRAR command line utility. This can be exploited to cause a stack-based buffer overflow via a specially crafted password-protected archive. Successful exploitation requires that the user is e.g. tricked into opening a password-protected archive and responding to the password prompt.

kdelibs kde-apidox

  • Author: voroskoi
  • Vulnerable: 3.5.4-3
  • Unaffected: 3.5.4-4siwenna1

A weakness has been discovered in Konqueror, which can potentially be exploited by malicious people to conduct cross-site scripting attacks. The weakness is caused due to an error in the parsing of comments within title tags of an HTML document. Arbitrary HTML and script code in a comment tag is executed in a user’s browser session when preceded by the corresponding closing title tag. Successful exploitation is possible on web sites that allow users to insert unsanitised HTML and script code within a comment into such a tag.