Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

tor

  • Author: voroskoi
  • Vulnerable: 0.1.1.23-1
  • Unaffected: 0.1.1.26-1siwenna1
  1. Stop sending the HttpProxyAuthenticator string to directory servers when directory connections are tunnelled through Tor.
  2. Clients no longer store bandwidth history in the state file.
  3. Do not log introduction points for hidden services if SafeLogging is set.
  4. When the user sends a NEWNYM signal, clear the client-side DNS cache too. Otherwise we continue to act on previous information.

CVEs:

  • There is no CVE for these issues; see the tor changelog.

avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp

  • Author: voroskoi
  • Vulnerable: 0.6.13-2siwenna1
  • Unaffected: 0.6.13-3siwenna1

A vulnerability has been reported in Avahi, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error within the “consume_labels()” function in avahi-core/dns.c when handling compressed packets. This can be exploited to cause an endless loop by sending specially crafted packets with compression labels that refer to each other.
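The class of bug described above, handled defensively, as an added example (this is not Avahi's code): a DNS name decoder that caps the number of compression pointers it follows, so labels that refer to each other are rejected instead of looping. The names `read_name`, `MAX_HOPS`, `GOOD_PKT` and `LOOP_PKT` are assumptions made for the example, and both packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255  /* RFC 1035 limit on an encoded name */
#define MAX_HOPS 16   /* assumed cap on compression pointers per name */

/* Constructed: "foo.local" at offset 0, then "bar" + pointer to offset 4. */
static const uint8_t GOOD_PKT[] = { 3,'f','o','o', 5,'l','o','c','a','l', 0,
                                    3,'b','a','r', 0xC0,0x04 };
/* Constructed: two compression pointers that refer to each other. */
static const uint8_t LOOP_PKT[] = { 0xC0,0x02, 0xC0,0x00 };

/* Decode the name at pkt[off] into out as dotted text.
 * Returns 0 on success, -1 on truncated, oversized or looping input. */
int read_name(const uint8_t *pkt, size_t len, size_t off,
              char *out, size_t outlen)
{
    size_t used = 0;
    int hops = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t n = pkt[off];
        if (n == 0) {                        /* root label: end of name */
            if (used >= outlen) return -1;
            out[used] = '\0';
            return 0;
        }
        if ((n & 0xC0) == 0xC0) {            /* compression pointer */
            if (off + 1 >= len || ++hops > MAX_HOPS)
                return -1;                   /* bounded jumps: no endless loop */
            off = ((size_t)(n & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (n & 0xC0) return -1;             /* reserved label types */
        if (off + 1 + n > len || used + n + 1 > MAX_NAME || used + n + 2 > outlen)
            return -1;
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + off + 1, n);
        used += n;
        off += 1 + (size_t)n;
    }
}

int main(void) {
    char buf[MAX_NAME + 1];
    printf("%d\n", read_name(GOOD_PKT, sizeof GOOD_PKT, 11, buf, sizeof buf));
    printf("%d\n", read_name(LOOP_PKT, sizeof LOOP_PKT, 0, buf, sizeof buf));
    return 0;
}
```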

CVEs:

joomla

  • Author: voroskoi
  • Vulnerable: 1.0.11-1
  • Unaffected: 1.0.12-1siwenna1

Some vulnerabilities have been reported in Joomla!, where some have unknown impacts and one can be exploited by malicious people to conduct cross-site scripting attacks.

  1. Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. The vulnerabilities are caused by unspecified errors in Joomla!. The vendor describes them as “several low level security issues”. No further information is currently available.

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.17-6siwenna5
  • Unaffected: 2.6.17-6siwenna6

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

  1. An error exists within the handling of locking semaphores in “mincore()”. This can be exploited to cause a deadlock by using the function on unmapped pages.
  2. An error exists within the “zlib_inflate()” function when processing certain data streams. This can be exploited to corrupt memory by e.g. mounting a specially crafted cramfs image and performing a read operation on the mounted file system.
  3. The Kernel fails to handle corrupted data structures in the Ext2 file system correctly. This can be exploited to crash the system by mounting and reading a specially crafted file system image.

CVEs:

w3m

  • Author: voroskoi
  • Vulnerable: 0.5.1-2
  • Unaffected: 0.5.1-3siwenna1

A vulnerability has been reported in w3m, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerability is caused by a format string error when handling SSL certificates and can be exploited via a specially crafted SSL certificate containing format specifiers in the “CN” field. Successful exploitation may allow execution of arbitrary code when e.g. visiting a malicious website, but requires that the application is running with either the “-dump” or “-backend” option.

xorg-server

  • Author: voroskoi
  • Vulnerable: 1.1.1-5
  • Unaffected: 1.1.1-6siwenna1

Sean Larsson has reported some vulnerabilities in X.Org X11, which can be exploited by malicious, local users to gain escalated privileges. The vulnerabilities are caused by input validation errors within the “ProcRenderAddGlyphs()” function of the “Render” extension, and the “ProcDbeGetVisualInfo()” and “ProcDbeSwapBuffers()” functions of the “DBE” extension. This can be exploited to cause memory corruption by sending specially crafted X requests to the X server. Successful exploitation may allow the execution of arbitrary code with the privileges of the X server, but requires that the “Render” or “DBE” extensions are loaded.

cacti

  • Author: voroskoi
  • Vulnerable: 0.8.6h-1
  • Unaffected: 0.8.6i-1siwenna1

rgod has discovered four vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.

  1. The “cmd.php” and “copy_cacti_user.php” scripts do not properly restrict access to command line usage and are installed in a web-accessible location. Successful exploitation requires that “register_argc_argv” is enabled.
  2. Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that “register_argc_argv” is enabled.
  3. The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary shell commands.
  4. Input passed in the URL to copy_cacti_user.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows adding new administrator users, but requires that “register_argc_argv” is enabled.

Furthermore, it has been reported that other scripts may be exploitable under certain conditions. It has also been reported that script_server.php can be exploited to cause a DoS (denial of service).

CVEs:

drupal

  • Author: voroskoi
  • Vulnerable: 4.7.3-2siwenna1
  • Unaffected: 4.7.5-1siwenna1

A weakness has been reported in Drupal, which can be exploited by malicious users to conduct spoofing attacks. The weakness is caused by an unspecified error and can be exploited to change the page cache so existing pages return “page not found” errors. Successful exploitation requires valid user credentials with the ability to post content. It also requires the page cache to be enabled and that MySQL is used.

phpbb

  • Author: voroskoi
  • Vulnerable: 2.0.21-1
  • Unaffected: 2.0.22-1siwenna1

Some vulnerabilities have been discovered in phpBB, which can be exploited by malicious people to conduct cross-site request forgery attacks and cross-site scripting attacks.

  1. The application allows users to send messages via HTTP requests without performing any validity checks to verify the request. This can be exploited to send messages to arbitrary users by e.g. tricking a target user into visiting a malicious website.
  2. Input passed to the form field “Message body” in privmsg.php is not properly sanitised before it is returned to the user when sending messages to a non-existent user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Successful exploitation of the vulnerabilities requires that the target user is logged in.

CVEs:

vlc

  • Author: voroskoi
  • Vulnerable: 0.8.5-1
  • Unaffected: 0.8.6-1siwenna2

Kevin Finisterre and LMH have reported a vulnerability in VLC media player, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused by a format string error when handling “udp://” URIs and can be exploited via a specially crafted web site or an M3U file with a specially crafted udp:// URI containing format string specifiers as the file name. Successful exploitation allows execution of arbitrary code.