Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

mplayer

  • Author: voroskoi
  • Vulnerable: 1.0pre8-5
  • Unaffected: 1.0pre8-6siwenna1

The code mentioned in DSA 1244-1 is also included in MPlayer. A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array without performing any bounds check. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker cannot write arbitrary data into the buffer, creating a working exploit is very hard, but a DoS attack is easily made.
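The pattern described above, as an added illustration that is not MPlayer's code: a loop that records every matching rule in a fixed-size array, first without any bound on the write index and then with one that stops at the array capacity and reports truncation. The rule set, the bandwidth-style match condition, MAX_MATCHES and all function names are constructed for the example; the advisory gives neither the real array size nor the rule syntax.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical size of the fixed result array (not the real value). */
#define MAX_MATCHES 8
#define MAX_SERVER_RULES 64

/* Vulnerable shape: every matching rule index is stored, and the only bound on
 * the number of matches is how many rules the server chose to send.  A server
 * that sends more than MAX_MATCHES matching rules overruns out[]. */
static int collect_matches_unbounded(const int *rule_bw, int nrules,
                                     int client_bw, int out[MAX_MATCHES])
{
    int n = 0;
    for (int i = 0; i < nrules; i++)
        if (rule_bw[i] <= client_bw)
            out[n++] = i;              /* no check that n < MAX_MATCHES */
    return n;
}

/* Hardened shape: the write is bounded by the array capacity, and the caller
 * learns that matches were dropped so it can reject the stream rather than
 * silently continue with a partial list. */
static int collect_matches_bounded(const int *rule_bw, int nrules,
                                   int client_bw, int *out, size_t out_cap,
                                   int *truncated)
{
    int n = 0;
    *truncated = 0;
    for (int i = 0; i < nrules; i++) {
        if (rule_bw[i] > client_bw)
            continue;
        if ((size_t)n >= out_cap) {    /* array full: flag it and stop writing */
            *truncated = 1;
            break;
        }
        out[n++] = i;
    }
    return n;
}

/* Constructed stand-in for a server response: nrules rules that all match a
 * client bandwidth of 100000 bit/s.  Only the bounded variant is fed this. */
static int demo_bounded(int nrules, int *truncated)
{
    int rule_bw[MAX_SERVER_RULES];
    int matches[MAX_MATCHES];
    if (nrules > MAX_SERVER_RULES)
        nrules = MAX_SERVER_RULES;
    for (int i = 0; i < nrules; i++)
        rule_bw[i] = 56000;            /* each rule "needs" 56 kbit/s */
    return collect_matches_bounded(rule_bw, nrules, 100000,
                                   matches, MAX_MATCHES, truncated);
}

static int demo_bounded_count(int nrules)
{
    int t;
    return demo_bounded(nrules, &t);
}

static int demo_bounded_truncated(int nrules)
{
    int t;
    demo_bounded(nrules, &t);
    return t;
}

/* The unbounded variant is only exercised where it cannot overflow;
 * returns -1 instead of invoking undefined behaviour for larger inputs. */
static int demo_unbounded_safe(int nrules)
{
    int rule_bw[MAX_MATCHES];
    int matches[MAX_MATCHES];
    if (nrules > MAX_MATCHES)
        return -1;
    for (int i = 0; i < nrules; i++)
        rule_bw[i] = 56000;
    return collect_matches_unbounded(rule_bw, nrules, 100000, matches);
}

int main(void)
{
    printf("3 rules:  %d matches, truncated=%d\n",
           demo_bounded_count(3), demo_bounded_truncated(3));
    printf("20 rules: %d matches, truncated=%d\n",
           demo_bounded_count(20), demo_bounded_truncated(20));
    return 0;
}
```

With twenty matching rules the bounded version stores eight and sets the truncation flag; the unbounded version would have written twelve indices past the end of the array, which is the DoS the advisory describes.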

mono

  • Author: voroskoi
  • Vulnerable: 1.1.17.2-1siwenna1
  • Unaffected: 1.1.17.2-2siwenna1

Jose Ramon Palanco has reported a vulnerability in Mono, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an error in the System.Web class when handling HTTP requests. This can be exploited to gain remote access to the source code of a web application by e.g. appending “%20” to a URI. Note: reportedly, this can also be exploited to gain access to the Web.Config file, which may contain sensitive information such as credentials.
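An added example that is not Mono's code, illustrating one plausible mechanism for the “%20” trick; the mechanism is an assumption, since the advisory only states the symptom. Handler selection is keyed on the decoded path's extension, so a trailing encoded space turns “.aspx” into “.aspx ”, which matches no registered handler and falls through to the static-file path that sends the file's bytes verbatim. The hardened dispatcher rejects decoded paths containing whitespace or control characters before the lookup. url_decode, handler_for_extension, dispatch_vulnerable and dispatch_safe are names made up for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a request path into out[]; 0 on malformed escape or overflow. */
static int url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return 0;
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            c = (char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= cap)
            return 0;
        out[o++] = c;
    }
    out[o] = '\0';
    return 1;
}

/* Extension of the last path segment, or "" if it has none. */
static const char *extension_of(const char *path)
{
    const char *dot = strrchr(path, '.');
    const char *slash = strrchr(path, '/');
    if (!dot || (slash && slash > dot))
        return "";
    return dot;
}

/* Handler table keyed on extension, ASP.NET style: registered extensions go
 * to the page handler, config files are refused, anything else is "static"
 * and its bytes are sent verbatim. */
static const char *handler_for_extension(const char *ext)
{
    if (strcmp(ext, ".aspx") == 0 || strcmp(ext, ".ashx") == 0)
        return "page";
    if (strcmp(ext, ".config") == 0)
        return "forbidden";
    return "static";
}

/* Vulnerable shape (assumed mechanism): dispatch on the decoded path as-is.
 * "/Default.aspx%20" decodes to "/Default.aspx " whose extension ".aspx "
 * is unknown, so the static handler serves the page's source. */
static const char *dispatch_vulnerable(const char *raw_path)
{
    static char path[256];
    if (!url_decode(raw_path, path, sizeof path))
        return "bad-request";
    return handler_for_extension(extension_of(path));
}

/* Hardened shape: refuse any decoded path with whitespace or control
 * characters, so the extension the table sees is the extension of the file
 * that would actually be opened. */
static const char *dispatch_safe(const char *raw_path)
{
    static char path[256];
    if (!url_decode(raw_path, path, sizeof path))
        return "bad-request";
    for (const char *p = path; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c) || iscntrl(c))
            return "bad-request";
    }
    return handler_for_extension(extension_of(path));
}

int main(void)
{
    const char *probes[] = { "/Default.aspx", "/Default.aspx%20",
                             "/Web.config", "/Web.config%20" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-18s vulnerable=%-11s safe=%s\n", probes[i],
               dispatch_vulnerable(probes[i]), dispatch_safe(probes[i]));
    return 0;
}
```

The same table explains the Web.Config note: “/Web.config%20” misses the “forbidden” entry for the same reason “/Default.aspx%20” misses the page handler. Rejecting the request before dispatch is simpler and safer than trying to trim the path, because trimming would need to be repeated in every place that derives a decision from the path.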

gdm

  • Author: voroskoi
  • Vulnerable: 2.16.0-2
  • Unaffected: 2.16.4-1siwenna1

A vulnerability has been reported in the gdmchooser application of the GNOME Display Manager, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused by a format string error within the “gdm_chooser_add_host()” function in gdm2/gui/gdmchooser.c. This can be exploited to execute arbitrary code with the privileges of the gdmchooser application by entering a specially crafted string when adding a remote host.
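The format string error described above, shown as an added example that is not gdm's code: a vsnprintf-based message helper is called once with the user-typed host name as the format string and once with a literal format, and a host name validator is added as a second line of defence. chooser_message, add_host_vulnerable, add_host_safe and host_name_is_clean are names invented for the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 128

/* Stand-in for the chooser's message formatting.  It deliberately carries no
 * format attribute, which is also why the compiler stays silent about the
 * vulnerable call below. */
static void chooser_message(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the typed host name *is* the format string.  A host like
 * "%x.%x.%x" reads stack words into the message; "%n" writes through
 * whatever pointer happens to be on the stack. */
static const char *add_host_vulnerable(const char *host)
{
    static char msg[MSG_CAP];
    chooser_message(msg, sizeof msg, host);
    return msg;
}

/* Hardened shape: the format is a literal and the host is only an argument. */
static const char *add_host_safe(const char *host)
{
    static char msg[MSG_CAP];
    chooser_message(msg, sizeof msg, "Adding host: %s", host);
    return msg;
}

/* Defence in depth: a host name can only contain letters, digits, '-' and
 * '.', so anything else (including '%') is refused before it reaches any
 * formatting or lookup code. */
static int host_name_is_clean(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *typed = "%x.%x.%x.%x";        /* constructed hostile input */
    printf("clean?  %d\n", host_name_is_clean(typed));
    printf("safe:   %s\n", add_host_safe(typed));
    /* The vulnerable path interprets the directives: what prints here is
     * whatever the stack held, not the text the user typed. */
    printf("unsafe: %s\n", add_host_vulnerable(typed));
    return 0;
}
```

The literal-format fix is the actual repair; the validator only narrows what an attacker can type into the dialog and would not help if the same string reached a format function by another route.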

seamonkey

  • Author: voroskoi
  • Vulnerable: 1.0.6-1siwenna1
  • Unaffected: 1.0.7-1siwenna1

Multiple vulnerabilities have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a user’s system.

  1) Various errors in the layout engine and JavaScript engine can be exploited to cause memory corruption, and some may potentially allow execution of arbitrary code.
  2) An error when reducing the CPU’s floating point precision, which may happen on Windows when loading a plugin that creates a Direct3D device, may cause the “js_dtoa()” function to not exit and instead cause memory corruption.
  3) A boundary error when setting the cursor to a Windows bitmap using the CSS cursor property can be exploited to cause a heap-based buffer overflow.
  4) An unspecified error in the “watch()” JavaScript function can be exploited to execute arbitrary code.
  5) An error in LiveConnect causes an already freed object to be used and may potentially allow execution of arbitrary code.
  6) An error in the handling of the “src” attribute of IMG elements loaded in a frame can be exploited to change the attribute to a “javascript:” URI. This allows execution of arbitrary HTML and script code in a user’s browser session.
  7) An error within the handling of SVG comment objects can be exploited to cause memory corruption and allows execution of arbitrary code by appending an SVG comment object from one document into another type of document (e.g. HTML).
  8) A boundary error within the processing of mail headers can be exploited to cause a heap-based buffer overflow via an overly long “Content-Type” header in an external message body.
  9) A boundary error within the processing of rfc2047-encoded headers can be exploited to cause a heap-based buffer overflow.

clamav

  • Author: voroskoi
  • Vulnerable: 0.88.5-1siwenna1
  • Unaffected: 0.88.7-1siwenna1

Hendrik Weimer has reported a vulnerability in Clam AntiVirus, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system.
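An added example of the failure mode above, not ClamAV's code: a recursive part scanner over a constructed, simplified MIME-like syntax in which each nested multipart container costs one stack frame. A limit of 0 reproduces the unbounded recursion of the vulnerable code; a positive limit makes the scanner refuse the message instead of descending further. The syntax, MAX_MIME_DEPTH and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical nesting limit; the advisory gives no number.  Anything in the
 * tens is far above what legitimate mail produces. */
#define MAX_MIME_DEPTH 16

/* Copy the next '\n'-terminated line of *cur into line[] and advance *cur.
 * Returns 0 at end of input. */
static int next_line(const char **cur, char *line, size_t cap)
{
    const char *p = *cur;
    if (*p == '\0')
        return 0;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= cap)
        len = cap - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    *cur = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Constructed syntax: "Content-Type: multipart/..." opens a nested part that
 * runs until "--end"; any other "Content-Type: ..." is a leaf part.  Every
 * nested part is one more stack frame (line[] included), which is what a
 * deeply nested message uses to exhaust the stack.  Returns the number of
 * parts, or -1 when a positive limit is exceeded. */
static int scan_part(const char **cur, int depth, int limit, int *max_depth)
{
    char line[256];
    int parts = 0;
    if (limit > 0 && depth > limit)
        return -1;                         /* the missing check in the bug */
    if (depth > *max_depth)
        *max_depth = depth;
    while (next_line(cur, line, sizeof line)) {
        if (strcmp(line, "--end") == 0)
            return parts;
        if (strncmp(line, "Content-Type: multipart/", 24) == 0) {
            int inner = scan_part(cur, depth + 1, limit, max_depth);
            if (inner < 0)
                return -1;
            parts += 1 + inner;
        } else if (strncmp(line, "Content-Type: ", 14) == 0) {
            parts++;
        }
    }
    return parts;
}

/* Build a constructed message with `levels` multipart containers wrapped
 * around one text part.  Returns 0 if buf is too small. */
static int build_nested(int levels, char *buf, size_t cap)
{
    size_t used = 0;
    int n;
    for (int i = 0; i < levels; i++) {
        n = snprintf(buf + used, cap - used, "Content-Type: multipart/mixed\n");
        if (n < 0 || (size_t)n >= cap - used) return 0;
        used += (size_t)n;
    }
    n = snprintf(buf + used, cap - used, "Content-Type: text/plain\n");
    if (n < 0 || (size_t)n >= cap - used) return 0;
    used += (size_t)n;
    for (int i = 0; i < levels; i++) {
        n = snprintf(buf + used, cap - used, "--end\n");
        if (n < 0 || (size_t)n >= cap - used) return 0;
        used += (size_t)n;
    }
    return 1;
}

/* Scan a constructed message of `levels` nesting under `limit` (0 = none). */
static int demo_scan(int levels, int limit, int *max_depth)
{
    static char msg[65536];
    const char *cur = msg;
    *max_depth = 0;
    if (!build_nested(levels, msg, sizeof msg))
        return -2;
    return scan_part(&cur, 0, limit, max_depth);
}

static int demo_parts(int levels, int limit)
{
    int d;
    return demo_scan(levels, limit, &d);
}

static int demo_max_depth(int levels, int limit)
{
    int d;
    demo_scan(levels, limit, &d);
    return d;
}

int main(void)
{
    printf("3 levels, limit %d: parts=%d depth=%d\n", MAX_MIME_DEPTH,
           demo_parts(3, MAX_MIME_DEPTH), demo_max_depth(3, MAX_MIME_DEPTH));
    printf("100 levels, limit %d: parts=%d depth=%d\n", MAX_MIME_DEPTH,
           demo_parts(100, MAX_MIME_DEPTH), demo_max_depth(100, MAX_MIME_DEPTH));
    printf("100 levels, no limit: parts=%d depth=%d\n",
           demo_parts(100, 0), demo_max_depth(100, 0));
    return 0;
}
```

A hundred levels is harmless here because the frames are small; a scanner that allocates large per-part buffers on the stack, or that is run with a reduced stack size under a mail filter, reaches the crash with far fewer levels, which is why the limit belongs in the scanner rather than in the caller's expectations about input.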

CVEs:

firefox

  • Author: voroskoi
  • Vulnerable: 1.5.0.7-1siwenna1
  • Unaffected: 1.5.0.9-1siwenna1

Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of certain information, conduct cross-site scripting attacks, and potentially compromise a user’s system.

  1) Various errors in the layout engine and JavaScript engine can be exploited to cause memory corruption, and some may potentially allow execution of arbitrary code.
  2) An error when reducing the CPU’s floating point precision, which may happen on Windows when loading a plugin that creates a Direct3D device, may cause the “js_dtoa()” function to not exit and instead cause memory corruption.
  3) A boundary error when setting the cursor to a Windows bitmap using the CSS cursor property can be exploited to cause a heap-based buffer overflow.
  4) An unspecified error in the “watch()” JavaScript function can be exploited to execute arbitrary code.
  5) An error in LiveConnect causes an already freed object to be used and may potentially allow execution of arbitrary code.
  6) An error in the handling of the “src” attribute of IMG elements loaded in a frame can be exploited to change the attribute to a “javascript:” URI. This allows execution of arbitrary HTML and script code in a user’s browser session.
  7) An error within the handling of SVG comment objects can be exploited to cause memory corruption and allows execution of arbitrary code by appending an SVG comment object from one document into another type of document (e.g. HTML).

sugarcrm

  • Author: voroskoi
  • Vulnerable: 4.2.1b-1
  • Unaffected: 4.5.0h-1siwenna1

A vulnerability has been reported in Sugar Open Source, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

CVEs:

thunderbird

  • Author: voroskoi
  • Vulnerable: 1.5.0.8-1siwenna1
  • Unaffected: 1.5.0.9-1siwenna1

Multiple vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a user’s system.

  1) Various errors in the layout engine and JavaScript engine can be exploited to cause memory corruption, and some may potentially allow execution of arbitrary code.
  2) An error when reducing the CPU’s floating point precision, which may happen on Windows when loading a plugin that creates a Direct3D device, may cause the “js_dtoa()” function to not exit and instead cause memory corruption.
  3) A boundary error when setting the cursor to a Windows bitmap using the CSS cursor property can be exploited to cause a heap-based buffer overflow.
  4) An unspecified error in the “watch()” JavaScript function can be exploited to execute arbitrary code.
  5) An error in LiveConnect causes an already freed object to be used and may potentially allow execution of arbitrary code.
  6) An error in the handling of the “src” attribute of IMG elements loaded in a frame can be exploited to change the attribute to a “javascript:” URI. This allows execution of arbitrary HTML and script code in a user’s browser session.
  7) A boundary error within the processing of mail headers can be exploited to cause a heap-based buffer overflow via an overly long “Content-Type” header in an external message body.
  8) A boundary error within the processing of rfc2047-encoded headers can be exploited to cause a heap-based buffer overflow.

dbus

  • Author: voroskoi
  • Vulnerable: 0.62-2
  • Unaffected: 0.62-3siwenna1

Kimmo Hämäläinen has reported a weakness in D-Bus, which can be exploited by malicious, local users to cause a DoS (Denial of Service). An error within the “match_rule_equal()” function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus.
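An added model of the weakness above, not D-Bus's code. The advisory does not say what match_rule_equal() fails to compare, so the omission is modelled here as ignoring which connection owns a rule: a small rule table services a RemoveMatch request with either a loose or a strict equality test, and the scenario checks what happens to another connection's identical rule. The names, the table size and the rule text are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16

/* A registered match rule: owning connection (0 marks a free slot) and the
 * rule text the client passed to AddMatch. */
struct match_rule {
    int connection;
    char text[128];
};

struct rule_table {
    struct match_rule rules[MAX_RULES];
};

static void table_init(struct rule_table *t)
{
    memset(t, 0, sizeof *t);
}

static int add_match(struct rule_table *t, int connection, const char *text)
{
    for (int i = 0; i < MAX_RULES; i++) {
        if (t->rules[i].connection == 0) {
            t->rules[i].connection = connection;
            snprintf(t->rules[i].text, sizeof t->rules[i].text, "%s", text);
            return 1;
        }
    }
    return 0;
}

/* Loose equality (the flaw as modelled here): rules are "equal" when their
 * text matches, regardless of which connection registered them. */
static int rule_equal_loose(const struct match_rule *r, int conn, const char *text)
{
    (void)conn;
    return strcmp(r->text, text) == 0;
}

/* Strict equality: the text must match AND the rule must belong to the
 * requesting connection. */
static int rule_equal_strict(const struct match_rule *r, int conn, const char *text)
{
    return r->connection == conn && strcmp(r->text, text) == 0;
}

/* RemoveMatch as the daemon would service it: drop the first rule that
 * compares equal to what the requester asked to remove. */
static int remove_match(struct rule_table *t, int requester, const char *text,
                        int (*equal)(const struct match_rule *, int, const char *))
{
    for (int i = 0; i < MAX_RULES; i++) {
        if (t->rules[i].connection != 0 && equal(&t->rules[i], requester, text)) {
            t->rules[i].connection = 0;
            return 1;
        }
    }
    return 0;
}

static int count_rules(const struct rule_table *t, int connection)
{
    int n = 0;
    for (int i = 0; i < MAX_RULES; i++)
        if (t->rules[i].connection == connection)
            n++;
    return n;
}

/* Scenario: connection 1 (victim) registers a signal match first; connection
 * 2 (local attacker) registers an identical one and then removes it.
 * Returns how many rules `connection` still holds afterwards. */
static int demo_rules_left(int strict, int connection)
{
    struct rule_table t;
    const char *rule = "type='signal',interface='org.freedesktop.DBus'";
    table_init(&t);
    add_match(&t, 1, rule);
    add_match(&t, 2, rule);
    remove_match(&t, 2, rule, strict ? rule_equal_strict : rule_equal_loose);
    return count_rules(&t, connection);
}

int main(void)
{
    printf("loose:  victim=%d attacker=%d\n",
           demo_rules_left(0, 1), demo_rules_left(0, 2));
    printf("strict: victim=%d attacker=%d\n",
           demo_rules_left(1, 1), demo_rules_left(1, 2));
    return 0;
}
```

Under the loose comparison the attacker's RemoveMatch deletes the victim's rule and leaves the attacker's own in place, so the victim stops receiving the signals it subscribed to while nothing in the attacker's view looks wrong. Scoping the search to the requester's own rules is the property the fix has to restore.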

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.17-6siwenna3
  • Unaffected: 2.6.17-6siwenna5

Various kernel security bugs were fixed. A 2.6.17-6siwenna4 package was also released, but another bug was fixed on the same day, which is why no FSA was issued for it.

CVEs: