• Go back to all articles

All articles tagged with Debian

Willem Pinckaers discovered that Tor, a tool to enable online anonymity, does not correctly handle all data read from the network. By supplying specially crafted packets a remote attacker can cause Tor to overflow its heap, crashing the process. Arbitrary code execution has not been confirmed but there is a potential risk. Updated packages are available from security.debian.org.

Joel Voss of Leviathan Security Group discovered two vulnerabilities in xpdf rendering engine, which may lead to the execution of arbitrary code if a malformed PDF file is opened. Updated packages are available from security.debian.org.

It was discovered that collectd, a statistics collection and monitoring daemon, is prone to a denial of service attach via a crafted network packet. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in BIND, an implementation of the DNS protocol suite. When DNSSEC validation is enabled, BIND does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (server crash) via a DNS query. BIND does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which may lead to zone unavailability during rollovers. BIND does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (server crash) via a query for cached data. Updated packages are available from security.debian.org.

Bui Quang Minh discovered that libxml2, a library for parsing and handling XML data files, does not well process a malformed XPATH, causing crash and allowing arbitrary code execution. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. Among other issues, Kees Cook discovered an issue in the v4l 32-bit compatibility layer for 64-bit systems that allows local users with /dev/video write permission to overwrite arbitrary kernel memory, potentially leading to a privilege escalation. Tavis Ormandy discovered an issue in the io_submit system call. Local users can cause an integer overflow resulting in a denial of service. Dan Rosenberg discovered an issue in the cxgb network driver that allows unprivileged users to obtain the contents of sensitive kernel memory. Dan Rosenberg discovered an issue in the eql network driver that allows local users to obtain the contents of sensitive kernel memory. Dan Rosenberg discovered an issue in the ROSE socket implementation. On systems with a rose device, local users can cause a denial of service (kernel memory corruption). Thomas Dreibholz discovered an issue in the SCTP protocol that permits a remote user to cause a denial of service (kernel panic). Dan Rosenberg discovered an issue in the pktcdvd driver. Local users with permission to open /dev/pktcdvd/control can obtain the contents of sensitive kernel memory or cause a denial of service. Dan Rosenberg discovered an issue in the ALSA sound system. Local users with permission to open /dev/snd/controlC0 can create an integer overflow condition that causes a denial of service. Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain Thinkpad systems, local users can cause a denial of service (X.org crash) by reading /proc/acpi/ibm/video. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in Xulrunner. Xulrunner allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption. Multiple unspecified vulnerabilities in the browser engine in Xulrunner allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Xulrunner allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server. Xulrunner does not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document. Stack-based buffer overflow in the text-rendering functionality in Xulrunner allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method. Use-after-free vulnerability in the nsBarProp function in Xulrunner allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window. The LookupGetterOrSetter function in Xulrunner does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted HTML document. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in Mozilla’s Network Security Services (NSS) library. NSS recognizes a wildcard IP address in the subject’s Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NSS does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. Updated packages are available from security.debian.org.

Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU libc allows local users to gain root privileges using a crafted LD_AUDIT environment variable. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in TYPO3. Multiple remote file disclosure vulnerabilities in the jumpUrl mechanism and the Extension Manager allowed attackers to read files with the privileges of the account under which the web server was running. The TYPO3 backend contained several cross-site scripting vulnerabilities, and the RemoveXSS function did not filter all Javascript code. Malicious editors with user creation permission could escalate their privileges by creating new users in arbitrary groups, due to lack of input validation in the taskcenter. TYPO3 exposed a crasher bug in the PHP filter_var function, enabling attackers to cause the web server process to crash and thus consume additional system resources. Updated packages are available from security.debian.org.

Tim Bunce discovered that PostgreSQL, a database server software, does not properly separate interpreters for server-side stored procedures which run in different security contexts. As a result, non-privileged authenticated database users might gain additional privileges. Updated packages are available from security.debian.org.

Joel Voss of Leviathan Security Group discovered two vulnerabilities in the Poppler PDF rendering library, which may lead to the execution of arbitrary code if a malformed PDF file is opened. Updated packages are available from security.debian.org.

Kamesh Jayachandran and C. Michael Pilat discovered that the mod_dav_svn module of subversion, a version control system, is not properly enforcing access rules which are scope-limited to named repositories. If the SVNPathAuthz option is set to short_circuit set this may enable an unprivileged attacker to bypass intended access restrictions and disclose or modify repository content. Updated packages are available from security.debian.org.

APR-util is part of the Apache Portable Runtime library which is used by projects such as Apache httpd and Subversion. Jeff Trawick discovered a flaw in the apr_brigade_split_line() function in apr-util. A remote attacker could send crafted http requests to cause a greatly increased memory consumption in Apache httpd, resulting in a denial of service. Updated packages are available from security.debian.org.

Marc Schoenefeld has found an input stream position error in the way the FreeType font rendering engine processed input file streams. If a user loaded a specially-crafted font file with an application linked against FreeType and relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could cause the application to crash or, possibly execute arbitrary code. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in Moodle, a course management system. Moodle does not enable the “Regenerate session id during login” setting by default, which makes it easier for remote attackers to conduct session fixation attacks. Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page.

A Cross-site scripting (XSS) vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL. A Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php) allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. A Cross-site scripting (XSS) vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username. Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input. A Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in drupal6 a fully-featured content management framework. Several issues have been discovered in the OpenID module that allows malicious access to user accounts. The upload module includes a potential bypass of access restrictions due to not checking letter case-sensitivity. The comment module has a privilege escalation issue that allows certain users to bypass limitations. Several cross-site scripting (XSS) issues have been discovered in the Action feature. Updated packages are available from security.debian.org.

Mikolaj Izdebski has discovered an integer overflow flaw in the BZ2_decompress function in bzip2/libbz2. An attacker could use a crafted bz2 file to cause a denial of service (application crash) or potentially to execute arbitrary code. Updated packages are available from security.debian.org.

Phil Oester discovered that squid3, a fully featured Web Proxy cache, is prone to a denial of service attack via a specially crafted request that includes empty strings. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. Andre Osterhues reported an issue in the eCryptfs subsystem. A buffer overflow condition may allow local users to cause a denial of service or gain elevated privileges. Tavis Ormandy reported an issue in the irda subsystem which may allow local users to cause a denial of service via a NULL pointer dereference. Dan Rosenberg discovered an issue in the XFS file system that allows local users to read potentially sensitive kernel memory. Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation layer. Local users with sufficient privileges to open /dev/sequencer can cause a denial of service via a NULL pointer dereference. Ben Hawkes discovered an issue in the 32-bit compatibility code for 64-bit systems. Local users can gain elevated privileges due to insufficient checks in compat_alloc_user_space allocations. Updated packages are available from security.debian.org.

A vulnerability has been discovered in samba, a SMB/CIFS file, print, and login server for Unix. The sid_parse() function does not correctly check its input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server. Updated packages are available from security.debian.org.

It has been discovered that in cvsnt, a multi-platform version of the original source code versioning system CVS, an error in the authentication code allows a malicious, unprivileged user, through the use of a specially crafted branch name, to gain write access to any module or directory, including CVSROOT itself. The attacker can then execute arbitrary code as root by modifying or adding administrative scripts in that directory. Updated packages are available from security.debian.org.

Dan Rosenberg discovered that in couchdb, a distributed, fault-tolerant and schema-free document-oriented database, an insecure library search path is used; a local attacker could execute arbitrary code by first dumping a maliciously crafted shared library in some directory, and then having an administrator run couchdb from this same directory. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. Implementation errors in XUL processing allow the execution of arbitrary code. An implementation error in the XPCSafeJSObjectWrapper wrapper allows the bypass of the same origin policy. An integer overflow in frame handling allows the execution of arbitrary code. An implementation error in DOM handling allows the execution of arbitrary code. Incorrect pointer handling in the plugin code allow the execution of arbitrary code. Incorrect handling of an object tag may lead to the bypass of cross site scripting filters. Incorrect copy and paste handling could lead to cross site scripting. Crashes in the layout engine may lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in the FreeType font library. Multiple stack-based buffer overflows in the CFF Type2 CharStrings interpreter allow remote attackers to execute arbitrary code or cause a denial of service. A buffer overflow in the ftmulti demo program allows remote attackers to cause a denial of service or possibly execute arbitrary code. The FT_Stream_EnterFrame function does not properly validate certain position values, which allows remote attackers to cause a denial of service or possibly execute arbitrary code. An array index error in the t42_parse_sfnts function allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code. files, leading to a heap-based buffer overflow. FreeType uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service or possibly execute arbitrary code. A buffer overflow in the Mac_Read_POST_Resource function in allows remote attackers to cause a denial of service or possibly execute arbitrary code. FreeType allows remote attackers to cause a denial of service via a crafted BDF font file, related to an attempted modification of a value in a static string. Updated packages are available from security.debian.org.

Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon. When processing a crafted Route Refresh message received from a configured, authenticated BGP neighbor, Quagga may crash, leading to a denial of service. When processing certain crafted AS paths, Quagga would crash with a NULL pointer dereference, leading to a denial of service. In some configurations, such crafted AS paths could be relayed by intermediate BGP routers. Updated packages are available from security.debian.org.

It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validating input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account. Updated packages are available from security.debian.org.

It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application), and possibly execute arbitrary code. Updated packages are available from security.debian.org.

Several implementation errors in the dissector of the Wireshark network traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal Decompressor Virtual Machine may lead to the execution of arbitrary code. Updated packages are available from security.debian.org.