All articles tagged with Security

May 13, 2003 11:31 Red Hat: Updated KDE packages fix security issues

KDE is a graphical desktop environment for the X Window System. KDE fails in multiple places to properly quote URLs and file names before passing them to a command shell. This could allow remote attackers to execute arbitrary commands via carefully crafted URLs, filenames, or email addresses. KDE versions up to and including KDE 3.1.1 have a vulnerability caused by -dSAFER not being used when previewing in Konqueror. An attacker can prepare a malicious PostScript or PDF file which provides the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such a malicious file and has file previews enabled. Fixed packages are available from updates.redhat.com.

May 13, 2003 11:29 Red Hat: Updated xinetd packages fix a denial-of-service ...

Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers. Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. Fixed packages are available from updates.redhat.com.

May 07, 2003 10:16 Debian: New fuzz packages fix buffer overflow

Joey Hess discovered that fuzz, a software stress-testing tool, creates a temporary file without taking appropriate security precautions. This bug could allow an attacker to gain the privileges of the user invoking fuzz, excluding root (fuzz does not allow itself to be invoked as root). Fixed packages are available from security.debian.org.

May 07, 2003 09:30 Debian: New libgtop packages fix buffer overflow

The gtop daemon, used for monitoring remote machines, contains a buffer overflow which could be used by an attacker to execute arbitrary code with the privileges of the daemon process. If started as root, the daemon process drops root privileges, assuming uid and gid 99 by default. Fixed packages are available from security.debian.org.

May 06, 2003 09:04 Debian: New leksbot packages fix improper setuid-root exe...

Maurice Massar discovered that, due to a packaging error, the program /usr/bin/KATAXWR was inadvertently installed setuid root. This program was not designed to run setuid, and contained multiple vulnerabilities which could be exploited to gain root privileges. Fixed packages are available from security.debian.org.

May 06, 2003 02:17 Debian: New Balsa packages fix buffer overflow

Byrial Jensen discovered a couple of off-by-one buffer overflows in the IMAP code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and threading. This code is imported in the Balsa package. This problem could potentially allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder. Fixed packages are available from security.debian.org.

May 02, 2003 05:52 Debian: New EPIC4 packages fix DoS and arbitrary code exe...

Timo Sirainen discovered several problems in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to the execution of arbitrary code under the user id of the chatting user. Fixed packages are available from security.debian.org.

May 02, 2003 05:23 Red Hat: Updated mod_auth_any packages available

mod_auth_any is a Web server module that allows the Apache httpd server to call arbitrary external programs to verify user passwords. Vulnerabilities have been found in the way mod_auth_any escapes shell arguments when calling external programs. Versions of mod_auth_any included in Red Hat Linux 7.2 and 7.3 are affected. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running. Fixed packages are available from updates.redhat.com.

May 01, 2003 16:17 Debian: New snort packages fix remote root exploits

Two vulnerabilities have been discovered in Snort, a popular network intrusion detection system. Snort comes with modules and plugins that perform a variety of functions such as protocol analysis. Researchers have discovered a remotely exploitable integer overflow that results in overwriting the heap in the "stream4" preprocessor module as well as a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Fixed packages are available from security.debian.org.

May 01, 2003 04:31 Red Hat: Updated man packages fix minor vulnerability

The man package includes tools for finding and displaying online documentation. Versions of man before 1.51 have a bug where a malformed man file can cause a program named "unsafe" to be run. To exploit this vulnerability, a local attacker would need to get a victim to run man on a carefully crafted man file and be able to create a file called "unsafe" that will be on the victim's default path. Fixed packages are available from updates.redhat.com.

April 30, 2003 07:30 Debian: New kdebase packages fix arbitrary command execution

The KDE team discovered a vulnerability in the way KDE uses Ghostscript software for processing of PostScript (PS) and PDF files. An attacker could provide a malicious PostScript or PDF file via mail or websites that could lead to executing arbitrary commands under the privileges of the user viewing the file or when the browser generates a directory listing with thumbnails. Fixed packages are available from security.debian.org.

April 30, 2003 01:11 Debian: New pptpd packages fix remote root exploit

Timo Sirainen discovered a vulnerability in pptpd, a Point to Point Tunneling Server, which implements PPTP-over-IPSEC and is commonly used to create Virtual Private Networks (VPN). By specifying a small packet length an attacker is able to overflow a buffer and execute code under the user id that runs pptpd, probably root. An exploit for this problem is already circulating. Fixed packages are available from security.debian.org.

April 29, 2003 13:03 Red Hat: Updated MySQL packages fix vulnerabilities

MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. Also, MySQL 3.23.55 and earlier creates world-writable files and allows mysql users to gain root privileges by using the "SELECT * INTO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart. Fixed packages are available from updates.redhat.com.

April 29, 2003 02:51 Red Hat: Updated zlib packages fix gzprintf buffer overfl...

Zlib is a general-purpose, patent-free, lossless data compression library used by many different programs. The function gzprintf within zlib, when called with a string longer than Z_PRINTF_BUFSIZE (= 4096 bytes), can overflow without giving a warning. zlib-1.1.4 and earlier exhibit this behavior. There are no known exploits of the gzprintf overrun, and only a few programs, including rpm2html and gimp-print, are known to use the gzprintf function. The problem has been fixed by checking the length of the output string within gzprintf. Fixed packages are available from updates.redhat.com.

April 24, 2003 22:11 Red Hat: Updated mICQ packages fix vulnerability

mICQ is an online messaging and conferencing program. mICQ versions 0.4.9 and earlier allow remote attackers to cause a denial of service (crash) using malformed ICQ message types without a 0xFE separator character. Fixed packages are available from updates.redhat.com.

April 24, 2003 22:09 Red Hat: Updated LPRng packages fix psbanner vulnerability

LPRng is a print spooler. LPRng includes a program, psbanner, that can be used to produce PostScript banner pages to separate print jobs. A vulnerability has been found in psbanner, which creates a temporary file with a known filename in an insecure manner. An attacker could create a symbolic link and cause arbitrary files to be written as the 'lp' user. Fixed packages are available from updates.redhat.com.

April 24, 2003 22:07 Red Hat: Updated squirrelmail packages fix cross-site scr...

SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities have been found which affect versions of SquirrelMail shipped with Red Hat Linux 8.0 and Red Hat Linux 9. Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and earlier allow remote attackers to execute script as other Web users via mailbox displays, message displays, or search results displays. Fixed packages are available from updates.redhat.com.

April 24, 2003 04:07 SuSE: New KDE packages fix various security vulnerabilities

The K Desktop Environment (KDE) can generate PostScript previews, which can be viewed via certain Konqueror plug-ins, for example. The previews are generated by invoking the Ghostscript program, but without supplying the "-dSAFER" option as an argument. This allows embedded code to be executed. In addition to the correction made to the PostScript generation process, various other security-related bug fixes and patches from KDE 3.0.5a have been incorporated. Fixed packages are available from ftp.suse.com.

April 23, 2003 13:58 Red Hat: Updated ethereal packages fix security vulnerabi...

Ethereal is a package designed for monitoring network traffic on your system. Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via carefully crafted SOCKS packets. Additionally, a heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. Fixed packages are available from updates.redhat.com.

April 23, 2003 11:46 Debian: New gkrellm-newsticker packages fix DoS and arbit...

Brian Campbell discovered two security-related problems in gkrellm-newsticker, a plugin for the gkrellm system monitor program, which provides a news ticker from RDF feeds. It can launch a web browser of the user's choice when the ticker title is clicked by using the URI given by the feed. However, special shell characters are not properly escaped, enabling a malicious feed to execute arbitrary shell commands on the client's machine. Also, it crashes the entire gkrellm system on feeds where link or title elements are not entirely on a single line. A malicious server could therefore craft a denial of service. Fixed packages are available from security.debian.org.

April 23, 2003 10:05 Red Hat: Updated tcpdump packages fix various vulnerabili...

tcpdump is a command-line tool for monitoring network traffic. The BGP decoding routines in tcpdump before 3.6.2 used incorrect bounds checking when copying data, which allows remote attackers to cause a denial of service and possibly execute arbitrary code (as the 'pcap' user). The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0. This causes tcpdump to generate data within an infinite loop. A vulnerability in tcpdump before 3.7.2 is related to an inability to handle unknown RADIUS attributes properly, and allows remote attackers to cause a denial of service (infinite loop). The ISAKMP parser in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a malformed ISAKMP packet to UDP port 500, causing tcpdump to enter an infinite loop. Fixed packages are available from updates.redhat.com.

April 23, 2003 08:22 Debian: New kdelibs packages fix arbitrary command execution

The KDE team discovered a vulnerability in the way KDE uses Ghostscript software for processing of PostScript (PS) and PDF files. An attacker could provide a malicious PostScript or PDF file via mail or websites that could lead to executing arbitrary commands under the privileges of the user viewing the file or when the browser generates a directory listing with thumbnails. Fixed packages are available from security.debian.org.

April 22, 2003 08:10 Debian: New mime-support packages fix temporary file race...

Colin Phipps discovered several problems in mime-support, which contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used, it is created insecurely, allowing an attacker to overwrite arbitrary files under the user id of the person executing run-mailcap, most probably root. Additionally, the program did not properly escape shell escape characters when executing a command. This is unlikely to be exploitable, though. Fixed packages are available from security.debian.org.

April 22, 2003 05:59 Debian: New ircII packages fix DoS and arbitrary code exe...

Timo Sirainen discovered several problems in ircII, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to the execution of arbitrary code under the user id of the chatting user. Fixed packages are available from security.debian.org.

April 17, 2003 08:31 Debian: New sendmail-wide packages fix DoS and arbitrary ...

Michal Zalewski discovered a buffer overflow, triggered by a char to int conversion, in the address parsing code in sendmail, a widely used, powerful, efficient, and scalable mail transport agent. This problem is potentially remotely exploitable. Fixed packages are available from security.debian.org.

April 17, 2003 08:05 Debian: New rinetd packages fix denial of service

Sam Hocevar discovered a security problem in rinetd, an IP connection redirection server. When the connection list is full, rinetd resizes the list in order to store the new incoming connection. However, this is done improperly, resulting in a denial of service and potentially execution of arbitrary code. Fixed packages are available from security.debian.org.

April 17, 2003 01:22 Debian: New OpenSSL packages fix decipher vulnerability

Researchers discovered two flaws in OpenSSL, a Secure Socket Layer (SSL) library and related cryptographic tools. Applications that are linked against this library are generally vulnerable to attacks that could leak the server's private key or make the encrypted session decryptable otherwise. Fixed packages are available from security.debian.org.

April 15, 2003 03:40 Debian: New EPIC packages fix DoS and arbitrary code exec...

Timo Sirainen discovered several problems in EPIC, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to the execution of arbitrary code under the user id of the chatting user. Fixed packages are available from security.debian.org.

April 14, 2003 09:14 Debian: New gs-common packages fix insecure temporary fil...

Paul Szabo discovered insecure creation of a temporary file in ps2epsi, a script that is distributed as part of gs-common, which contains common files for different Ghostscript releases. ps2epsi uses a temporary file in the process of invoking Ghostscript. This file was created in an insecure fashion, which could allow a local attacker to overwrite files owned by a user who invokes ps2epsi. Fixed packages are available from security.debian.org.

April 14, 2003 06:32 Debian: New lprng packages fix insecure temporary file cr...

Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purposes when it is configured as a filter. The program does not check whether this file already exists or is linked to another place; it writes its current environment and called arguments to the file unconditionally with the user id daemon. Fixed packages are available from security.debian.org.