USNs for ubuntu 4.10

USN-275-1: Mozilla vulnerabilities

Web pages with extremely long titles caused subsequent launches of Mozilla browser to hang for up to a few minutes, or caused Mozilla to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

28 April 2006

USN-274-1: MySQL vulnerability

A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the ‘log’ parameter in the MySQL configuration.

27 April 2006

USN-273-1: Ruby vulnerability

Yukihiro Matsumoto reported that Ruby’s HTTP module uses blocking sockets. By sending large amounts of data to a server application that uses this module, a remote attacker could exploit this to render this application unusable and not respond any more to other clients (Denial of Service).

24 April 2006

USN-272-1: cyrus-sasl2 vulnerability

A Denial of Service vulnerability has been discovered in the SASL authentication library when using the DIGEST-MD5 plugin. By sending a specially crafted realm name, a malicious SASL server could exploit this to crash the application that uses SASL.

24 April 2006

USN-271-1: Firefox vulnerabilities

Web pages with extremely long titles caused subsequent launches of Firefox browser to hang for up to a few minutes, or caused Firefox to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

20 April 2006

USN-270-1: xpdf vulnerabilities

Derek Noonburg discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system…

13 April 2006

USN-269-1: xscreensaver vulnerability

In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active.

11 April 2006

USN-264-1: gnupg vulnerability

Tavis Ormandy discovered a flaw in gnupg’s signature verification. In some cases, certain invalid signature formats could cause gpg to report a ‘good signature’ result for auxiliary unsigned data which was prepended or appended to the checked message part.

4 April 2006

USN-267-1: mailman vulnerability

A remote Denial of Service vulnerability was discovered in the decoder for multipart messages. Certain parts of type “message/delivery-status” or parts containing only two blank lines triggered an exception. An attacker could exploit this to crash Mailman by sending a specially crafted email to a mailing list.

4 April 2006

USN-266-1: dia vulnerabilities

Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user’s privileges.

3 April 2006

USN-263-1: Linux kernel vulnerabilities

A flaw was found in the module reference counting for loadable protocol modules of netfilter. By performing particular socket operations, a local attacker could exploit this to crash the kernel. This flaw only affects Ubuntu 5.10. (CVE-2005-3359) David Howells noticed a race condition in the add_key(), request_key() and keyctl() functions. By…

13 March 2006

USN-261-1: PHP vulnerabilities

Stefan Esser discovered that the ‘session’ module did not sufficiently verify the validity of the user-supplied session ID. A remote attacker could exploit this to insert arbitrary HTTP headers into the response sent by the PHP application, which could lead to HTTP Response Splitting (forging of arbitrary responses on behalf the PHP application)…

10 March 2006

USN-260-1: flex vulnerability

Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. This flaw particularly affects gpc, the GNU Pascal Compiler. A potentially remote…

7 March 2006

USN-258-1: PostgreSQL vulnerability

Akio Ishida discovered that the SET SESSION AUTHORIZATION command did not properly verify the validity of its argument. An authenticated PostgreSQL user could exploit this to crash the server. However, this does not affect the official binary Ubuntu packages. The crash can only be triggered if the source package is rebuilt with assertions enabled…

27 February 2006

USN-255-1: openssh vulnerability

Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like ‘*‘), an attacker could exploit this to execute arbitrary…

22 February 2006

USN-254-1: noweb vulnerability

Javier Fern�ndez-Sanguino Pe�a discovered that noweb scripts created temporary files in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running noweb.

22 February 2006

USN-256-1: bluez-hcidump vulnerability

Pierre Betouin discovered a Denial of Service vulnerability in the handling of the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer. By sending a specially crafted L2CAP packet through a wireless Bluetooth connection, a remote attacker could crash hcidump. Since hcidump is mainly a debugging tool, the impact of this flaw is very…

22 February 2006

USN-253-1: heimdal vulnerability

A remote Denial of Service vulnerability was discovered in the heimdal implementation of the telnet daemon. A remote attacker could force the server to crash due to a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast. Please note that the heimdal-servers package is not…

18 February 2006

USN-252-1: gnupg vulnerability

Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg –verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third party applications might just check the exit code for…

18 February 2006

USN-251-1: libtasn vulnerability

Evgeny Legerov discovered a buffer overflow in the DER format decoding function of the libtasn library. This library is mainly used by the GNU TLS library; by sending a specially crafted X.509 certificate to a server which uses TLS encryption/authentication, a remote attacker could exploit this to crash that server process and possibly…

17 February 2006

USN-248-2: unzip regression fix

USN-248-1 fixed a vulnerability in unzip. However, that update inadvertedly changed the field order in the contents listing output, which broke unzip frontends like file-roller. The updated packages fix this regression.

15 February 2006

USN-249-1: xpdf/poppler/kpdf vulnerabilities

The splash image handler in xpdf did not check the validity of coordinates. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to trigger a buffer overflow which could lead to arbitrary code execution with the privileges of the user. The poppler library and kpdf also contain xpdf code, and thus…

15 February 2006

USN-248-1: unzip vulnerability

A buffer overflow was discovered in the handling of file name arguments. By tricking a user or automated system into processing a specially crafted, excessively long file name with unzip, an attacker could exploit this to execute arbitrary code with the user’s privileges.

15 February 2006

USN-247-1: Heimdal vulnerability

A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them. Please note that the heimdal-servers package is not officially supported in Ubuntu (it is in the ‘universe’ component of the archive). However, this affects you if you…

11 February 2006

USN-246-1: imagemagick vulnerabilities

Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be…

25 January 2006

USN-244-1: Linux kernel vulnerabilities

Doug Chapman discovered a flaw in the reference counting in the sys_mq_open() function. By calling this function in a special way, a local attacker could exploit this to cause a kernel crash. (CVE-2005-3356) Karl Janmar discovered that the /proc file system module used signed data types in a wrong way. A local attacker could exploit this to…

18 January 2006

USN-242-1: mailman vulnerabilities

Aliet Santiesteban Sifontes discovered a remote Denial of Service vulnerability in the attachment handler. An email with an attachment whose filename contained invalid UTF-8 characters caused mailman to crash. (CVE-2005-3573) Mailman did not sufficiently verify the validity of email dates. Very large numbers in dates caused mailman to crash….

16 January 2006

USN-241-1: Apache vulnerabilities

The “mod_imap” module (which provides support for image maps) did not properly escape the “referer” URL which rendered it vulnerable against a cross-site scripting attack. A malicious web page (or HTML email) could trick a user into visiting a site running the vulnerable mod_imap, and employ cross-site-scripting techniques to gather sensitive…

13 January 2006

USN-235-2: sudo vulnerability

USN-235-1 fixed a vulnerability in sudo’s handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges. For reference, this is the original advisory: Charles Morris…

9 January 2006

USN-239-1: libapache2-mod-auth-pgsql vulnerability

Several format string vulnerabilities were discovered in the error logging handling. By sending specially crafted user names, an unauthenticated remote attacker could exploit this to crash the Apache server or possibly even execute arbitrary code with the privileges of Apache (user ‘www-data’).

9 January 2006

USN-236-1: xpdf vulnerabilities

Chris Evans discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system also…

6 January 2006

USN-235-1: sudo vulnerability

Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl’s library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the…

6 January 2006

USN-234-1: cpio vulnerability

Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with…

3 January 2006

USN-233-1: fetchmail vulnerability

Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in ‘multidrop’ mode, a malicious email server could cause a crash by sending an email without any headers. Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.

3 January 2006

USN-232-1: PHP vulnerabilities

Eric Romang discovered a local Denial of Service vulnerability in the handling of the ‘session.save_path’ parameter in PHP’s Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319) A Denial of Service flaw was found in the EXIF module. By sending an image…

23 December 2005

USN-231-1: Linux kernel vulnerabilities

Rudolf Polzer reported an abuse of the ‘loadkeys’ command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the…

23 December 2005

USN-230-2: ffmpeg/xine-lib vulnerability

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw. For reference, this is the original advisory: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening…

16 December 2005

USN-228-1: curl library vulnerability

Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load an URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with…

13 December 2005

USN-222-2: Perl vulnerability

USN-222-1 fixed a vulnerability in the Perl interpreter. It was discovered that the version of USN-222-1 was not sufficient to handle all possible cases of malformed input that could lead to arbitrary code execution, so another update is necessary. Original advisory: Jack Louis of Dyad Security discovered that Perl did not sufficiently check…

13 December 2005

USN-227-1: xpdf vulnerabilities

infamous41md discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, tetex-bin, KOffice, and kpdf. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS…

12 December 2005

USN-226-1: Courier vulnerability

Patrick Cheong Shu Yang discovered a flaw in the user account handling of courier-authdaemon. After successful authorization, the Courier mail server granted access to deactivated accounts.

10 December 2005

USN-225-1: Apache 2 vulnerability

A memory leak was found in the Apache 2 ‘worker’ module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, which eventually led to a Denial of Service.

7 December 2005

USN-224-1: Kerberos vulnerabilities

Ga�l Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Ga�l Delalleau discovered a buffer overflow in the…

6 December 2005

USN-222-1: Perl vulnerability

Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the…

2 December 2005

USN-221-1: racoon vulnerability

The Oulu University Secure Programming Group discovered a remote Denial of Service vulnerability in the racoon daemon. When the daemon is configured to use aggressive mode, then it did not check whether the peer sent all required payloads during the IKE negotiation phase. A malicious IPsec peer could exploit this to crash the racoon…

1 December 2005

USN-220-1: w3c-libwww vulnerability

Sam Varshavchik discovered several buffer overflows in the HTBoundary_put_block() function. By sending specially crafted HTTP multipart/byteranges MIME messages, a malicious HTTP server could trigger an out of bounds memory access in the libwww library, which causes the program that uses the library to crash.

1 December 2005

USN-218-1: netpbm vulnerabilities

Two buffer overflows were discovered in the ‘pnmtopng’ tool, which were triggered by processing an image with exactly 256 colors when using the -alpha option (CVE-2005-3662) or by processing a text file with very long lines when using the -text option (CVE-2005-3632). A remote attacker could exploit these to execute arbitrary code by tricking an…

22 November 2005

USN-190-2: ucs-snmp vulnerability

USN-190-1 fixed a vulnerability in the net-snmp library. It was discovered that the same problem also affects the ucs-snmp implementation (which is used by the Cyrus email server). Original advisory: A remote Denial of Service has been discovered in the SMNP (Simple Network Management Protocol) library. If a SNMP agent uses TCP sockets for…

21 November 2005

USN-216-1: GDK vulnerabilities

Two integer overflows have been discovered in the XPM image loader of the GDK pixbuf library. By tricking an user into opening a specially crafted XPM image with any Gnome desktop application that uses this library, this could be exploited to execute arbitrary code with the privileges of the user running the application. (CVE-2005-2976,…

16 November 2005

USN-151-4: rpm vulnerability

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since lsb-rpm is statically linked against the zlib library, it is also affected by these issues. The updated packagages have been rebuilt against the fixed…

9 November 2005

USN-215-1: fetchmailconf vulnerability

Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user…

8 November 2005

USN-214-1: libungif vulnerabilities

Chris Evans discovered several buffer overflows in the libungif library. By tricking an user (or automated system) into processing a specially crafted GIF image, this could be exploited to execute arbitrary code with the privileges of the application using libungif.

7 November 2005

USN-206-2: Fixed lynx packages for USN-206-1

USN-206-1 fixed a security vulnerability in lynx. Unfortunately the fix contained an error that caused lynx to crash under certain circumstances. The updated packages fix this.

29 October 2005

USN-151-3: zlib vulnerabilities

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since aide is statically linked against the zlib library, it is also affected by these issues. The updated packagages have been rebuilt against the fixed zlib.

29 October 2005

USN-213-1: sudo vulnerability

Tavis Ormandy discovered a privilege escalation vulnerability in sudo. On executing shell scripts with sudo, the “P4” and “SHELLOPTS” environment variables were not cleaned properly. If sudo is set up to grant limited sudo privileges to normal users this could be exploited to run arbitrary commands as the target user. Updated packags for Ubuntu…

28 October 2005

USN-212-1: libgda2 vulnerability

Steve Kemp discovered two format string vulnerabilities in the logging handler of the Gnome database access library. Depending on the application that uses the library, this could have been exploited to execute arbitrary code with the permission of the user running the application.

28 October 2005

USN-211-1: Enigmail vulnerability

Hadmut Danish discovered an information disclosure vulnerability in the key selection dialog of the Mozilla/Thunderbird enigmail plugin. If a user’s keyring contained a key with an empty user id (i. e. a key without a name and email address), this key was selected by default when the user attempted to send an encrypted email. Unless this empty key…

20 October 2005

USN-210-1: netpbm vulnerability

A buffer overflow was found in the “pnmtopng” conversion program. By tricking an user (or automated system) to process a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng.

18 October 2005

USN-209-1: SSH server vulnerability

An information disclosure vulnerability has been found in the SSH server. When the GSSAPIAuthentication option was enabled, the SSH server could send GSSAPI credentials even to users who attempted to log in with a method other than GSSAPI. This could inadvertently expose these credentials to an untrusted user. Please note that this does not…

18 October 2005

USN-207-1: PHP vulnerability

A bug has been found in the handling of the open_basedir directive handling. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash (‘/’). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to…

17 October 2005

USN-206-1: Lynx vulnerability

Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges…

17 October 2005

USN-205-1: Curl and wget vulnerabilities

A buffer overflow has been found in the NTLM authentication handler of the Curl library and wget. By tricking an user or automatic system that uses the Curl library, the curl application, or wget into visiting a specially-crafted web site, a remote attacker could exploit this to execute arbitrary code with the privileges of the calling user. The…

14 October 2005

USN-204-1: SSL library vulnerability

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL applications. Applications using the OpenSSL library can use the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the former) to maintain compatibility with third party products, which is achieved by working around known bugs in them. The…

14 October 2005

USN-203-1: Abiword vulnerabilities

Chris Evans discovered several buffer overflows in the RTF import module of AbiWord. By tricking a user into opening an RTF file with specially crafted long identifiers, an attacker could exploit this to execute arbitrary code with the privileges of the AbiWord user.

13 October 2005

USN-201-1: SqWebmail vulnerabilities

Several Cross Site Scripting vulnerabilities were discovered in SqWebmail. A remote attacker could exploit this to execute arbitrary JavaScript or other active HTML embeddable content in the web browser of an SqWebmail user by sending specially crafted emails to him. Please note that the “sqwebmail” package is not officially supported by Ubuntu…

12 October 2005

USN-200-1: Thunderbird vulnerabilities

A buffer overflow was discovered in the XBM image handler. By tricking an user into opening a specially crafted XBM image, an attacker could exploit this to execute arbitrary code with the user’s privileges. (CAN-2005-2701) Mats Palmgren discovered a buffer overflow in the Unicode string parser. Unicode strings that contained “zero-width…

11 October 2005

USN-199-1: Linux kernel vulnerabilities

A Denial of Service vulnerability was discovered in the sys_set_mempolicy() function. By calling the function with a negative first argument, a local attacker could cause a kernel crash. (CAN-2005-3053) A race condition was discovered in the handling of shared memory mappings with CLONE_VM. A local attacker could exploit this to cause a deadlock…

11 October 2005

USN-198-1: cfengine vulnerabilities

Javier Fern�ndez-Sanguino Pe�a discovered that several tools in the cfengine package (vicf, cfmailfilter, and cfcron) create and use temporary files in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running the cfengine program.

10 October 2005

USN-197-1: Shorewall vulnerability

A firewall bypass vulnerability has been found in shorewall. If MACLIST_TTL was set to a value greater than 0 or MACLIST_DISPOSITION was set to “ACCEPT” in /etc/shorewall/shorewall.conf, and a client was positively identified through its MAC address, that client bypassed all other policies/rules in place. This could allow external computers to get…

10 October 2005

USN-196-1: Xine library vulnerability

Ulf Harnhammar discovered a format string vulnerability in the CDDB module’s cache file handling in the Xine library, which is used by packages such as xine-ui, totem-xine, and gxine. By tricking an user into playing a particular audio CD which has a specially-crafted CDDB entry, a remote attacker could exploit this vulnerability to execute…

10 October 2005

USN-195-1: Ruby vulnerability

The object oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: safe level and taint flag on objects. Dr. Yutaka Oiwa discovered a vulnerability that allows Ruby methods to bypass these mechanisms. In systems which use this feature, this could be exploited to execute Ruby code beyond the restrictions…

10 October 2005

USN-194-1: texinfo vulnerability

Frank Lichtenheld discovered that the “texindex” program created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running texindex.

6 October 2005

USN-192-1: Squid vulnerability

Mike Diggins discovered a remote Denial of Service vulnerability in Squid. Sending specially crafted NTML authentication requests to Squid caused the server to crash.

1 October 2005

USN-191-1: unzip vulnerability

Imran Ghory found a race condition in the handling of output files. While a file was unpacked by unzip, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the unzip user.

30 September 2005

USN-190-1: SNMP vulnerability

A remote Denial of Service has been discovered in the SMNP (Simple Network Management Protocol) library. If a SNMP agent uses TCP sockets for communication, a malicious SNMP server could exploit this to crash the agent. Please note that by default SNMP uses UDP sockets.

30 September 2005

USN-189-1: cpio vulnerabilities

Imran Ghory found a race condition in the handling of output files. While a file was unpacked with cpio, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the cpio user. (CAN-2005-1111) Imran Ghory discovered a path traversal vulnerability. Even when…

29 September 2005

USN-188-1: AbiWord vulnerability

Chris Evans discovered a buffer overflow in the RTF import module of AbiWord. By tricking a user into opening an RTF file with specially crafted long identifiers, an attacker could exploit this to execute arbitrary code with the privileges of the AbiWord user.

29 September 2005

USN-187-1: Linux kernel vulnerabilities

A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767) Vasiliy Averin discovered a Denial of Service vulnerability in the “tiocgdev” ioctl call and in the…

25 September 2005

USN-186-2: Ubuntu 4.10 packages for USN-186-1 Firefox security update

USN-186-1 fixed several vulnerabilities in the Firefox browser for Ubuntu 5.04. This update provides fixed packages for Ubuntu 4.10, which was vulnerable to the same issues. The original advisory is available at http://www.ubuntu.com/usn/usn-186-1

25 September 2005

USN-186-1: Mozilla and Firefox vulnerabilities

Peter Zelezny discovered that URLs which are passed to Firefox or Mozilla on the command line are not correctly protected against interpretation by the shell. If Firefox or Mozilla is configured as the default handler for URLs (which is the default in Ubuntu), this could be exploited to execute arbitrary code with user privileges by tricking the…

23 September 2005

USN-185-1: CUPS vulnerability

A flaw was detected in the printer access control list checking in the CUPS server. Printer names were compared in a case sensitive manner; by modifying the capitalization of printer names, a remote attacker could circumvent ACLs and print to printers he should not have access to. The Ubuntu 5.04 version of cupsys is not vulnerable against this.

20 September 2005

USN-184-1: umount vulnerability

David Watson discovered that “umount -r” removed some restrictive mount options like the “nosuid” flag. If /etc/fstab contains user-mountable removable devices which specify the “nosuid” flag (which is common practice for such devices), a local attacker could exploit this to execute arbitrary programs with root privileges by calling “umount -r” on…

19 September 2005

USN-183-1: Squid vulnerabilities

A Denial of Service vulnerability was discovered in the handling of aborted requests. A remote attacker could exploit this to crash Squid by sending specially crafted requests. (CAN-2005-2794) Alex Masterov discovered a Denial of Service vulnerability in the sslConnectTimeout() function. By sending specially crafted SSL requests, a remote…

13 September 2005

USN-83-2: LessTif 1 vulnerabilities

USN-83-1 fixed some vulnerabilities in the “lesstif2” library. The older “lesstif1” library was also affected, however, a fix was not yet available at that time. This USN fixes the flaws for lesstif1. Please note that there are no supported applications that use this library, so this only affects you if you use third-party applications which use…

13 September 2005

USN-181-1: Mozilla products vulnerability

Tom Ferris discovered a buffer overflow in the Mozilla products (Mozilla browser, Firefox, Thunderbird). By tricking an user to click on a Hyperlink with a specially crafted destination URL, a remote attacker could crash the application. It might even be possible to exploit this vulnerability to execute arbitrary code, but this has not yet been…

12 September 2005

USN-182-1: X server vulnerability

A local privilege escalation vulnerability has been discovered in the pixmap allocation handling of the X server. By allocating a huge pixmap, a local user could trigger an integer overflow that resulted in a memory allocation that was too small for the requested pixmap. This resulted in a buffer overflow which could eventually be exploited to…

12 September 2005

USN-180-1: MySQL vulnerability

AppSecInc Team SHATTER discovered a buffer overflow in the “CREATE FUNCTION” statement. By specifying a specially crafted long function name, a local or remote attacker with function creation privileges could crash the server or execute arbitrary code with server privileges. However, the right to create function is usually not granted…

12 September 2005

USN-179-1: openssl weak default configuration

The current default algorithm for creating “message digests” (electronic signatures) for certificates created by openssl is MD5. However, this algorithm is not deemed secure any more, and some practical attacks have been demonstrated which could allow an attacker to forge certificates with a valid certification authority signature even if he does…

10 September 2005

USN-178-1: Linux kernel vulnerabilities

Oleg Nesterov discovered a local Denial of Service vulnerability in the timer handling. When a non group-leader thread called exec() to execute a different program while an itimer was pending, the timer expiry would signal the old group leader task, which did not exist any more. This caused a kernel panic. This vulnerability only affects Ubuntu…

9 September 2005

USN-177-1: Apache 2 vulnerabilities

Apache did not honour the “SSLVerifyClient require” directive within a <Location> block if the surrounding <VirtualHost> block contained a directive “SSLVerifyClient optional”. This allowed clients to bypass client certificate validation on servers with the above configuration. (CAN-2005-2700) Filip Sneppe discovered a Denial of Service…

7 September 2005

USN-175-1: ntp server vulnerability

Thomas Biege discovered a flaw in the privilege dropping of the NTP server. When ntpd was configured to drop root privileges, and the group to run under was specified as a name (as opposed to a numeric group ID), ntpd changed to the wrong group. Depending on the actual group it changed to, this could either cause non-minimal privileges, or a…

2 September 2005

USN-173-4: PCRE vulnerabilities

USN-173-1 fixed a buffer overflow vulnerability in the PCRE library. However, it was found that the various python packages and gnumeric contain static copies of the library code, so these packages need to be updated as well. In gnumeric this bug could be exploited to execute arbitrary code with the privileges of the user if the user was tricked…

31 August 2005

USN-173-3: Fixed apache2 packages for USN-173-2

USN-173-2 fixed a vulnerability in Apache’s regular expression parser. However, the packages from that advisories had a bug that prevented Apache from starting. This update fixes this. We apologize for the inconvenience!

30 August 2005

USN-173-2: PCRE vulnerability

USN-173-1 fixed a buffer overflow vulnerability in the PCRE library. However, it was determined that this did not suffice to prevent all possible overflows, so another update is necessary. In addition, it was found that the Ubuntu 4.10 version of Apache 2 contains a static copy of the library code, so this package needs to be updated as well. In…

25 August 2005

USN-173-1: PCRE vulnerability

A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the…

24 August 2005

USN-171-1: PHP4 vulnerabilities

CAN-2005-1751: The php4-dev package ships a copy of the “shtool” utility in /usr/lib/php4/build/, which provides useful functionality for developers of software packages. Eric Romang discovered that shtool created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the …

21 August 2005

USN-170-1: gnupg vulnerability

Serge Mister and Robert Zuccherato discovered a weakness of the symmetrical encryption algorithm of gnupg. When decrypting a message, gnupg uses a feature called “quick scan”; this can quickly check whether the key that is used for decryption is (probably) the right one, so that wrong keys can be determined quickly without decrypting the whole…

20 August 2005

USN-169-1: Linux kernel vulnerabilities

David Howells discovered a local Denial of Service vulnerability in the key session joining function. Under certain user-triggerable conditions, a semaphore was not released properly, which caused processes which also attempted to join a key session to hang forever. This only affects Ubuntu 5.04 (Hoary Hedgehog). (CAN-2005-2098) David Howells…

19 August 2005

USN-168-1: Gaim vulnerabilities

Daniel Atallah discovered a Denial of Service vulnerability in the file transfer handler of OSCAR (the module that handles various instant messaging protocols like ICQ). A remote attacker could crash the Gaim client of an user by attempting to send him a file with a name that contains invalid UTF-8 characters. (CAN-2005-2102) It was found that…

12 August 2005

USN-166-1: Evolution vulnerabilities

Ulf Harnhammar disovered several format string vulnerabilities in Evolution. By tricking an user into viewing a specially crafted vCard attached to an email, specially crafted contact data from an LDAP server, specially crafted task lists from remote servers, or saving Calendar entries with this malicious task list data, it was possible for an…

11 August 2005

USN-165-1: heartbeat vulnerability

Eric Romang discovered that heartbeat created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with root privileges as soon as heartbeat is started.

11 August 2005

USN-164-1: netpbm vulnerability

Max Vozeler discovered that the the “pstopnm” conversion tool did not use the -dSAFER option when calling ghostscript. This option prohibits file operations and calling commands within PostScript code. This flaw could be exploited by an attacker to execute arbitrary code if he tricked an user (or an automatic server) into processing a…

11 August 2005

USN-163-1: xpdf vulnerability

xpdf and kpdf did not sufficiently verify the validity of the “loca” table in PDF files, a table that contains glyph description information for embedded TrueType fonts. After detecting the broken table, xpdf attempted to reconstruct the information in it, which caused the generation of a huge temporary file that quickly filled up available disk…

10 August 2005

USN-161-1: bzip2 utility vulnerability

USN-158-1 fixed a command injection vulnerability in the “zgrep” utility. It was determined that the “bzgrep” counterpart in the bzip2 package is vulnerable to the same flaw. bzgrep did not handle shell metacharacters like ‘|’ and ‘&’ properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user…

5 August 2005

USN-160-1: Apache 2 vulnerabilities

Marc Stern discovered a buffer overflow in the SSL module’s certificate revocation list (CRL) handler. If Apache is configured to use a malicious CRL, this could possibly lead to a server crash or arbitrary code execution with the privileges of the Apache web server. (CAN-2005-1268) Watchfire discovered that Apache insufficiently verified…

4 August 2005

USN-157-2: Updated Mozilla Thunderbird Enigmail plugin for Ubuntu 4.10

USN-157-1 fixed some vulnerabilities in the Mozilla Thunderbird email client. The updated Thunderbird version broke compatibility with the Enigmail plugin. As announced in USN-157-1, the Enigmail package was now updated for Ubuntu 4.10 (Warty Warthog) to work with the new Thunderbird version.

2 August 2005

USN-159-1: unzip vulnerability

If a ZIP archive contains binaries with the setuid and/or setgid bit set, unzip preserved those bits when extracting the archive. This could be exploited by tricking the administrator into unzipping an archive with a setuid-root binary into a directory the attacker can access. This allowed the attacker to execute arbitrary commands with root…

1 August 2005

USN-158-1: gzip utility vulnerability

zgrep did not handle shell metacharacters like ‘|’ and ‘&’ properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.

1 August 2005

USN-157-1: Mozilla Thunderbird vulnerabilities

Vladimir V. Perepelitsa discovered a bug in Thunderbird’s handling of anonymous functions during regular expression string replacement. A malicious HTML email could exploit this to capture a random block of client memory. (CAN-2005-0989) Georgi Guninski discovered that the types of certain XPInstall related JavaScript objects were not…

1 August 2005

USN-156-1: TIFF vulnerability

Wouter Hanegraaff discovered that the TIFF library did not sufficiently validate the “YCbCr subsampling” value in TIFF image headers. Decoding a malicious image with a zero value resulted in an arithmetic exception, which caused the program that uses the TIFF library to crash. This leads to a Denial of Service in server applications that use…

29 July 2005

USN-155-2: Updated Epiphany packages to match Mozilla security update

USN-155-1 fixed some security vulnerabilities of the Mozilla suite. Unfortunately this update caused regressions in the Epiphany web browser, which uses parts of the Mozilla browser. The updated packages fix these problems.

29 July 2005

USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities

USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog) version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is also vulnerable to these flaws, so it needs to be upgraded as well. Please see http://www.ubuntulinux.org/support/documentation/usn/usn-149-1 for the original advisory. This update also fixes…

28 July 2005

USN-155-1: Mozilla vulnerabilities

Secunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious web site to spoof the contents of other web sites. (CAN-2005-1937) It was discovered that a malicious website could inject arbitrary scripts into a target site by…

27 July 2005

USN-154-1: vim vulnerability

Georgi Guninski discovered that it was possible to construct Vim modelines that execute arbitrary shell commands by wrapping them in glob() or expand() function calls. If an attacker tricked an user to open a file with a specially crafted modeline, he could exploit this to execute arbitrary commands with the user’s privileges.

26 July 2005

USN-153-1: fetchmail vulnerability

Ross Boylan discovered a remote buffer overflow in fetchmail. By sending invalid responses with very long UIDs, a faulty or malicious POP server could crash fetchmail or execute arbitrary code with the privileges of the user invoking fetchmail. fetchmail is commonly run as root to fetch mail for multiple user accounts; in this case, this…

26 July 2005

USN-151-2: zlib vulnerabilities

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Most applications use the shared library provided by the “zlib1g” package; however, some packages contain copies of the affected zlib code, so they need to be upgraded…

23 July 2005

USN-152-1: PAM/NSS LDAP vulnerabilitiy

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master.

21 July 2005

USN-151-1: zlib vulnerability

USN-148-1 fixed an improver input verification of zlib (CAN-2005-2096). Markus Oberhumer discovered additional ways a disrupted stream could trigger a buffer overflow and crash the application using zlib, so another update is necessary. zlib is used by hundreds of server and client applications, so this vulnerability could be exploited to cause…

21 July 2005

USN-147-2: Fixed php4-pear packages for USN-147-1

USN-147-1 [1] fixed a remote code execution vulnerability in the XMLRPC module of the PEAR library. Unfortunately the packages announced in USN-147-1 were faulty and shipped broken xmlrpc modules. The updated packages ship correct modules. We apologize for the inconvenience. [1] https://www.ubuntulinux.org/support/documentation/usn/usn-147-1

6 July 2005

USN-148-1: zlib vulnerability

Tavis Ormandy discovered that zlib did not properly verify data streams. Decompressing certain invalid compressed files caused corruption of internal data structures, which caused applications which link to zlib to crash. Specially crafted input might even have allowed arbitrary code execution. zlib is used by hundreds of server and client…

6 July 2005

USN-147-1: PHP XMLRPC vulnerability

A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server’s privileges. In Ubuntu 5.04 (Hoary…

5 July 2005

USN-146-1: Ruby vulnerability

Nobuhiro IMAI discovered that the changed default value of the Module#public_instance_methods() method broke the security protection of XMLRPC server handlers. A remote attacker could exploit this to execute arbitrary commands on an XMLRPC server.

29 June 2005

USN-145-1: wget vulnerabilities

Jan Minar discovered a path traversal vulnerability in wget. If the name “..” was a valid host name (which can be achieved with a malicious or poisoned domain name server), it was possible to trick wget into creating downloaded files into arbitrary locations with arbitrary names. For example, wget could silently overwrite the users ~/.bashrc and…

28 June 2005

USN-144-1: dbus vulnerability

Besides providing the global system-wide communication bus, dbus also offers per-user “session” buses which applications in an user’s session can create and use to communicate with each other. Daniel Reed discovered that the default configuration of the session dbus allowed a local user to connect to another user’s session bus if its address was…

28 June 2005

USN-143-1: Linux amd64 kernel vulnerabilities

A Denial of Service vulnerability has been discovered in the ptrace() call on the amd64 platform. By calling ptrace() with specially crafted (“non-canonical”) addresses, a local attacker could cause the kernel to crash. This only affects the amd64 platform. (CAN-2005-1762) ZouNanHai discovered that a local user could hang the kernel by invoking…

27 June 2005

USN-142-1: sudo vulnerability

Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command “ALL”, that user could execute arbitrary commands with sudo by creating symbolic links at a certain time. Please note…

21 June 2005

USN-141-1: tcpdump vulnerability

It was discovered that certain invalid BGP packets triggered an infinite loop in tcpdump, which caused tcpdump to stop working. This could be abused by a remote attacker to bypass tcpdump analysis of network traffic.

21 June 2005

USN-140-1: Gaim vulnerability

A remote Denial of Service vulnerability was discovered in Gaim. A remote attacker could crash the Gaim client of an MSN user by sending a specially crafted MSN package which states an invalid body length in the header.

15 June 2005

USN-139-1: Gaim vulnerability

A remote Denial of Service vulnerability was discovered in Gaim. By initiating a file transfer with a file name containing certain international characters (like an accented “a”), a remote attacker could crash the Gaim client of an arbitrary Yahoo IM member.

10 June 2005

USN-138-1: gedit vulnerability

A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. This becomes security relevant if e. g. your web browser is configued to open URLs in gedit. If you never open…

9 June 2005

USN-137-1: Linux kernel vulnerabilities

Alexander Nyberg discovered that ptrace() insufficiently validated addresses on the amd64 platform so that it was possible to set an invalid segment base. A local attacker could exploit this to crash the kernel. This does not affect the i386 and powerpc platforms in any way. (CAN-2005-0756) Chris Wright discovered that the mmap() function could…

8 June 2005

USN-136-2: Fixed packages for USN-136-1

It was discovered that the packages from USN-136-1 had a flawed patch with regressions that caused the ld linker to fail. The updated packages fix this. We apologize for the inconvenience.

27 May 2005

USN-136-1: binutils vulnerability

Tavis Ormandy found an integer overflow in the Binary File Descriptor (BFD) parser in the GNU debugger. The same vulnerable code is also present in binutils. By tricking an user into processing a specially crafted executable with the binutils tools (strings, objdump, nm, readelf, etc.), an attacker could exploit this to execute arbitrary code with…

27 May 2005

USN-135-1: gdb vulnerabilities

Tavis Ormandy found an integer overflow in the GNU debugger. By tricking an user into merely load a specially crafted executable, an attacker could exploit this to execute arbitrary code with the privileges of the user running gdb. However, loading untrusted binaries without actually executing them is rather uncommon, so the risk of this flaw is…

27 May 2005

USN-133-1: Apache utility vulnerability

A buffer overflow was discovered in the “htpasswd” utility. This could be exploited to execute arbitrary code with the privileges of the user invoking htpasswd. This is only a security vulnerability if you have a website that offers a public interface to htpasswd without checking the input beforehand; however, this is very unusual.

26 May 2005

USN-132-1: ImageMagick vulnerabilities

Damian Put discovered a buffer overflow in the PNM image decoder. Processing a specially crafted PNM file with a small “colors” value resulted in a crash of the application that used the ImageMagick library. (CAN-2005-1275) Another Denial of Service vulnerability was found in the XWD decoder. Specially crafted invalid color masks resulted in an…

23 May 2005

USN-131-1: Linux kernel vulnerabilities

Colin Percival discovered an information disclosure in the “Hyper Threading Technology” architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU. This could…

23 May 2005

USN-130-1: TIFF library vulnerability

Tavis Ormandy discovered a buffer overflow in the TIFF library. A malicious image with an invalid “bits per sample” number could be constructed which, when decoded, would have resulted in execution of arbitrary code with the privileges of the process using the library. Since this library is used in many applications like “ghostscript” and the…

20 May 2005

USN-129-1: Squid vulnerability

It was discovered that Squid did not verify the validity of DNS server responses. When Squid is started, it opens a DNS client UDP port whose number is randomly assigned by the operating system. Unless your network firewall is configured to accept DNS responses only from known good nameservers, this vulnerability allowed users within the…

18 May 2005

USN-128-1: nasm vulnerability

Josh Bressers discovered a buffer overflow in the ieee_putascii() function of nasm. If an attacker tricked a user into assembling a malicious source file, they could exploit this to execute arbitrary code with the privileges of the user that runs nasm.

18 May 2005

USN-127-1: bzip2 vulnerabilities

Imran Ghory discovered a race condition in the file permission restore code of bunzip2. While a user was decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause bzip2 to restore the file permissions to the hard link target instead of to the bzip2…

17 May 2005

USN-126-1: GNU TLS library vulnerability

A Denial of Service vulnerability was discovered in the GNU TLS library, which provides common cryptographic algorithms and is used by many applications in Ubuntu. Due to a missing sanity check of the padding length field, specially crafted ciphertext blocks caused an out of bounds memory access which could crash the application. It was not…

13 May 2005

USN-125-1: Gaim vulnerabilities

Marco Alvarez found a Denial of Service vulnerability in the Jabber protocol handler. A remote attacker could exploit this to crash Gaim by sending specially crafted file transfers to the user. (CAN-2005-0967) Stu Tomlinson discovered an insufficient bounds checking flaw in the URL parser. By sending a message containing a very long URL, a…

13 May 2005

USN-123-1: Xine library vulnerabilities

Two buffer overflows have been discovered in the MMS and Real RTSP stream handlers of the Xine library. By tricking a user to connect to a malicious MMS or RTSP video/audio stream source with an application that uses this library, an attacker could crash the client and possibly even execute arbitrary code with the privileges of the…

6 May 2005

USN-122-1: Squid vulnerability

Michael Bhola discovered that errors in the http_access configuration, in particular missing or invalid ACLs, did not cause a fatal error. This could lead to wider access permissions than intended by the administrator.

6 May 2005

USN-121-1: OpenOffice.org vulnerability

The StgCompObjStream::Load() failed to check the validity of a length field in documents. If an attacker tricked a user to open a specially crafted OpenOffice file, this triggered a buffer overflow which could lead to arbitrary code execution with the privileges of the user opening the document. The update for Ubuntu 5.04 (Hoary Hedgehog) also…

6 May 2005

USN-120-1: Apache 2 vulnerability

Luca Ercoli discovered that the “htdigest” program did not perform any bounds checking when it copied the “user” and “realm” arguments into local buffers. If this program is used in remotely callable CGI scripts, this could be exploited by a remote attacker to execute arbitrary code with the privileges of the CGI script.

6 May 2005

USN-119-1: tcpdump vulnerabilities

It was discovered that certain invalid GRE, LDP, BGP, and RSVP packets triggered infinite loops in tcpdump, which caused tcpdump to stop working. This could be abused by a remote attacker to bypass tcpdump analysis of network traffic.

6 May 2005

USN-118-1: PostgreSQL vulnerabilities

It was discovered that unprivileged users were allowed to call internal character conversion functions. However, since these functions were not designed to be safe against malicious choices of argument values, this could potentially be exploited to execute arbitrary code with the privileges of the PostgreSQL server (user “postgres”)….

4 May 2005

USN-117-1: cvs vulnerability

Alen Zukich discovered a buffer overflow in the processing of version and author information in the CVS client. By tricking an user to connect to a malicious CVS server, an attacker could exploit this to execute arbitrary code with the privileges of the connecting user.

4 May 2005

USN-116-1: gzip vulnerabilities

Imran Ghory discovered a race condition in the file permission restore code of gzip and gunzip. While a user was compressing or decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause gzip to restore the file permissions to the hard link…

4 May 2005

USN-112-1: PHP4 vulnerabilities

An integer overflow was discovered in the exif_process_IFD_TAG() function in PHP4’s EXIF module. EXIF tags with a specially crafted “Image File Directory” (IFD) tag caused a buffer overflow which could have been exploited to execute arbitrary code with the privileges of the PHP4 server. (CAN-2005-1042) The same module also contained a Denial of…

14 April 2005

USN-111-1: Squid vulnerability

A remote Denial of Service vulnerability has been discovered in Squid. If the remote end aborted the connection during a PUT or POST request, Squid tried to free an already freed part of memory, which eventually caused the server to crash.

14 April 2005

USN-110-1: Linux kernel vulnerabilities

Alexander Nyberg discovered an integer overflow in the sysfs_write_file() function. A local attacker could exploit this to crash the kernel or possibly even execute arbitrary code with root privileges by writing to an user-writable file in /sys under certain low-memory conditions. However, there are very few cases where a user-writeable sysfs file…

11 April 2005

USN-109-1: MySQL vulnerability

USN-32-1 fixed a database privilege escalation vulnerability; original advisory text: “If a user was granted privileges to a database with a name containing an underscore (”_“), the user also gained the ability to grant privileges to other databases with similar names. (CAN-2004-0957)” Recently a corner case was discovered where this…

6 April 2005

USN-108-1: GDK vulnerability

Matthias Clasen discovered a Denial of Service vulnerability in the BMP image module of gdk. Processing a specially crafted BMP image with an application using gdk-pixbuf caused an allocated memory block to be free()‘ed twice, leading to a crash of the application. However, it is believed that this cannot be exploited to execute…

6 April 2005

USN-107-1: racoon vulnerability

Sebastian Krahmer discovered a Denial of Service vulnerability in the racoon daemon. By sending specially crafted ISAKMP packets, a remote attacker could trigger a buffer overflow which caused racoon to crash. This update does not introduce any source code changes affecting the ipsec-tools package. It is necessary to update the version number…

6 April 2005

USN-106-1: Gaim vulnerabilities

Jean-Yves Lefort discovered a buffer overflow in the gaim_markup_strip_html() function. This caused Gaim to crash when receiving certain malformed HTML messages. (CAN-2005-0965) Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of…

5 April 2005

USN-105-1: PHP4 vulnerabilities

Two Denial of Service vulnerabilities have been discovered in the getimagesize() function. getimagesize() uses format specific internal functions php_handle_iff() and php_handle_jpeg() which get stuck in infinite loops when certain (invalid) size parameters are read from the image. In web applications that allow users to upload arbitrary image…

5 April 2005

USN-104-1: unshar vulnerability

Joey Hess discovered that “unshar” created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

4 April 2005

USN-103-1: Linux kernel vulnerabilities

Mathieu Lafon discovered an information leak in the ext2 file system driver. When a new directory was created, the ext2 block written to disk was not initialized, so that previous memory contents (which could contain sensitive data like passwords) became visible on the raw device. This is particularly important if the target device is removable…

1 April 2005

USN-102-1: shar vulnerabilities

Shaun Colley discovered a buffer overflow in “shar” that was triggered by output files (specified with -o) with names longer than 49 characters. This could be exploited to run arbitrary attacker specified code on systems that automatically process uploaded files with shar. Ulf Harnhammar discovered that shar does not check the data…

29 March 2005

USN-101-1: telnet vulnerabilities

A buffer overflow was discovered in the telnet client’s handling of the LINEMODE suboptions. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client….

29 March 2005

USN-100-1: cdrecord vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that cdrecord created temporary files in an insecure manner if DEBUG was enabled in /etc/cdrecord/rscsi. If the default value was used (which stored the debug output file in /tmp), this could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking…

24 March 2005

USN-99-2: Fixed php4 packages for USN-99-1

USN-99-1 fixed a safe mode bypass which allowed malicious PHP scripts to circumvent path restrictions by creating a specially crafted directory whose length exceeded the capacity of the realpath() function (CAN-2004-1064). However, this caused severe regressions, some applications like SquirrelMail and Gallery did not work any more, and the…

24 March 2005

USN-99-1: PHP4 vulnerabilities

Stefano Di Paola discovered integer overflows in PHP’s pack() and unpack() functions. A malicious PHP script could exploit these to break out of safe mode and execute arbitrary code with the privileges of the PHP interpreter. (CAN-2004-1018) Note: The second part of CAN-2004-1018 (buffer overflow in the shmop_write() function) was already fixed…

18 March 2005

USN-98-1: OpenSLP vulnerabilities

The SuSE Security Team discovered several buffer overflows in the OpenSLP server and client library. By sending specially crafted SLP packets, a remote attacker could exploit this to crash the SLP server or execute arbitrary code with the privileges of the “daemon” user. Likewise, a malicious SLP server could exploit the client…

18 March 2005

USN-97-1: libxpm vulnerability

Chris Gilbert discovered a buffer overflow in the XPM library shipped with XFree86. If an attacker tricked a user into loading a malicious XPM image with an application that uses libxpm, he could exploit this to execute arbitrary code with the privileges of the user opening the image. These overflows do not allow privilege escalation through the…

16 March 2005

USN-96-1: mySQL vulnerabilities

Stefano Di Paola discovered three privilege escalation flaws in the MySQL server: - If an authenticated user had INSERT privileges on the ‘mysql’ administrative database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the database server (user ‘mysql’). (CAN-2005-0709) -…

16 March 2005

USN-95-1: Linux kernel vulnerabilities

A remote Denial of Service vulnerability was discovered in the Netfilter IP packet handler. This allowed a remote attacker to crash the machine by sending specially crafted IP packet fragments. (CAN-2005-0209) The Netfilter code also contained a memory leak. Certain locally generated packet fragments are reassembled twice, which caused a double…

15 March 2005

USN-94-1: Perl vulnerability

Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that…

9 March 2005

USN-93-1: Squid vulnerability

A race condition was discovered in the handling of “Set-Cookie” headers. If the obsolete Netscape recommendation was used for handling cookies in the cache, it was possible for an attacker to steal the cookies of other users.

8 March 2005

USN-92-1: LessTif vulnerabilities

Several vulnerabilities have been found in the XPM image decoding functions of the LessTif library. If an attacker tricked a user into loading a malicious XPM image with an application that uses LessTif, he could exploit this to execute arbitrary code in the context of the user opening the image. Ubuntu does not contain any server applications…

8 March 2005

USN-91-1: EXIF library vulnerability

Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user to load an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process.

8 March 2005

USN-90-1: Imagemagick vulnerability

Tavis Ormandy discovered a format string vulnerability in ImageMagick’s file name handling. Specially crafted file names could cause a program using ImageMagick to crash, or possibly even cause execution of arbitrary code. Since ImageMagick can be used in custom printing systems, this also might lead to privilege escalation (execute code with the…

3 March 2005

USN-89-1: XML library vulnerabilities

Several buffer overflows have been discovered in libxml’s FTP connection and DNS resolution functions. Supplying very long FTP URLs or IP addresses might result in execution of arbitrary code with the privileges of the process using libxml. This does not affect the core XML parsing code, which is what the majority of programs use this library…

28 February 2005

USN-88-1: reportbug information disclosure

Rolf Leggewie discovered two information disclosure bugs in reportbug. The per-user configuration file ~/.reportbugrc was created world-readable. If it contained email smarthost passwords, these were readable by any other user on the computer storing the home directory. reportbug usually includes the settings from ~/.reportbugrc in generated bug…

28 February 2005

USN-87-1: Cyrus IMAP server vulnerability

Sean Larsson discovered a buffer overflow in the IMAP “annotate” extension. This possibly allowed an authenticated IMAP client to execute arbitrary code with the privileges of the Cyrus IMAP server.

28 February 2005

USN-86-1: cURL vulnerability

infamous41md discovered a buffer overflow in cURL’s NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer. This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library.

28 February 2005

USN-85-1: Gaim vulnerabilities

The Gaim developers discovered that the HTML parser did not sufficiently validate its input. This allowed a remote attacker to crash the Gaim client by sending certain malformed HTML messages. (CAN-2005-0208, CAN-2005-0473) Another lack of sufficient input validation was found in the “Oscar” protocol handler which is used for ICQ and AIM. By…

26 February 2005

USN-84-1: Squid vulnerabilities

When parsing the configuration file, squid interpreted empty Access Control Lists (ACLs) without defined authentication schemes in a non-obvious way. This could allow remote attackers to bypass intended ACLs. (CAN-2005-0194) A remote Denial of Service vulnerability was discovered in the domain name resolution code. A faulty or malicious DNS…

21 February 2005

USN-66-2: PHP vulnerability

Ubuntu Security Notice USN-66-1 described a circumvention of the “open_basedir” restriction by using the cURL module. Adam Conrad discovered that the fix from USN-66-1 still allowed to bypass this restriction with certain variants of path specifications. In addition this update fixes the crash of the PHP interpreter if curl_init() was called…

17 February 2005

USN-78-2: Fixed mailman packages for USN-78-1

Ubuntu Security Announce USN-78-1 described a path traversal vulnerability in the “private” module of Mailman. Unfortunately this updated mailman package was broken so that the “private” module could not be executed at all any more. The latest package version fixes this. We apologize for the inconvenience. For reference, this is the description…

17 February 2005

USN-83-1: LessTif 2 vulnerabilities

Several vulnerabilities have been found in the XPM image decoding functions of the LessTif library. If an attacker tricked a user into loading a malicious XPM image with an application that uses LessTif, he could exploit this to execute arbitrary code in the context of the user opening the image. Ubuntu does not contain any server applications…

16 February 2005

USN-82-1: Linux kernel vulnerabilities

CAN-2004-0176: Michael Kerrisk noticed an insufficient permission checking in the shmctl() function. Any process was permitted to lock/unlock any System V shared memory segment that fell within the the RLIMIT_MEMLOCK limit (that is the maximum size of shared memory that unprivileged users can acquire). This allowed am unprivileged user …

15 February 2005

USN-81-1: iptables vulnerability

Faheem Mitha noticed that the “iptables” command did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup.

11 February 2005

USN-80-1: mod_python vulnerability

Graham Dumpleton discovered an information disclosure in the “publisher” handle of mod_python. By requesting a carefully crafted URL for a published module page, anybody can obtain extra information about internal variables, objects, and other information which is not intended to be visible.

11 February 2005

USN-79-1: PostgreSQL vulnerabilities

The execution of custom PostgreSQL functions can be restricted with the EXECUTE privilege. However, previous versions did not check this privilege when executing a function which was part of an aggregate. As a result, any database user could circumvent the EXECUTE restriction of functions with a particular (but very common) parameter structure…

11 February 2005

USN-78-1: Mailman vulnerability

An path traversal vulnerability has been discovered in the “private” module of Mailman. A flawed path sanitation algorithm allowed the construction of URLS to arbitrary files readable by Mailman. This allowed a remote attacker to retrieve configuration and password databases, private list archives, and other files.

10 February 2005

USN-77-1: Squid vulnerabilities

A possible authentication bypass was discovered in the LDAP authentication backend. LDAP ignores leading and trailing whitespace in search filters. This could possibly be abused to bypass explicit access controls or confuse accounting when using several variants of the login name. (CAN-2005-0173) Previous Squid versions were not strict enough…

8 February 2005

USN-76-1: Emacs vulnerability

Max Vozeler discovered a format string vulnerability in the “movemail” utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could have been exploited to execute arbitrary code with the privileges of the user and the “mail” group (since “movemail” is installed as “setgid mail”).

7 February 2005

USN-74-2: Fixed Postfix packages for USN-74-1

This is an update to the recently published Ubuntu Security Notice USN-74-1, which fixed the delivery of arbitrary mail to any MX host which has an IPv6 address. Unfortunately that upgrade revealed an error in the package upgrade system which caused package installation to fail. After the failed upgrade the Postfix server was not started again,…

5 February 2005

USN-75-1: cpio vulnerability

Recently it was discovered that cpio created world-writeable files when used in -o/–create mode with giving an output file (with -O). This allowed any user to modify the created cpio archives. Now cpio respects the current umask setting of the user. Note: This vulnerability has already been fixed in a very old version of cpio, but the fix was…

4 February 2005

USN-74-1: Postfix vulnerability

Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code of Postfix when /proc/net/if_inet6 is not available (which is the case in Ubuntu since Postfix runs in a chroot). If “permit_mx_backup” was enabled in the “smtpd_recipient_restrictions”, Postfix turned into an open relay, i. e. erroneously permitted the delivery of…

4 February 2005

USN-73-1: Python vulnerability

The Python developers discovered a flaw in the SimpleXMLRPCServer module. Python XML-RPC servers that used the register_instance() method to register an object, but do not have a dispatch() method, allowed remote users to access or change function internals using the im* and func_* attributes.

4 February 2005

USN-72-1: Perl vulnerabilities

Two exploitable vulnerabilities involving setuid-enabled perl scripts have been discovered. The package “perl-suid” provides a wrapper around perl which allows to use setuid-root perl scripts, i.e. user-callable Perl scripts which have full root privileges. Previous versions allowed users to overwrite arbitrary files by setting the PERLIO_DEBUG…

2 February 2005

USN-71-1: PostgreSQL vulnerability

John Heasman discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library’s initialisation function was then executed with the permissions of the server. Now the use of LOAD is restricted to the database superuser…

1 February 2005

USN-70-1: Perl DBI module vulnerability

Javier Fern�ndez-Sanguino Pe�a from the Debian Security Audit Project discovered that the module DBI::ProxyServer in Perl’s DBI library created a PID file in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking a program using this module (like ‘dbiproxy’). Now…

26 January 2005

USN-69-1: Evolution vulnerability

Max Vozeler discovered an integer overflow in camel-lock-helper. An user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root…

24 January 2005

USN-68-1: enscript vulnerabilities

Erik Sj�lund discovered several vulnerabilities in enscript which could cause arbitrary code execution with the privileges of the user calling enscript. Quotes and other shell escape characters in titles and file names were not handled in previous versions. (CAN-2004-1184) Previous versions supported reading EPS data not only from a file,…

24 January 2005

USN-67-1: Squid vulnerabilities

infamous41md discovered several Denial of Service vulnerabilities in squid. A malicious Gopher server could crash squid by sending a line bigger than 4096 bytes. (CAN-2005-0094) If squid is configured to send WCPP (Web Cache Communication Protocol) messages to a “home router”, an attacker who was able to send UDP packets with a forged source…

21 January 2005

USN-66-1: PHP vulnerabilities

FraMe from kernelpanik.org reported that the cURL module does not respect open_basedir restrictions. As a result, scripts which used cURL to open files with an user-specified path could read arbitrary local files outside of the open_basedir directory. Stefano Di Paola discovered a vulnerability in PHP’s shmop_write() function. Its “offset”…

21 January 2005

USN-65-1: Apache utility script vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that the “check_forensic” script created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

20 January 2005

USN-64-1: xpdf, CUPS vulnerabilities

A buffer overflow has been found in the xpdf viewer. An insufficient input validation of the encryption key length could be exploited by an attacker providing a specially crafted PDF file which, when processed by xpdf, could result in abnormal program termination or the execution of attacker supplied program code with the user’s privileges. The…

19 January 2005

USN-63-1: MySQL client vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that the “mysqlaccess” program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

19 January 2005

USN-62-1: imagemagick vulnerability

Andrei Nigmatulin discovered a potential buffer overflow in the PhotoShop Document image decoding function of ImageMagick. Decoding a malicious PSD image which specifies more than the allowed 24 channels might result in execution of arbitrary code with the user’s privileges. Since ImageMagick can be used in custom printing systems, this…

19 January 2005

USN-61-1: vim vulnerabilities

Javier Fern�ndez-Sanguino Pe�a noticed that the auxillary scripts “tcltags” and “vimspell.sh” created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim).

19 January 2005

USN-60-0: Linux kernel vulnerabilities

CAN-2005-0001: Paul Starzetz discovered a race condition in the Linux page fault handler code. This allowed an unprivileged user to gain root privileges on multiprocessor machines under some circumstances. This also affects the Hyper-Threading mode on Pentium 4…

14 January 2005

USN-59-1: mailman vulnerabilities

Florian Weimer discovered a cross-site scripting vulnerability in mailman’s automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error…

11 January 2005

USN-58-1: MIT Kerberos server vulnerability

Michael Tautschnig discovered a possible buffer overflow in the add_to_history() function in the MIT Kerberos 5 implementation. Performing a password change did not properly track the password policy’s history count and the maximum number of keys. This could cause an array overflow and may have allowed authenticated users (not necessarily one with…

10 January 2005

USN-57-1: Linux kernel vulnerabilities

Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235) Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes…

9 January 2005

USN-56-1: exim4 vulnerabilities

A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of…

7 January 2005

USN-55-1: imlib2 vulnerabilities

Recently, Pavel Kankovsky discovered several buffer overflows in imlib which were fixed in USN-53-1. It was found that imlib2 was vulnerable to similar issues. If an attacker tricked a user into loading a malicious XPM or BMP image, he could exploit this to execute arbitrary code in the context of the user opening the image. These…

7 January 2005

USN-54-1: TIFF library tool vulnerability

Dmitry V. Levin discovered a buffer overflow in the “tiffdump” utility. If an attacker tricked a user into processing a malicious TIFF image with tiffdump, they could cause a buffer overflow which at least causes the program to crash. However, it is not entirely clear whether this can be exploited to execute arbitrary code with the privileges of…

7 January 2005

USN-53-1: imlib vulnerabilities

Pavel Kankovsky discovered several buffer overflows in imlib. If an attacker tricked a user into loading a malicious image, he could exploit this to execute arbitrary code in the context of the user opening the image.

29 December 2004

USN-52-1: vim vulnerability

Ciaran McCreesh found several vulnerabilities related to the use of options in Vim modeline commands, such as ‘termcap’, ‘printdevice’, ‘titleold’, ‘filetype’, ‘syntax’, ‘backupext’, ‘keymap’, ‘patchmode’, and ‘langmenu’. If an attacker tricked an user to open a file with a specially crafted modeline, he could exploit this to execute arbitrary…

23 December 2004

USN-51-1: teTeX auxiliary script vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that “xdvizilla”, an auxiliary script to integrate DVI file viewing in Mozilla-based browsers, created temporary files and directories in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

23 December 2004

USN-50-1: CUPS vulnerabilities

CAN-2004-1125: The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS contains xpdf code to convert incoming PDF files to the PostScript format, this vulnerability applies to cups as well. In this case it could even lead to privilege escalation: if an attacker submitted a malicious PDF file for printing, he could be able to…

23 December 2004

USN-49-1: debmake vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that the debstd script from debmake, a deprecated helper package for Debian packaging, created temporary directories in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

23 December 2004

USN-48-1: xpdf, tetex-bin vulnerabilities

A potential buffer overflow has been found in the xpdf viewer. An insufficient input validation could be exploited by an attacker providing a specially crafted PDF file which, when processed by xpdf, could result in abnormal program termination or the execution of attacker supplied program code with the user’s privileges. The tetex-bin package…

23 December 2004

USN-47-1: Linux kernel vulnerabilities

Georgi Guninski discovered two Denial of Service vulnerabilities in the Linux kernel. An integer overflow in the vc_resize() function caused the memory allocation for the new screen being too short, thus causing a buffer overflow and a kernel crash. There was also a memory leak in the ip_options_get() function. Calling ip_cmsg_send() very often…

23 December 2004

USN-46-1: TIFF library vulnerability

A buffer overflow was discovered in the TIFF library. A TIFF file includes a value indicating the number of “directory entry” header fields contained in the file. If this value is -1, an invalid memory allocation was performed. A malicious image could be constructed which, when decoded, would have resulted in execution of arbitrary code with the…

22 December 2004

USN-45-1: nasm vulnerability

Jonathan Rockway discovered a locally exploitable buffer overflow in the error() function of nasm. If an attacker tricked a user into assembling a malicious source file, they could exploit this to execute arbitrary code with the privileges of the user that runs nasm.

22 December 2004

USN-44-1: perl information leak

A race condition and possible information leak has been discovered in Perl’s File::Path::rmtree(). This function changes the permission of files and directories before removing them to avoid problems with wrong permissions. However, they were made readable and writable not only for the owner, but for the entire world, which opened a race condition…

21 December 2004

USN-43-1: groff utility vulnerabilities

Javier Fern�ndez-Sanguino Pe�a discovered that the auxiliary scripts “eqn2graph” and “pic2graph” created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.

21 December 2004

USN-42-1: Xine library vulnerabilities

Several buffer overflows have been discovered in xine-lib, the video/audio codec library for Xine frontends (xine-ui, totem-xine, kaffeine, and others). If an attacker tricked a user into loading a malicious RTSP stream or a stream with specially crafted AIFF audio or PNM image data, they could exploit this to execute arbitrary code with the…

21 December 2004

USN-41-1: Samba vulnerability

Greg MacManus discovered an integer overflow in Samba’s smbd daemon. Requesting a very large number of access control descriptors from the server caused an integer overflow, which resulted in a memory allocation being too short, thus causing a buffer overflow. By sending carefully crafted data, an attacker could exploit this to execute arbitrary…

18 December 2004

USN-40-1: PHP vulnerabilities

Stefan Esser reported several buffer overflows in PHP’s variable unserializing handling. These could allow an attacker to execute arbitrary code on the server with the PHP interpreter’s privileges by sending specially crafted input strings (form data, cookie values, and similar). Additionally, Ilia Alshanetsky discovered a buffer overflow in…

17 December 2004

USN-39-1: Linux amd64 kernel vulnerability

USN-30-1 fixed several flaws in the Linux ELF binary loader’s handling of setuid binaries. Unfortunately it was found that these patches were not sufficient to prevent all possible attacks on 64-bit platforms, so previous amd64 kernel images were still vulnerable to root privilege escalation if setuid binaries were run under certain…

17 December 2004

USN-38-1: Linux kernel vulnerabilities

CAN-2004-0814: Vitaly V. Bursov discovered a Denial of Service vulnerability in the “serio” code; opening the same tty device twice and doing some particular operations on it caused a kernel panic and/or a system lockup. Fixing this vulnerability required a change in the Application Binary Interface (ABI) of the kernel. This means…

15 December 2004

USN-37-1: cyrus21-imapd vulnerability

Recently another buffer overflow has been discovered in the SASL authentication module of the Cyrus IMAP server. An off-by-one comparison error in the mysasl_canon_user() function could lead to a missing termination of an user name string. This vulnerability could allow remote, attacker-supplied machine code to be executed in the context of the…

2 December 2004

USN-36-1: NFS statd vulnerability

SGI discovered a remote Denial of Service vulnerability in the NFS statd server. statd did not ignore the “SIGPIPE” signal which caused it to shutdown if a misconfigured or malicious peer terminated the TCP connection prematurely.

1 December 2004

USN-35-1: imagemagick vulnerabilities

Markus Meissner discovered several potential buffer overflows in some image decoding functions of ImageMagick. Decoding a malicious BMP or DIB image or AVI video might result in execution of arbitrary code with the user’s privileges. Since imagemagick can be used in custom printing systems, this also might lead to privilege escalation (execute…

1 December 2004

USN-34-1: OpenSSH information leakage

@Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i. e. the time after which the “password:” prompt appears again. A similar issue affects systems which do not allow root logins…

30 November 2004

USN-33-1: libgd vulnerabilities

CAN-2004-0990 described several buffer overflows which had been discovered in libgd’s PNG handling functions. Another update is required because the update from USN-21-1 was not sufficient to prevent every possible attack. If an attacker tricks a user into loading a malicious PNG or XPM image, they could leverage this into executing arbitrary…

30 November 2004

USN-32-1: mysql vulnerabilities

Several vulnerabilities have been discovered in the MySQL database server. Lukasz Wojtow discovered a potential buffer overflow in the function mysql_real_connect(). A malicious name server could send specially crafted DNS packages which might result in execution of arbitrary code with the database server’s privileges. However, it is believed…

25 November 2004

USN-31-1: cyrus21-imapd vulnerabilities

Stefan Esser discovered several buffer overflows in the Cyrus IMAP server. Due to insufficient checking within the argument parser of the “partial” and “fetch” commands, an argument like “body[p” was detected as “body.peek”. This could cause a buffer overflow which could be exploited to execute arbitrary attacker-supplied code. This update also…

24 November 2004

USN-30-1: Linux kernel vulnerabilities

CAN-2004-0883, CAN-2004-0949: During an audit of the smb file system implementation within Linux, several vulnerabilities were discovered ranging from out of bounds read accesses to kernel level buffer overflows. To exploit any of these vulnerabilities, an attacker needs control over the answers of the connected Samba server. This…

19 November 2004

USN-29-1: samba vulnerability

During an audit of the Samba 3.x code base Stefan Esser discovered a Unicode file name buffer overflow within the handling of TRANSACT2_QFILEPATHINFO replies. A malicious samba user with write access to a share could exploit this by creating specially crafted path names (files with very long names containing Unicode characters) that would overflow…

18 November 2004

USN-28-1: sudo vulnerability

Liam Helmer discovered an input validation flaw in sudo. When the standard shell “bash” starts up, it searches the environment for variables with a value beginning with “()”. For each of these variables a function with the same name is created, with the function body filled in from the environment variable’s value. A malicious user with sudo…

18 November 2004

USN-27-1: libxpm4 vulnerability

Chris Evans discovered several stack overflows in the versions of libXpm shipped by X.Org, XFree86, and LessTif. These overflows were fixed in the Warty development tree before its release. Mathieu Herrb of OpenBSD subsequently discovered that the original patch was insufficient to address these overflows, and thus the version of libxpm4 shipped…

18 November 2004

USN-26-1: bogofilter vulnerability

Antti-Juhani Kaijanaho discovered a Denial of Service vulnerability in bogofilter. The quoted-printable decoder handled certain Base-64 encoded strings in an invalid way which caused a buffer overflow and an immediate program abort. The exact impact depends on the way bogofilter is integrated into the system. In common setups, the mail that…

17 November 2004

USN-25-1: libgd2 vulnerability

CAN-2004-0990 described several more buffer overflows which had been discovered in libgd2’s PNG handling functions. However, it was determined that the update from USN-11-1 was not sufficient to prevent every possible attack, so another update is required. If an attacker tricked a user into loading a malicious PNG image, they could leverage this…

16 November 2004

USN-24-1: openssl script vulnerability

Recently, Trustix Secure Linux discovered a vulnerability in the openssl package. The auxiliary script “der_chop” created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

12 November 2004

USN-23-1: apache2 vulnerability

Chintan Trivedi discovered a Denial of Service vulnerability in apache2. The field length limit was not enforced for certain malicious requests. This could allow a remote attacker who is able to send large amounts of data to a server to cause HTTP server instances to consume proportional amounts of memory, which can render the service unavailable.

12 November 2004

USN-22-1: samba vulnerability

Karol Wiesek discovered a Denial of Service vulnerability in samba. A flaw in the input validation routines used to match filename strings containing wildcard characters may allow a remote user to consume more than normal amounts of CPU resources, thus impacting the performance and response of the server. In some circumstances the server…

10 November 2004

USN-21-1: libgd vulnerabilities

Several buffer overflows have been discovered in libgd’s PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo…

10 November 2004

USN-20-1: Ruby CGI module vulnerability

The Ruby developers discovered a potential Denial of Service vulnerability in the CGI module (cgi.rb). Specially crafted CGI requests could cause an infinite loop in the server process. Repetitive attacks could use most of the available processor resources, exhaust the number of allowed parallel connections in web servers, or cause similar effects…

9 November 2004

USN-19-1: squid vulnerabilities

Recently, two Denial of Service vulnerabilities have been discovered in squid, a WWW proxy cache. Insufficient input validation in the NTLM authentication handler allowed a remote attacker to crash the service by sending a specially crafted NTLMSSP packet. Likewise, due to an insufficient validation of ASN.1 headers, a remote attacker…

7 November 2004

USN-18-1: zip vulnerability

HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives…

6 November 2004

USN-17-1: passwd vulnerability

Martin Schulze and Steve Grubb discovered a flaw in the authentication input validation of the “chfn” and “chsh” programs. This allowed logged in users with an expired password to change their real name and their login shell without having to change their password. This flaw cannot lead to privilege escalation and does not allow to modify account…

5 November 2004

USN-16-1: perl vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the perl package. The utility “instmodsh”, the Perl package “PPPort.pm”, and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with…

3 November 2004

USN-15-1: lvm10 vulnerability

Recently, Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program “lvmcreate_initrd” created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

2 November 2004

USN-14-1: xpdf vulnerabilities

Markus Meissner discovered even more integer overflow vulnerabilities in xpdf, a viewer for PDF files. These integer overflows can eventually lead to buffer overflows. The Common UNIX Printing System (CUPS) uses the same code to print PDF files; tetex-bin uses the code to generate PDF output and process included PDF files. In any case, these…

2 November 2004

USN-13-1: groff utility vulnerability

Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility “groffer” created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.

2 November 2004

USN-10-1: XML library vulnerabilities

Several buffer overflows have been discovered in libxml2’s FTP connection and DNS resolution functions. Supplying very long FTP URLs or IP addresses might result in execution of arbitrary code with the privileges of the process using libxml2. Since libxml2 is used in packages like php4-imagick, the vulnerability also might lead to privilege…

30 October 2004

USN-12-1: ppp Denial of Service

It has been discovered that ppp does not properly verify certain data structures used in the CBCP protocol. This vulnerability could allow an attacker to cause the pppd server to crash due to an invalid memory access, leading to a denial of service. However, there is no possibility of code execution or privilege escalation.

29 October 2004

USN-11-1: libgd2 vulnerabilities

Several buffer overflows have been discovered in libgd’s PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo…

29 October 2004

USN-9-1: tetex-bin vulnerabilities

Chris Evans and Marcus Meissner recently discovered several integer overflow vulnerabilities in xpdf, a viewer for PDF files. Because tetex-bin contains xpdf code, it is also affected. These vulnerabilities could be exploited by an attacker providing a specially crafted TeX, LaTeX, or PDF file. Processing such a file with pdflatex could result in…

28 October 2004

USN-4-1: Standard C library script vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the libc6 package. The utilities “catchsegv” and “glibcbug” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

28 October 2004

USN-8-1: gaim vulnerabilities

A buffer overflow and two remote crashes were recently discovered in gaim’s MSN protocol handler. An attacker could potentially execute arbitrary code with the user’s privileges by crafting and sending a particular MSN message.

27 October 2004

USN-7-1: imagemagick vulnerability

A buffer overflow in imagemagick’s EXIF parsing routine has been discovered in imagemagick versions prior to 6.1.0. Trying to query EXIF information of a malicious image file might result in execution of arbitrary code with the user’s privileges. Since imagemagick can be used in custom printing systems, this also might lead to privilege…

27 October 2004

USN-6-1: postgresql contributed script vulnerability

Recently, Trustix Secure Linux discovered a vulnerability in the postgresql-contrib package. The script “make_oidjoins_check” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the script.

27 October 2004

USN-5-1: gettext vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the gettext package. The programs “autopoint” and “gettextize” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

27 October 2004

USN-3-1: GhostScript utility script vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the gs-common package. The utilities “pv.sh” and “ps2epsi” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

27 October 2004

USN-2-1: xpdf vulnerabilities

Chris Evans discovered several integer overflow vulnerabilities in xpdf, a viewer for PDF files. The Common UNIX Printing System (CUPS) also uses the same code to print PDF files. In either case, these vulnerabilities could be exploited by an attacker by providing a specially crafted PDF file which, when processed by CUPS or xpdf, could result…

23 October 2004

USN-1-1: PNG library vulnerabilities

Several integer overflow vulnerabilities were discovered in the PNG library. These vulnerabilities could be exploited by an attacker by providing a specially crafted PNG image which, when processed by the PNG library, could result in the execution of program code provided by the attacker. The PNG library is used by a variety of software packages…

23 October 2004