USNs for ubuntu 5.04

USN-372-1: imagemagick vulnerability

M. Joonas Pihlaja discovered that ImageMagick did not sufficiently verify the validity of PALM and DCM images. When processing a specially crafted image with an application that uses imagemagick, this could be exploited to execute arbitrary code with the application’s privileges.

1 November 2006

USN-371-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly check for the end of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

1 November 2006

USN-370-1: screen vulnerability

cstone and Rich Felker discovered a programming error in the UTF8 string handling code of “screen” leading to a denial of service. If a crafted string was displayed within a screen session, screen would crash or possibly execute arbitrary code.

1 November 2006

USN-368-1: Qt vulnerability

An integer overflow was discovered in Qt’s image loader. By processing a specially crafted image with an application that uses this library (like Konqueror), a remote attacker could exploit this to execute arbitrary code with the application’s privileges.

24 October 2006

USN-367-1: Pike vulnerability

An SQL injection was discovered in Pike’s PostgreSQL module. Applications using a PostgreSQL database and uncommon character encodings could be fooled into running arbitrary SQL commands, which could result in privilege escalation within the application, application data exposure, or denial of service. Please refer to…

18 October 2006

USN-365-1: libksba vulnerability

A parsing failure was discovered in the handling of X.509 certificates that contained extra trailing data. Malformed or malicious certificates could cause services using libksba to crash, potentially creating a denial of service.

16 October 2006

USN-363-1: libmusicbrainz vulnerability

Luigi Auriemma discovered multiple buffer overflows in libmusicbrainz. When a user made queries to MusicBrainz servers, it was possible for malicious servers, or man-in-the-middle systems posing as servers, to send a crafted reply to the client request and remotely gain access to the user’s system with the user’s privileges.

11 October 2006

USN-362-1: PHP vulnerabilities

The stripos() function did not check for invalidly long or empty haystack strings. In an application that uses this function on arbitrary untrusted data this could be exploited to crash the PHP interpreter. (CVE-2006-4485) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the “memory_limit” setting…

11 October 2006

USN-361-1: Mozilla vulnerabilities

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571) A bug was found in the script handler for automatic…

10 October 2006

USN-360-1: awstats vulnerabilities

awstats did not fully sanitize input, which was passed directly to the user’s browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user’s authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681) awstats could display its installation path under…

10 October 2006

USN-359-1: Python vulnerability

Benjamin C. Wiley Sittler discovered that Python’s repr() function did not properly handle UTF-32/UCS-4 strings. If an application uses repr() on arbitrary untrusted data, this could be exploited to execute arbitrary code with the privileges of the python application.

6 October 2006

USN-353-2: OpenSSL vulnerability

USN-353-1 fixed several vulnerabilities in OpenSSL. However, Mark J Cox noticed that the applied patch for CVE-2006-2940 was flawed. This update corrects that patch. For reference, this is the relevant part of the original advisory: Certain types of public key could take disproportionate amounts of time to process. The library now limits the…

5 October 2006

USN-358-1: ffmpeg, xine-lib vulnerabilities

XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not correctly validate certain headers. By tricking a user into playing an AVI with malicious headers, an attacker could execute arbitrary code with the target user’s privileges. (CVE-2006-4799) Multiple integer overflows were discovered in ffmpeg and tools that contain…

5 October 2006

USN-356-1: gdb vulnerability

Will Drewry, of the Google Security Team, discovered buffer overflows in GDB’s DWARF processing. This would allow an attacker to execute arbitrary code with user privileges by tricking the user into using GDB to load an executable that contained malicious debugging information.

2 October 2006

USN-355-1: openssh vulnerabilities

Tavis Ormandy discovered that the SSH daemon did not properly handle authentication packets with duplicated blocks. By sending specially crafted packets, a remote attacker could exploit this to cause the ssh daemon to drain all available CPU resources until the login grace time expired. (CVE-2006-4924) Mark Dowd discovered a race condition in the…

2 October 2006

USN-353-1: openssl vulnerabilities

Dr. Henson of the OpenSSL core team and Open Network Security discovered a mishandled error condition in the ASN.1 parser. By sending specially crafted packet data, a remote attacker could exploit this to trigger an infinite loop, which would render the service unusable and consume all available system memory. (CVE-2006-2937) Certain types of…

29 September 2006

USN-349-1: gzip vulnerabilities

Tavis Ormandy discovered that gzip did not sufficiently verify the validity of gzip or compress archives while unpacking. By tricking an user or automated system into unpacking a specially crafted compressed file, this could be exploited to execute arbitrary code with the user’s privileges.

20 September 2006

USN-348-1: GnuTLS vulnerability

The GnuTLS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.

19 September 2006

USN-347-1: Linux kernel vulnerabilities

Sridhar Samudrala discovered a local Denial of Service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the…

19 September 2006

USN-346-1: Linux kernel vulnerabilities

A Denial of service vulnerability was reported in iptables’ SCTP conntrack module. On computers which use this iptables module, a remote attacker could expoit this to trigger a kernel crash. (CVE-2006-2934) A buffer overflow has been discovered in the dvd_read_bca() function. By inserting a specially crafted DVD, USB stick, or…

15 September 2006

USN-345-1: mailman vulnerabilities

Steve Alexander discovered that mailman did not properly handle attachments with special filenames. A remote user could exploit that to stop mail delivery until the server administrator manually cleaned these posts. (CVE-2006-2941) Various cross-site scripting vulnerabilities have been reported by Barry Warsaw. By using specially crafted email…

13 September 2006

USN-344-1: X.org vulnerabilities

iDefense security researchers found several integer overflows in X.org’s font handling library. By using a specially crafted Type1 CID font file, a local user could exploit these to crash the X server or execute arbitrary code with root privileges.

13 September 2006

USN-343-1: bind9 vulnerabilities

bind did not sufficiently verify particular requests and responses from other name servers and users. By sending a specially crafted packet, a remote attacker could exploit this to crash the name server.

8 September 2006

USN-342-1: PHP vulnerabilities

The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application’s privileges. (CVE-2006-4020) The file_exists() and imap_reopen() functions did not…

7 September 2006

USN-341-1: libxfont vulnerability

An integer overflow has been discovered in X.org’s font handling library. By using a specially crafted font file, this could be exploited to crash the X server or execute arbitrary code with root privileges.

7 September 2006

USN-340-1: imagemagick vulnerabilities

Tavis Ormandy discovered several buffer overflows in imagemagick’s Sun Raster and XCF (Gimp) image decoders. By tricking a user or automated system into processing a specially crafted image, this could be exploited to execute arbitrary code with the users’ privileges.

6 September 2006

USN-339-1: OpenSSL vulnerability

Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.

5 September 2006

USN-337-1: imagemagick vulnerability

Damian Put discovered a buffer overflow in imagemagick’s SGI file format decoder. By tricking an user or automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user’s privileges.

17 August 2006

USN-336-1: binutils vulnerability

A buffer overflow was discovered in gas (the GNU assembler). By tricking an user or automated system (like a compile farm) into assembling a specially crafted source file with gcc or gas, this could be exploited to execute arbitrary code with the user’s privileges.

17 August 2006

USN-335-1: heartbeat vulnerability

Yan Rong Ge discovered that heartbeat did not sufficiently verify some packet input data, which could lead to an out-of-boundary memory access. A remote attacker could exploit this to crash the daemon (Denial of Service).

16 August 2006

USN-334-1: krb5 vulnerabilities

Michael Calmer and Marcus Meissner discovered that several krb5 tools did not check the return values from setuid() system calls. On systems that have configured user process limits, it may be possible for an attacker to cause setuid() to fail via resource starvation. In that situation, the tools will not reduce their privilege levels, and…

16 August 2006

USN-333-1: libwmf vulnerability

An integer overflow was found in the handling of the MaxRecordSize field in the WMF header parser. By tricking a user into opening a specially crafted WMF image file with an application that uses this library, an attacker could exploit this to execute arbitrary code with the user’s privileges.

9 August 2006

USN-332-1: gnupg vulnerability

Evgeny Legerov discovered that gnupg did not sufficiently check the validity of the comment and a control field. Specially crafted GPG data could cause a buffer overflow. This could be exploited to execute arbitrary code with the user’s privileges if an attacker can trick an user into processing a malicious encrypted/signed document with gnupg.

3 August 2006

USN-330-1: tiff vulnerabilities

Tavis Ormandy discovered that the TIFF library did not sufficiently check handled images for validity. By tricking an user or an automated system into processing a specially crafted TIFF image, an attacker could exploit these weaknesses to execute arbitrary code with the target application’s privileges. This library is used in many client and…

3 August 2006

USN-328-1: Apache vulnerability

Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module’s ldap scheme handling. On systems which activate “RewriteEngine on”, a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified). “RewriteEngine on” is disabled by default. Systems which…

28 July 2006

USN-326-1: heartbeat vulnerability

Yan Rong Ge discovered that heartbeat did not set proper permissions for an allocated shared memory segment. A local attacker could exploit this to render the heartbeat service unavailable (Denial of Service).

28 July 2006

USN-325-1: ruby1.8 vulnerability

The alias function, certain directory operations, and regular expressions did not correctly implement safe levels. Depending on the application these flaws might allow attackers to bypass safe level restrictions and perform unintended operations.

28 July 2006

USN-324-1: freetype vulnerability

An integer overflow has been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user.

28 July 2006

USN-320-2: php4 regression

USN-320-2 fixed several vulnerabilities in PHP. James Manning discovered that the Ubuntu 5.04 update introduced a regression, the function tempnam() caused a crash of the PHP interpreter in some circumstances. The updated packages fix this. We apologize for the inconvenience.

26 July 2006

USN-297-3: Thunderbird vulnerabilities

USN-297-1 fixed several vulnerabilities in Thunderbird for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10. For reference, these are the details of the original USN: Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A…

26 July 2006

USN-323-1: mozilla vulnerabilities

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775) Paul Nickerson discovered that content-defined setters on an object prototype were getting called by…

26 July 2006

USN-296-2: Firefox vulnerabilities

USN-296-1 fixed several vulnerabilities in Firefox for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10. For reference, these are the details of the original USN: Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A…

25 July 2006

USN-322-1: Konqueror vulnerability

A Denial of Service vulnerability has been reported in the replaceChild() method in KDE’s DOM handler. A malicious remote web page could exploit this to cause Konqueror to crash.

25 July 2006

USN-320-1: PHP vulnerabilities

The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in…

19 July 2006

USN-319-2: Linux kernel vulnerability

USN-319-1 fixed a Linux kernel vulnerability in Ubuntu 6.06 LTS. This followup advisory provides the corresponding updates for Ubuntu 5.04 and 5.10. For reference, these are the details of the original USN: A race condition has been discovered in the file permission handling of the /proc file system. A local attacker could exploit this to …

19 July 2006

USN-318-1: libtunepimp vulnerability

Kevin Kofler discovered several buffer overflows in the tag parser. By tricking a user into opening a specially crafted tagged multimedia file (such as .ogg or .mp3 music) with an application that uses libtunepimp, this could be exploited to execute arbitrary code with the user’s privileges. This particularly affects the KDE applications…

13 July 2006

USN-315-1: libmms, xine-lib vulnerabilities

Matthias Hopf discovered several buffer overflows in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could exploit this to execute arbitrary code with the user’s privileges. The Xine library contains an embedded copy of libmms, and thus needs the same…

13 July 2006

USN-314-1: samba vulnerability

The Samba security team reported a Denial of Service vulnerability in the handling of information about active connections. In certain circumstances an attacker could continually increase the memory usage of the smbd process by issuing a large number of share connection requests. By draining all available memory, this could be exploited to render…

13 July 2006

USN-313-1: OpenOffice.org vulnerabilities

It was possible to embed Basic macros in documents in a way that OpenOffice.org would not ask for confirmation about executing them. By tricking a user into opening a malicious document, this could be exploited to run arbitrary Basic code (including local file access and modification) with the user’s privileges. (CVE-2006-2198) A flaw was…

12 July 2006

USN-311-1: Linux kernel vulnerabilities

A race condition was discovered in the do_add_counters() functions. Processes which do not run with full root privileges, but have the CAP_NET_ADMIN capability can exploit this to crash the machine or read a random piece of kernel memory. In Ubuntu there are no packages that are affected by this, so this can only be an issue for you if you…

11 July 2006

USN-312-1: gimp vulnerability

Henning Makholm discovered that gimp did not sufficiently validate the ‘num_axes’ parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

10 July 2006

USN-308-1: shadow vulnerability

Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges. This does not affect the default…

6 July 2006

USN-307-1: mutt vulnerability

TAKAHASHI Tamotsu discovered that mutt’s IMAP backend did not sufficiently check the validity of namespace strings. If an user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user.

28 June 2006

USN-305-1: OpenLDAP vulnerability

When processing overly long host names in OpenLDAP’s slurpd replication server, a buffer overflow caused slurpd to crash. If an attacker manages to inject a specially crafted host name into slurpd, this might also be exploited to execute arbitrary code with slurpd’s privileges; however, since slurpd is usually set up to replicate only trusted…

27 June 2006

USN-304-1: gnupg vulnerability

Evgeny Legerov discovered that GnuPG did not sufficiently check overly large user ID packets. Specially crafted user IDs caused a buffer overflow. By tricking an user or remote automated system into processing a malicous GnuPG message, an attacker could exploit this to crash GnuPG or possibly even execute arbitrary code.

27 June 2006

USN-302-1: Linux kernel vulnerabilities

An integer overflow was discovered in the do_replace() function. A local user process with the CAP_NET_ADMIN capability could exploit this to execute arbitrary commands with full root privileges. However, none of Ubuntu’s supported packages use this capability with any non-root user, so this only affects you if you use some third party software…

15 June 2006

USN-301-1: kdm vulnerability

Ludwig Nussel discovered that kdm managed the ~/.dmrc file in an insecure way. By performing a symlink attack, a local user could exploit this to read arbitrary files on the system, like private files of other users, /etc/shadow, and similarly sensitive data.

15 June 2006

USN-300-1: wv2 vulnerability

libwv2 did not sufficiently check the validity of its input. Certain invalid Word documents caused a buffer overflow. By tricking a user into opening a specially crafted Word file with an application that uses libwv2, this could be exploited to execute arbitrary code with the user’s privileges. The only packaged application using this library is…

15 June 2006

USN-298-1: libgd2 vulnerability

Xavier Roche discovered that libgd’s function for reading GIF image data did not sufficiently verify its validity. Specially crafted GIF images could cause an infinite loop which used up all available CPU resources. Since libgd is often used in PHP and Perl web applications, this could lead to a remote Denial of Service vulnerability.

14 June 2006

USN-295-1: xine-lib vulnerability

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking an user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user’s privileges.

9 June 2006

USN-294-1: courier vulnerability

A Denial of Service vulnerability has been found in the function for encoding email addresses. Addresses containing a ‘=’ before the ‘@’ character caused the Courier to hang in an endless loop, rendering the service unusable.

9 June 2006

USN-288-3: PostgreSQL client vulnerabilities

USN-288-1 described a PostgreSQL client vulnerability in the way the >>‘<< character is escaped in SQL queries. It was determined that the PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe escaping method. For reference, these are the details of the original USN: CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a…

9 June 2006

USN-292-1: binutils vulnerability

CVE-2006-2362 Jesus Olmos Gonzalez discovered a buffer overflow in the Tektronix Hex Format (TekHex) backend of the BFD library, such as used by the ‘strings’ utility. By tricking an user or automated system into processing a specially crafted file with ‘strings’ or a vulnerable third-party application using the BFD library, this could be…

9 June 2006

USN-291-1: FreeType vulnerabilities

Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user.

8 June 2006

USN-290-1: awstats vulnerability

Hendrik Weimer discovered a privilege escalation vulnerability in awstats. By supplying the ‘configdir’ CGI parameter and setting it to an attacker-controlled directory (such as an FTP account, /tmp, or similar), an attacker could execute arbitrary shell commands with the privileges of the web server (user ‘www-data’). This update disables the…

8 June 2006

USN-289-1: tiff vulnerabilities

A buffer overflow has been found in the tiff2pdf utility. By tricking an user into processing a specially crafted TIF file with tiff2pdf, this could potentially be exploited to execute arbitrary code with the privileges of the user. (CVE-2006-2193) A. Alejandro Hern�ndez discovered a buffer overflow in the tiffsplit utility. By calling tiffsplit…

8 June 2006

USN-288-1: PostgreSQL server/client vulnerabilities

CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data. If a client application processed untrusted input without respecting its encoding and applied standard string escaping techniques (such as replacing a single quote >>‘<< with >>\’<< or >>“<<), the PostgreSQL server…

29 May 2006

USN-287-1: Nagios vulnerability

The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with an invalidly large Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server…

29 May 2006

USN-286-1: Dia vulnerabilities

Several format string vulnerabilities have been discovered in dia. By tricking a user into opening a specially crafted dia file, or a file with a specially crafted name, this could be exploited to execute arbitrary code with the user’s privileges.

24 May 2006

USN-285-1: awstats vulnerability

AWStats did not properly sanitize the ‘migrate’ CGI parameter. If the update of the stats via web front-end is allowed, a remote attacker could execute arbitrary commands on the server with the privileges of the AWStats server. This does not affect AWStats installations which only build static pages.

23 May 2006

USN-284-1: Quagga vulnerabilities

Paul Jakma discovered that Quagga’s ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223) Paul Jakma also noticed that ripd accepted…

16 May 2006

USN-274-2: MySQL vulnerability

USN-274-1 fixed a logging bypass in the MySQL server. Unfortunately it was determined that the original update was not sufficient to completely fix the vulnerability, thus another update is necessary. We apologize for the inconvenience. For reference, these are the details of the original USN: A logging bypass was discovered in the MySQL query…

15 May 2006

USN-283-1: MySQL vulnerabilities

Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516) Stefano Di Paola also found a similar information leak in the parser for the…

8 May 2006

USN-282-1: Nagios vulnerability

The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with a negative Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server already…

8 May 2006

USN-280-1: X.org server vulnerability

The Render extension of the X.org server incorrectly calculated the size of a memory buffer, which led to a buffer overflow. A local attacker could exploit this to crash the X server or even execute arbitrary code with root privileges.

4 May 2006

USN-281-1: Linux kernel vulnerabilities

The sys_mbind() function did not properly verify the validity of the ‘maxnod’ argument. A local user could exploit this to trigger a buffer overflow, which caused a kernel crash. (CVE-2006-0557) The SELinux module did not correctly handle the tracer SID when a process was already being traced. A local attacker could exploit this to cause a kernel…

4 May 2006

USN-279-1: libnasl/nessus vulnerability

Jayesh KS discovered that the nasl_split() function in the NASL (Nessus Attack Scripting Language) library did not check for a zero-length separator argument, which lead to an invalid memory allocation. This library is primarily used in the Nessus security scanner; a remote attacker could exploit this vulnerability to cause the Nessus daemon to…

4 May 2006

USN-278-1: gdm vulnerability

Marcus Meissner discovered a race condition in gdm’s handling of the ~/.ICEauthority file permissions. A local attacker could exploit this to become the owner of an arbitrary file in the system. When getting control over automatically executed scripts (like cron jobs), the attacker could eventually leverage this flaw to execute arbitrary commands…

4 May 2006

USN-277-1: TIFF library vulnerabilities

Tavis Ormandy and Andrey Kiselev discovered that libtiff did not sufficiently verify the validity of TIFF files. By tricking an user into opening a specially crafted TIFF file with any application that uses libtiff, an attacker could exploit this to crash the application or even execute arbitrary code with the application’s privileges.

4 May 2006

USN-276-1: Thunderbird vulnerabilities

Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious mail with embedded JavaScript could exploit this to execute arbitrary code with the privileges of the user. (CVE-2006-0292, CVE-2006-1742) The function XULDocument.persist() did not sufficiently…

3 May 2006

USN-275-1: Mozilla vulnerabilities

Web pages with extremely long titles caused subsequent launches of Mozilla browser to hang for up to a few minutes, or caused Mozilla to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

28 April 2006

USN-274-1: MySQL vulnerability

A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the ‘log’ parameter in the MySQL configuration.

27 April 2006

USN-273-1: Ruby vulnerability

Yukihiro Matsumoto reported that Ruby’s HTTP module uses blocking sockets. By sending large amounts of data to a server application that uses this module, a remote attacker could exploit this to render this application unusable and not respond any more to other clients (Denial of Service).

24 April 2006

USN-272-1: cyrus-sasl2 vulnerability

A Denial of Service vulnerability has been discovered in the SASL authentication library when using the DIGEST-MD5 plugin. By sending a specially crafted realm name, a malicious SASL server could exploit this to crash the application that uses SASL.

24 April 2006

USN-271-1: Firefox vulnerabilities

Web pages with extremely long titles caused subsequent launches of Firefox browser to hang for up to a few minutes, or caused Firefox to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

20 April 2006

USN-270-1: xpdf vulnerabilities

Derek Noonburg discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system…

13 April 2006

USN-269-1: xscreensaver vulnerability

In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active.

11 April 2006

USN-268-1: Kaffeine vulnerability

Marcus Meissner discovered a buffer overflow in the http_peek() function. By tricking an user into opening a specially crafted playlist URL with Kaffeine, a remote attacker could exploit this to execute arbitrary code with the user’s privileges.

7 April 2006

USN-264-1: gnupg vulnerability

Tavis Ormandy discovered a flaw in gnupg’s signature verification. In some cases, certain invalid signature formats could cause gpg to report a ‘good signature’ result for auxiliary unsigned data which was prepended or appended to the checked message part.

4 April 2006

USN-267-1: mailman vulnerability

A remote Denial of Service vulnerability was discovered in the decoder for multipart messages. Certain parts of type “message/delivery-status” or parts containing only two blank lines triggered an exception. An attacker could exploit this to crash Mailman by sending a specially crafted email to a mailing list.

4 April 2006

USN-266-1: dia vulnerabilities

Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user’s privileges.

3 April 2006

USN-263-1: Linux kernel vulnerabilities

A flaw was found in the module reference counting for loadable protocol modules of netfilter. By performing particular socket operations, a local attacker could exploit this to crash the kernel. This flaw only affects Ubuntu 5.10. (CVE-2005-3359) David Howells noticed a race condition in the add_key(), request_key() and keyctl() functions. By…

13 March 2006

USN-261-1: PHP vulnerabilities

Stefan Esser discovered that the ‘session’ module did not sufficiently verify the validity of the user-supplied session ID. A remote attacker could exploit this to insert arbitrary HTTP headers into the response sent by the PHP application, which could lead to HTTP Response Splitting (forging of arbitrary responses on behalf the PHP application)…

10 March 2006

USN-260-1: flex vulnerability

Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. This flaw particularly affects gpc, the GNU Pascal Compiler. A potentially remote…

7 March 2006

USN-258-1: PostgreSQL vulnerability

Akio Ishida discovered that the SET SESSION AUTHORIZATION command did not properly verify the validity of its argument. An authenticated PostgreSQL user could exploit this to crash the server. However, this does not affect the official binary Ubuntu packages. The crash can only be triggered if the source package is rebuilt with assertions enabled…

27 February 2006

USN-257-1: tar vulnerability

Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. The tar version in Ubuntu 4.10 is not affected by this vulnerability.

23 February 2006

USN-255-1: openssh vulnerability

Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like ‘*‘), an attacker could exploit this to execute arbitrary…

22 February 2006

USN-254-1: noweb vulnerability

Javier Fern�ndez-Sanguino Pe�a discovered that noweb scripts created temporary files in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running noweb.

22 February 2006

USN-256-1: bluez-hcidump vulnerability

Pierre Betouin discovered a Denial of Service vulnerability in the handling of the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer. By sending a specially crafted L2CAP packet through a wireless Bluetooth connection, a remote attacker could crash hcidump. Since hcidump is mainly a debugging tool, the impact of this flaw is very…

22 February 2006

USN-253-1: heimdal vulnerability

A remote Denial of Service vulnerability was discovered in the heimdal implementation of the telnet daemon. A remote attacker could force the server to crash due to a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast. Please note that the heimdal-servers package is not…

18 February 2006

USN-252-1: gnupg vulnerability

Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg –verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third party applications might just check the exit code for…

18 February 2006

USN-251-1: libtasn vulnerability

Evgeny Legerov discovered a buffer overflow in the DER format decoding function of the libtasn library. This library is mainly used by the GNU TLS library; by sending a specially crafted X.509 certificate to a server which uses TLS encryption/authentication, a remote attacker could exploit this to crash that server process and possibly…

17 February 2006

USN-248-2: unzip regression fix

USN-248-1 fixed a vulnerability in unzip. However, that update inadvertedly changed the field order in the contents listing output, which broke unzip frontends like file-roller. The updated packages fix this regression.

15 February 2006

USN-249-1: xpdf/poppler/kpdf vulnerabilities

The splash image handler in xpdf did not check the validity of coordinates. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to trigger a buffer overflow which could lead to arbitrary code execution with the privileges of the user. The poppler library and kpdf also contain xpdf code, and thus…

15 February 2006

USN-248-1: unzip vulnerability

A buffer overflow was discovered in the handling of file name arguments. By tricking a user or automated system into processing a specially crafted, excessively long file name with unzip, an attacker could exploit this to execute arbitrary code with the user’s privileges.

15 February 2006

USN-247-1: Heimdal vulnerability

A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them. Please note that the heimdal-servers package is not officially supported in Ubuntu (it is in the ‘universe’ component of the archive). However, this affects you if you…

11 February 2006

USN-246-1: imagemagick vulnerabilities

Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be…

25 January 2006

USN-245-1: KDE library vulnerability

Maksim Orlovich discovered that kjs, the Javascript interpreter engine used by Konqueror and other parts of KDE, did not sufficiently verify the validity of UTF-8 encoded URIs. Specially crafted URIs could trigger a buffer overflow. By tricking an user into visiting a web site with malicious JavaScript code, a remote attacker could exploit this to…

20 January 2006

USN-244-1: Linux kernel vulnerabilities

Doug Chapman discovered a flaw in the reference counting in the sys_mq_open() function. By calling this function in a special way, a local attacker could exploit this to cause a kernel crash. (CVE-2005-3356) Karl Janmar discovered that the /proc file system module used signed data types in a wrong way. A local attacker could exploit this to…

18 January 2006

USN-242-1: mailman vulnerabilities

Aliet Santiesteban Sifontes discovered a remote Denial of Service vulnerability in the attachment handler. An email with an attachment whose filename contained invalid UTF-8 characters caused mailman to crash. (CVE-2005-3573) Mailman did not sufficiently verify the validity of email dates. Very large numbers in dates caused mailman to crash….

16 January 2006

USN-241-1: Apache vulnerabilities

The “mod_imap” module (which provides support for image maps) did not properly escape the “referer” URL which rendered it vulnerable against a cross-site scripting attack. A malicious web page (or HTML email) could trick a user into visiting a site running the vulnerable mod_imap, and employ cross-site-scripting techniques to gather sensitive…

13 January 2006

USN-194-2: texinfo regression fix

USN-194-1 fixed a vulnerability in the ‘texindex’ program. Unfortunately this update introduced a regression that caused the program to abort when cleaning up temporary files (which are used with extraordinarily large input files). The updated packages fix this.

9 January 2006

USN-235-2: sudo vulnerability

USN-235-1 fixed a vulnerability in sudo’s handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges. For reference, this is the original advisory: Charles Morris…

9 January 2006

USN-236-2: xpdf vulnerabilities in kword, kpdf

USN-236-1 fixed several vulnerabilities in xpdf. kpdf and kword contain copies of xpdf code and are thus vulnerable to the same issues. For reference, this is the original advisory: Chris Evans discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking an user into…

9 January 2006

USN-239-1: libapache2-mod-auth-pgsql vulnerability

Several format string vulnerabilities were discovered in the error logging handling. By sending specially crafted user names, an unauthenticated remote attacker could exploit this to crash the Apache server or possibly even execute arbitrary code with the privileges of Apache (user ‘www-data’).

9 January 2006

USN-236-1: xpdf vulnerabilities

Chris Evans discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system also…

6 January 2006

USN-235-1: sudo vulnerability

Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl’s library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the…

6 January 2006

USN-234-1: cpio vulnerability

Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with…

3 January 2006

USN-233-1: fetchmail vulnerability

Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in ‘multidrop’ mode, a malicious email server could cause a crash by sending an email without any headers. Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.

3 January 2006

USN-232-1: PHP vulnerabilities

Eric Romang discovered a local Denial of Service vulnerability in the handling of the ‘session.save_path’ parameter in PHP’s Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319) A Denial of Service flaw was found in the EXIF module. By sending an image…

23 December 2005

USN-231-1: Linux kernel vulnerabilities

Rudolf Polzer reported an abuse of the ‘loadkeys’ command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the…

23 December 2005

USN-230-2: ffmpeg/xine-lib vulnerability

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw. For reference, this is the original advisory: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening…

16 December 2005

USN-230-1: ffmpeg vulnerability

Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user’s privileges.

15 December 2005

USN-228-1: curl library vulnerability

Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load an URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with…

13 December 2005

USN-222-2: Perl vulnerability

USN-222-1 fixed a vulnerability in the Perl interpreter. It was discovered that the version of USN-222-1 was not sufficient to handle all possible cases of malformed input that could lead to arbitrary code execution, so another update is necessary. Original advisory: Jack Louis of Dyad Security discovered that Perl did not sufficiently check…

13 December 2005

USN-227-1: xpdf vulnerabilities

infamous41md discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, tetex-bin, KOffice, and kpdf. By tricking an user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS…

12 December 2005

USN-226-1: Courier vulnerability

Patrick Cheong Shu Yang discovered a flaw in the user account handling of courier-authdaemon. After successful authorization, the Courier mail server granted access to deactivated accounts.

10 December 2005

USN-225-1: Apache 2 vulnerability

A memory leak was found in the Apache 2 ‘worker’ module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, which eventually led to a Denial of Service.

7 December 2005

USN-224-1: Kerberos vulnerabilities

Ga�l Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Ga�l Delalleau discovered a buffer overflow in the…

6 December 2005

USN-223-1: Inkscape vulnerability

Javier Fern�ndez-Sanguino Pe�a discovered that Inkscape’s ps2epsi.sh script, which converts PostScript files to Encapsulated PostScript format, creates a temporary file in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running Inkscape.

5 December 2005

USN-222-1: Perl vulnerability

Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the…

2 December 2005

USN-221-1: racoon vulnerability

The Oulu University Secure Programming Group discovered a remote Denial of Service vulnerability in the racoon daemon. When the daemon is configured to use aggressive mode, then it did not check whether the peer sent all required payloads during the IKE negotiation phase. A malicious IPsec peer could exploit this to crash the racoon…

1 December 2005

USN-220-1: w3c-libwww vulnerability

Sam Varshavchik discovered several buffer overflows in the HTBoundary_put_block() function. By sending specially crafted HTTP multipart/byteranges MIME messages, a malicious HTTP server could trigger an out of bounds memory access in the libwww library, which causes the program that uses the library to crash.

1 December 2005

USN-218-1: netpbm vulnerabilities

Two buffer overflows were discovered in the ‘pnmtopng’ tool, which were triggered by processing an image with exactly 256 colors when using the -alpha option (CVE-2005-3662) or by processing a text file with very long lines when using the -text option (CVE-2005-3632). A remote attacker could exploit these to execute arbitrary code by tricking an…

22 November 2005

USN-190-2: ucs-snmp vulnerability

USN-190-1 fixed a vulnerability in the net-snmp library. It was discovered that the same problem also affects the ucs-snmp implementation (which is used by the Cyrus email server). Original advisory: A remote Denial of Service has been discovered in the SMNP (Simple Network Management Protocol) library. If a SNMP agent uses TCP sockets for…

21 November 2005

USN-216-1: GDK vulnerabilities

Two integer overflows have been discovered in the XPM image loader of the GDK pixbuf library. By tricking an user into opening a specially crafted XPM image with any Gnome desktop application that uses this library, this could be exploited to execute arbitrary code with the privileges of the user running the application. (CVE-2005-2976,…

16 November 2005

USN-151-4: rpm vulnerability

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since lsb-rpm is statically linked against the zlib library, it is also affected by these issues. The updated packagages have been rebuilt against the fixed…

9 November 2005

USN-215-1: fetchmailconf vulnerability

Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user…

8 November 2005

USN-214-1: libungif vulnerabilities

Chris Evans discovered several buffer overflows in the libungif library. By tricking an user (or automated system) into processing a specially crafted GIF image, this could be exploited to execute arbitrary code with the privileges of the application using libungif.

7 November 2005

USN-206-2: Fixed lynx packages for USN-206-1

USN-206-1 fixed a security vulnerability in lynx. Unfortunately the fix contained an error that caused lynx to crash under certain circumstances. The updated packages fix this.

29 October 2005

USN-151-3: zlib vulnerabilities

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since aide is statically linked against the zlib library, it is also affected by these issues. The updated packagages have been rebuilt against the fixed zlib.

29 October 2005

USN-213-1: sudo vulnerability

Tavis Ormandy discovered a privilege escalation vulnerability in sudo. On executing shell scripts with sudo, the “P4” and “SHELLOPTS” environment variables were not cleaned properly. If sudo is set up to grant limited sudo privileges to normal users this could be exploited to run arbitrary commands as the target user. Updated packags for Ubuntu…

28 October 2005

USN-212-1: libgda2 vulnerability

Steve Kemp discovered two format string vulnerabilities in the logging handler of the Gnome database access library. Depending on the application that uses the library, this could have been exploited to execute arbitrary code with the permission of the user running the application.

28 October 2005

USN-211-1: Enigmail vulnerability

Hadmut Danish discovered an information disclosure vulnerability in the key selection dialog of the Mozilla/Thunderbird enigmail plugin. If a user’s keyring contained a key with an empty user id (i. e. a key without a name and email address), this key was selected by default when the user attempted to send an encrypted email. Unless this empty key…

20 October 2005

USN-210-1: netpbm vulnerability

A buffer overflow was found in the “pnmtopng” conversion program. By tricking an user (or automated system) to process a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng.

18 October 2005

USN-209-1: SSH server vulnerability

An information disclosure vulnerability has been found in the SSH server. When the GSSAPIAuthentication option was enabled, the SSH server could send GSSAPI credentials even to users who attempted to log in with a method other than GSSAPI. This could inadvertently expose these credentials to an untrusted user. Please note that this does not…

18 October 2005

USN-208-1: graphviz vulnerability

Javier Fern�ndez-Sanguino Pe�a discovered that the “dotty” tool created and used temporary files in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running dotty.

17 October 2005

USN-207-1: PHP vulnerability

A bug has been found in the handling of the open_basedir directive handling. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash (‘/’). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to…

17 October 2005

USN-206-1: Lynx vulnerability

Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges…

17 October 2005

USN-205-1: Curl and wget vulnerabilities

A buffer overflow has been found in the NTLM authentication handler of the Curl library and wget. By tricking an user or automatic system that uses the Curl library, the curl application, or wget into visiting a specially-crafted web site, a remote attacker could exploit this to execute arbitrary code with the privileges of the calling user. The…

14 October 2005

USN-204-1: SSL library vulnerability

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL applications. Applications using the OpenSSL library can use the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the former) to maintain compatibility with third party products, which is achieved by working around known bugs in them. The…

14 October 2005

USN-203-1: Abiword vulnerabilities

Chris Evans discovered several buffer overflows in the RTF import module of AbiWord. By tricking a user into opening an RTF file with specially crafted long identifiers, an attacker could exploit this to execute arbitrary code with the privileges of the AbiWord user.

13 October 2005

USN-202-1: KOffice vulnerability

Chris Evans discovered a buffer overflow in the RTF import module of KOffice. By tricking a user into opening a specially-crafted RTF file, an attacker could exploit this to execute arbitrary code with the privileges of the AbiWord user.

12 October 2005

USN-201-1: SqWebmail vulnerabilities

Several Cross Site Scripting vulnerabilities were discovered in SqWebmail. A remote attacker could exploit this to execute arbitrary JavaScript or other active HTML embeddable content in the web browser of an SqWebmail user by sending specially crafted emails to him. Please note that the “sqwebmail” package is not officially supported by Ubuntu…

12 October 2005

USN-200-1: Thunderbird vulnerabilities

A buffer overflow was discovered in the XBM image handler. By tricking an user into opening a specially crafted XBM image, an attacker could exploit this to execute arbitrary code with the user’s privileges. (CAN-2005-2701) Mats Palmgren discovered a buffer overflow in the Unicode string parser. Unicode strings that contained “zero-width…

11 October 2005

USN-199-1: Linux kernel vulnerabilities

A Denial of Service vulnerability was discovered in the sys_set_mempolicy() function. By calling the function with a negative first argument, a local attacker could cause a kernel crash. (CAN-2005-3053) A race condition was discovered in the handling of shared memory mappings with CLONE_VM. A local attacker could exploit this to cause a deadlock…

11 October 2005

USN-198-1: cfengine vulnerabilities

Javier Fern�ndez-Sanguino Pe�a discovered that several tools in the cfengine package (vicf, cfmailfilter, and cfcron) create and use temporary files in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running the cfengine program.

10 October 2005

USN-197-1: Shorewall vulnerability

A firewall bypass vulnerability has been found in shorewall. If MACLIST_TTL was set to a value greater than 0 or MACLIST_DISPOSITION was set to “ACCEPT” in /etc/shorewall/shorewall.conf, and a client was positively identified through its MAC address, that client bypassed all other policies/rules in place. This could allow external computers to get…

10 October 2005

USN-196-1: Xine library vulnerability

Ulf Harnhammar discovered a format string vulnerability in the CDDB module’s cache file handling in the Xine library, which is used by packages such as xine-ui, totem-xine, and gxine. By tricking an user into playing a particular audio CD which has a specially-crafted CDDB entry, a remote attacker could exploit this vulnerability to execute…

10 October 2005

USN-195-1: Ruby vulnerability

The object oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: safe level and taint flag on objects. Dr. Yutaka Oiwa discovered a vulnerability that allows Ruby methods to bypass these mechanisms. In systems which use this feature, this could be exploited to execute Ruby code beyond the restrictions…

10 October 2005

USN-194-1: texinfo vulnerability

Frank Lichtenheld discovered that the “texindex” program created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running texindex.

6 October 2005

USN-155-3: Fixed mozilla locale packages

USN-155-3 and USN-186-3 updated the version of the mozilla-browser package to fix several vulnerabilities. It was determined that this rendered the Dansk, German, and French locale packages uninstallable since their dependencies were too specific. The updated locale packages work with all present and future versions of mozilla-browser.

4 October 2005

USN-193-1: dia vulnerability

Joxean Koret discovered that the SVG import plugin did not properly sanitise data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.

4 October 2005

USN-192-1: Squid vulnerability

Mike Diggins discovered a remote Denial of Service vulnerability in Squid. Sending specially crafted NTML authentication requests to Squid caused the server to crash.

1 October 2005

USN-191-1: unzip vulnerability

Imran Ghory found a race condition in the handling of output files. While a file was unpacked by unzip, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the unzip user.

30 September 2005

USN-190-1: SNMP vulnerability

A remote Denial of Service has been discovered in the SMNP (Simple Network Management Protocol) library. If a SNMP agent uses TCP sockets for communication, a malicious SNMP server could exploit this to crash the agent. Please note that by default SNMP uses UDP sockets.

30 September 2005

USN-189-1: cpio vulnerabilities

Imran Ghory found a race condition in the handling of output files. While a file was unpacked with cpio, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the cpio user. (CAN-2005-1111) Imran Ghory discovered a path traversal vulnerability. Even when…

29 September 2005

USN-188-1: AbiWord vulnerability

Chris Evans discovered a buffer overflow in the RTF import module of AbiWord. By tricking a user into opening an RTF file with specially crafted long identifiers, an attacker could exploit this to execute arbitrary code with the privileges of the AbiWord user.

29 September 2005

USN-187-1: Linux kernel vulnerabilities

A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767) Vasiliy Averin discovered a Denial of Service vulnerability in the “tiocgdev” ioctl call and in the…

25 September 2005

USN-186-1: Mozilla and Firefox vulnerabilities

Peter Zelezny discovered that URLs which are passed to Firefox or Mozilla on the command line are not correctly protected against interpretation by the shell. If Firefox or Mozilla is configured as the default handler for URLs (which is the default in Ubuntu), this could be exploited to execute arbitrary code with user privileges by tricking the…

23 September 2005

USN-184-1: umount vulnerability

David Watson discovered that “umount -r” removed some restrictive mount options like the “nosuid” flag. If /etc/fstab contains user-mountable removable devices which specify the “nosuid” flag (which is common practice for such devices), a local attacker could exploit this to execute arbitrary programs with root privileges by calling “umount -r” on…

19 September 2005

USN-183-1: Squid vulnerabilities

A Denial of Service vulnerability was discovered in the handling of aborted requests. A remote attacker could exploit this to crash Squid by sending specially crafted requests. (CAN-2005-2794) Alex Masterov discovered a Denial of Service vulnerability in the sslConnectTimeout() function. By sending specially crafted SSL requests, a remote…

13 September 2005

USN-181-1: Mozilla products vulnerability

Tom Ferris discovered a buffer overflow in the Mozilla products (Mozilla browser, Firefox, Thunderbird). By tricking an user to click on a Hyperlink with a specially crafted destination URL, a remote attacker could crash the application. It might even be possible to exploit this vulnerability to execute arbitrary code, but this has not yet been…

12 September 2005

USN-182-1: X server vulnerability

A local privilege escalation vulnerability has been discovered in the pixmap allocation handling of the X server. By allocating a huge pixmap, a local user could trigger an integer overflow that resulted in a memory allocation that was too small for the requested pixmap. This resulted in a buffer overflow which could eventually be exploited to…

12 September 2005

USN-180-1: MySQL vulnerability

AppSecInc Team SHATTER discovered a buffer overflow in the “CREATE FUNCTION” statement. By specifying a specially crafted long function name, a local or remote attacker with function creation privileges could crash the server or execute arbitrary code with server privileges. However, the right to create function is usually not granted…

12 September 2005

USN-179-1: openssl weak default configuration

The current default algorithm for creating “message digests” (electronic signatures) for certificates created by openssl is MD5. However, this algorithm is not deemed secure any more, and some practical attacks have been demonstrated which could allow an attacker to forge certificates with a valid certification authority signature even if he does…

10 September 2005

USN-178-1: Linux kernel vulnerabilities

Oleg Nesterov discovered a local Denial of Service vulnerability in the timer handling. When a non group-leader thread called exec() to execute a different program while an itimer was pending, the timer expiry would signal the old group leader task, which did not exist any more. This caused a kernel panic. This vulnerability only affects Ubuntu…

9 September 2005

USN-177-1: Apache 2 vulnerabilities

Apache did not honour the “SSLVerifyClient require” directive within a <Location> block if the surrounding <VirtualHost> block contained a directive “SSLVerifyClient optional”. This allowed clients to bypass client certificate validation on servers with the above configuration. (CAN-2005-2700) Filip Sneppe discovered a Denial of Service…

7 September 2005

USN-176-1: kcheckpass vulnerability

Ilja van Sprundel discovered a flaw in the lock file handling of kcheckpass. A local attacker could exploit this to execute arbitrary code with root privileges.

7 September 2005

USN-145-2: wget bug fix

USN-145-1 fixed several vulnerabilities in wget. However, Ralph Corderoy discovered some regressions that caused wget to crash in some cases. The updated version fixes this flaw.

6 September 2005

USN-173-4: PCRE vulnerabilities

USN-173-1 fixed a buffer overflow vulnerability in the PCRE library. However, it was found that the various python packages and gnumeric contain static copies of the library code, so these packages need to be updated as well. In gnumeric this bug could be exploited to execute arbitrary code with the privileges of the user if the user was tricked…

31 August 2005

USN-174-1: courier vulnerability

A Denial of Service vulnerability has been discovered in the Courier mail server. Due to a flawed status code check, failed DNS (domain name service) queries for SPF (sender policy framework) were not handled properly and could lead to memory corruption. A malicious DNS server could exploit this to crash the Courier server. However, SPF is not…

26 August 2005

USN-173-2: PCRE vulnerability

USN-173-1 fixed a buffer overflow vulnerability in the PCRE library. However, it was determined that this did not suffice to prevent all possible overflows, so another update is necessary. In addition, it was found that the Ubuntu 4.10 version of Apache 2 contains a static copy of the library code, so this package needs to be updated as well. In…

25 August 2005

USN-173-1: PCRE vulnerability

A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the…

24 August 2005

USN-172-1: lm-sensors vulnerability

Javier Fern�ndez-Sanguino Pe�a noticed that the pwmconfig script created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with full root privileges since pwmconfig is usually executed by root.

24 August 2005

USN-171-1: PHP4 vulnerabilities

CAN-2005-1751: The php4-dev package ships a copy of the “shtool” utility in /usr/lib/php4/build/, which provides useful functionality for developers of software packages. Eric Romang discovered that shtool created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the …

21 August 2005

USN-170-1: gnupg vulnerability

Serge Mister and Robert Zuccherato discovered a weakness of the symmetrical encryption algorithm of gnupg. When decrypting a message, gnupg uses a feature called “quick scan”; this can quickly check whether the key that is used for decryption is (probably) the right one, so that wrong keys can be determined quickly without decrypting the whole…

20 August 2005

USN-169-1: Linux kernel vulnerabilities

David Howells discovered a local Denial of Service vulnerability in the key session joining function. Under certain user-triggerable conditions, a semaphore was not released properly, which caused processes which also attempted to join a key session to hang forever. This only affects Ubuntu 5.04 (Hoary Hedgehog). (CAN-2005-2098) David Howells…

19 August 2005

USN-168-1: Gaim vulnerabilities

Daniel Atallah discovered a Denial of Service vulnerability in the file transfer handler of OSCAR (the module that handles various instant messaging protocols like ICQ). A remote attacker could crash the Gaim client of an user by attempting to send him a file with a name that contains invalid UTF-8 characters. (CAN-2005-2102) It was found that…

12 August 2005

USN-167-1: AWStats vulnerability

Peter Vreugdenhil discovered a command injection vulnerability in AWStats. As part of the statistics reporting function, AWStats displays information about the most common referrer values that caused users to visit the website. Referer URLs could be crafted in a way that they contained arbitrary Perl code which would have been executed with the…

12 August 2005

USN-166-1: Evolution vulnerabilities

Ulf Harnhammar disovered several format string vulnerabilities in Evolution. By tricking an user into viewing a specially crafted vCard attached to an email, specially crafted contact data from an LDAP server, specially crafted task lists from remote servers, or saving Calendar entries with this malicious task list data, it was possible for an…

11 August 2005

USN-165-1: heartbeat vulnerability

Eric Romang discovered that heartbeat created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with root privileges as soon as heartbeat is started.

11 August 2005

USN-164-1: netpbm vulnerability

Max Vozeler discovered that the the “pstopnm” conversion tool did not use the -dSAFER option when calling ghostscript. This option prohibits file operations and calling commands within PostScript code. This flaw could be exploited by an attacker to execute arbitrary code if he tricked an user (or an automatic server) into processing a…

11 August 2005

USN-163-1: xpdf vulnerability

xpdf and kpdf did not sufficiently verify the validity of the “loca” table in PDF files, a table that contains glyph description information for embedded TrueType fonts. After detecting the broken table, xpdf attempted to reconstruct the information in it, which caused the generation of a huge temporary file that quickly filled up available disk…

10 August 2005

USN-162-1: ekg and Gadu library vulnerabilities

Marcin Owsiany and Wojtek Kaniewski discovered that some contributed scripts (contrib/ekgh, contrib/ekgnv.sh, and contrib/getekg.sh) in the ekg package created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the script. (CAN-2005-1850) Marcin…

9 August 2005

USN-161-1: bzip2 utility vulnerability

USN-158-1 fixed a command injection vulnerability in the “zgrep” utility. It was determined that the “bzgrep” counterpart in the bzip2 package is vulnerable to the same flaw. bzgrep did not handle shell metacharacters like ‘|’ and ‘&’ properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user…

5 August 2005

USN-160-1: Apache 2 vulnerabilities

Marc Stern discovered a buffer overflow in the SSL module’s certificate revocation list (CRL) handler. If Apache is configured to use a malicious CRL, this could possibly lead to a server crash or arbitrary code execution with the privileges of the Apache web server. (CAN-2005-1268) Watchfire discovered that Apache insufficiently verified…

4 August 2005

USN-159-1: unzip vulnerability

If a ZIP archive contains binaries with the setuid and/or setgid bit set, unzip preserved those bits when extracting the archive. This could be exploited by tricking the administrator into unzipping an archive with a setuid-root binary into a directory the attacker can access. This allowed the attacker to execute arbitrary commands with root…

1 August 2005

USN-158-1: gzip utility vulnerability

zgrep did not handle shell metacharacters like ‘|’ and ‘&’ properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.

1 August 2005

USN-157-1: Mozilla Thunderbird vulnerabilities

Vladimir V. Perepelitsa discovered a bug in Thunderbird’s handling of anonymous functions during regular expression string replacement. A malicious HTML email could exploit this to capture a random block of client memory. (CAN-2005-0989) Georgi Guninski discovered that the types of certain XPInstall related JavaScript objects were not…

1 August 2005

USN-156-1: TIFF vulnerability

Wouter Hanegraaff discovered that the TIFF library did not sufficiently validate the “YCbCr subsampling” value in TIFF image headers. Decoding a malicious image with a zero value resulted in an arithmetic exception, which caused the program that uses the TIFF library to crash. This leads to a Denial of Service in server applications that use…

29 July 2005

USN-155-1: Mozilla vulnerabilities

Secunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious web site to spoof the contents of other web sites. (CAN-2005-1937) It was discovered that a malicious website could inject arbitrary scripts into a target site by…

27 July 2005

USN-154-1: vim vulnerability

Georgi Guninski discovered that it was possible to construct Vim modelines that execute arbitrary shell commands by wrapping them in glob() or expand() function calls. If an attacker tricked an user to open a file with a specially crafted modeline, he could exploit this to execute arbitrary commands with the user’s privileges.

26 July 2005

USN-153-1: fetchmail vulnerability

Ross Boylan discovered a remote buffer overflow in fetchmail. By sending invalid responses with very long UIDs, a faulty or malicious POP server could crash fetchmail or execute arbitrary code with the privileges of the user invoking fetchmail. fetchmail is commonly run as root to fetch mail for multiple user accounts; in this case, this…

26 July 2005

USN-149-2: Fixed Firefox packages for USN-149-1

USN-149-1 fixed several vulnerabilities in the Firefox web browser. Unfortunately that update introduced a lot of regressions, especially when using extensions, so another update is necessary. The new packages ship Firefox version 1.0.6 which should now work well with most extensions (one known exception is the…

26 July 2005

USN-151-2: zlib vulnerabilities

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Most applications use the shared library provided by the “zlib1g” package; however, some packages contain copies of the affected zlib code, so they need to be upgraded…

23 July 2005

USN-152-1: PAM/NSS LDAP vulnerabilitiy

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master.

21 July 2005

USN-151-1: zlib vulnerability

USN-148-1 fixed an improver input verification of zlib (CAN-2005-2096). Markus Oberhumer discovered additional ways a disrupted stream could trigger a buffer overflow and crash the application using zlib, so another update is necessary. zlib is used by hundreds of server and client applications, so this vulnerability could be exploited to cause…

21 July 2005

USN-150-1: KDE library vulnerability

Kate and Kwrite create a backup file before saving a modified file. These backup files were created with default permissions, even if the original file had more strict permissions set, so that other local users could possibly read the backup file even if they are not permitted to read the original file.

21 July 2005

USN-149-1: Firefox vulnerabilities

Secunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious web site to spoof the contents of other web sites. (CAN-2005-1937) In several places the browser user interface did not correctly distinguish between true user events,…

21 July 2005

USN-147-2: Fixed php4-pear packages for USN-147-1

USN-147-1 [1] fixed a remote code execution vulnerability in the XMLRPC module of the PEAR library. Unfortunately the packages announced in USN-147-1 were faulty and shipped broken xmlrpc modules. The updated packages ship correct modules. We apologize for the inconvenience. [1] https://www.ubuntulinux.org/support/documentation/usn/usn-147-1

6 July 2005

USN-148-1: zlib vulnerability

Tavis Ormandy discovered that zlib did not properly verify data streams. Decompressing certain invalid compressed files caused corruption of internal data structures, which caused applications which link to zlib to crash. Specially crafted input might even have allowed arbitrary code execution. zlib is used by hundreds of server and client…

6 July 2005

USN-147-1: PHP XMLRPC vulnerability

A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server’s privileges. In Ubuntu 5.04 (Hoary…

5 July 2005

USN-146-1: Ruby vulnerability

Nobuhiro IMAI discovered that the changed default value of the Module#public_instance_methods() method broke the security protection of XMLRPC server handlers. A remote attacker could exploit this to execute arbitrary commands on an XMLRPC server.

29 June 2005

USN-145-1: wget vulnerabilities

Jan Minar discovered a path traversal vulnerability in wget. If the name “..” was a valid host name (which can be achieved with a malicious or poisoned domain name server), it was possible to trick wget into creating downloaded files into arbitrary locations with arbitrary names. For example, wget could silently overwrite the users ~/.bashrc and…

28 June 2005

USN-143-1: Linux amd64 kernel vulnerabilities

A Denial of Service vulnerability has been discovered in the ptrace() call on the amd64 platform. By calling ptrace() with specially crafted (“non-canonical”) addresses, a local attacker could cause the kernel to crash. This only affects the amd64 platform. (CAN-2005-1762) ZouNanHai discovered that a local user could hang the kernel by invoking…

27 June 2005

USN-142-1: sudo vulnerability

Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command “ALL”, that user could execute arbitrary commands with sudo by creating symbolic links at a certain time. Please note…

21 June 2005

USN-141-1: tcpdump vulnerability

It was discovered that certain invalid BGP packets triggered an infinite loop in tcpdump, which caused tcpdump to stop working. This could be abused by a remote attacker to bypass tcpdump analysis of network traffic.

21 June 2005

USN-140-1: Gaim vulnerability

A remote Denial of Service vulnerability was discovered in Gaim. A remote attacker could crash the Gaim client of an MSN user by sending a specially crafted MSN package which states an invalid body length in the header.

15 June 2005

USN-139-1: Gaim vulnerability

A remote Denial of Service vulnerability was discovered in Gaim. By initiating a file transfer with a file name containing certain international characters (like an accented “a”), a remote attacker could crash the Gaim client of an arbitrary Yahoo IM member.

10 June 2005

USN-138-1: gedit vulnerability

A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. This becomes security relevant if e. g. your web browser is configued to open URLs in gedit. If you never open…

9 June 2005

USN-137-1: Linux kernel vulnerabilities

Alexander Nyberg discovered that ptrace() insufficiently validated addresses on the amd64 platform so that it was possible to set an invalid segment base. A local attacker could exploit this to crash the kernel. This does not affect the i386 and powerpc platforms in any way. (CAN-2005-0756) Chris Wright discovered that the mmap() function could…

8 June 2005

USN-136-2: Fixed packages for USN-136-1

It was discovered that the packages from USN-136-1 had a flawed patch with regressions that caused the ld linker to fail. The updated packages fix this. We apologize for the inconvenience.

27 May 2005

USN-136-1: binutils vulnerability

Tavis Ormandy found an integer overflow in the Binary File Descriptor (BFD) parser in the GNU debugger. The same vulnerable code is also present in binutils. By tricking an user into processing a specially crafted executable with the binutils tools (strings, objdump, nm, readelf, etc.), an attacker could exploit this to execute arbitrary code with…

27 May 2005

USN-135-1: gdb vulnerabilities

Tavis Ormandy found an integer overflow in the GNU debugger. By tricking an user into merely load a specially crafted executable, an attacker could exploit this to execute arbitrary code with the privileges of the user running gdb. However, loading untrusted binaries without actually executing them is rather uncommon, so the risk of this flaw is…

27 May 2005

USN-114-2: Fixed packages for USN-114-1

USN-114-1 fixed a vulnerability in the PCX decoder of kimgio. Unfortunately it was discovered that the original patches were faulty and caused regressions. This update now has the correct patches. This update also fixes the disappearing KDE settings which were caused by the accidential removal of…

27 May 2005

USN-134-1: Firefox vulnerabilities

It was discovered that a malicious website could inject arbitrary scripts into a target site by loading it into a frame and navigating back to a previous Javascript URL that contained an eval() call. This could be used to steal cookies or other confidential data from the target site. If the target site is allowed to raise the install confirmation…

27 May 2005

USN-132-1: ImageMagick vulnerabilities

Damian Put discovered a buffer overflow in the PNM image decoder. Processing a specially crafted PNM file with a small “colors” value resulted in a crash of the application that used the ImageMagick library. (CAN-2005-1275) Another Denial of Service vulnerability was found in the XWD decoder. Specially crafted invalid color masks resulted in an…

23 May 2005

USN-131-1: Linux kernel vulnerabilities

Colin Percival discovered an information disclosure in the “Hyper Threading Technology” architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU. This could…

23 May 2005

USN-130-1: TIFF library vulnerability

Tavis Ormandy discovered a buffer overflow in the TIFF library. A malicious image with an invalid “bits per sample” number could be constructed which, when decoded, would have resulted in execution of arbitrary code with the privileges of the process using the library. Since this library is used in many applications like “ghostscript” and the…

20 May 2005

USN-129-1: Squid vulnerability

It was discovered that Squid did not verify the validity of DNS server responses. When Squid is started, it opens a DNS client UDP port whose number is randomly assigned by the operating system. Unless your network firewall is configured to accept DNS responses only from known good nameservers, this vulnerability allowed users within the…

18 May 2005

USN-128-1: nasm vulnerability

Josh Bressers discovered a buffer overflow in the ieee_putascii() function of nasm. If an attacker tricked a user into assembling a malicious source file, they could exploit this to execute arbitrary code with the privileges of the user that runs nasm.

18 May 2005

USN-127-1: bzip2 vulnerabilities

Imran Ghory discovered a race condition in the file permission restore code of bunzip2. While a user was decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause bzip2 to restore the file permissions to the hard link target instead of to the bzip2…

17 May 2005

USN-126-1: GNU TLS library vulnerability

A Denial of Service vulnerability was discovered in the GNU TLS library, which provides common cryptographic algorithms and is used by many applications in Ubuntu. Due to a missing sanity check of the padding length field, specially crafted ciphertext blocks caused an out of bounds memory access which could crash the application. It was not…

13 May 2005

USN-125-1: Gaim vulnerabilities

Marco Alvarez found a Denial of Service vulnerability in the Jabber protocol handler. A remote attacker could exploit this to crash Gaim by sending specially crafted file transfers to the user. (CAN-2005-0967) Stu Tomlinson discovered an insufficient bounds checking flaw in the URL parser. By sending a message containing a very long URL, a…

13 May 2005

USN-124-2: Fixed packages for USN-124-1

USN-124-1 fixed several vulnerabilities of Firefox. After that update, several users experienced XML errors on various actions like adding bookmarks (see https://bugzilla.ubuntu.com/show_bug.cgi?id=10643). After installing these new packages and restarting the browser, these problems should be fixed.

13 May 2005

USN-124-1: Mozilla and Firefox vulnerabilities

When a popup is blocked the user is given the ability to open that popup through the popup-blocking status bar icon and, in Firefox, through the information bar. Doron Rosenberg noticed that popups which are permitted by the user were executed with elevated privileges, which could be abused to automatically install and execute arbitrary code with…

11 May 2005

USN-123-1: Xine library vulnerabilities

Two buffer overflows have been discovered in the MMS and Real RTSP stream handlers of the Xine library. By tricking a user to connect to a malicious MMS or RTSP video/audio stream source with an application that uses this library, an attacker could crash the client and possibly even execute arbitrary code with the privileges of the…

6 May 2005

USN-122-1: Squid vulnerability

Michael Bhola discovered that errors in the http_access configuration, in particular missing or invalid ACLs, did not cause a fatal error. This could lead to wider access permissions than intended by the administrator.

6 May 2005

USN-121-1: OpenOffice.org vulnerability

The StgCompObjStream::Load() failed to check the validity of a length field in documents. If an attacker tricked a user to open a specially crafted OpenOffice file, this triggered a buffer overflow which could lead to arbitrary code execution with the privileges of the user opening the document. The update for Ubuntu 5.04 (Hoary Hedgehog) also…

6 May 2005

USN-120-1: Apache 2 vulnerability

Luca Ercoli discovered that the “htdigest” program did not perform any bounds checking when it copied the “user” and “realm” arguments into local buffers. If this program is used in remotely callable CGI scripts, this could be exploited by a remote attacker to execute arbitrary code with the privileges of the CGI script.

6 May 2005

USN-119-1: tcpdump vulnerabilities

It was discovered that certain invalid GRE, LDP, BGP, and RSVP packets triggered infinite loops in tcpdump, which caused tcpdump to stop working. This could be abused by a remote attacker to bypass tcpdump analysis of network traffic.

6 May 2005

USN-118-1: PostgreSQL vulnerabilities

It was discovered that unprivileged users were allowed to call internal character conversion functions. However, since these functions were not designed to be safe against malicious choices of argument values, this could potentially be exploited to execute arbitrary code with the privileges of the PostgreSQL server (user “postgres”)….

4 May 2005

USN-117-1: cvs vulnerability

Alen Zukich discovered a buffer overflow in the processing of version and author information in the CVS client. By tricking an user to connect to a malicious CVS server, an attacker could exploit this to execute arbitrary code with the privileges of the connecting user.

4 May 2005

USN-116-1: gzip vulnerabilities

Imran Ghory discovered a race condition in the file permission restore code of gzip and gunzip. While a user was compressing or decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause gzip to restore the file permissions to the hard link…

4 May 2005

USN-115-1: Kommander vulnerability

Eckhart W�rner discovered that Kommander opens files from remote and possibly untrusted locations without user confirmation. Since Kommander files can contain scripts, this would allow an attacker to execute arbitrary code with the privileges of the user opening the file. The updated Kommander will not automatically open files from…

4 May 2005

USN-114-1: kimgio vulnerability

Bruno Rohee discovered a buffer overflow in the PCX decoder of kimgio. If an attacker tricked a user into loading a malicious PCX image with a KDE application, he could exploit this to execute arbitrary code with the privileges of the user opening the image.

3 May 2005

USN-113-1: libnet-ssleay-perl vulnerability

Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content. The updated package requires the…

3 May 2005