USNs for ubuntu 5.10

USN-452-1: KDE library vulnerability

The Qt library did not correctly handle truncated UTF8 strings, which could cause some applications to incorrectly filter malicious strings. If a Konqueror user were tricked into visiting a web site containing specially crafted strings, normal XSS prevention could be bypassed allowing a remote attacker to steal confidential data.

11 April 2007

USN-450-1: ipsec-tools vulnerability

A flaw was discovered in the IPSec key exchange server “racoon”. Remote attackers could send a specially crafted packet and disrupt established IPSec tunnels, leading to a denial of service.

9 April 2007

USN-449-1: krb5 vulnerabilities

The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956) The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root…

4 April 2007

USN-448-1: X.org vulnerabilities

Sean Larsson of iDefense Labs discovered that the MISC-XC extension of Xorg did not correctly verify the size of allocated memory. An authenticated user could send a specially crafted X11 request and execute arbitrary code with root privileges. (CVE-2007-1003) Greg MacManus of iDefense Labs discovered that the BDF font handling code in Xorg…

3 April 2007

USN-447-1: KDE library vulnerabilities

It was discovered that Konqueror did not correctly handle iframes from JavaScript. If a user were tricked into visiting a malicious website, Konqueror could crash, resulting in a denial of service. (CVE-2007-1308) A flaw was discovered in how Konqueror handled PASV FTP responses. If a user were tricked into visiting a malicious FTP server, a…

29 March 2007

USN-446-1: NAS vulnerabilities

Luigi Auriemma discovered multiple flaws in the Network Audio System server. Remote attackers could send specially crafted network requests that could lead to a denial of service or execution of arbitrary code. Note that default Ubuntu installs do not include the NAS server.

28 March 2007

USN-445-1: XMMS vulnerabilities

Sven Krewitt of Secunia Research discovered that XMMS did not correctly handle BMP images when loading GUI skins. If a user were tricked into loading a specially crafted skin, a remote attacker could execute arbitrary code with user privileges.

27 March 2007

USN-444-1: OpenOffice.org vulnerabilities

A stack overflow was discovered in OpenOffice.org’s StarCalc parser. If a user were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. (CVE-2007-0238) A flaw was discovered in OpenOffice.org’s link handling code. If a user were tricked into clicking a link in a specially…

27 March 2007

USN-443-1: Firefox vulnerability

A flaw was discovered in how Firefox handled PASV FTP responses. If a user were tricked into visiting a malicious FTP server, a remote attacker could perform a port-scan of machines within the user’s network, leading to private information disclosure.

27 March 2007

USN-439-1: file vulnerability

Jean-Sebastien Guay-Leroux discovered that “file” did not correctly check the size of allocated heap memory. If a user were tricked into examining a specially crafted file with the “file” utility, a remote attacker could execute arbitrary code with user privileges.

22 March 2007

USN-438-1: Inkscape vulnerability

A flaw was discovered in Inkscape’s use of format strings. If a user were tricked into opening a specially crafted URI in Inkscape, a remote attacker could execute arbitrary code with user privileges.

21 March 2007

USN-437-1: libwpd vulnerability

Sean Larsson of iDefense Labs discovered that libwpd was vulnerable to integer overflows. If a user were tricked into opening a specially crafted WordPerfect document with an application that used libwpd, an attacker could execute arbitrary code with user privileges.

19 March 2007

USN-435-1: Xine vulnerability

Moritz Jodeit discovered that the DirectShow loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user’s privileges.

12 March 2007

USN-434-1: Ekiga vulnerability

It was discovered that Ekiga had format string vulnerabilities beyond those fixed in USN-426-1. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user’s privileges.

9 March 2007

USN-433-1: Xine vulnerability

Moritz Jodeit discovered that the DMO loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user’s privileges.

9 March 2007

USN-432-1: GnuPG vulnerability

Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender.

8 March 2007

USN-424-2: PHP regression

USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes were not included, which caused errors in the stream filters. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted…

8 March 2007

USN-431-1: Thunderbird vulnerabilities

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user’s privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify…

7 March 2007

USN-430-1: mod_python vulnerability

Miles Egan discovered that mod_python, when used in output filter mode, did not handle output larger than 16384 bytes, and would display freed memory, possibly disclosing private data. Thanks to Jim Garrison of the Software Freedom Law Center for identifying the original bug as a security vulnerability.

6 March 2007

USN-429-1: tcpdump vulnerability

Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service.

6 March 2007

USN-428-1: Firefox vulnerabilities

Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996) The SSLv2 protocol support…

1 March 2007

USN-427-1: enigmail vulnerability

Mikhail Markin reported that enigmail incorrectly handled memory allocations for certain large encrypted attachments. This caused Thunderbird to crash and thus caused the entire message to be inaccessible.

23 February 2007

USN-426-1: Ekiga vulnerabilities

Mu Security discovered a format string vulnerability in Ekiga. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user’s privileges.

22 February 2007

USN-424-1: PHP vulnerabilities

Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted data with functions of the session or zip module, or various string functions, a remote attacker could exploit this to execute arbitrary code with the privileges of the web server. (CVE-2007-0906) The sapi_header_op() function had a…

22 February 2007

USN-423-1: MoinMoin vulnerabilities

A flaw was discovered in MoinMoin’s debug reporting sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was…

20 February 2007

USN-422-1: ImageMagick vulnerabilities

Vladimir Nadvornik discovered that the fix for CVE-2006-5456, released in USN-372-1, did not correctly solve the original flaw in PALM image handling. By tricking a user into processing a specially crafted image with an application that uses imagemagick, an attacker could execute arbitrary code with the user’s privileges.

15 February 2007

USN-421-1: MoinMoin vulnerability

A flaw was discovered in MoinMoin’s page name sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin page, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was hosted.

10 February 2007

USN-416-1: Linux kernel vulnerabilities

Mark Dowd discovered that the netfilter iptables module did not correctly handle fragmented IPv6 packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has already been fixed for Ubuntu 6.10 in USN-395-1; this is the corresponding fix for Ubuntu 6.06. (CVE-2006-4572) Doug Chapman…

10 February 2007

USN-420-1: KDE library vulnerability

Jose Avila III and Robert Tasarz discovered that the KDE HTML library did not correctly parse HTML comments inside the “title” tag. By tricking a Konqueror user into visiting a malicious website, an attacker could bypass cross-site scripting protections.

6 February 2007

USN-419-1: Samba vulnerabilities

A flaw was discovered in Samba’s file opening code, which in certain situations could lead to an endless loop, resulting in a denial of service. (CVE-2007-0452) A format string overflow was discovered in Samba’s ACL handling on AFS shares. Remote users with access to an AFS share could create crafted filenames and execute arbitrary code…

6 February 2007

USN-417-1: PostgreSQL vulnerabilities

Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. An authenticated attacker could exploit this to crash the database server or read out arbitrary locations in the server’s memory, which could allow retrieving database content the attacker should not be able to see….

6 February 2007

USN-418-1: Bind vulnerabilities

A flaw was discovered in Bind’s DNSSEC validation code. Remote attackers could send a specially crafted DNS query which would cause the Bind server to crash, resulting in a denial of service. Only servers configured to use DNSSEC extensions were vulnerable.

6 February 2007

USN-415-1: GTK vulnerability

A flaw was discovered in the error handling of GTK’s image loading library. Applications opening certain corrupted images could be made to crash, causing a denial of service.

1 February 2007

USN-398-4: Firefox regression

USN-398-2 fixed vulnerabilities in Firefox 1.5. However, when auto-filling saved-password login forms without a username field, Firefox would crash. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Various flaws have been reported that allow an attacker to execute arbitrary code with user…

27 January 2007

USN-410-2: teTeX vulnerability

USN-410-1 fixed vulnerabilities in the poppler PDF loader library. This update provides the corresponding updates for a copy of this code in tetex-bin in Ubuntu 5.10. Versions of tetex-bin after Ubuntu 5.10 use poppler directly and do not need a separate update. Original advisory details: The poppler PDF loader library did not limit the…

26 January 2007

USN-413-1: BlueZ vulnerability

A flaw was discovered in the HID daemon of bluez-utils. A remote attacker could gain control of the mouse and keyboard if hidd was enabled. This does not affect a default Ubuntu installation, since hidd is normally disabled.

24 January 2007

USN-412-1: GeoIP vulnerability

Dean Gaudet discovered that the GeoIP update tool did not validate the filename responses from the update server. A malicious server, or man-in-the-middle system posing as a server, could write to arbitrary files with user privileges.

24 January 2007

USN-411-1: libsoup vulnerability

Roland Lezuo and Josselin Mouette discovered that the HTTP server code in libsoup did not correctly verify request headers. Remote attackers could crash applications using libsoup by sending a crafted HTTP request, resulting in a denial of service.

23 January 2007

USN-410-1: poppler vulnerability

The poppler PDF loader library did not limit the recursion depth of the page model tree. By tricking a user into opening a specially crafted PDF file, this could be exploited to trigger an infinite loop and eventually crash an application that uses this library. kpdf in Ubuntu 5.10, and KOffice in all Ubuntu releases, contain a copy of this code…

19 January 2007

USN-409-1: ksirc vulnerability

Federico L. Bossi Bonin discovered a Denial of Service vulnerability in ksirc. By sending a special response packet, a malicious IRC server could crash ksirc.

16 January 2007

USN-407-1: libgtop2 vulnerability

Liu Qishuai discovered a buffer overflow in the /proc parsing routines in libgtop. By creating and running a process in a specially crafted long path and tricking a user into running gnome-system-monitor, an attacker could exploit this to execute arbitrary code with the user’s privileges.

15 January 2007

USN-406-1: OpenOffice.org vulnerability

An integer overflow was discovered in OpenOffice.org’s handling of WMF files. If a user were tricked into opening a specially crafted WMF file, an attacker could execute arbitrary code with user privileges.

12 January 2007

USN-405-1: fetchmail vulnerability

It was discovered that fetchmail did not correctly require TLS negotiation in certain situations. This would result in a user’s unencrypted password being sent across the network. If fetchmail has been configured to use the “sslproto tls1”, “sslcertck”, or “sslfingerprint” options with a server that does not correctly support TLS…

11 January 2007

USN-403-1: X.org vulnerabilities

The DBE and Render extensions in X.org were vulnerable to integer overflows, which could lead to memory overwrites. An authenticated user could make a specially crafted request and execute arbitrary code with root privileges.

9 January 2007

USN-402-1: Avahi vulnerability

A flaw was discovered in Avahi’s handling of compressed DNS packets. If a specially crafted reply were received over the network, the Avahi daemon would go into an infinite loop, causing a denial of service.

5 January 2007

USN-400-1: Thunderbird vulnerabilities

Georgi Guninski and David Bienvenu discovered that long Content-Type and RFC2047-encoded headers were vulnerable to heap overflows. By tricking the user into opening a specially crafted email, an attacker could execute arbitrary code with user privileges. (CVE-2006-6506) Various flaws have been reported that allow an attacker to execute…

5 January 2007

USN-401-1: D-Bus vulnerability

Kimmo Hämäläinen discovered that local users could delete other users’ D-Bus match rules. Applications would stop receiving D-Bus messages, resulting in a local denial of service, and potential data loss for applications that depended on D-Bus for storing information.

4 January 2007

USN-398-2: Firefox vulnerabilities

USN-398-1 fixed vulnerabilities in Firefox 2.0. This update provides the corresponding updates for Firefox 1.5. Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page containing JavaScript or SVG. (CVE-2006-6497, CVE-2006-6498,…

3 January 2007

USN-399-1: w3m vulnerabilities

A format string vulnerability was discovered in w3m. If a user were tricked into visiting an HTTPS URL protected by a specially crafted SSL certificate, an attacker could execute arbitrary code with user privileges.

3 January 2007

USN-380-2: avahi regression

USN-380-1 fixed a vulnerability in Avahi. However, if used with NetworkManager, that version occasionally failed to resolve .local DNS names until Avahi was restarted. This update fixes the problem. We apologize for the inconvenience.

14 December 2006

USN-395-1: Linux kernel vulnerabilities

Mark Dowd discovered that the netfilter iptables module did not correctly handle fragmented packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has only been fixed for Ubuntu 6.10; the corresponding fix for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572) Dmitriy Monakhov…

14 December 2006

USN-394-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly quote the boundary of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

8 December 2006

USN-393-1: GnuPG vulnerability

Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user’s privileges.

7 December 2006

USN-390-2: evince vulnerability

USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations. Original advisory details: A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could…

6 December 2006

USN-392-1: xine-lib vulnerability

A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user’s privileges.

4 December 2006

USN-391-1: libgsf vulnerability

A heap overflow was discovered in the OLE processing code in libgsf. If a user were tricked into opening a specially crafted OLE document, an attacker could execute arbitrary code with the user’s privileges.

4 December 2006

USN-390-1: evince vulnerability

A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user’s privileges.

30 November 2006

USN-389-1: GnuPG vulnerability

A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user’s privileges. This vulnerability is not exposed when running gpg in batch mode.

29 November 2006

USN-388-1: KOffice vulnerability

An integer overflow was discovered in KOffice’s filtering code. By tricking a user into opening a specially crafted PPT file, attackers could crash KOffice or possibly execute arbitrary code with the user’s privileges.

29 November 2006

USN-386-1: ImageMagick vulnerability

Daniel Kobras discovered multiple buffer overflows in ImageMagick’s SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user’s privileges.

28 November 2006

USN-385-1: tar vulnerability

Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.

27 November 2006

USN-382-1: Thunderbird vulnerabilities

USN-352-1 fixed a flaw in the verification of PKCS certificate signatures. Ulrich Kuehn discovered a variant of the original attack which the original fix did not cover. (CVE-2006-5462) Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email…

21 November 2006

USN-381-1: Firefox vulnerabilities

USN-351-1 fixed a flaw in the verification of PKCS certificate signatures. Ulrich Kuehn discovered a variant of the original attack which the original fix did not cover. (CVE-2006-5462) Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page…

21 November 2006

USN-384-1: OpenLDAP vulnerability

Evgeny Legerov discovered that the OpenLDAP libraries did not correctly truncate authcid names. This situation would trigger an assert and abort the program using the libraries. A remote attacker could send specially crafted bind requests that would lead to an LDAP server denial of service.

21 November 2006

USN-383-1: libpng vulnerability

Tavis Ormandy discovered that libpng did not correctly calculate the size of sPLT structures when reading an image. By tricking a user or an automated system into processing a specially crafted PNG file, an attacker could exploit this weakness to crash the application using the library.

17 November 2006

USN-380-1: Avahi vulnerability

Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.

11 November 2006

USN-379-1: texinfo vulnerability

Miloslav Trmac discovered a buffer overflow in texinfo’s index processor. If a user is tricked into processing a .texi file with texindex, this could lead to arbitrary code execution with user privileges.

9 November 2006

USN-376-2: imlib2 regression fix

USN-376-1 provided an update to imlib2 to fix several security vulnerabilities. Unfortunately the update broke JPG file handling in certain situations. This update corrects this problem. We apologize for the inconvenience.

6 November 2006

USN-376-1: imlib2 vulnerabilities

M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user’s privileges.

3 November 2006

USN-375-1: PHP vulnerability

Stefan Esser discovered two buffer overflows in the htmlentities() and htmlspecialchars() functions. By supplying specially crafted input to PHP applications which process that input with these functions, a remote attacker could potentially exploit this to execute arbitrary code with the privileges of the application. (CVE-2006-5465) This update…

3 November 2006

USN-372-1: imagemagick vulnerability

M. Joonas Pihlaja discovered that ImageMagick did not sufficiently verify the validity of PALM and DCM images. When processing a specially crafted image with an application that uses imagemagick, this could be exploited to execute arbitrary code with the application’s privileges.

1 November 2006

USN-373-1: mutt vulnerabilities

Race conditions were discovered in mutt’s handling of temporary files. Under certain conditions when using a shared temp directory (the default), other local users could overwrite arbitrary files owned by the user running mutt. This vulnerability is more likely when the temp directory is over NFS.

1 November 2006

USN-371-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly check for the end of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

1 November 2006

USN-370-1: screen vulnerability

cstone and Rich Felker discovered a programming error in the UTF8 string handling code of “screen” leading to a denial of service. If a crafted string was displayed within a screen session, screen would crash or possibly execute arbitrary code.

1 November 2006

USN-368-1: Qt vulnerability

An integer overflow was discovered in Qt’s image loader. By processing a specially crafted image with an application that uses this library (like Konqueror), a remote attacker could exploit this to execute arbitrary code with the application’s privileges.

24 October 2006

USN-366-1: binutils vulnerability

A buffer overflow was discovered in gas (the GNU assembler). By tricking a user or automated system (like a compile farm) into assembling a specially crafted source file with gcc or gas, this could be exploited to execute arbitrary code with the user’s privileges.

18 October 2006

USN-364-1: Xsession vulnerability

A race condition existed that would allow other local users to see error messages generated during another user’s X session. This could allow potentially sensitive information to be leaked.

16 October 2006

USN-363-1: libmusicbrainz vulnerability

Luigi Auriemma discovered multiple buffer overflows in libmusicbrainz. When a user made queries to MusicBrainz servers, it was possible for malicious servers, or man-in-the-middle systems posing as servers, to send a crafted reply to the client request and remotely gain access to the user’s system with the user’s privileges.

11 October 2006

USN-362-1: PHP vulnerabilities

The stripos() function did not check for invalidly long or empty haystack strings. In an application that uses this function on arbitrary untrusted data this could be exploited to crash the PHP interpreter. (CVE-2006-4485) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the “memory_limit” setting…

11 October 2006

USN-361-1: Mozilla vulnerabilities

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571) A bug was found in the script handler for automatic…

10 October 2006

USN-360-1: awstats vulnerabilities

awstats did not fully sanitize input, which was passed directly to the user’s browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user’s authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681) awstats could display its installation path under…

10 October 2006

USN-359-1: Python vulnerability

Benjamin C. Wiley Sittler discovered that Python’s repr() function did not properly handle UTF-32/UCS-4 strings. If an application uses repr() on arbitrary untrusted data, this could be exploited to execute arbitrary code with the privileges of the python application.

6 October 2006

USN-357-1: Mono vulnerability

Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Under some circumstances, a local attacker could also exploit this to inject…

5 October 2006

USN-353-2: OpenSSL vulnerability

USN-353-1 fixed several vulnerabilities in OpenSSL. However, Mark J Cox noticed that the applied patch for CVE-2006-2940 was flawed. This update corrects that patch. For reference, this is the relevant part of the original advisory: Certain types of public key could take disproportionate amounts of time to process. The library now limits the…

5 October 2006

USN-358-1: ffmpeg, xine-lib vulnerabilities

XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not correctly validate certain headers. By tricking a user into playing an AVI with malicious headers, an attacker could execute arbitrary code with the target user’s privileges. (CVE-2006-4799) Multiple integer overflows were discovered in ffmpeg and tools that contain…

5 October 2006

USN-356-1: gdb vulnerability

Will Drewry, of the Google Security Team, discovered buffer overflows in GDB’s DWARF processing. This would allow an attacker to execute arbitrary code with user privileges by tricking the user into using GDB to load an executable that contained malicious debugging information.

2 October 2006

USN-355-1: openssh vulnerabilities

Tavis Ormandy discovered that the SSH daemon did not properly handle authentication packets with duplicated blocks. By sending specially crafted packets, a remote attacker could exploit this to cause the ssh daemon to drain all available CPU resources until the login grace time expired. (CVE-2006-4924) Mark Dowd discovered a race condition in the…

2 October 2006

USN-353-1: openssl vulnerabilities

Dr. Henson of the OpenSSL core team and Open Network Security discovered a mishandled error condition in the ASN.1 parser. By sending specially crafted packet data, a remote attacker could exploit this to trigger an infinite loop, which would render the service unusable and consume all available system memory. (CVE-2006-2937) Certain types of…

29 September 2006

USN-350-1: Thunderbird vulnerabilities

This update upgrades Thunderbird from 1.0.8 to 1.5.0.7. This step was necessary since the 1.0.x series is not supported by upstream any more. Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email containing JavaScript. Please note that…

22 September 2006

USN-349-1: gzip vulnerabilities

Tavis Ormandy discovered that gzip did not sufficiently verify the validity of gzip or compress archives while unpacking. By tricking a user or automated system into unpacking a specially crafted compressed file, this could be exploited to execute arbitrary code with the user’s privileges.

20 September 2006

USN-348-1: GnuTLS vulnerability

The GnuTLS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.

19 September 2006

USN-347-1: Linux kernel vulnerabilities

Sridhar Samudrala discovered a local Denial of Service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the…

19 September 2006

USN-346-1: Linux kernel vulnerabilities

A denial of service vulnerability was reported in iptables’ SCTP conntrack module. On computers which use this iptables module, a remote attacker could exploit this to trigger a kernel crash. (CVE-2006-2934) A buffer overflow has been discovered in the dvd_read_bca() function. By inserting a specially crafted DVD, USB stick, or…

15 September 2006

USN-345-1: mailman vulnerabilities

Steve Alexander discovered that mailman did not properly handle attachments with special filenames. A remote user could exploit that to stop mail delivery until the server administrator manually cleaned these posts. (CVE-2006-2941) Various cross-site scripting vulnerabilities have been reported by Barry Warsaw. By using specially crafted email…

13 September 2006

USN-344-1: X.org vulnerabilities

iDefense security researchers found several integer overflows in X.org’s font handling library. By using a specially crafted Type1 CID font file, a local user could exploit these to crash the X server or execute arbitrary code with root privileges.

13 September 2006

USN-343-1: bind9 vulnerabilities

bind did not sufficiently verify particular requests and responses from other name servers and users. By sending a specially crafted packet, a remote attacker could exploit this to crash the name server.

8 September 2006

USN-342-1: PHP vulnerabilities

The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application’s privileges. (CVE-2006-4020) The file_exists() and imap_reopen() functions did not…

7 September 2006

USN-341-1: libxfont vulnerability

An integer overflow has been discovered in X.org’s font handling library. By using a specially crafted font file, this could be exploited to crash the X server or execute arbitrary code with root privileges.

7 September 2006

USN-340-1: imagemagick vulnerabilities

Tavis Ormandy discovered several buffer overflows in imagemagick’s Sun Raster and XCF (Gimp) image decoders. By tricking a user or automated system into processing a specially crafted image, this could be exploited to execute arbitrary code with the user’s privileges.

6 September 2006

USN-339-1: OpenSSL vulnerability

Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without knowing the private key. Because the flaw is in signature verification, it is the party that verifies signatures (for example a TLS client checking a certificate chain) that needs this update.

5 September 2006
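The e = 3 forgery behind this advisory (USN-339-1) and USN-348-1 above, as an added example; it is not code from OpenSSL or GnuTLS, and the verifier bug is reproduced only in miniature. It assumes a 2048-bit public modulus with public exponent 3 and SHA-256 as the hash. The modulus N is a constructed stand-in (2^2047 + 1), not a real RSA key: the attack uses only the public values, and the forged cube never wraps modulo N, so no private key or key generation is needed. The lax checker walks over the padding and then only checks that the DigestInfo and hash *start* the remaining bytes, so everything after the hash is attacker-controlled; the strict checker rebuilds the single valid encoding and compares the whole block.

```python
import hashlib
import hmac

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

E = 3
# Constructed stand-in for a 2048-bit modulus with e = 3 (not a real RSA key).
# The forgery only needs n and e, and s**3 stays below n, so this suffices here.
N = (1 << 2047) | 1
K = (N.bit_length() + 7) // 8  # 256 bytes


def icbrt(x: int) -> int:
    """Floor of the integer cube root: Newton's iteration from an overestimate."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            return r
        r = y


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """The only valid encoding of msg: 00 01 FF..FF 00 DigestInfo || hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_public(sig: int, n: int, e: int) -> bytes:
    """Public-key operation: sig**e mod n, as a k-byte big-endian block."""
    return pow(sig, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def check_lax(em: bytes, msg: bytes) -> bool:
    """The 2006 bug in miniature: skip the padding, then match only a prefix."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    # Neither the padding length nor the end of the hash is checked, so any
    # attacker-chosen bytes after the hash are silently ignored.
    return body.startswith(SHA256_DIGESTINFO + hashlib.sha256(msg).digest())


def check_strict(em: bytes, msg: bytes) -> bool:
    """Rebuild the expected encoding and compare the whole block (RFC 8017, 8.2.2)."""
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))


def forge(msg: bytes, n: int) -> int:
    """A 'signature' for msg under (n, 3) with no private key: an integer cube root."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01\xff\x00" + t        # shortest padding the lax check accepts
    tail_bits = 8 * (k - len(prefix))       # bytes the lax check never looks at
    lo = int.from_bytes(prefix, "big") << tail_bits
    s = icbrt(lo)
    if s ** 3 < lo:
        s += 1
    # s**3 - lo < 3*s**2 + 3*s + 1, about 1358 bits, fits in the ~1600 ignored bits.
    assert lo <= s ** 3 < lo + (1 << tail_bits) < n
    return s


if __name__ == "__main__":
    msg = b"transfer 1000 to account 42"   # constructed sample message
    em = rsa_public(forge(msg, N), N, E)
    print("lax verifier accepts forgery:   ", check_lax(em, msg))     # True
    print("strict verifier accepts forgery:", check_strict(em, msg))  # False
```

The strict checker is also the cheaper one: it does no parsing of attacker-controlled bytes at all, which is why current PKCS #1 (RFC 8017) specifies verification as "encode, then compare".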

USN-337-1: imagemagick vulnerability

Damian Put discovered a buffer overflow in imagemagick’s SGI file format decoder. By tricking a user or automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user’s privileges.

17 August 2006

USN-336-1: binutils vulnerability

A buffer overflow was discovered in gas (the GNU assembler). By tricking a user or automated system (like a compile farm) into assembling a specially crafted source file with gcc or gas, this could be exploited to execute arbitrary code with the user’s privileges.

17 August 2006

USN-335-1: heartbeat vulnerability

Yan Rong Ge discovered that heartbeat did not sufficiently verify some packet input data, which could lead to an out-of-bounds memory access. A remote attacker could exploit this to crash the daemon (Denial of Service).

16 August 2006

USN-334-1: krb5 vulnerabilities

Michael Calmer and Marcus Meissner discovered that several krb5 tools did not check the return values from setuid() system calls. On systems that have configured user process limits, it may be possible for an attacker to cause setuid() to fail via resource starvation. In that situation, the tools will not reduce their privilege levels, and…

16 August 2006

USN-333-1: libwmf vulnerability

An integer overflow was found in the handling of the MaxRecordSize field in the WMF header parser. By tricking a user into opening a specially crafted WMF image file with an application that uses this library, an attacker could exploit this to execute arbitrary code with the user’s privileges.

9 August 2006

USN-332-1: gnupg vulnerability

Evgeny Legerov discovered that gnupg did not sufficiently check the validity of the comment and a control field. Specially crafted GPG data could cause a buffer overflow. This could be exploited to execute arbitrary code with the user’s privileges if an attacker can trick a user into processing a malicious encrypted/signed document with gnupg.

3 August 2006

USN-330-1: tiff vulnerabilities

Tavis Ormandy discovered that the TIFF library did not sufficiently check handled images for validity. By tricking a user or an automated system into processing a specially crafted TIFF image, an attacker could exploit these weaknesses to execute arbitrary code with the target application’s privileges. This library is used in many client and…

3 August 2006

USN-328-1: Apache vulnerability

Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module’s ldap scheme handling. On systems which activate “RewriteEngine on”, a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified). “RewriteEngine on” is disabled by default. Systems which…

28 July 2006

USN-326-1: heartbeat vulnerability

Yan Rong Ge discovered that heartbeat did not set proper permissions for an allocated shared memory segment. A local attacker could exploit this to render the heartbeat service unavailable (Denial of Service).

28 July 2006

USN-325-1: ruby1.8 vulnerability

The alias function, certain directory operations, and regular expressions did not correctly implement safe levels. Depending on the application these flaws might allow attackers to bypass safe level restrictions and perform unintended operations.

28 July 2006

USN-324-1: freetype vulnerability

An integer overflow has been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, this could be exploited to execute arbitrary code with the privileges of that user.

28 July 2006

USN-297-3: Thunderbird vulnerabilities

USN-297-1 fixed several vulnerabilities in Thunderbird for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10. For reference, these are the details of the original USN: Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A…

26 July 2006

USN-323-1: mozilla vulnerabilities

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775) Paul Nickerson discovered that content-defined setters on an object prototype were getting called by…

26 July 2006

USN-296-2: Firefox vulnerabilities

USN-296-1 fixed several vulnerabilities in Firefox for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10. For reference, these are the details of the original USN: Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A…

25 July 2006

USN-322-1: Konqueror vulnerability

A Denial of Service vulnerability has been reported in the replaceChild() method in KDE’s DOM handler. A malicious remote web page could exploit this to cause Konqueror to crash.

25 July 2006

USN-321-1: mysql-dfsg-4.1 vulnerability

Jean-David Maillefer discovered a format string bug in the date_format() function’s error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.

21 July 2006

USN-320-1: PHP vulnerabilities

The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in…

19 July 2006

USN-319-2: Linux kernel vulnerability

USN-319-1 fixed a Linux kernel vulnerability in Ubuntu 6.06 LTS. This follow-up advisory provides the corresponding updates for Ubuntu 5.04 and 5.10. For reference, these are the details of the original USN: A race condition has been discovered in the file permission handling of the /proc file system. A local attacker could exploit this to …

19 July 2006

USN-313-2: OpenOffice.org vulnerabilities

USN-313-1 fixed several vulnerabilities in OpenOffice for Ubuntu 5.04 and Ubuntu 6.06 LTS. This follow-up advisory provides the corresponding update for Ubuntu 5.10. For reference, these are the details of the original USN: It was possible to embed Basic macros in documents in a way that OpenOffice.org would not ask for confirmation about…

19 July 2006

USN-318-1: libtunepimp vulnerability

Kevin Kofler discovered several buffer overflows in the tag parser. By tricking a user into opening a specially crafted tagged multimedia file (such as .ogg or .mp3 music) with an application that uses libtunepimp, this could be exploited to execute arbitrary code with the user’s privileges. This particularly affects the KDE applications…

13 July 2006

USN-317-1: zope2.8 vulnerability

Zope did not deactivate the ‘raw’ command when exposing RestructuredText functionalities to untrusted users. A remote user with the privilege of editing Zope webpages with RestructuredText could exploit this to expose arbitrary files that can be read with the privileges of the Zope server.

13 July 2006

USN-315-1: libmms, xine-lib vulnerabilities

Matthias Hopf discovered several buffer overflows in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could exploit this to execute arbitrary code with the user’s privileges. The Xine library contains an embedded copy of libmms, and thus needs the same…

13 July 2006

USN-314-1: samba vulnerability

The Samba security team reported a Denial of Service vulnerability in the handling of information about active connections. In certain circumstances an attacker could continually increase the memory usage of the smbd process by issuing a large number of share connection requests. By draining all available memory, this could be exploited to render…

13 July 2006

USN-311-1: Linux kernel vulnerabilities

A race condition was discovered in the do_add_counters() function. Processes which do not run with full root privileges but have the CAP_NET_ADMIN capability could exploit this to crash the machine or read a random piece of kernel memory. In Ubuntu there are no packages that are affected by this, so this can only be an issue for you if you…

11 July 2006

USN-312-1: gimp vulnerability

Henning Makholm discovered that gimp did not sufficiently validate the ‘num_axes’ parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

10 July 2006

USN-310-1: ppp vulnerability

Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local…

6 July 2006

USN-309-1: libmms vulnerability

Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. In Ubuntu 5.10, this affects the GStreamer MMS plugin (gstreamer0.8-mms). Other Ubuntu…

6 July 2006

USN-308-1: shadow vulnerability

Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges. This does not affect the default…

6 July 2006

USN-307-1: mutt vulnerability

TAKAHASHI Tamotsu discovered that mutt’s IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user.

28 June 2006

USN-306-1: MySQL 4.1 vulnerability

MySQL did not correctly handle NULL as the second argument to the str_to_date() function. An authenticated user could exploit this to crash the server.

27 June 2006

USN-305-1: OpenLDAP vulnerability

When processing overly long host names in OpenLDAP’s slurpd replication server, a buffer overflow caused slurpd to crash. If an attacker manages to inject a specially crafted host name into slurpd, this might also be exploited to execute arbitrary code with slurpd’s privileges; however, since slurpd is usually set up to replicate only trusted…

27 June 2006

USN-304-1: gnupg vulnerability

Evgeny Legerov discovered that GnuPG did not sufficiently check overly large user ID packets. Specially crafted user IDs caused a buffer overflow. By tricking a user or remote automated system into processing a malicious GnuPG message, an attacker could exploit this to crash GnuPG or possibly even execute arbitrary code.

27 June 2006

USN-303-1: MySQL vulnerability

An SQL injection vulnerability has been discovered when using less popular multibyte encodings (such as SJIS or BIG5) which contain valid multibyte characters that end with the byte 0x5c (the ASCII representation of the backslash character ‘\’). Many client libraries and applications use the non-standard, but popular way of escaping the…

17 June 2006

USN-302-1: Linux kernel vulnerabilities

An integer overflow was discovered in the do_replace() function. A local user process with the CAP_NET_ADMIN capability could exploit this to execute arbitrary commands with full root privileges. However, none of Ubuntu’s supported packages use this capability with any non-root user, so this only affects you if you use some third party software…

15 June 2006

USN-301-1: kdm vulnerability

Ludwig Nussel discovered that kdm managed the ~/.dmrc file in an insecure way. By performing a symlink attack, a local user could exploit this to read arbitrary files on the system, like private files of other users, /etc/shadow, and similarly sensitive data.

15 June 2006

USN-300-1: wv2 vulnerability

libwv2 did not sufficiently check the validity of its input. Certain invalid Word documents caused a buffer overflow. By tricking a user into opening a specially crafted Word file with an application that uses libwv2, this could be exploited to execute arbitrary code with the user’s privileges. The only packaged application using this library is…

15 June 2006

USN-298-1: libgd2 vulnerability

Xavier Roche discovered that libgd’s function for reading GIF image data did not sufficiently verify its validity. Specially crafted GIF images could cause an infinite loop which used up all available CPU resources. Since libgd is often used in PHP and Perl web applications, this could lead to a remote Denial of Service vulnerability.

14 June 2006

USN-295-1: xine-lib vulnerability

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking a user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user’s privileges.

9 June 2006

USN-294-1: courier vulnerability

A Denial of Service vulnerability has been found in the function for encoding email addresses. Addresses containing a ‘=’ before the ‘@’ character caused Courier to hang in an endless loop, rendering the service unusable.

9 June 2006

USN-288-3: PostgreSQL client vulnerabilities

USN-288-1 described a PostgreSQL client vulnerability in the way the single quote character (') is escaped in SQL queries. It was determined that the PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe escaping method. For reference, these are the details of the original USN: CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a…

9 June 2006

USN-292-1: binutils vulnerability

Jesus Olmos Gonzalez discovered a buffer overflow in the Tektronix Hex Format (TekHex) backend of the BFD library, such as used by the ‘strings’ utility. (CVE-2006-2362) By tricking a user or automated system into processing a specially crafted file with ‘strings’ or a vulnerable third-party application using the BFD library, this could be…

9 June 2006

USN-293-1: gdm vulnerability

If the administrator configured a gdm theme that provided a user list, any user could activate the gdm setup program by first choosing the setup option from the menu, clicking on the user list and entering their own (instead of root’s) password. This allowed normal users to configure potentially dangerous features like remote or automatic login. Please…

9 June 2006

USN-291-1: FreeType vulnerabilities

Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user.

8 June 2006

USN-290-1: awstats vulnerability

Hendrik Weimer discovered a privilege escalation vulnerability in awstats. By supplying the ‘configdir’ CGI parameter and setting it to an attacker-controlled directory (such as an FTP account, /tmp, or similar), an attacker could execute arbitrary shell commands with the privileges of the web server (user ‘www-data’). This update disables the…

8 June 2006

USN-289-1: tiff vulnerabilities

A buffer overflow has been found in the tiff2pdf utility. By tricking a user into processing a specially crafted TIFF file with tiff2pdf, this could potentially be exploited to execute arbitrary code with the privileges of the user. (CVE-2006-2193) A. Alejandro Hernández discovered a buffer overflow in the tiffsplit utility. By calling tiffsplit…

8 June 2006

USN-288-1: PostgreSQL server/client vulnerabilities

CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data. If a client application processed untrusted input without respecting its encoding and applied standard string escaping techniques (such as replacing a single quote ' with \' or ''), the PostgreSQL server…

29 May 2006
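The escaping failure behind this advisory (USN-288-1) and USN-303-1 above, as an added example; it is not code from PostgreSQL, MySQL or any client library. It assumes Shift_JIS as the connection character set and uses the character 表, whose Shift_JIS encoding is the two bytes 0x95 0x5C. The attacker input, the query shape, the helper names and the tiny literal lexer are constructed for the illustration; the lexer models only how a server reads a backslash-escaped single-quoted literal, which is the part that matters here.

```python
def escape_bytes_naive(raw: bytes) -> bytes:
    """Encoding-unaware escaping: put 0x5C in front of every 0x27 and 0x5C byte."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(text: str) -> str:
    """Escape at character level, after the bytes were decoded as the server will."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def build_query_naive(name: bytes, charset: str) -> str:
    """Query assembled on raw bytes, then read back the way the server's lexer sees it."""
    query = b"SELECT * FROM users WHERE name = '" + escape_bytes_naive(name) + b"'"
    return query.decode(charset)


def build_query_aware(name: bytes, charset: str) -> str:
    """Decode strictly first: a lead byte with no valid trail byte is rejected here,
    so the escaper never gets the chance to supply the trail byte itself."""
    return "SELECT * FROM users WHERE name = '" + escape_text(name.decode(charset)) + "'"


def safe_query_or_none(name: bytes, charset: str):
    """build_query_aware, with a decoding failure turned into None (reject input)."""
    try:
        return build_query_aware(name, charset)
    except UnicodeDecodeError:
        return None


def literal_status(query: str) -> str:
    """Lex the first single-quoted literal: 'ok', 'closed early' or 'unterminated'."""
    i = query.index("'") + 1
    while i < len(query):
        if query[i] == "\\":          # backslash escapes the next character
            i += 2
        elif query[i] == "'":
            return "ok" if i == len(query) - 1 else "closed early"
        else:
            i += 1
    return "unterminated"


# Constructed attacker input: the lead byte 0x95 followed directly by a quote.
# The naive escaper turns 0x95 0x27 into 0x95 0x5C 0x27; in Shift_JIS, 0x95 0x5C
# is the character 表, so the 0x27 that follows is a bare, unescaped quote again.
ATTACK = b"\x95' OR 1=1 -- "
CHARSET = "shift_jis"

if __name__ == "__main__":
    print(literal_status(build_query_naive(b"O'Brien", CHARSET)))  # ok
    print(literal_status(build_query_naive(ATTACK, CHARSET)))      # closed early
    print(safe_query_or_none(ATTACK, CHARSET))                     # None (rejected)
```

The fix that the advisories describe on the library side is the same idea as build_query_aware: escaping must be done with knowledge of the connection’s character set (or, better, avoided altogether by sending parameters separately from the query text).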

USN-287-1: Nagios vulnerability

The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with an invalidly large Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server…

29 May 2006

USN-286-1: Dia vulnerabilities

Several format string vulnerabilities have been discovered in dia. By tricking a user into opening a specially crafted dia file, or a file with a specially crafted name, this could be exploited to execute arbitrary code with the user’s privileges.

24 May 2006

USN-285-1: awstats vulnerability

AWStats did not properly sanitize the ‘migrate’ CGI parameter. If the update of the stats via web front-end is allowed, a remote attacker could execute arbitrary commands on the server with the privileges of the AWStats server. This does not affect AWStats installations which only build static pages.

23 May 2006

USN-284-1: Quagga vulnerabilities

Paul Jakma discovered that Quagga’s ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223) Paul Jakma also noticed that ripd accepted…

16 May 2006

USN-274-2: MySQL vulnerability

USN-274-1 fixed a logging bypass in the MySQL server. Unfortunately it was determined that the original update was not sufficient to completely fix the vulnerability, thus another update is necessary. We apologize for the inconvenience. For reference, these are the details of the original USN: A logging bypass was discovered in the MySQL query…

15 May 2006

USN-283-1: MySQL vulnerabilities

Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516) Stefano Di Paola also found a similar information leak in the parser for the…

8 May 2006

USN-282-1: Nagios vulnerability

The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with a negative Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server already…

8 May 2006

USN-280-1: X.org server vulnerability

The Render extension of the X.org server incorrectly calculated the size of a memory buffer, which led to a buffer overflow. A local attacker could exploit this to crash the X server or even execute arbitrary code with root privileges.

4 May 2006

USN-281-1: Linux kernel vulnerabilities

The sys_mbind() function did not properly verify the validity of the ‘maxnod’ argument. A local user could exploit this to trigger a buffer overflow, which caused a kernel crash. (CVE-2006-0557) The SELinux module did not correctly handle the tracer SID when a process was already being traced. A local attacker could exploit this to cause a kernel…

4 May 2006

USN-279-1: libnasl/nessus vulnerability

Jayesh KS discovered that the nasl_split() function in the NASL (Nessus Attack Scripting Language) library did not check for a zero-length separator argument, which led to an invalid memory allocation. This library is primarily used in the Nessus security scanner; a remote attacker could exploit this vulnerability to cause the Nessus daemon to…

4 May 2006

USN-278-1: gdm vulnerability

Marcus Meissner discovered a race condition in gdm’s handling of the ~/.ICEauthority file permissions. A local attacker could exploit this to become the owner of an arbitrary file in the system. When getting control over automatically executed scripts (like cron jobs), the attacker could eventually leverage this flaw to execute arbitrary commands…

4 May 2006

USN-277-1: TIFF library vulnerabilities

Tavis Ormandy and Andrey Kiselev discovered that libtiff did not sufficiently verify the validity of TIFF files. By tricking a user into opening a specially crafted TIFF file with any application that uses libtiff, an attacker could exploit this to crash the application or even execute arbitrary code with the application’s privileges.

4 May 2006

USN-276-1: Thunderbird vulnerabilities

Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious mail with embedded JavaScript could exploit this to execute arbitrary code with the privileges of the user. (CVE-2006-0292, CVE-2006-1742) The function XULDocument.persist() did not sufficiently…

3 May 2006

USN-275-1: Mozilla vulnerabilities

Web pages with extremely long titles caused subsequent launches of Mozilla browser to hang for up to a few minutes, or caused Mozilla to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

28 April 2006

USN-274-1: MySQL vulnerability

A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the ‘log’ parameter in the MySQL configuration.

27 April 2006

USN-273-1: Ruby vulnerability

Yukihiro Matsumoto reported that Ruby’s HTTP module uses blocking sockets. By sending large amounts of data to a server application that uses this module, a remote attacker could exploit this to render the application unresponsive to other clients (Denial of Service).

24 April 2006

USN-272-1: cyrus-sasl2 vulnerability

A Denial of Service vulnerability has been discovered in the SASL authentication library when using the DIGEST-MD5 plugin. By sending a specially crafted realm name, a malicious SASL server could exploit this to crash the application that uses SASL.

24 April 2006

USN-271-1: Firefox vulnerabilities

Web pages with extremely long titles caused subsequent launches of Firefox browser to hang for up to a few minutes, or caused Firefox to crash on computers with insufficient memory. (CVE-2005-4134) Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious…

20 April 2006

USN-270-1: xpdf vulnerabilities

Derek Noonburg discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system…

13 April 2006

USN-268-1: Kaffeine vulnerability

Marcus Meissner discovered a buffer overflow in the http_peek() function. By tricking a user into opening a specially crafted playlist URL with Kaffeine, a remote attacker could exploit this to execute arbitrary code with the user’s privileges.

7 April 2006

USN-264-1: gnupg vulnerability

Tavis Ormandy discovered a flaw in gnupg’s signature verification. In some cases, certain invalid signature formats could cause gpg to report a ‘good signature’ result for auxiliary unsigned data which was prepended or appended to the checked message part.

4 April 2006

USN-267-1: mailman vulnerability

A remote Denial of Service vulnerability was discovered in the decoder for multipart messages. Certain parts of type “message/delivery-status” or parts containing only two blank lines triggered an exception. An attacker could exploit this to crash Mailman by sending a specially crafted email to a mailing list.

4 April 2006

USN-266-1: dia vulnerabilities

Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user’s privileges.

3 April 2006

USN-265-1: cairo/Evolution library vulnerability

When rendering glyphs, the cairo graphics rendering library did not check the maximum length of character strings. A request to display an excessively long string with cairo caused a program crash due to an X library error. Mike Davis discovered that this could be turned into a Denial of Service attack in Evolution. An email with an attachment…

23 March 2006

USN-263-1: Linux kernel vulnerabilities

A flaw was found in the module reference counting for loadable protocol modules of netfilter. By performing particular socket operations, a local attacker could exploit this to crash the kernel. This flaw only affects Ubuntu 5.10. (CVE-2005-3359) David Howells noticed a race condition in the add_key(), request_key() and keyctl() functions. By…

13 March 2006

USN-262-1: Ubuntu 5.10 installer password disclosure

Karl Øie discovered that the Ubuntu 5.10 installer failed to clean passwords in the installer log files. Since these files were world-readable, any local user could see the password of the first user account, which has full sudo privileges by default. The updated packages remove the passwords and additionally make the log files readable only by…

13 March 2006

USN-261-1: PHP vulnerabilities

Stefan Esser discovered that the ‘session’ module did not sufficiently verify the validity of the user-supplied session ID. A remote attacker could exploit this to insert arbitrary HTTP headers into the response sent by the PHP application, which could lead to HTTP Response Splitting (forging of arbitrary responses on behalf of the PHP application)…

10 March 2006

USN-260-1: flex vulnerability

Chris Moore discovered a buffer overflow in a particular class of lexical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input with an application that uses a flex scanner for parsing. This flaw particularly affects gpc, the GNU Pascal Compiler. A potentially remote…

7 March 2006

USN-259-1: irssi vulnerability

A Denial of Service vulnerability was discovered in irssi. The DCC ACCEPT command handler did not sufficiently verify the remotely specified arguments. A remote attacker could exploit this to crash irssi by sending specially crafted DCC commands.

2 March 2006

USN-258-1: PostgreSQL vulnerability

Akio Ishida discovered that the SET SESSION AUTHORIZATION command did not properly verify the validity of its argument. An authenticated PostgreSQL user could exploit this to crash the server. However, this does not affect the official binary Ubuntu packages. The crash can only be triggered if the source package is rebuilt with assertions enabled…

27 February 2006

USN-257-1: tar vulnerability

Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking a user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. The tar version in Ubuntu 4.10 is not affected by this vulnerability.

23 February 2006

USN-255-1: openssh vulnerability

Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking a user into using scp on a specially crafted file name (which could also be caught by using an innocuous wildcard like ‘*‘), an attacker could exploit this to execute arbitrary…

22 February 2006

USN-254-1: noweb vulnerability

Javier Fernández-Sanguino Peña discovered that noweb scripts created temporary files in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running noweb.

22 February 2006

USN-256-1: bluez-hcidump vulnerability

Pierre Betouin discovered a Denial of Service vulnerability in the handling of the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer. By sending a specially crafted L2CAP packet through a wireless Bluetooth connection, a remote attacker could crash hcidump. Since hcidump is mainly a debugging tool, the impact of this flaw is very…

22 February 2006

USN-253-1: heimdal vulnerability

A remote Denial of Service vulnerability was discovered in the heimdal implementation of the telnet daemon. A remote attacker could force the server to crash due to a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast. Please note that the heimdal-servers package is not…

18 February 2006

USN-252-1: gnupg vulnerability

Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg --verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third-party applications might just check the exit code for…

18 February 2006
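One way to follow the recommendation in USN-252-1 above (decide from the status messages, not from the exit code), as an added example that is not part of GnuPG or of the advisory. It assumes the caller ran gpg or gpgv with --status-fd and captured that stream together with the exit code. The status lines in the block are constructed samples in the documented `[GNUPG:] KEYWORD ...` format; the fingerprints, key IDs, timestamps and user IDs are placeholders, and the acceptance policy (every signature seen must be GOODSIG with a matching VALIDSIG from a key on an explicit allow list, and no rejecting keyword may appear) is this example’s own.

```python
# Keywords that mean the data must not be trusted, whatever the exit code says.
REJECT = frozenset({"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "NO_PUBKEY", "UNEXPECTED"})


def parse_status(status_text: str):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD ...' line; ignore the rest."""
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line[len("[GNUPG:] "):].split()
            if fields:
                yield fields[0], fields[1:]


def accepted_signers(status_text: str, allowed_fprs: frozenset) -> frozenset:
    """Fingerprints from VALIDSIG lines, or an empty set if anything is off.

    Empty means 'do not use the data': no signature at all (the case USN-252-1
    describes), any rejected or errored signature, a GOODSIG without its
    VALIDSIG, or a signer that is not on the allow list.
    """
    goodsig = 0
    valid = []
    for keyword, args in parse_status(status_text):
        if keyword in REJECT:
            return frozenset()
        if keyword == "GOODSIG":
            goodsig += 1
        elif keyword == "VALIDSIG" and args:
            valid.append(args[0].upper())
    signers = frozenset(valid)
    if not signers or goodsig != len(valid) or not signers <= allowed_fprs:
        return frozenset()
    return signers


# Constructed status output in the documented keyword format; the fingerprint,
# key ID, timestamps and user ID are placeholders, not real keys.
RELEASE_KEY = "00112233445566778899AABBCCDDEEFF11223344"
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCDDEEFF11223344 Release Signing Key <release@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF11223344 2006-02-18 1140220800 0 4 0 1 2 00 00112233445566778899AABBCCDDEEFF11223344
[GNUPG:] TRUST_ULTIMATE
"""
STATUS_NO_SIGNATURE = "[GNUPG:] NODATA 1\n"   # the file carried no signature
STATUS_BAD = "[GNUPG:] BADSIG CCDDEEFF11223344 Release Signing Key <release@example.org>\n"


def verify_from_status(status_text: str, exit_code: int) -> bool:
    """The caller's decision: exit code 0 is necessary but never sufficient."""
    return exit_code == 0 and bool(accepted_signers(status_text, frozenset({RELEASE_KEY})))


if __name__ == "__main__":
    print(verify_from_status(STATUS_GOOD, 0))          # True
    print(verify_from_status(STATUS_NO_SIGNATURE, 0))  # False: exit 0, nothing signed
    print(verify_from_status(STATUS_BAD, 1))           # False
```

Pinning the signer to a fingerprint allow list is what turns "some key produced a good signature" into "the key we expected produced it"; a GOODSIG from an arbitrary key in the keyring proves nothing about the origin of the data.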

USN-251-1: libtasn vulnerability

Evgeny Legerov discovered a buffer overflow in the DER format decoding function of the libtasn library. This library is mainly used by the GNU TLS library; by sending a specially crafted X.509 certificate to a server which uses TLS encryption/authentication, a remote attacker could exploit this to crash that server process and possibly…

17 February 2006

USN-248-2: unzip regression fix

USN-248-1 fixed a vulnerability in unzip. However, that update inadvertently changed the field order in the contents listing output, which broke unzip frontends like file-roller. The updated packages fix this regression.

15 February 2006

USN-250-1: Linux kernel vulnerability

Herbert Xu discovered a remote Denial of Service vulnerability in the ICMP packet handler. In some situations a memory allocation was released twice, which led to memory corruption. A remote attacker could exploit this to crash the machine.

15 February 2006

USN-249-1: xpdf/poppler/kpdf vulnerabilities

The splash image handler in xpdf did not check the validity of coordinates. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to trigger a buffer overflow which could lead to arbitrary code execution with the privileges of the user. The poppler library and kpdf also contain xpdf code, and thus…

15 February 2006

USN-248-1: unzip vulnerability

A buffer overflow was discovered in the handling of file name arguments. By tricking a user or automated system into processing a specially crafted, excessively long file name with unzip, an attacker could exploit this to execute arbitrary code with the user’s privileges.

15 February 2006

USN-247-1: Heimdal vulnerability

A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them. Please note that the heimdal-servers package is not officially supported in Ubuntu (it is in the ‘universe’ component of the archive). However, this affects you if you…

11 February 2006

USN-246-1: imagemagick vulnerabilities

Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be…

25 January 2006

USN-245-1: KDE library vulnerability

Maksim Orlovich discovered that kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, did not sufficiently verify the validity of UTF-8 encoded URIs. Specially crafted URIs could trigger a buffer overflow. By tricking a user into visiting a web site with malicious JavaScript code, a remote attacker could exploit this to…

20 January 2006

USN-244-1: Linux kernel vulnerabilities

Doug Chapman discovered a flaw in the reference counting in the sys_mq_open() function. By calling this function in a special way, a local attacker could exploit this to cause a kernel crash. (CVE-2005-3356) Karl Janmar discovered that the /proc file system module used signed data types in a wrong way. A local attacker could exploit this to…

18 January 2006

USN-243-1: tuxpaint vulnerability

Javier Fernández-Sanguino Peña discovered that the tuxpaint-import.sh script created a temporary file in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running tuxpaint.

16 January 2006

USN-242-1: mailman vulnerabilities

Aliet Santiesteban Sifontes discovered a remote Denial of Service vulnerability in the attachment handler. An email with an attachment whose filename contained invalid UTF-8 characters caused mailman to crash. (CVE-2005-3573) Mailman did not sufficiently verify the validity of email dates. Very large numbers in dates caused mailman to crash….

16 January 2006

USN-241-1: Apache vulnerabilities

The “mod_imap” module (which provides support for image maps) did not properly escape the “referer” URL, which made it vulnerable to a cross-site scripting attack. A malicious web page (or HTML email) could trick a user into visiting a site running the vulnerable mod_imap, and employ cross-site-scripting techniques to gather sensitive…

13 January 2006

USN-240-1: bogofilter vulnerability

A buffer overflow was found in bogofilter’s character set conversion handling. Certain invalid UTF-8 character sequences caused an invalid memory access. By sending a specially crafted email, a remote attacker could exploit this to crash bogofilter or possibly even execute arbitrary code with bogofilter’s privileges.

12 January 2006

USN-194-2: texinfo regression fix

USN-194-1 fixed a vulnerability in the ‘texindex’ program. Unfortunately this update introduced a regression that caused the program to abort when cleaning up temporary files (which are used with extraordinarily large input files). The updated packages fix this.

9 January 2006

USN-235-2: sudo vulnerability

USN-235-1 fixed a vulnerability in sudo’s handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges. For reference, this is the original advisory: Charles Morris…

9 January 2006

USN-236-2: xpdf vulnerabilities in kword, kpdf

USN-236-1 fixed several vulnerabilities in xpdf. kpdf and kword contain copies of xpdf code and are thus vulnerable to the same issues. For reference, this is the original advisory: Chris Evans discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking a user into…

9 January 2006

USN-239-1: libapache2-mod-auth-pgsql vulnerability

Several format string vulnerabilities were discovered in the error logging handling. By sending specially crafted user names, an unauthenticated remote attacker could exploit this to crash the Apache server or possibly even execute arbitrary code with the privileges of Apache (user ‘www-data’).

9 January 2006

USN-238-2: Blender vulnerability

Damian Put discovered that Blender did not properly validate a ‘length’ value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.

6 January 2006

USN-238-1: Blender vulnerability

Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.

6 January 2006

USN-237-1: nbd vulnerability

Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.

6 January 2006

USN-236-1: xpdf vulnerabilities

Chris Evans discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, and tetex-bin. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS printing system also…

6 January 2006

USN-235-1: sudo vulnerability

Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl’s library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the…

6 January 2006

USN-234-1: cpio vulnerability

Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with…

3 January 2006

USN-233-1: fetchmail vulnerability

Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in ‘multidrop’ mode, a malicious email server could cause a crash by sending an email without any headers. Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.

3 January 2006

USN-232-1: PHP vulnerabilities

Eric Romang discovered a local Denial of Service vulnerability in the handling of the ‘session.save_path’ parameter in PHP’s Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319) A Denial of Service flaw was found in the EXIF module. By sending an image…

23 December 2005

USN-231-1: Linux kernel vulnerabilities

Rudolf Polzer reported an abuse of the ‘loadkeys’ command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the…

23 December 2005

USN-230-2: ffmpeg/xine-lib vulnerability

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw. For reference, this is the original advisory: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking a user into opening…

16 December 2005

USN-229-1: Zope vulnerability

Zope did not deactivate the file inclusion feature when exposing RestructuredText functionalities to untrusted users. A remote user with the privilege of editing Zope webpages with RestructuredText could exploit this to expose arbitrary files that can be read with the privileges of the Zope server, or execute arbitrary Zope code.

14 December 2005

USN-228-1: curl library vulnerability

Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load a URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with…

13 December 2005

USN-222-2: Perl vulnerability

USN-222-1 fixed a vulnerability in the Perl interpreter. It was discovered that the version of USN-222-1 was not sufficient to handle all possible cases of malformed input that could lead to arbitrary code execution, so another update is necessary. Original advisory: Jack Louis of Dyad Security discovered that Perl did not sufficiently check…

13 December 2005

USN-227-1: xpdf vulnerabilities

infamous41md discovered several integer overflows in the XPDF code, which is present in xpdf, the Poppler library, tetex-bin, KOffice, and kpdf. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to execute arbitrary code with the privileges of the application that processes the document. The CUPS…

12 December 2005

USN-226-1: Courier vulnerability

Patrick Cheong Shu Yang discovered a flaw in the user account handling of courier-authdaemon. After successful authorization, the Courier mail server granted access to deactivated accounts.

10 December 2005

USN-225-1: Apache 2 vulnerability

A memory leak was found in the Apache 2 ‘worker’ module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, which eventually led to a Denial of Service.

7 December 2005

USN-180-2: MySQL 4.1 vulnerability

USN-180-1 fixed a vulnerability in the mysql-server package (which ships version 4.0). Version 4.1 is vulnerable to the same flaw. Please note that this package is not officially supported in Ubuntu 5.10. Original advisory: “AppSecInc Team SHATTER discovered a buffer overflow in the “CREATE FUNCTION” statement. By specifying a specially…

5 December 2005

USN-222-1: Perl vulnerability

Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the…

2 December 2005

USN-221-1: racoon vulnerability

The Oulu University Secure Programming Group discovered a remote Denial of Service vulnerability in the racoon daemon. When the daemon was configured to use aggressive mode, it did not check whether the peer sent all required payloads during the IKE negotiation phase. A malicious IPsec peer could exploit this to crash the racoon…

1 December 2005

USN-220-1: w3c-libwww vulnerability

Sam Varshavchik discovered several buffer overflows in the HTBoundary_put_block() function. By sending specially crafted HTTP multipart/byteranges MIME messages, a malicious HTTP server could trigger an out of bounds memory access in the libwww library, which causes the program that uses the library to crash.

1 December 2005

USN-218-1: netpbm vulnerabilities

Two buffer overflows were discovered in the ‘pnmtopng’ tool, which were triggered by processing an image with exactly 256 colors when using the -alpha option (CVE-2005-3662) or by processing a text file with very long lines when using the -text option (CVE-2005-3632). A remote attacker could exploit these to execute arbitrary code by tricking an…

22 November 2005

USN-217-1: Inkscape vulnerability

A buffer overflow has been discovered in the SVG importer of Inkscape. By tricking a user into opening a specially crafted SVG image, this could be exploited to execute arbitrary code with the privileges of the Inkscape user.

21 November 2005

USN-190-2: ucd-snmp vulnerability

USN-190-1 fixed a vulnerability in the net-snmp library. It was discovered that the same problem also affects the ucd-snmp implementation (which is used by the Cyrus email server). Original advisory: A remote Denial of Service has been discovered in the SNMP (Simple Network Management Protocol) library. If a SNMP agent uses TCP sockets for…

21 November 2005

USN-216-1: GDK vulnerabilities

Two integer overflows have been discovered in the XPM image loader of the GDK pixbuf library. By tricking a user into opening a specially crafted XPM image with any Gnome desktop application that uses this library, this could be exploited to execute arbitrary code with the privileges of the user running the application. (CVE-2005-2976,…

16 November 2005

USN-151-4: rpm vulnerability

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since lsb-rpm is statically linked against the zlib library, it is also affected by these issues. The updated packages have been rebuilt against the fixed…

9 November 2005

USN-215-1: fetchmailconf vulnerability

Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user…

8 November 2005

USN-206-2: Fixed lynx packages for USN-206-1

USN-206-1 fixed a security vulnerability in lynx. Unfortunately the fix contained an error that caused lynx to crash under certain circumstances. The updated packages fix this.

29 October 2005

USN-151-3: zlib vulnerabilities

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since aide is statically linked against the zlib library, it is also affected by these issues. The updated packages have been rebuilt against the fixed zlib.

29 October 2005

USN-213-1: sudo vulnerability

Tavis Ormandy discovered a privilege escalation vulnerability in sudo. On executing shell scripts with sudo, the “PS4” and “SHELLOPTS” environment variables were not cleaned properly. If sudo is set up to grant limited sudo privileges to normal users, this could be exploited to run arbitrary commands as the target user. Updated packages for Ubuntu…

28 October 2005

USN-212-1: libgda2 vulnerability

Steve Kemp discovered two format string vulnerabilities in the logging handler of the Gnome database access library. Depending on the application that uses the library, this could have been exploited to execute arbitrary code with the permission of the user running the application.

28 October 2005

USN-211-1: Enigmail vulnerability

Hadmut Danisch discovered an information disclosure vulnerability in the key selection dialog of the Mozilla/Thunderbird enigmail plugin. If a user’s keyring contained a key with an empty user id (i.e. a key without a name and email address), this key was selected by default when the user attempted to send an encrypted email. Unless this empty key…

20 October 2005

USN-210-1: netpbm vulnerability

A buffer overflow was found in the “pnmtopng” conversion program. By tricking a user (or automated system) into processing a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng.

18 October 2005

USN-206-1: Lynx vulnerability

Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape characters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges…

17 October 2005

USN-205-1: Curl and wget vulnerabilities

A buffer overflow has been found in the NTLM authentication handler of the Curl library and wget. By tricking a user or automatic system that uses the Curl library, the curl application, or wget into visiting a specially-crafted web site, a remote attacker could exploit this to execute arbitrary code with the privileges of the calling user. The…

14 October 2005

USN-204-1: SSL library vulnerability

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL applications. Applications using the OpenSSL library can use the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the former) to maintain compatibility with third party products, which is achieved by working around known bugs in them. The…

14 October 2005