USNs for ubuntu 6.10

USN-602-1: Firefox vulnerabilities

Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user’s privileges. (CVE-2008-1380)

22 April 2008

USN-604-1: Gnumeric vulnerability

Thilo Pfennig and Morten Welinder discovered that the XLS spreadsheet handling code in Gnumeric did not correctly calculate needed memory sizes. If a user or automated system were tricked into loading a specially crafted XLS document, a remote attacker could execute arbitrary code with user privileges.

22 April 2008

USN-603-2: KOffice vulnerability

USN-603-1 fixed vulnerabilities in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote…

17 April 2008

USN-603-1: poppler vulnerability

It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote attacker could execute arbitrary code with user privileges.

17 April 2008

USN-601-1: Squid vulnerability

It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect upstream fix for CVE-2007-6239. (CVE-2008-1612)

14 April 2008

USN-599-1: Ghostscript vulnerability

Chris Evans discovered that Ghostscript contained a buffer overflow in its color space handling code. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2008-0411)

9 April 2008

USN-598-1: CUPS vulnerabilities

It was discovered that the CUPS administration interface contained a heap- based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the…

2 April 2008

USN-597-1: OpenSSH vulnerability

Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards.

1 April 2008

USN-596-1: Ruby vulnerabilities

Chris Clark discovered that Ruby’s HTTPS module did not check for commonName mismatches early enough during SSL negotiation. If a remote attacker were able to perform man-in-the-middle attacks, this flaw could be exploited to view sensitive information in HTTPS requests coming from Ruby applications. (CVE-2007-5162) It was discovered that Ruby’s…

26 March 2008

USN-595-1: SDL_image vulnerabilities

Michael Skladnikiewicz discovered that SDL_image did not correctly load GIF images. If a user or automated system were tricked into processing a specially crafted GIF, a remote attacker could execute arbitrary code or cause a crash, leading to a denial of service. (CVE-2007-6697) David Raulo discovered that SDL_image did not correctly load ILBM…

26 March 2008

USN-594-1: libnet-dns-perl vulnerability

It was discovered that Net::DNS did not correctly validate the size of DNS replies. A remote attacker could send a specially crafted DNS response and cause applications using Net::DNS to abort, leading to a denial of service.

26 March 2008

USN-593-1: Dovecot vulnerabilities

It was discovered that the default configuration of dovecot could allow access to any email files with group “mail” without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user’s email. (CVE-2008-1199) By default, dovecot passed special characters to…

26 March 2008

USN-592-1: Firefox vulnerabilities

Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu discovered flaws in Firefox’s character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Various flaws were discovered in the JavaScript engine. By tricking a user into opening a malicious web…

26 March 2008

USN-591-1: libicu vulnerabilities

Will Drewry discovered that libicu did not properly handle ‘\0’ when processing regular expressions. If an application linked against libicu processed a crafted regular expression, an attacker could execute arbitrary code with privileges of the user invoking the program. (CVE-2007-4770) Will Drewry discovered that libicu did not properly limit…

24 March 2008

USN-590-1: bzip2 vulnerability

It was discovered that bzip2 did not correctly handle certain malformed archives. If a user or automated system were tricked into processing a specially crafted bzip2 archive, applications linked against libbz2 could be made to crash, possibly leading to a denial of service.

24 March 2008

USN-589-1: unzip vulnerability

Tavis Ormandy discovered that unzip did not correctly clean up pointers. If a user or automated service was tricked into processing a specially crafted ZIP archive, a remote attacker could execute arbitrary code with user privileges.

20 March 2008

USN-588-1: MySQL vulnerabilities

Masaaki Hirose discovered that MySQL could be made to dereference a NULL pointer. An authenticated user could cause a denial of service (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232) Alexander Nozdrin discovered that MySQL did not restore database…

19 March 2008

USN-587-1: Kerberos vulnerabilities

It was discovered that krb5 did not correctly handle certain krb4 requests. An unauthenticated remote attacker could exploit this flaw by sending a specially crafted traffic, which could expose sensitive information, cause a crash, or execute arbitrary code. (CVE-2008-0062, CVE-2008-0063) A flaw was discovered in the kadmind service’s handling…

19 March 2008

USN-586-1: mailman vulnerability

Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.

15 March 2008

USN-585-1: Python vulnerabilities

Piotr Engelking discovered that strxfrm in Python was not correctly calculating the size of the destination buffer. This could lead to small information leaks, which might be used by attackers to gain additional knowledge about the state of a running Python script. (CVE-2007-2052) A flaw was discovered in the Python imageop module. If a script…

11 March 2008

USN-582-2: Thunderbird regression

USN-582-1 fixed several vulnerabilities in Thunderbird. The upstream fixes were incomplete, and after performing certain actions Thunderbird would crash due to memory errors. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Thunderbird did not properly set the size of a …

6 March 2008

USN-584-1: OpenLDAP vulnerabilities

Jonathan Clarke discovered that the OpenLDAP slapd server did not properly handle modify requests when using the Berkeley DB backend and specifying the NOOP control. An authenticated user with modify permissions could send a crafted modify request and cause a denial of service via application crash. Ubuntu 7.10 is not affected by this issue….

5 March 2008

USN-583-1: Evolution vulnerability

Ulf Harnhammar discovered that Evolution did not correctly handle format strings when processing encrypted emails. A remote attacker could exploit this by sending a specially crafted email, resulting in arbitrary code execution.

5 March 2008

USN-582-1: Thunderbird vulnerabilities

It was discovered that Thunderbird did not properly set the size of a buffer when parsing an external-body MIME-type. If a user were to open a specially crafted email, an attacker could cause a denial of service via application crash or possibly execute arbitrary code as the user. (CVE-2008-0304) Various flaws were discovered in Thunderbird and…

29 February 2008

USN-581-1: PCRE vulnerability

It was discovered that PCRE did not correctly handle very long strings containing UTF8 sequences. In certain situations, an attacker could exploit applications linked against PCRE by tricking a user or automated system in processing a malicious regular expression leading to a denial of service or possibly arbitrary code execution.

21 February 2008

USN-580-1: libcdio vulnerability

Devon Miller discovered that the iso-info and cd-info tools did not properly perform bounds checking. If a user were tricked into using these tools with a crafted iso image, an attacker could cause a denial of service (core dump) and possibly execute arbitrary code.

20 February 2008

USN-577-1: Linux kernel vulnerability

Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600)

12 February 2008

USN-576-1: Firefox vulnerabilities

Various flaws were discovered in the browser and JavaScript engine. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2008-0412, CVE-2008-0413) Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user’s…

8 February 2008

USN-575-1: Apache vulnerabilities

It was discovered that Apache did not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a…

4 February 2008

USN-574-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal…

4 February 2008

USN-571-2: X.org regression

USN-571-1 fixed vulnerabilities in X.org. The upstream fixes were incomplete, and under certain situations, applications using the MIT-SHM extension (e.g. Java, wxWidgets) would crash with BadAlloc X errors. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple overflows were discovered in the…

19 January 2008

USN-571-1: X.org vulnerabilities

Multiple overflows were discovered in the XFree86-Misc, XInput-Misc, TOG-CUP, EVI, and MIT-SHM extensions which did not correctly validate function arguments. An authenticated attacker could send specially crafted requests and gain root privileges. (CVE-2007-5760, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429) It was discovered that the X.org…

18 January 2008

USN-570-1: boost vulnerabilities

Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.

16 January 2008

USN-569-1: libxml2 vulnerability

Brad Fitzpatrick discovered that libxml2 did not correctly handle certain UTF-8 sequences. If a remote attacker were able to trick a user or automated system into processing a specially crafted XML document, the application linked against libxml2 could enter an infinite loop, leading to a denial of service via CPU resource consumption.

14 January 2008

USN-568-1: PostgreSQL vulnerabilities

Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. An authenticated user could exploit this flaw to access arbitrary accounts and execute arbitrary SQL queries. (CVE-2007-3278, CVE-2007-6601) It was discovered that the TCL regular expression parser used by PostgreSQL did not properly check its input. An…

14 January 2008

USN-566-1: OpenSSH vulnerability

Jan Pechanec discovered that ssh would forward trusted X11 cookies when untrusted cookie generation failed. This could lead to unintended privileges being forwarded to a remote host.

9 January 2008

USN-565-1: Squid vulnerability

It was discovered that Squid did not always clean up cache memory correctly. A remote attacker could manipulate cache update replies and cause Squid to use all available memory, leading to a denial of service.

9 January 2008

USN-564-1: Net-SNMP vulnerability

Bill Trost discovered that snmpd did not properly limit GETBULK requests. A remote attacker could specify a large number of max-repetitions and cause a denial of service via resource exhaustion.

9 January 2008

USN-563-1: CUPS vulnerabilities

Wei Wang discovered that the SNMP discovery backend did not correctly calculate the length of strings. If a user were tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code. Elias Pipping discovered that temporary files were not handled safely in certain situations when…

9 January 2008

USN-562-1: opal vulnerability

Jose Miguel Esparza discovered that certain SIP headers were not correctly validated. A remote attacker could send a specially crafted packet to an application linked against opal (e.g. Ekiga) causing it to crash, leading to a denial of service.

8 January 2008

USN-561-1: pwlib vulnerability

Jose Miguel Esparza discovered that pwlib did not correctly handle large string lengths. A remote attacker could send specially crafted packets to applications linked against pwlib (e.g. Ekiga) causing them to crash, leading to a denial of service.

8 January 2008

USN-560-1: Tomboy vulnerability

Jan Oravec discovered that Tomboy did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program.

7 January 2008

USN-559-1: MySQL vulnerabilities

Joe Gallo and Artem Russakovskii discovered that the InnoDB engine in MySQL did not properly perform input validation. An authenticated user could use a crafted CONTAINS statement to cause a denial of service. (CVE-2007-5925) It was discovered that under certain conditions MySQL could be made to overwrite system table information. An…

21 December 2007

USN-558-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Certain calculations in the hugetlb code were not correct. A…

19 December 2007

USN-557-1: GD library vulnerability

Mattias Bengtsson and Philip Olausson discovered that the GD library did not properly perform bounds checking when creating images. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code.

18 December 2007

USN-556-1: Samba vulnerability

Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in…

18 December 2007

USN-550-3: Cairo regression

USN-550-1 fixed vulnerabilities in Cairo. A bug in font glyph rendering was uncovered as a result of the new memory allocation routines. In certain situations, fonts containing characters with no width or height would not render any more. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Peter…

13 December 2007

USN-555-1: e2fsprogs vulnerability

Rafal Wojtczuk discovered multiple integer overflows in e2fsprogs. If a user or automated system were tricked into fscking a malicious ext2/ext3 filesystem, a remote attacker could execute arbitrary code with the user’s privileges.

8 December 2007

USN-554-1: teTeX and TeX Live vulnerabilities

Bastien Roucaries discovered that dvips as included in tetex-bin and texlive-bin did not properly perform bounds checking. If a user or automated system were tricked into processing a specially crafted dvi file, dvips could be made to crash and execute code as the user invoking the program. (CVE-2007-5935) Joachim Schrod discovered that the…

6 December 2007

USN-553-1: Mono vulnerability

It was discovered that Mono did not correctly bounds check certain BigInteger actions. Remote attackers could exploit this to crash a Mono application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-552-1: Perl vulnerability

It was discovered that Perl’s regular expression library did not correctly handle certain UTF sequences. If a user or automated system were tricked into running a specially crafted regular expression, a remote attacker could crash the application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-546-2: Firefox regression

USN-546-1 fixed vulnerabilities in Firefox. The upstream update included a faulty patch which caused the drawImage method of the canvas element to fail. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:“…

4 December 2007

USN-551-1: OpenLDAP vulnerabilities

Thomas Sesselmann discovered that the OpenLDAP slapd server did not properly handle certain modify requests. A remote attacker could send malicious modify requests to the server and cause a denial of service. (CVE-2007-5707) Toby Blake discovered that slapd did not properly terminate an array while running as a proxy-caching server. A…

4 December 2007

USN-550-1: Cairo vulnerability

Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with user privileges.

3 December 2007

USN-549-1: PHP vulnerabilities

It was discovered that the wordwrap function did not correctly check lengths. Remote attackers could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-3998) Integer overflows were discovered in the strspn and strcspn functions. Attackers could exploit this to read arbitrary areas of memory,…

29 November 2007

USN-547-1: PCRE vulnerabilities

Tavis Ormandy and Will Drewry discovered multiple flaws in the regular expression handling of PCRE. By tricking a user or service into running specially crafted expressions via applications linked against libpcre3, a remote attacker could crash the application, monopolize CPU resources, or possibly execute arbitrary code with the application’s…

27 November 2007

USN-546-1: Firefox vulnerabilities

It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:” contents. A malicious web site could exploit this to modify or steal confidential data (such as passwords) from other web sites. (CVE-2007-5947) Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a…

26 November 2007

USN-544-2: Samba regression

USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these…

16 November 2007

USN-544-1: Samba vulnerabilities

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered…

16 November 2007

USN-543-1: VMWare vulnerabilities

Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server did not correctly handle certain packet structures. Remote attackers could send specially crafted packets and gain root privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063) Rafal Wojtczvk discovered multiple memory corruption issues in VMWare Player. Attackers with…

15 November 2007

USN-542-2: KOffice vulnerabilities

USN-542-1 fixed a vulnerability in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly…

15 November 2007

USN-542-1: poppler vulnerabilities

Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the user’s privileges in applications linked against poppler.

14 November 2007

USN-540-1: flac vulnerability

Sean de Regge discovered that flac did not properly perform bounds checking in many situations. An attacker could send a specially crafted FLAC audio file and execute arbitrary code as the user or cause a denial of service in flac or applications that link against flac.

13 November 2007

USN-539-1: CUPS vulnerability

Alin Rad Pop discovered that CUPS did not correctly validate buffer lengths when processing IPP tags. Remote attackers successfully exploiting this vulnerability would gain access to the non-root CUPS user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.

6 November 2007

USN-538-1: libpng vulnerabilities

It was discovered that libpng did not properly perform bounds checking and comparisons in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng.

25 October 2007

USN-531-2: dhcp vulnerability

USN-531-1 fixed vulnerabilities in dhcp. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes the problem. Original advisory details: Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send …

23 October 2007

USN-536-1: Thunderbird vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5339, CVE-2007-5340) Flaws were discovered in the file upload form control. By tricking a user into opening a malicious web page, an attacker could…

23 October 2007

USN-535-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5336, CVE-2007-5339, CVE-2007-5340) Michal Zalewski discovered that the onUnload event handlers were incorrectly able to access information outside…

22 October 2007

USN-501-2: Ghostscript vulnerability

USN-501-1 fixed vulnerabilities in Jasper. This update provides the corresponding update for the Jasper internal to Ghostscript. Original advisory details: It was discovered that Jasper did not correctly handle corrupted JPEG2000 images. By tricking a user into opening a specially crafted JPG, a remote attacker could cause the application…

22 October 2007

USN-534-1: OpenSSL vulnerability

Andy Polyakov discovered that the DTLS implementation in OpenSSL was vulnerable. A remote attacker could send a specially crafted connection request to services using DTLS and execute arbitrary code with the service’s privileges. There are no known Ubuntu applications that are currently using DTLS.

22 October 2007

USN-533-1: util-linux vulnerability

Ludwig Nussel discovered that mount and umount did not properly drop privileges when using helper programs. Local attackers may be able to bypass security restrictions and gain root privileges using programs such as mount.nfs or mount.cifs.

22 October 2007

USN-531-1: dhcp vulnerability

Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send malicious DHCP replies to the server and execute arbitrary code.

22 October 2007

USN-530-1: hplip vulnerability

It was discovered that the hpssd tool of hplip did not correctly handle shell meta-characters. A local attacker could exploit this to execute arbitrary commands as the hplip user.

12 October 2007

USN-529-1: Tk vulnerability

It was discovered that Tk could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

11 October 2007

USN-528-1: MySQL vulnerabilities

Neil Kettle discovered that MySQL could be made to dereference a NULL pointer and divide by zero. An authenticated user could exploit this with a crafted IF clause, leading to a denial of service. (CVE-2007-2583) Victoria Reznichenko discovered that MySQL did not always require the DROP privilege. An authenticated user could exploit this via…

11 October 2007

USN-526-1: debian-goodies vulnerability

Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.

4 October 2007

USN-525-1: libsndfile vulnerability

Robert Buchholz discovered that libsndfile did not correctly validate the size of its memory buffers. If a user were tricked into playing a specially crafted FLAC file, a remote attacker could execute arbitrary code with user privileges.

4 October 2007

USN-524-1: OpenOffice.org vulnerability

An integer overflow was discovered in the TIFF handling code in OpenOffice. If a user were tricked into loading a malicious TIFF image, a remote attacker could execute arbitrary code with user privileges.

4 October 2007

USN-523-1: ImageMagick vulnerabilities

Multiple vulnerabilities were found in the image decoders of ImageMagick. If a user or automated system were tricked into processing a malicious DCM, DIB, XBM, XCF, or XWD image, a remote attacker could execute arbitrary code with user privileges.

3 October 2007

USN-522-1: openssl vulnerabilities

It was discovered that OpenSSL did not correctly perform Montgomery multiplications. Local attackers might be able to reconstruct RSA private keys by examining another user’s OpenSSL processes. (CVE-2007-3108) Moritz Jodeit discovered that OpenSSL’s SSL_get_shared_ciphers function did not correctly check the size of the buffer it was writing…

28 September 2007

USN-521-1: libmodplug vulnerability

Luigi Auriemma discovered that libmodplug did not properly sanitize its input. A specially crafted AMF file could be used to exploit this situation to cause buffer overflows and possibly execute arbitrary code as the user.

27 September 2007

USN-520-1: fetchmail vulnerabilities

Gaetan Leurent discovered a vulnerability in the APOP protocol based on MD5 collisions. As fetchmail supports the APOP protocol, this vulnerability can be used by attackers to discover a portion of the APOP user’s authentication credentials. (CVE-2007-1558) Earl Chew discovered that fetchmail can be made to de-reference a NULL pointer when…

26 September 2007

USN-519-1: elinks vulnerability

Kalle Olavi Niemitalo discovered that if elinks makes a POST request to an HTTPS URL through a proxy, information may be sent in clear-text between elinks and the proxy. Attackers with access to the network could steal sensitive information (such as passwords).

25 September 2007

USN-517-1: kdm vulnerability

It was discovered that KDM would allow logins without password checks under certain circumstances. If autologin was configured, and “shutdown with password” enabled, a local user could exploit the problem and gain root privileges.

25 September 2007

USN-518-1: linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities

Evan Teran discovered that the Linux kernel ptrace routines did not correctly handle certain requests robustly. Local attackers could exploit this to crash the system, causing a denial of service. (CVE-2007-3731) It was discovered that hugetlb kernels on PowerPC systems did not prevent the stack from colliding with reserved kernel memory. …

25 September 2007

USN-516-1: xfsdump vulnerability

Paul Martin discovered that xfs_fsr creates a temporary directory with insecure permissions. This allows a local attacker to exploit a race condition in xfs_fsr to read or overwrite arbitrary files on xfs filesystems.

20 September 2007

USN-515-1: t1lib vulnerability

It was discovered that t1lib does not properly perform bounds checking which can result in a buffer overflow vulnerability. An attacker could send specially crafted input to applications linked against t1lib which could result in a DoS or arbitrary code execution.

19 September 2007

USN-513-1: Qt vulnerability

Dirk Mueller discovered that UTF8 strings could be made to cause a small buffer overflow. A remote attacker could exploit this by sending specially crafted strings to applications that use the Qt3 library for UTF8 processing, potentially leading to arbitrary code execution with user privileges, or a denial of service.

18 September 2007

USN-512-1: Quagga vulnerability

It was discovered that Quagga did not correctly verify OPEN messages or COMMUNITY attributes sent from configured peers. Malicious authenticated remote peers could send a specially crafted message which would cause bgpd to abort, leading to a denial of service.

15 September 2007

USN-511-2: Kerberos vulnerability

USN-511-1 fixed vulnerabilities in krb5 and librpcsecgss. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes the problem. Original advisory details: It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An…

7 September 2007

USN-511-1: Kerberos vulnerability

It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges.

4 September 2007

USN-509-1: Linux kernel vulnerabilities

A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was…

30 August 2007

USN-469-2: Enigmail regression

USN-469-1 fixed vulnerabilities in the Mozilla Thunderbird email client. The updated Thunderbird version broken compatibility with the Enigmail plugin. This update corrects the problem. We apologize for the inconvenience.

28 August 2007

USN-506-1: tar vulnerability

Dmitry V. Levin discovered that tar did not correctly detect the “..” file path element when unpacking archives. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.

28 August 2007

USN-505-1: vim vulnerability

Ulf Harnhammar discovered that vim does not properly sanitise the “helptags_one()” function when running the “helptags” command. By tricking a user into running a crafted help file, a remote attacker could execute arbitrary code with the user’s privileges.

28 August 2007

USN-504-1: Emacs vulnerability

Hendrik Tews discovered that emacs21 did not correctly handle certain GIF images. By tricking a user into opening a specially crafted GIF, a remote attacker could cause emacs21 to crash, resulting in a denial of service.

28 August 2007

USN-502-1: KDE vulnerabilities

It was discovered that Konqueror could be tricked into displaying incorrect URLs. Remote attackers could exploit this to increase their chances of tricking a user into visiting a phishing URL, which could lead to credential theft.

26 August 2007

USN-503-1: Thunderbird vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could execute arbitrary code with the user’s privileges. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3844) Jesper…

25 August 2007

USN-501-1: jasper vulnerability

It was discovered that Jasper did not correctly handle corrupted JPEG2000 images. By tricking a user into opening a specially crafted JPG, a remote attacker could cause the application using libjasper to crash, resulting in a denial of service.

21 August 2007

USN-500-1: rsync vulnerability

Sebastian Krahmer discovered that rsync contained an off-by-one miscalculation when handling certain file paths. By creating a specially crafted tree of files and tricking an rsync server into processing them, a remote attacker could write a single NULL to stack memory, possibly leading to arbitrary code execution.

20 August 2007

USN-499-1: Apache vulnerabilities

Stefan Esser discovered that mod_status did not force a character set, which could result in browsers becoming vulnerable to XSS attacks when processing the output. If a user were tricked into viewing server status output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such…

17 August 2007

USN-498-1: libvorbis vulnerabilities

David Thiel discovered that libvorbis did not correctly verify the size of certain headers, and did not correctly clean up a broken stream. If a user were tricked into processing a specially crafted Vorbis stream, a remote attacker could execute arbitrary code with the user’s privileges.

16 August 2007

USN-497-1: xfce4-terminal vulnerability

Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly escape shell meta-characters during “Open Link” actions. If a remote attacker tricked a user into opening a specially crafted URI, they could execute arbitrary commands with the user’s privileges.

14 August 2007

USN-496-2: poppler vulnerability

USN-496-1 fixed a vulnerability in koffice. This update provides the corresponding updates for poppler, the library used for PDF handling in Gnome. Original advisory details: Derek Noonburg discovered an integer overflow in the Xpdf function StreamPredictor::StreamPredictor(). By importing a specially crafted PDF file into KWord, this could…

7 August 2007

USN-495-1: Qt vulnerability

Several format string vulnerabilities have been discovered in Qt warning messages. By causing an application to process specially crafted input data which triggered Qt warnings, this could be exploited to execute arbitrary code with the privilege of the user running the application.

3 August 2007

USN-496-1: koffice vulnerability

Derek Noonburg discovered an integer overflow in the Xpdf function StreamPredictor::StreamPredictor(). By importing a specially crafted PDF file into KWord, this could be exploited to run arbitrary code with the user’s privileges.

3 August 2007

USN-494-1: Gimp vulnerability

Sean Larsson discovered multiple integer overflows in Gimp. By tricking a user into opening a specially crafted DICOM, PNM, PSD, PSP, RAS, XBM, or XWD image, a remote attacker could exploit this to execute arbitrary code with the user’s privileges.

2 August 2007

USN-493-1: Firefox vulnerabilities

A flaw was discovered in handling of “about:blank” windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In…

1 August 2007

USN-492-1: tcpdump vulnerability

A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges.

31 July 2007

USN-491-1: Bind vulnerability

A flaw was discovered in Bind’s sequence number generator. A remote attacker could calculate future sequence numbers and send forged DNS query responses. This could lead to client connections being directed to attacker-controlled hosts, resulting in credential theft and other attacks.

25 July 2007

USN-490-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-3734, CVE-2007-3735) Flaws were discovered in the JavaScript methods addEventListener and setTimeout which could be used to inject script into…

20 July 2007

USN-486-1: Linux kernel vulnerabilities

The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges….

18 July 2007

USN-488-1: mod_perl vulnerability

Alex Solovey discovered that mod_perl did not correctly validate certain regular expression matches. A remote attacker could send a specially crafted request to a web application using mod_perl, causing the web server to monopolize CPU resources. This could lead to a remote denial of service.

18 July 2007

USN-487-1: Dovecot vulnerability

It was discovered that Dovecot, when configured to use non-system-user spools and compressed folders, would allow directory traversals in mailbox names. Remote authenticated users could potentially read email owned by other users.

17 July 2007

USN-485-1: PHP vulnerabilities

It was discovered that the PHP xmlrpc extension did not correctly check heap memory allocation sizes. A remote attacker could send a specially crafted request to a PHP application using xmlrpc and execute arbitrary code as the Apache user. (CVE-2007-1864) Stefan Esser discovered a flaw in the random number initialization of the PHP SOAP…

17 July 2007

USN-484-1: curl vulnerability

It was discovered that the GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates.

17 July 2007

USN-483-1: libnet-dns-perl vulnerabilities

Peter Johannes Holzer discovered that the Net::DNS Perl module had predictable sequence numbers. This could allow remote attackers to carry out DNS spoofing, leading to possible man-in-the-middle attacks. (CVE-2007-3377) Steffen Ullrich discovered that the Net::DNS Perl module did not correctly detect recursive compressed responses. A remote…

13 July 2007

USN-482-1: OpenOffice.org vulnerability

John Heasman discovered that OpenOffice did not correctly validate the sizes of tags in RTF documents. If a user were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges.

11 July 2007

USN-481-1: ImageMagick vulnerabilities

Multiple vulnerabilities were found in ImageMagick’s handling of DCM and WXD image files. By tricking a user into processing a specially crafted image with an application that uses imagemagick, an attacker could execute arbitrary code with the user’s privileges.

10 July 2007

USN-480-1: Gimp vulnerability

Stefan Cornelius discovered that Gimp could miscalculate the size of heap buffers when processing PSD images. By tricking a user into opening a specially crafted PSD file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

4 July 2007

USN-479-1: MadWifi vulnerabilities

Multiple flaws in the MadWifi driver were discovered that could lead to a system crash. A physically near-by attacker could generate specially crafted wireless network traffic and cause a denial of service. (CVE-2006-7177, CVE-2006-7178, CVE-2006-7179, CVE-2007-2829, CVE-2007-2830) A flaw was discovered in the MadWifi driver that would allow…

29 June 2007

USN-478-1: libexif vulnerability

Sean Larsson discovered that libexif did not correctly verify the size of EXIF components. By tricking a user into opening an image with specially crafted EXIF headers, a remote attacker could cause the application using libexif to execute arbitrary code with user privileges.

27 June 2007

USN-477-1: krb5 vulnerabilities

Wei Wang discovered that the krb5 RPC library did not correctly handle certain error conditions. A remote attacker could cause kadmind to free an uninitialized pointer, leading to a denial of service or possibly execution of arbitrary code with root privileges. (CVE-2007-2442) Wei Wang discovered that the krb5 RPC library did not correctly…

27 June 2007

USN-475-1: evolution-data-server vulnerability

Philip Van Hoof discovered that the IMAP client in Evolution did not correctly verify the SEQUENCE value. A malicious or spoofed server could exploit this to execute arbitrary code with user privileges.

21 June 2007

USN-474-1: xscreensaver vulnerability

It was discovered that xscreensaver did not correctly validate the return values from network authentication systems such as LDAP or NIS. A local attacker could bypass a locked screen if they were able to interrupt network connectivity.

12 June 2007

USN-473-1: libgd2 vulnerabilities

A buffer overflow was discovered in libgd2’s font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service. (CVE-2007-0455) Xavier Roche discovered that libgd2 did not correctly validate…

12 June 2007

USN-472-1: libpng vulnerability

It was discovered that libpng did not correctly handle corrupted CRC in grayscale PNG images. By tricking a user into opening a specially crafted PNG, a remote attacker could cause the application using libpng to crash, resulting in a denial of service.

12 June 2007

USN-471-1: libexif vulnerability

Victor Stinner discovered that libexif did not correctly validate the size of some EXIF header fields. By tricking a user into opening an image with specially crafted EXIF headers, a remote attacker could cause the application using libexif to crash, resulting in a denial of service.

11 June 2007

USN-439-2: file vulnerability

USN-439-1 fixed a vulnerability in file. The original fix did not fully solve the problem. This update provides a more complete solution. Original advisory details: Jean-Sebastien Guay-Leroux discovered that “file” did not correctly check the size of allocated heap memory. If a user were tricked into examining a specially crafted file with…

11 June 2007

USN-469-1: Thunderbird vulnerabilities

Gaëtan Leurent showed a weakness in APOP authentication. An attacker posing as a trusted server could recover portions of the user’s password via multiple authentication attempts. (CVE-2007-1558) Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could…

6 June 2007

USN-468-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-2867, CVE-2007-2868) A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker…

1 June 2007

USN-467-1: Gimp vulnerability

It was discovered that Gimp did not correctly handle RAS image format color tables. By tricking a user into opening a specially crafted RAS file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

31 May 2007

USN-466-1: freetype vulnerability

Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges.

30 May 2007

USN-464-1: Linux kernel vulnerabilities

Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel. (CVE-2007-1357) Gabriel Campana discovered that the do_ipv6_setsockopt() function did not sufficiently verifiy option values for…

24 May 2007

USN-463-1: vim vulnerability

Tomas Golembiovsky discovered that some vim commands were accidentally allowed in modelines. By tricking a user into opening a specially crafted file in vim, an attacker could execute arbitrary code with user privileges.

23 May 2007

USN-462-1: PHP vulnerabilities

A flaw was discovered in the FTP command handler in PHP. Commands were not correctly filtered for control characters. An attacker could issue arbitrary FTP commands using specially crafted arguments. (CVE-2007-2509) Ilia Alshanetsky discovered a buffer overflow in the SOAP request handler in PHP. Remote attackers could send a specially…

22 May 2007

USN-436-2: KTorrent vulnerability

USN-436-1 fixed a vulnerability in KTorrent. The original fix for path traversal was incomplete, allowing for alternate vectors of attack. This update solves the problem. Original advisory details: Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent…

18 May 2007

USN-461-1: Quagga vulnerability

It was discovered that Quagga did not correctly verify length information sent from configured peers. Remote malicious peers could send a specially crafted UPDATE message which would cause bgpd to abort, leading to a denial of service.

17 May 2007

USN-460-1: Samba vulnerabilities

Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. (CVE-2007-2444) Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker…

16 May 2007

USN-459-1: pptpd vulnerability

A flaw was discovered in the PPTP tunnel server. Remote attackers could send a specially crafted packet and disrupt established PPTP tunnels, leading to a denial of service.

14 May 2007

USN-458-1: MoinMoin vulnerabilities

A flaw was discovered in MoinMoin’s error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was hosted. (CVE-2007-2423) Flaws were…

8 May 2007

USN-457-1: elinks vulnerability

Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges.

7 May 2007

USN-454-1: PostgreSQL vulnerability

PostgreSQL did not handle the “search_path” configuration option in a secure way for functions declared as “SECURITY DEFINER”. Previously, an attacker could override functions and operators used by the security definer function to execute arbitrary SQL commands with the privileges of the user who created the security definer function. The…

27 April 2007

USN-455-1: PHP vulnerabilities

Stefan Esser discovered multiple vulnerabilities in the “Month of PHP bugs”. The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise unaccessible memory, which might lead to information disclosure. (CVE-2007-1375) The shared memory (shmop) functions did not verify resource…

27 April 2007

USN-453-2: rdesktop regression

USN-453-1 provided an updated libx11 package to fix a security vulnerability. This triggered an error in rdesktop so that it crashed on startup. This update fixes the problem.

26 April 2007

USN-453-1: X.org vulnerability

Multiple integer overflows were found in the XGetPixel function of libx11. If a user were tricked into opening a specially crafted XWD image, remote attackers could execute arbitrary code with user privileges.

18 April 2007

USN-452-1: KDE library vulnerability

The Qt library did not correctly handle truncated UTF8 strings, which could cause some applications to incorrectly filter malicious strings. If a Konqueror user were tricked into visiting a web site containing specially crafted strings, normal XSS prevention could be bypassed allowing a remote attacker to steal confidential data.

11 April 2007

USN-451-1: Linux kernel vulnerabilities

The kernel key management code did not correctly handle key reuse. A local attacker could create many key requests, leading to a denial of service. (CVE-2007-0006) The kernel NFS code did not correctly validate NFSACL2 ACCESS requests. If a system was serving NFS mounts, a remote attacker could send a specially crafted packet, leading to a…

11 April 2007

USN-450-1: ipsec-tools vulnerability

A flaw was discovered in the IPSec key exchange server “racoon”. Remote attackers could send a specially crafted packet and disrupt established IPSec tunnels, leading to a denial of service.

9 April 2007

USN-449-1: krb5 vulnerabilities

The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956) The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root…

4 April 2007

USN-448-1: X.org vulnerabilities

Sean Larsson of iDefense Labs discovered that the MISC-XC extension of Xorg did not correctly verify the size of allocated memory. An authenticated user could send a specially crafted X11 request and execute arbitrary code with root privileges. (CVE-2007-1003) Greg MacManus of iDefense Labs discovered that the BDF font handling code in Xorg…

3 April 2007

USN-447-1: KDE library vulnerabilities

It was discovered that Konqueror did not correctly handle iframes from JavaScript. If a user were tricked into visiting a malicious website, Konqueror could crash, resulting in a denial of service. (CVE-2007-1308) A flaw was discovered in how Konqueror handled PASV FTP responses. If a user were tricked into visiting a malicious FTP server, a…

29 March 2007

USN-446-1: NAS vulnerabilities

Luigi Auriemma discovered multiple flaws in the Network Audio System server. Remote attackers could send specially crafted network requests that could lead to a denial of service or execution of arbitrary code. Note that default Ubuntu installs do not include the NAS server.

28 March 2007

USN-445-1: XMMS vulnerabilities

Sven Krewitt of Secunia Research discovered that XMMS did not correctly handle BMP images when loading GUI skins. If a user were tricked into loading a specially crafted skin, a remote attacker could execute arbitrary code with user privileges.

27 March 2007

USN-444-1: OpenOffice.org vulnerabilities

A stack overflow was discovered in OpenOffice.org’s StarCalc parser. If a user were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. (CVE-2007-0238) A flaw was discovered in OpenOffice.org’s link handling code. If a user were tricked into clicking a link in a specially…

27 March 2007

USN-443-1: Firefox vulnerability

A flaw was discovered in how Firefox handled PASV FTP responses. If a user were tricked into visiting a malicious FTP server, a remote attacker could perform a port-scan of machines within the user’s network, leading to private information disclosure.

27 March 2007

USN-442-1: Evolution vulnerability

Ulf Harnhammar of Secunia Research discovered that Evolution did not correctly handle format strings when displaying shared memos. If a remote attacker tricked a user into viewing a specially crafted shared memo, they could execute arbitrary code with user privileges.

26 March 2007

USN-441-1: Squid vulnerability

A flaw was discovered in Squid’s handling of the TRACE request method which could lead to a crash. Remote attackers with access to the Squid server could send malicious TRACE requests, and cause a denial of service.

26 March 2007

USN-440-1: MySQL vulnerability

Stefan Streichbier and B. Mueller of SEC Consult discovered that MySQL subselect queries using “ORDER BY” could be made to crash the MySQL server. An attacker with access to a MySQL instance could cause an intermitant denial of service.

22 March 2007

USN-439-1: file vulnerability

Jean-Sebastien Guay-Leroux discovered that “file” did not correctly check the size of allocated heap memory. If a user were tricked into examining a specially crafted file with the “file” utility, a remote attacker could execute arbitrary code with user privileges.

22 March 2007

USN-438-1: Inkscape vulnerability

A flaw was discovered in Inkscape’s use of format strings. If a user were tricked into opening a specially crafted URI in Inkscape, a remote attacker could execute arbitrary code with user privileges.

21 March 2007

USN-437-1: libwpd vulnerability

Sean Larsson of iDefense Labs discovered that libwpd was vulnerable to integer overflows. If a user were tricked into opening a specially crafted WordPerfect document with an application that used libwpd, an attacker could execute arbitrary code with user privileges.

19 March 2007

USN-432-2: GnuPG2, GPGME vulnerability

USN-432-1 fixed a vulnerability in GnuPG. This update provides the corresponding updates for GnuPG2 and the GPGME library. Original advisory details: Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without –status-fd, there is no way to distinguish initial unsigned messages from a following signed…

13 March 2007

USN-436-1: KTorrent vulnerabilities

Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent by torrent peers. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges.

13 March 2007

USN-435-1: Xine vulnerability

Moritz Jodeit discovered that the DirectShow loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user’s privileges.

12 March 2007

USN-434-1: Ekiga vulnerability

It was discovered that Ekiga had format string vulnerabilities beyond those fixed in USN-426-1. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user’s privileges.

9 March 2007

USN-433-1: Xine vulnerability

Moritz Jodeit discovered that the DMO loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user’s privileges.

9 March 2007

USN-432-1: GnuPG vulnerability

Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without –status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender.

8 March 2007

USN-424-2: PHP regression

USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes were not included, which caused errors in the stream filters. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted…

8 March 2007

USN-431-1: Thunderbird vulnerabilities

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user’s privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify…

7 March 2007

USN-429-1: tcpdump vulnerability

Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service.

6 March 2007

USN-416-2: nvidia-glx-config regression

USN-416-1 fixed various vulnerabilities in the Linux kernel. Unfortunately that update caused the ‘nvidia-glx-config’ script to not work any more. The new version fixes the problem. We apologize for the inconvenience.

1 March 2007

USN-428-1: Firefox vulnerabilities

Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996) The SSLv2 protocol support…

1 March 2007

USN-427-1: enigmail vulnerability

Mikhail Markin reported that enigmail incorrectly handled memory allocations for certain large encrypted attachments. This caused Thunderbird to crash and thus caused the entire message to be inaccessible.

23 February 2007

USN-426-1: Ekiga vulnerabilities

Mu Security discovered a format string vulnerability in Ekiga. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user’s privileges.

22 February 2007

USN-425-1: slocate vulnerability

A flaw was discovered in the permission checking code of slocate. When reporting matching files, locate would not correctly respect the parent directory’s “read” bits. This could result in filenames being displayed when the file owner had expected them to remain hidden from other system users.

22 February 2007

USN-424-1: PHP vulnerabilities

Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted data with functions of the session or zip module, or various string functions, a remote attacker could exploit this to execute arbitrary code with the privileges of the web server. (CVE-2007-0906) The sapi_header_op() function had a…

22 February 2007

USN-423-1: MoinMoin vulnerabilities

A flaw was discovered in MoinMoin’s debug reporting sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was…

20 February 2007

USN-422-1: ImageMagick vulnerabilities

Vladimir Nadvornik discovered that the fix for CVE-2006-5456, released in USN-372-1, did not correctly solve the original flaw in PALM image handling. By tricking a user into processing a specially crafted image with an application that uses imagemagick, an attacker could execute arbitrary code with the user’s privileges.

15 February 2007

USN-417-3: PostgreSQL regression

USN-417-2 fixed a severe regression in the PostgreSQL server that was introduced in USN-417-1 and caused some valid queries to be aborted with a type error. This update fixes a similar (but much less prominent) error. At the same time, PostgreSQL is updated to version 8.1.8, which fixes a range of important bugs.

13 February 2007

USN-421-1: MoinMoin vulnerability

A flaw was discovered in MoinMoin’s page name sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin page, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was hosted.

10 February 2007

USN-416-1: Linux kernel vulnerabilities

Mark Dowd discovered that the netfilter iptables module did not correcly handle fragmented IPv6 packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has has already been fixed for Ubuntu 6.10 in USN-395-1; this is the corresponding fix for Ubuntu 6.06.(CVE-2006-4572) Doug Chapman…

10 February 2007

USN-417-2: PostgreSQL 8.1 regression

USN-417-1 fixed several vulnerabilities in the PostgreSQL server. Unfortunately this update had a regression that caused some valid queries to be aborted with a type error. This update corrects that problem. We apologize for the inconvenience.

7 February 2007

USN-420-1: KDE library vulnerability

Jose Avila III and Robert Tasarz discovered that the KDE HTML library did not correctly parse HTML comments inside the “title” tag. By tricking a Konqueror user into visiting a malicious website, an attacker could bypass cross-site scripting protections.

6 February 2007

USN-419-1: Samba vulnerabilities

A flaw was discovered in Samba’s file opening code, which in certain situations could lead to an endless loop, resulting in a denial of service. (CVE-2007-0452) A format string overflow was discovered in Samba’s ACL handling on AFS shares. Remote users with access to an AFS share could create crafted filenames and execute arbitrary code…

6 February 2007

USN-417-1: PostgreSQL vulnerabilities

Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. An authenticated attacker could exploit this to crash the database server or read out arbitrary locations in the server’s memory, which could allow retrieving database content the attacker should not be able to see….

6 February 2007

USN-418-1: Bind vulnerabilities

A flaw was discovered in Bind’s DNSSEC validation code. Remote attackers could send a specially crafted DNS query which would cause the Bind server to crash, resulting in a denial of service. Only servers configured to use DNSSEC extensions were vulnerable.

6 February 2007

USN-415-1: GTK vulnerability

A flaw was discovered in the error handling of GTK’s image loading library. Applications opening certain corrupted images could be made to crash, causing a denial of service.

1 February 2007

USN-414-1: Squid vulnerabilities

David Duncan Ross Palmer and Henrik Nordstrom discovered that squid incorrectly handled special characters in FTP URLs. Remote users with access to squid could crash the server leading to a denial of service. (CVE-2007-0247) Erick Dantas Rotole and Henrik Nordstrom discovered that squid could end up in an endless loop when exhausted of…

25 January 2007

USN-412-1: GeoIP vulnerability

Dean Gaudet discovered that the GeoIP update tool did not validate the filename responses from the update server. A malicious server, or man-in-the-middle system posing as a server, could write to arbitrary files with user privileges.

24 January 2007

USN-411-1: libsoup vulnerability

Roland Lezuo and Josselin Mouette discovered that the HTTP server code in libsoup did not correctly verify request headers. Remote attackers could crash applications using libsoup by sending a crafted HTTP request, resulting in a denial of service.

23 January 2007

USN-410-1: poppler vulnerability

The poppler PDF loader library did not limit the recursion depth of the page model tree. By tricking a user into opening a specially crafter PDF file, this could be exploited to trigger an infinite loop and eventually crash an application that uses this library. kpdf in Ubuntu 5.10, and KOffice in all Ubuntu releases contains a copy of this code…

19 January 2007

USN-409-1: ksirc vulnerability

Federico L. Bossi Bonin discovered a Denial of Service vulnerability in ksirc. By sending a special response packet, a malicious IRC server could crash ksirc.

16 January 2007

USN-408-1: krb5 vulnerability

The server-side portion of Kerberos’ RPC library had a memory management flaw which allowed users of that library to call a function pointer located in unallocated memory. By doing specially crafted calls to the kadmind server, a remote attacker could exploit this to execute arbitrary code with root privileges on the target computer.

16 January 2007

USN-407-1: libgtop2 vulnerability

Liu Qishuai discovered a buffer overflow in the /proc parsing routines in libgtop. By creating and running a process in a specially crafted long path and tricking an user into running gnome-system-monitor, an attacker could exploit this to execute arbitrary code with the user’s privileges.

15 January 2007

USN-405-1: fetchmail vulnerability

It was discovered that fetchmail did not correctly require TLS negotiation in certain situations. This would result in a user’s unencrypted password being sent across the network. If fetchmail has been configured to use the “sslproto tls1”, “sslcertck”, or “sslfingerprint” options with a server that does not correctly support TLS…

11 January 2007

USN-404-1: MadWifi vulnerability

Laurent Butti, Jerome Razniewski, and Julien Tinnes discovered that the MadWifi wireless driver did not correctly check packet contents when receiving scan replies. A remote attacker could send a specially crafted packet and execute arbitrary code with root privileges.

9 January 2007

USN-403-1: X.org vulnerabilities

The DBE and Render extensions in X.org were vulnerable to integer overflows, which could lead to memory overwrites. An authenticated user could make a specially crafted request and execute arbitrary code with root privileges.

9 January 2007

USN-402-1: Avahi vulnerability

A flaw was discovered in Avahi’s handling of compressed DNS packets. If a specially crafted reply were received over the network, the Avahi daemon would go into an infinite loop, causing a denial of service.

5 January 2007

USN-400-1: Thunderbird vulnerabilities

Georgi Guninski and David Bienvenu discovered that long Content-Type and RFC2047-encoded headers we vulnerable to heap overflows. By tricking the user into opening a specially crafted email, an attacker could execute arbitrary code with user privileges. (CVE-2006-6506) Various flaws have been reported that allow an attacker to execute…

5 January 2007

USN-401-1: D-Bus vulnerability

Kimmo Hämäläinen discovered that local users could delete other users’ D-Bus match rules. Applications would stop receiving D-Bus messages, resulting in a local denial of service, and potential data loss for applications that depended on D-Bus for storing information.

4 January 2007

USN-398-3: Firefox theme regression

USN-398-1 fixed vulnerabilities in Firefox. Due to the updated version, a flaw was uncovered in the Firefox Themes bundle, which erroneously reported to be incompatible with the updated Firefox. This update fixes the problem. We apologize for the inconvenience.

4 January 2007

USN-399-1: w3m vulnerabilities

A format string vulnerability was discovered in w3m. If a user were tricked into visiting an HTTPS URL protected by a specially crafted SSL certificate, an attacker could execute arbitrary code with user privileges.

3 January 2007

USN-398-1: Firefox vulnerabilities

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page containing JavaScript or SVG. (CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502, CVE-2006-6504) Various flaws have been reported that allow an attacker to bypass…

3 January 2007

USN-397-1: mono vulnerability

Jose Ramon Palanco discovered that the mono System.Web class did not consistently verify local file paths. As a result, the source code for mono web applications could be retrieved remotely, possibly leading to further compromise via the application’s source.

20 December 2006

USN-396-1: gdm vulnerability

A format string vulnerability was discovered in the gdmchooser component of the GNOME Display Manager. By typing a specially crafted host name, local users could gain gdm user privileges, which could lead to further account information exposure.

14 December 2006

USN-380-2: avahi regression

USN-380-1 fixed a vulnerability in Avahi. However, if used with Network manager, that version occasionally failed to resolve .local DNS names until Avahi got restarted. This update fixes the problem. We apologize for the inconvenience.

14 December 2006

USN-395-1: Linux kernel vulnerabilities

Mark Dowd discovered that the netfilter iptables module did not correcly handle fragmented packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has only be fixed for Ubuntu 6.10; the corresponding fix for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572) Dmitriy Monakhov…

14 December 2006

USN-394-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly quote the boundary of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

8 December 2006

USN-393-2: GnuPG2 vulnerabilities

USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. Original advisory details: A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user’s privileges. …

7 December 2006

USN-393-1: GnuPG vulnerability

Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user’s privileges.

7 December 2006

USN-390-3: evince-gtk vulnerability

USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk. Original advisory details: A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with…

7 December 2006

USN-390-2: evince vulnerability

USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations. Original advisory details: A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could…

6 December 2006

USN-392-1: xine-lib vulnerability

A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user’s privileges.

4 December 2006

USN-391-1: libgsf vulnerability

A heap overflow was discovered in the OLE processing code in libgsf. If a user were tricked into opening a specially crafted OLE document, an attacker could execute arbitrary code with the user’s privileges.

4 December 2006

USN-390-1: evince vulnerability

A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user’s privileges.

30 November 2006

USN-389-1: GnuPG vulnerability

A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user’s privileges. This vulnerability is not exposed when running gpg in batch mode.

29 November 2006

USN-387-1: Dovecot vulnerability

Dovecot was discovered to have an error when handling its index cache files. This error could be exploited by authenticated POP and IMAP users to cause a crash of the Dovecot server, or possibly to execute arbitrary code. Only servers using the non-default option “mmap_disable=yes” were vulnerable.

28 November 2006

USN-385-1: tar vulnerability

Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.

27 November 2006

USN-382-1: Thunderbird vulnerabilities

USN-352-1 fixed a flaw in the verification of PKCS certificate signatures. Ulrich Kuehn discovered a variant of the original attack which the original fix did not cover. (CVE-2006-5462) Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email…

21 November 2006

USN-384-1: OpenLDAP vulnerability

Evgeny Legerov discovered that the OpenLDAP libraries did not correctly truncate authcid names. This situation would trigger an assert and abort the program using the libraries. A remote attacker could send specially crafted bind requests that would lead to an LDAP server denial of service.

21 November 2006

USN-383-1: libpng vulnerability

Tavis Ormandy discovered that libpng did not correctly calculate the size of sPLT structures when reading an image. By tricking a user or an automated system into processing a specially crafted PNG file, an attacker could exploit this weakness to crash the application using the library.

17 November 2006

USN-380-1: Avahi vulnerability

Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.

11 November 2006

USN-379-1: texinfo vulnerability

Miloslav Trmac discovered a buffer overflow in texinfo’s index processor. If a user is tricked into processing a .texi file with texindex, this could lead to arbitrary code execution with user privileges.

9 November 2006

USN-376-2: imlib2 regression fix

USN-376-1 provided an update to imlib2 to fix several security vulnerabilities. Unfortunately the update broke JPG file handling in certain situations. This update corrects this problem. We apologize for the inconvenience.

6 November 2006

USN-378-1: RPM vulnerability

An error was found in the RPM library’s handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user’s privileges.

4 November 2006

USN-377-1: NVIDIA vulnerability

Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.

4 November 2006

USN-376-1: imlib2 vulnerabilities

M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user’s privileges.

3 November 2006

USN-375-1: PHP vulnerability

Stefan Esser discovered two buffer overflows in the htmlentities() and htmlspecialchars() functions. By supplying specially crafted input to PHP applications which process that input with these functions, a remote attacker could potentially exploit this to execute arbitrary code with the privileges of the application. (CVE-2006-5465) This update…

3 November 2006

USN-372-1: imagemagick vulnerability

M. Joonas Pihlaja discovered that ImageMagick did not sufficiently verify the validity of PALM and DCM images. When processing a specially crafted image with an application that uses imagemagick, this could be exploited to execute arbitrary code with the application’s privileges.

1 November 2006

USN-369-2: postgresql-8.1 vulnerabilities

USN-369-1 fixed three minor PostgreSQL 8.1 vulnerabilities for Ubuntu 6.06 LTS. This update provides the corresponding update for Ubuntu 6.10. Original advisory details: Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker…

1 November 2006

USN-374-1: wvWare vulnerability

An integer overflow was discovered in the DOC file parser of the wv library. By tricking a user into opening a specially crafted MSWord (.DOC) file, remote attackers could execute arbitrary code with the user’s privileges.

1 November 2006

USN-373-1: mutt vulnerabilities

Race conditions were discovered in mutt’s handling of temporary files. Under certain conditions when using a shared temp directory (the default), other local users could overwrite arbitrary files owned by the user running mutt. This vulnerability is more likely when the temp directory is over NFS.

1 November 2006

USN-371-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly check for the end of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

1 November 2006

USN-370-1: screen vulnerability

cstone and Rich Felker discovered a programming error in the UTF8 string handling code of “screen” leading to a denial of service. If a crafted string was displayed within a screen session, screen would crash or possibly execute arbitrary code.

1 November 2006