USNs for ubuntu 7.04

USN-656-1: CUPS vulnerabilities

It was discovered that the SGI image filter in CUPS did not perform proper bounds checking. If a user or automated system were tricked into opening a crafted SGI image, an attacker could cause a denial of service. (CVE-2008-3639) It was discovered that the texttops filter in CUPS did not properly validate page metrics. If a user or automated…

15 October 2008

USN-655-1: exiv2 vulnerabilities

Meder Kydyraliev discovered that exiv2 did not correctly handle certain EXIF headers. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexiv2 to crash, leading to a denial of service, or possibly executing arbitrary code with user privileges….

15 October 2008

USN-654-1: libexif vulnerabilities

Meder Kydyraliev discovered that libexif did not correctly handle certain EXIF headers. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexif to crash, leading to a denial of service, or possibly executing arbitrary code with user privileges.

14 October 2008

USN-653-1: D-Bus vulnerabilities

Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. If a local user sent a specially crafted D-Bus request, they could bypass security policies that had a “send_interface” defined. (CVE-2008-0595) It was discovered that the D-Bus library did not correctly validate certain corrupted signatures. …

14 October 2008

USN-651-1: Ruby vulnerabilities

Akira Tagoh discovered a vulnerability in Ruby which lead to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2376) Laurent Gaffie discovered that Ruby did…

10 October 2008

USN-650-1: cpio vulnerability

A buffer overflow was discovered in cpio. If a user were tricked into opening a crafted cpio archive, an attacker could cause a denial of service via application crash, or possibly execute code with the privileges of the user invoking the program. (CVE-2007-4476)

2 October 2008

USN-649-1: OpenSSH vulnerabilities

It was discovered that the ForceCommand directive could be bypassed. If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10. (CVE-2008-1657) USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote…

1 October 2008

USN-647-1: Thunderbird vulnerabilities

It was discovered that the same-origin check in Thunderbird could be bypassed. If a user had JavaScript enabled and were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835) Several problems were discovered in the browser engine of Thunderbird. If a user had…

26 September 2008

USN-645-1: Firefox and xulrunner vulnerabilities

Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016) It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into…

24 September 2008

USN-646-1: rdesktop vulnerabilities

It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered…

18 September 2008

USN-644-1: libxml2 vulnerabilities

It was discovered that libxml2 did not correctly handle long entity names. If a user were tricked into processing a specially crafted XML document, a remote attacker could execute arbitrary code with user privileges or cause the application linked against libxml2 to crash, leading to a denial of service. (CVE-2008-3529) USN-640-1 fixed…

11 September 2008

USN-643-1: FreeType vulnerabilities

Multiple flaws were discovered in the PFB and TTF font handling code in freetype. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges or cause the application linked against freetype to crash, leading to a denial of service.

11 September 2008

USN-641-1: Racoon vulnerabilities

It was discovered that there were multiple ways to leak memory during the IKE negotiation when handling certain packets. If a remote attacker sent repeated malicious requests, the “racoon” key exchange server could allocate large amounts of memory, possibly leading to a denial of service.

8 September 2008

USN-640-1: libxml2 vulnerability

Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system’s CPU resources, leading to a denial of service.

3 September 2008

USN-639-1: tiff vulnerability

Drew Yao discovered that the TIFF library did not correctly validate LZW compressed TIFF images. If a user or automated system were tricked into processing a malicious image, a remote attacker could execute arbitrary code or cause an application linked against libtiff to crash, leading to a denial of service.

2 September 2008

USN-637-1: Linux kernel vulnerabilities

It was discovered that there were multiple NULL-pointer function dereferences in the Linux kernel terminal handling code. A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service. (CVE-2008-2812) The do_change_type routine did not correctly validation administrative users. A local…

25 August 2008

USN-636-1: Postfix vulnerability

Sebastian Krahmer discovered that Postfix was not correctly handling mailbox ownership when dealing with Linux’s implementation of hardlinking to symlinks. In certain mail spool configurations, a local attacker could exploit this to append data to arbitrary files as the root user. The default Ubuntu configuration was not vulnerable.

19 August 2008

USN-635-1: xine-lib vulnerabilities

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073) Luigi Auriemma discovered that xine-lib did not properly check buffer…

6 August 2008

USN-633-1: libxslt vulnerabilities

It was discovered that long transformation matches in libxslt could overflow. If an attacker were able to make an application linked against libxslt process malicious XSL style sheet input, they could execute arbitrary code with user privileges or cause the application to crash, leading to a denial of serivce. (CVE-2008-1767) Chris Evans…

1 August 2008

USN-632-1: Python vulnerabilities

It was discovered that there were new integer overflows in the imageop module. If an attacker were able to trick a Python application into processing a specially crafted image, they could execute arbitrary code with user privileges. (CVE-2008-1679) Justin Ferguson discovered that the zlib module did not correctly handle certain archives. If an…

1 August 2008

USN-634-1: OpenLDAP vulnerability

Cameron Hotchkies discovered that OpenLDAP did not correctly handle certain ASN.1 BER data. A remote attacker could send a specially crafted packet and crash slapd, leading to a denial of service.

1 August 2008

USN-629-1: Thunderbird vulnerabilities

Various flaws were discovered in the browser engine. If a user had Javascript enabled and were tricked into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799) It was discovered that…

25 July 2008

USN-628-1: PHP vulnerabilities

It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and…

23 July 2008

USN-623-1: Firefox vulnerabilities

A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785) Billy Rios discovered that…

17 July 2008

USN-625-1: Linux kernel vulnerabilities

Dirk Nehring discovered that the IPsec protocol stack did not correctly handle fragmented ESP packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2007-6282) Johannes Bauer discovered that the 64bit kernel did not correctly handle hrtimer updates. A local attacker could request a large expiration…

15 July 2008

USN-624-1: PCRE vulnerability

Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause applications linked against pcre3 to crash, leading to a denial of service.

15 July 2008

USN-622-1: Bind vulnerability

Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic.

8 July 2008

USN-619-1: Firefox vulnerabilities

Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799) Several problems were discovered in the JavaScript…

2 July 2008

USN-617-2: Samba regression

USN-617-1 fixed vulnerabilities in Samba. The upstream patch introduced a regression where under certain circumstances accessing large files might cause the client to report an invalid packet length error. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Samba developers discovered that nmbd could…

30 June 2008

USN-621-1: Ruby vulnerabilities

Drew Yao discovered several vulnerabilities in Ruby which lead to integer overflows. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2662, CVE-2008-2663, CVE-2008-2725,…

26 June 2008

USN-618-1: Linux kernel vulnerabilities

It was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could…

19 June 2008

USN-612-11: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation and introduced openssl-blacklist to aid in detecting vulnerable certificates and keys. This update adds RSA-4096 blacklists to the openssl-blacklist-extra package and adjusts openssl-vulnkey to properly handle RSA-4096 and higher moduli. Original advisory details: A…

18 June 2008

USN-617-1: Samba vulnerabilities

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered…

17 June 2008

USN-616-1: X.org vulnerabilities

Multiple flaws were found in the RENDER, RECORD, and Security extensions of X.org which did not correctly validate function arguments. An authenticated attacker could send specially crafted requests and gain root privileges or crash X. (CVE-2008-1377, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362) It was discovered that the MIT-SHM extension of…

13 June 2008

USN-612-10: OpenVPN regression

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS with password protected certificates which caused OpenVPN to not start when used with applications such as NetworkManager. Original advisory…

12 June 2008

USN-612-9: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check Certificate Signing Requests, accept input from STDIN, and check moduli without a certificate. It was also discovered that…

12 June 2008

USN-615-1: Evolution vulnerabilities

Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or possibly execute code with user privileges. Note that the ITip Formatter…

6 June 2008

USN-612-8: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check X.509 certificates as well, and provides the corresponding update for Ubuntu 6.06. While the OpenSSL in Ubuntu 6.06 was not…

21 May 2008

USN-613-1: GnuTLS vulnerabilities

Multiple flaws were discovered in the connection handling of GnuTLS. A remote attacker could exploit this to crash applications linked against GnuTLS, or possibly execute arbitrary code with permissions of the application’s user.

21 May 2008

USN-612-6: OpenVPN regression

USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS, multi-client/server mode, and specifying a user or group which caused OpenVPN to not start when using valid SSL certificates. It was also…

14 May 2008

USN-612-5: OpenSSH update

Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as “no-port-forwarding” or forced commands) were ignored by the new ssh-vulnkey tool introduced in OpenSSH (see USN-612-2). This could cause some compromised keys not to be listed in ssh-vulnkey’s output. This update also adds more information to ssh-vulnkey’s…

14 May 2008

USN-612-4: ssl-cert vulnerability

USN-612-1 fixed vulnerabilities in openssl. This update provides the corresponding updates for ssl-cert – potentially compromised snake-oil SSL certificates will be regenerated. Original advisory details: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this …

14 May 2008

USN-612-3: OpenVPN vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-612-2: OpenSSH vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-612-1: OpenSSL vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-611-3: GStreamer Good Plugins vulnerability

USN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for GStreamer Good Plugins. Original advisory details: It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker…

8 May 2008

USN-611-2: vorbis-tools vulnerability

USN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for ogg123, part of vorbis-tools. Original advisory details: It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an…

8 May 2008

USN-611-1: Speex vulnerability

It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program.

8 May 2008

USN-610-1: LTSP vulnerability

Christian Herzog discovered that it was possible to connect to any LTSP client’s X session over the network. A remote attacker could eavesdrop on X events, read window contents, and record keystrokes, possibly gaining access to private information.

6 May 2008

USN-609-1: OpenOffice.org vulnerabilities

It was discovered that arbitrary Java methods were not filtered out when opening databases in OpenOffice.org. If a user were tricked into running a specially crafted query, a remote attacker could execute arbitrary Java with user privileges. (CVE-2007-4575) Multiple memory overflow flaws were discovered in OpenOffice.org’s handling of Quattro…

6 May 2008

USN-605-1: Thunderbird vulnerabilities

Various flaws were discovered in the JavaScript engine. If a user had JavaScript enabled and were tricked into opening a malicious email, an attacker could escalate privileges within Thunderbird, perform cross-site scripting attacks and/or execute arbitrary code with the user’s privileges. (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235) Several…

6 May 2008

USN-608-1: KDE vulnerability

It was discovered that start_kdeinit in KDE 3 did not properly sanitize its input. A local attacker could exploit this to send signals to other processes and cause a denial of service or possibly execute arbitrary code. (CVE-2008-1671)

6 May 2008

USN-607-1: Emacs vulnerabilities

It was discovered that Emacs did not account for precision when formatting integers. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service or possibly other unspecified actions. This issue does not affect Ubuntu 8.04. (CVE-2007-6109) Steve Grubb discovered that the vcdiff script as included in…

6 May 2008

USN-606-1: CUPS vulnerability

Thomas Pollet discovered that CUPS did not properly validate the size of PNG images. A local attacker, and a remote attacker if printer sharing is enabled, could send a crafted file and cause a denial of service or possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS and 7.04. In Ubuntu 7.10, attackers would be isolated by the…

5 May 2008

USN-602-1: Firefox vulnerabilities

Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user’s privileges. (CVE-2008-1380)

22 April 2008

USN-604-1: Gnumeric vulnerability

Thilo Pfennig and Morten Welinder discovered that the XLS spreadsheet handling code in Gnumeric did not correctly calculate needed memory sizes. If a user or automated system were tricked into loading a specially crafted XLS document, a remote attacker could execute arbitrary code with user privileges.

22 April 2008

USN-603-2: KOffice vulnerability

USN-603-1 fixed vulnerabilities in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote…

17 April 2008

USN-603-1: poppler vulnerability

It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote attacker could execute arbitrary code with user privileges.

17 April 2008

USN-601-1: Squid vulnerability

It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect upstream fix for CVE-2007-6239. (CVE-2008-1612)

14 April 2008

USN-600-1: rsync vulnerability

Sebastian Krahmer discovered that rsync could overflow when handling ACLs. An attacker could construct a malicious set of files that when processed by rsync could lead to arbitrary code execution or a crash.

11 April 2008

USN-599-1: Ghostscript vulnerability

Chris Evans discovered that Ghostscript contained a buffer overflow in its color space handling code. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2008-0411)

9 April 2008

USN-598-1: CUPS vulnerabilities

It was discovered that the CUPS administration interface contained a heap- based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the…

2 April 2008

USN-597-1: OpenSSH vulnerability

Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards.

1 April 2008

USN-596-1: Ruby vulnerabilities

Chris Clark discovered that Ruby’s HTTPS module did not check for commonName mismatches early enough during SSL negotiation. If a remote attacker were able to perform man-in-the-middle attacks, this flaw could be exploited to view sensitive information in HTTPS requests coming from Ruby applications. (CVE-2007-5162) It was discovered that Ruby’s…

26 March 2008

USN-595-1: SDL_image vulnerabilities

Michael Skladnikiewicz discovered that SDL_image did not correctly load GIF images. If a user or automated system were tricked into processing a specially crafted GIF, a remote attacker could execute arbitrary code or cause a crash, leading to a denial of service. (CVE-2007-6697) David Raulo discovered that SDL_image did not correctly load ILBM…

26 March 2008

USN-593-1: Dovecot vulnerabilities

It was discovered that the default configuration of dovecot could allow access to any email files with group “mail” without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user’s email. (CVE-2008-1199) By default, dovecot passed special characters to…

26 March 2008

USN-592-1: Firefox vulnerabilities

Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu discovered flaws in Firefox’s character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Various flaws were discovered in the JavaScript engine. By tricking a user into opening a malicious web…

26 March 2008

USN-591-1: libicu vulnerabilities

Will Drewry discovered that libicu did not properly handle ‘\0’ when processing regular expressions. If an application linked against libicu processed a crafted regular expression, an attacker could execute arbitrary code with privileges of the user invoking the program. (CVE-2007-4770) Will Drewry discovered that libicu did not properly limit…

24 March 2008

USN-590-1: bzip2 vulnerability

It was discovered that bzip2 did not correctly handle certain malformed archives. If a user or automated system were tricked into processing a specially crafted bzip2 archive, applications linked against libbz2 could be made to crash, possibly leading to a denial of service.

24 March 2008

USN-589-1: unzip vulnerability

Tavis Ormandy discovered that unzip did not correctly clean up pointers. If a user or automated service was tricked into processing a specially crafted ZIP archive, a remote attacker could execute arbitrary code with user privileges.

20 March 2008

USN-588-1: MySQL vulnerabilities

Masaaki Hirose discovered that MySQL could be made to dereference a NULL pointer. An authenticated user could cause a denial of service (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232) Alexander Nozdrin discovered that MySQL did not restore database…

19 March 2008

USN-587-1: Kerberos vulnerabilities

It was discovered that krb5 did not correctly handle certain krb4 requests. An unauthenticated remote attacker could exploit this flaw by sending a specially crafted traffic, which could expose sensitive information, cause a crash, or execute arbitrary code. (CVE-2008-0062, CVE-2008-0063) A flaw was discovered in the kadmind service’s handling…

19 March 2008

USN-586-1: mailman vulnerability

Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.

15 March 2008

USN-585-1: Python vulnerabilities

Piotr Engelking discovered that strxfrm in Python was not correctly calculating the size of the destination buffer. This could lead to small information leaks, which might be used by attackers to gain additional knowledge about the state of a running Python script. (CVE-2007-2052) A flaw was discovered in the Python imageop module. If a script…

11 March 2008

USN-582-2: Thunderbird regression

USN-582-1 fixed several vulnerabilities in Thunderbird. The upstream fixes were incomplete, and after performing certain actions Thunderbird would crash due to memory errors. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Thunderbird did not properly set the size of a …

6 March 2008

USN-584-1: OpenLDAP vulnerabilities

Jonathan Clarke discovered that the OpenLDAP slapd server did not properly handle modify requests when using the Berkeley DB backend and specifying the NOOP control. An authenticated user with modify permissions could send a crafted modify request and cause a denial of service via application crash. Ubuntu 7.10 is not affected by this issue….

5 March 2008

USN-583-1: Evolution vulnerability

Ulf Harnhammar discovered that Evolution did not correctly handle format strings when processing encrypted emails. A remote attacker could exploit this by sending a specially crafted email, resulting in arbitrary code execution.

5 March 2008

USN-582-1: Thunderbird vulnerabilities

It was discovered that Thunderbird did not properly set the size of a buffer when parsing an external-body MIME-type. If a user were to open a specially crafted email, an attacker could cause a denial of service via application crash or possibly execute arbitrary code as the user. (CVE-2008-0304) Various flaws were discovered in Thunderbird and…

29 February 2008

USN-581-1: PCRE vulnerability

It was discovered that PCRE did not correctly handle very long strings containing UTF8 sequences. In certain situations, an attacker could exploit applications linked against PCRE by tricking a user or automated system in processing a malicious regular expression leading to a denial of service or possibly arbitrary code execution.

21 February 2008

USN-580-1: libcdio vulnerability

Devon Miller discovered that the iso-info and cd-info tools did not properly perform bounds checking. If a user were tricked into using these tools with a crafted iso image, an attacker could cause a denial of service (core dump) and possibly execute arbitrary code.

20 February 2008

USN-577-1: Linux kernel vulnerability

Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600)

12 February 2008

USN-576-1: Firefox vulnerabilities

Various flaws were discovered in the browser and JavaScript engine. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2008-0412, CVE-2008-0413) Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user’s…

8 February 2008

USN-575-1: Apache vulnerabilities

It was discovered that Apache did not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a…

4 February 2008

USN-574-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal…

4 February 2008

USN-573-1: PulseAudio vulnerability

It was discovered that PulseAudio did not properly drop privileges when running as a daemon. Local users may be able to exploit this and gain privileges. The default Ubuntu configuration is not affected.

31 January 2008

USN-571-2: X.org regression

USN-571-1 fixed vulnerabilities in X.org. The upstream fixes were incomplete, and under certain situations, applications using the MIT-SHM extension (e.g. Java, wxWidgets) would crash with BadAlloc X errors. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple overflows were discovered in the…

19 January 2008

USN-572-1: apt-listchanges vulnerability

Felipe Sateler discovered that apt-listchanges did not use safe paths when importing additional Python libraries. A local attacker could exploit this and execute arbitrary commands as the user running apt-listchanges.

18 January 2008

USN-571-1: X.org vulnerabilities

Multiple overflows were discovered in the XFree86-Misc, XInput-Misc, TOG-CUP, EVI, and MIT-SHM extensions which did not correctly validate function arguments. An authenticated attacker could send specially crafted requests and gain root privileges. (CVE-2007-5760, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429) It was discovered that the X.org…

18 January 2008

USN-570-1: boost vulnerabilities

Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.

16 January 2008

USN-569-1: libxml2 vulnerability

Brad Fitzpatrick discovered that libxml2 did not correctly handle certain UTF-8 sequences. If a remote attacker were able to trick a user or automated system into processing a specially crafted XML document, the application linked against libxml2 could enter an infinite loop, leading to a denial of service via CPU resource consumption.

14 January 2008

USN-568-1: PostgreSQL vulnerabilities

Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. An authenticated user could exploit this flaw to access arbitrary accounts and execute arbitrary SQL queries. (CVE-2007-3278, CVE-2007-6601) It was discovered that the TCL regular expression parser used by PostgreSQL did not properly check its input. An…

14 January 2008

USN-567-1: Dovecot vulnerability

It was discovered that in very rare configurations using LDAP, Dovecot may reuse cached connections for users with the same password. As a result, a user may be able to login as another if the connection is reused. The default Ubuntu configuration of Dovecot was not vulnerable.

10 January 2008

USN-566-1: OpenSSH vulnerability

Jan Pechanec discovered that ssh would forward trusted X11 cookies when untrusted cookie generation failed. This could lead to unintended privileges being forwarded to a remote host.

9 January 2008

USN-565-1: Squid vulnerability

It was discovered that Squid did not always clean up cache memory correctly. A remote attacker could manipulate cache update replies and cause Squid to use all available memory, leading to a denial of service.

9 January 2008

USN-564-1: Net-SNMP vulnerability

Bill Trost discovered that snmpd did not properly limit GETBULK requests. A remote attacker could specify a large number of max-repetitions and cause a denial of service via resource exhaustion.

9 January 2008

USN-563-1: CUPS vulnerabilities

Wei Wang discovered that the SNMP discovery backend did not correctly calculate the length of strings. If a user were tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code. Elias Pipping discovered that temporary files were not handled safely in certain situations when…

9 January 2008

USN-562-1: opal vulnerability

Jose Miguel Esparza discovered that certain SIP headers were not correctly validated. A remote attacker could send a specially crafted packet to an application linked against opal (e.g. Ekiga) causing it to crash, leading to a denial of service.

8 January 2008

USN-561-1: pwlib vulnerability

Jose Miguel Esparza discovered that pwlib did not correctly handle large string lengths. A remote attacker could send specially crafted packets to applications linked against pwlib (e.g. Ekiga) causing them to crash, leading to a denial of service.

8 January 2008

USN-560-1: Tomboy vulnerability

Jan Oravec discovered that Tomboy did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program.

7 January 2008

USN-559-1: MySQL vulnerabilities

Joe Gallo and Artem Russakovskii discovered that the InnoDB engine in MySQL did not properly perform input validation. An authenticated user could use a crafted CONTAINS statement to cause a denial of service. (CVE-2007-5925) It was discovered that under certain conditions MySQL could be made to overwrite system table information. An…

21 December 2007

USN-558-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Certain calculations in the hugetlb code were not correct. A…

19 December 2007

USN-557-1: GD library vulnerability

Mattias Bengtsson and Philip Olausson discovered that the GD library did not properly perform bounds checking when creating images. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code.

18 December 2007

USN-556-1: Samba vulnerability

Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in…

18 December 2007

USN-550-3: Cairo regression

USN-550-1 fixed vulnerabilities in Cairo. A bug in font glyph rendering was uncovered as a result of the new memory allocation routines. In certain situations, fonts containing characters with no width or height would not render any more. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Peter…

13 December 2007

USN-550-2: Cairo regression

USN-550-1 fixed vulnerabilities in Cairo. The upstream fixes were incomplete, and under certain situations, applications using Cairo would crash with a floating point error. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Peter Valchev discovered that Cairo did not correctly decode PNG image…

10 December 2007

USN-555-1: e2fsprogs vulnerability

Rafal Wojtczuk discovered multiple integer overflows in e2fsprogs. If a user or automated system were tricked into fscking a malicious ext2/ext3 filesystem, a remote attacker could execute arbitrary code with the user’s privileges.

8 December 2007

USN-554-1: teTeX and TeX Live vulnerabilities

Bastien Roucaries discovered that dvips as included in tetex-bin and texlive-bin did not properly perform bounds checking. If a user or automated system were tricked into processing a specially crafted dvi file, dvips could be made to crash and execute code as the user invoking the program. (CVE-2007-5935) Joachim Schrod discovered that the…

6 December 2007

USN-553-1: Mono vulnerability

It was discovered that Mono did not correctly bounds check certain BigInteger actions. Remote attackers could exploit this to crash a Mono application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-552-1: Perl vulnerability

It was discovered that Perl’s regular expression library did not correctly handle certain UTF sequences. If a user or automated system were tricked into running a specially crafted regular expression, a remote attacker could crash the application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-546-2: Firefox regression

USN-546-1 fixed vulnerabilities in Firefox. The upstream update included a faulty patch which caused the drawImage method of the canvas element to fail. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:“…

4 December 2007

USN-551-1: OpenLDAP vulnerabilities

Thomas Sesselmann discovered that the OpenLDAP slapd server did not properly handle certain modify requests. A remote attacker could send malicious modify requests to the server and cause a denial of service. (CVE-2007-5707) Toby Blake discovered that slapd did not properly terminate an array while running as a proxy-caching server. A…

4 December 2007

USN-550-1: Cairo vulnerability

Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with user privileges.

3 December 2007

USN-549-1: PHP vulnerabilities

It was discovered that the wordwrap function did not correctly check lengths. Remote attackers could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-3998) Integer overflows were discovered in the strspn and strcspn functions. Attackers could exploit this to read arbitrary areas of memory,…

29 November 2007

USN-547-1: PCRE vulnerabilities

Tavis Ormandy and Will Drewry discovered multiple flaws in the regular expression handling of PCRE. By tricking a user or service into running specially crafted expressions via applications linked against libpcre3, a remote attacker could crash the application, monopolize CPU resources, or possibly execute arbitrary code with the application’s…

27 November 2007

USN-546-1: Firefox vulnerabilities

It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:” contents. A malicious web site could exploit this to modify or steal confidential data (such as passwords) from other web sites. (CVE-2007-5947) Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a…

26 November 2007

USN-544-2: Samba regression

USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these…

16 November 2007

USN-544-1: Samba vulnerabilities

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered…

16 November 2007

USN-543-1: VMWare vulnerabilities

Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server did not correctly handle certain packet structures. Remote attackers could send specially crafted packets and gain root privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063) Rafal Wojtczvk discovered multiple memory corruption issues in VMWare Player. Attackers with…

15 November 2007

USN-542-2: KOffice vulnerabilities

USN-542-1 fixed a vulnerability in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly…

15 November 2007

USN-542-1: poppler vulnerabilities

Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the user’s privileges in applications linked against poppler.

14 November 2007

USN-540-1: flac vulnerability

Sean de Regge discovered that flac did not properly perform bounds checking in many situations. An attacker could send a specially crafted FLAC audio file and execute arbitrary code as the user or cause a denial of service in flac or applications that link against flac.

13 November 2007

USN-539-1: CUPS vulnerability

Alin Rad Pop discovered that CUPS did not correctly validate buffer lengths when processing IPP tags. Remote attackers successfully exploiting this vulnerability would gain access to the non-root CUPS user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.

6 November 2007

USN-538-1: libpng vulnerabilities

It was discovered that libpng did not properly perform bounds checking and comparisons in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng.

25 October 2007

USN-531-2: dhcp vulnerability

USN-531-1 fixed vulnerabilities in dhcp. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes the problem. Original advisory details: Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send …

23 October 2007

USN-536-1: Thunderbird vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5339, CVE-2007-5340) Flaws were discovered in the file upload form control. By tricking a user into opening a malicious web page, an attacker could…

23 October 2007

USN-535-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5336, CVE-2007-5339, CVE-2007-5340) Michal Zalewski discovered that the onUnload event handlers were incorrectly able to access information outside…

22 October 2007

USN-501-2: Ghostscript vulnerability

USN-501-1 fixed vulnerabilities in Jasper. This update provides the corresponding update for the Jasper internal to Ghostscript. Original advisory details: It was discovered that Jasper did not correctly handle corrupted JPEG2000 images. By tricking a user into opening a specially crafted JPG, a remote attacker could cause the application…

22 October 2007

USN-534-1: OpenSSL vulnerability

Andy Polyakov discovered that the DTLS implementation in OpenSSL was vulnerable. A remote attacker could send a specially crafted connection request to services using DTLS and execute arbitrary code with the service’s privileges. There are no known Ubuntu applications that are currently using DTLS.

22 October 2007

USN-533-1: util-linux vulnerability

Ludwig Nussel discovered that mount and umount did not properly drop privileges when using helper programs. Local attackers may be able to bypass security restrictions and gain root privileges using programs such as mount.nfs or mount.cifs.

22 October 2007

USN-531-1: dhcp vulnerability

Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send malicious DHCP replies to the server and execute arbitrary code.

22 October 2007

USN-530-1: hplip vulnerability

It was discovered that the hpssd tool of hplip did not correctly handle shell meta-characters. A local attacker could exploit this to execute arbitrary commands as the hplip user.

12 October 2007

USN-529-1: Tk vulnerability

It was discovered that Tk could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

11 October 2007

USN-528-1: MySQL vulnerabilities

Neil Kettle discovered that MySQL could be made to dereference a NULL pointer and divide by zero. An authenticated user could exploit this with a crafted IF clause, leading to a denial of service. (CVE-2007-2583) Victoria Reznichenko discovered that MySQL did not always require the DROP privilege. An authenticated user could exploit this via…

11 October 2007

USN-527-1: xen-3.0 vulnerability

Joris van Rantwijk discovered that the Xen host did not correctly validate the contents of a Xen guests’s grug.conf file. Xen guest root users could exploit this to run arbitrary commands on the host when the guest system was rebooted.

5 October 2007

USN-526-1: debian-goodies vulnerability

Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.

4 October 2007

USN-525-1: libsndfile vulnerability

Robert Buchholz discovered that libsndfile did not correctly validate the size of its memory buffers. If a user were tricked into playing a specially crafted FLAC file, a remote attacker could execute arbitrary code with user privileges.

4 October 2007

USN-524-1: OpenOffice.org vulnerability

An integer overflow was discovered in the TIFF handling code in OpenOffice. If a user were tricked into loading a malicious TIFF image, a remote attacker could execute arbitrary code with user privileges.

4 October 2007

USN-523-1: ImageMagick vulnerabilities

Multiple vulnerabilities were found in the image decoders of ImageMagick. If a user or automated system were tricked into processing a malicious DCM, DIB, XBM, XCF, or XWD image, a remote attacker could execute arbitrary code with user privileges.

3 October 2007

USN-522-1: openssl vulnerabilities

It was discovered that OpenSSL did not correctly perform Montgomery multiplications. Local attackers might be able to reconstruct RSA private keys by examining another user’s OpenSSL processes. (CVE-2007-3108) Moritz Jodeit discovered that OpenSSL’s SSL_get_shared_ciphers function did not correctly check the size of the buffer it was writing…

28 September 2007

USN-520-1: fetchmail vulnerabilities

Gaetan Leurent discovered a vulnerability in the APOP protocol based on MD5 collisions. As fetchmail supports the APOP protocol, this vulnerability can be used by attackers to discover a portion of the APOP user’s authentication credentials. (CVE-2007-1558) Earl Chew discovered that fetchmail can be made to de-reference a NULL pointer when…

26 September 2007

USN-519-1: elinks vulnerability

Kalle Olavi Niemitalo discovered that if elinks makes a POST request to an HTTPS URL through a proxy, information may be sent in clear-text between elinks and the proxy. Attackers with access to the network could steal sensitive information (such as passwords).

25 September 2007

USN-517-1: kdm vulnerability

It was discovered that KDM would allow logins without password checks under certain circumstances. If autologin was configured, and “shutdown with password” enabled, a local user could exploit the problem and gain root privileges.

25 September 2007

USN-518-1: linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities

Evan Teran discovered that the Linux kernel ptrace routines did not correctly handle certain requests robustly. Local attackers could exploit this to crash the system, causing a denial of service. (CVE-2007-3731) It was discovered that hugetlb kernels on PowerPC systems did not prevent the stack from colliding with reserved kernel memory. …

25 September 2007

USN-516-1: xfsdump vulnerability

Paul Martin discovered that xfs_fsr creates a temporary directory with insecure permissions. This allows a local attacker to exploit a race condition in xfs_fsr to read or overwrite arbitrary files on xfs filesystems.

20 September 2007

USN-515-1: t1lib vulnerability

It was discovered that t1lib does not properly perform bounds checking which can result in a buffer overflow vulnerability. An attacker could send specially crafted input to applications linked against t1lib which could result in a DoS or arbitrary code execution.

19 September 2007

USN-513-1: Qt vulnerability

Dirk Mueller discovered that UTF8 strings could be made to cause a small buffer overflow. A remote attacker could exploit this by sending specially crafted strings to applications that use the Qt3 library for UTF8 processing, potentially leading to arbitrary code execution with user privileges, or a denial of service.

18 September 2007

USN-512-1: Quagga vulnerability

It was discovered that Quagga did not correctly verify OPEN messages or COMMUNITY attributes sent from configured peers. Malicious authenticated remote peers could send a specially crafted message which would cause bgpd to abort, leading to a denial of service.

15 September 2007

USN-511-2: Kerberos vulnerability

USN-511-1 fixed vulnerabilities in krb5 and librpcsecgss. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes the problem. Original advisory details: It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An…

7 September 2007

USN-511-1: Kerberos vulnerability

It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges.

4 September 2007

USN-510-1: Linux kernel vulnerabilities

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the…

31 August 2007

USN-507-1: tcp-wrappers vulnerability

It was discovered that the TCP wrapper library was incorrectly allowing connections to services that did not specify server-side connection details. Remote attackers could connect to services that had been configured to block such connections. This only affected Ubuntu Feisty.

29 August 2007

USN-469-2: Enigmail regression

USN-469-1 fixed vulnerabilities in the Mozilla Thunderbird email client. The updated Thunderbird version broken compatibility with the Enigmail plugin. This update corrects the problem. We apologize for the inconvenience.

28 August 2007

USN-506-1: tar vulnerability

Dmitry V. Levin discovered that tar did not correctly detect the “..” file path element when unpacking archives. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.

28 August 2007

USN-505-1: vim vulnerability

Ulf Harnhammar discovered that vim does not properly sanitise the “helptags_one()” function when running the “helptags” command. By tricking a user into running a crafted help file, a remote attacker could execute arbitrary code with the user’s privileges.

28 August 2007

USN-504-1: Emacs vulnerability

Hendrik Tews discovered that emacs21 did not correctly handle certain GIF images. By tricking a user into opening a specially crafted GIF, a remote attacker could cause emacs21 to crash, resulting in a denial of service.

28 August 2007

USN-502-1: KDE vulnerabilities

It was discovered that Konqueror could be tricked into displaying incorrect URLs. Remote attackers could exploit this to increase their chances of tricking a user into visiting a phishing URL, which could lead to credential theft.

26 August 2007

USN-503-1: Thunderbird vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could execute arbitrary code with the user’s privileges. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3844) Jesper…

25 August 2007

USN-501-1: jasper vulnerability

It was discovered that Jasper did not correctly handle corrupted JPEG2000 images. By tricking a user into opening a specially crafted JPG, a remote attacker could cause the application using libjasper to crash, resulting in a denial of service.

21 August 2007

USN-500-1: rsync vulnerability

Sebastian Krahmer discovered that rsync contained an off-by-one miscalculation when handling certain file paths. By creating a specially crafted tree of files and tricking an rsync server into processing them, a remote attacker could write a single NULL to stack memory, possibly leading to arbitrary code execution.

20 August 2007

USN-499-1: Apache vulnerabilities

Stefan Esser discovered that mod_status did not force a character set, which could result in browsers becoming vulnerable to XSS attacks when processing the output. If a user were tricked into viewing server status output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such…

17 August 2007

USN-498-1: libvorbis vulnerabilities

David Thiel discovered that libvorbis did not correctly verify the size of certain headers, and did not correctly clean up a broken stream. If a user were tricked into processing a specially crafted Vorbis stream, a remote attacker could execute arbitrary code with the user’s privileges.

16 August 2007

USN-497-1: xfce4-terminal vulnerability

Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly escape shell meta-characters during “Open Link” actions. If a remote attacker tricked a user into opening a specially crafted URI, they could execute arbitrary commands with the user’s privileges.

14 August 2007

USN-496-2: poppler vulnerability

USN-496-1 fixed a vulnerability in koffice. This update provides the corresponding updates for poppler, the library used for PDF handling in Gnome. Original advisory details: Derek Noonburg discovered an integer overflow in the Xpdf function StreamPredictor::StreamPredictor(). By importing a specially crafted PDF file into KWord, this could…

7 August 2007

USN-495-1: Qt vulnerability

Several format string vulnerabilities have been discovered in Qt warning messages. By causing an application to process specially crafted input data which triggered Qt warnings, this could be exploited to execute arbitrary code with the privilege of the user running the application.

3 August 2007

USN-496-1: koffice vulnerability

Derek Noonburg discovered an integer overflow in the Xpdf function StreamPredictor::StreamPredictor(). By importing a specially crafted PDF file into KWord, this could be exploited to run arbitrary code with the user’s privileges.

3 August 2007

USN-494-1: Gimp vulnerability

Sean Larsson discovered multiple integer overflows in Gimp. By tricking a user into opening a specially crafted DICOM, PNM, PSD, PSP, RAS, XBM, or XWD image, a remote attacker could exploit this to execute arbitrary code with the user’s privileges.

2 August 2007

USN-493-1: Firefox vulnerabilities

A flaw was discovered in handling of “about:blank” windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In…

1 August 2007

USN-492-1: tcpdump vulnerability

A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges.

31 July 2007

USN-491-1: Bind vulnerability

A flaw was discovered in Bind’s sequence number generator. A remote attacker could calculate future sequence numbers and send forged DNS query responses. This could lead to client connections being directed to attacker-controlled hosts, resulting in credential theft and other attacks.

25 July 2007

USN-490-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-3734, CVE-2007-3735) Flaws were discovered in the JavaScript methods addEventListener and setTimeout which could be used to inject script into…

20 July 2007

USN-488-1: mod_perl vulnerability

Alex Solovey discovered that mod_perl did not correctly validate certain regular expression matches. A remote attacker could send a specially crafted request to a web application using mod_perl, causing the web server to monopolize CPU resources. This could lead to a remote denial of service.

18 July 2007

USN-487-1: Dovecot vulnerability

It was discovered that Dovecot, when configured to use non-system-user spools and compressed folders, would allow directory traversals in mailbox names. Remote authenticated users could potentially read email owned by other users.

17 July 2007

USN-485-1: PHP vulnerabilities

It was discovered that the PHP xmlrpc extension did not correctly check heap memory allocation sizes. A remote attacker could send a specially crafted request to a PHP application using xmlrpc and execute arbitrary code as the Apache user. (CVE-2007-1864) Stefan Esser discovered a flaw in the random number initialization of the PHP SOAP…

17 July 2007

USN-484-1: curl vulnerability

It was discovered that the GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates.

17 July 2007

USN-482-1: OpenOffice.org vulnerability

John Heasman discovered that OpenOffice did not correctly validate the sizes of tags in RTF documents. If a user were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges.

11 July 2007

USN-481-1: ImageMagick vulnerabilities

Multiple vulnerabilities were found in ImageMagick’s handling of DCM and WXD image files. By tricking a user into processing a specially crafted image with an application that uses imagemagick, an attacker could execute arbitrary code with the user’s privileges.

10 July 2007

USN-480-1: Gimp vulnerability

Stefan Cornelius discovered that Gimp could miscalculate the size of heap buffers when processing PSD images. By tricking a user into opening a specially crafted PSD file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

4 July 2007

USN-479-1: MadWifi vulnerabilities

Multiple flaws in the MadWifi driver were discovered that could lead to a system crash. A physically near-by attacker could generate specially crafted wireless network traffic and cause a denial of service. (CVE-2006-7177, CVE-2006-7178, CVE-2006-7179, CVE-2007-2829, CVE-2007-2830) A flaw was discovered in the MadWifi driver that would allow…

29 June 2007

USN-478-1: libexif vulnerability

Sean Larsson discovered that libexif did not correctly verify the size of EXIF components. By tricking a user into opening an image with specially crafted EXIF headers, a remote attacker could cause the application using libexif to execute arbitrary code with user privileges.

27 June 2007

USN-477-1: krb5 vulnerabilities

Wei Wang discovered that the krb5 RPC library did not correctly handle certain error conditions. A remote attacker could cause kadmind to free an uninitialized pointer, leading to a denial of service or possibly execution of arbitrary code with root privileges. (CVE-2007-2442) Wei Wang discovered that the krb5 RPC library did not correctly…

27 June 2007

USN-476-1: redhat-cluster-suite vulnerability

Fabio Massimo Di Nitto discovered that cman did not correctly validate the size of client messages. A local user could send a specially crafted message and execute arbitrary code with cluster manager privileges or crash the manager, leading to a denial of service.

22 June 2007

USN-475-1: evolution-data-server vulnerability

Philip Van Hoof discovered that the IMAP client in Evolution did not correctly verify the SEQUENCE value. A malicious or spoofed server could exploit this to execute arbitrary code with user privileges.

21 June 2007

USN-474-1: xscreensaver vulnerability

It was discovered that xscreensaver did not correctly validate the return values from network authentication systems such as LDAP or NIS. A local attacker could bypass a locked screen if they were able to interrupt network connectivity.

12 June 2007

USN-473-1: libgd2 vulnerabilities

A buffer overflow was discovered in libgd2’s font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service. (CVE-2007-0455) Xavier Roche discovered that libgd2 did not correctly validate…

12 June 2007

USN-472-1: libpng vulnerability

It was discovered that libpng did not correctly handle corrupted CRC in grayscale PNG images. By tricking a user into opening a specially crafted PNG, a remote attacker could cause the application using libpng to crash, resulting in a denial of service.

12 June 2007

USN-471-1: libexif vulnerability

Victor Stinner discovered that libexif did not correctly validate the size of some EXIF header fields. By tricking a user into opening an image with specially crafted EXIF headers, a remote attacker could cause the application using libexif to crash, resulting in a denial of service.

11 June 2007

USN-439-2: file vulnerability

USN-439-1 fixed a vulnerability in file. The original fix did not fully solve the problem. This update provides a more complete solution. Original advisory details: Jean-Sebastien Guay-Leroux discovered that “file” did not correctly check the size of allocated heap memory. If a user were tricked into examining a specially crafted file with…

11 June 2007

USN-470-1: Linux kernel vulnerabilities

USN-464-1 fixed several vulnerabilities in the Linux kernel. Some additional code changes were accidentally included in the Feisty update which caused trouble for some people who were not using UUID-based filesystem mounts. These changes have been reverted. We apologize for the inconvenience. For more information see: …

8 June 2007

USN-469-1: Thunderbird vulnerabilities

Gaëtan Leurent showed a weakness in APOP authentication. An attacker posing as a trusted server could recover portions of the user’s password via multiple authentication attempts. (CVE-2007-1558) Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could…

6 June 2007

USN-468-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-2867, CVE-2007-2868) A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker…

1 June 2007

USN-467-1: Gimp vulnerability

It was discovered that Gimp did not correctly handle RAS image format color tables. By tricking a user into opening a specially crafted RAS file with Gimp, an attacker could exploit this to execute arbitrary code with the user’s privileges.

31 May 2007

USN-466-1: freetype vulnerability

Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges.

30 May 2007

USN-465-1: PulseAudio vulnerability

Luigi Auriemma discovered multiple flaws in pulseaudio’s network processing code. If an unauthenticated attacker sent specially crafted requests to the pulseaudio daemon, it would crash, resulting in a denial of service.

25 May 2007

USN-464-1: Linux kernel vulnerabilities

Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel. (CVE-2007-1357) Gabriel Campana discovered that the do_ipv6_setsockopt() function did not sufficiently verifiy option values for…

24 May 2007

USN-463-1: vim vulnerability

Tomas Golembiovsky discovered that some vim commands were accidentally allowed in modelines. By tricking a user into opening a specially crafted file in vim, an attacker could execute arbitrary code with user privileges.

23 May 2007

USN-462-1: PHP vulnerabilities

A flaw was discovered in the FTP command handler in PHP. Commands were not correctly filtered for control characters. An attacker could issue arbitrary FTP commands using specially crafted arguments. (CVE-2007-2509) Ilia Alshanetsky discovered a buffer overflow in the SOAP request handler in PHP. Remote attackers could send a specially…

22 May 2007

USN-460-2: Samba regression

USN-460-1 fixed several vulnerabilities in Samba. The upstream changes for CVE-2007-2444 had an unexpected side-effect in Feisty. Shares configured with the “force group” option no longer behaved correctly. This update corrects the problem. We apologize for the inconvenience. Original advisory details: Paul Griffith and Andrew Hogue…

22 May 2007

USN-436-2: KTorrent vulnerability

USN-436-1 fixed a vulnerability in KTorrent. The original fix for path traversal was incomplete, allowing for alternate vectors of attack. This update solves the problem. Original advisory details: Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent…

18 May 2007

USN-461-1: Quagga vulnerability

It was discovered that Quagga did not correctly verify length information sent from configured peers. Remote malicious peers could send a specially crafted UPDATE message which would cause bgpd to abort, leading to a denial of service.

17 May 2007

USN-460-1: Samba vulnerabilities

Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. (CVE-2007-2444) Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker…

16 May 2007

USN-459-1: pptpd vulnerability

A flaw was discovered in the PPTP tunnel server. Remote attackers could send a specially crafted packet and disrupt established PPTP tunnels, leading to a denial of service.

14 May 2007

USN-458-1: MoinMoin vulnerabilities

A flaw was discovered in MoinMoin’s error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user’s authentication information for the domain where MoinMoin was hosted. (CVE-2007-2423) Flaws were…

8 May 2007

USN-457-1: elinks vulnerability

Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges.

7 May 2007

USN-454-1: PostgreSQL vulnerability

PostgreSQL did not handle the “search_path” configuration option in a secure way for functions declared as “SECURITY DEFINER”. Previously, an attacker could override functions and operators used by the security definer function to execute arbitrary SQL commands with the privileges of the user who created the security definer function. The…

27 April 2007

USN-455-1: PHP vulnerabilities

Stefan Esser discovered multiple vulnerabilities in the “Month of PHP bugs”. The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise unaccessible memory, which might lead to information disclosure. (CVE-2007-1375) The shared memory (shmop) functions did not verify resource…

27 April 2007