USNs for ubuntu 7.10

USN-760-1: CUPS vulnerability

It was discovered that CUPS did not properly check the height of TIFF images. If a user or automated system were tricked into opening a crafted TIFF image file, a remote attacker could cause a denial of service or possibly execute arbitrary code with user privileges. In Ubuntu 7.10, 8.04 LTS, and 8.10, attackers would be isolated by the AppArmor…

16 April 2009

USN-758-1: udev vulnerabilities

Sebastian Krahmer discovered that udev did not correctly validate netlink message senders. A local attacker could send specially crafted messages to udev in order to gain root privileges. (CVE-2009-1185) Sebastian Krahmer discovered a buffer overflow in the path encoding routines in udev. A local attacker could exploit this to crash udev,…

15 April 2009

USN-755-1: Kerberos vulnerabilities

Multiple flaws were discovered in the Kerberos GSS-API and ASN.1 routines that did not correctly handle certain requests. An unauthenticated remote attacker could send specially crafted traffic to crash services using the Kerberos library, leading to a denial of service.

7 April 2009

USN-751-1: Linux kernel vulnerabilities

NFS did not correctly handle races between fcntl and interrupts. A local attacker on an NFS mount could consume unlimited kernel memory, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-4307) Sparc syscalls did not correctly check mmap regions. A local attacker could cause a system panic, leading to a denial of service….

6 April 2009

USN-750-1: OpenSSL vulnerability

It was discovered that OpenSSL did not properly validate the length of an encoded BMPString or UniversalString when printing ASN.1 strings. If a user or automated system were tricked into processing a crafted certificate, an attacker could cause a denial of service via application crash in applications linked against OpenSSL.

30 March 2009

USN-749-1: libsndfile vulnerability

It was discovered that libsndfile did not correctly handle description chunks in CAF audio files. If a user or automated system were tricked into opening a specially crafted CAF audio file, an attacker could execute arbitrary code with the privileges of the user invoking the program.

30 March 2009

USN-745-1: Firefox and Xulrunner vulnerabilities

It was discovered that Firefox did not properly perform XUL garbage collection. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 8.04 LTS and 8.10. (CVE-2009-1044) A flaw was…

28 March 2009

USN-746-1: xine-lib vulnerability

It was discovered that the 4xm demuxer in xine-lib did not correctly handle a large current_track value in a 4xm file, resulting in an integer overflow. If a user or automated system were tricked into opening a specially crafted 4xm movie file, an attacker could crash xine-lib or possibly execute arbitrary code with the privileges of the user…

26 March 2009

USN-747-1: ICU vulnerability

It was discovered that libicu did not correctly handle certain invalid encoded data. If a user or automated system were tricked into processing specially crafted data with applications linked against libicu, certain content filters could be bypassed.

26 March 2009

USN-744-1: LittleCMS vulnerabilities

Chris Evans discovered that LittleCMS did not properly handle certain error conditions, resulting in a large memory leak. If a user or automated system were tricked into processing an image with malicious ICC tags, a remote attacker could cause a denial of service. (CVE-2009-0581) Chris Evans discovered that LittleCMS contained multiple integer…

23 March 2009

USN-743-1: Ghostscript vulnerabilities

It was discovered that Ghostscript contained multiple integer overflows in its ICC color management library. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-0583) It was discovered…

23 March 2009

USN-741-1: Thunderbird vulnerabilities

Several flaws were discovered in the browser engine. If Javascript were enabled, an attacker could exploit these flaws to crash Thunderbird and possibly execute arbitrary code with user privileges. (CVE-2009-0352) Jesse Ruderman and Gary Kwong discovered flaws in the browser engine. If a user had Javascript enabled, these problems could allow a…

19 March 2009

USN-742-1: JasPer vulnerabilities

It was discovered that JasPer did not correctly handle memory allocation when parsing certain malformed JPEG2000 images. If a user were tricked into opening a specially crafted image with an application that uses libjasper, an attacker could cause a denial of service and possibly execute arbitrary code with the user’s privileges….

19 March 2009

USN-740-1: NSS vulnerability

The MD5 algorithm is known not to be collision resistant. This update blacklists the proof of concept rogue certificate authority as discussed in http://www.win.tue.nl/hashclash/rogue-ca/.

17 March 2009

USN-739-1: Amarok vulnerabilities

It was discovered that Amarok did not correctly handle certain malformed tags in Audible Audio (.aa) files. If a user were tricked into opening a crafted Audible Audio file, an attacker could execute arbitrary code with the privileges of the user invoking the program.

17 March 2009

USN-734-1: FFmpeg vulnerabilities

It was discovered that FFmpeg did not correctly handle certain malformed Ogg Media (OGM) files. If a user were tricked into opening a crafted Ogg Media file, an attacker could cause the application using FFmpeg to crash, leading to a denial of service. (CVE-2008-4610) It was discovered that FFmpeg did not correctly handle certain parameters when…

16 March 2009

USN-738-1: GLib vulnerability

Diego Petteno discovered that the Base64 encoding functions in GLib did not properly handle large strings. If a user or automated system were tricked into processing a crafted Base64 string, an attacker could possibly execute arbitrary code with the privileges of the user invoking the program.

16 March 2009

USN-737-1: libsoup vulnerability

It was discovered that the Base64 encoding functions in libsoup did not properly handle large strings. If a user were tricked into connecting to a malicious server, an attacker could possibly execute arbitrary code with user privileges.

16 March 2009

USN-736-1: GStreamer Good Plugins vulnerabilities

It was discovered that GStreamer Good Plugins did not correctly handle malformed Composition Time To Sample (ctts) atom data in Quicktime (mov) movie files. If a user were tricked into opening a crafted mov file, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0386) It was discovered that…

16 March 2009

USN-733-1: evolution-data-server vulnerability

It was discovered that the Base64 encoding functions in evolution-data-server did not properly handle large strings. If a user were tricked into opening a specially crafted image file, or tricked into connecting to a malicious server, an attacker could possibly execute arbitrary code with user privileges.

16 March 2009

USN-731-1: Apache vulnerabilities

It was discovered that Apache did not sanitize the method specifier header from an HTTP request when it is returned in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a…

10 March 2009

USN-730-1: libpng vulnerabilities

It was discovered that libpng did not properly perform bounds checking in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng. This issue only affected Ubuntu 8.04 LTS. (CVE-2007-5268, CVE-2007-5269) Tavis Ormandy discovered that libpng did not properly…

6 March 2009

USN-728-2: Firefox vulnerabilities

Jesse Ruderman and Gary Kwong discovered flaws in the browser engine. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0772, CVE-2009-0774) Georgi Guninski discovered a flaw when Firefox…

6 March 2009

USN-729-1: Python Crypto vulnerability

Mike Wiacek discovered that the ARC2 implementation in Python Crypto did not correctly check the key length. If a user or automated system were tricked into processing a malicious ARC2 stream, a remote attacker could execute arbitrary code or crash the application using Python Crypto, leading to a denial of service.

5 March 2009

USN-727-1: network-manager-applet vulnerabilities

It was discovered that network-manager-applet did not properly enforce permissions when responding to dbus requests. A local user could perform dbus queries to view other users’ network connection passwords and pre-shared keys. (CVE-2009-0365) It was discovered that network-manager-applet did not properly enforce permissions when responding to…

3 March 2009

USN-726-1: curl vulnerability

It was discovered that curl did not enforce any restrictions when following URL redirects. If a user or automated system were tricked into opening a URL to an untrusted server, an attacker could use redirects to gain access to abitrary files. This update changes curl behavior to prevent following “file” URLs after a redirect.

3 March 2009

USN-725-1: KMail vulnerability

It was discovered that Kmail did not adequately prevent execution of arbitrary code when a user clicked on a URL to an executable within an HTML mail. If a user clicked on a malicious URL and chose to execute the file, a remote attacker could execute arbitrary code with user privileges. This update changes KMail’s behavior to instead launch a…

26 February 2009

USN-723-1: Git vulnerabilities

It was discovered that Git did not properly handle long file paths. If a user were tricked into performing commands on a specially crafted Git repository, an attacker could possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-3546) It was discovered that the Git web interface (gitweb) did not correctly…

18 February 2009

USN-720-1: PHP vulnerabilities

It was discovered that PHP did not properly enforce php_admin_value and php_admin_flag restrictions in the Apache configuration file. A local attacker could create a specially crafted PHP script that would bypass intended security restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900) It was discovered that…

12 February 2009

USN-717-2: Firefox vulnerabilities

A flaw was discovered in the browser engine when restoring closed tabs. If a user were tricked into restoring a tab to a malicious website with form input controls, an attacker could steal local files on the user’s system. (CVE-2009-0355) Wladimir Palant discovered that Firefox did not restrict access to cookies in HTTP response headers. If a…

10 February 2009

USN-716-1: MoinMoin vulnerabilities

Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the…

30 January 2009

USN-714-1: Linux kernel vulnerabilities

Hugo Dias discovered that the ATM subsystem did not correctly manage socket counts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5079) It was discovered that the libertas wireless driver did not correctly handle beacon and probe responses. A physically near-by attacker could generate…

29 January 2009

USN-712-1: Vim vulnerabilities

Jan Minar discovered that Vim did not properly sanitize inputs before invoking the execute or system functions inside Vim scripts. If a user were tricked into running Vim scripts with a specially crafted input, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2712) Ben Schmidt discovered…

27 January 2009

USN-711-1: KTorrent vulnerabilities

It was discovered that KTorrent did not properly restrict access when using the web interface plugin. A remote attacker could use a crafted http request and upload arbitrary torrent files to trigger the start of downloads and seeding. (CVE-2008-5905) It was discovered that KTorrent did not properly handle certain parameters when using the web…

26 January 2009

USN-710-1: xine-lib vulnerabilities

It was discovered that xine-lib did not correctly handle certain malformed Ogg and Windows Media files. If a user or automated system were tricked into opening a specially crafted Ogg or Windows Media file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS….

26 January 2009

USN-709-1: tar vulnerability

Dmitry V. Levin discovered a buffer overflow in tar. If a user or automated system were tricked into opening a specially crafted tar file, an attacker could crash tar or possibly execute arbitrary code with the privileges of the user invoking the program.

15 January 2009

USN-708-1: HPLIP vulnerability

It was discovered that an installation script in the HPLIP package would change permissions on the hplip config files located in user’s home directories. A local user could exploit this and change permissions on arbitrary files upon an HPLIP installation or upgrade, which could lead to root privileges.

13 January 2009

USN-707-1: CUPS vulnerabilities

It was discovered that CUPS didn’t properly handle adding a large number of RSS subscriptions. A local user could exploit this and cause CUPS to crash, leading to a denial of service. This issue only applied to Ubuntu 7.10, 8.04 LTS and 8.10. (CVE-2008-5183) It was discovered that CUPS did not authenticate users when adding and cancelling RSS…

12 January 2009

USN-706-1: Bind vulnerability

It was discovered that Bind did not properly perform signature verification. When DNSSEC with DSA signatures are in use, a remote attacker could exploit this to bypass signature validation to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic.

9 January 2009

USN-705-1: NTP vulnerability

It was discovered that NTP did not properly perform signature verification. A remote attacker could exploit this to bypass certificate validation via a malformed SSL/TLS signature.

8 January 2009

USN-704-1: OpenSSL vulnerability

It was discovered that OpenSSL did not properly perform signature verification on DSA and ECDSA keys. If user or automated system connected to a malicious server or a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

7 January 2009

USN-701-1: Thunderbird vulnerabilities

Several flaws were discovered in the browser engine. If a user had Javascript enabled, these problems could allow an attacker to crash Thunderbird and possibly execute arbitrary code with user privileges. (CVE-2008-5500) Boris Zbarsky discovered that the same-origin check in Thunderbird could be bypassed by utilizing XBL-bindings. If a user had…

6 January 2009

USN-703-1: xterm vulnerabilities

Paul Szabo discovered that the DECRQSS escape sequences were not handled correctly by xterm. Additionally, window title operations were also not safely handled. If a user were tricked into viewing a specially crafted series of characters while in xterm, a remote attacker could execute arbitrary commands with user privileges. (CVE-2006-7236,…

6 January 2009

USN-700-1: Perl vulnerabilities

Jonathan Smith discovered that the Archive::Tar Perl module did not correctly handle symlinks when extracting archives. If a user or automated system were tricked into opening a specially crafted tar file, a remote attacker could over-write arbitrary files. (CVE-2007-4829) Tavis Ormandy and Will Drewry discovered that Perl did not…

24 December 2008

USN-697-1: Imlib2 vulnerability

It was discovered that Imlib2 did not correctly handle certain malformed XPM and PNG images. If a user were tricked into opening a specially crafted image with an application that uses Imlib2, an attacker could cause a denial of service and possibly execute arbitrary code with the user’s privileges.

22 December 2008

USN-696-1: Avahi vulnerabilities

Emanuele Aina discovered that Avahi did not properly validate its input when processing data over D-Bus. A local attacker could send an empty TXT message via D-Bus and cause a denial of service (failed assertion). This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3372) Hugo Dias discovered that Avahi did not properly verify its input…

18 December 2008

USN-695-1: shadow vulnerability

Paul Szabo discovered a race condition in login. While setting up tty permissions, login did not correctly handle symlinks. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.

18 December 2008

USN-694-1: libvirt vulnerability

It was discovered that libvirt did not mark certain operations as read-only. A local attacker may be able to perform privileged actions such as migrating virtual machines, adjusting autostart flags, or accessing privileged data in the virtual machine memory and disks.

18 December 2008

USN-690-2: Firefox vulnerabilities

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2008-5500) Boris Zbarsky discovered that the same-origin check in Firefox could be bypassed by utilizing XBL-bindings. An attacker could exploit this to read data from…

18 December 2008

USN-693-1: LittleCMS vulnerability

It was discovered that certain gamma operations in lcms were not correctly bounds-checked. If a user or automated system were tricked into processing a malicious image, a remote attacker could crash applications linked against liblcms1, leading to a denial of service, or possibly execute arbitrary code with user privileges.

17 December 2008

USN-692-1: Gadu vulnerability

It was discovered that the Gadu library, used by some Instant Messaging clients, did not correctly verify certain packet sizes from the server. If a user connected to a malicious server, clients using Gadu could be made to crash, leading to a denial of service.

17 December 2008

USN-678-2: GnuTLS regression

USN-678-1 fixed a vulnerability in GnuTLS. The upstream patch introduced a regression when validating certain certificate chains that would report valid certificates as untrusted. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Martin von Gagern discovered that GnuTLS did not properly verify…

10 December 2008

USN-688-1: Compiz vulnerability

It was discovered that the Expo plugin for Compiz did not correctly restrict the screensaver window from being moved with the mouse. A local attacker could use the mouse to move the screensaver off the screen and gain access to the locked desktop session underneath. Default installs of Ubuntu were not vulnerable as Expo does not come…

9 December 2008

USN-687-1: nfs-utils vulnerability

It was discovered that nfs-utils did not properly enforce netgroup restrictions when using TCP Wrappers. Remote attackers could bypass the netgroup restrictions enabled by the administrator and possibly gain access to sensitive information.

4 December 2008

USN-686-1: AWStats vulnerability

Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. If a user was tricked by a remote attacker into following a specially crafted URL, the user’s authentication information could be exposed for the domain where AWStats was hosted.

4 December 2008

USN-685-1: Net-SNMP vulnerabilities

Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user’s views without a valid authentication passphrase. (CVE-2008-0960) John Kortink discovered that the Net-SNMP Perl…

3 December 2008

USN-683-1: Imlib2 vulnerability

It was discovered that Imlib2 did not correctly handle certain malformed XPM images. If a user were tricked into opening a specially crafted image with an application that uses Imlib2, an attacker could cause a denial of service and possibly execute arbitrary code with the user’s privileges.

2 December 2008

USN-682-1: libvorbis vulnerabilities

It was discovered that libvorbis did not correctly handle certain malformed sound files. If a user were tricked into opening a specially crafted sound file with an application that uses libvorbis, an attacker could execute arbitrary code with the user’s privileges.

1 December 2008

USN-681-1: ImageMagick vulnerability

It was discovered that ImageMagick did not correctly handle certain malformed XCF images. If a user were tricked into opening a specially crafted image with an application that uses ImageMagick, an attacker could cause a denial of service and possibly execute arbitrary code with the user’s privileges.

1 December 2008

USN-679-1: Linux kernel vulnerabilities

It was discovered that the Xen hypervisor block driver did not correctly validate requests. A user with root privileges in a guest OS could make a malicious IO request with a large number of blocks that would crash the host OS, leading to a denial of service. This only affected Ubuntu 7.10. (CVE-2007-5498) It was discovered the the i915 video…

27 November 2008

USN-678-1: GnuTLS vulnerability

Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2008-4989)

26 November 2008

USN-677-1: OpenOffice.org vulnerabilities

Multiple memory overflow flaws were discovered in OpenOffice.org’s handling of WMF and EMF files. If a user were tricked into opening a specially crafted document, a remote attacker might be able to execute arbitrary code with user privileges. (CVE-2008-2237, CVE-2008-2238) Dmitry E. Oboukhov discovered that senddoc, as included in…

26 November 2008

USN-668-1: Thunderbird vulnerabilities

Georgi Guninski, Michal Zalewsk and Chris Evans discovered that the same-origin check in Thunderbird could be bypassed. If a user were tricked into opening a malicious website, an attacker could obtain private information from data stored in the images, or discover information about software on the user’s computer. (CVE-2008-5012) Jesse Ruderman…

26 November 2008

USN-675-1: Pidgin vulnerabilities

It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927) It was discovered that Pidgin did not properly handle file transfers containing a long filename and special…

24 November 2008

USN-674-2: HPLIP vulnerabilities

USN-674-1 provided packages to fix vulnerabilities in HPLIP. Due to an internal archive problem, the updates for Ubuntu 7.10 would not install properly. This update provides fixed packages for Ubuntu 7.10. We apologize for the inconvenience. Original advisory details: It was discovered that the hpssd tool of hplip did not validate privileges…

24 November 2008

USN-674-1: HPLIP vulnerabilities

It was discovered that the hpssd tool of hplip did not validate privileges in the alert-mailing function. A local attacker could exploit this to gain privileges and send e-mail messages from the account of the hplip user. This update alters hplip behaviour by preventing users from setting alerts and by moving alert configuration to a…

19 November 2008

USN-673-1: libxml2 vulnerabilities

Drew Yao discovered that libxml2 did not correctly handle certain corrupt XML documents. If a user or automated system were tricked into processing a malicious XML document, a remote attacker could cause applications linked against libxml2 to enter an infinite loop, leading to a denial of service. (CVE-2008-4225) Drew Yao discovered that libxml2…

19 November 2008

USN-667-1: Firefox and xulrunner vulnerabilities

Liu Die Yu discovered an information disclosure vulnerability in Firefox when using saved .url shortcut files. If a user were tricked into downloading a crafted .url file and a crafted HTML file, an attacker could steal information from the user’s cache. (CVE-2008-4582) Georgi Guninski, Michal Zalewsk and Chris Evans discovered that…

17 November 2008

USN-671-1: MySQL vulnerabilities

It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX…

17 November 2008

USN-670-1: VMBuilder vulnerability

Mathias Gug discovered that vm-builder improperly set the root password when creating virtual machines. An attacker could exploit this to gain root privileges to the virtual machine by using a predictable password. This vulnerability only affects virtual machines created with vm-builder under Ubuntu 8.10, and does not affect native…

13 November 2008

USN-669-1: gnome-screensaver vulnerabilities

It was discovered that the notify feature in gnome-screensaver could let a local attacker read the clipboard contents of a locked session by using Ctrl-V. (CVE-2007-6389) Alan Matsuoka discovered that gnome-screensaver did not properly handle network outages when using a remote authentication service. During a network interruption, or by…

11 November 2008

USN-662-2: Ubuntu kernel modules vulnerability

USN-662-1 fixed vulnerabilities in ndiswrapper in Ubuntu 8.10. This update provides the corresponding updates for Ubuntu 8.04 and 7.10. Original advisory details: Anders Kaseorg discovered that ndiswrapper did not correctly handle long ESSIDs. For a system using ndiswrapper, a physically near-by attacker could generate specially crafted…

6 November 2008

USN-665-1: Netpbm vulnerability

It was discovered that Netpbm could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

6 November 2008

USN-664-1: Tk vulnerability

It was discovered that Tk could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

6 November 2008

USN-660-1: enscript vulnerability

Ulf Härnhammar discovered multiple stack overflows in enscript’s handling of special escape arguments. If a user or automated system were tricked into processing a malicious file with the “-e” option enabled, a remote attacker could execute arbitrary code or cause enscript to crash, possibly leading to a denial of service.

3 November 2008

USN-659-1: Linux kernel vulnerabilities

It was discovered that the direct-IO subsystem did not correctly validate certain structures. A local attacker could exploit this to cause a system crash, leading to a denial of service. (CVE-2007-6716) It was discovered that the disabling of the ZERO_PAGE optimization could lead to large memory consumption. A local attacker could exploit this…

27 October 2008

USN-658-1: Moodle vulnerability

Lukasz Pilorz discovered that the HTML filtering used in Moodle was not strict enough. A remote attacker could send malicious requests to Moodle and execute arbitrary code as the web server user.

23 October 2008

USN-657-1: Amarok vulnerability

Dwayne Litzenberger discovered that Amarok created temporary files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. (CVE-2008-3699)

21 October 2008

USN-656-1: CUPS vulnerabilities

It was discovered that the SGI image filter in CUPS did not perform proper bounds checking. If a user or automated system were tricked into opening a crafted SGI image, an attacker could cause a denial of service. (CVE-2008-3639) It was discovered that the texttops filter in CUPS did not properly validate page metrics. If a user or automated…

15 October 2008

USN-655-1: exiv2 vulnerabilities

Meder Kydyraliev discovered that exiv2 did not correctly handle certain EXIF headers. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexiv2 to crash, leading to a denial of service, or possibly executing arbitrary code with user privileges….

15 October 2008

USN-654-1: libexif vulnerabilities

Meder Kydyraliev discovered that libexif did not correctly handle certain EXIF headers. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexif to crash, leading to a denial of service, or possibly executing arbitrary code with user privileges.

14 October 2008

USN-653-1: D-Bus vulnerabilities

Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. If a local user sent a specially crafted D-Bus request, they could bypass security policies that had a “send_interface” defined. (CVE-2008-0595) It was discovered that the D-Bus library did not correctly validate certain corrupted signatures. …

14 October 2008

USN-651-1: Ruby vulnerabilities

Akira Tagoh discovered a vulnerability in Ruby which lead to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2376) Laurent Gaffie discovered that Ruby did…

10 October 2008

USN-650-1: cpio vulnerability

A buffer overflow was discovered in cpio. If a user were tricked into opening a crafted cpio archive, an attacker could cause a denial of service via application crash, or possibly execute code with the privileges of the user invoking the program. (CVE-2007-4476)

2 October 2008

USN-649-1: OpenSSH vulnerabilities

It was discovered that the ForceCommand directive could be bypassed. If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10. (CVE-2008-1657) USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote…

1 October 2008

USN-647-1: Thunderbird vulnerabilities

It was discovered that the same-origin check in Thunderbird could be bypassed. If a user had JavaScript enabled and were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835) Several problems were discovered in the browser engine of Thunderbird. If a user had…

26 September 2008

USN-645-1: Firefox and xulrunner vulnerabilities

Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016) It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into…

24 September 2008

USN-646-1: rdesktop vulnerabilities

It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered…

18 September 2008

USN-644-1: libxml2 vulnerabilities

It was discovered that libxml2 did not correctly handle long entity names. If a user were tricked into processing a specially crafted XML document, a remote attacker could execute arbitrary code with user privileges or cause the application linked against libxml2 to crash, leading to a denial of service. (CVE-2008-3529) USN-640-1 fixed…

11 September 2008

USN-643-1: FreeType vulnerabilities

Multiple flaws were discovered in the PFB and TTF font handling code in freetype. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges or cause the application linked against freetype to crash, leading to a denial of service.

11 September 2008

USN-642-1: Postfix vulnerability

Wietse Venema discovered that Postfix leaked internal file descriptors when executing non-Postfix commands. A local attacker could exploit this to cause Postfix to run out of descriptors, leading to a denial of service.

10 September 2008

USN-641-1: Racoon vulnerabilities

It was discovered that there were multiple ways to leak memory during the IKE negotiation when handling certain packets. If a remote attacker sent repeated malicious requests, the “racoon” key exchange server could allocate large amounts of memory, possibly leading to a denial of service.

8 September 2008

USN-640-1: libxml2 vulnerability

Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system’s CPU resources, leading to a denial of service.

3 September 2008

USN-639-1: tiff vulnerability

Drew Yao discovered that the TIFF library did not correctly validate LZW compressed TIFF images. If a user or automated system were tricked into processing a malicious image, a remote attacker could execute arbitrary code or cause an application linked against libtiff to crash, leading to a denial of service.

2 September 2008

USN-638-1: Yelp vulnerability

Aaron Grattafiori discovered that the Gnome Help Viewer did not handle format strings correctly when displaying certain error messages. If a user were tricked into opening a specially crafted URI, a remote attacker could execute arbitrary code with user privileges.

27 August 2008

USN-637-1: Linux kernel vulnerabilities

It was discovered that there were multiple NULL-pointer function dereferences in the Linux kernel terminal handling code. A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service. (CVE-2008-2812) The do_change_type routine did not correctly validation administrative users. A local…

25 August 2008

USN-636-1: Postfix vulnerability

Sebastian Krahmer discovered that Postfix was not correctly handling mailbox ownership when dealing with Linux’s implementation of hardlinking to symlinks. In certain mail spool configurations, a local attacker could exploit this to append data to arbitrary files as the root user. The default Ubuntu configuration was not vulnerable.

19 August 2008

USN-635-1: xine-lib vulnerabilities

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073) Luigi Auriemma discovered that xine-lib did not properly check buffer…

6 August 2008

USN-633-1: libxslt vulnerabilities

It was discovered that long transformation matches in libxslt could overflow. If an attacker were able to make an application linked against libxslt process malicious XSL style sheet input, they could execute arbitrary code with user privileges or cause the application to crash, leading to a denial of serivce. (CVE-2008-1767) Chris Evans…

1 August 2008

USN-632-1: Python vulnerabilities

It was discovered that there were new integer overflows in the imageop module. If an attacker were able to trick a Python application into processing a specially crafted image, they could execute arbitrary code with user privileges. (CVE-2008-1679) Justin Ferguson discovered that the zlib module did not correctly handle certain archives. If an…

1 August 2008

USN-634-1: OpenLDAP vulnerability

Cameron Hotchkies discovered that OpenLDAP did not correctly handle certain ASN.1 BER data. A remote attacker could send a specially crafted packet and crash slapd, leading to a denial of service.

1 August 2008

USN-631-1: poppler vulnerability

Felipe Andres Manzano discovered that poppler did not correctly initialize certain page widgets. If a user were tricked into viewing a malicious PDF file, a remote attacker could exploit this to crash applications linked against poppler, leading to a denial of service.

28 July 2008

USN-630-1: ffmpeg vulnerability

It was discovered that ffmpeg did not correctly handle STR file demuxing. If a user were tricked into processing a malicious STR file, a remote attacker could execute arbitrary code with user privileges via applications linked against ffmpeg.

28 July 2008

USN-629-1: Thunderbird vulnerabilities

Various flaws were discovered in the browser engine. If a user had Javascript enabled and were tricked into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799) It was discovered that…

25 July 2008

USN-628-1: PHP vulnerabilities

It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and…

23 July 2008

USN-623-1: Firefox vulnerabilities

A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785) Billy Rios discovered that…

17 July 2008

USN-625-1: Linux kernel vulnerabilities

Dirk Nehring discovered that the IPsec protocol stack did not correctly handle fragmented ESP packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2007-6282) Johannes Bauer discovered that the 64bit kernel did not correctly handle hrtimer updates. A local attacker could request a large expiration…

15 July 2008

USN-624-1: PCRE vulnerability

Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause applications linked against pcre3 to crash, leading to a denial of service.

15 July 2008

USN-622-1: Bind vulnerability

Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic.

8 July 2008

USN-619-1: Firefox vulnerabilities

Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799) Several problems were discovered in the JavaScript…

2 July 2008

USN-617-2: Samba regression

USN-617-1 fixed vulnerabilities in Samba. The upstream patch introduced a regression where under certain circumstances accessing large files might cause the client to report an invalid packet length error. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Samba developers discovered that nmbd could…

30 June 2008

USN-621-1: Ruby vulnerabilities

Drew Yao discovered several vulnerabilities in Ruby which lead to integer overflows. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2662, CVE-2008-2663, CVE-2008-2725,…

26 June 2008

USN-618-1: Linux kernel vulnerabilities

It was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could…

19 June 2008

USN-612-11: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation and introduced openssl-blacklist to aid in detecting vulnerable certificates and keys. This update adds RSA-4096 blacklists to the openssl-blacklist-extra package and adjusts openssl-vulnkey to properly handle RSA-4096 and higher moduli. Original advisory details: A…

18 June 2008

USN-617-1: Samba vulnerabilities

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered…

17 June 2008

USN-616-1: X.org vulnerabilities

Multiple flaws were found in the RENDER, RECORD, and Security extensions of X.org which did not correctly validate function arguments. An authenticated attacker could send specially crafted requests and gain root privileges or crash X. (CVE-2008-1377, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362) It was discovered that the MIT-SHM extension of…

13 June 2008

USN-612-10: OpenVPN regression

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS with password protected certificates which caused OpenVPN to not start when used with applications such as NetworkManager. Original advisory…

12 June 2008

USN-612-9: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check Certificate Signing Requests, accept input from STDIN, and check moduli without a certificate. It was also discovered that…

12 June 2008

USN-615-1: Evolution vulnerabilities

Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or possibly execute code with user privileges. Note that the ITip Formatter…

6 June 2008

USN-612-8: openssl-blacklist update

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check X.509 certificates as well, and provides the corresponding update for Ubuntu 6.06. While the OpenSSL in Ubuntu 6.06 was not…

21 May 2008

USN-613-1: GnuTLS vulnerabilities

Multiple flaws were discovered in the connection handling of GnuTLS. A remote attacker could exploit this to crash applications linked against GnuTLS, or possibly execute arbitrary code with permissions of the application’s user.

21 May 2008

USN-612-6: OpenVPN regression

USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS, multi-client/server mode, and specifying a user or group which caused OpenVPN to not start when using valid SSL certificates. It was also…

14 May 2008

USN-612-5: OpenSSH update

Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as “no-port-forwarding” or forced commands) were ignored by the new ssh-vulnkey tool introduced in OpenSSH (see USN-612-2). This could cause some compromised keys not to be listed in ssh-vulnkey’s output. This update also adds more information to ssh-vulnkey’s…

14 May 2008

USN-612-4: ssl-cert vulnerability

USN-612-1 fixed vulnerabilities in openssl. This update provides the corresponding updates for ssl-cert – potentially compromised snake-oil SSL certificates will be regenerated. Original advisory details: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this …

14 May 2008

USN-612-3: OpenVPN vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-612-2: OpenSSH vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-612-1: OpenSSL vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use…

13 May 2008

USN-611-3: GStreamer Good Plugins vulnerability

USN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for GStreamer Good Plugins. Original advisory details: It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker…

8 May 2008

USN-611-2: vorbis-tools vulnerability

USN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for ogg123, part of vorbis-tools. Original advisory details: It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an…

8 May 2008

USN-611-1: Speex vulnerability

It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program.

8 May 2008

USN-610-1: LTSP vulnerability

Christian Herzog discovered that it was possible to connect to any LTSP client’s X session over the network. A remote attacker could eavesdrop on X events, read window contents, and record keystrokes, possibly gaining access to private information.

6 May 2008

USN-609-1: OpenOffice.org vulnerabilities

It was discovered that arbitrary Java methods were not filtered out when opening databases in OpenOffice.org. If a user were tricked into running a specially crafted query, a remote attacker could execute arbitrary Java with user privileges. (CVE-2007-4575) Multiple memory overflow flaws were discovered in OpenOffice.org’s handling of Quattro…

6 May 2008

USN-605-1: Thunderbird vulnerabilities

Various flaws were discovered in the JavaScript engine. If a user had JavaScript enabled and were tricked into opening a malicious email, an attacker could escalate privileges within Thunderbird, perform cross-site scripting attacks and/or execute arbitrary code with the user’s privileges. (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235) Several…

6 May 2008

USN-608-1: KDE vulnerability

It was discovered that start_kdeinit in KDE 3 did not properly sanitize its input. A local attacker could exploit this to send signals to other processes and cause a denial of service or possibly execute arbitrary code. (CVE-2008-1671)

6 May 2008

USN-607-1: Emacs vulnerabilities

It was discovered that Emacs did not account for precision when formatting integers. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service or possibly other unspecified actions. This issue does not affect Ubuntu 8.04. (CVE-2007-6109) Steve Grubb discovered that the vcdiff script as included in…

6 May 2008

USN-606-1: CUPS vulnerability

Thomas Pollet discovered that CUPS did not properly validate the size of PNG images. A local attacker, and a remote attacker if printer sharing is enabled, could send a crafted file and cause a denial of service or possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS and 7.04. In Ubuntu 7.10, attackers would be isolated by the…

5 May 2008

USN-602-1: Firefox vulnerabilities

Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user’s privileges. (CVE-2008-1380)

22 April 2008

USN-604-1: Gnumeric vulnerability

Thilo Pfennig and Morten Welinder discovered that the XLS spreadsheet handling code in Gnumeric did not correctly calculate needed memory sizes. If a user or automated system were tricked into loading a specially crafted XLS document, a remote attacker could execute arbitrary code with user privileges.

22 April 2008

USN-603-2: KOffice vulnerability

USN-603-1 fixed vulnerabilities in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote…

17 April 2008

USN-603-1: poppler vulnerability

It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote attacker could execute arbitrary code with user privileges.

17 April 2008

USN-601-1: Squid vulnerability

It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect upstream fix for CVE-2007-6239. (CVE-2008-1612)

14 April 2008

USN-600-1: rsync vulnerability

Sebastian Krahmer discovered that rsync could overflow when handling ACLs. An attacker could construct a malicious set of files that when processed by rsync could lead to arbitrary code execution or a crash.

11 April 2008

USN-599-1: Ghostscript vulnerability

Chris Evans discovered that Ghostscript contained a buffer overflow in its color space handling code. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2008-0411)

9 April 2008

USN-598-1: CUPS vulnerabilities

It was discovered that the CUPS administration interface contained a heap- based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the…

2 April 2008

USN-597-1: OpenSSH vulnerability

Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards.

1 April 2008

USN-596-1: Ruby vulnerabilities

Chris Clark discovered that Ruby’s HTTPS module did not check for commonName mismatches early enough during SSL negotiation. If a remote attacker were able to perform man-in-the-middle attacks, this flaw could be exploited to view sensitive information in HTTPS requests coming from Ruby applications. (CVE-2007-5162) It was discovered that Ruby’s…

26 March 2008

USN-595-1: SDL_image vulnerabilities

Michael Skladnikiewicz discovered that SDL_image did not correctly load GIF images. If a user or automated system were tricked into processing a specially crafted GIF, a remote attacker could execute arbitrary code or cause a crash, leading to a denial of service. (CVE-2007-6697) David Raulo discovered that SDL_image did not correctly load ILBM…

26 March 2008

USN-593-1: Dovecot vulnerabilities

It was discovered that the default configuration of dovecot could allow access to any email files with group “mail” without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user’s email. (CVE-2008-1199) By default, dovecot passed special characters to…

26 March 2008

USN-592-1: Firefox vulnerabilities

Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu discovered flaws in Firefox’s character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Various flaws were discovered in the JavaScript engine. By tricking a user into opening a malicious web…

26 March 2008

USN-591-1: libicu vulnerabilities

Will Drewry discovered that libicu did not properly handle ‘\0’ when processing regular expressions. If an application linked against libicu processed a crafted regular expression, an attacker could execute arbitrary code with privileges of the user invoking the program. (CVE-2007-4770) Will Drewry discovered that libicu did not properly limit…

24 March 2008

USN-590-1: bzip2 vulnerability

It was discovered that bzip2 did not correctly handle certain malformed archives. If a user or automated system were tricked into processing a specially crafted bzip2 archive, applications linked against libbz2 could be made to crash, possibly leading to a denial of service.

24 March 2008

USN-589-1: unzip vulnerability

Tavis Ormandy discovered that unzip did not correctly clean up pointers. If a user or automated service was tricked into processing a specially crafted ZIP archive, a remote attacker could execute arbitrary code with user privileges.

20 March 2008

USN-588-1: MySQL vulnerabilities

Masaaki Hirose discovered that MySQL could be made to dereference a NULL pointer. An authenticated user could cause a denial of service (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232) Alexander Nozdrin discovered that MySQL did not restore database…

19 March 2008

USN-587-1: Kerberos vulnerabilities

It was discovered that krb5 did not correctly handle certain krb4 requests. An unauthenticated remote attacker could exploit this flaw by sending a specially crafted traffic, which could expose sensitive information, cause a crash, or execute arbitrary code. (CVE-2008-0062, CVE-2008-0063) A flaw was discovered in the kadmind service’s handling…

19 March 2008

USN-586-1: mailman vulnerability

Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.

15 March 2008

USN-585-1: Python vulnerabilities

Piotr Engelking discovered that strxfrm in Python was not correctly calculating the size of the destination buffer. This could lead to small information leaks, which might be used by attackers to gain additional knowledge about the state of a running Python script. (CVE-2007-2052) A flaw was discovered in the Python imageop module. If a script…

11 March 2008

USN-584-1: OpenLDAP vulnerabilities

Jonathan Clarke discovered that the OpenLDAP slapd server did not properly handle modify requests when using the Berkeley DB backend and specifying the NOOP control. An authenticated user with modify permissions could send a crafted modify request and cause a denial of service via application crash. Ubuntu 7.10 is not affected by this issue….

5 March 2008

USN-583-1: Evolution vulnerability

Ulf Harnhammar discovered that Evolution did not correctly handle format strings when processing encrypted emails. A remote attacker could exploit this by sending a specially crafted email, resulting in arbitrary code execution.

5 March 2008

USN-582-1: Thunderbird vulnerabilities

It was discovered that Thunderbird did not properly set the size of a buffer when parsing an external-body MIME-type. If a user were to open a specially crafted email, an attacker could cause a denial of service via application crash or possibly execute arbitrary code as the user. (CVE-2008-0304) Various flaws were discovered in Thunderbird and…

29 February 2008

USN-581-1: PCRE vulnerability

It was discovered that PCRE did not correctly handle very long strings containing UTF8 sequences. In certain situations, an attacker could exploit applications linked against PCRE by tricking a user or automated system in processing a malicious regular expression leading to a denial of service or possibly arbitrary code execution.

21 February 2008

USN-580-1: libcdio vulnerability

Devon Miller discovered that the iso-info and cd-info tools did not properly perform bounds checking. If a user were tricked into using these tools with a crafted iso image, an attacker could cause a denial of service (core dump) and possibly execute arbitrary code.

20 February 2008

USN-579-1: Qt vulnerability

It was discovered that QSslSocket did not properly verify SSL certificates. A remote attacker may be able to trick applications using QSslSocket into accepting invalid SSL certificates.

20 February 2008

USN-577-1: Linux kernel vulnerability

Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600)

12 February 2008

USN-576-1: Firefox vulnerabilities

Various flaws were discovered in the browser and JavaScript engine. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2008-0412, CVE-2008-0413) Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user’s…

8 February 2008

USN-575-1: Apache vulnerabilities

It was discovered that Apache did not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a…

4 February 2008

USN-574-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal…

4 February 2008

USN-573-1: PulseAudio vulnerability

It was discovered that PulseAudio did not properly drop privileges when running as a daemon. Local users may be able to exploit this and gain privileges. The default Ubuntu configuration is not affected.

31 January 2008

USN-571-2: X.org regression

USN-571-1 fixed vulnerabilities in X.org. The upstream fixes were incomplete, and under certain situations, applications using the MIT-SHM extension (e.g. Java, wxWidgets) would crash with BadAlloc X errors. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple overflows were discovered in the…

19 January 2008

USN-572-1: apt-listchanges vulnerability

Felipe Sateler discovered that apt-listchanges did not use safe paths when importing additional Python libraries. A local attacker could exploit this and execute arbitrary commands as the user running apt-listchanges.

18 January 2008

USN-571-1: X.org vulnerabilities

Multiple overflows were discovered in the XFree86-Misc, XInput-Misc, TOG-CUP, EVI, and MIT-SHM extensions which did not correctly validate function arguments. An authenticated attacker could send specially crafted requests and gain root privileges. (CVE-2007-5760, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429) It was discovered that the X.org…

18 January 2008

USN-570-1: boost vulnerabilities

Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.

16 January 2008

USN-569-1: libxml2 vulnerability

Brad Fitzpatrick discovered that libxml2 did not correctly handle certain UTF-8 sequences. If a remote attacker were able to trick a user or automated system into processing a specially crafted XML document, the application linked against libxml2 could enter an infinite loop, leading to a denial of service via CPU resource consumption.

14 January 2008

USN-568-1: PostgreSQL vulnerabilities

Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. An authenticated user could exploit this flaw to access arbitrary accounts and execute arbitrary SQL queries. (CVE-2007-3278, CVE-2007-6601) It was discovered that the TCL regular expression parser used by PostgreSQL did not properly check its input. An…

14 January 2008

USN-567-1: Dovecot vulnerability

It was discovered that in very rare configurations using LDAP, Dovecot may reuse cached connections for users with the same password. As a result, a user may be able to login as another if the connection is reused. The default Ubuntu configuration of Dovecot was not vulnerable.

10 January 2008

USN-566-1: OpenSSH vulnerability

Jan Pechanec discovered that ssh would forward trusted X11 cookies when untrusted cookie generation failed. This could lead to unintended privileges being forwarded to a remote host.

9 January 2008

USN-565-1: Squid vulnerability

It was discovered that Squid did not always clean up cache memory correctly. A remote attacker could manipulate cache update replies and cause Squid to use all available memory, leading to a denial of service.

9 January 2008

USN-564-1: Net-SNMP vulnerability

Bill Trost discovered that snmpd did not properly limit GETBULK requests. A remote attacker could specify a large number of max-repetitions and cause a denial of service via resource exhaustion.

9 January 2008

USN-563-1: CUPS vulnerabilities

Wei Wang discovered that the SNMP discovery backend did not correctly calculate the length of strings. If a user were tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code. Elias Pipping discovered that temporary files were not handled safely in certain situations when…

9 January 2008

USN-561-1: pwlib vulnerability

Jose Miguel Esparza discovered that pwlib did not correctly handle large string lengths. A remote attacker could send specially crafted packets to applications linked against pwlib (e.g. Ekiga) causing them to crash, leading to a denial of service.

8 January 2008

USN-560-1: Tomboy vulnerability

Jan Oravec discovered that Tomboy did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program.

7 January 2008

USN-559-1: MySQL vulnerabilities

Joe Gallo and Artem Russakovskii discovered that the InnoDB engine in MySQL did not properly perform input validation. An authenticated user could use a crafted CONTAINS statement to cause a denial of service. (CVE-2007-5925) It was discovered that under certain conditions MySQL could be made to overwrite system table information. An…

21 December 2007

USN-558-1: Linux kernel vulnerabilities

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Certain calculations in the hugetlb code were not correct. A…

19 December 2007

USN-557-1: GD library vulnerability

Mattias Bengtsson and Philip Olausson discovered that the GD library did not properly perform bounds checking when creating images. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code.

18 December 2007

USN-556-1: Samba vulnerability

Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in…

18 December 2007

USN-550-3: Cairo regression

USN-550-1 fixed vulnerabilities in Cairo. A bug in font glyph rendering was uncovered as a result of the new memory allocation routines. In certain situations, fonts containing characters with no width or height would not render any more. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Peter…

13 December 2007

USN-550-2: Cairo regression

USN-550-1 fixed vulnerabilities in Cairo. The upstream fixes were incomplete, and under certain situations, applications using Cairo would crash with a floating point error. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Peter Valchev discovered that Cairo did not correctly decode PNG image…

10 December 2007

USN-555-1: e2fsprogs vulnerability

Rafal Wojtczuk discovered multiple integer overflows in e2fsprogs. If a user or automated system were tricked into fscking a malicious ext2/ext3 filesystem, a remote attacker could execute arbitrary code with the user’s privileges.

8 December 2007

USN-554-1: teTeX and TeX Live vulnerabilities

Bastien Roucaries discovered that dvips as included in tetex-bin and texlive-bin did not properly perform bounds checking. If a user or automated system were tricked into processing a specially crafted dvi file, dvips could be made to crash and execute code as the user invoking the program. (CVE-2007-5935) Joachim Schrod discovered that the…

6 December 2007

USN-553-1: Mono vulnerability

It was discovered that Mono did not correctly bounds check certain BigInteger actions. Remote attackers could exploit this to crash a Mono application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-552-1: Perl vulnerability

It was discovered that Perl’s regular expression library did not correctly handle certain UTF sequences. If a user or automated system were tricked into running a specially crafted regular expression, a remote attacker could crash the application or possibly execute arbitrary code with user privileges.

4 December 2007

USN-546-2: Firefox regression

USN-546-1 fixed vulnerabilities in Firefox. The upstream update included a faulty patch which caused the drawImage method of the canvas element to fail. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:“…

4 December 2007

USN-551-1: OpenLDAP vulnerabilities

Thomas Sesselmann discovered that the OpenLDAP slapd server did not properly handle certain modify requests. A remote attacker could send malicious modify requests to the server and cause a denial of service. (CVE-2007-5707) Toby Blake discovered that slapd did not properly terminate an array while running as a proxy-caching server. A…

4 December 2007

USN-549-2: PHP regression

USN-549-1 fixed vulnerabilities in PHP. However, some upstream changes were incomplete, which caused crashes in certain situations with Ubuntu 7.10. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the wordwrap function did not correctly check lengths. Remote attackers…

3 December 2007

USN-550-1: Cairo vulnerability

Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with user privileges.

3 December 2007

USN-549-1: PHP vulnerabilities

It was discovered that the wordwrap function did not correctly check lengths. Remote attackers could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-3998) Integer overflows were discovered in the strspn and strcspn functions. Attackers could exploit this to read arbitrary areas of memory,…

29 November 2007

USN-548-1: Pidgin vulnerability

It was discovered that Pidgin did not correctly handle certain logging events. A remote attacker could send specially crafted messages and cause the application to crash, leading to a denial of service.

28 November 2007

USN-547-1: PCRE vulnerabilities

Tavis Ormandy and Will Drewry discovered multiple flaws in the regular expression handling of PCRE. By tricking a user or service into running specially crafted expressions via applications linked against libpcre3, a remote attacker could crash the application, monopolize CPU resources, or possibly execute arbitrary code with the application’s…

27 November 2007

USN-546-1: Firefox vulnerabilities

It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:” contents. A malicious web site could exploit this to modify or steal confidential data (such as passwords) from other web sites. (CVE-2007-5947) Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a…

26 November 2007

USN-545-1: link-grammar vulnerability

Alin Rad Pop discovered that AbiWord’s Link Grammar parser did not correctly handle overly-long words. If a user were tricked into opening a specially crafted document, AbiWord, or other applications using Link Grammar, could be made to crash.

26 November 2007

USN-544-2: Samba regression

USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these…

16 November 2007

USN-544-1: Samba vulnerabilities

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered…

16 November 2007

USN-542-2: KOffice vulnerabilities

USN-542-1 fixed a vulnerability in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly…

15 November 2007

USN-542-1: poppler vulnerabilities

Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the user’s privileges in applications linked against poppler.

14 November 2007

USN-541-1: Emacs vulnerability

Drake Wilson discovered that Emacs did not correctly handle the safe mode of “enable-local-variables”. If a user were tricked into opening a specially crafted file while “enable-local-variables” was set to the non-default “:safe”, a remote attacker could execute arbitrary commands with the user’s privileges.

13 November 2007

USN-540-1: flac vulnerability

Sean de Regge discovered that flac did not properly perform bounds checking in many situations. An attacker could send a specially crafted FLAC audio file and execute arbitrary code as the user or cause a denial of service in flac or applications that link against flac.

13 November 2007

USN-539-1: CUPS vulnerability

Alin Rad Pop discovered that CUPS did not correctly validate buffer lengths when processing IPP tags. Remote attackers successfully exploiting this vulnerability would gain access to the non-root CUPS user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.

6 November 2007

USN-537-2: Compiz vulnerability

USN-537-1 fixed vulnerabilities in gnome-screensaver. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes related problems in compiz. Original advisory details: Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard…

2 November 2007

USN-538-1: libpng vulnerabilities

It was discovered that libpng did not properly perform bounds checking and comparisons in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng.

25 October 2007

USN-537-1: gnome-screensaver vulnerability

Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard lock focus. A local attacker could exploit this to bypass the user’s locked screen saver.

23 October 2007

USN-531-2: dhcp vulnerability

USN-531-1 fixed vulnerabilities in dhcp. The fixes were incomplete, and only reduced the scope of the vulnerability, without fully solving it. This update fixes the problem. Original advisory details: Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send …

23 October 2007

USN-536-1: Thunderbird vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5339, CVE-2007-5340) Flaws were discovered in the file upload form control. By tricking a user into opening a malicious web page, an attacker could…

23 October 2007

USN-535-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user’s privileges. (CVE-2007-5336, CVE-2007-5339, CVE-2007-5340) Michal Zalewski discovered that the onUnload event handlers were incorrectly able to access information outside…

22 October 2007

USN-501-2: Ghostscript vulnerability

USN-501-1 fixed vulnerabilities in Jasper. This update provides the corresponding update for the Jasper internal to Ghostscript. Original advisory details: It was discovered that Jasper did not correctly handle corrupted JPEG2000 images. By tricking a user into opening a specially crafted JPG, a remote attacker could cause the application…

22 October 2007

USN-534-1: OpenSSL vulnerability

Andy Polyakov discovered that the DTLS implementation in OpenSSL was vulnerable. A remote attacker could send a specially crafted connection request to services using DTLS and execute arbitrary code with the service’s privileges. There are no known Ubuntu applications that are currently using DTLS.

22 October 2007

USN-531-1: dhcp vulnerability

Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not correctly handle certain client options. A remote attacker could send malicious DHCP replies to the server and execute arbitrary code.

22 October 2007