July 02, 2009 10:21
Debian: New vlc packages fix several vulnerabilities

Several vulnerabilities have been discovered in vlc, a multimedia player and streamer. Drew Yao discovered that multiple integer overflows in the MP4 demuxer, Real demuxer and Cinepak codec can lead to the execution of arbitrary code. Drew Yao discovered that the Cinepak codec is prone to a memory corruption, which can be triggered by a crafted Cinepak file. Luigi Auriemma discovered that it is possible to execute arbitrary code via a long subtitle in an SSA file. It was discovered that vlc is prone to a search path vulnerability, which allows local users to perform privilege escalations. Alin Rad Pop discovered that it is possible to execute arbitrary code when opening a WAV file containing a large fmt chunk. Pınar Yanardağ discovered that it is possible to execute arbitrary code when opening a crafted mmst link. Tobias Klein discovered that it is possible to execute arbitrary code when opening a crafted .ty file. Tobias Klein discovered that it is possible to execute arbitrary code when opening an invalid CUE image file with a crafted header. Updated packages are available from security.debian.org.

July 02, 2009 10:19
Debian: New gforge packages fix insufficient input saniti...

Laurent Almeras and Guillaume Smet have discovered a possible SQL injection vulnerability and cross-site scripting vulnerabilities in gforge, a collaborative development tool. Due to insufficient input sanitising, it was possible to inject arbitrary SQL statements and use several parameters to conduct cross-site scripting attacks. Updated packages are available from security.debian.org.

July 02, 2009 10:18
Debian: New ctorrent packages fix arbitrary code execution

Michael Brooks discovered that ctorrent, a text-mode bittorrent client, does not verify the length of file paths in torrent files. An attacker can exploit this via a crafted torrent that contains a long file path to execute arbitrary code with the rights of the user opening the file. Updated packages are available from security.debian.org.

July 02, 2009 10:17
Red Hat: Updated acroread packages fix multiple security ...

Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Multiple security flaws were discovered in Adobe Reader. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. Updated packages are available from updates.redhat.com.

July 02, 2009 10:14
Red Hat: Updated httpd packages fix multiple security issues

The Apache HTTP Server is a popular Web server. An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments, which could potentially lead to the disclosure of sensitive information or a denial of service (application crash). A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. Updated packages are available from updates.redhat.com.

July 02, 2009 10:11
Red Hat: Updated apr-util packages fix multiple security ...

apr-util is a utility library used with the Apache Portable Runtime (APR). An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments, which could potentially lead to the disclosure of sensitive information or a denial of service (application crash). A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser that would cause excessive memory consumption when processed by the XML decoding engine. A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. Updated packages are available from updates.redhat.com.

July 02, 2009 10:08
Red Hat: Updated kernel packages fix several security issues

The kernel packages contain the Linux kernel, the core of any Linux operating system. Several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. A flaw in the Linux kernel Network File System daemon (nfsd) implementation could possibly lead to an information leak or privilege escalation. Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations, which could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. A missing check was found in the hypervisor_callback() function, which could cause a denial of service of a Xen guest. A flaw was found in the AGPGART driver, which could possibly lead to an information leak. Updated packages are available from updates.redhat.com.

July 02, 2009 10:05
Debian: New apache2 packages fix privilege escalation

It was discovered that the Apache web server did not properly handle the “Options=” parameter to the AllowOverride directive, leading to a privilege escalation. Updated packages are available from security.debian.org.

July 02, 2009 10:02
SuSE: New MozillaFirefox packages fix remote code execution

The Mozilla Firefox browser was updated to version 3.0.11, fixing various security issues, including crashes with evidence of memory corruption, URL spoofing with invalid Unicode characters, arbitrary domain cookie access by local file: resources, SSL tampering via non-200 responses to proxy CONNECT requests, a race condition while accessing the private data of a NPObject JS wrapper class object, arbitrary code execution using event listeners attached to an element whose owner document is null, incorrect principal set for file: resources loaded via location bar, XUL scripts bypass content-policy checks, and a JavaScript chrome privilege escalation. Updated packages are available from download.opensuse.org.

July 02, 2009 09:44
SuSE: New kernel packages fix remote code execution

This update of the Linux kernel for SUSE Linux Enterprise Server 9 SP4 contains various security fixes. nfsd allows local users to create device nodes. A buffer overflow in CIFS allows remote attackers to cause a denial of service (crash) or potential code execution. The exit_notify function allows local users to send an arbitrary signal to a process. The shm subsystem misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang). An integer overflow in rose_sendmsg might allow attackers to obtain sensitive information. Updated packages are available from download.opensuse.org.

July 02, 2009 09:43
Red Hat: An updated cscope package fixes multiple securit...

cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. Updated packages are available from updates.redhat.com.

July 02, 2009 09:40
Red Hat: An updated cscope package fixes multiple securit...

cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. Updated packages are available from updates.redhat.com.

July 02, 2009 09:36
Red Hat: Updated wireshark packages fix several security ...

Wireshark is a program for monitoring network traffic. A format string flaw was found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. Updated packages are available from updates.redhat.com.

July 02, 2009 09:32
Debian: New libtorrent-rasterbar packages fix denial of s...

It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files. Updated packages are available from security.debian.org.

July 02, 2009 09:31
Debian: New libsndfile packages fix arbitrary code execution

Two vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. Tobias Klein discovered that the VOC parsing routines suffer from a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header. The vendor discovered that the AIFF parsing routines suffer from a heap-based buffer overflow which can be triggered by an attacker via a crafted AIFF header. Updated packages are available from security.debian.org.

July 02, 2009 09:29
Red Hat: Updated seamonkey packages fix several security ...

SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. A flaw was found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. Updated packages are available from updates.redhat.com.

July 01, 2009 09:03
Red Hat: Updated firefox packages fix several security is...

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site. A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. Updated packages are available from updates.redhat.com.

July 01, 2009 09:01
Red Hat: Updated mod_jk packages fix one security issue

mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the Apache HTTP Server to communicate with each other. An information disclosure flaw was found in mod_jk. In certain situations, if a faulty client set the “Content-Length” header without providing data, or if a user sent repeated requests very quickly, one user may view a response intended for another user. Updated packages are available from updates.redhat.com.

July 01, 2009 08:58
SuSE: New kernel packages fix remote code execution

This Linux kernel update for SUSE Linux Enterprise 11 and openSUSE 11.1 fixes some security issues, including a buffer overflow in CIFS, which allows remote attackers to cause a denial of service (crash) or potential code execution. The exit_notify function allows local users to send an arbitrary signal to a process. An integer overflow in rose_sendmsg might allow attackers to obtain sensitive information via a large length value. The VMX implementation in the KVM subsystem allows guest OS users to cause a denial of service (OOPS). The __inet6_check_established function allows remote attackers to cause a denial of service (NULL pointer dereference and system crash). The agp subsystem does not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. Updated packages are available from download.opensuse.org.

July 01, 2009 08:52
SuSE: New kernel packages fix remote code execution

This kernel update for openSUSE 11.0 fixes several security problems, including a buffer overflow in the Stream Control Transmission Protocol (sctp) implementation that allows remote attackers to execute code. The nfs_permission function in the NFS client implementation allows local users to bypass permissions and execute files. The audit_syscall_entry function allows local users to bypass certain syscall audit configurations via crafted syscalls. nfsd did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes. The seccomp subsystem allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod. A buffer overflow in CIFS allows remote attackers to cause a denial of service (crash) or potential code execution. The exit_notify function did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process. The shm subsystem misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang). The VMX implementation in the KVM subsystem allows guest OS users to cause a denial of service (OOPS). Updated packages are available from download.opensuse.org.

June 29, 2009 10:01
SuSE: New kernel packages fix remote code execution

This kernel update for openSUSE 10.3 fixes some bugs and several security problems, including a buffer overflow in the Stream Control Transmission Protocol (sctp) implementation that allows remote attackers to execute code. A buffer overflow in CIFS allows remote attackers to cause a denial of service (crash) or potential code execution. The exit_notify function did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process. The shm subsystem misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang). An integer overflow in rose_sendmsg might allow attackers to obtain sensitive information. The clone system call in the kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process. Updated packages are available from download.opensuse.org.

June 29, 2009 09:59
Debian: New evolution-data-server packages fix several vu...

Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service. Updated packages are available from security.debian.org.

June 07, 2009 16:03
Debian: New apr-util packages fix several vulnerabilities

Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. “kcope” discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. Updated packages are available from security.debian.org.

June 07, 2009 16:01
Red Hat: Updated cups packages that fix one security issue

The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The Internet Printing Protocol (IPP) allows users to print and manage printing-related tasks over a network. A NULL pointer dereference flaw was found in the CUPS IPP routine, used for processing incoming IPP requests for the CUPS scheduler. An attacker could use this flaw to send specially-crafted IPP requests that would crash the cupsd daemon. Updated packages are available from updates.redhat.com.

June 07, 2009 11:31
Red Hat: Updated kernel-rt packages that fix several secu...

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. A buffer overflow flaw was found in the Common Internet File System (CIFS) implementation. When mounting a CIFS share, a malicious server could send an overly-long string to the client, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. The Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. A deficiency was found in the signals implementation. The kill_something_info() function did not check if a process was outside the caller’s namespace before sending the kill signal, making it possible to kill processes in all process ID (PID) namespaces, breaking PID namespace isolation. A flaw was found in the AGPGART driver which could possibly lead to an information leak. Updated packages are available from updates.redhat.com.

June 07, 2009 11:30
Debian: New cups/cupsys packages fix denial of service

Anibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon. Updated packages are available from security.debian.org.

June 07, 2009 11:29
Debian: New libapache-mod-jk packages fix information dis...

An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the “Content-Length” header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. Updated packages are available from security.debian.org.

June 07, 2009 11:27
Debian: New Linux 2.6.26 packages fix several vulnerabili...

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). Updated packages are available from security.debian.org.

June 07, 2009 11:24
Debian: New drupal6 packages fix insufficient input sanit...

Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability. Updated packages are available from security.debian.org.

June 07, 2009 11:20
Debian: New cyrus-sasl2 packages fix arbitrary code execu...

James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Updated packages are available from security.debian.org.
