Section: .. / 0702-advisories /
| /// File Name: |
MDKSA-2007-035.txt |
Description:
|
Mandriva Linux Security Advisory - Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 5939 | | Related CVE(s): | CVE-2007-0455 | | Last Modified: | Feb 7 23:50:55 2007 |
| MD5 Checksum: | b0e2205e003202d4cdf6601c6145583c |
|
| /// File Name: |
MDKSA-2007-036.txt |
Description:
|
Mandriva Linux Security Advisory - Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Libwmf uses an embedded copy of the gd source and may also be affected by this issue.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 5324 | | Related CVE(s): | CVE-2007-0455 | | Last Modified: | Feb 7 23:51:29 2007 |
| MD5 Checksum: | a701c4fd1a070d4de0401eff706afec3 |
|
| /// File Name: |
MDKSA-2007-037-1.txt |
Description:
|
Mandriva Security Advisory - Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. A user could then exploit this to crash the database server or read out arbitrary locations of the server's memory, which could be used to retrieve database contents that the user should not be able to see. Note that a user must be authenticated in order to exploit this. As well, Jeff Trout also discovered that the query planner did not verify that a table was still compatible with a previously-generated query plan, which could be exploited to read out arbitrary locations of the server's memory by using ALTER COLUMN TYPE during query execution. Again, a user must be authenticated in order to exploit this.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 9129 | | Related CVE(s): | CVE-2007-0555, CVE-2007-0556 | | Last Modified: | Feb 13 00:57:58 2007 |
| MD5 Checksum: | 03ee161b8df333666d71a19c0f9b6f14 |
|
| /// File Name: |
MDKSA-2007-037.txt |
Description:
|
Mandriva Linux Security Advisory - Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. A user could then exploit this to crash the database server or read out arbitrary locations of the server's memory, which could be used to retrieve database contents that the user should not be able to see. Note that a user must be authenticated in order to exploit this. As well, Jeff Trout also discovered that the query planner did not verify that a table was still compatible with a previously-generated query plan, which could be exploited to read out arbitrary locations of the server's memory by using ALTER COLUMN TYPE during query execution. Again, a user must be authenticated in order to exploit this.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 15287 | | Related CVE(s): | CVE-2007-0555, CVE-2007-0556 | | Last Modified: | Feb 7 23:52:45 2007 |
| MD5 Checksum: | 81f44b9308ec2b32d0d8a7917460d268 |
|
| /// File Name: |
MDKSA-2007-038.txt |
Description:
|
Mandriva Linux Security Advisory - PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. PHP uses an embedded copy of GD and may be susceptible to the same issue.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 9964 | | Related CVE(s): | CVE-2006-6383, CVE-2007-0455 | | Last Modified: | Feb 7 23:53:55 2007 |
| MD5 Checksum: | 5d5e1a8c4a3611075117ca91b0bbc976 |
|
| /// File Name: |
MDKSA-2007-039.txt |
Description:
|
Mandriva Linux Security Advisory - The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. The version of libgtk+2.0 shipped with Mandriva Linux 2007 fails various portions of the lsb-test-desktop test suite, part of LSB 3.1 certification testing.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 7569 | | Related CVE(s): | CVE-2007-0010 | | Last Modified: | Feb 8 00:36:15 2007 |
| MD5 Checksum: | 643f32d39f38c0b82fd18855faf533bc |
|
| /// File Name: |
MDKSA-2007-040.txt |
Description:
|
Mandriva Linux Security Advisory - The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4, as well as the 2.6 kernel, does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. The listxattr syscall can corrupt user space under certain circumstances. The problem seems to be related to signed/unsigned conversion during size promotion. The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures. The mincore function in the Linux kernel before 2.4.33.6, as well as the 2.6 kernel, does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 5305 | | Related CVE(s): | CVE-2006-5749, CVE-2006-5753, CVE-2006-6053, CVE-2006-4814 | | Last Modified: | Feb 8 00:37:30 2007 |
| MD5 Checksum: | fab3fc7d2c5787fc89ce56494a201b64 |
|
| /// File Name: |
MDKSA-2007-041.txt |
Description:
|
Mandriva Security Advisory - Vladimir Nadvornik discovered that a buffer overflow in GraphicsMagick and ImageMagick allows user-assisted attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 7112 | | Related CVE(s): | CVE-2007-0770 | | Last Modified: | Feb 13 01:31:58 2007 |
| MD5 Checksum: | 628ffe56a059bca2328160725c889212 |
|
| /// File Name: |
MDKSA-2007-043.txt |
Description:
|
Mandriva Security Advisory - Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 7865 | | Related CVE(s): | CVE-2007-0898, CVE-2007-0897 | | Last Modified: | Feb 19 20:32:27 2007 |
| MD5 Checksum: | 8069e7901e707d1a9208bbdcb33c9a41 |
|
| /// File Name: |
MDKSA-2007-044.txt |
Description:
|
Mandriva Security Advisory - A format string flaw was discovered in how ekiga processes certain messages, which could permit a remote attacker that can connect to ekiga to potentially execute arbitrary code with the privileges of the user running ekiga.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2376 | | Related CVE(s): | CVE-2007-1006 | | Last Modified: | Feb 23 19:08:36 2007 |
| MD5 Checksum: | b04da0ad9b3113a0763d2af567e505e3 |
|
| /// File Name: |
MDKSA-2007-045.txt |
Description:
|
Mandriva Security Advisory - A format string flaw was discovered in how GnomeMeeting processes certain messages, which could permit a remote attacker that can connect to GnomeMeeting to potentially execute arbitrary code with the privileges of the user running GnomeMeeting.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2447 | | Related CVE(s): | CVE-2007-1007 | | Last Modified: | Feb 23 19:09:11 2007 |
| MD5 Checksum: | 7019454b07654452610ad31eebd0139c |
|
| /// File Name: |
MDKSA-2007-046.txt |
Description:
|
Mandriva Security Advisory - Gnucash versions 2.0.4 and earlier allow local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 3245 | | Related CVE(s): | CVE-2007-0007 | | Last Modified: | Feb 23 19:10:06 2007 |
| MD5 Checksum: | 8d141b4bf9618a03f0f4c24f90e06cd4 |
|
| /// File Name: |
MDKSA-2007-047.txt |
Description:
|
Mandriva Security Advisory - Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel. A double free vulnerability in the squashfs module could allow a local user to cause a Denial of Service by mounting a crafted squashfs filesystem. The zlib_inflate function allows local users to cause a crash via a malformed filesystem that uses zlib compression that triggers memory corruption. The key serial number collision avoidance code in the key_alloc_serial function in kernels 2.6.9 up to 2.6.20 allows local users to cause a crash via vectors that will trigger a null dereference. The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 4757 | | Related CVE(s): | CVE-2006-5701, CVE-2006-5823, CVE-2007-0006 | | Last Modified: | Feb 23 20:41:13 2007 |
| MD5 Checksum: | d7df8353a48d46de10cb6d602dfe77c9 |
|
| /// File Name: |
MDKSA-2007-048.txt |
Description:
|
Mandriva Security Advisory - Many buffer overflow flaws were discovered in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. An attacker able to use a PHP application using any of these functions could trigger these flaws and possibly execute arbitrary code as the apache user. A one-byte memory read will always occur prior to the beginning of a buffer, which could be triggered, for example, by any use of the header() function in a script. The wddx extension, if used to import WDDX data from an untrusted source, may allow a random portion of heap memory to be exposed due to certain WDDX input packets. The odbc_result_all() function, if used to display data from a database, and if the contents of the database are under the control of an attacker, could lead to the execution of arbitrary code due to a format string vulnerability. Several flaws in PHP could allow attackers to clobber certain super-global variables via unspecified vectors. The zend_hash_init() function can be forced into an infinite loop if unserializing untrusted data on a 64-bit platform, resulting in the consumption of CPU resources until the script timeout alarm aborts the execution of the script.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 14576 | | Related CVE(s): | CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 | | Last Modified: | Feb 23 21:54:00 2007 |
| MD5 Checksum: | fcf252091d0bd2a2ca2cc2b59d97ab67 |
|
| /// File Name: |
MDKSA-2007-049.txt |
Description:
|
Mandriva Security Advisory - A bug in the way that SpamAssassin processes HTML emails containing URIs was discovered in versions 3.1.x. A carefully crafted mail message could make SpamAssassin consume significant amounts of CPU resources that could delay or prevent the delivery of mail if a number of these messages were sent at once. SpamAssassin has been upgraded to version 3.1.8 to correct this problem, and other upstream bugs. In addition, an invalid path setting in local.cf for the auto_whitelist_path has been fixed for Mandriva 2007.0.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 4773 | | Related CVE(s): | CVE-2007-0451 | | Last Modified: | Feb 27 19:36:48 2007 |
| MD5 Checksum: | f4d8a1a4346dd02fafbba6c3cd88b3f7 |
|
| /// File Name: |
MDKSA-2007-050.txt |
Description:
|
Mandriva Security Advisory - A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.10.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 38268 | | Related CVE(s): | CVE-2006-6077, CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0777, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996, CVE-2007-1092 | | Last Modified: | Mar 5 23:36:13 2007 |
| MD5 Checksum: | 15b10f6ffa7af181925ec1386a74cb9c |
|
| /// File Name: |
MDKSA-2007-051.txt |
Description:
|
Mandriva Security Advisory - An algorithmic complexity vulnerability in Snort before 2.6.1, during predicate evaluation in rule matching for certain rules, allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a backtracking attack.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 10472 | | Related CVE(s): | CVE-2006-6931 | | Last Modified: | Mar 6 00:06:51 2007 |
| MD5 Checksum: | 53d7d5dd9bc1a6b957702dff664a6cfc |
|
| /// File Name: |
mscbo-overflow.txt |
Description:
|
Microsoft Interactive Training suffers from a buffer overflow vulnerability when accessing files with .cbo extensions.
| | Author: | Brett Moore | | File Size: | 2226 | | Last Modified: | Feb 14 15:43:54 2007 |
| MD5 Checksum: | 4578d86f1a30073759832f0148f70941 |
|
| /// File Name: |
mtcms.txt |
Description:
|
MTCMS version 2.2 suffers from upload and cross site scripting vulnerabilities.
| | Author: | laurent gaffi | | File Size: | 443 | | Last Modified: | Feb 27 19:32:29 2007 |
| MD5 Checksum: | bb98b497f1080db42973e68d02402849 |
|
| /// File Name: |
n.runs-SA-2007.001.txt |
Description:
|
A flaw in an authorization component allows for unauthorized access to the Wireless LAN through a Captive Portal, VPN, and administrative access using either the web-based administration or the command line interface. This vulnerability affects all versions of the Aruba Controller beginning with version 2.3.
| | Homepage: | http://www.nruns.com/ | | File Size: | 3286 | | Last Modified: | Feb 14 15:02:05 2007 |
| MD5 Checksum: | 6980987bd144f6f1768b0d92349b39ab |
|
| /// File Name: |
n.runs-SA-2007.002.txt |
Description:
|
Both the command line based and the web based management interface of the Aruba Mobility Controller are vulnerable to a heap based buffer overflow when overly long strings are passed as credentials. This can potentially lead to remote code execution, resulting in a system compromise.
| | Homepage: | http://www.nruns.com/ | | File Size: | 2905 | | Last Modified: | Feb 14 15:02:47 2007 |
| MD5 Checksum: | 396ed1146e2c0f39a31d176df2aa7044 |
|
| /// File Name: |
NDSA20070206.txt.asc |
Description:
|
Nth Dimension Security Advisory (NDSA20070206) - The FreeProxy HTTP proxy server suffers from a denial of service condition which causes the server to hang. This occurs when an attacker makes a request for the hostname/portnumber combination in use by the server itself.
| | Author: | Tim Brown | | Homepage: | http://www.nth-dimension.org.uk/ | | File Size: | 1582 | | Last Modified: | Feb 8 00:22:48 2007 |
| MD5 Checksum: | 0f9d113c539cc7f6a8c443c154d5ef25 |
|
| /// File Name: |
NGS00401.txt |
Description:
|
BrightStor ARCserve Backup for Laptops and Desktops r11.1 suffers from a remote resource exhaustion vulnerability. By sending a specially crafted series of packets to the LGSERVER.EXE process that listens on TCP port 2200, it is possible to cause LGSERVER.EXE to write very large files to the system disk. In addition, the LGSERVER.EXE process becomes unresponsive until the file has been written.
| | Author: | Mark Litchfield, John Heasman | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 9614 | | Last Modified: | Jan 31 23:45:51 2007 |
| MD5 Checksum: | f96044c51bcb9897bf083cf6eebbb52b |
|
| /// File Name: |
NGS00402.txt |
Description:
|
BrightStor ARCserve Backup for Laptops and Desktops r11.1 suffers from a remote denial of service vulnerability. By sending a specially crafted series of packets to the LGSERVER.EXE process that listens on TCP port 2200, it is possible to cause the process to terminate.
| | Author: | Mark Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2338 | | Last Modified: | Jan 31 23:44:38 2007 |
| MD5 Checksum: | 865b0f8edf04493798df6cd6397e3b54 |
|