Showing headlines posted by dave


Debian alert: New xpcd packages fix buffer overflow

  • Mailing list (Posted by dave on Aug 8, 2003 6:08 AM EDT)
  • Story Type: Security; Groups: Debian
Steve Kemp discovered a buffer overflow in xpcd-svga which can be triggered by a long HOME environment variable. This vulnerability could be exploited by a local attacker to gain root privileges.

Debian alert: New xtokkaetama packages fix buffer overflow

  • Mailing list (Posted by dave on Aug 8, 2003 6:00 AM EDT)
  • Story Type: Security; Groups: Debian
Another buffer overflow was discovered in xtokkaetama, involving the "-nickname" command line option. This vulnerability could be exploited by a local attacker to gain gid 'games'.

Debian alert: New man-db packages fix problem with DSA-364-1

  • Mailing list (Posted by dave on Aug 8, 2003 5:51 AM EDT)
  • Story Type: Security; Groups: Debian
The previous man-db update (DSA-364-1) introduced an error which resulted in a segmentation fault in the "mandb" command, which runs part of the daily cron job. This error was caused by allocating a memory region which was one byte too small to hold the data written into it.

Debian alert: New eroaster packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Aug 5, 2003 7:04 PM EDT)
  • Story Type: Security; Groups: Debian
eroaster, a frontend for burning CD-R media using cdrecord, does not take appropriate security precautions when creating a temporary file for use as a lockfile. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

Debian alert: New phpgroupware packages fix several vulnerabilities

  • Mailing list (Posted by dave on Aug 5, 2003 6:56 PM EDT)
  • Story Type: Security; Groups: Debian
Several vulnerabilities have been discovered in phpgroupware:

Debian alert: New kernel packages fix potential "oops"

  • Mailing list (Posted by dave on Aug 5, 2003 4:58 AM EDT)
  • Story Type: Security; Groups: Debian
This advisory provides a correction to the previous kernel updates, which contained an error introduced in kernel-source-2.4.18 version 2.4.18-7. This error could result in a kernel "oops" under certain circumstances.

Debian alert: New kernel packages fix potential "oops"

  • Mailing list (Posted by dave on Aug 4, 2003 6:00 PM EDT)
  • Story Type: Security; Groups: Debian
This advisory provides a correction to the previous kernel updates, which contained an error introduced in kernel-source-2.4.18 version 2.4.18-7. This error could result in a kernel "oops" under certain circumstances.

Debian alert: New man-db packages fix buffer overflows, arbitrary command execution

  • Mailing list (Posted by dave on Aug 4, 2003 4:37 PM EDT)
  • Story Type: Security; Groups: Debian
man-db provides the standard man(1) command on Debian systems. During configuration of this package, the administrator is asked whether man(1) should run setuid to a dedicated user ("man") in order to provide a shared cache of preformatted manual pages. The default is for man(1) NOT to be setuid, and in this configuration no known vulnerability exists. However, if the user explicitly requests setuid operation, a local attacker could exploit either of the following bugs to execute arbitrary code as the "man" user.

Red Hat alert: New postfix packages fix security issues.

  • Mailing list (Posted by dave on Aug 4, 2003 6:47 AM EDT)
  • Story Type: Security; Groups: Red Hat
New Postfix packages that fix two potential security issues are now available.

SuSE alert: postfix

  • Mailing list (Posted by dave on Aug 4, 2003 4:15 AM EDT)
  • Story Type: Security; Groups: SUSE
Postfix is a flexible MTA replacement for sendmail. Michal Zalewski has reported problems in postfix which can lead to a remote DoS attack or allow attackers to bounce-scan private networks. These problems have been fixed. Even though not all of our products are vulnerable in their default configurations, the updates should be applied.

Debian alert: New postfix packages fix remote denial of service, bounce scanning

  • Mailing list (Posted by dave on Aug 3, 2003 2:25 PM EDT)
  • Story Type: Security; Groups: Debian
The postfix mail transport agent in Debian 3.0 contains two vulnerabilities:

Debian alert: New mindi packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Aug 2, 2003 1:25 PM EDT)
  • Story Type: Security; Groups: Debian
mindi, a program for creating boot/root disks, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running mindi.

Slackware alert: KDE packages updated (SSA:2003-213-01)

New KDE packages are available for Slackware 9.0. These address a security issue where Konqueror may leak authentication credentials.

Debian alert: New kdelibs packages fix several vulnerabilities

  • Mailing list (Posted by dave on Aug 1, 2003 2:46 PM EDT)
  • Story Type: Security; Groups: Debian
Two vulnerabilities were discovered in kdelibs:

Debian alert: New xfstt packages fix several vulnerabilities

  • Mailing list (Posted by dave on Aug 1, 2003 5:05 AM EDT)
  • Story Type: Security; Groups: Debian
xfstt, a TrueType font server for the X window system, was found to contain two classes of vulnerabilities:

Mandrake alert: Updated kdelibs packages fix konqueror authentication leak

A vulnerability in Konqueror was discovered where it could inadvertently send authentication credentials to websites other than the intended site in clear text via the HTTP-referer header when authentication credentials are passed as part of a URL in the form http://user:password@host/.

Debian alert: New atari800 packages fix buffer overflows

  • Mailing list (Posted by dave on Jul 31, 2003 6:08 PM EDT)
  • Story Type: Security; Groups: Debian
Steve Kemp discovered multiple buffer overflows in atari800, an Atari emulator. In order to directly access graphics hardware, one of the affected programs is setuid root. A local attacker could exploit this vulnerability to gain root privileges.

Debian alert: New kernel source and i386, alpha kernel images fix multiple vulnerabilities

  • Mailing list (Posted by dave on Jul 31, 2003 5:57 PM EDT)
  • Story Type: Security; Groups: Debian
A number of vulnerabilities have been discovered in the Linux kernel.

Debian alert: New wu-ftpd packages fix buffer overflow

  • Mailing list (Posted by dave on Jul 31, 2003 2:01 PM EDT)
  • Story Type: Security; Groups: Debian
iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.

Mandrake alert: Updated wu-ftpd packages fix remote root vulnerability

A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by-one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully exploited when using wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters.
