Showing headlines posted by dave

Red Hat alert: Updated Xpdf packages fix security vulnerability.

  • Mailing list (Posted by dave on Jul 17, 2003 12:41 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Xpdf packages are available that fix a vulnerability where a malicious PDF document could run arbitrary code. [Updated 16 July 2003] Updated packages are now available, as the original errata packages did not fix all possible ways of exploiting this vulnerability.

Debian alert: New php4 packages fix cross-site scripting vulnerability

  • Mailing list (Posted by dave on Jul 16, 2003 3:42 PM EDT)
  • Story Type: Security; Groups: Debian
The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.

Mandrake alert: Updated kernel packages fix multiple vulnerabilities

Multiple vulnerabilities were discovered and fixed in the Linux kernel.

Slackware alert: nfs-utils packages replaced (SSA:2003-195-01b)

New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to replace the ones that were issued yesterday. A bug has been fixed in utils/mountd/auth.c that could cause mountd to crash.

Debian alert: New falconseye packages fix buffer overflow

  • Mailing list (Posted by dave on Jul 15, 2003 5:06 AM EDT)
  • Story Type: Security; Groups: Debian
The falconseye package is vulnerable to a buffer overflow exploited via a long '-s' command line option. This vulnerability could be used by an attacker to gain gid 'games' on a system where falconseye is installed.

SuSE alert: nfs-utils

  • Mailing list (Posted by dave on Jul 15, 2003 4:30 AM EDT)
  • Story Type: Security; Groups: SUSE
The nfs-utils package contains various programs to offer and manage certain RPC services such as rpc.mountd. iSEC Security Research has reported an off-by-one bug in the xlog() function used by rpc.mountd. It is possible for remote attackers to use this off-by-one overflow to execute arbitrary code as root. Some of the products listed above do not seem to be vulnerable to this one-byte overflow due to the stack alignment generated by the compiler during the build. Nevertheless, since there is no easy workaround except shutting down the RPC services, an update is strongly recommended for every product listed above.

Red Hat alert: Updated Mozilla packages fix security vulnerability

  • Mailing list (Posted by dave on Jul 14, 2003 11:57 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Mozilla packages fixing various bugs and security issues are now available.

Slackware alert: nfs-utils off-by-one overflow fixed

New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem.

Debian alert: New nfs-utils package fixes buffer overflow

  • Mailing list (Posted by dave on Jul 14, 2003 10:47 AM EDT)
  • Story Type: Security; Groups: Debian
The logging code in nfs-utils contains an off-by-one buffer overrun when adding a newline to the string being logged. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition by sending certain RPC requests.

Red Hat alert: Updated nfs-utils packages fix denial of service vulnerability

  • Mailing list (Posted by dave on Jul 14, 2003 8:10 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated nfs-utils packages are available that fix a remotely exploitable Denial of Service vulnerability.

Debian alert: New traceroute-nanog packages fix integer overflow

  • Mailing list (Posted by dave on Jul 13, 2003 8:42 PM EDT)
  • Story Type: Security; Groups: Debian
traceroute-nanog, an enhanced version of the common traceroute program, contains an integer overflow bug which could be exploited to execute arbitrary code. traceroute-nanog is setuid root, but drops root privileges immediately after obtaining raw ICMP and raw IP sockets. Thus, exploitation of this bug provides only access to these sockets, and not root privileges.

Debian alert: New teapop packages fix SQL injection

  • Mailing list (Posted by dave on Jul 8, 2003 7:28 PM EDT)
  • Story Type: Security; Groups: Debian
teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

Debian alert: New phpsysinfo packages fix directory traversal

  • Mailing list (Posted by dave on Jul 8, 2003 6:27 PM EDT)
  • Story Type: Security; Groups: Debian
Albert Puigsech Galicia <ripe@7a69ezine.org> reported that phpsysinfo, a web-based program to display status information about the system, contains two vulnerabilities which could allow local files to be read, or arbitrary PHP code to be executed, under the privileges of the web server process (usually www-data). These vulnerabilities require access to a writable directory on the system in order to be exploited.

Debian alert: New xbl packages fix buffer overflow

  • Mailing list (Posted by dave on Jul 8, 2003 6:27 PM EDT)
  • Story Type: Security; Groups: Debian
Another buffer overflow was discovered in xbl, distinct from the one addressed in DSA-327 (CAN-2003-0451), involving the -display command line option. This vulnerability could be exploited by a local attacker to gain gid 'games'.

Debian alert: New unzip packages fix directory traversal

  • Mailing list (Posted by dave on Jul 8, 2003 3:49 PM EDT)
  • Story Type: Security; Groups: Debian
A directory traversal vulnerability in UnZip 5.50 allows attackers to bypass a check for relative pathnames ("../") by placing certain invalid characters between the two "." characters.

Debian alert: New skk, ddskk packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Jul 8, 2003 3:33 PM EDT)
  • Story Type: Security; Groups: Debian
skk (Simple Kana to Kanji conversion program) does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and skk.

Mandrake alert: Updated unzip packages fix vulnerability

A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two "." characters. These invalid characters are filtered which results in a ".." sequence.

Debian alert: New mozart packages fix unsafe mailcap configuration

  • Mailing list (Posted by dave on Jul 7, 2003 10:13 AM EDT)
  • Story Type: Security; Groups: Debian
mozart, a development platform based on the Oz language, includes MIME configuration data which specifies that Oz applications should be passed to the Oz interpreter for execution. This means that file managers, web browsers, and other programs which honor the mailcap file could automatically execute Oz programs downloaded from untrusted sources. Thus, a malicious Oz program could execute arbitrary code under the uid of a user running a MIME-aware client program if the user selected a file (for example, choosing a link in a web browser).

Debian alert: New liece packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Jul 7, 2003 10:04 AM EDT)
  • Story Type: Security; Groups: Debian
liece, an IRC client for Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and liece, potentially with contents supplied by the attacker.

Debian alert: New x-face-el packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Jul 6, 2003 4:54 PM EDT)
  • Story Type: Security; Groups: Debian
NOTE: due to a combination of administrative problems, this advisory was erroneously released with the identifier "DSA-338-1". DSA-338-1 correctly refers to an earlier advisory regarding proftpd.
