5.1 2007-01-29T12:57:13.488-05:00 The MITRE Corporation Sun Solaris 7 Sun Am7990 Ethernet Driver Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. Brian Soby DRAFT Matthew Wojcik DRAFT Sun Solaris 7 whodo Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. David Proulx Matthew Wojcik INTERIM Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Sun Solaris 9 Solaris Volume Manager (SVM) The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM. Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Matthew Wojcik INTERIM Sun Solaris 8 whodo Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. David Proulx Matthew Wojcik INTERIM Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Sun Solaris 7 Admintool Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Sun Solaris 7 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gedit Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. Jay Beale DRAFT INTERIM ACCEPTED Bob Towbes INTERIM INTERIM Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sadmin The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Sun Solaris 7 CDE Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Sun Solaris 8 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx ACCEPTED Sun Solaris 7 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx ACCEPTED Red Hat Linux 9 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Matt Busby Matt Busby INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 fetchmail Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. Jay Beale INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 zgrep zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 postgresql The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gzip zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GDM GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 fetchmail Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GDM The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 telnet Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 bzip2 Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libxml2 Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libgd Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 sudo Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp. Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libgd Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED