The OVAL Repository 5.9 2011-12-31T05:00:15.485-05:00 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a compressed GIF file, related to gifcodec.cpp and gifimage.cpp. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processers in a security-relevant fashion that was not addressed by the kernels. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the fancontrol temporary file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (crash) via a crafted FlateDecode stream that triggers a null dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in the ProcDbeGetVisualInfo function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059. Robert L. Hollis DRAFT INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in LHA 1.14 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to "command line processing," a different vulnerability than CVE-2004-0771. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 X Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error) via an invalid protocol tree item length. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer overflow in the WriteProlog function in texttops in CUPS 1.1.17 on Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2008-3640. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3; and Sun StarOffice 6, 7, and 8 Office Suite (StarSuite); allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to replace existing search plugins with malicious ones using sidebar.addSearchEngine and the same filename as the target engine, which may not be displayed in the GUI, which could then be used to execute malicious script, aka "Firesearching 2." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 File and Print Sharing File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files or execute arbitrary code via a crafted GIF image, aka CR 6804998. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Memory leak in the seq_file implemenetation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux hooks are enabled, allows local users to cause a denial of service (crash) via a malformed file stream that triggers a NULL pointer dereference in the superblock_doinit function, as demonstrated using an HFS filesystem image. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple vulnerabilities in Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Javascript that leads to memory corruption, including (1) nsListControlFrame::FireMenuItemActiveEvent, (2) buffer overflows in the string class in out-of-memory conditions, (3) table row and column groups, (4) "anonymous box selectors outside of UA stylesheets," (5) stale references to "removed nodes," and (6) running the crypto.generateCRMFRequest callback on deleted context. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Buffer overflow in the X render (Xrender) extension in X.org X server 6.8.0 up to allows attackers to cause a denial of service (crash), as demonstrated by the (1) XRenderCompositeTriStrip and (2) XRenderCompositeTriFan requests in the rendertest from XCB xcb/xcb-demo, which leads to an incorrect memory allocation due to a typo in an expression that uses a "&" instead of a "*" operator. NOTE: the subject line of the original announcement used an incorrect CVE number for this issue. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via a crafted PDF file that calls an insecure JavaScript method in the EScript.api plug-in. NOTE: this issue might be subsumed by CVE-2008-0655. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to gain privileges via an untrusted application, a different issue than CVE-2008-1191, aka the "fourth" issue. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman before 2.1.9rc1 allows remote attackers to cause a denial of service via unspecified vectors involving "standards-breaking RFC 2231 formatted headers". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the protection mechanism for codebase principals and execute arbitrary script via the -moz-binding CSS property in a signed JAR file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Header.pm in Net::DNS before 0.60, a Perl module, (1) generates predictable sequence IDs with a fixed increment and (2) can use the same starting ID for all child processes of a forking server, which allows remote attackers to spoof DNS responses, as originally reported for qpsmtp and spamassassin. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a denial of service (crash) by triggering a free of non-allocated memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE) in SDK and JRE 1.3.x through 1.3.1_20 and 1.4.x through 1.4.2_15, and JDK and JRE 5.x through 5.0 Update 12 and 6.x through 6 Update 2, allows remote attackers to execute arbitrary programs, or read or modify arbitrary files, via applets that grant privileges to themselves. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in ImageMagick before 6.2.9 allow user-assisted attackers to execute arbitrary code via crafted XCF images. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Array index error in the gst_qtp_trak_handler function in gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins) 0.6.0 allows remote attackers to have an unknown impact via a crafted QuickTime media file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by "appending to a file from a bad address," which triggers a fault that prevents the unused memory from being cleared in the kernel buffer. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JavaScript engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via vectors related to "insufficient class checking" in the Date class. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in the SCSI dissector in Wireshark (formerly Ethereal) 0.99.2 allows remote attackers to cause a denial of service (crash) via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 through 0.10.9 allows remote attackers to cause a denial of service (application crash). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in racoon in ipsec-tools before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unspecified vulnerabilities in Ethereal 0.8.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via the (1) Sniffer capture or (2) SMB PIPE dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. Robert L. Hollis DRAFT INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Certain privileged UI code in Mozilla Firefox and Thunderbird before 1.5.0.4 calls content-defined setters on an object prototype, which allows remote attackers to execute code at a higher privilege than intended. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 5 The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 KDE Display Manager (KDM) in KDE 3.2.0 up to 3.5.3 allows local users to read arbitrary files via a symlink attack related to the session type for login. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer signedness error in the DNP3 dissector in Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP3 packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and earlier does not properly perform certain time tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early, a different vulnerability than CVE-2005-2872. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple stack-based buffer overflows in the putstring function in find.c in Cscope before 15.6 allow user-assisted remote attackers to execute arbitrary code via a long (1) function name or (2) symbol in a source-code file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in Ethereal 0.10.12 and earlier might allow remote attackers to execute arbitrary code via unknown vectors in the (1) SLIMP3 and (2) AgentX dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player allow remote attackers to inject arbitrary web script or HTML via a crafted SWF file, related to "pre-generated SWF files" and Adobe Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by CVE-2007-6244.1. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Off-by-one error in the OID printing routine in Ethereal 0.10.x up to 0.10.14 has unknown impact and remote attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, and (3) MirrorWrappedNativeParent and js_LockGCThingRT. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary JavaScript with chrome privileges via unknown vectors in which "page content can pollute XPCNativeWrappers." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.12 allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug." NOTE: this was originally reported as affecting versions before 3.0.13. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). Jay Beale INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The XPCVariant::VariantDataToJS function in the XPCOM implementation in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does not enforce intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via unspecified method calls, related to "doubly-wrapped objects." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in Ethereal 0.10.4 up to 0.10.14 allows remote attackers to cause a denial of service (abort) via the SNDCP dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in dvb-core/dvb_net.c in the dvb driver in the Linux kernel 2.6.17.8 allows remote attackers to cause a denial of service (crash) via an SNDU length of 0 in a ULE packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The is_path_absolute function in scheduler/client.c for the daemon in CUPS before 1.1.23 allows remote attackers to cause a denial of service (CPU consumption by tight loop) via a "..\.." URL in an HTTP request. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows remote user-assisted attackers to execute privileged code by tricking a user into installing missing plugins and selecting the "Manual Install" button, then using nested javascript: URLs. NOTE: the manual install button is used for downloading software from a remote web site, so this issue would not cross privilege boundaries if the user progresses to the point of installing malicious software from the attacker-controlled site. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The focus handling for the onkeydown event in Mozilla Firefox 1.5.0.12, 2.0.0.4 and other versions before 2.0.0.8, and SeaMonkey before 1.1.5 allows remote attackers to change field focus and copy keystrokes via the "for" attribute in a label, which bypasses the focus prevention, as demonstrated by changing focus from a textarea to a file upload field. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested <option> tags in a select tag, (2) a DOMNodeRemoved mutation event, (3) "Content-implemented tree views," (4) BoxObjects, (5) the XBL implementation, (6) an iframe that attempts to remove itself, which leads to memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple heap-based buffer overflows in the (1) DCTStream::readProgressiveSOF and (2) DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, as used in products such as (a) Poppler, (b) teTeX, (c) KDE kpdf, (d) pdftohtml, (e) KOffice KWord, (f) CUPS, and (g) libextractor allow user-assisted attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent attackers to obtain sensitive information (the cache location) via an untrusted application, aka CR 6704074. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allows scripts with the UniversalBrowserRead privilege to gain UniversalXPConnect privileges and possibly execute code or obtain sensitive data by reading into a privileged context. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to gain privileges and install malicious code via the watch Javascript function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Off-by-one error in the MIME Multipart dissector in Wireshark (formerly Ethereal) 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that tragger an assertion error related to unexpected length values. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in the SGI parser in ImageMagick before 6.0 allows remote attackers to execute arbitrary code via a crafted SGI image file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document. NOTE: this issue might be subsumed by CVE-2008-0655. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Unspecified vulnerability in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 6 and earlier, Java System Development Kit (SDK) and JRE 1.4.2_12 and earlier 1.4.x versions, and SDK and JRE 1.3.1_18 and earlier allows attackers to use untrusted applets to "access data in other applets," aka "The second issue." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The time_out_leases function in locks.c for Linux kernel before 2.6.15-rc3 allows local users to cause a denial of service (kernel log message consumption) by causing a large number of broken leases, which is recorded to the log using the printk function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Untrusted search path vulnerability in Lynx before 2.8.6rel.4 allows local users to execute arbitrary code via malicious (1) .mailcap and (2) mime.types files in the current working directory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Double free vulnerability in the ICEP dissector in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to execute arbitrary commands via (1) lynxcgi:, (2) lynxexec, and (3) lynxprog links, which are not properly restricted in the default configuration in some environments. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Squid Web Proxy Cache 2.5 might allow remote attackers to obtain sensitive information via URLs containing invalid hostnames that cause DNS operations to fail, which results in references to previously used error messages. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in OpenOffice.org (aka StarOffice) 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to execute arbitrary code via a crafted OpenOffice XML document that is not properly handled by (1) Calc, (2) Draw, (3) Impress, (4) Math, or (5) Writer, aka "File Format / Buffer Overflow Vulnerability." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The crypto.signText function in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to execute arbitrary code via certain optional Certificate Authority name arguments, which causes an invalid array index and triggers a buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (abort). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 cachefsd Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to allows local users to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in CVS before 1.11.20 allows remote attackers to execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could leave it vulnerable to buffer overflows, as demonstrated using modified length values that are not properly handled by the dissect_pdus and pduval_to_str functions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. Andrew Buttner INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to (1) chrome XBL and (2) chrome JS. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in the GTP dissector for Ethereal 0.9.1 to 0.10.13 allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Unspecified vulnerability in the Virtual Machine for Sun Java Runtime Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to gain privileges via an untrusted application or applet, a different issue than CVE-2008-1186, aka "the first issue." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via crafted pen width and pen color opcodes that overwrite arbitrary memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The BER dissector in Ethereal 0.10.3 to 0.10.12 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in cscope 15.5 and earlier allow user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple vectors including (1) a long pathname that is not properly handled during file list parsing, (2) long pathnames that result from path variable expansion such as tilde expansion for the HOME environment variable, and (3) a long -f (aka reffile) command line argument. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox 2.x before 2.0.0.18 and SeaMonkey 1.x before 1.1.13 do not properly check when the Flash module has been dynamically unloaded properly, which allows remote attackers to execute arbitrary code via a crafted SWF file that "dynamically unloads itself from an outside JavaScript function," which triggers an access of an expired memory address. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The EPSF pipe support in enscript 1.6.3 allows remote attackers or local users to execute arbitrary commands via shell metacharacters. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Gaim 1.2.0 allows remote attackers to cause a denial of service (application crash) via a malformed file transfer request to a Jabber user, which leads to an out-of-bounds read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (memory exhaustion) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Preeti Subramanian INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The kernel in Red Hat Enterprise Linux 3, when running on SMP systems, allows local users to cause a denial of service (deadlock) by running the shmat function on an shm at the same time that shmctl is removing that shm (IPC_RMID), which prevents a spinlock from being unlocked. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The find_target function in ptrace32.c in the Linux kernel 2.4.x before 2.4.29 does not properly handle a NULL return value from another function, which allows local users to cause a denial of service (kernel crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit executable program. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3.0.14 and earlier 2.x and 3.x versions, on Linux uses a predictable /tmp pathname for files selected from the Downloads window, which allows local users to replace an arbitrary downloaded file by placing a file in a /tmp location before the download occurs, related to the Download Manager component. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) via a malformed JavaScript regular expression that ends with a backslash in an unterminated character set ("[\\"), which leads to a buffer over-read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Untrusted search path vulnerability in a certain Red Hat build script for Standards Based Linux Instrumentation for Manageability (sblim) libraries before 1-13a.el4_6.1 in Red Hat Enterprise Linux (RHEL) 4, and before 1-31.el5_2.1 in RHEL 5, allows local users to gain privileges via a malicious library in a certain subdirectory of /var/tmp, related to an incorrect RPATH setting, as demonstrated by a malicious libc.so library for tog-pegasus. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in Cscope before 15.7a allow remote attackers to execute arbitrary code via long strings in input such as (1) source-code tokens and (2) pathnames, related to integer overflows in some cases. NOTE: this issue exists because of an incomplete fix for CVE-2004-2541. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The WLCCP dissector in Wireshark 0.99.7 through 1.0.4 allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Meleon 0.9, and possibly other products that use the Gecko engine, allow remote attackers to cause a denial of service (application crash) via JavaScript that repeatedly calls an empty function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Use-after-free vulnerability in the LiveConnect bridge code for Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to cause a denial of service (crash) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via a flood of recursive queries, which cause an INSIST failure when the response is received after the recursion queue is empty. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Multiple unspecified vulnerabilities in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 7 and earlier, and Java System Development Kit (SDK) and JRE 1.4.2_12 and earlier 1.4.x versions, allow attackers to develop Java applets or applications that are able to gain privileges, related to serialization in JRE. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Data Access Components 2.6 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Josh Turpin DEPRECATED DEPRECATED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Directory traversal vulnerability in FastJar 0.93, as used in Gnu GCC 4.1.1 and earlier, and 3.4.6 and earlier, allows user-assisted attackers to overwrite arbitrary files via a .jar file containing filenames with "../" sequences. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 unshar (unshar.c) in sharutils 4.2.1 allows local users to overwrite arbitrary files via a symlink attack on the unsh.X temporary file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allows remote attackers to hijack native DOM methods from objects in another domain and conduct cross-site scripting (XSS) attacks using DOM methods of the top-level object. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SQL injection vulnerability in the radius_xlat function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via (1) group_membership_query, (2) simul_count_query, or (3) simul_verify_query configuration entries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.5 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Josh Turpin DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, related to a "quantization problem," aka Bug Id 6862968. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted (1) BGP packet, which is not properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is not properly handled by the ldp_print function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11 allows remote attackers to cause the dissector to access an invalid pointer. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The nsXULTemplateQueryProcessorRDF::CheckIsSeparator function in Mozilla Firefox before 3.0.12, SeaMonkey 2.0a1pre, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to loading multiple RDF files in a XUL tree element. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The Red Hat build script for the GNOME Display Manager (GDM) before 2.16.0-56 on Red Hat Enterprise Linux (RHEL) 5 omits TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions via XDMCP connections, a different vulnerability than CVE-2007-5079. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Unspecified vulnerability in the Virtual Machine for Sun Java Runtime Environment (JRE) and JDK 5.0 Update 13 and earlier, and SDK/JRE 1.4.2_16 and earlier, allows remote attackers to gain privileges via an untrusted application or applet, a different issue than CVE-2008-1185, aka "the second issue." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Off-by-one buffer overflow in pnmtopng before 2.39, when using the -alpha command line option (Alphas_Of_Color), allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PNM file with exactly 256 colors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different issue than CVE-2008-1188, aka the "third" issue. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the sql_escape_func function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote attackers to cause a denial of service (crash). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (infinite loop) via streams that end prematurely, as demonstrated using the (1) CCITTFaxDecode and (2) DCTDecode streams, aka "Infinite CPU spins." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer Christine Walzer INTERIM Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in the (1) X11 and (2) Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and attack vectors, related to failure to clone arrays that are returned by the getConfigurations function, aka Bug Id 6822057. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote attackers to violate the security model for an applet's outbound connections by connecting to localhost services running on the machine that loaded the applet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet that triggers a NULL pointer dereference, as demonstrated by fuzz-2009-12-07-11141.pcap. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Linux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow local users to cause a denial of service (kernel OOPS from null dereference) via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put in the 32-bit routing_ioctl function on 64-bit systems. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The file watch implementation in the audit subsystem (auditctl -w) in the Red Hat Enterprise Linux (RHEL) 4 kernel 2.6.9 allows local users to cause a denial of service (kernel panic) by replacing a watched file, which does not cause the watch on the old inode to be dropped. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 A certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 does not properly configure the PAM tty name, which allows remote authenticated users to bypass intended access restrictions and send requests to OpenPegasus WBEM services. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions before 2.6.27-rc6, on s390 platforms allows local users to cause a denial of service (kernel panic) via the user-area-padding test from the ptrace testsuite in 31-bit mode, which triggers an invalid dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The rose_rt_ioctl function in rose_route.c for Radionet Open Source Environment (ROSE) in Linux 2.6 kernels before 2.6.12, and 2.4 before 2.4.29, does not properly verify the ndigis argument for a new route, which allows attackers to trigger array out-of-bounds errors with a large number of digipeats. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Integer overflow in RealNetworks RealPlayer 8, 10, and 10.5, RealOne Player 1 and 2, and Helix Player 10.0.0 allows remote attackers to execute arbitrary code via an .rm movie file with a large value in the length field of the first data packet, which leads to a stack-based buffer overflow, a different vulnerability than CVE-2004-1481. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting (XSS) and other attacks by using the addEventListener method to add an event listener for a site, which is executed in the context of that site. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 allows remote attackers to modify HTTP headers for client requests and conduct HTTP Request Splitting attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Multiple unspecified vulnerabilities in the color management library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allows remote attackers to cause a denial of service (crash) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first. NOTE: this issue is due to an incorrect patch for CVE-2007-5378. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 slocate before 2.7 does not properly process very long paths, which allows local users to cause a denial of service (updatedb exit and incomplete slocate database) via a certain crafted directory structure. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in the WBXML dissector in Wireshark (formerly Ethereal) 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of Math and Date; and (2) js_CheckRedeclaration. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (infinite loop). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Multiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 to 3.4.1, ekg before 1.6rc3, GNU Gadu, CenterICQ, Kadu, and other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an incoming message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The XPConnect component in Mozilla Firefox before 2.0.0.17 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to a SCRIPT element. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the same underlying vulnerability. NOTE: it was later reported that Firefox 2.0 RC2 and 1.5.0.7 are also affected. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Buffer overflow in cluster/cman/daemon/daemon.c in cman (redhat-cluster-suite) before 20070622 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via long client messages. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through 0.10.8 allows remote attackers to cause a denial of service by triggering a free of statically allocated memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT SNMP Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before 5.1.6 allows remote authorized users to cause a denial of service (crash) via a NULL second argument to the str_to_date function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 6.0.12.1056 on Windows, and 10, 10.0.1.436, and other versions before 10.0.5 on Linux, allows remote attackers to execute arbitrary code via a RealMedia file with a long RealText string, such as an SMIL file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 creates the mysql_install_db.X file with a predictable filename and insecure permissions, which allows local users to execute arbitrary SQL commands by modifying the file's contents. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in the GTK+ gdk-pixbuf XPM image rendering library in GTK+ 2.4.0 allows attackers to execute arbitrary code via an XPM file with a number of colors that causes insufficient memory to be allocated, which leads to a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability." Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Josh Turpin DEPRECATED Sudhir Gandhe Shane Shaffer DEPRECATED Red Hat Enterprise Linux 5 Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Use-after-free vulnerability in CUPS before 1.1.22, and possibly other versions, allows remote attackers to cause a denial of service (crash) via crafted IPP packets. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to gain privileges via javascript that calls the valueOf method on objects that were created outside of the sandbox. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 Unspecified vulnerability in Sun JDK and Java Runtime Environment (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to access arbitrary network services on the local host via unspecified vectors related to JavaScript and Java APIs. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a pointer during handling of a Cascading Style Sheets (CSS) attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in the LDAP dissector in Wireshark (formerly Ethereal) 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the libMagick componet of ImageMagick 6.0.6.2 might allow attackers to execute arbitrary code via an image index array that triggers the overflow during filename glob expansion by the ExpandFilenames function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows user-assisted attackers to cause a denial of service (segmentation fault) via an animated GIF in which the first subimage is smaller than a subsequent subimage, which triggers the overflow in the ReadImage function, a different vulnerability than CVE-2007-5137. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers to cause a denial of service (mailing list delivery failure) via a multipart MIME message with a single part that has two blank lines between the first boundary and the end boundary. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 5 The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The HTTP dissector in Ethereal 0.10.1 through 0.10.7 allows remote attackers to cause a denial of service (application crash) via a certain packet that causes the dissector to access previously-freed memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED