The OVAL Repository 5.9 2012-01-27T05:07:21.827-05:00 Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 squirrelmail Several remote vulnerabilities have been discovered in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting was possible through a number of pages which allowed an attacker to steal sensitive session data. Code injection was possible when SquirrelMail was configured to use the map_yp_alias function to authenticate users. This is not the default. It was possible to hijack an active user session by planting a specially crafted cookie into the user's browser. Specially crafted HTML emails could use the CSS positioning feature to place email content over the SquirrelMail user interface, allowing for phishing. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 icu It was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to crosssite scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libsoup It was discovered that libsoup, an HTTP library implementation in C, handles large strings insecurely via its Base64 encoding functions. This could possibly lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dovecot It was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 opensc b.badrignans discovered that OpenSC, a set of smart card utilities, could store private data on a smart card without proper access restrictions. Only blank cards initialised with OpenSC are affected by this problem. This update only improves creating new private data objects, but cards already initialised with such private data objects need to be modified to repair the access control conditions on such cards. Instructions for a variety of situations can be found at the OpenSC web site: http://www.opensc-project.org/security.html The oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all of kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users. Duane Griffin provided a fix for an issue in the eCryptfs subsystem which allows local users to cause a denial of service (fault or memory corruption). Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation. Sami Liedes reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when accessing a specially crafted corrupt filesystem. David Maciejak reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. David Maciejak reported an additional issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting attacks, which allows the injection of arbitrary Java or HTML code. The oldstable distribution (etch) does not contain mahara. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wesnoth Several security issues have been discovered in wesnoth, a fantasy turn-based strategy game. The Common Vulnerabilities and Exposures project identifies the following problems: Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving special crafted compressed data. Daniel Franke discovered that the sandbox implementation for the python AIs can be used to execute arbitrary python code on wesnoth clients. In order to prevent this issue, the python support has been disabled. A compatibility patch was included, so that the affected campagne is still working properly. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openswan It was discovered that the pluto daemon in openswan, an implementation of IPSEC and IKE, could crash when processing a crafted X.509 certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xmltooling Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libtk-img It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libtk-img Two buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libtk-img is prone to a buffer overflow via specially crafted multi-frame interlaced GIF files. It was discovered that libtk-img is prone to a buffer overflow via specially crafted GIF files with certain subimage sizes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 tomcat5.5 It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 courier-authlib Two SQL injection vulnerabilities have been found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (CVE-2008-2380). A similar issue affects the PostgreSQL database interface (CVE-2008-2667). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 maradns Michael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets. For the old stable distribution (sarge), this problem has been fixed in version 1.0.27-2. For the stable distribution (etch), this problem has been fixed in version 1.2.12.04-1etch2. For the unstable distribution (sid), this problem has been fixed in version 1.2.12.08-1. We recommend that you upgrade your maradns package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cyrus-sasl2 cyrus-sasl2-heimdal James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation: Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 samba Alin Rad Pop discovered that Samba contained a buffer overflow condition when processing certain responses received while acting as a client, leading to arbitrary code execution (CVE-2008-1105). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin Several vulnerabilities have been discovered in Pidgin, a graphical multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in the Jabber file transfer code may lead to denial of service or the execution of arbitrary code. Memory corruption in an internal library may lead to denial of service. The patch provided for the security issue tracked as CVE-2008-2927 - integer overflows in the MSN protocol handler - was found to be incomplete. The old stable distribution (etch) is affected under the source package name gaim. However, due to build problems the updated packages couldn't be released along with the stable version. It will be released once the build problem is resolved. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ndiswrapper Anders Kaseorg discovered that ndiswrapper suffers from buffer overflows via specially crafted wireless network traffic, due to incorrectly handling long ESSIDs. This could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 flamethrower (0.1.8-1+etch1) Dmitry E. Oboukhov discovered that flamethrower creates predictable temporary filenames, which may lead to a local denial of service through a symlink attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 znc It was discovered that znc, an IRC proxy/bouncer, does not properly sanitize input contained in configuration change requests to the webadmin interface. This allows authenticated users to elevate their privileges and indirectly execute arbitrary commands (CVE-2009-0759). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xorg-server Several local vulnerabilities have been discovered in the X Window system. The Common Vulnerabilities and Exposures project identifies the following problems: Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow. An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server. Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 b2evolution "unsticky" discovered that b2evolution, a blog engine, performs insufficient input sanitising, allowing for cross site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 imlib2 Julien Danjou and Peter De Wachter discovered that a buffer overflow in the XPM loader of Imlib2, a powerful image loading and rendering library, might lead to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 wireshark Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: The RPL dissector could be tricked into an infinite loop. The CIP dissector could be tricked into excessive memory allocation. For the old stable distribution (sarge), these problems have been fixed in version 0.10.10-2sarge11. (In Sarge Wireshark used to be called Ethereal). For the stable distribution (etch), these problems have been fixed in version 0.99.4-5.etch.2. For the unstable distribution (sid), these problems have been fixed in version 0.99.7-1. We recommend that you upgrade your wireshark packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libmodplug Several vulnerabilities have been discovered in libmodplug, the shared libraries for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libmodplug is prone to an integer overflow when processing a MED file with a crafted song comment or song name. It was discovered that libmodplug is prone to a buffer overflow in the PATinst function, when processing a long instrument name. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a sensitive memory leak. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Roland McGrath discovered an issue on amd64 kernels with CONFIG_SECCOMP enabled. By making a specially crafted syscall, local users can bypass access restrictions. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Mikulas Patocka reported an issue in the console subsystem that allows a local user to cause memory corruption by selecting a small number of 3-byte UTF-8 characters. Igor Zhbanov reported that nfsd was not properly dropping CAP_MKNOD, allowing users to create device nodes on file systems exported with root_squash. Dan Carpenter reported a coding issue in the selinux subsystem that allows local users to bypass certain networking checks when running with compat_net=1. Shaohua Li reported an issue in the AGP subsystem they may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 fetchmail It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nsd nsd3 Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative name service daemon, allowed to crash the server by sending a crafted packet, creating a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mt-daapd Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems: Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code. Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code. An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gnutls13 gnutls26 Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a "\0" character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2730) In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. It only affects the oldstable distribution (etch).(CVE-2009-2409) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 squirrelmail Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 newt Miroslav Lichvar discovered that newt, a windowing toolkit, is prone to a buffer overflow in the content processing code, which can lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wxwindows2.4 wxwidgets2.6 wxwidgets2.8 Tielei Wang has discovered an integer overflow in wxWidgets, the wxWidgets Cross-platform C++ GUI toolkit, which allows the execution of arbitrary code via a crafted JPEG file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gst-plugins-bad0.10 It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the "bad" set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner It was discovered that crashes in the Javascript engine of xulrunner, the Gecko engine library, could potentially lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apt Two vulnerabilities have been discovered in APT, the well-known dpkg frontend. The Common Vulnerabilities and Exposures project identifies the following problems: In time zones where daylight savings time occurs at midnight, the apt cron.daily script fails, stopping new security updates from being applied automatically. A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 psi Jesus Olmos Gonzalez discovered that an integer overflow in the PSI Jabber client may lead to remote denial of service. The old stable distribution (etch) is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ctorrent Michael Brooks discovered that ctorrent, a text-mode bittorrent client, does not verify the length of file paths in torrent files. An attacker can exploit this via a crafted torrent that contains a long file path to execute arbitrary code with the rights of the user opening the file. The oldstable distribution (etch) does not contain ctorrent. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 changetrack Marek Grzybowski discovered that changetrack, a program to monitor changes to (configuration) files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 clamav Several vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Attackers can cayse a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. (no CVE Id yet) Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 vlc Several vulnerabilities have been discovered in vlc, a multimedia player and streamer. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the MP4 demuxer, Real demuxer and Cinepak codec can lead to the execution of arbitrary code. Drew Yao discovered that the Cinepak codec is prone to a memory corruption, which can be triggered by a crafted Cinepak file. Luigi Auriemma discovered that it is possible to execute arbitrary code via a long subtitle in an SSA file. It was discovered that vlc is prone to a search path vulnerability, which allows local users to perform privilege escalations. Alin Rad Pop discovered that it is possible to execute arbitrary code when opening a WAV file containing a large fmt chunk. PÄ?nar Yanarda discovered that it is possible to execute arbitrary code when opening a crafted mmst link. Tobias Klein discovered that it is possible to execute arbitrary code when opening a crafted .ty file. Tobias Klein discovered that it is possible to execute arbitrary code when opening an invalid CUE image file with a crafted header. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpgedview It was discovered that phpGedView, an application to provide online access to genealogical data, performed insufficient input sanitising on some parameters, making it vulnerable to cross site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 kronolith2 "The-0utl4w" discovered that the Kronolith, calendar component for the Horde Framework, didn't properly sanitise URL input, leading to a cross-site scripting vulnerability in the add event screen. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 debian-goodies Thomas de Grenier de Latour discovered that the checkrestart tool in the debian-goodies suite of utilities, allowed local users to gain privileges via shell metacharacters in the name of the executable file for a running process. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cscope Matt Murphy discovered that cscope, a source code browsing tool, does not verify the length of file names sourced in include statements, which may potentially lead to the execution of arbitrary code through specially crafted source code files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libicu Several local vulnerabilities have been discovered in libicu, International Components for Unicode, The Common Vulnerabilities and Exposures project identifies the following problems: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 horde3 Will Drewry discovered that Horde allows remote attackers to send an email with a crafted MIME attachment filename attribute to perform cross site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 php-json-ext It was discovered that php-json-ext, a JSON serialiser for PHP, is prone to a denial of service attack, when receiving a malformed string via the json_decode function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wireshark Several remote vulnerabilities have been discovered in network traffic analyzer Wireshark. The Common Vulnerabilities and Exposures project identifies the following problems: The GSM SMS dissector is vulnerable to denial of service. The PANA and KISMET dissectors are vulnerable to denial of service. The RMI dissector could disclose system memory. The packet reassembling module is vulnerable to denial of service. The zlib uncompression module is vulnerable to denial of service. The Bluetooth ACL dissector is vulnerable to denial of service. The PRP and MATE dissectors are vulnerable to denial of service. The Q931 dissector is vulnerable to denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 suphp It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or leak sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems: Tobias Klein reported a locally exploitable data leak in the snd_seq_oss_synth_make_info() function. This may allow local users to gain access to sensitive information. Zoltan Sogor discovered a coding error in the VFS that allows local users to exploit a kernel memory leak resulting in a denial of service. Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. Eugene Teo reported a missing bounds check in the SCTP subsystem. By exploiting an integer overflow in the SCTP_AUTH_KEY handling code, remote attackers may be able to cause a denial of service in the form of a kernel panic. Kel Modderman reported an issue in the tmpfs filesystem that allows local users to crash a system by triggering a kernel BUG() assertion. Alexey Dobriyan discovered an off-by-one-error in the iov_iter_advance function which can be exploited by local users to crash a system, resulting in a denial of service. Vlad Yasevich reported several NULL pointer reference conditions in the SCTP subsystem that can be triggered by entering sctp-auth codepaths when the AUTH feature is inactive. This may allow attackers to cause a denial of service condition via a system panic. Johann Dahm and David Richter reported an issue in the nfsd subsystem that may allow remote attackers to cause a denial of service via a buffer overflow. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 websvn Bas van Schaik discovered that WebSVN, a tool to view Subversion repositories over the web, did not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content. The old stable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 libnet-dns-perl Several remote vulnerabilities have been discovered in libnet-dns-perl. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libnet-dns-perl generates very weak transaction IDs when sending queries (CVE-2007-3377). This update switches transaction ID generation to the Perl random generator, making prediction attacks more difficult. Compression loops in domain names resulted in an infinite loop in the domain name expander written in Perl (CVE-2007-3409). The Debian package uses an expander written in C by default, but this vulnerability has been addressed nevertheless. Decoding malformed A records could lead to a crash (via an uncaught Perl exception) of certain applications using libnet-dns-perl (CVE-2007-6341). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 cupsys An integer overflow has been discovered in the image validation code of cupsys, the Common UNIX Printing System. An attacker could trigger this bug by supplying a malicious graphic that could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 unzip Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library"s free routine, potentially leading to arbitrary code execution (CVE-2008-0888). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 eggdrop It was discovered that eggdrop, an advanced IRC robot, was vulnerable to a buffer overflow which could result in a remote user executing arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libgd2 Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered a buffer overflow in libgd2"s font renderer. An attacker could cause denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution (etch). Tomas Hoger discovered a boundary error in the "_gdGetColors()" function. An attacker could conduct a buffer overflow or buffer over-read attacks via a crafted GD file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 freetype Tavis Ormandy discovered several integer overflows in FreeType, a library to process and access font files, resulting in heap- or stack-based buffer overflows leading to application crashes or the execution of arbitrary code via a crafted font file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpmyadmin Masako Oono discovered that phpMyAdmin, a web-based administration interface for MySQL, insufficiently sanitises input allowing a remote attacker to gather sensitive data through cross site scripting, provided that the user uses the Internet Explorer web browser. This update also fixes a regression introduced in DSA 1641, that broke changing of the language and encoding in the login screen. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin It was discovered that incorrect pointer handling in the purple library, an internal component of the multi-protocol instant messaging client Pidgin, could lead to denial of service or the execution of arbitrary code through malformed contact requests. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 poppler It was discovered that poppler, a PDF rendering library, did not properly handle embedded fonts in PDF files, allowing attackers to execute arbitrary code via a crafted font object. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 udev Sebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 streamripper Multiple buffer overflows involving HTTP header and playlist parsing have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829). For the stable distribution (etch), these problems have been fixed in version 1.61.27-1+etch1. For the unstable distribution (sid) and the testing distribution (lenny), these problems have been fixed in version 1.63.5-2. We recommend that you upgrade your streamripper package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php-mail It was discovered that php-mail, a PHP PEAR module for sending email, has insufficient input sanitising, which might be used to obtain sensitive data from the system that uses php-mail. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 yaws It was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mplayer Felipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially execution of arbitrary code by supplying a maliciously crafted video file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 imagemagick Several vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a "\0" character to an out-of-bounds address. It affects only the oldstable distribution (etch). A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only to oldstable (etch). Heap-based buffer overflow in the PCX coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. It affects only to oldstable (etch). Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mldonkey It has been discovered that mldonkey, a client for several P2P networks, allows attackers to download arbitrary files using crafted requests to the HTTP console. The old stable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 freetype Greg MacManus discovered an integer overflow in the font handling of libfreetype, a FreeType 2 font engine, which might lead to denial of service or possibly the execution of arbitrary code if a user is tricked into opening a malformed font. For the old stable distribution (sarge) this problem will be fixed soon. For the stable distribution (etch), this problem has been fixed in version 2.2.1-5+etch2. For the unstable distribution (sid), this problem has been fixed in version 2.3.5-1. We recommend that you upgrade your freetype packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpgedview It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error. Note: this problem was a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems. Resolving this problem was only possible by completely reworking the API, which is not considered appropriate for a security update. Since these are peripheral functions probably not used by the large majority of package users, it was decided to remove these interfaces. If you require that interface nonetheless, you are advised to use a version of phpGedView backported from Debian Lenny, which has a completely redesigned API. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apache2 A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations (the information in the changelog of the updated packages is slightly inaccurate): As a workaround, you may rearrange your configuration in a way that SSLVerifyClient and SSLCipherSuite are only used on the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue. In addition, this update fixes the following issues in Apache's mod_proxy_ftp: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server. The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch11. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nagios2 nagios3 It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 postgresql-7.4 Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at http://www.postgresql.org/about/news.905. For the old stable distribution (sarge), some of these problems have been fixed in version 7.4.7-6sarge6 of the postgresql package. Please note that the fix for CVE-2007-6600 and for the handling of regular expressions havn't been backported due to the intrusiveness of the fix. We recommend to upgrade to the stable distribution if these vulnerabilities affect your setup. For the stable distribution (etch), these problems have been fixed in version 7.4.19-0etch1. The unstable distribution (sid) no longer contains postgres-7.4. We recommend that you upgrade your postgresql-7.4 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 squid3 Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion error in squid3, a full featured Web Proxy cache, which could lead to a denial of service attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libfishsound It was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn't correctly handle negative values in a particular header field. This could allow malicious files to execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel webbrowser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities. Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context of signed JAR archives. "moz_bug_r_a4" discovered that XUL documents can escalate privileges by accessing the pre-compiled "fastload" file. "moz_bug_r_a4" discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceweasel itself is not affected, but some addons are. Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. Masahiro Yamada discovered that file URLS in directory listings were insufficiently escaped. John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofings secure connections. Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 peercast Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apr-util Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util: "kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet) Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. Other exploit paths in other applications using apr-util may exist. If you use Apache, or if you use svnserve in standalone mode, you need to restart the services after you upgraded the libaprutil1 package. The oldstable distribution (etch), these problems have been fixed in version 1.2.7+dfsg-2+etch2. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 lighttpd Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: A memory leak in the http_request_parse function could be used by remote attackers to cause lighttpd to consume memory, and cause a denial of service attack. Inconsistant handling of URL patterns could lead to the disclosure of resources a server administrator did not anticipate when using rewritten URLs. Upon filesystems which don't handle case-insensitive paths differently it might be possible that unanticipated resources could be made available by mod_userdir. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 multipath-tools It was discovered that multipathd of multipath-tools, a tool-chain to manage disk multipath device maps, uses insecure permissions on its unix domain control socket which enables local attackers to issue commands to multipathd prevent access to storage devices or corrupt file system data. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 lighttpd Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 tunapie Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ejabberd It was discovered that ejabberd, a distributed, fault-tolerant Jabber/XMPP server, does not sufficiently sanitise MUC logs, allowing remote attackers to perform cross-site scripting (XSS) attacks. The oldstable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems: Dirk Nehring discovered a vulnerability in the IPsec code that allows remote users to cause a denial of service by sending a specially crafted ESP packet. Tavis Ormandy discovered a vulnerability that allows local users to access uninitialized kernel memory, possibly leaking sensitive data. This issue is specific to the amd64-flavour kernel images. Andi Kleen discovered an issue where uninitialized kernel memory was being leaked to userspace during an exception. This issue may allow local users to gain access to sensitive data. Only the amd64-flavour Debian kernel images are affected. Alan Cox discovered an issue in multiple tty drivers that allows local users to trigger a denial of service (NULL pointer dereference) and possibly obtain elevated privileges. Gabriel Campana discovered an integer overflow in the sctp code that can be exploited by local users to cause a denial of service. Miklos Szeredi reported a missing privilege check in the do_change_type() function. This allows local, unprivileged users to change the properties of mount points. Tobias Klein reported a locally exploitable data leak in the snd_seq_oss_synth_make_info() function. This may allow local users to gain access to sensitive information. Zoltan Sogor discovered a coding error in the VFS that allows local users to exploit a kernel memory leak resulting in a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara Two vulnerabilities have been discovered in mahara, an electronic portfolio, weblog, and resume builder. The Common Vulnerabilities and Exposures project identifies the following problems: Ruslan Kabalin discovered a issue with resetting passwords, which could lead to a privilege escalation of an institutional administrator account. Sven Vetsch discovered a cross-site scripting vulnerability via the resume fields. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 krb5 Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identified the following problems: The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers of a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. Under certain conditions the SPNEGO GSS-API mechanism references a null pointer which crashes the application using the library. An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash of the kinit or KDC program. Under certain conditions the the ASN.1 decoder of the MIT krb5 implementation frees an uninitialized pointer which could lead to denial of service and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 libxml2 Brad Fitzpatrick discovered that the UTF-8 decoding functions of libxml2, the GNOME XML library, validate UTF-8 correctness insufficiently, which may lead to denial of service by forcing libxml2 into an infinite loop. For the old stable distribution (sarge), this problem has been fixed in version 2.6.16-7sarge1. For the stable distribution (etch), this problem has been fixed in version 2.6.27.dfsg-2. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libxml2 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mimetex Several vulnerabilities have been discovered in mimetex, a lightweight alternative to MathML. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans and Damien Miller, discovered multiple stack-based buffer overflow. An attacker could execute arbitrary code via a TeX file with long picture, circle, input tags. Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. A remote attacker can obtain sensitive information. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 pdns-recursor Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (CVE-2008-1637 and CVE-2008-3217) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gst-plugins-bad0.10 Several vulnerabilities have been found in gst-plugins-bad0.10, a collection of various GStreamer plugins. The Common Vulnerabilities and Exposures project identifies the following problems: Tobias Klein discovered a buffer overflow in the quicktime stream demuxer (qtdemux), which could potentially lead to the execution of arbitrary code via crafted .mov files. Tobias Klein discovered an array index error in the quicktime stream demuxer (qtdemux), which could potentially lead to the execution of arbitrary code via crafted .mov files. Tobias Klein discovered a buffer overflow in the quicktime stream demuxer (qtdemux) similar to the issue reported in CVE-2009-0386, which could also lead to the execution of arbitrary code via crafted .mov files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ocsinventory-agent It was discovered that the ocsinventory-agent which is part of the ocsinventory suite, a hardware and software configuration indexing service, is prone to an insecure perl module search path. As the agent is started via cron and the current directory (/ in this case) is included in the default perl module path the agent scans every directory on the system for its perl modules. This enables an attacker to execute arbitrary code via a crafted ocsinventory-agent perl module placed on the system. The oldstable distribution (etch) does not contain ocsinventory-agent. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mysql-dfsg-5.0 Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code. The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 syslog-ng Oriol Carreras discovered that syslog-ng, a next generation logging daemon can be tricked into dereferencing a NULL pointer through malformed timestamps, which can lead to denial of service and the disguise of an subsequent attack, which would otherwise be logged. The old stable distribution (sarge) is not affected. For the stable distribution (etch), this problem has been fixed in version 2.0.0-1etch1. For the unstable distribution (sid), this problem has been fixed in version 2.0.6-1. We recommend that you upgrade your syslog-ng package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nspr Several vulnerabilities have been discovered in the NetScape Portable Runtime Library, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: A programming error in the string handling code may lead to the execution of arbitrary code. An integer overflow in the Base64 decoding functions may lead to the execution of arbitrary code. The old stable distribution (etch) doesn't contain nspr. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 cupsys Several local vulnerabilities have been discovered in the Common UNIX Printing System. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that insufficient bounds checking in the SGI image filter may lead to the execution of arbitrary code. It was discovered that an integer overflow in the Postscript conversion tool texttops may lead to the execution of arbitrary code. It was discovered that insufficient bounds checking in the HPGL filter may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation or a leak of sensitive memory. The Common Vulnerabilities and Exposures project identifies the following problems: Herbert Xu discovered an issue in the way UDP tracks corking status that could allow local users to cause a denial of service (system crash). Tavis Ormandy and Julien Tinnes discovered that this issue could also be used by local users to gain elevated privileges. Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ipplan It was discovered that ipplan, a web-based IP address manager and tracker, does not sufficiently escape certain input parameters, which allows remote attackers to conduct cross-site scripting attacks. The oldstable distribution (etch) does not contain ipplan. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 memcached Ronald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 horde3 Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php5 Several remote vulnerabilities have been discovered in the PHP5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well: The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny): Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package: Let PHP use the system timezone database instead of the embedded timezone database which is out of date. From the source tarball, the unused "dbase" module has been removed which contained licensing problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libpam-heimdal Derek Chan discovered that the PAM module for the Heimdal Kerberos implementation allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to local privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceape Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in Javascript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through Javascript. It was discovered that malformed content declarations of saved attachments could prevent a user in the opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 pygresql It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apr apr-util Matt Lewis discovered that the memory management code in the Apache Portable Runtime (APR) library does not guard against a wrap-around during size computations. This could cause the library to return a memory area which smaller than requested, resulting a heap overflow and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openldap2.3 Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. The Common Vulnerabilities and Exposures project identifies the following problems: Thomas Sesselmann discovered that slapd could be crashed by a malformed modify requests. Toby Blade discovered that incorrect memory handling in slapo-pcache could lead to denial of service through crafted search requests. It was discovered that a programming error in the interface to the BDB storage backend could lead to denial of service through crafted modify requests. It was discovered that a programming error in the interface to the BDB storage backend could lead to denial of service through crafted modrdn requests. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 diatheke Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpmyadmin Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Remote authenticated users could execute arbitrary code on the host running phpMyAdmin through manipulation of a script parameter. Cross site scripting through the setup script was possible in rare circumstances. Protection has been added against remote websites loading phpMyAdmin into a frameset. Cross site request forgery allowed remote attackers to create a new database, but not perform any other action on it. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python2.4 Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure. It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch. Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code. Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 awstats Morgan Todd discovered a cross-site scripting vulnerability in awstats, a log file analyzer, involving the "config" request parameter (and possibly others; CVE-2008-3714). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openldap2.3 Cameron Hotchkies discovered that the OpenLDAP server slapd, a free implementation of the Lightweight Directory Access Protocol, could be crashed by sending malformed ASN1 requests. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libpam-krb5 Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems: Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from enviromnent variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control. Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Juan Pablo Lopez Yacubian discovered that incorrect handling of invalid URLs could be used for spoofing the location bar and the SSL certificate status of a web page. Xulrunner is no longer supported for the old stable distribution (etch). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 subversion Matt Lewis discovered that Subversion performs insufficient input validation of svndiff streams. Malicious servers could cause heap overflows in clients, and malicious clients with commit access could cause heap overflows in servers, possibly leading to arbitrary code execution in both cases. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpmyadmin Michael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising allowing a user assisted remote attacker to execute code on the webserver. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Tavis Ormandy reported a local DoS and potential privilege escalation in the Virtual Dynamic Shared Objects (vDSO) implementation. Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 slash It has been discovered that Slash, the Slashdot Like Automated Storytelling Homepage suffers from two vulnerabilities related to insufficient input sanitation, leading to execution of SQL commands (CVE-2008-2231) and cross-site scripting (CVE-2008-2553). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 uw-imap Two vulnerabilities have been found in uw-imap, an IMAP implementation. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that several buffer overflows can be triggered via a long folder extension argument to the tmail or dmail program. This could lead to arbitrary code execution (CVE-2008-5005). It was discovered that a NULL pointer dereference could be triggered by a malicious response to the QUIT command leading to a denial of service (CVE-2008-5006). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel webbrowser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh discovered that a buffer overflow in the http-index-format parser could lead to arbitrary code execution. Liu Die Yu discovered an information leak through local shortcut files. Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. It was discovered that crashes in the layout engine could lead to arbitrary code execution. It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. moz_bug_r_a4 discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. Collin Jackson discovered that the -moz-binding property bypasses security checks on codebase principals. Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libdbd-pg-perl Two vulnerabilities have been discovered in libdbd-pg-perl, the DBI driver module for PostgreSQL database access (DBD::Pg). A heap-based buffer overflow may allow attackers to execute arbitrary code through applications which read rows from the database using the pg_getline and getline functions. (More common retrieval methods, such as selectall_arrayref and fetchrow_array, are not affected.) A memory leak in the routine which unquotes BYTEA values returned from the database allows attackers to cause a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libcairo Peter Valchev (Google Security) discovered a series of integer overflow weaknesses in Cairo, a vector graphics rendering library used by many other applications. If an application uses cairo to render a maliciously crafted PNG image, the vulnerability allows the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdegraphics Two security issues have been discovered in kdegraphics, the graphics apps from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the KSVG animation element implementation suffers from a null pointer dereference flaw, which could lead to the execution of arbitrary code. It was discovered that the KSVG animation element implementation is prone to a use-after-free flaw, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 splitvt Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing xprop. This could allow any local user to gain the privileges of group utmp. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libxml2 Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml2, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 3.1 kernel-source-2.6.8 Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process umask which may lead to unintentionally relaxed permissions. Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap. Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update: We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN. The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code. Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 typo3-src Several remotely exploitable vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: Chris John Riley discovered that the TYPO3-wide used encryption key is generated with an insufficiently random seed resulting in low entropy which makes it easier for attackers to crack this key. Marcus Krause discovered that TYPO3 is not invalidating a supplied session on authentication which allows an attacker to take over a victims session via a session fixation attack. Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various arguments and user supplied strings used in the indexed search system extension, adodb extension test scripts or the workspace module. Mads Olesen discovered a remote command injection vulnerability in the indexed search system extension which allows attackers to execute arbitrary code via a crafted file name which is passed unescaped to various system tools that extract file content for the indexing. Because of CVE-2009-0255, please make sure that besides installing this update, you also create a new encryption key after the installation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 horde3 Stefan Esser discovered that Horde, a web application framework providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME, and more, is insufficiently validating and escaping user provided input. The Horde_Form_Type_image form element allows to reuse a temporary filename on reuploads which are stored in a hidden HTML field and then trusted without prior validation. An attacker can use this to overwrite arbitrary files on the system or to upload PHP code and thus execute arbitrary code with the rights of the webserver. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 horde3 Ulf Hauml rnhammar discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client. This update also provides backported bugfixes to the cross-site scripting filter and the user management API from the latest Horde release 3.1.6. The old stable distribution (sarge) is not affected. An update to Etch is recommended, though. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 openoffice.org Several security related problems have been discovered in OpenOffice.org, the free office suite. The Common Vulnerabilities and Exposures project identifies the following problems: Several bugs have been discovered in the way OpenOffice.org parses Quattro Pro files that may lead to a overflow in the heap potentially leading to the execution of arbitrary code. Specially crafted EMF files can trigger a buffer overflow in the heap that may lead to the execution of arbitrary code. A bug has been discovered in the processing of OLE files that can cause a buffer overflow in the heap potentially leading to the execution of arbitrary code. Recently reported problems in the ICU library are fixed in separate libicu packages with DSA 1511 against which OpenOffice.org is linked. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gnome-peercast Several remote vulnerabilities have been discovered in GNOME PeerCast, the GNOME interface to PeerCast, a P2P audio and video streaming server. The Common Vulnerabilities and Exposures project identifies the following problems: Luigi Auriemma discovered that PeerCast is vulnerable to a heap overflow in the HTTP server code, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request. Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 boinc It was discovered that the core client for the BOINC distributed computing infrastructure performs incorrect validation of the return values of OpenSSL's RSA functions. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libarchive1 Several local/remote vulnerabilities have been discovered in libarchive1, a single library to read/write tar, cpio, pax, zip, iso9660 archives. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libarchive1 would miscompute the length of a buffer resulting in a buffer overflow if yet another type of corruption occurred in a pax extension header. It was discovered that if an archive prematurely ended within a pax extension header the libarchive1 library could enter an infinite loop. If an archive prematurely ended within a tar header, immediately following a pax extension header, libarchive1 could dereference a NULL pointer. The old stable distribution (sarge), does not contain this package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 dbus Havoc Pennington discovered that DBus, a simple interprocess messaging system, performs insufficient validation of security policies, which might allow local privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems: Wei Wang from McAfee reported a potential heap overflow in the ASN.1 decode code that is used by the SNMP NAT and CIFS subsystem. Exploitation of this issue may lead to arbitrary code execution. This issue is not believed to be exploitable with the pre-built kernel images provided by Debian, but it might be an issue for custom images built from the Debian-provided source package. Brandon Edwards of McAfee Avert labs discovered an issue in the DCCP subsystem. Due to missing feature length checks it is possible to cause an overflow that may result in remote arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG() due to a race condition in the do_setlk function. Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. Helge Deller discovered a denial of service condition that allows local users on PA-RISC systems to crash a system by attempting to unwind a stack contiaining userspace addresses. Alan Cox discovered a lack of minimum timeouts on SG_IO requests, which allows local users of systems using ATA to cause a denial of service by forcing drives into PIO mode. Vlad Malov reported an issue on 64-bit MIPS systems where a local user could cause a system crash by crafing a malicious binary which makes o32 syscalls with a number less than 4000. Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all of kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. Duane Griffin provided a fix for an issue in the eCryptfs subsystem which allows local users to cause a denial of service (fault or memory corruption). Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Mikulas Patocka reported an issue in the console subsystem that allows a local user to cause memory corruption by selecting a small number of 3-byte UTF-8 characters. Shaohua Li reported an issue in the AGP subsystem that may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxml Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems: The smbclient utility contains a formatstring vulnerability where commands dealing with file names treat user input as format strings to asprintf. In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. The old stable distribution (etch) is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 clamav Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers from an off-by-one-error in its VBA project file processing, leading to a heap-based buffer overflow and potentially arbitrary code execution (>CVE-2008-5050). Ilja van Sprundel discovered that ClamAV contains a denial of service condition in its JPEG file processing because it does not limit the recursion depth when processing JPEG thumbnails (CVE-2008-5314). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nginx A denial of service vulnerability has been found in nginx, a small and efficient web server. Jasson Bell discovered that a remote attacker could cause a denial of service (segmentation fault) by sending a crafted request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nss Several vulnerabilities have been discovered in the Network Security Service libraries. The Common Vulnerabilities and Exposures project identifies the following problems: Moxie Marlinspike discovered that a buffer overflow in the regular expression parser could lead to the execution of arbitrary code. Dan Kaminsky discovered that NULL characters in certificate names could lead to man-in-the-middle attacks by tricking the user into accepting a rogue certificate. Certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. The old stable distribution (etch) doesn't contain nss. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wordpress Several remote vulnerabilities have been discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a ".." (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Wordpress is not present in the oldstable distribution (sarge). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 imlib2 Stefan Cornelius discovered two buffer overflows in Imlib"s - a powerful image loading and rendering library - image loaders for PNM and XPM images, which may result in the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 slurm-llnl It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster job management and scheduling system, did not drop the supplemental groups. These groups may be system groups with elevated privileges, which may allow a valid SLURM user to gain elevated privileges. The old stable distribution (etch) does not contain a slurm-llnl package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 xfree86 The X.org fix for CVE-2007-6429 introduced a regression in the MIT-SHM extension, which prevented the start of a few applications. This update provides updated packages for the xfree86 version included in Debian old stable (sarge) in addition to the fixed packages for Debian stable (etch), which were provided in DSA 1466-2. For reference the original advisory text below: Several local vulnerabilities have been discovered in the X.Org X server. The Common Vulnerabilities and Exposures project identifies the following problems: regenrecht discovered that missing input sanitising within the XFree86-Misc extension may lead to local privilege escalation. It was discovered that error messages of security policy file handling may lead to a minor information leak disclosing the existence of files otherwise inaccessible to the user. regenrecht discovered that missing input sanitising within the XInput-Misc extension may lead to local privilege escalation. regenrecht discovered that missing input sanitising within the TOG-CUP extension may lead to disclosure of memory contents. regenrecht discovered that integer overflows in the EVI and MIT-SHM extensions may lead to local privilege escalation. It was discovered that insufficient validation of PCF fonts could lead to local privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 glib2.0 Diego Pettenograve discovered that glib2.0, the GLib library of C routines, handles large strings insecurely via its Base64 encoding functions. This could possible lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 dspam Tobias Gruuml tzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line. This allowed a local attacker to read the contents of the dspam database, such as emails. The old stable distribution (sarge) does not contain the dspam package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 moodle Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code. It was discovered that certain input via the "Login as" function was not properly sanitised leading to the injection of arbitrary web script. Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 dbus Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gforge Laurent Almeras and Guillaume Smet have discovered a possible SQL injection vulnerability and cross-site scripting vulnerabilities in gforge, a collaborative development tool. Due to insufficient input sanitising, it was possible to inject arbitrary SQL statements and use several parameters to conduct cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 git-core Peter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. This issue only affects the DEC Alpha and MIPS (big and little endian) architectures. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 cpio Dmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 wzdftpd k1tk4t discovered that wzdftpd, a portable, modular, small and efficient ftp server, did not correctly handle the receipt of long usernames. This could allow remote users to cause the daemon to exit. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ganglia-monitor-core Spike Spiegel discovered a stack-based buffer overflow in gmetad, the meta-daemon for the ganglia cluster monitoring toolkit, which could be triggered via a request with long path names and might enable arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wordpress Several remote vulnerabilities have been discovered in Wordpress, the weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information. The XML-RPC implementation, when registration is enabled, allows remote attackers to edit posts of other blog users. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 krb5 Several remote vulnerabilities have been discovered in the kdc component of the krb5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identifies the following problems: An unauthenticated remote attacker may cause a krb4-enabled KDC to crash, expose information, or execute arbitrary code. Successful exploitation of this vulnerability could compromise the Kerberos key database and host security on the KDC host. An unauthenticated remote attacker may cause a krb4-enabled KDC to expose information. It is theoretically possible for the exposed information to include secret key data on some platforms. An unauthenticated remote attacker can cause memory corruption in the kadmind process, which is likely to cause kadmind to crash, resulting in a denial of service. It is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution, though we have no such exploit and are not aware of any such exploits in use in the wild. In versions of MIT Kerberos shipped by Debian, this bug can only be triggered in configurations that allow large numbers of open file descriptors in a process. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mantis It was discovered that the Debian Mantis package, a web based bug tracking system, installed the database credentials in a file with world-readable permissions onto the local filesystem. This allows local users to acquire the credentials used to control the Mantis database. This updated package corrects this problem for new installations and will carefully try to update existing ones. Administrators can check the permissions of the file /etc/mantis/config_db.php to see if they are safe for their environment. The old stable distribution (etch) does not contain a mantis package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 bind9 Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade. 1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open it at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.) 2. Install the BIND 9 upgrade, using "apt-get update" followed by "apt-get install bind9". Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.) 3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form right after the "listening on IPv6 interface" and "listening on IPv4 interface" messages logged by BIND upon startup. If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with "*" sign (e.g., replace "port 53" with "port *"). For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization. 4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.) Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1. The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug #449148). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python-django Simon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorized modification of data through cross site request forgery. This is possible regardless of the Django plugin to prevent cross site request forgery being enabled. The Common Vulnerabilities and Exposures project identifies this issue as CVE-2008-3909. In this update the affected feature is disabled; this is in accordance with upstream"s preferred solution for this situation. This update takes the opportunity to also include a relatively minor denial of service attack in the internationalisation framework, known as CVE-2007-5712. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 util-linux It was discovered that util-linux, miscellaneous system utilities, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 acpid It was discovered that acpid, a daemon for delivering ACPI events, is prone to a denial of service attack by opening a large number of UNIX sockets, which are not closed properly. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 libexif Several vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed image. The Common Vulnerabilities and Exposures project identifies the following problems: Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. Meder Kydyraliev discovered an infinite loop, which may result in denial of service. Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. This update also fixes two potential NULL pointer deferences. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdelibs Several security issues have been discovered in kdelibs, core libraries from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that there is a use-after-free flaw in handling certain DOM event handlers. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that there could be an uninitialised pointer when handling a Cascading Style Sheets (CSS) attr function call. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that the JavaScript garbage collector does not handle allocation failures properly, which could lead to the execution of arbitrary code when visiting a malicious website. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openssh It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability (CVE-2008-4109). The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051), but the patch backported to the version released with etch was incorrect. Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a "[net]" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability. It is possible to trigger this denial of service condition by accident. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 php5 Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: Buffer overflow in the imageloadfont function allows a denial of service or code execution through a crafted font file. Buffer overflow in the memnstr function allows a denial of service or code execution via a crafted delimiter parameter to the explode function. Denial of service is possible in the FastCGI module by a remote attacker by making a request with multiple dots before the extension. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 imp4 Several vulnerabilities have been found in imp4, a webmail component for the horde framework. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that imp4 suffers from a cross-site scripting (XSS) attack via the user field in an IMAP session, which allows attackers to inject arbitrary HTML code. It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 sympa It was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). This update also fixes a regression introduced by the fix for CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on systems with SELinux enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxml2 It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a leak of sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. Olaf Kirch discovered an issue with the i915 driver that may allow local users to cause memory corruption by use of an ioctl with insufficient privilege restrictions. Eugene Teo discovered two issues in the SCTP subsystem which allow local users to obtain access to sensitive memory when the SCTP-AUTH extension is enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups cupsys Anibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wordpress Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing atacks. It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack. It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information. It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. It was discovered that the administrator interface is prone to a cross-site scripting attack. It was discovered that remote attackers can gain privileges via certain direct requests. It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks. It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user. It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs. It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 perl It has been discovered that the Perl interpreter may encounter a buffer overflow condition when compiling certain regular expressions containing Unicode characters. This also happens if the offending characters are contained in a variable reference protected by the \Q...\E quoting construct. When encountering this condition, the Perl interpreter typically crashes, but arbitrary code execution cannot be ruled out. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 hplip Kees Cook discovered that the hpssd tool of the HP Linux Printing and Imaging System (HPLIP) performs insufficient input sanitising of shell meta characters, which may result in local privilege escalation to the hplip user. The old stable distribution (sarge) is not affected by this problem. For the stable distribution (etch), this problem has been fixed in version 1.6.10-3etch1. For the unstable distribution (sid), this problem has been fixed in version 1.6.10-4.3. We recommend that you upgrade your hplip packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 blender Stefan Cornelius discovered a vulnerability in the Radiance High Dynamic Range (HDR) image parser in Blender, a 3D modelling application. The weakness could enable a stack-based buffer overflow and the execution of arbitrary code if a maliciously-crafted HDR file is opened, or if a directory containing such a file is browsed via Blender's image-open dialog. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 amule Sam Hocevar discovered that amule, a client for the eD2k and Kad networks, does not properly sanitise the filename, when using the preview function. This could lead to the injection of arbitrary commands passed to the video player. The oldstable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 feta Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools creates temporary files insecurely, which may lead to local denial of service through symlink attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gforge It was discovered that gforge, collaborative development tool, is prone to a cross-site scripting attack via the helpname parameter. Beside fixing this issue, the update also introduces some additional input sanitising. However, there are no known attack vectors. The oldstable distribution (etch), these problems have been fixed in version 4.5.14-22etch12. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 php4 Several vulnerabilities have been discovered in PHP version 4, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: The session_start function allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from various parameters. A denial of service was possible through a malicious script abusing the glob() function. Certain maliciously constructed input to the wordwrap() function could lead to a denial of service attack. Large len values of the stspn() or strcspn() functions could allow an attacker to trigger integer overflows to expose memory or cause denial of service. The escapeshellcmd API function could be attacked via incomplete multibyte chars. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 3.1 kernel-source-2.4.27 Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling. Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code. Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops). Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update: We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceape It was discovered that crashes in the JavaScript engine of Iceape, an unbranded version of the Seamonkey internet suite could potentially lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gaim It was discovered that gaim, an multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mplayer Several vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gnumeric Thilo Pfennig and Morten Welinder discovered several integer overflow weaknesses in Gnumeric, a GNOME spreadsheet application. These vulnerabilities could result in the execution of arbitrary code through the opening of a maliciously crafted Excel spreadsheet. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dhcp3 Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ruby1.9 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems: Keita Yamaguchi discovered that several safe level restrictions are insufficiently enforced. Christian Neukirchen discovered that the WebRick module uses inefficient algorithms for HTTP header splitting, resulting in denial of service through resource exhaustion. It was discovered that the dl module doesn't perform taintness checks. Luka Treiber and Mitja Kolsek discovered that recursively nested XML entities can lead to denial of service through resource exhaustion in rexml. Tanaka Akira discovered that the resolv module uses sequential transaction IDs and a fixed source port for DNS queries, which makes it more vulnerable to DNS spoofing attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 dovecot Prior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory on the server (for example, through an SSH login) could read and also delete via a symbolic link mailboxes owned by other users for which they do not have direct access (CVE-2008-1199). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (CVE-2008-1218). Note that applying this update requires manual action: The configuration setting mail_extra_groups = mail has been replaced with mail_privileged_group = mail. The update will show a configuration file conflict in /etc/dovecot/dovecot.conf. It is recommended that you keep the currently installed configuration file, and change the affected line. For your reference, the sample configuration (without your local changes) will have been written to /etc/dovecot/dovecot.conf.dpkg-new. If your current configuration uses mail_extra_groups with a value different from mail, you may have to resort to the mail_access_groups configuration directive. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 newsx It was discovered that newsx, an NNTP news exchange utility, was affected by a buffer overflow allowing remote attackers to execute arbitrary code via a news article containing a large number of lines starting with a period. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ldapscripts Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing. The old stable distribution (sarge) does not contain an ldapscripts package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ipsec-tools Several remote vulnerabilities have been discovered in racoon, the Internet Key Exchange daemon of ipsec-tools. The The Common Vulnerabilities and Exposures project identified the following problems: Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets that contain no payload. This results in the daemon crashing which can be used for denial of service attacks. Various memory leaks in the X.509 certificate authentication handling and the NAT-Traversal keepalive implementation can result in memory exhaustion and thus denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 turba2 Peter Paul Elfferich discovered that turba2, a contact management component for horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 strongswan Several remote vulnerabilities have been discovered in strongswan, an implementation of the IPSEC and IKE protocols. The Common Vulnerabilities and Exposures project identifies the following problems: The charon daemon can crash when processing certain crafted IKEv2 packets. (The old stable distribution (etch) was not affected by these two problems because it lacks IKEv2 support.) The pluto daemon could crash when processing a crafted X.509 certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libtorrent-rasterbar It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files. The old stable distribution (etch) doesn't include libtorrent-rasterbar. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 expat Peter Valchev discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. moz_bug_r_a4 discovered several cross-site scripting vulnerabilities. Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context of signed JAR archives. moz_bug_r_a4 discovered that XUL documents can escalate privileges by accessing the pre-compiled fastload file. moz_bug_r_a4 discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceweasel itself is not affected, but some addons are. Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. Masahiro Yamada discovered that file URLs in directory listings were insufficiently escaped. John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofing of secure connections. Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code. Billy Rios discovered that passing an URL containing a pipe symbol to Iceweasel can lead to Chrome privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 fckeditor Vinny Guido discovered that multiple input sanitising vulnerabilities in Fckeditor, a rich text web editor component, may lead to the execution of arbitrary code. The old stable distribution (etch) doesn't contain fckeditor. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ntp Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phpmyadmin Several remote vulnerabilities have been discovered in phpMyAdmin, an application to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems: Attackers with CREATE table permissions were allowed to read arbitrary files readable by the webserver via a crafted HTTP POST request. The PHP session data file stored the username and password of a logged in user, which in some setups can be read by a local user. Cross site scripting and SQL injection were possible by attackers that had permission to create cookies in the same cookie domain as phpMyAdmin runs in. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 afuse Anders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openssl It was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 openjdk-6 Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform. Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition. Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition (CVE-2009-0581), heap-based buffer overflows, potentially allowing arbitrary code execution (CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference, leading to denial of service (CVE-2009-0793). The LDAP server implementation (in com.sun.jdni.ldap) did not properly close sockets if an error was encountered, leading to a denial-of-service condition. The LDAP client implementation (in com.sun.jdni.ldap) allowed malicious LDAP servers to execute arbitrary code on the client. The HTTP server implementation (sun.net.httpserver) contained an unspecified denial of service vulnerability. Several issues in Java Web Start have been addressed. The Debian packages currently do not support Java Web Start, so these issues are not directly exploitable, but the relevant code has been updated nevertheless. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: The execution of arbitrary code might be possible via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. (MFSA 2009-10) It is possible to execute arbitrary code via vectors related to the layout engine. (MFSA 2009-01) It is possible to execute arbitrary code via vectors related to the JavaScript engine. (MFSA 2009-01) Bjoern Hoehrmann and Moxie Marlinspike discovered a possible spoofing attack via Unicode box drawing characters in internationalized domain names. (MFSA 2009-15) Memory corruption and assertion failures have been discovered in the layout engine, leading to the possible execution of arbitrary code. (MFSA 2009-07) The layout engine allows the execution of arbitrary code in vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection. (MFSA 2009-07) The JavaScript engine is prone to the execution of arbitrary code via several vectors. (MFSA 2009-07) The layout engine allows the execution of arbitrary code via vectors related to gczeal. (MFSA 2009-07) Georgi Guninski discovered that it is possible to obtain xml data via an issue related to the nsIRDFService. (MFSA 2009-09) The browser engine is prone to a possible memory corruption via several vectors. (MFSA 2009-14) The browser engine is prone to a possible memory corruption via the nsSVGElement::BindToTree function. (MFSA 2009-14) Gregory Fleischer discovered that it is possible to bypass the Same Origin Policy when opening a Flash file via the view-source: scheme. (MFSA 2009-17) The possible arbitrary execution of code was discovered via vectors involving "double frame construction." (MFSA 2009-24) Several issues were discovered in the browser engine as used by icedove, which could lead to the possible execution of arbitrary code. (MFSA 2009-24) Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy due to insufficient checks on a certain proxy response. (MFSA 2009-27) moz_bug_r_a4 discovered that it is possible to execute arbitrary JavaScript with chrome privileges due to an error in the garbage collection implementation. (MFSA 2009-29) moz_bug_r_a4 reported that it is possible for scripts from page content to run with elevated privileges and thus potentially executing arbitrary code with the object's chrome privileges. (MFSA 2009-32) Bernd Jendrissek discovered a potentially exploitable crash when viewing a multipart/alternative mail message with a text/enhanced part. (MFSA 2009-33) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 eggdrop Several vulnerabilities have been discovered in eggdrop, an advanced IRC robot. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that eggdrop is vulnerable to a buffer overflow, which could result in a remote user executing arbitrary code. The previous DSA (DSA-1448-1) did not fix the issue correctly. It was discovered that eggdrop is vulnerable to a denial of service attack, that allows remote attackers to cause a crash via a crafted PRIVMSG. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libhtml-parser-perl A denial of service vulnerability has been found in libhtml-parser-perl, a collection of modules to parse HTML in text documents which is used by several other projects like e.g. SpamAssassin. Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 dovecot It was discovered that Dovecot, a POP3 and IMAP server, only when used # Remark: "base" refers to a variable(?!) and should not contain something as # base = %r! with LDAP authentication and base contains variables, could allow a user to log in to the account of another user with the same password. The old stable distribution (sarge) is not affected. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch3. For the unstable distribution (sid), this problem has been fixed in version 1.0.10-1. We recommend that you upgrade your dovecot packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 policyd-weight Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gforge Stephen Gran and Mark Hymers discovered that some scripts run by GForge, a collaborative development tool, open files in write mode in a potentially insecure manner. This may be exploited to overwrite arbitrary files on the local system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 phpbb2 Several remote vulnerabilities have been discovered in phpBB, a web based bulletin board. The Common Vulnerabilities and Exposures project identifies the following problems: Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page. Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only.) A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only.) Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only.) An authenticated forum administrator may upload files of any type by using specially crafted filenames. (Applies to sarge only.) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: Johannes Bauer discovered an integer overflow condition in the hrtimer subsystem on 64-bit systems. This can be exploited by local users to trigger a denial of service (DoS) by causing the kernel to execute an infinite loop. Jan Kratochvil reported a local denial of service condition that permits local users on systems running the amd64 flavor kernel to cause a system crash. Paul Harks discovered a memory leak in the Simple Internet Transition (SIT) code used for IPv6 over IPv4 tunnels. This can be exploited by remote users to cause a denial of service condition. David Miller and Jan Lieskovsky discovered issues with the virtual address range checking of mmaped regions on the sparc architecture that may be exploited by local users to cause a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 clamav Damian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to fail open, facilitating a follow-on viral attack. A previous version of this advisory referenced packages that were built incorrectly and omitted the intended correction. This issue was fixed in packages referenced by the -2 revision of the advisory. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2713 and CVE-2008-3215. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 sork-passwd-h3 It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Julien Tinnes and Tavis Ormandy reported an issue in the Linux personality code. Local users can take advantage of a setuid binary that can either be made to dereference a NULL pointer or drop privileges and return control to the user. This allows a user to bypass mmap_min_addr restrictions which can be exploited to execute arbitrary code. Mikulas Patocka discovered an issue in sparc64 kernels that allows local users to cause a denial of service (crash) by reading the /proc/iomem file. Miklos Szeredi reported an issue in the ocfs2 filesystem. Local users can create a denial of service (filesystem deadlock) using a particular sequence of splice system calls. Ramon de Carvalho Valle discovered two issues with the eCryptfs layered filesystem using the fsfuzzer utility. A local user with permissions to perform an eCryptfs mount may modify the contents of a eCryptfs file, overflowing the stack and potentially gaining elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 moin It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260). Another cross-site scripting vulnerability was discovered in the antispam feature (CVE-2009-0312). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. (MFSA 2008-37) It was discovered that crashes in the Javascript engine could potentially lead to the execution of arbitrary code. (MFSA 2008-20) "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. (MFSA 2008-41) Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. (MFSA 2008-43) It was discovered that a directory traversal allows attackers to read arbitrary files via a certain character. (MFSA 2008-44) It was discovered that a directory traversal allows attackers to bypass security restrictions and obtain sensitive information. (MFSA 2008-44) It was discovered that a buffer overflow could be triggered via a long header in a news article, which could lead to arbitrary code execution. (MFSA 2008-46) Liu Die Yu and Boris Zbarsky discovered an information leak through local shortcut files. (MFSA 2008-47, MFSA 2008-59) Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. (MFSA 2008-48) Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. (MFSA 2008-50) It was discovered that crashes in the layout engine could lead to arbitrary code execution. (MFSA 2008-52) It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. (MFSA 2008-52) It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. (MFSA 2008-55) "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. (MFSA 2008-56) Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. (MFSA 2008-58) Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 libvorbis Several vulnerabilities were found in the Vorbis General Audio Compression Codec, which may lead to denial of service or the execution of arbitrary code, if a user is tricked into opening a malformed Ogg Audio file with an application linked against libvorbis. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nss-ldapd Leigh James discovered that nss-ldapd, an NSS module for using LDAP as a naming service, by default creates the configuration file /etc/nss-ldapd.conf world-readable which could leak the configured LDAP password if one is used for connecting to the LDAP server. The old stable distribution (etch) doesn't contain nss-ldapd. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 roundup Roundup, an issue tracking system, fails to properly escape HTML input, allowing an attacker to inject client-side code (typically JavaScript) into a document that may be viewed in the victim's browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 pulseaudio Marcus Meissner discovered that the PulseAudio sound server performed insufficient checks when dropping privileges, which could lead to local privilege escalation. The old stable distribution (sarge) doesn't contain pulseaudio. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libvorbis Several local (remote) vulnerabilities have been discovered in libvorbis, a library for the Vorbis general-purpose compressed audio codec. The Common Vulnerabilities and Exposures project identifies the following problems: libvorbis does not properly handle a zero value which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. Integer overflow in libvorbis allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. Integer overflow in libvorbis allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file which triggers a heap overflow. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 evolution-data-server Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 kazehakase Andrews Salomon reported that kazehakase, a GTK+-based web browser that allows pluggable rendering engines, contained an embedded copy of the PCRE library in its source tree which was compiled in and used in preference to the system-wide version of this library. The PCRE library has been updated to fix the security issues reported against it in previous Debian Security Advisories. This update ensures that kazehakase uses that supported library, and not its own embedded and insecure version. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: "moz_bug_r_a4" discovered that a programming error in the FeedWriter module could lead to the execution of Javascript code with elevated privileges. Prateek Saxena discovered a cross-site scripting vulnerability in the MozSearch plugin interface. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openoffice.org Several vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in an integer underflow that may lead to heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. A vulnerability has been discovered in the parser of EMF files of OpenOffice/Go-oo 2.x and 3.x that can be triggered by a specially crafted document and lead to the execution of arbitrary commands the privileges of the user running OpenOffice.org/Go-oo. This vulnerability does not exist in the packages for oldstable, testing and unstable. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openswan Two vulnerabilities have been discovered in openswan, an IPSec implementation for linux. The Common Vulnerabilities and Exposures project identifies the following problems: Dmitry E. Oboukhov discovered that the livetest tool is using temporary files insecurely, which could lead to a denial of service attack. Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 asterisk Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups, which are configured to run without a password and only host-based authentication. Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. This update also fixes a format string vulnerability, which can only be triggered through configuration files under control of the local administrator. In later releases of Asterisk this issue is remotely exploitable and tracked as CVE-2008-1333. The status of the old stable distribution (sarge) is currently being investigated. If affected, an update will be released through security.debian.org. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel It was discovered that crashes in the Javascript engine of Iceweasel, an unbranded version of the Firefox browser, could potentially lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which could lead to information disclosure or potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (which disable dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. It was discovered that malformed content declarations of saved attachments could prevent a user from opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The old stable distribution (sarge) doesn't contain xulrunner. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xwine Steve Kemp from the Debian Security Audit project discovered several local vulnerabilities in xwine, a graphical user interface for the WINE emulator. The Common Vulnerabilities and Exposures project identifies the following problems: The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python-cherrypy It was discovered that a directory traversal vulnerability in CherryPy, a pythonic, object-oriented web development framework, may lead to denial of service by deleting files through malicious session IDs in cookies. The old stable distribution (sarge) doesn't contain python-cherrypy. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libsndfile Two vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems: Tobias Klein discovered that the VOC parsing routines suffer of a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header. The vendor discovered that the AIFF parsing routines suffer of a heap-based buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker via a crafted AIFF header. In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 no-ip A buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 opensaml shibboleth-sp Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignored key usage constraints. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 squid It was discovered that malformed cache update replies against the Squid WWW proxy cache could lead to the exhaustion of system memory, resulting in potential denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Martijn Wargers, Jesse Ruderman and Josh Soref discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered crashes in the layout engine, which might allow the execution of arbitrary code. Gary Kwong, and Timothee Groleau discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. It was discovered that incorrect memory management in the DOM element handling may lead to the execution of arbitrary code. Georgi Guninski discovered a violation of the same-origin policy through RDFXMLDataSource and cross-domain redirects. As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 tomcat5.5 Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. It was discovered that the host manager servlet performed insufficient input validation, which could lead to a cross-site scripting attack. It was discovered that the JULI logging component did not restrict its target path, resulting in potential denial of service through file overwrites. It was discovered that the WebDAV servlet is vulnerable to absolute path traversal. The old stable distribution (sarge) doesn't contain tomcat5.5. For the stable distribution (etch), these problems have been fixed in version 5.5.20-2etch1. For the unstable distribution (sid) these problems will be fixed soon. We recommend that you upgrade your tomcat5.5 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 tomcat5 Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. It was discovered that the WebDAV servlet is vulnerable to absolute path traversal. The old stable distribution (sarge) doesn't contain tomcat5. For the stable distribution (etch), these problems have been fixed in version 5.0.30-12etch1. The unstable distribution (sid) no longer contains tomcat5. We recommend that you upgrade your tomcat5 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xpdf Alin Rad Pop (Secunia) discovered a number of vulnerabilities in xpdf, a set of tools for display and conversion of Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following three problems: Inadequate DCT stream validation allows an attacker to corrupt memory and potentially execute arbitrary code by supplying a maliciously crafted PDF file. An integer overflow vulnerability in DCT stream handling could allow an attacker to overflow a heap buffer, enabling the execution of arbitrary code. A buffer overflow vulnerability in xpdf's CCITT image compression handlers allows overflow on the heap, allowing an attacker to execute arbitrary code by supplying a maliciously crafted CCITTFaxDecode filter. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxslt It was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT "transformation match" condition triggered a large number of steps. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python2.5 Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure. It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch. Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code. Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. Wei Yongjun reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel panic. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. Johannes Berg reported a remote DoS issue in the libertas wireless driver, which can be triggered by a specially crafted beacon/probe response. Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 net-snmp The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openssh The recently announced vulnerability in Debian's openssl package (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied. 1. Install the security updates This update contains a dependency on the openssl update and will automatically install a corrected version of the libssl0.9.8 package, and a new package openssh-blacklist. Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3). OpenSSH host keys can be automatically regenerated when the OpenSSH security update is applied. The update will prompt for confirmation before taking this step. 2. Update OpenSSH known_hosts files The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this: In this case, the host key has simply been changed, and you should update the relevant known_hosts file as indicated in the error message. It is recommended that you use a trustworthy channel to exchange the server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on the server; its fingerprint can be printed using the command: ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub In addition to user-specific known_hosts files, there may be a system-wide known hosts file /etc/ssh/ssh_known_hosts. This is file is used both by the ssh client and by sshd for the hosts.equiv functionality. This file needs to be updated as well. 3. Check all OpenSSH user keys The safest course of action is to regenerate all OpenSSH user keys, except where it can be established to a high degree of certainty that the key was generated on an unaffected system. Check whether your key is affected by running the ssh-vulnkey tool, included in the security update. By default, ssh-vulnkey will check the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2), and the system's host keys (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key). To check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): ssh-vulnkey To check all keys on your system: sudo ssh-vulnkey -a To check a key in a non-standard location: ssh-vulnkey /path/to/key If ssh-vulnkey says "Unknown (no blacklist information)", then it has no information about whether that key is affected. In this case, you can examine the modification time (mtime) of the file using "ls -l". Keys generated before September 2006 are not affected. Keep in mind that, although unlikely, backup procedures may have changed the file date back in time (or the system clock may have been incorrectly set). If in doubt, generate a new key and remove the old one from any servers. 4. Regenerate any affected user keys OpenSSH keys used for user authentication must be manually regenerated, including those which may have since been transferred to a different system after being generated. New keys can be generated using ssh-keygen, e.g.: 5. Update authorized_keys files (if necessary) Once the user keys have been regenerated, the relevant public keys must be propagated to any authorized_keys files (and authorized_keys2 files, if applicable) on remote systems. Be sure to delete the lines containing old keys from those files. In addition to countermeasures to mitigate the randomness vulnerability, this OpenSSH update fixes several other vulnerabilities: CVE-2008-1483: Timo Juhani Lindfors discovered that, when using X11 forwarding, the SSH client selects an X11 forwarding port without ensuring that it can be bound on all address families. If the system is configured with IPv6 (even if it does not have working IPv6 connectivity), this could allow a local attacker on the remote server to hijack X11 forwarding. CVE-2007-4752: Jan Pechanec discovered that ssh falls back to creating a trusted X11 cookie if creating an untrusted cookie fails, potentially exposing the local display to a malicious remote server when using X11 forwarding. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 lighttpd It was discovered that lighttpd, a fast webserver with minimal memory footprint, would display the source to CGI scripts if their execution failed in some circumstances. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 rdesktop Several remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client. The Common Vulnerabilities and Exposures project identifies the following problems: Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 silc-client/silc-toolkit Several vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems: An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn't need an update as it uses the shared library provided by silc-toolkit. silc-client/silc-toolkit in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 typo3-src Several remote vulnerabilities have been discovered in the TYPO3 web content management framework. Marcus Krause and Michael Stucki from the TYPO3 security team discovered that the jumpUrl mechanism discloses secret hashes enabling a remote attacker to bypass access control by submitting the correct value as a URL parameter and thus being able to read the content of arbitrary files. Jelmer de Hen and Dmitry Dulepov discovered multiple cross-site scripting vulnerabilities in the backend user interface allowing remote attackers to inject arbitrary web script or HTML. As it is very likely that your encryption key has been exposed we strongly recommend to change your encyption key via the install tool after installing the update. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wordnet Rob Holland discovered several programming errors in WordNet, an electronic lexical database of the English language. These flaws could allow arbitrary code execution when used with untrusted input, for example when WordNet is in use as a back end for a web application. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxml2 Andreas Solberg discovered that libxml2, the GNOME XML library, could be forced to recursively evaluate entities, until available CPU and memory resources were exhausted. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 cupsys Several local/remote vulnerabilities have been discovered in cupsys, the Common Unix Printing System. The Common Vulnerabilities and Exposures project identifies the following problems: Heap-based buffer overflow in CUPS, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions. Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly the execution of arbitrary code via crafted packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xine-lib Multiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. The Common Vulnerabilities and Exposures project identifies the following three problems: Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types. Insufficient input validation in the Speex implementation used by this version of xine enables an invalid array access and the execution of arbitrary code by supplying a maliciously crafted Speex file. Inadequate bounds checking in the NES Sound Format (NSF) demuxer enables a stack buffer overflow and the execution of arbitrary code through a maliciously crafted NSF file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mon Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 proftpd-dfsg Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems: Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 netpbm-free A vulnerability was discovered in the GIF reader implementation in netpbm-free, a suite of image manipulation utilities. Insufficient input data validation could allow a maliciously-crafted GIF file to overrun a stack buffer, potentially permitting the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 qemu Dmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu, fast processor emulator, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups It was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-ocaml It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 alsa-driver Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 auth2db It was discovered that auth2db, an IDS logger, log viewer and alert generator, is prone to an SQL injection vulnerability, when used with multibyte character encodings. The oldstable distribution (etch) doesn't contain auth2db. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 djbdns Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain Name System server, does not constrain offsets in the required manner, which allows remote attackers with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain. The old stable distribution (etch) does not contain djbdns. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceape Several remote vulnerabilities have been discovered in Iceape an unbranded version of the Seamonkey internet suite. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. (MFSA 2008-37) It was discovered that a buffer overflow in MIME decoding can lead to the execution of arbitrary code. (MFSA 2008-26) It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. (MFSA 2008-34) Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-21) Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-21) "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities. (MFSA 2008-22) Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context or signed JAR archives. (MFSA 2008-23) "moz_bug_r_a4" discovered that XUL documements can escalate privileges by accessing the pre-compiled "fastload" file. (MFSA 2008-24) "moz_bug_r_a4" discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceape itself is not affected, but some addons are. (MFSA 2008-25) Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. (MFSA 2008-27) Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. (MFSA 2008-29) Masahiro Yamada discovered that file URLs in directory listings were insufficiently escaped. (MFSA 2008-30) John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofings of secure connections. (MFSA 2008-31) It was discovered that URL shortcut files could be used to bypass the same-origin restrictions. This issue does not affect current Iceape, but might occur with additional extensions installed. (MFSA 2008-32) Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code. (MFSA 2008-33) Billy Rios discovered that passing an URL containing a pipe symbol to Iceape can lead to Chrome privilege escalation. (MFSA 2008-35) "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38) "moz_bug_r_a4" discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. (MFSA 2008-39) Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. (MFSA 2008-40) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. (MFSA 2008-41) Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. (MFSA 2008-43) Boris Zbarsky discovered that resource: URLs allow directory traversal when using URL-encoded slashes. (MFSA 2008-44) Georgi Guninski discovered that resource: URLs could bypass local access restrictions. (MFSA 2008-44) Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory. (MFSA 2008-45) It was discovered that a buffer overflow could be triggered via a long header in a news article, which could lead to arbitrary code execution. (MFSA 2008-46) Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. (MFSA 2008-48) It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. (MFSA 2008-49) Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. (MFSA 2008-50) It was discovered that crashes in the layout engine could lead to arbitrary code execution. (MFSA 2008-52) Justin Schuh discovered that a buffer overflow in http-index-format parser could lead to arbitrary code execution. (MFSA 2008-54) It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. (MFSA 2008-55) "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. (MFSA 2008-56) Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. (MFSA 2008-58) Liu Die Yu discovered an information leak through local shortcut files. (MFSA 2008-59) Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gnatsweb r0t discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitize the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or JavaScript code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 proftpd-dfsg Maksymilian Arciemowicz of securityreason.com reported that ProFTPD is vulnerable to cross-site request forgery (CSRF) attacks and executes arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openssl Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since that date propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though. A detector for known weak key material will be published at: http://security.debian.org/project/extra/dowkd/dowkd.pl.gz (OpenPGP signature) Instructions how to implement key rollover for various packages will be published at: http://www.debian.org/security/key-rollover/ This web site will be continuously updated to reflect new and updated instructions on key rollovers for packages using SSL certificates. Popular packages not affected will also be listed. In addition to this critical change, two other vulnerabilities have been fixed in the openssl package which were originally scheduled for release with the next etch point release: OpenSSL's DTLS (Datagram TLS, basically SSL over UDP) implementation did not actually implement the DTLS specification, but a potentially much weaker protocol, and contained a vulnerability permitting arbitrary code execution (CVE-2007-4995). A side channel attack in the integer multiplication routines is also addressed (CVE-2007-3108). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David Keeler and Boris Zbarsky reported crashes in layout engine, which might allow the execution of arbitrary code. Carsten Book reported a crash in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman and Sid Stamm discovered spoofing vulnerability in the file download dialog. Gregory Fleischer discovered a bypass of the same-origin policy using the document.getSelection() function. "moz_bug_r_a4" discovered a privilege escalation to Chrome status in the XPCOM utility XPCVariant::VariantDataToJS. "regenrecht" discovered a buffer overflow in the GIF parser, which might lead to the execution of arbitrary code. Marco C. discovered that a programming error in the proxy auto configuration code might lead to denial of service or the execution of arbitrary code. Jeremy Brown discovered that the filename of a downloaded file which is opened by the user is predictable, which might lead to tricking the user into a malicious file if the attacker has local access to the system. Paul Stone discovered that history information from web forms could be stolen. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 lighttpd It was discovered that lighttpd, a fast webserver with minimal memory footprint, didn't correctly handle SSL errors. This could allow a remote attacker to disconnect all active SSL connections. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 bugzilla Max Kanat-Alexander, Bradley Baetz, and Fr?Šd?Šric Buclin discovered an SQL injection vulnerability in the Bug.create WebService function in Bugzilla, a web-based bug tracking system, which allows remote attackers to execute arbitrary SQL commands. The oldstable distribution (etch) isn't affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 A vulnerability has been discovered in the Linux kernel that may lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problem: Alexander Viro discovered a race condition in the fcntl code that may permit local users on multi-processor systems to execute parallel code paths that are otherwise prohibited and gain re-ordered access to the descriptor table. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 rsync Sebastian Krahmer discovered that an integer overflow in rsync"s code for handling extended attributes may lead to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 moodle Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution. Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276). Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023). Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755). SQL injection issue in the hotpot module (MSA-08-0010). An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gnutls13 Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine. (CVE-2008-4989) In addition, this update tightens the checks for X.509v1 certificates which causes GNUTLS to reject certain certificate chains it accepted before. (In certificate chain processing, GNUTLS does not recognize X.509v1 certificates as valid unless explicitly requested by the application.) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6.24 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp"N" device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service (kernel oops) by causing a dentry value to go negative. Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the "amd64" kernel do not properly sanitize registers for 32-bit processes. Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. Eric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. CVE-2009-3238 Linus Torvalds provided a change to the get_random_int() function to increase its randomness. Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. Jiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames. Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128 graphics adapters. Local users may be able to exploit this vulnerability to cause a denial of service (NULL pointer dereference). Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mediawiki1.7 Several vulnerabilities have been discovered in mediawiki1.7, a website engine for collaborative work. The Common Vulnerabilities and Exposures project identifies the following problems: David Remahl discovered that mediawiki1.7 is prone to a cross-site scripting attack. David Remahl discovered that mediawiki1.7, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. David Remahl discovered that mediawiki1.7 is prone to a cross-site request forgery vulnerability in the Special:Import feature. It was discovered that mediawiki1.7 is prone to a cross-site scripting attack in the web-based installer. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ruby1.8 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems: Keita Yamaguchi discovered that several safe level restrictions are insufficiently enforced. Christian Neukirchen discovered that the WebRick module uses inefficient algorithms for HTTP header splitting, resulting in denial of service through resource exhaustion. It was discovered that the dl module doesn't perform taintness checks. Luka Treiber and Mitja Kolsek discovered that recursively nested XML entities can lead to denial of service through resource exhaustion in rexml. Tanaka Akira discovered that the resolv module uses sequential transaction IDs and a fixed source port for DNS queries, which makes it more vulnerable to DNS spoofing attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libcdaudio It was discovered that a heap overflow in the CDDB retrieval code of libcdaudio, a library for controlling a CD-ROM when playing audio CDs, may result in the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libimager-perl It was discovered that libimager-perl, a Perl extension for generating 24-bit images, did not correctly handle 8-bit compressed images, which could allow the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xml-security-c It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 pdns Brian Dowling discovered that the PowerDNS authoritative name server does not respond to DNS queries which contain certain characters, increasing the risk of successful DNS spoofing (CVE-2008-3337). This update changes PowerDNS to respond with SERVFAIL responses instead. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 bind9 It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 elinks Jakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ikiwiki It has been discovered that ikiwiki, a Wiki implementation, does not guard password and content changes against cross-site request forgery (CSRF) attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 enscript Several vulnerabilities have been discovered in Enscript, a converter from ASCII text to Postscript, HTML or RTF. The Common Vulnerabilities and Exposures project identifies the following problems: Ulf Harnhammer discovered that a buffer overflow may lead to the execution of arbitrary code. Kees Cook and Tomas Hoger discovered that several buffer overflows may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 phpmyadmin Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user. See README.Debian for details on how to enable the setup.php script if and when you need it. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ruby1.9 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Joe Jin reported a local denial of service vulnerability that allows system users to trigger an oops due to an improperly initialized data structure. Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dnsmasq Several remote vulnerabilities have been discovered in the TFTP component of dnsmasq. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in TFTP processing may enable arbitrary code execution to attackers which are permitted to use the TFTP service. Malicious TFTP clients may crash dnsmasq, leading to denial of service. The old stable distribution is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 evolution Ulf Haumlrnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libwmf Tavis Ormandy discovered that the embedded GD library copy in libwmf, a library to parse windows metafiles (WMF), makes use of a pointer after it was already freed. An attacker using a crafted WMF file can cause a denial of service or possibly the execute arbitrary code via applications using this library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mysql-dfsg-5.0 Sergei Golubchik discovered that MySQL, a widely-deployed database server, did not properly validate optional data or index directory paths given in a CREATE TABLE statement, nor would it (under proper conditions) prevent two databases from using the same paths for data or index files. This permits an authenticated user with authorization to create tables in one database to read, write or delete data from tables subsequently created in other databases, regardless of other GRANT authorizations. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2079. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 moodle Christian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn't check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn't affect installations that only use the mimetex environment. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 twiki It was discovered that twiki, a web based collaboration platform, didn't properly sanitize the image parameter in its configuration script. This could allow remote users to execute arbitrary commands upon the system, or read any files which were readable by the webserver user. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 speex It was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 smarty Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wget Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. It was discovered that malformed content declarations of saved attachments could prevent a user from opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dbus It was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 strongswan Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-dfsg-5.0 In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities in the dispatch_command() function in libmysqld/sql_parse.cc in mysqld allow remote authenticated users to cause a denial of service (daemon crash) and potentially the execution of arbitrary code via format string specifiers in a database name in a COM_CREATE_DB or COM_DROP_DB request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libsndfile Alan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python2.4 Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: David Remahl discovered several integer overflows in the stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, and mmapmodule modules. Justin Ferguson discovered that incorrect memory allocation in the unicode_resize() function can lead to buffer overflows. Several integer overflows were discovered in various Python core modules. Several integer overflows were discovered in the PyOS_vsnprintf() function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xterm Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openldap openldap2.3 It was discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, when OpenSSL is used, does not properly handle a "\0" character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer. Note that after installing these updates, you will need to restart any packages using xulrunner, typically iceweasel or epiphany. As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 lighttpd Julien Cayzac discovered that under certain circumstances lighttpd, a fast webserver with minimal memory footprint, might allow the reading of arbitrary files from the system. This problem could only occur with a non-standard configuration. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Several vulnerabilities have been discovered in samba, an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with other operating systems and more. The Common Vulnerabilities and Exposures project identifies the following problems: The mount.cifs utility is missing proper checks for file permissions when used in verbose mode. This allows local users to partly disclose the content of arbitrary files by specifying the file as credentials file and attempting to mount a samba share. A reply to an oplock break notification which samba doesn't expect could lead to the service getting stuck in an infinite loop. An attacker can use this to perform denial of service attacks via a specially crafted SMB request. A lack of error handling in case no home directory was configured/specified for the user could lead to file disclosure. In case the automated [homes] share is enabled or an explicit share is created with that username, samba fails to enforce sharing restrictions which results in an attacker being able to access the file system from the root directory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 php-xajax It was discovered that php-xajax, a library to develop Ajax applications, did not sufficiently sanitise URLs, which allows attackers to perform cross-site scripting attacks by using malicious URLs. For the stable distribution (etch) this problem has been fixed in version 0.2.4-2+etch1. For the testing (lenny) and unstable (sid) distributions this problem has been fixed in version 0.2.5-1. We recommend that you upgrade your php-xajax package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 exiv2 Meder Kydyraliev discovered an integer overflow in the thumbnail handling of libexif, the EXIF/IPTC metadata manipulation library, which could result in the execution of arbitrary code. The old stable distribution (sarge) doesn't contain exiv2 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wml Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to a local denial of service by overwriting files. The old stable distribution (sarge) is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 moin Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: A cross-site-scripting vulnerability has been discovered in attachment handling. Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. A cross-site-scripting vulnerability has been discovered in the login code. A cross-site-scripting vulnerability has been discovered in attachment handling. A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. The macro code validates access control lists insufficiently, which could lead to information disclosure. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php5 Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems: The following issues have been fixed in both the stable (lenny) and the oldstable (etch) distributions: CVE-2009-2687, CVE-2009-3292. The exif module did not properly handle malformed jpeg files, allowing an attacker to cause a segfault, resulting in a denial of service. The php_openssl_apply_verification_policy() function did not properly perform certificate validation. Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/ form-data requests, causing the creation of a large number of temporary files. To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request. The default value for this new option is 50. See NEWS.Debian for more information. The following issue has been fixed in the stable (lenny) distribution: A flaw in the ini_restore() function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data. In the oldstable (etch) distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1 (bug #527560). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 php5 Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter. Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier. Stack-based buffer overflow in the FastCGI SAPI. The escapeshellcmd API function could be attacked via incomplete multibyte chars. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gnutls13 Several remote vulnerabilities have been discovered in GNUTLS, an implementation of the SSL/TLS protocol suite. NOTE: The libgnutls13 package, which provides the GNUTLS library, does not contain logic to automatically restart potentially affected services. You must restart affected services manually (mainly Exim, using /etc/init.d/exim4 restart) after applying the update, to make the changes fully effective. Alternatively, you can reboot the system. The Common Vulnerabilities and Exposures project identifies the following problems: A pre-authentication heap overflow involving oversized session resumption data may lead to arbitrary code execution. Repeated client hellos may result in a pre-authentication denial of service condition due to a null pointer dereference. Decoding cipher padding with an invalid record length may cause GNUTLS to read memory beyond the end of the received record, leading to a pre-authentication denial of service condition. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 pcre3 It was discovered that specially crafted regular expressions involving codepoints greater than 255 could cause a buffer overflow in the PCRE library (CVE-2008-0674). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 nagios2 Several vulnerabilities have been found in nagios2, a host/service/network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: Several cross-site scripting issues via several parameters were discovered in the CGI scripts, allowing attackers to inject arbitrary HTML code. In order to cover the different attack vectors, these issues have been assigned CVE-2008-1360. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 amarok Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600). In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163). The old stable distribution (sarge) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 openafs A race condition in the OpenAFS fileserver allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock. For the old stable distribution (sarge), this problem has been fixed in version 1.3.81-3sarge3. For the stable distribution (etch), this problem has been fixed in version 1.4.2-6etch1. We recommend that you upgrade your openafs packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 moin It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks when renaming attachements or performing other sub-actions. The oldstable distribution (etch) is not vulnerable. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cyrus-imapd-2.2 kolab-cyrus-imapd It was discovered that the SIEVE component of cyrus-imapd and kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. The update introduced by DSA 1881-1 was incomplete and the issue has been given an additional CVE id due to its complexity. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 clamav Several denial-of-service vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Insufficient checking for out-of-memory conditions results in null pointer dereferences (CVE-2008-3912). Incorrect error handling logic leads to memory leaks (CVE-2008-3913) and file descriptor leaks (CVE-2008-3914). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-dfsg-5.0 Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. The Common Vulnerabilities and Exposures project identifies the following two problems: Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (etch), but not the stable distribution (lenny). Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, "mysql --html ..."). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a web site. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 avahi Two denial of service conditions were discovered in avahi, a Multicast DNS implementation. Huge Dias discovered that the avahi daemon aborts with an assert error if it encounters a UDP packet with source port 0 (CVE-2008-5081). It was discovered that the avahi daemon aborts with an assert error if it receives an empty TXT record over D-Bus (CVE-2007-3372). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 fail2ban Daniel B. Cid discovered that fail2ban, a tool to block IP addresses that cause login failures, is too liberal about parsing SSH log files, allowing an attacker to block any IP address. The old stable distribution (sarge) doesn't contain fail2ban. For the stable distribution (etch), this problem has been fixed in version 0.7.5-2etch1. For the unstable distribution (sid), this problem has been fixed in version 0.8.0-4. We recommend that you upgrade your fail2ban package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 qemu Several vulnerabilities have been discovered in the QEMU processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems: Ian Jackson discovered that range checks of file operations on emulated disk devices were insufficiently enforced. It was discovered that an error in the format auto detection of removable media could lead to the disclosure of files in the host system. A buffer overflow has been found in the emulation of the Cirrus graphics adaptor. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Several issues in the browser engine have been discovered, which can result in the execution of arbitrary code. (MFSA 2009-24) It is possible to execute arbitrary code via vectors involving "double frame construction." (MFSA 2009-24) Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript engine, which could lead to the execution of arbitrary code. (MFSA 2009-24) Pavel Cvrcek discovered a potential issue leading to a spoofing attack on the location bar related to certain invalid unicode characters. (MFSA 2009-25) Gregory Fleischer discovered that it is possible to read arbitrary cookies via a crafted HTML document. (MFSA 2009-26) Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy due to insufficient checks on a certain proxy response. (MFSA 2009-27) Jakob Balle and Carsten Eiram reported a race condition in the NPObjWrapper_NewResolve function that can be used to execute arbitrary code. (MFSA 2009-28) moz_bug_r_a4 discovered that it is possible to execute arbitrary JavaScript with chrome privileges due to an error in the garbage-collection implementation. (MFSA 2009-29) Adam Barth and Collin Jackson reported a potential privilege escalation when loading a file::resource via the location bar. (MFSA 2009-30) Wladimir Palant discovered that it is possible to bypass access restrictions due to a lack of content policy check, when loading a script file into a XUL document. (MFSA 2009-31) moz_bug_r_a4 reported that it is possible for scripts from page content to run with elevated privileges and thus potentially executing arbitrary code with the object's chrome privileges. (MFSA 2009-32) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ruby1.8 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mapserver Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems: Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages. A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages. Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn't affect installations on Linux as the fopen() syscall will fail in case a sub path is not readable. It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters. An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values. An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceape Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 git-core It was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdegraphics kpdf, a Portable Document Format (PDF) viewer for KDE, is based on the xpdf program and thus suffers from similar flaws to those described in DSA-1790. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in kpdf has unspecified impact related to "g*allocn." The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in kpdf allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. The old stable distribution (etch), these problems have been fixed in version 3.5.5-3etch3. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openexr Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered integer overflows in the preview and compression code. Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. A buffer overflow was discovered in the compression code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ikiwiki Josh Triplett discovered that the blacklist for potentially harmful TeX code of the teximg module of the Ikiwiki wiki compiler was incomplete, resulting in information disclosure. The old stable distribution (etch) is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 koffice Several vulnerabilities have been discovered in xpdf code that is embedded in koffice, an integrated office suite for KDE. These flaws could allow an attacker to execute arbitrary code by inducing the user to import a specially crafted PDF document. The Common Vulnerabilities and Exposures project identifies the following problems: Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow. Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. Updates for the old stable distribution (sarge) will be made available as soon as possible. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Multiple vulnerabilities have been discovered in drupal, a web content management system. The Common Vulnerabilities and Exposures project identifies the following problems: pod.Edge discovered a cross-site scripting vulnerability due that can be triggered when some browsers interpret UTF-8 strings as UTF-7 if they appear before the generated HTML document defines its Content-Type. This allows a malicious user to execute arbitrary javascript in the context of the web site if they're allowed to post content. Moritz Naumann discovered an information disclosure vulnerability. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a cross-site request forgery attack against the submitted form. The old stable distribution (etch) does not contain drupal and is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 request-tracker3.4 request-tracker3.6 Mikal Gule discovered that request-tracker, an extensible trouble-ticket tracking system, is prone to an attack, where an attacker with access to the same domain can hijack a user's RT session. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 horde3 It was discovered that the Horde web application framework permits arbitrary file inclusion by a remote attacker through the theme preference parameter. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ruby1.8 ruby1.9 Several vulnerabilities have been discovered in Ruby. The Common Vulnerabilities and Exposures project identifies the following problems: The return value from the OCSP_basic_verify function was not checked properly, allowing continued use of a revoked certificate. An issue in parsing BigDecimal numbers can result in a denial-of-service condition (crash). The following matrix identifies fixed versions: We recommend that you upgrade your Ruby packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mplayer It was discovered that the MPlayer movie player performs insufficient input sanitising on SDP session data, leading to potential execution of arbitrary code through a malformed multimedia stream. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 loop-aes-utils It was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 nagios-plugins Several local/remote vulnerabilities have been discovered in two of the plugins for the Nagios network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow has been discovered in the parser for HTTP Location headers (present in the check_http module). A buffer overflow has been discovered in the check_snmp module. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 apt-listchanges Felipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitrary shell commands if the root user executed the command in a directory which other local users may write to. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gforge Joseacute Ramoacuten Palanco discovered that a cross site scripting vulnerability in GForge, a collaborative development tool, allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user's session. The old stable distribution (sarge) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 wordpress Several remote vulnerabilities have been discovered in WordPress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: Insufficient input sanitising allowed for remote attackers to redirect visitors to external websites. Multiple cross-site scripting vulnerabilities allowed remote authenticated administrators to inject arbitrary web script or HTML. SQL injection vulnerability allowed allowed remote authenticated administrators to execute arbitrary SQL commands. WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. Insufficient input sanitising caused an attacker with a normal user account to access the administrative interface. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 postgresql-8.1 Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at http://www.postgresql.org/about/news.905. The old stable distribution (sarge), doesn't contain postgresql-8.1. For the stable distribution (etch), these problems have been fixed in version postgresql-8.1 8.1.11-0etch1. For the unstable distribution (sid), these problems have been fixed in version 8.2.6-1 of postgresql-8.2. We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ffmpeg-debian Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that using a crafted STR file can lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libgd2 Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: Grayscale PNG files containing invalid tRNS chunk CRC values could cause a denial of service (crash), if a maliciously crafted image is loaded into an application using libgd. An array indexing error in libgd's GIF handling could induce a denial of service (crash with heap corruption) if exceptionally large color index values are supplied in a maliciously crafted GIF image file. The imagearc() and imagefilledarc() routines in libgd allow an attacker in control of the parameters used to specify the degrees of arc for those drawing functions to perform a denial of service attack (excessive CPU consumption). Multiple integer overflows exist in libgd's image resizing and creation routines; these weaknesses allow an attacker in control of the parameters passed to those routines to induce a crash or execute arbitrary code with the privileges of the user running an application or interpreter linked against libgd2. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 typo3 Several remote vulnerabilities have been discovered in the TYPO3 content management framework. Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed to execute arbitrary code as the webserver user. User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake Kaplan disocvered several issues in the browser engine that could potentially lead to the execution of arbitrary code. (MFSA 2009-34) monarch2020 reported an integer overflow in a base64 decoding function. (MFSA 2009-34) Christophe Charron reported a possibly exploitable crash occuring when multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34) Yongqian Li reported that an unsafe memory condition could be created by specially crafted document. (MFSA 2009-34) Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book discovered several issues in the JavaScript engine that could possibly lead to the execution of arbitrary JavaScript. (MFSA 2009-34) Attila Suszter discovered an issue related to a specially crafted Flash object, which could be used to run arbitrary code. (MFSA 2009-35) PenPal discovered that it is possible to execute arbitrary code via a specially crafted SVG element. (MFSA 2009-37) Blake Kaplan discovered a flaw in the JavaScript engine that might allow an attacker to execute arbitrary JavaScript with chrome privileges. (MFSA 2009-39) moz_bug_r_a4 discovered an issue in the JavaScript engine that could be used to perform cross-site scripting attacks. (MFSA 2009-40) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 vlc Luigi Auriemma, Alin Rad Pop, Reacute mi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems: A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file. A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code. Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened. Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played. Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream. Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened. An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 postgresql-7.4 postgresql-8.1 postgresql-8.3 postgresql-8.4 Several vulnerabilities have been discovered in PostgreSQL, an SQL database system. The Common Vulnerabilities and Exposures project identifies the following problems: Authenticated users can shut down the backend server by re-LOAD-ing libraries in $libdir/plugins, if any libraries are present there. (The old stable distribution (etch) is not affected by this issue.) Authenticated non-superusers can gain database superuser privileges if they can create functions and tables due to incorrect execution of functions in functional indexes. If PostgreSQL is configured with LDAP authentication, and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password. (The old stable distribution (etch) is not affected by this issue.) In addition, this update contains reliability improvements which do not target security issues. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 squid3 It was discovered that squid3, a high-performance proxy caching server for web clients, is prone to several denial of service attacks. Due to incorrect bounds checking and insufficient validation while processing response and request data an attacker is able to crash the squid daemon via crafted requests or responses. The squid package in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libapache-mod-jk An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 tcpreen It was discovered that several buffer overflows in tcpreen, a tool for monitoring a TCP connection, may lead to denial of service. The old stable distribution (sarge) doesn't contain tcpreen. For the stable distribution (etch), this problem has been fixed in version 1.4.3-0.1etch1. For the unstable distribution (sid), this problem has been fixed in version 1.4.3-0.3. We recommend that you upgrade your tcpreen package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 bind9 It was discovered that the BIND DNS server terminates when processing a specially crafted dynamic DNS update. This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 postfix Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. Note that only specific configurations are vulnerable; the default Debian installation is not affected. Only a configuration meeting the following requirements is vulnerable: For a detailed treating of the issue, please refer to the upstream author's announcement. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 gforge It was discovered that GForge, a collaborative development tool, insufficiently sanitises some input allowing a remote attacker to perform SQL injection. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder is prone to several cross-site scripting attacks, which allow an attacker to inject arbitrary HTML or script code and steal potential sensitive data from other users. The oldstable distribution (etch) does not contain mahara. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ghostscript Two security issues have been discovered in ghostscript, the GPL Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Lieskovsky discovered multiple integer overflows in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. Jan Lieskovsky discovered insufficient upper-bounds checks on certain variable sizes in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 tk8.4 It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mysql-dfsg-5.0 Several local/remote vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the privilege validation for the source table of CREATE TABLE LIKE statements was insufficiently enforced, which might lead to information disclosure. This is only exploitable by authenticated users. It was discovered that symbolic links were handled insecurely during the creation of tables with DATA DIRECTORY or INDEX DIRECTORY statements, which might lead to denial of service by overwriting data. This is only exploitable by authenticated users. It was discovered that queries to data in a FEDERATED table can lead to a crash of the local database server, if the remote server returns information with less columns than expected, resulting in denial of service. The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0. For the stable distribution (etch), these problems have been fixed in version 5.0.32-7etch4. For the unstable distribution (sid), these problems have been fixed in version 5.0.51-1. We recommend that you upgrade your mysql-dfsg-5.0 packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 yarssr Duncan Gilmore discovered that yarssr, an RSS aggregator and reader, performs insufficient input sanitising, which could result in the execution of arbitrary shell commands if a malformed feed is read. Due to a technical limitation of the archive management scripts, the fix for the old stable distribution (sarge) needs to be postponed by a few days. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 vnc4 It was discovered that xvnc4viewer, a virtual network computing client software for X, is prone to an integer overflow via a malicious encoding value that could lead to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxml2 Several vulnerabilities have been discovered in the GNOME XML library. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that missing input sanitising in the xmlBufferResize() function may lead to an infinite loop, resulting in denial of service. Drew Yao discovered that an integer overflow in the xmlSAX2Characters() function may lead to denial of service or the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libspf2 Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (CVE-2008-2469). Note that the SPF configuration template in Debian's Exim configuration recommends to use libmail-spf-query-perl, which does not suffer from this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 shadow Paul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 perl Paul Szabo rediscovered a vulnerability in the File::Path::rmtree function of Perl. It was possible to exploit a race condition to create setuid binaries in a directory tree or remove arbitrary files when a process is deleting this tree. This issue was originally known as CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 rt2570 It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2570-source/README.Debian SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation, or information leak. The Common Vulnerabilities and Exposures project identifies the following problems: Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG() due to a race condition in the do_setlk function. Helge Deller discovered a denial of service condition that allows local users on PA-RISC to crash the system by attempting to unwind a stack containing userspace addresses. Vlad Malov reported an issue on 64-bit MIPS where a local user could cause a system crash by crafting a malicious binary which makes o32 syscalls with a number less than 4000. Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. Flavio Leitner discovered that a local user can cause a denial of service by generating large amounts of traffic on a large SMP system, resulting in soft lockups. Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all available kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Shaohua Li reported an issue in the AGP subsystem that may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. Trond Myklebust reported an issue in the encode_lookup() function in the nfs server subsystem that allows local users to cause a denial of service (oops in encode_lookup()) by use of a long filename. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 exiftags Christian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images. The Common Vulnerabilities and Exposures project identified the following three problems: Inadequate EXIF property validation could lead to invalid memory accesses if executed on a maliciously crafted image, potentially including heap corruption and the execution of arbitrary code. Flawed data validation could lead to integer overflows, causing other invalid memory accesses, also with the potential for memory corruption or arbitrary code execution. Cyclical EXIF image file directory (IFD) references could cause a denial of service (infinite loop). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 alsaplayer Erik Sjoumllund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously crafted Vorbis file could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 sdl-image1.2 Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2. The Common Vulnerabilities and Exposures project identifies the following problems: Gynvael Coldwind discovered a buffer overflow in GIF image parsing, which could result in denial of service and potentially the execution of arbitrary code. It was discovered that a buffer overflow in IFF ILBM image parsing could result in denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 clamav Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: Damian Put discovered that a buffer overflow in the handler for PeSpin binaries may lead to the execution of arbitrary code. Alin Rad Pop discovered that a buffer overflow in the handler for Upack PE binaries may lead to the execution of arbitrary code. Damian Put and Thomas Pollet discovered that a buffer overflow in the handler for WWPack-compressed PE binaries may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 smarty It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 gs-esp gs-gpl Chris Evans discovered a buffer overflow in the color space handling code of the Ghostscript PostScript/PDF interpreter, which might result in the execution of arbitrary code if a user is tricked into processing a malformed file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 weechat Sebastien Helleu discovered that an error in the handling of color codes in the weechat IRC client could cause an out-of-bounds read of an internal color array. This can be used by an attacker to crash user clients via a crafted PRIVMSG command. The weechat version in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 systemtap Erik Sjoelund discovered that a race condition in the stap tool shipped by Systemtap, an instrumentation system for Linux 2.6, allows local privilege escalation for members of the stapusr group. The old stable distribution (etch) isn't affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 flac Sean de Regge and Greg Linares discovered multiple heap and stack based buffer overflows in FLAC, the Free Lossless Audio Codec, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered crashes in the layout engine, which might allow the execution of arbitrary code. Daniel Holbert, Jesse Ruderman, Olli Pettay and "toshi" discovered crashes in the layout engine, which might allow the execution of arbitrary code. Josh Soref, Jesse Ruderman and Martin Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered a crash in the Javascript engine, which might allow the execution of arbitrary code. Carsten Book and "Taral" discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered that the user interface for installing/ removing PCKS #11 securiy modules wasn't informative enough, which might allow social engineering attacks. It was discovered that incorrect pointer handling in the XUL parser could lead to the execution of arbitrary code. Juan Pablo Lopez Yacubian discovered that incorrent rendering of some Unicode font characters could lead to spoofing attacks on the location bar. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 libxslt Chris Evans discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 rails Brian Mastenbrook discovered that rails, the MVC ruby based framework geared for web application development, is prone to cross-site scripting attacks via malformed strings in the form helper. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvm Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Webb discovered an off-by-one bug limiting KVM's VNC passwords to 7 characters. This flaw might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. It was discovered that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. The oldstable distribution (etch) does not contain kvm. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 xine-lib Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content. The Common Vulnerabilities and Exposures project identifies the following problems: The DMO_VideoDecoder_Open function does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code (applies to sarge only). Array index error in the sdpplin_parse function allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter. Array index vulnerability in libmpdemux/demux_audio.c might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow (applies to etch only). Buffer overflow in the Matroska demuxer allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 xine-lib Luigi Auriemma discovered that the Xine media player library performed insufficient input sanitising during the handling of RTSP streams, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 python-dns Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447 and this specific instance in PyDNS as CVE-2008-4099. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xapian-omega It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 pcre3 Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed. "moz_bug_r_a4" discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser. Boris Zbarsky discovered that resource: URls allow directory traversal when using URL-encoded slashes. Georgi Guninski discovered that resource: URLs could bypass local access restrictions. Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory. Liu Die Yu discovered an information leak through local shortcut files. Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. It was discovered that crashes in the layout engine could lead to arbitrary code execution. It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. Justin Schuh discovered that a buffer overflow in http-index-format parser could lead to arbitrary code execution. It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. Collin Jackson discovered that the -moz-binding property bypasses security checks on codebase principals. Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 openssl openssl097 It was discovered that OpenSSL does not properly verify DSA signatures on X.509 certificates due to an API misuse, potentially leading to the acceptance of incorrect X.509 certificates as genuine (CVE-2008-5077). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 cacti It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 scponly Joachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned CVE-2007-6350. In addition, it was discovered that it was possible to invoke scp with certain options that may lead to the execution of arbitrary commands (CVE-2007-6415). This update removes Subversion, rsync and Unison support from the scponly package, and prevents scp from being invoked with the dangerous options. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 rt2500 It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2500-source/README.Debian SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 phppgadmin Several remote vulnerabilities have been discovered in phpPgAdmin, a tool to administrate PostgreSQL database over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via the server parameter. Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via PHP_SELF. Directory traversal vulnerability allows remote attackers to read arbitrary files via _language parameter. For the stable distribution (etch), these problems have been fixed in version 4.0.1-3.1etch2. For the unstable distribution (sid), these problems have been fixed in version 4.2.1-1.1. We recommend that you upgrade your phppgadmin package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xpdf Several vulnerabilities have been identified in xpdf, a suite of tools for viewing and converting Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to "g*allocn." The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 serendipity Peter Huumlwe and Hanno Bouml ck discovered that Serendipity, a weblog manager, did not properly sanitise input to several scripts which allowed cross site scripting. The old stable distribution (sarge) does not contain a serendipity package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 typo3-src Several remote vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: The Backend subcomponent allows remote authenticated users to determine an encryption key via crafted input to a form field. Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent allow remote authenticated users to inject arbitrary web script or HTML. The Backend subcomponent allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters. The Backend subcomponent, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent allows remote authenticated users to execute arbitrary SQL commands. Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script. Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent allows remote attackers to inject arbitrary web script or HTML. The Install Tool subcomponent allows remote attackers to gain access by using only the password's md5 hash as a credential. Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent allows remote attackers to inject arbitrary web script or HTML. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 git-core It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality (CVE-2008-5916). Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server (CVE-2008-5516, CVE-2008-5517). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 ikiwiki Josh Triplett discovered that ikiwiki did not block Javascript in URLs, leading to cross-site scripting vulnerabilities (CVE-2008-0808, CVE-2008-0809). The old stable distribution (sarge) did not contain an ikiwiki package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openafs Two vulnerabilities were discovered in the client part of OpenAFS, a distributed file system. An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding. An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. Note that in order to apply this security update, you must rebuild the OpenAFS kernel module. Be sure to also upgrade openafs-modules-source, build a new kernel module for your system following the instructions in /usr/share/doc/openafs-client/README.modules.gz, and then either stop and restart openafs-client or reboot the system to reload the kernel module. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 proftpd-dfsg It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 kdelibs Dan Kaminsky and Moxie Marlinspike discovered that kdelibs, core libraries from the official KDE release, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 curl David Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect. This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nginx Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process (www-data on Debian) or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 backup-manager Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 refpolicy In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard "domain" port (53). The incompatibility affects both the "targeted" and "strict" policy packages supplied by this version of refpolicy. This update to the refpolicy packages grants the ability to bind to arbitrary UDP ports to named_t processes. When installed, the updated packages will attempt to update the bind policy module on systems where it had been previously loaded and where the previous version of refpolicy was 0.0.20061018-5 or below. Because the Debian refpolicy packages are not yet designed with policy module upgradeability in mind, and because SELinux-enabled Debian systems often have some degree of site-specific policy customization, it is difficult to assure that the new bind policy can be successfully upgraded. To this end, the package upgrade will not abort if the bind policy update fails. The new policy module can be found at /usr/share/selinux/refpolicy-targeted/bind.pp after installation. Administrators wishing to use the bind service policy can reconcile any policy incompatibilities and install the upgrade manually thereafter. A more detailed discussion of the corrective procedure may be found on http://wiki.debian.org/SELinux/Issues/BindPortRandomization. For the stable distribution (etch), this problem has been fixed in version 0.0.20061018-5.1+etch1. The unstable distribution (sid) is not affected, as subsequent refpolicy releases have incorporated an analogous change. We recommend that you upgrade your refpolicy packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pulseaudio Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon does not drop privileges before re-executing itself, enabling local attackers to increase their privileges. The old stable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. moz_bug_r_a4 discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed. moz_bug_r_a4 discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. moz_bug_r_a4 discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. moz_bug_r_a4 discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. Olli Pettay and moz_bug_r_a4 discovered a Chrome privilege escalation vulnerability in XSLT handling. Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser. Boris Zbarsky discovered that resource: URLs allow directory traversal when using URL-encoded slashes. Georgi Guninski discovered that resource: URLs could bypass local access restrictions. Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 linux-2.6 Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an "amd64" flavor kernel. Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. Bill Roman of Datalight noticed a coding error in the linux VFS subsystem that, under certain conditions, can allow local users to remove directories for which they should not have removal privileges. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-17etch1. We recommend that you upgrade your kernel packages immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Notice: Debian 5.0.4, the next point release of Debian "lenny", will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as "NULL pointer dereference" vulnerabilities, but it will need to be overridden when using certain applications. Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: http://wiki.debian.org/mmap_min_addr. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. Linus Torvalds provided a change to the get_random_int() function to increase its randomness. Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. Jiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128 graphics adapters. Local users may be able to exploit this vulnerability to cause a denial of service (NULL pointer dereference). Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang). David Wagner reported an overflow in the KVM subsystem on i386 systems. This issue is exploitable by local users with access to the /dev/kvm device file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Notice: Debian 5.0.4, the next point release of Debian "lenny", will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as "NULL pointer dereference" vulnerabilities, but it will need to be overridden when using certain applications. Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: http://wiki.debian.org/mmap_min_addr. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eric Paris provided several fixes to increase the protection provided by the mmap_min_addr tunable against NULL pointer dereference vulnerabilities. Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp "N" device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service (kernel oops) by causing a dentry value to go negative. Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the "amd64" kernel do not properly sanitize registers for 32-bit processes. Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. Jan Kiszka noticed that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 postgresql-ocaml It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 znc It was discovered that znc, an IRC proxy, did not properly process certain DCC requests, allowing attackers to upload arbitrary files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 mysql-dfsg-5.0 A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access. The Common Vulnerabilities and Exposures project identifies this vulnerability as CVE-2008-4098. Note that a closely aligned issue, identified as CVE-2008-4097, was prevented by the update announced in DSA-1608-1. This new update supersedes that fix and mitigates both potential attack vectors. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED