The OVAL Repository5.62009-11-20T04:32:16.621-05:00Linux Kernel eflags Checking Privilege Escalation VulnerabilityRed Hat Enterprise Linux 3Linux kernelUnknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRHE3 InstallVersion.compareTo() DoS and Code Execution VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPEAR XML_RPC PHP Code Execution VulnerabilityRed Hat Enterprise Linux 3phpEval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 XBL Script Security Bypass VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox InstallTrigger Callback VulnerabilityRed Hat Enterprise Linux 3mozillaThe InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Javascript Dialog Box SpoofingRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla DOM Node SpoofingRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox External App Code Acceptance VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Fetchmail Buffer Overflow via Long UIDL ResponsesRed Hat Enterprise Linux 3fetchmailBuffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Shared Object Code ExecutionRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Mozilla top.focus() Cross-Site Scripting VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Improper Handling of Synthetic Events in MozillaRed Hat Enterprise Linux 3mozillaThe browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Framed Site Spoofing VulnerabilityRed Hat Enterprise Linux 3mozillaA regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDsudo Symlink VulnerabilityRed Hat Enterprise Linux 3sudoRace condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDIt appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp.bzip2 Arbitrary File Permission Modification VulnerabilityRed Hat Enterprise Linux 3bzip2Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDTelnet Client Information Disclosure VulnerabilityRed Hat Enterprise Linux 3telnetCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip Argument Sanitation VulnerabilityRed Hat Enterprise Linux 3zgrepzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMagick XWD Decoder DoSRed Hat Enterprise Linux 3ImageMagickThe XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDbzip2 Decompression BombRed Hat Enterprise Linux 3bzip2bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGaim DoS via Yahoo! MessageRed Hat Enterprise Linux 3GaimGaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDsysreport Plaintext Password LeakRed Hat Enterprise Linux 3sysreportsysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDcpio Race ConditionRed Hat Enterprise Linux 3cpioRace condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDshtool Race ConditionRed Hat Enterprise Linux 3phpRace condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGaim DoS via Malformed MSN MessageRed Hat Enterprise Linux 3GaimGaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow in libgd2Red Hat Enterprise Linux 3libgdInteger overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel shmctl() Memory Swap VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libgdRed Hat Enterprise Linux 3libgdMultiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libXML2Red Hat Enterprise Linux 3libxml2Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip Hard Link AttackRed Hat Enterprise Linux 3gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel elf_core_dump() Buffer OverflowRed Hat Enterprise Linux 3Linux kernelThe elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDmlock Memory Page Tracking VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip zgrep Sanitation VulnerabilityRed Hat Enterprise Linux 3gzipzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPostgreSQL tsearch2 "internal" Functions VulnerabilityRed Hat Enterprise Linux 3postgresqlThe tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDImageMagick Buffer Overflow in ReadPNMImage()Red Hat Enterprise Linux 3ImageMagickHeap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPostgreSQL Character Conversion VulnerabilityRed Hat Enterprise Linux 3postgresqlPostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDmikmod Long Filename Buffer OverflowRed Hat Enterprise Linux 3mikmodBuffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip Directory Traversal VulnerabilityRed Hat Enterprise Linux 3gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDTrustix Secure Linux der_chop Script Symlink Attack VulnerabilityRed Hat Enterprise Linux 3OpenSSLThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDFreeRADIUS Ascend-Send-Secret Server CrashRed Hat Enterprise Linux 3FreeRADIUSFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPortable Network Graphics Library Offset Calculation VulnerabilityRed Hat Enterprise Linux 3libpngPortable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMultiple Privilege Escalation Vulnerabilities in Linux KernelRed Hat Enterprise Linux 3Linux kernelMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel Denial of Service Vulnerability via fsave and frstor InstructionsRed Hat Enterprise Linux 3Linux kernelLinux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDDenial of Service Vulnerability in Linux Kernel do_fork Function via CLONE_VMRed Hat Enterprise Linux 3Linux kernelThe do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSquirrelMail SQL Injection VulnerabilityRed Hat Enterprise Linux 3SquirrelMailSQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.Jay BealeINTERIMACCEPTEDACCEPTEDSquirrelMail Cross-site Scripting Vulnerability IIRed Hat Enterprise Linux 3SquirrelMailCross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.Jay BealeINTERIMACCEPTEDACCEPTEDSquirrelMail Cross-site Scripting Vulnerability IRed Hat Enterprise Linux 3SquirrelMailMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.Jay BealeINTERIMACCEPTEDACCEPTEDCVS serve_notify Improper Handling of Empty Data LinesRed Hat Enterprise Linux 3CVSserve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.Jay BealeINTERIMACCEPTEDACCEPTEDInteger overflow in the "Max-dotdot" CVS protocol commandRed Hat Enterprise Linux 3CVSInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.Jay BealeINTERIMACCEPTEDACCEPTEDCVS Improper Handling of Malformed Entry LinesRed Hat Enterprise Linux 3CVSCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal MMSE Dissector VulnerabilityRed Hat Enterprise Linux 3Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal SPNEGO Dissector VulnerabilityRed Hat Enterprise Linux 3The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal AIM Dissector VulnerabilityRed Hat Enterprise Linux 3The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal Denial of Service via SIP MessagesRed Hat Enterprise Linux 3Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.Jay BealeINTERIMACCEPTEDACCEPTEDNTLM Authentication BO in Squid Web Proxy CacheRed Hat Enterprise Linux 3Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).Jay BealeINTERIMACCEPTEDACCEPTEDUtempter Directory Traversal VulnerabilityRed Hat Enterprise Linux 3Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple Directory Traversal Vulnerabilities in LHARed Hat Enterprise Linux 3Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").Jay BealeINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in LHA get_header FunctionRed Hat Enterprise Linux 3Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.Jay BealeINTERIMACCEPTEDACCEPTEDtcpdump Identification Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDtcpdump Delete Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDgedit Format String VulnerabilityRed Hat Enterprise Linux 3geditFormat string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.Jay BealeDRAFTINTERIMACCEPTEDBob TowbesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel Real Time Clock Data LeakageRed Hat Enterprise Linux 3Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel R128 DRI Limits Checking VulnerabilityRed Hat Enterprise Linux 3Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel ncp_lookup Function BORed Hat Enterprise Linux 3Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMalicious CVS Server RCS diff File Vulnerability in CVS ClientRed Hat Enterprise Linux 3The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDDirectory Traversal Vulnerability in CVS ServerRed Hat Enterprise Linux 3CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 netpbm File Overwrite VulnerabilityRed Hat Enterprise Linux 3netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Linux Kernel do_mremap Privilege Escalation VulnerabilityRed Hat Enterprise Linux 3mremapThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRedHat Enterprise 3 Code Execution and DoS Vulnerabilities in PWLibRed Hat Enterprise Linux 3PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDSamba mksmboasswd Disabled Account Creation VulnerabilityRed Hat Enterprise Linux 3Samba 3.0.0 and 3.0.1The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDXFree86 Buffer Overflow in dirfileRed Hat Enterprise Linux 3XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDXFree86 Buffer Overflow in CopyISOLatin1Lowered FunctionRed Hat Enterprise Linux 3XFree86Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDXFree86 Improper Handling of Font FilesRed Hat Enterprise Linux 3XFree86Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 gdk-pixbuf Denial of ServiceRed Hat Enterprise Linux 3gdk-pixbufgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Jay BealeINTERIMMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRHE3 tcpdump DoS via ISAKMP PacketsRed Hat Enterprise Linux 3tcpdumptcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 tcpdump Denial of Service via print_attr_string FunctionRed Hat Enterprise Linux 3tcpdumpThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDrpc.mountd Denial of Service via NFS MountRed Hat Enterprise Linux 3nfs-utils packagesrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 sysstat port and trigger Scripts symlink Attack VulnerabilityRed Hat Enterprise Linux 3SysstatThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Multiple stack-based BO Vulnerabilities in ApacheRed Hat Enterprise Linux 3ApacheMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Jay BealeMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 kdepim VCF File Information Reader BORed Hat Enterprise Linux 3KDE Personal Information Management (kdepim)Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.Jay BealeINTERIMMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 CVS Server root Directory Access VulnerabilityRed Hat Enterprise Linux 3CVS serverCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.Jay BealeMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Linux Kernel do_mremap Denial of Service VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.Matt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDNet-SNMP MIB Information Disclosure VulnerabilityRed Hat Enterprise Linux 3Net-SNMPNet-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed.Matt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL do_change_cipher_spec Function Denial of ServiceRed Hat Enterprise Linux 3OpenSSLThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Matt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL Improper Unknown Message Handling VulnerabilityRed Hat Enterprise Linux 3OpenSSLOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.Matt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDXMLSoft Libxml2 Code Execution VulnerabilityRed Hat Enterprise Linux 3libxml2Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Jay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDApache 2 Denial of Service due to Memory Leak in mod_sslRed Hat Enterprise Linux 3httpdMemory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.Jay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in Red Hat Enterprise 3 EtherealRed Hat Enterprise Linux 3Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Jay BealeJay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Ethereal Denial of Service via Malformed RADIUS PacketRed Hat Enterprise Linux 3The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.Jay BealeJay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Ethereal Denial of Service via 0-Length Presentation Protocol SelectorRed Hat Enterprise Linux 3Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.Jay BealeJay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 S/MIME Protocol Denial of Service VulnerabilityRed Hat Enterprise Linux 3Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Mozilla Bypass Cookie Access Restrictions VulnerabilityRed Hat Enterprise Linux 3Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL Kerberos Handshake VulnerabilityRed Hat Enterprise Linux 3OpenSSLThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.Matt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Mozilla Zombie Document VulnerabilityRed Hat Enterprise Linux 3Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDLinux Kernel ip_setsockopt Integer OverflowRed Hat Enterprise Linux 3Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDLinux Kernel ISO9660 File System Component BORed Hat Enterprise Linux 3Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Squid ACL Bypass VulnerabilityRed Hat Enterprise Linux 3The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRacoon IKE Daemon Unauthorized X.509 Certificate Connection VulnerabilityRed Hat Enterprise Linux 3The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDKAME IKE Daemon Improper Hash Value HandlingRed Hat Enterprise Linux 3KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDKonqueror URI Handler "-" Filter VulnerabilityRed Hat Enterprise Linux 3The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDrsync Path Sanitation VulnerabilityRed Hat Enterprise Linux 3rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDCVS pserver BORed Hat Enterprise Linux 3Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDlibpng Malformed PNG Image VulnerabilityRed Hat Enterprise Linux 3The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRacoon Denial of Service via Large Length FieldRed Hat Enterprise Linux 3Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMutliple BO Vulnerabilities in MIT Kerberos 5Red Hat Enterprise Linux 3MIT Kerberos 5 (krb5)Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise Linux 3 Kernel Serial Link Information Disclosure VulnerabilityRed Hat Enterprise Linux 3/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.Jay BealeINTERIMINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Mutt BO in Index MenuRed Hat Enterprise Linux 3MuttBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.Jay BealeACCEPTEDMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRHE3 tcpdump DoS via ISAKMP Packets IIRed Hat Enterprise Linux 3tcpdumpThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.Jay BealeACCEPTEDMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMultiple Format String Vulnerabilities in neon and Dependent ProductsRed Hat Enterprise Linux 3Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.Jay BealeINTERIMACCEPTEDMatthew WojcikMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDgftp Directory Traversal VulnerabilityRed Hat Enterprise Linux 3gftpDirectory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.Jay BealeDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDXMLSoft Libxml2 Code Execution VulnerabilityRed Hat Enterprise Linux 3XMLSoft Libxml2Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDRobert L. HollisDEPRECATEDDEPRECATEDSendmail setjmp longjmp bo (Red Hat Internal)Red Hat Linux 9Red Hat Enterprise Linux 3Red Hat Enterprise Linux 4SendmailSignal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.Robert L. HollisDRAFTINTERIMACCEPTEDVladimir GiszpencINTERIMACCEPTEDSudhir GandheINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is Red Hat Enterprise Linux 3 for x86Red Hat Enterprise Linux 3The operating system installed on the system is Red Hat Enterprise Linux 4 for x86.Sudhir GandheDRAFTINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is Red Hat Enterprise Linux 4 for x86Red Hat Enterprise Linux 4The operating system installed on the system is Red Hat Enterprise Linux 4 for x86.Mark VillanovaDRAFTINTERIMACCEPTEDACCEPTEDCVS error_prog_name Double-free VulnerabilityRed Hat Enterprise Linux 3CVSDouble free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.Multiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.The ImageMagick-* RPMs all require that the main ImageMagick RPM have the same version and release number.For "/tmp is readable by non-root users," use a compound test.The ImageMagick-devel, ImageMagick-c++-devel, and ImageMagick-c++ RPMs all require that the exact same version of the ImageMagick RPM is present. As such, we can test for a vulnerable version of the former alone, rather than testing for the presence of each of these RPMs in particular.