The OVAL Repository 5.9 2012-01-27T05:10:42.403-05:00 Red Hat Enterprise Linux 3 The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processers in a security-relevant fashion that was not addressed by the kernels. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (crash) via a crafted FlateDecode stream that triggers a null dereference. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in the ProcDbeGetVisualInfo function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in LHA 1.14 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to "command line processing," a different vulnerability than CVE-2004-0771. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error) via an invalid protocol tree item length. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer overflow in the WriteProlog function in texttops in CUPS 1.1.17 on Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2008-3640. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3; and Sun StarOffice 6, 7, and 8 Office Suite (StarSuite); allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to replace existing search plugins with malicious ones using sidebar.addSearchEngine and the same filename as the target engine, which may not be displayed in the GUI, which could then be used to execute malicious script, aka "Firesearching 2." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple vulnerabilities in Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Javascript that leads to memory corruption, including (1) nsListControlFrame::FireMenuItemActiveEvent, (2) buffer overflows in the string class in out-of-memory conditions, (3) table row and column groups, (4) "anonymous box selectors outside of UA stylesheets," (5) stale references to "removed nodes," and (6) running the crypto.generateCRMFRequest callback on deleted context. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman before 2.1.9rc1 allows remote attackers to cause a denial of service via unspecified vectors involving "standards-breaking RFC 2231 formatted headers". Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the protection mechanism for codebase principals and execute arbitrary script via the -moz-binding CSS property in a signed JAR file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Header.pm in Net::DNS before 0.60, a Perl module, (1) generates predictable sequence IDs with a fixed increment and (2) can use the same starting ID for all child processes of a forking server, which allows remote attackers to spoof DNS responses, as originally reported for qpsmtp and spamassassin. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a denial of service (crash) by triggering a free of non-allocated memory. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in ImageMagick before 6.2.9 allow user-assisted attackers to execute arbitrary code via crafted XCF images. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Array index error in the gst_qtp_trak_handler function in gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins) 0.6.0 allows remote attackers to have an unknown impact via a crafted QuickTime media file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by "appending to a file from a bad address," which triggers a fault that prevents the unused memory from being cleared in the kernel buffer. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JavaScript engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via vectors related to "insufficient class checking" in the Date class. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unspecified vulnerability in the SCSI dissector in Wireshark (formerly Ethereal) 0.99.2 allows remote attackers to cause a denial of service (crash) via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 through 0.10.9 allows remote attackers to cause a denial of service (application crash). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in racoon in ipsec-tools before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unspecified vulnerabilities in Ethereal 0.8.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via the (1) Sniffer capture or (2) SMB PIPE dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Certain privileged UI code in Mozilla Firefox and Thunderbird before 1.5.0.4 calls content-defined setters on an object prototype, which allows remote attackers to execute code at a higher privilege than intended. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer signedness error in the DNP3 dissector in Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP3 packet. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple stack-based buffer overflows in the putstring function in find.c in Cscope before 15.6 allow user-assisted remote attackers to execute arbitrary code via a long (1) function name or (2) symbol in a source-code file. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple buffer overflows in Ethereal 0.10.12 and earlier might allow remote attackers to execute arbitrary code via unknown vectors in the (1) SLIMP3 and (2) AgentX dissector. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash). Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Off-by-one error in the OID printing routine in Ethereal 0.10.x up to 0.10.14 has unknown impact and remote attack vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, and (3) MirrorWrappedNativeParent and js_LockGCThingRT. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary JavaScript with chrome privileges via unknown vectors in which "page content can pollute XPCNativeWrappers." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). Jay Beale INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED