Section: 0710-advisories
/// File Name: MDKSA-2007-195.txt
Description: Mandriva Linux Security Advisory - Several vulnerabilities were corrected in the Linux kernel.
A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105).
The lcd_write function did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption) (CVE-2007-3513).
The decode_choice function allowed remote attackers to cause a denial of service (crash) via an encoded out-of-range index value for a choice field, which triggered a NULL pointer dereference (CVE-2007-3642).
The Linux kernel allowed local users to send arbitrary signals to a child process running at higher privileges by causing a setuid-root parent process to die, which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848).
The aac_cfg_open and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308).
The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero-extend the eax register after the 32-bit entry path to ptrace was used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573).
Homepage: http://www.mandriva.com/security/
File Size: 8642
Related CVE(s): CVE-2007-3105, CVE-2007-3513, CVE-2007-3642, CVE-2007-3848, CVE-2007-4308, CVE-2007-4573
Last Modified: Oct 16 00:17:23 2007
MD5 Checksum: 5a12cf6638c61249c10bb2a042c483b3

/// File Name: MDKSA-2007-196.txt
Description: Mandriva Linux Security Advisory - Several vulnerabilities were corrected in the Linux kernel.
The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203).
The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497).
A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which led to an out-of-bounds access by certain functions (CVE-2007-2172).
The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242).
The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453).
A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525).
An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875).
The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876).
A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105).
The lcd_write function did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption) (CVE-2007-3513).
The Linux kernel allowed local users to send arbitrary signals to a child process running at higher privileges by causing a setuid-root parent process to die, which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848).
The aac_cfg_open and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308).
The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero-extend the eax register after the 32-bit entry path to ptrace was used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573).
Homepage: http://www.mandriva.com/security/
File Size: 8221
Related CVE(s): CVE-2006-7203, CVE-2007-1497, CVE-2007-2172, CVE-2007-2242, CVE-2007-2453, CVE-2007-2525, CVE-2007-2875, CVE-2007-2876, CVE-2007-3105, CVE-2007-3513, CVE-2007-3848, CVE-2007-4308, CVE-2007-4573
Last Modified: Oct 16 00:22:46 2007
MD5 Checksum: c9c788c8ab303f6c67b69c3510264278

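The cpuset_tasks_read issue in the advisory above (a large read offset, an integer underflow, and kernel memory disclosed to the caller) is a bug class that a few lines show better than a sentence. The following is an added illustration, not the kernel's code or Mandriva's patch: a userland model of a read handler that computes its copy length as bufsz - pos, beside a hardened version that rejects the offset first. The sample buffer, the function names and the model_read wrapper are all constructed for this example.

```c
/*
 * Added example (not kernel code): a simplified userland model of the
 * cpuset_tasks_read bug class, where a read handler clamps the request
 * as (bufsz - pos) without first checking that pos < bufsz. All names
 * and the sample buffer are constructed for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the kernel-side buffer a read handler exposes
 * (a short list of pids, one per line). */
static const char SAMPLE_BUF[] = "1\n2\n42\n";
#define SAMPLE_BUFSZ (sizeof(SAMPLE_BUF) - 1)

/* Vulnerable length computation: when pos > bufsz the unsigned subtraction
 * wraps, so nbytes becomes enormous instead of zero and the following copy
 * reads far beyond the buffer (kernel memory disclosure in the real bug). */
size_t read_len_vuln(size_t bufsz, size_t pos, size_t nbytes)
{
    if (pos + nbytes > bufsz)
        nbytes = bufsz - pos;        /* underflows for pos > bufsz */
    return nbytes;
}

/* Hardened: refuse offsets at or past the end before subtracting, and
 * compare against the remaining space rather than adding pos + nbytes
 * (which could itself wrap for a huge nbytes). */
size_t read_len_safe(size_t bufsz, size_t pos, size_t nbytes)
{
    if (pos >= bufsz)
        return 0;                    /* at EOF: nothing to copy */
    if (nbytes > bufsz - pos)
        nbytes = bufsz - pos;        /* cannot underflow: pos < bufsz here */
    return nbytes;
}

/* Model of the copy-out step. Returns bytes copied, 0 at EOF, or -1 when
 * the computed length would read outside [src, src + bufsz), which is the
 * point at which the real handler would have copied kernel memory out. */
ssize_t model_read(const char *src, size_t bufsz, size_t pos,
                   char *dst, size_t dstsz,
                   size_t (*len_fn)(size_t, size_t, size_t))
{
    size_t n = len_fn(bufsz, pos, dstsz);
    if (n == 0)
        return 0;
    if (pos > bufsz || n > bufsz - pos)
        return -1;                   /* out-of-bounds read detected */
    memcpy(dst, src + pos, n);
    return (ssize_t)n;
}

int main(void)
{
    char out[16];
    ssize_t r;

    r = model_read(SAMPLE_BUF, SAMPLE_BUFSZ, 100, out, sizeof out, read_len_vuln);
    printf("vulnerable handler, offset 100: %s\n",
           r < 0 ? "out-of-bounds read" : "ok");
    r = model_read(SAMPLE_BUF, SAMPLE_BUFSZ, 100, out, sizeof out, read_len_safe);
    printf("hardened handler, offset 100: returned %zd (EOF)\n", r);
    r = model_read(SAMPLE_BUF, SAMPLE_BUFSZ, 2, out, sizeof out, read_len_safe);
    printf("hardened handler, offset 2: copied %zd bytes\n", r);
    return 0;
}
```

The design point is the order of checks: the offset must be compared with the buffer size before any subtraction involving it, and the remaining space should be compared against the request rather than forming pos + nbytes, so neither direction can wrap.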
/// File Name: MDKSA-2007-197.txt
Description: Mandriva Linux Security Advisory - A buffer overflow in GNU tar results in a stack crash; the attack vectors and impact are unspecified.
Homepage: http://www.mandriva.com/security/
File Size: 3610
Related CVE(s): CVE-2007-4476
Last Modified: Oct 16 00:24:48 2007
MD5 Checksum: 53159c4b18c20e0be46399d37d49bbfd

/// File Name: MDKSA-2007-198.txt
Description: Mandriva Linux Security Advisory - The mount and umount programs in util-linux called the setuid() and setgid() functions in the wrong order and did not check their return values, which could allow attackers to gain privileges via helper applications such as mount.nfs.
Homepage: http://www.mandriva.com/security/
File Size: 6111
Related CVE(s): CVE-2007-5191
Last Modified: Oct 16 00:26:23 2007
MD5 Checksum: dd3bb8a621df79d81e88f389dec88ac1

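Added example of the privilege-drop bug class this advisory describes (setuid() and setgid() called in the wrong order with unchecked return values), shown as a flawed helper beside a checked one. It is illustration code, not the util-linux mount or umount source; drop_privs_flawed, drop_privs_checked and gid_drop_took_effect are hypothetical names, and the target ids are whatever the caller passes in.

```c
/*
 * Added example (not util-linux code): the privilege-drop ordering bug
 * class behind the mount/umount advisory, shown as a flawed helper beside
 * a checked one. Function names are hypothetical; the target ids are
 * whatever the caller passes in.
 */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* Flawed pattern: setuid() before setgid(), return values ignored.
 * After setuid() to an unprivileged uid the process can no longer change
 * to an arbitrary gid, so setgid() fails with EPERM, but nothing checks it
 * and the helper continues with the old, privileged gid. */
int drop_privs_flawed(uid_t uid, gid_t gid)
{
    int ignored;
    ignored = setuid(uid);          /* wrong order: uid dropped first */
    ignored = setgid(gid);          /* may fail; result never examined */
    (void)ignored;
    return 0;                       /* reports success regardless */
}

/* Checked pattern: supplementary groups first (root only), then gid, then
 * uid, each result tested, and the outcome verified through the getters
 * rather than trusted. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                  /* could not reset the group list */
    if (setgid(gid) != 0)
        return -1;                  /* must happen while still privileged */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop took effect: real and effective ids both match. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* The check the flawed helper never makes: did the gid change actually
 * take effect? */
int gid_drop_took_effect(gid_t gid)
{
    return getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Dropping to the caller's own ids succeeds for any user, so the demo
     * runs unprivileged; as root the same calls would switch real ids. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    printf("checked drop to %u:%u -> %s\n", (unsigned)uid, (unsigned)gid,
           drop_privs_checked(uid, gid) == 0 ? "ok" : "FAILED");
    printf("flawed drop reports %d, gid actually %s\n",
           drop_privs_flawed(uid, gid),
           gid_drop_took_effect(gid) ? "changed" : "unchanged");
    return 0;
}
```

Run as an unprivileged user, the demo drops to its own ids, which always succeeds, so it exercises the checking logic without root; the comment in drop_privs_flawed states what goes wrong in the setuid-root case the advisory describes, where the gid change silently fails and the helper keeps a privileged group.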
/// File Name: MDKSA-2007-200.txt
Description: Mandriva Linux Security Advisory - A vulnerability in Tk was found that could be used to overrun a buffer when loading certain GIF images. If a user were tricked into opening a specially crafted GIF file, it could lead to a denial of service condition or possibly the execution of arbitrary code with the user's privileges.
Homepage: http://www.mandriva.com/security/
File Size: 7166
Related CVE(s): CVE-2007-5137, CVE-2007-5378
Last Modified: Oct 18 18:44:35 2007
MD5 Checksum: 0e3f83e910e1f30abaa43c4df9dd66d7

/// File Name: MDKSA-2007-201.txt
Description: Mandriva Linux Security Advisory - A vulnerability in the hpssd tool was discovered where it did not correctly handle shell meta-characters. A local attacker could use this flaw to execute arbitrary commands as the hplip user. This update also fixes a problem with some HP scanners on Mandriva Linux 2007.1, particularly the HP PSC 1315, which were not detected, and a problem with the HP 1220 and possibly other models when scanning via the OpenOffice.org suite.
Homepage: http://www.mandriva.com/security/
File Size: 8958
Related CVE(s): CVE-2007-5208
Last Modified: Oct 22 23:59:08 2007
MD5 Checksum: e3484f14d0e3a26c14c39da2fdf8ae28

/// File Name: MDKSA-2007-202.txt
Description: Mandriva Linux Security Advisory - A number of security vulnerabilities have been discovered and corrected in Mozilla Firefox; the updated packages provide version 2.0.0.8.
Homepage: http://www.mandriva.com/security/
File Size: 55387
Related CVE(s): CVE-2006-2894, CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-4841, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340
Last Modified: Oct 23 19:20:30 2007
MD5 Checksum: e332e9bdd340b8956054f070addf1ba0

/// File Name: mirandaim-overflows.txt
Description: Multiple buffer overflow vulnerabilities exist in Miranda IM, a popular open source instant messaging client. Versions 0.6.8 and 0.7.0 are vulnerable.
Author: David Wharton
Homepage: http://secureworks.com/
File Size: 3261
Related CVE(s): CVE-2007-5542, CVE-2007-5543
Last Modified: Oct 23 19:25:20 2007
MD5 Checksum: c17ee18def8641a947376f499d6789ba

/// File Name: NGS00419.txt
Description: NGSSoftware Insight Security Research Advisory - It is possible to cause the Java Virtual Machine to overwrite an arbitrary memory location with an arbitrary value (repeatedly and in a stable manner) when parsing a malformed TrueType font. JDK and JRE versions 5.0 Update 9 and below, as well as SDK and JRE versions 1.4.2_14 and below, are affected.
Author: John Heasman
Homepage: http://www.ngssoftware.com/
File Size: 4670
Last Modified: Oct 29 20:39:02 2007
MD5 Checksum: c0cef6830fd8bb988ca43b15caf178dc

/// File Name: NGS00443.txt
Description: NGSSoftware Insight Security Research Advisory - JDK and JRE versions 6 Update 1 and below, 5.0 Update 11 and below, and SDK and JRE versions 1.4.2_14 and below contain a vulnerability that allows an untrusted applet to violate the network access restrictions placed on it by the Java sandbox.
Author: John Heasman
Homepage: http://www.ngssoftware.com/
File Size: 3849
Last Modified: Oct 29 20:38:03 2007
MD5 Checksum: 294b79541b86bde15e4205357ff9f957

/// File Name: NISR17102007A.txt
Description: NGSSoftware Insight Security Research Advisory - The Intermedia application, owned by CTXSYS, contains a package called CTX_DOC. This package contains multiple SQL injection flaws.
Author: David Litchfield
Homepage: http://www.ngssoftware.com/
File Size: 2980
Last Modified: Oct 18 18:15:19 2007
MD5 Checksum: 6391108725892efacb180aa8e5d0112b

/// File Name: NISR17102007B.txt
Description: NGSSoftware Insight Security Research Advisory - The Workspace Manager in Oracle 9i and Oracle 10g release 1 and 2 is vulnerable to SQL injection. The Workspace Manager contains a package called LT, which is owned and defined by the SYS user and can be executed by PUBLIC. LT contains a procedure called FINDRICSET, which calls the FINDRICSET procedure in the LTRIC package. This is vulnerable to SQL injection and can be abused by an attacker to gain SYS privileges.
Author: David Litchfield
Homepage: http://www.ngssoftware.com/
File Size: 3107
Last Modified: Oct 18 18:16:27 2007
MD5 Checksum: 69edd82fa8cac473f288d4f330ee5ac6

/// File Name: NISR17102007C.txt
Description: NGSSoftware Insight Security Research Advisory - The Oracle TNS Listener suffers from denial of service and/or remote memory inspection vulnerabilities. Affected systems include Oracle 8.1.7.4, Oracle 9, and Oracle 10g Release 1 and 2.
Author: David Litchfield
Homepage: http://www.ngssoftware.com/
File Size: 3527
Last Modified: Oct 18 18:17:51 2007
MD5 Checksum: 4b1d5b9c9a68052baf1d1b81653d3661

/// File Name: NISR17102007D.txt
Description: NGSSoftware Insight Security Research Advisory - On receiving an invalid TNS data packet, the Oracle RDBMS consumes 100% of the CPU's time, introducing a denial of service condition.
Author: David Litchfield
Homepage: http://www.ngssoftware.com/
File Size: 3280
Last Modified: Oct 18 18:20:52 2007
MD5 Checksum: a370f981cb7f34a8094c806a8b0dfddf

/// File Name: NISR17102007E.txt
Description: NGSSoftware Insight Security Research Advisory - The Oracle XML DB FTP service contains problems with the auditing of logins.
Author: David Litchfield
Homepage: http://www.ngssoftware.com/
File Size: 3062
Last Modified: Oct 18 18:21:43 2007
MD5 Checksum: 03a2b4d2ce1e0e61066c4236c2f3932c

/// File Name: nortelcs-dos.txt
Description: The Nortel Communication Server 1000 is susceptible to a denial of service condition when flooded with packets.
Author: Cyrill Brunschwiler
Homepage: http://www.csnc.ch/
File Size: 1374
Last Modified: Oct 22 17:04:58 2007
MD5 Checksum: 28103785a4ec9a6dde8fa212733ee839

/// File Name: nssboard-xss.txt
Description: Nssboard, formerly Simple PHP Forum, is susceptible to HTML injection vulnerabilities.
Author: Casey Fitzpatrick
File Size: 1135
Last Modified: Oct 15 19:07:56 2007
MD5 Checksum: f64b8010de079f20c1ce5d48eaab58aa

/// File Name: OpenSSL-12-Oct-2007.txt
Description: OpenSSL Security Advisory - Andy Polyakov discovered a flaw in OpenSSL's DTLS implementation which could lead to the compromise of clients and servers with DTLS enabled. All versions of 0.9.8 prior to 0.9.8f are affected. Moritz Jodeit found an off-by-one error in SSL_get_shared_ciphers(), a function that should normally only be used for logging or debugging. All releases of 0.9.8 prior to 0.9.8f and all releases of 0.9.7 prior to 0.9.7m are affected.
Author: Ben Laurie
Homepage: http://www.openssl.org/
File Size: 2022
Related CVE(s): CVE-2007-4995, CVE-2007-5135
Last Modified: Oct 12 21:25:50 2007
MD5 Checksum: 930dc9a42ecda065f6b34cdb7909144f

/// File Name: oracle-dbms.txt
Description: Team SHATTER Security Alert - Oracle Database Server provides the SYS.DBMS_AQADM_SYS package, which is used internally by the SYS.DBMS_AQADM package to provide procedures for managing Oracle Streams Advanced Queuing (AQ) configuration and administration information. This package contains the procedure DBLINK_INFO, which is vulnerable to buffer overflow attacks. Affected versions include Oracle Database Server versions 9iR1, 9iR2 (9.2.0.7 and previous patchsets) and 10gR1.
Author: Esteban Martinez Fayo
Homepage: http://www.appsecinc.com/
File Size: 2614
Last Modified: Oct 29 16:44:02 2007
MD5 Checksum: 11ee5bddc080a902b7e88e2b8bc4f72a

/// File Name: oracle-mdsys.txt
Description: Team SHATTER Security Alert - Oracle Database Server provides the MDSYS.SDO_CS package, which contains subprograms for working with coordinate systems. This package contains the function TRANSFORM, which is vulnerable to buffer overflow attacks. Affected versions include Oracle Database Server versions 8iR3, 9iR1, 9iR2 (9.2.0.6 and previous patchsets) and 10gR1 (10.1.0.4 and previous patchsets).
Author: Esteban Martinez Fayo
Homepage: http://www.appsecinc.com/
File Size: 2472
Last Modified: Oct 29 16:42:01 2007
MD5 Checksum: b120d424ad08773ef44118fa184376a9

/// File Name: pagemaker-overflow.txt
Description: Adobe PageMaker versions 7.0.1 and 7.0.2 suffer from a buffer overflow vulnerability when handling long font names. Links to the full advisory are provided; however, the author has removed the exploit code related to the vulnerability.
Author: Tan Chew Keong
Homepage: http://vuln.sg/
File Size: 811
Last Modified: Oct 10 02:24:24 2007
MD5 Checksum: 73b8a7f7fad4d36676f7002bbc0b0568

/// File Name: realplayer-heap-corruption-adv.txt
Description: RealNetworks RealPlayer, RealOne Player and Helix Player all suffer from a heap corruption vulnerability in the handling of specially crafted .mov files. Successful exploitation may lead to code execution.
Author: Piotr Bania
Homepage: http://piotrbania.com/
File Size: 5213
Last Modified: Oct 26 11:06:03 2007
MD5 Checksum: e2ef19fcac9143f960d0e4730c0cc729

/// File Name: realplayer-heap.txt
Description: All versions of RealPlayer 10 and some builds of RealPlayer 10.5 suffer from a heap overflow in the ID3 tag parsing code.
Author: John Heasman
Homepage: http://www.ngssoftware.com/
File Size: 2669
Last Modified: Oct 29 16:51:26 2007
MD5 Checksum: 3f95c0eb6dbfcedfad035ee38be0fe1e

/// File Name: realplayer-memory-corruption-adv.tx..>
Description: RealNetworks RealPlayer, RealOne Player and Helix Player all suffer from a memory corruption vulnerability in the handling of specially crafted .mov files. Successful exploitation may lead to code execution.
Author: Piotr Bania
Homepage: http://piotrbania.com/
File Size: 4159
Last Modified: Oct 26 11:02:22 2007
MD5 Checksum: d5f7cd811f442f4d147649a824c696fc