National Cyber Alert System
Cyber Security Bulletin SB05-341

Summary of Security Items from December 1 through December 7, 2005

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Vulnerabilities

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Windows Operating Systems Only

Vendor & Software Name | Vulnerability - Impact | Patches - Workarounds | Attack Scripts | Common Name / CVE Reference | Risk | Source

Absolute Shopping Package Solutions

Shopping Cart Professional 2.9d, Lite 2.1

Multiple vulnerabilities have been reported in Shopping Cart that could let remote malicious users conduct Cross-Site Scripting or execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Absolute Shopping Package Solutions Shopping Cart Cross-Site Scripting

CVE-2005-4003

High

Security Focus, ID: 15694, December 3, 2005

Alan Ward

A-FAQ 1.0

Multiple vulnerabilities have been reported in A-FAQ that could let remote malicious users perform SQL injection.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

A-FAQ SQL Injection

CVE-2005-4064

Medium

Security Focus, ID: 15741, December 6, 2005

ASP-DEV

ASP Resources Forum

An input validation vulnerability has been reported in ASP Resources Forum that could let remote malicious users perform SQL Injection.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

ASP Resources Forum SQL Injection

Medium

Security Tracker, Alert ID: 1015316, December 6, 2005

Cisco

Cisco Security Agent 4.5.0, 4.5.1

A vulnerability has been reported in Cisco Security Agent that could let local malicious users obtain elevated privileges.

A vendor solution is available:
http://www.cisco.com/warp/public/707/cisco-sa-20051129-csa.shtml

Currently we are not aware of any exploits for this vulnerability.

Cisco Security Agent Elevated Privileges

CVE-2005-3886

Medium

Cisco, Security Advisory cisco-sa-20051129-csa, November 29, 2005

Citrix Systems

Citrix MetaFrame Secure Access Manager 2.0 to 2.2, Citrix NFuse Elite 1.0

An input validation vulnerability has been reported in Citrix MetaFrame Secure Access Manager that could let remote malicious users conduct Cross-Site Scripting.

A vendor solution is available:
http://support.citrix.com/article/CTX108208

There is no exploit code required.

Citrix MetaFrame Secure Access Manager and NFuse Elite Cross-Site Scripting

CVE-2005-3971

Medium

Citrix, CTX108208, November 29, 2005

IISWorks

ASPKnowledgeBase

A vulnerability has been reported in ASPKnowledgeBase that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

IISWorks ASPKnowledgeBase Cross-Site Scripting

CVE-2005-4047

Medium

Security Focus, ID: 15734, December 6, 2005

infinetSoftware

MyTemplateSite 1.2 and prior

A vulnerability has been reported in MyTemplateSite ('search.asp'), that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required.

MyTemplateSite Cross-Site Scripting

CVE-2005-4004

Medium

Security Focus, ID: 15693, December 3, 2005

IPswitch

IMail Server 8.20, Collaboration Suite 2.0

Multiple vulnerabilities have been reported in IMail Server and Collaboration Suite that could let remote malicious users cause a Denial of Service or execute arbitrary code.

A vendor solution is available:
IMail Server:
http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

Collaboration Suite:
http://www.ipswitch.com/support/ics/updates/ics202.asp

There is no exploit code required.

Ipswitch IMail Server IMAP and SMTP Service Two Vulnerabilities

CVE-2005-2923
CVE-2005-2931

High

Security Focus, ID: 15752, 15753, December 6, 2005

MailEnable Professional 1.6, Enterprise 1.1

A vulnerability has been reported in MailEnable that could let remote malicious users cause a Denial of Service.

A vendor solution is available:
http://www.mailenable.com/hotfix/

Currently we are not aware of any exploits for this vulnerability.

MailEnable Denial of Service

CVE-2005-3993

Low

Secunia, Advisory: SA17820, December 2, 2005

Microsoft

Internet Explorer 6.0

A vulnerability has been reported in Internet Explorer that could let remote malicious users disclose information. Specifically, importing CSS files may allow for cross domain security restriction bypassing.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Microsoft Internet Explorer Information Disclosure

CVE-2005-4089

Medium

Security Focus, ID: 15660, December 01, 2005

Microsoft

Windows

A vulnerability has been reported in Windows that could let local malicious users perform a Denial of Service. NOTE: This issue has been disputed by third parties.

No workaround or patch available at time of publishing.

An exploit has been published.

Microsoft Windows CreateRemoteThread Denial of Service

CVE-2005-3981

Low

Security Focus, ID: 15671, December 01, 2005

NetAuctionHelp Auction Software 3.0 and prior

Multiple vulnerabilities have been reported in NetAuctionHelp Auction Software that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

NetAuctionHelp Auction Software Cross-Site Scripting

CVE-2005-4063

Medium

Security Focus, ID: 15737, December 6, 2005

RainWorx

rwAuctionPro 4.0 and prior

A vulnerability has been reported in rwAuctionPro that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

rwAuction Pro Cross-Site Scripting

CVE-2005-4060

Medium

Secunia Advisory: SA17905, December 6, 2005

SiteBeater

SiteBeater MP3 Catalog 2.0.3 and prior

A vulnerability has been reported in SiteBeater MP3 Catalog ('search.asp'), that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required.

SiteBeater MP3 Catalog Cross-Site Scripting

CVE-2005-3999
CVE-2005-4000

Medium

Secunia, Advisory: SA17856, December 5, 2005

SiteBeater

SiteBeater News System 4.0 and prior

A vulnerability has been reported in SiteBeater News System ('archive.asp'), that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

SiteBeater News System Cross-Site Scripting

CVE-2005-4000

Medium

Secunia, Advisory: SA17857, December 5, 2005

Solupress News 1.0 and prior

A vulnerability has been reported in Solupress News ('search.asp'), that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Solupress News Cross-Site Scripting

CVE-2005-3998

Medium

Secunia, Advisory: SA17854, December 5, 2005

Symantec

pcAnywhere 11.5.1, 11.5 and prior

A vulnerability has been reported in pcAnywhere that could let remote malicious users perform a Denial of Service.

A vendor solution is available:
http://www.symantec.com/avcenter/security/Content/2005.11.29.html

Currently we are not aware of any exploits for this vulnerability.

pcAnywhere Authentication Denial of Service Vulnerability

CVE-2005-3934

Low

Symantec, SYM05-026, November 29, 2005

XCent

XcClassified 3.0 and prior

A vulnerability has been reported in XcClassified that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required.

XcClassified Cross-Site Scripting

CVE-2005-4062

Medium

Secunia Advisory: SA17903, December 6, 2005

XCent

XcPhotoAlbum 1.0

A vulnerability has been reported in XcPhotoAlbum that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required.

XcPhotoAlbum Cross-Site Scripting

CVE-2005-4061

Medium

Secunia Advisory: SA17904, December 6, 2005

UNIX / Linux Operating Systems Only

Vendor & Software Name | Vulnerability - Impact | Patches - Workarounds | Attack Scripts | Common Name / CVE Reference | Risk | Source

Appfluent Technology

Database IDS 2.0

A buffer overflow vulnerability has been reported in the 'APPFLUENT_HOME' environment variable when handling a malformed value, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

An exploit script has been published.

Appfluent Technology Database IDS Buffer Overflow

CVE-2005-4076

High
Security Focus, Bugtraq ID: 15755, December 7, 2005

Astaro Internet Security

Astaro Security Linux 6.1 01, 6.0 02, 6.0 01

A remote Denial of Service vulnerability has been reported when handling malformed IKE traffic.

Updates available at:
http://www.astaro.org/showflat.php?Cat=&Number=63958&page=0&view=collapsed&sb=5&o=&fpart=1#63958

Vulnerability can be reproduced using the PROTOS ISAKMP Test Suite.

Astaro Security Linux ISAKMP IKE Traffic Denial of Service

CVE-2005-3985

Low
Security Focus, Bugtraq ID: 15666, December 1, 2005

Daniel Stenberg

curl 7.12-7.15, 7.11.2

 

A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before using in a finite sized buffer, which could let a local/remote malicious user execute arbitrary code.

Upgrades available at:
http://curl.haxx.se/download/curl-7.15.1.tar.gz

Currently we are not aware of any exploits for this vulnerability.

cURL / libcURL URL Parser Buffer Overflow

CVE-2005-4077

High
Security Focus, Bugtraq ID: 15756, December 7, 2005

Easy Search System

Easy Search System 1.1

A Cross-Site Scripting vulnerability has been reported in 'search.cgi' due to insufficient sanitization of the 'q' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published.

Easy Search System Cross-Site Scripting

CVE-2005-4032

Medium

Security Focus, Bugtraq ID: 15705, December 5, 2005

Edgewall Software

Trac 0.9

An SQL injection vulnerability has been reported in the ticket query module due to insufficient sanitization of the 'group' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Upgrade available at:
http://projects.edgewall.com/trac/wiki/TracDownload

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Edgewall Trac SQL Injection

CVE-2005-3980

Medium
Security Tracker Alert ID: 1015302, December 1, 2005

Edgewall Software

Trac 0.9.1, 0.9, 0.8.1-0.8.4, 0.7.1

An SQL injection vulnerability has been reported in the search module due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Upgrades available at:
http://ftp.edgewall.com/pub/trac/trac-0.9.2.tar.gz

There is no exploit code required; however, a Proof of Concept exploit has been published.

Edgewall Software Trac Search Module SQL Injection

CVE-2005-4065

Medium

Security Focus, Bugtraq ID: 15720, December 5, 2005

GNU

Mailman 2.1-2.1.5, 2.0-2.0.14

A remote Denial of Service vulnerability has been reported in 'Scrubber.py' due to a failure to handle exception conditions when Python fails to process an email file attachment that contains utf8 characters in its filename.

Mandriva:
http://www.mandriva.com/security/advisories

There is no exploit code required.

GNU Mailman Attachment Scrubber UTF8 Filename Remote Denial of Service

CVE-2005-3573

Low

Secunia Advisory: SA17511, November 14, 2005

Mandriva Linux Security Advisory, MDKSA-2005:222, December 2, 2005

Hewlett Packard Company

HP-UX B.11.23, B.11.11, B.11.00

An unspecified vulnerability has been reported when IPSEC is running, which could let a remote malicious user obtain unauthorized access.

Update information available at:
http://www.securityfocus.com/advisories/9812

Currently we are not aware of any exploits for this vulnerability.

HP-UX Unspecified IPSec Unauthorized Remote Access

CVE-2005-4090

Medium
HP Security Bulletin, HPSBUX02082, December 7, 2005

Hewlett Packard Company

HP-UX B.11.23, B.11.22, B.11.11, B.11.04, B.11.00

A remote Denial of Service vulnerability has been reported in the Path MTU Discovery (PMTUD) functionality that is supported in the ICMP protocol.

Patches available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01137

Revision 2: The binary files of HPSBUX01164 will resolve the issue for the core TCP/IP in B.11.11, B.11.22, and B.11.23. The binary files of HPSBUX01164 will NOT resolve the issue for IPSec. B.11.00 and B.11.04 are NOT vulnerable. The recommended workaround is to modify /etc/rc.config.d/nddconf and reboot.

Rev 3: PHNE_33159 is available for B.11.11.

Avaya:
http://support.avaya.com/elmodocs2/security/ASA-2005-160.pdf

Rev 4: PHNE_32606 is available for B.11.23.

Rev 6: IPSec revisions available.

Currently we are not aware of any exploits for this vulnerability.

HP-UX ICMP PMTUD Remote Denial of Service

CVE-2005-1192

Low

Hewlett Packard Company Security Advisory, HPSBUX01137, April 24, 2005

Hewlett Packard Company Security Advisory, HPSBUX01137: SSRT5954 rev.1, May 25, 2005

Hewlett Packard Company Security Advisory, HPSBUX01137: SSRT5954 rev.2, June 1, 2005

Avaya Security Bulletin, ASA-2005-160, July 15, 2005

HP Security Bulletin, HPSBUX01137 rev 4, July 19, 2005

HP Security Bulletin, HPSBUX01137 rev 6, December 5, 2005

IBM

AIX 5.1-5.3

A vulnerability has been reported in the 'umountall' command due to an unspecified error with regards to the absolute path. The impact was not specified.

Updates available at:
http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Currently we are not aware of any exploits for this vulnerability.

IBM AIX UMOUNTALL Unspecified Absolute Path Security

CVE-2005-4068

Not Specified
Secunia Advisory: SA17924, December 7, 2005

IPsec-Tools

IPsec-Tools 0.6-0.6.2, 0.5-0.5.2

A remote Denial of Service vulnerability has been reported due to a failure to handle exceptional conditions when in 'AGGRESSIVE' mode.

Upgrades available at:
http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.6.3.tar.bz2?download

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/

Vulnerability can be reproduced with the PROTOS IPSec Test Suite.

IPsec-Tools ISAKMP IKE Remote Denial of Service

CVE-2005-3732

Low

Security Focus, Bugtraq ID: 15523, November 22, 2005

Ubuntu Security Notice, USN-221-1, December 01, 2005

libpng

pnmtopng 2.38, 2.37.3-2.37.6

A buffer overflow vulnerability has been reported in 'Alphas_Of_Color' due to insufficient bounds checking of user-supplied data prior to copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/png-mng/pnmtopng-2.39.tar.gz?download

Debian:
http://security.debian.org/pool/updates/main/n/netpbm-free/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/n/netpbm-free/

Mandriva:
http://www.mandriva.com/security/advisories

SUSE:
ftp://ftp.suse.com/pub/suse/

Currently we are not aware of any exploits for this vulnerability.

PNMToPNG Remote Buffer Overflow

CVE-2005-3662

High

Security Focus, Bugtraq ID: 15427, November 15, 2005

Debian Security Advisory, DSA 904-1, November 21, 2005

Ubuntu Security Notice, USN-218-1, November 21, 2005

Mandriva Linux Security Advisory, MDKSA-2005:217, November 30, 2005

SUSE Security Summary Report Announcement, SUSE-SR:2005:028, December 2, 2005

Mozilla.org

Firefox 0.x, 1.x

Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for a remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.

Updates available at:
http://www.mozilla.org/products/firefox/

Gentoo:
ftp://security.gentoo.org/glsa/

Mandriva:
http://www.mandriva.com/security/advisories

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-586.html

Slackware:
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.418880

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/

http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/

SUSE:
ftp://ftp.suse.com/pub/suse/

Debian:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/

http://security.debian.org/pool/updates/main/m/mozilla/

SGI:
ftp://patches.sgi.com/support/free/security/advisories/

Gentoo:
http://security.gentoo.org/glsa/glsa-200507-24.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Debian:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/

Debian:
http://security.debian.org/pool/updates/main/m/mozilla/

Fedora:
http://download.fedoralegacy.org/fedora/

HP:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBOV01229

HP:
http://www.hp.com/products1/unix/java/mozilla/index.html

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-locale-da/

Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101952-1

SUSE:
ftp://ftp.suse.com/pub/suse/

Exploits have been published.

Firefox Multiple Vulnerabilities

CVE-2005-2260
CVE-2005-2261
CVE-2005-2262
CVE-2005-2263
CVE-2005-2264
CVE-2005-2265
CVE-2005-2267
CVE-2005-2269
CVE-2005-2270

High

Secunia Advisory: SA16043, July 13, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:120, July 13, 2005

Gentoo Linux Security Advisory, GLSA 200507-14, July 15, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications, FEDORA-2005-603 & 605, July 20, 2005

RedHat Security Advisory, RHSA-2005:586-11, July 21, 2005

Slackware Security Advisory, SSA:2005-203-01, July 22, 2005

US-CERT VU#652366

US-CERT VU#996798

Ubuntu Security Notices, USN-155-1 & 155-2 July 26 & 28, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1 & 2, 2005

SUSE Security Announcement, SUSE-SA:2005:045, August 11, 2005

Debian Security Advisory, DSA 775-1, August 15, 2005

SGI Security Advisory, 20050802-01-U, August 15, 2005

Debian Security Advisory, DSA 777-1, August 17, 2005

Debian Security Advisory, DSA 779-1, August 20, 2005

Debian Security Advisory, DSA 781-1, August 23, 2005

Gentoo Linux Security Advisory, GLSA 200507-24, August 26, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:127-1, August 26, 2005

Slackware Security Advisory, SSA:2005-085-01, August 28, 2005

Debian Security Advisory, DSA 779-2, September 1, 2005

Debian Security Advisory, DSA 810-1, September 13, 2005

Fedora Legacy Update Advisory, FLSA:160202, September 14, 2005

HP Security Bulletin, HPSBOV01229, September 19, 2005

HP Security Bulletin, HPSBUX01230, October 3, 2005

Ubuntu Security Notice, USN-155-3, October 04, 2005

Sun(sm) Alert Notification, Sun Alert ID: 101952, October 17, 2005

SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005

Multiple Vendors

Xpdf 3.0 pl2 & pl3, 3.0 1, 3.00, 2.0-2.03, 1.0 0, 1.0 0a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2;
KDE kpdf 0.5, KOffice 1.4.2; PDFTOHTML PDFTOHTML 0.36


Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::readBaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::readProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream::readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.

Patches available at:
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-840.html

Currently we are not aware of any exploits for these vulnerabilities.

Xpdf Buffer Overflows

CVE-2005-3191
CVE-2005-3192
CVE-2005-3193

High

iDefense Security Advisory, December 5, 2005

Fedora Update Notifications, FEDORA-2005-1121 & 1122, December 6, 2005

RedHat Security Advisory, RHSA-2005:840-5, December 6, 2005

Multiple Vendors

gnump3d 2.9-2.9.7; Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha

Several vulnerabilities have been reported: a vulnerability was reported in the 'index.lok' lock file when indexing music files due to the insecure creation of temporary files, which could let a remote malicious user overwrite arbitrary files; and a Directory Traversal vulnerability was reported when processing certain CGI parameters and cookie values due to an input validation error, which could let a remote malicious user obtain sensitive information.

Update available at:
http://savannah.gnu.org/download/gnump3d/

Debian:
http://security.debian.org/pool/updates/main/g/gnump3d/

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-16.xml

SUSE:
ftp://ftp.suse.com/pub/suse/

There is no exploit code required.

GNU gnump3d Insecure Temporary File Creation & Directory Traversal

CVE-2005-3349
CVE-2005-3355

Medium

Secunia Advisory: SA17647, November 18, 2005

Debian Security Advisory, DSA 901-1, November 19, 2005

Gentoo Linux Security Advisory, GLSA 200511-16, November 21, 2005

SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005

Multiple Vendors

Linux Kernel Linux kernel 2.6-2.6.14

A Denial of Service vulnerability has been reported in 'net/ipv6/udp.c' due to an infinite loop error in the 'udp_v6_get_port()' function.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.14.tar.bz2

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

SUSE:
ftp://ftp.suse.com/pub/suse/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel IPV6 Denial of Service

CVE-2005-2973

Low

Secunia Advisory: SA17261, October 21, 2005

Fedora Update Notifications, FEDORA-2005-1007 & 1013, October 20, 2005

Security Focus, Bugtraq ID: 15156, October 31, 2005

Ubuntu Security Notice, USN-219-1, November 22, 2005

SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005

Multiple Vendors

phpMyAdmin 2.7 .0-beta1, 2.6.4 -rc1, pl3, pl1, 2.6.3 -pl1, 2.6.2 -rc1, 2.6.2, 2.6.1 pl3, 2.6.1 pl1, 2.6.1 -rc1, 2.6.1, 2.6.0pl3, 2.6.0pl2, 2.6.0pl1, 2.5.7pl1, 2.5.7, 2.5.6 -rc1, 2.5.5 pl1, 2.5.5 -rc2, 2.5.5 -rc1, 2.5.5,
phpMyAdmin phpMyAdmin 2.5 .0-2.5.4, 2.4.0, 2.3.2, 2.3.1, 2.2-2.2.6, 2.1-2.1 .2, 2.0- 2.0.5

Cross-Site Scripting vulnerabilities have been reported in the 'HTTP_HOST' variable and certain scripts in the libraries directory due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.7.0.tar.gz

There is no exploit code required.

PHPMyAdmin Multiple Cross-Site Scripting

CVE-2005-3665

Medium
phpMyAdmin security announcement PMASA-2005-8, December 5, 2005

Multiple Vendors

SuSE Linux Enterprise Server 9, Linux 9.3 x86_64;
Linux kernel 2.6.11, 2.6.8, 2.6.5

A vulnerability has been reported in 'ptrace' on 64-bit platforms, which could let a malicious user access kernel memory pages.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 64 Bit PTrace Kernel Memory Access

CVE-2005-1763

Medium

SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisory, MDKSA-2005:220, November 30, 2005

Multiple Vendors

SuSE Linux Professional 9.3, x86_64, 9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel 2.6-2.6.12

A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.

Patches available at:
http://www.kernel.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-663.html

Mandriva:
http://www.mandriva.com/security/advisories

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel XFRM Array Index Buffer Overflow

CVE-2005-2456

High

Security Focus, 14477, August 5, 2005

Ubuntu Security Notice, USN-169-1, August 19, 2005

SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005

RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005

Multiple Vendors

SuSE Linux Professional 10.0 OSS, 10.0, Linux Personal 10.0 OSS;
Linux kernel 2.6-2.6.15

A Denial of Service vulnerability has been reported due to a race condition in 'do_coredump'.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

There is no exploit code required.

Linux Kernel do_coredump Denial of Service

CVE-2005-3527

Low
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005

Multiple Vendors

Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; 2.6-2.6.12 .4

A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.12.5.tar.gz

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandriva:
http://www.mandriva.com/security/advisories

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel ZLib Null Pointer Dereference Denial of Service

CVE-2005-2459

Low

SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005

Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005

Multiple Vendors

Ubuntu Linux 5.10 powerpc, i386, amd64, 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
TouchTunes Rhapsody,
TouchTunes Maestro;
SuSE UnitedLinux 1.0, Novell Linux Desktop 9.0, Linux Professional 10.0 OSS, 10.0, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Enterprise Server 9, 8, Linux Desktop 1.0;
RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, 2.1 IA64, 2.1, AS 4, AS 3, AS 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; GTK+ 2.8.6, 2.6.4, 2.4.14, 2.4.13, 2.4.10, 2.4.9, 2.4.1, 2.2.4, 2.2.3;
GNOME GdkPixbuf 0.22;
Gentoo Linux; Ardour 0.99

Multiple vulnerabilities have been reported: an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' due to insufficient validation of the 'n_col' value before it is used to allocate memory, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when processing an XPM file that contains a large number of colors; and an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when performing calculations using the height, width, and colors of an XPM file, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.

Updates available at:
ftp://ftp.gtk.org/pub/gtk/v2.8/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-810.html

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-14.xml

SuSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/

Mandriva:
http://www.mandriva.com/security/advisories

Trustix:
http://http.trustix.org/pub/trustix/

Avaya:
http://support.avaya.com/elmodocs2/security/ASA-2005-229.pdf

Debian:
http://security.debian.org/pool/updates/main/g/gtk+2.0/

SGI:
ftp://patches.sgi.com/support/free/security/advisories/

Debian:
http://security.debian.org/pool/updates/main/g/gdk-pixbuf/

Currently we are not aware of any exploits for these vulnerabilities.

GTK+ GdkPixbuf XPM Image Rendering Library

CVE-2005-2975
CVE-2005-2976
CVE-2005-3186

High

Fedora Update Notifications, FEDORA-2005-1085 & 1086, November 15, 2005

RedHat Security Advisory, RHSA-2005:810-9, November 15, 2005

Gentoo Linux Security Advisory GLSA 200511-14, November 16, 2005

SUSE Security Announcement, SUSE-SA:2005:065, November 16, 2005

Ubuntu Security Notice, USN-216-1, November 16, 2005

Mandriva Linux Security Advisory, MDKSA-2005:214, November 18, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0066, November 22, 2005

Avaya Security Advisory, ASA-2005-229, November 21, 2005

Debian Security Advisory, DSA 911-1, November 29, 2005

SGI Security Advisory, 20051101-01-U, November 29, 2005

Debian Security Advisory DSA 913-1, December 1, 2005

Multiple Vendors

GNU gnump3d 2.9-2.9.5;
Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha

A vulnerability has been reported in GNUMP3d that could let remote malicious users conduct Cross-Site Scripting or traverse directories.

Upgrade to version 2.9.6:
http://savannah.gnu.org/download/gnump3d/gnump3d-2.9.6.tar.gz

Debian:
http://security.debian.org/pool/updates/main/g/gnump3d/

SUSE:
ftp://ftp.suse.com/pub/suse/

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-05.xml

There is no exploit code required; however, Proof of Concept exploits have been published.

GNUMP3d Cross-Site Scripting or Directory Traversal

CVE-2005-3122
CVE-2005-3123

Medium

Security Focus Bugtraq IDs: 15226 & 15228, October 28, 2005

Debian Security Advisory DSA 877-1, October 28, 2005

SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005

Gentoo Linux Security Advisory, GLSA 200511-05, November 6, 2005

SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005

SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005

Multiple Vendors

GNU gnump3d 2.9-2.9.5;
Gentoo Linux

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://www.gnu.org/software/gnump3d/download.html#Download

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-05.xml

SUSE:
ftp://ftp.suse.com/pub/suse/

There is no exploit code required.

GNU gnump3d Unspecified Cross-Site Scripting

CVE-2005-3425

Medium

Gentoo Linux Security Advisory GLSA 200511-05, November 7, 2005

SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005

SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005

Multiple Vendors

Linux kernel 2.6.10, Linux kernel 2.6-test1-test11, 2.6-2.6.8

A Denial of Service vulnerability has been reported in the Netfilter code due to a memory leak.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/

SuSE:
ftp://ftp.suse.com/pub/suse/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-366.html

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-663.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Netfilter Memory Leak Denial of Service

CVE-2005-0210

Low

Ubuntu Security Notice, USN-95-1, March 15, 2005

SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005

Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005

Conectiva Linux Security Announcement, CLA-2005:945, March 31, 2005

Fedora Update Notification, FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-21, August 9, 2005

RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005

Mandriva Linux Security Advisories, MDKSA-2005:218 & 219, November 30, 2005

Multiple Vendors

Linux Kernel 2.6 up to & including 2.6.12-rc4

Several vulnerabilities have been reported: a vulnerability was reported in raw character devices (raw.c) because the wrong function is called before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space; and a vulnerability was reported in the 'pkt_ioctl' function in the 'pktcdvd' block device ioctl handler (pktcdvd.c) because the wrong function is called before passing an ioctl to the block device, which could let a malicious user execute arbitrary code.

Update available at:
http://kernel.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-420.html

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Mandriva:
http://www.mandriva.com/security/advisories

A Proof of Concept Denial of Service exploit script has been published.

Multiple Vendor Linux Kernel pktcdvd & raw device Block Device

CVE-2005-1264
CVE-2005-1589

High

Secunia Advisory, SA15392, May 17, 2005

Ubuntu Security Notice, USN-131-1, May 23, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:110, July 1, 2005

RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005

Conectiva Linux Announcement, CLSA-2005:999, August 17, 2005

Mandriva Linux Security Advisory, MDKSA-2005:219, November 30, 2005

Multiple Vendors

Linux kernel 2.6-2.6.11

A vulnerability has been reported in the '/sys' file system due to a mismanagement of integer signedness, which could let a malicious user cause a Denial of Service and potentially execute arbitrary code.

SuSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-366.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel SYSFS_Write_File Local Integer Overflow

CVE-2005-0867

High

Security Focus, 13091, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005

Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005

Multiple Vendors

Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11

A vulnerability has been reported in the Linux kernel in the Radionet Open Source Environment (ROSE) implementation in the 'rose_rt_ioctl()' function due to insufficient validation of a new route's 'ndigis' argument. The impact was not specified.

Updates available at:
http://linux.bkbits.net:8080/linux-2.4/cset@41e2cf515TpixcVQ8q8HvQvCv9E6zA

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Radionet Open Source Environment (ROSE) ndigis Input Validation

CVE-2005-3273

Not Specified

Security Tracker Alert, 1014115, June 7, 2005

Ubuntu Security Notice, USN-219-1, November 22, 2005

Mandriva Linux Security Advisories, MDKSA-2005:218, 219, & 220, November 30, 2005

Multiple Vendors

Linux Kernel 2.6.10, 2.6, test-test11, 2.6.1-2.6.10, 2.6.10 rc2; RedHat Fedora Core2&3

An integer overflow vulnerability has been reported in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
https://rhn.redhat.com/errata/RHSA-2005-092.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel SCSI IOCTL Integer Overflow

CVE-2005-0180

High

Bugtraq, January 7, 2005

Fedora Update Notifications, FEDORA-2005-013 & 014, January 10, 2005

SUSE Security Announcement, SUSE-SA:2005:003, January 21, 2005

RedHat Security Advisory, RHSA-2005:092-14, February 18, 2005

SUSE Security Announcement, SUSE-SA:2005:010, February 25, 2005

Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005

Multiple Vendors

Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1-2.6.11; RedHat Desktop 4.0, Enterprise Linux WS 4, ES 4, AS 4

Multiple vulnerabilities have been reported: a vulnerability was reported in the 'shmctl' function, which could let a malicious user obtain sensitive information; a Denial of Service vulnerability was reported in 'nls_ascii.c' due to the use of incorrect table sizes; a race condition vulnerability was reported in the 'setsid()' function; and a vulnerability was reported in the OUTS instruction on the AMD64 and Intel EM64T architecture, which could let a malicious user obtain elevated privileges.

RedHat:
https://rhn.redhat.com/errata/RHSA-2005-092.html

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-366.html

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-283.html

http://rhn.redhat.com/errata/RHSA-2005-284.html

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-472.html

Avaya:
http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf

FedoraLegacy:
http://download.fedoralegacy.org/redhat/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-420.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

Linux Kernel Multiple Vulnerabilities

CVE-2005-0176
CVE-2005-0177
CVE-2005-0178
CVE-2005-0204

Medium

Ubuntu Security Notice, USN-82-1, February 15, 2005

RedHat Security Advisory, RHSA-2005:092-14, February 18, 2005

SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005

Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005

Conectiva Linux Security Announcement, CLA-2005:945, March 31, 2005

Fedora Update Notification, FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11, April 28, 2005

RedHat Security Advisory, RHSA-2005:472-05, May 25, 2005

Avaya Security Advisory, ASA-2005-120, June 3, 2005

FedoraLegacy: FLSA:152532, June 4, 2005

RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005

Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005

Multiple Vendors

Linux kernel 2.6.10-2.6.15

A Denial of Service vulnerability has been reported due to a memory leak in the kernel file lock lease code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.14.3.tar.bz2

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel File Lock Lease Local Denial of Service

CVE-2005-3807

Low

SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005

Multiple Vendors

Linux kernel 2.6.8, 2.6.10

A vulnerability has been reported in the EXT2/EXT3 file systems, which could let a remote malicious user bypass access controls.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel EXT2/EXT3 File Access Bypass

CVE-2005-2801

Medium

Security Focus, Bugtraq ID: 14792, September 9, 2005

Ubuntu Security Notice, USN-178-1, September 09, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisory, MDKSA-2005:219, November 30, 2005

Multiple Vendors

Linux kernel 2.6.8, 2.6.10

A remote Denial of Service vulnerability has been reported in the 'ipt_recent' module when specially crafted packets are sent.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 'Ipt_recent' Remote Denial of Service

CVE-2005-2872

Low

Security Focus, Bugtraq ID: 14791, September 9, 2005

Ubuntu Security Notice, USN-178-1, September 09, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005

Multiple Vendors

Linux kernel 2.6.8-2.6.10, 2.4.21

Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'msg_control' when copying 32 bit contents, which could let a malicious user obtain root privileges and execute arbitrary code; and a vulnerability was reported in the 'raw_sendmsg()' function, which could let a malicious user obtain sensitive information or cause a Denial of Service.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Trustix:
http://http.trustix.org/pub/trustix/updates/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-663.html

Mandriva:
http://www.mandriva.com/security/advisories

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

Linux Kernel Buffer Overflow, Information Disclosure, & Denial of Service

CVE-2005-2490
CVE-2005-2492

High

Secunia Advisory: SA16747, September 9, 2005

Ubuntu Security Notice, USN-178-1, September 09, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005

Fedora Update Notifications, FEDORA-2005-905 & 906, September 22, 2005

RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005

Multiple Vendors

Linux kernel 2.6-2.6.12.1

A vulnerability has been reported due to insufficient authorization before accessing a privileged function, which could let a malicious user bypass IPSEC policies.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

This issue has been addressed in Linux kernel 2.6.13-rc7.

SUSE:
ftp://ftp.SUSE.com/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-663.html

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-514.html

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel IPSec Policies Authorization Bypass

CVE-2005-2555

Medium

Ubuntu Security Notice, USN-169-1, August 19, 2005

Security Focus, Bugtraq ID 14609, August 19, 2005

Security Focus, Bugtraq ID 14609, August 25, 2005

SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005

RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005

RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005

Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005

Multiple Vendors

Linux kernel 2.6-2.6.12.3, 2.4-2.4.32

A Denial of Service vulnerability has been reported in 'IP_VS_CONN_FLUSH' due to a NULL pointer dereference.

Kernel versions 2.6.13 and 2.4.32-pre2 are not affected by this issue.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Denial of Service

CVE-2005-3274

Low

Security Focus, Bugtraq ID: 15528, November 22, 2005

Ubuntu Security Notice, USN-219-1, November 22, 2005

Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005

Multiple Vendors

Linux kernel 2.6-2.6.12, 2.4-2.4.31

A remote Denial of Service vulnerability has been reported due to a design error in the kernel.

The vendor has released versions 2.6.13 and 2.4.32-rc1 of the kernel to address this issue.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Remote Denial of Service

CVE-2005-3275

Low

Ubuntu Security Notice, USN-219-1, November 22, 2005

Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005

Multiple Vendors

Linux kernel 2.6-2.6.13.1

A Denial of Service vulnerability has been reported due to an omitted call to the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' function.

Fixed version (2.6.13.2), available at:
http://kernel.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Mandriva:
http://www.mandriva.com/security/advisories

SUSE:
ftp://ftp.suse.com/pub/suse/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel routing_ioctl() Denial of Service

CVE-2005-3044

Low

Security Tracker Alert ID: 1014944, September 21, 2005

Ubuntu Security Notice, USN-187-1, September 25, 2005

Mandriva Linux Security Advisories, MDKSA-2005:218, 219, 220, November 30, 2005

SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005

Multiple Vendors

Linux kernel 2.6-2.6.14

Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c'; a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.

Patches available at:
http://kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.14-rc4.bz2

Fedora: