Summary of Security Items from January 5 through January 11, 2006
The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities,
exploits, trends, and malicious code that have recently been openly reported. Information
in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability
information. As such, the Cyber Security Bulletin includes information published by sources
outside of US-CERT and should not be considered the result of US-CERT
analysis or as an official report of US-CERT. Although this
information does reflect open source reports, it is not an official description and should
be used for informational purposes only. The intention of the Cyber Security Bulletin is to
serve as a comprehensive directory of pertinent vulnerability reports, providing brief
summaries and additional sources for further investigation.
The tables below summarize vulnerabilities that have been reported by various open
source organizations or presented in newsgroups and on web sites. Items in
bold designate updates that have been made to past entries. Entries are
grouped by the operating system on which the reported software operates, and
vulnerabilities which affect both Windows and Unix/ Linux Operating Systems are
included in the Multiple Operating
Systems table. Note, entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software which operate on some version of that operating system.
Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin which has been provided by other US-CERT sponsored programs, is prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/ NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product’s vendor.
The Risk levels are defined below:
High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
Aquifer CMS
A vulnerability has been reported in Aquifer CMS that could let remote malicious users conduct Cross-Site Scripting.
No workaround or patch available at time of publishing.
Several buffer overflow vulnerabilities have been reported: a vulnerability was reported in bogofilter and bogolexer when character set conversion is performed on invalid input sequences, which could let a remote malicious user cause a Denial of Service; and a vulnerability was reported in bogofilter and bogolexer when processing input that contains overly long words, which could let a remote malicious user cause a Denial of Service.
A buffer overflow vulnerability has been reported when attempting to handle compressed UPX files due to an unspecified boundary error in "libclamav/upx.c, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported in incoming print jobs due to a failure to properly apply ACLs (Access Control List), which could let a remote malicious user bypass ACLs.
Multiple vulnerabilities exist: remote Denial of Service vulnerabilities exist in the COPS, DLSw, DNP, Gnutella, and MMSE dissectors; and a buffer overflow vulnerability exists in the X11 dissector, which could let a remote malicious user execute arbitrary code.
FreeBSD Security Advisory, FreeBSD-SA-06:04.ipfw, January 11, 2006
FreeBSD
FreeBSD 4.x
FreeBSD 5.x
FreeBSD 6.x
A vulnerability has been reported in the 'EE' editor when executing a spell check operation due to the insecure creation of temporary files, which could let a malicious user obtain elevated privileges.
FreeBSD Security Advisory, FreeBSD-SA-06:02.ee, January 11, 2006
GNU
cpio 1.0-1.3, 2.4.2, 2.5, 2.5.90, 2.6
A vulnerability has been reported when an archive is extracted into a world or group writeable directory because non-atomic procedures are used, which could let a malicious user modify file permissions.
Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005
Mandriva
Linux Security Update Advisory, MDKSA2005:
116, July 12,
2005
RedHat Security Advisory, RHSA-2005:378-17, July 21, 2005
SGI Security Advisory, 20050802-01-U, August 15, 2005
SCO Security Advisory, SCOSA-2005.32, August 18, 2005
Avaya Security Advisory, ASA-2005-191, September 6, 2005
Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005
Ubuntu Security Notice, USN-189-1, September 29, 2005
Debian Security Advisory, DSA 846-1, October 7, 2005
RedHat Security Advisory, RHSA-2005:806-8, November 10, 2005
SCO Security Advisory, SCOSA-2006.2, January 3, 2006
FreeBSD Security Advisory, FreeBSD-SA-06:03.cpio, January 11, 2006
GNU
cpio 2.6
A Directory Traversal vulnerability has been reported when invoking cpio on a malicious archive, which could let a remote malicious user obtain sensitive information.
Mandriva Linux Security Advisory MDKSA-2005:237, December 23, 2005
Ubuntu Security Notice, USN-234-1, January 02, 2006
FreeBSD Security Advisory, FreeBSD-SA-06:03.cpio, January 11, 2006
GNU
Texinfo 4.7
A vulnerability has been reported in 'textindex.c' due to insecure creation of temporary files by the 'sort_offline()' function, which could let a malicious user create/ overwrite arbitrary files.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
SUSE Security Announcement, SUSE-SA:2005:070, December 20, 2005
Conectiva Linux Announcement, CLSA-2006:1058, January 2, 2006
Multiple Vendors
Xpdf 3.0 pl2 & pl3, 3.0 1, 3.00, 2.0-2.03, 1.0 0, 1.0 0a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2;
KDE kpdf 0.5, KOffice 1.4.2 ; PDFTOHTML DFTOHTML 0.36
Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::read
BaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::read
ProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::
StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream:
:readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.
A Cross-Site Scripting vulnerability exists due to insufficient filtering of HTML code from the 'config' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
SUSE Security Summary Report, SUSE-SR:2005:003, February 4, 2005
Debian Security Advisory, DSA 680-1, February 14, 2005
Gentoo Linux Security Advisory, GLSA 200502-16,
February 14, 2005
Mandrakelinux Security Update Advisory,
MDKSA-2005:063, March 31, 2005
Fedora Update Notification,
FEDORA-2005-367, April 19, 2005
SCO Security Advisory, SCOSA-2005.46, November 2, 2005
Fedora Legacy Update Advisory, FLSA:152907, January 9, 2006
Multiple Vendors
Hylafax 4.2-4.2.3;
Gentoo Linux
Several vulnerabilities have been reported: a vulnerability was reported in 'hfaxd' when compiled with PAM support disabled, which could let a remote malicious user obtain unauthorized access; a vulnerability was reported due to insufficient sanitization of the 'notify' script, which could let a remote malicious user execute arbitrary commands; and a vulnerability was reported in the 'faxrcvd' script due to insufficient sanitization, which could let a remote malicious user execute arbitrary commands.
A vulnerability has been reported in the 'rmtree()' function in the 'File::Path.pm' module when handling directory permissions while cleaning up directories, which could let a malicious user obtain elevated privileges.
Gentoo Linux Security Advisory [UPDATE], GLSA 200501-38:03, March 15, 2005
Debian Security Advisory, DSA 696-1 , March 22, 2005
Turbolinux Security Advisory, TLSA-2005-45, April 19, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:079, April 29, 2005
HP Security Bulletin, HPSBUX01208, June 16, 2005
Secunia, Advisory: SA16193, July 25, 2005
Avaya Security Advisory, ASA-2005-196, September 13, 2005
RedHat Security Advisory, RHSA-2005:674-10, October 5, 2005
Conectiva Linux Announcement, CLSA-2006:1056, January 2, 2006
Multiple Vendors
NetBSD 2.1, 2.0-2.0.3, 1.6-1.6.2, NetBSD Current
Linux kernel 2.6-2.6.15 -rc3
A vulnerability has been reported because the system clock can be set to an arbitrary value, which could let malicious user bypass security restrictions.
SUSE Security Announce-
ment, SUSE-SA:2005:044, August 4, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
SuSE Linux Professional
9.3, x86_64,
9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel
2.6-2.6.12
A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.
Ubuntu Security Notice, USN-169-1, August 19, 2005
SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 200
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; 2.6-2.6.12 .4
A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files.
SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.0 4 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Todd Miller Sudo 1.6-1.6.8, 1.5.6-1.5.9
A vulnerability has been reported in the 'PYTHONINSPECT' variable, which could let a malicious user bypass security restrictions and obtain elevated privileges.
Security Focus, Bugtraq ID: 16184, January 9, 2006
Multiple Vendors
zlib 1.2.2, 1.2.1, 1.2 .0.7, 1.1-1.1.4, 1.0-1.0.9; Ubuntu Linux 5.0 4, powerpc, i386, amd64, 4.1 ppc, ia64, ia32; SuSE Open-Enterprise-Server 9.0, Novell Linux Desktop 9.0, Linux Professional 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Personal 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Enterprise Server 9; Gentoo Linux;
FreeBSD 5.4, -RELENG, -RELEASE, -PRERELEASE, 5.3, -STABLE, -RELENG, -RELEASE;
Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; zsync 0.4, 0.3-0.3.3, 0.2-0.2.3, 0.1-0.1.6 1, 0.0.1-0.0.6
A buffer overflow vulnerability has been reported due to insufficient validation of input data prior to utilizing it in a memory copy operation, which could let a remote malicious user execute arbitrary code.
Gentoo Linux Security Advisory GLSA 200601-02, January 5, 2006
Ubuntu Security Notice, USN-236-1, January 05, 2006
Fedora Update Notifications,
FEDORA-2005-000, January 5, 2006
Mandriva Linux Security Advisories MDKSA-2006:003-003-006 & 008, January 6 & 7, 2006
Ubuntu Security Notice, USN-236-2, January 09, 2006
Debian Security Advisory DSA 931-1, January 9, 2006
Debian Security Advisory,
DSA-936-1, January 11, 2006
Multiple Vendors
Larry Wall Perl 5.8, 5.8.1, 5.8.3, 5.8.4, 5.8.4 -1-5.8.4-5; Ubuntu Linux 4.1 ppc, ia64, ia32
Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'PERLIO_DEBUG' SuidPerl environment variable, which could let a malicious user execute arbitrary code; and a vulnerability exists due to an error when handling debug message output, which could let a malicious user corrupt arbitrary files.
Ubuntu Security Notice, USN-72-1, February 2, 2005
MandrakeSoft Security Advisory, MDKSA-2005:031, February 9, 2005
RedHat Security Advisory, RHSA-2005:105-11, February 7, 2005
SGI Security Advisory, 20050202-01-U, February 9, 2005
SUSE Security Summary Report, SUSE-SR:2005:004, February 11, 2005
Gentoo Linux Security Advisory, GLSA 200502-13, February 11, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0003,February 11, 2005
IBM SECURITY ADVISORY, February 28, 2005
Fedora Update Notification,
FEDORA-2005-353, May 2, 2005
Conectiva Linux Announcement, CLSA-2006:1056, January 2, 2006
Multiple Vendors
Linux kernel
2.6 prior to 2.6.12.1
A vulnerability has been reported in the 'restore_sigcontext()' function due to a failure to restrict access to the 'ar.rsc' register, which could let a malicious user cause a Denial of Service or obtain elevated privileges.
Security Focus, Bugtraq ID: 14791, September 9, 2005
Ubuntu Security Notice, USN-178-1, September 09, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel 2.6.8-2.6.10, 2.4.21
Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'msg_control' when copying 32 bit contents, which could let a malicious user obtain root privileges and execute arbitrary code; and a vulnerability was reported in the 'raw_sendmsg()' function, which could let a malicious user obtain sensitive information or cause a Denial of Service.
Ubuntu Security Notice, USN-178-1, September 09, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005
Fedora Update Notifications,
FEDORA-2005-905 & 906, September 22, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel 2.6-2.6.12 .1
A vulnerability has been reported due to insufficient authorization before accessing a privileged function, which could let a malicious user bypass IPSEC policies.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel 2.6-2.6.13.1
A Denial of Service vulnerability has been reported due to an omitted call to the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' function.
Security Tracker Alert ID: 1014944, September 21, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219, 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_
key_auth.c;' a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0057, October 14, 2005
Fedora Update Notifications,
FEDORA-2005-1013, October 20, 2005
RedHat Security Advisory, RHSA-2005:808-14, October 27, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported when handling asynchronous USB access via usbdevio; and a Denial of Service vulnerability was reported in the 'ipt_recent.c' netfilter module due to an error in jiffies comparison.
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux Kernel 2.6-2.6.14
Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in the 'sys_set_
mempolicy' function when a malicious user submits a negative first argument; a Denial of Service vulnerability was reported when threads are sharing memory mapping via 'CLONE_VM'; a Denial of Service vulnerability was reported in 'fs/exec.c' when one thread is tracing another thread that shares the same memory map; a Denial of Service vulnerability was reported in 'mm/ioremap.c' when performing a lookup of a non-existent page; a Denial of Service vulnerability was reported in the HFS and HFS+ (hfsplus) modules; and a remote Denial of Service vulnerability was reported due to a race condition in 'ebtables.c' when running on a SMP system that is operating under a heavy load.
A vulnerability has been reported due to the way console keyboard mapping is handled, which could let a malicious user modify the console keymap to include scripted macro commands.
Security Focus, Bugtraq ID: 15122, October 17, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
Fedora Update Notification,
FEDORA-2005-1138, December 13, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
Multiple Vendors
Linux kernel
2.6-2.6.12 .1
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to an error when handling key rings; and a Denial of Service vulnerability was reported in the 'KE YCTL_JOIN_SESSION
_KEYRING' operation due to an error when attempting to join a key management session.
A buffer overflow vulnerability has been reported in the 'nbd-server' when handling specially crafted requests, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 16029, December 21, 2005
Debian Security Advisory, DSA 924-1, December 21, 2005
Gentoo Linux Security Advisory, GLSA 200512-14, December 23, 2006
Ubuntu Security Notice, USN-237-1, January 06, 2006
Multiple Vendors
petris 1.0.1
A buffer overflow vulnerability has been reported when handling environment variables when processing highscores, which could let a malicious user execute arbitrary code.
Debian Security Advisory, DSA-929-1, January 9, 2006
Multiple Vendors
RedHat Enterprise Linux WS 4, WS 3, ES 4, ES 3, AS 4, AS 3, Desktop 4.0, 3.0; mod_auth_pgsql 2.0.1
A format string vulnerability has been reported in 'mod_auth_pgsql' when logging information, which could let a remote malicious user execute arbitrary code.
