Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240397
Summary: CVE-2007-2721: jasper DoS, heap corruption
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: jasper
AssignedTo: rdieter(a)math.unl.edu
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721
"The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000
library (libjasper) before 1.900 allows remote user-assisted attackers to cause
a denial of service (crash) and possibly corrupt the heap via malformed image
files, as originally demonstrated using imagemagick convert."
Appears to affect 1.900.1 too.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533
Summary: CVE-2007-2165: proftpd auth bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: high
Priority: high
Component: proftpd
AssignedTo: matthias(a)rpmforge.net
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165http://bugs.proftpd.org/show_bug.cgi?id=2922
"The Auth API in ProFTPD before 20070417, when multiple simultaneous
authentication modules are configured, does not require that the module that
checks authentication is the same as the module that retrieves authentication
data, which might allow remote attackers to bypass authentication, as
demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved
from /etc/passwd."
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=307471
Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple
vulnerabilities
Product: Fedora
Version: fc6
Platform: All
URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-
000e0c6d38a9.html
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: qemu
AssignedTo: dwmw2(a)infradead.org
ReportedBy: clalance(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,j.w.r.degoede@hhs.nl
+++ This bug was initially created as a clone of Bug #238723 +++
Not sure if these affect any qemu versions in Fedora, but here goes:
http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html
"Several vulnerabilities have been discovered in the QEMU processor emulator,
which may lead to the execution of arbitrary code or denial of service. The
Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1320
Tavis Ormandy discovered that a memory management routine of the Cirrus video
driver performs insufficient bounds checking, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1322
Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate
the emulation, resulting in denial of service.
CVE-2007-1323
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1366
Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu
through a division by zero, resulting in denial of service."
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705
Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: xmms
AssignedTo: paul(a)all-the-johnsons.co.uk
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
Cloning RHEL bug for FE[56].
+++ This bug was initially created as a clone of Bug #228013 +++
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files. Here are the technical details provided by Sven:
--- Details ---
CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.
The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
fseek(file, 8, SEEK_CUR);
read_le_long(file, &offset); <-- [1]
read_le_long(file, &headSize);
[...]
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
gint ncols, i;
ncols = offset - headSize - 14; <-- [2]
if (headSize == 12)
{
ncols = MIN(ncols / 3, 256);
for (i = 0; i < ncols; i++)
fread(&rgb_quads[i], 3, 1, file);
}
else
{
ncols = MIN(ncols / 4, 256);
fread(rgb_quads, 4, ncols, file); <-- [3]
[...]
-----
"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24, 16
or 32 (but can also be user controlled).
This can be exploited to cause a integer underflow,
resulting in a stack based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].
Successful exploitation allows execution of arbitrary code.
CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause a memory corruption via specially crafted
skin images containing manipulated header information.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
else if (headSize == 40) /* BITMAPINFO */
{
guint16 tmp;
read_le_long(file, &w); <-- [4]
read_le_long(file, &h); <-- [4]
[...]
fseek(file, offset, SEEK_SET);
buffer = g_malloc(imgsize);
fread(buffer, imgsize, 1, file);
fclose(file);
data = g_malloc0((w * 3 * h) + 3); <-- [5]
if (bitcount == 1)
----
-- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST --
These flaws also affect RHEL2.1 and RHEL3
-- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST --
Are there patches for these yet?
-- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST --
There are no patches yet. I'm still trying to contact someone upstream about
this. If you have any upstream contacts, please let me know.
-- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST --
Lifting embargo
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990
Summary: CVE-2007-1030: libevent < 1.3 DoS
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: libevent
AssignedTo: redhat-bugzilla(a)camperquake.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,steved@redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030
"Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of
service (infinite loop) via a DNS response containing a label pointer that
references its own offset."
FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was
updated to 1.2a a few days ago, however (unlike the changelog says) the latest
upstream is 1.3a, not 1.2a.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238723
Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple
vulnerabilities
Product: Fedora Extras
Version: fc6
Platform: All
URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-
000e0c6d38a9.html
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: qemu
AssignedTo: dwmw2(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,j.w.r.degoede@hhs.nl
Not sure if these affect any qemu versions in Fedora, but here goes:
http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html
"Several vulnerabilities have been discovered in the QEMU processor emulator,
which may lead to the execution of arbitrary code or denial of service. The
Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1320
Tavis Ormandy discovered that a memory management routine of the Cirrus video
driver performs insufficient bounds checking, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1322
Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate
the emulation, resulting in denial of service.
CVE-2007-1323
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.
CVE-2007-1366
Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu
through a division by zero, resulting in denial of service."
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=357051
Summary: Django 0.96 i18n DoS
Product: Fedora
Version: f7
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: Django
AssignedTo: michel.sylvan(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://www.djangoproject.com/weblog/2007/oct/26/security-fix/
"A per-process cache used by Django's internationalization ("i18n") system to
store the results of translation lookups for particular values of the HTTP
Accept-Language header used the full value of that header as a key. An attacker
could take advantage of this by sending repeated requests with extremely large
strings in the Accept-Language header, potentially causing a denial of service
by filling available memory.
Due to limitations imposed by Web server software on the size of HTTP header
fields, combined with reasonable limits on the number of requests which may be
handled by a single server process over its lifetime, this vulnerability may be
difficult to exploit. Additionally, it is only present when the "USE_I18N"
setting in Django is "True" and the i18n middleware component is enabled*.
Nonetheless, all users of affected versions of Django are encouraged to update."
All Fedora and EPEL branches are at 0.96 (which is vulnerable) at the moment.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694
Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information
disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: phpMyAdmin
AssignedTo: imlinux(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com,redhat-
bugzilla(a)linuxnetz.de
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0095
"phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via
a direct request for themes/darkblue_orange/layout.inc.php, which reveals the
path in an error message."
FC5+ apparently affected, even though I'm not sure if this is an issue at all.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237882
Summary: CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: phpMyAdmin
AssignedTo: mmcgrath(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com,redhat-
bugzilla(a)linuxnetz.de
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2245
"Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.10.1.0 allow remote attackers to inject arbitrary web script or HTML via (1)
the fieldkey parameter to browse_foreigners.php or (2) certain input to the
PMA_sanitize function."
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.