April 2007 - security - Fedora Mailing-Lists

[Bug 237533] New: CVE-2007-2165: proftpd auth bypass vulnerability

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533 Summary: CVE-2007-2165: proftpd auth bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: proftpd AssignedTo: matthias(a)rpmforge.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165 http://bugs.proftpd.org/show_bug.cgi?id=2922 "The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

14 years, 10 months

1
19
0 / 0

[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705 Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: xmms AssignedTo: paul(a)all-the-johnsons.co.uk ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com Cloning RHEL bug for FE[56]. +++ This bug was initially created as a clone of Bug #228013 +++ Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles skin files. Here are the technical details provided by Sven: --- Details --- CVE-2007-0654 1) An integer underflow error exists when loading skin bitmap images, which can be exploited to cause a stack-based buffer overflow via specially crafted skin images containing manipulated header information. The vulnerability is caused due to errors within "read_bmp()" in xmms/bmp.c when loading skin bitmap images. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] fseek(file, 8, SEEK_CUR); read_le_long(file, &offset); <-- [1] read_le_long(file, &headSize); [...] else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { gint ncols, i; ncols = offset - headSize - 14; <-- [2] if (headSize == 12) { ncols = MIN(ncols / 3, 256); for (i = 0; i < ncols; i++) fread(&rgb_quads[i], 3, 1, file); } else { ncols = MIN(ncols / 4, 256); fread(rgb_quads, 4, ncols, file); <-- [3] [...] ----- "offset" [1] is not properly verified before being used to calculate "ncols" [2]. "bitcount" has to be set to a different value than 24, 16 or 32 (but can also be user controlled). This can be exploited to cause a integer underflow, resulting in a stack based buffer overflow, which can be used to overwrite the return address of "read_bmp()" [3]. Successful exploitation allows execution of arbitrary code. CVE-2007-0653 2) An integer overflow error exists when loading skin bitmap images. This can be exploited to cause a memory corruption via specially crafted skin images containing manipulated header information. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] else if (headSize == 40) /* BITMAPINFO */ { guint16 tmp; read_le_long(file, &w); <-- [4] read_le_long(file, &h); <-- [4] [...] fseek(file, offset, SEEK_SET); buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); fclose(file); data = g_malloc0((w * 3 * h) + 3); <-- [5] if (bitcount == 1) ---- -- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST -- These flaws also affect RHEL2.1 and RHEL3 -- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST -- Are there patches for these yet? -- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST -- There are no patches yet. I'm still trying to contact someone upstream about this. If you have any upstream contacts, please let me know. -- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST -- Lifting embargo -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 2 months

1
7
0 / 0

[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990 Summary: CVE-2007-1030: libevent < 1.3 DoS Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: libevent AssignedTo: redhat-bugzilla(a)camperquake.de ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,steved(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030 "Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset." FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was updated to 1.2a a few days ago, however (unlike the changelog says) the latest upstream is 1.3a, not 1.2a. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 2 months

1
7
0 / 0

[Bug 221694] New: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694 Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: phpMyAdmin AssignedTo: imlinux(a)gmail.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com,redhat- bugzilla(a)linuxnetz.de http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0095 "phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message." FC5+ apparently affected, even though I'm not sure if this is an issue at all. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 5 months

1
13
0 / 0

[Bug 237882] New: CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237882 Summary: CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: phpMyAdmin AssignedTo: mmcgrath(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com,redhat- bugzilla(a)linuxnetz.de http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2245 "Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.10.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 7 months

1
3
0 / 0

[Bug 230927] New: CVE-2007-1103: tor information disclosure

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230927 Summary: CVE-2007-1103: tor information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: medium Component: tor AssignedTo: enrico.scholz(a)informatik.tu-chemnitz.de ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1103 "Tor does not verify a node's uptime and bandwidth advertisements, which allows remote attackers who operate a low resource node to make false claims of greater resources, which places the node into use for many circuits and compromises the anonymity of traffic sources and destinations." All <= 0.1.1.26 versions reportedly affected. Upstream statement: http://blogs.law.harvard.edu/anonymous/2007/02/26/the-rumors-of-our-demise/ -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 7 months

1
1
0 / 0

[Bug 235013] New: CVE-2007-1804: pulseaudio 0.9.5 DoS

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235013 Summary: CVE-2007-1804: pulseaudio 0.9.5 DoS Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: pulseaudio AssignedTo: drzeus-bugzilla(a)drzeus.cx ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1804 "PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file." FC5, FC6, devel have 0.9.5 at the moment. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 9 months

1
4
0 / 0

[Bug 192830] New: CVE-2006-2453 Additional dia format string flaws

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830 Summary: CVE-2006-2453 Additional dia format string flaws Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: dia AssignedTo: j.w.r.degoede(a)hhs.nl ReportedBy: bressers(a)redhat.com QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com A number of additional format string issues were discovered by Hans de Goede and has been assigned the CVE id CVE-2006-2453. The fix is attachment 129852 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 9 months

1
13
0 / 0

[Bug 215136] New: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136 Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: gv AssignedTo: orion(a)cora.nwra.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 "Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 9 months

1
5
0 / 0

Fedora 7 and the Security Response Team

by Josh Bressers

As everybody is no doubt aware, Fedora 7 is bringing a number of changes, one of which will be putting the burden of security on the Fedora Security Response Team. Right now it's basically the Red Hat Security Response Team working on Core, and not much of anything happening for Extras. This is going to change. I'm going to be filing a request for some resources sometime this week. I have an IRC bot and an xmlrpc server that will initially run from there. The long term goal is to host the various security related tools that don't yet exist. In the meantime, the task at hand should be to start tracking flaws for Fedora 7. What we usually would do at this point for core, is copy the fc6 file into fc7 in CVS. We then pour over the entries looking for questionable items. I'm thinking what we should do for Fedora 7, is merge the fe6 and fc6 files into a f7 (a better name is welcome) file, then start working through this file. We've never done this in a distributed manner before, so ideas are welcome. -- JB

15 years, 11 months

7
16
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security April 2007