Frugalware Security Announcements (FSAs)

• Author: Miklos Vajna
• Vulnerable: 1.6.2-1mores1
• Unaffected: 1.6.3-1mores1

Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1. An error related to an uninitialised variable within the CSN.1 dissector can be exploited to cause a crash.
2. A NULL pointer dereference error within the Infiniband dissector can be exploited to cause a crash.
3. An error within the ERF file parser can be exploited to cause a heap-based buffer overflow. Successful exploitation of this vulnerability may allow execution of arbitrary code.

• Bug Tracker URL: https://bugs.frugalware.org/ticket/4633

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4100
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4101
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4102

• Author: Miklos Vajna
• Vulnerable: 3.4.2.3-1
• Unaffected: 3.4.3.2-1mores1

Red Hat, Inc. security researcher Huzaifa Sidhpurwala reported multiple vulnerabilities in the binary Microsoft Word (doc) file format importer where custom crafted documents trigger out of bounds behaviour. Thanks to Huzaifa Sidhpurwala of Red Hat Security Team for reporting this vulnerability.

• Bug Tracker URL: http://bugs.frugalware.org/task/4609

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713

• Author: Miklos Vajna
• Vulnerable: 1.3-2
• Unaffected: 1.3.1-1mores1

Some vulnerabilities have been reported in Django, which can be exploited by malicious people to disclose certain system information, manipulate certain data, conduct cache poisoning attacks, and cause a DoS (Denial of Service).

1. An error within the handling of sessions within django.contrib.sessions when using the caching backend can be exploited to manipulate session information. Successful exploitation requires that the session key is known and the application allows attackers to store dictionary-like objects with a valid session key in the cache.
2. An error when verifying if URLs provided to the “URLField” field type correctly resolve can be exploited to exhaust all of the server’s processes and memory by providing an URL to a malicious server.
3. An error within the handling of redirect responses when verifying URLs provided to the “URLField” field type can be exploited to e.g. determine the existence of local files on the server by returning a redirect response to a “file://” URL.
4. An error within the handling of the “X-Forwarded-Host” HTTP header when e.g. generating full URLs for redirect responses can be exploited to conduct cache poisoning attacks.

• Bug Tracker URL: http://bugs.frugalware.org/task/4590

CVEs:

• No CVE, see https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

• Author: Miklos Vajna
• Vulnerable: 2.34.0-1
• Unaffected: 2.34.1-1mores1

A vulnerability has been reported in librsvg, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerability is caused due to an error within the handling of node types, which can be exploited to dereference invalid memory via specially crafted SVG images.

• Bug Tracker URL: http://bugs.frugalware.org/task/4582

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3146

• Author: Miklos Vajna
• Vulnerable: 1.2.7-1mores1
• Unaffected: 1.2.8-1mores1

Some vulnerabilities have been reported in MantisBT, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information and by malicious users to compromise a vulnerable system.

1. Certain input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

• Author: Miklos Vajna
• Vulnerable: 2.2.19-2mores1
• Unaffected: 2.2.20-1mores1

Kingcope has discovered a vulnerability in Apache HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the ByteRange filter when processing requests containing a large amount of ranges, which can be exploited to exhaust memory via specially crafted HTTP requests sent to the server.

• Bug Tracker URL: http://bugs.frugalware.org/task/4571

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

• Author: Miklos Vajna
• Vulnerable: 4.0.1-5
• Unaffected: 4.0.1-6mores1

It was found that foomatic-rip filter used insecurely created temporary file for storage of PostScript data by rendering the data, intended to be sent to the PostScript filter, when the debug mode was enabled. A local attacker could use this flaw to conduct symlink attacks (overwrite arbitrary file accessible with the privileges of the user running the foomatic-rip universal print filter).

• Bug Tracker URL: http://bugs.frugalware.org/task/4556

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924

• Author: Miklos Vajna
• Vulnerable: 3.4.3.2-1
• Unaffected: 3.4.4-1mores1

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks. Certain input passed to table, column, and index names is not properly sanitised before being used in the Tracking feature. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

• Author: Miklos Vajna
• Vulnerable: 4.39-1
• Unaffected: 4.42-1mores1

A vulnerability has been reported in Stunnel, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The vulnerability is caused due to an unspecified error and can be exploited to corrupt heap memory.

• Bug Tracker URL: http://bugs.frugalware.org/task/4552

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2940

• Author: Miklos Vajna
• Vulnerable: 1.7-6
• Unaffected: 1.7.2-1mores1

1. A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an assertion error within the “spnego_gss_accept_sec_context()” function in src/lib/gssapi/spnego/spnego_mech.c when receiving an invalid packet, which can be exploited to e.g. crash an application using the library by sending a specially crafted packet.
2. Joel Johnson has reported a vulnerability in Kerberos, which can be exploited by malicious users to potentially compromise a vulnerable system. The vulnerability is caused due to an error in KDC within the “process_tgs_req()” function in kdc/do_tgs_req.c when validating or renewing tickets and can be exploited to trigger a double-free condition. Successful exploitation may allow execution of arbitrary code.
3. A vulnerability has been reported in Kerberos, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to a NULL pointer dereference error when processing certain Kerberos AP-REQ authenticators, which can be exploited to cause a crash in e.g. kadmind or other applications linked against the GSS-API library by sending an AP-REQ authenticator with a missing checksum field.

• Bug Tracker URL: http://bugs.frugalware.org/task/4256

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1320
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321