Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

mantis

  • Author: Miklos Vajna
  • Vulnerable: 1.2.5-1
  • Unaffected: 1.2.7-1mores1

A vulnerability has been discovered in MantisBT, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the “project_id” parameter to search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

CVEs:

roundcube

  • Author: Miklos Vajna
  • Vulnerable: 0.3-2
  • Unaffected: 0.5.4-1mores1

A vulnerability has been reported in RoundCube Webmail, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the “_mbox” parameter to various scripts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

CVEs:

xpdf

  • Author: Miklos Vajna
  • Vulnerable: 3.02-6
  • Unaffected: 3.02-7mores1

Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user’s system.

  1. Multiple integer overflows in “SplashBitmap::SplashBitmap()” can be exploited to cause heap-based buffer overflows.
  2. An integer overflow error in “ObjectStream::ObjectStream()” can be exploited to cause a heap-based buffer overflow.
  3. Multiple integer overflows in “Splash::drawImage()” can be exploited to cause heap-based buffer overflows.
  4. An integer overflow error in “PSOutputDev::doImageL1Sep()” can be exploited to cause a heap-based buffer overflow when converting a PDF document to a PS file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into opening a specially crafted PDF file.

CVEs:

flashplugin

  • Author: Miklos Vajna
  • Vulnerable: 10.3.181.34-1
  • Unaffected: 10.3.183.5-1mores1

Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to disclose sensitive information and compromise a user’s system.

  1. An unspecified error can be exploited to cause a buffer overflow and potentially execute arbitrary code.
  2. An unspecified error can be exploited to cause a buffer overflow and potentially execute arbitrary code.
  3. An error exists within a certain ActionScript function in the “flash.display” class when parsing certain parameters and can be exploited to corrupt memory and potentially execute arbitrary code.
  4. An integer overflow error within a certain ActionScript function can be exploited to corrupt memory and potentially execute arbitrary code.
  5. An unspecified error can be exploited to cause a buffer overflow and potentially execute arbitrary code.
  6. An integer overflow error when handling the “scroll” method of the ActionScript Bitmap class can be exploited to corrupt memory.
  7. An unspecified error can be exploited to disclose certain information from another domain.
  8. An unspecified error can be exploited to corrupt memory and potentially execute arbitrary code.
  9. An unspecified error can be exploited to cause a buffer overflow and potentially execute arbitrary code.
  10. An error within the “Setslot()” method when parsing a certain field from an SWF file can be exploited to cause a buffer overflow and potentially execute arbitrary code.
  11. An integer overflow error within a certain ActionScript function can be exploited to corrupt memory and potentially execute arbitrary code.
  12. An unspecified error can be exploited to corrupt memory and potentially execute arbitrary code.
  13. An error within the “Bitmapdata” class when parsing a certain field from an SWF file can be exploited to corrupt memory and potentially execute arbitrary code.
  14. 80 unspecified errors of various types when parsing SWF file content may be exploited to corrupt memory.

CVEs:

drupal7

  • Author: Miklos Vajna
  • Vulnerable: 7.4-1nexon1
  • Unaffected: 7.7-1nexon1

A vulnerability has been reported in Drupal, which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused by the application not properly restricting access to files attached to a comment when access to the comment is restricted, which can be exploited, for example, to download the files.

CVEs:

drupal6-devel

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.23-1
  • Unaffected: 6.x_1.25-1nexon1

A vulnerability has been reported in the Devel module for Drupal, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions in the Switch User block via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions by tricking a logged-in user into visiting a malicious web site.

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.4.3.1-1nexon1
  • Unaffected: 3.4.3.2-1nexon1

Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct cross-site scripting attacks and potentially compromise a vulnerable system, and by malicious people to disclose potentially sensitive information and potentially compromise a vulnerable system.

  1. Certain input passed to the table name in the table print view script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Successful exploitation of this vulnerability requires that a specially crafted table name exists.
  2. Certain input passed to the MIME-type transformation parameter is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. Successful exploitation of this vulnerability requires that the configuration storage mechanism is configured.
  3. Certain input passed to an unspecified parameter in the ‘relational schema’ code is not properly sanitised before being used to concatenate a class name. This can be exploited to include arbitrary files from local resources.
  4. An unspecified error within the Swekey authentication can be exploited to overwrite session variables.

CVEs:

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.7-1nexon1
  • Unaffected: 1.6.1-1nexon1

Two vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. An error in the Lucent/Ascend file parser can be exploited to cause an infinite loop via specially crafted packets.
  2. An infinite recursion error in the “elem_cell_id_list()” function in epan/dissectors/packet-ansi_a.c can be exploited to cause a stack overflow e.g. via a specially crafted MAP packet.

CVEs:

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.3.9.2-1nexon1
  • Unaffected: 3.4.3.1-1nexon1

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to disclose sensitive information and by malicious users and malicious people to compromise a vulnerable system.

  1. An error within the “Swekey_login()” function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
  2. Input passed to the “PMA_createTargetTables()” function in libraries/server_synchronize.lib.php is not properly sanitised before calling the “preg_replace()” function with the “e” modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
  3. Input passed to the “PMA_displayTableBody()” function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.

NOTE: A weakness in setup scripts, which could lead to arbitrary PHP code injection if session variables are overwritten, has also been reported.

CVEs:

drupal7

  • Author: Miklos Vajna
  • Vulnerable: 7.2-1nexon1
  • Unaffected: 7.4-1nexon1

A vulnerability has been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused by the node_access system restrictions not being enforced and can be exploited to view otherwise restricted nodes. NOTE: This affects the taxonomy and forum subsystems.

CVEs: