Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.4-1nexon1
  • Unaffected: 1.4.6-1nexon1

Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. A use-after-free error within the X.509if dissector can be exploited to cause a crash via specially crafted packets.
  2. An error in the DECT dissector can be exploited to cause a buffer overflow via specially crafted packets. Successful exploitation of this vulnerability may allow execution of arbitrary code.

CVEs:

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.3.9-1
  • Unaffected: 3.3.9.2-1nexon1

A security issue has been reported in phpMyAdmin, which can be exploited by malicious users to bypass certain security restrictions. The issue is caused by an error in the handling of bookmarked SQL queries, which can be exploited to e.g. trick other users into executing unintended bookmarked SQL queries. Successful exploitation requires that the bookmarks functionality is enabled and the configuration storage is set up and enabled.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.3-1
  • Unaffected: 1.4.4-1nexon1

Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. An error when processing certain pcap-ng files can be exploited to free an uninitialised pointer.
  2. An error when handling certain packet lengths can be exploited to cause a crash via a specially crafted pcap-ng file.
  3. An error when processing Nokia DCT3 trace files can be exploited to cause a buffer overflow via a specially crafted file. Successful exploitation of this vulnerability may allow execution of arbitrary code.
  4. An error in the “dissect_ms_compressed_string()” (SMB dissector) and “dissect_mscldap_string()” (LDAP dissector) functions can be exploited to cause a crash due to an infinite recursive function call.
  5. An error when processing LDAP Filter strings can be exploited to cause a crash by consuming memory resources via large filter strings.
  6. A validation error in the “dissect_6lowpan_iphc()” function (epan/dissectors/packet-6lowpan.c) in the 6LoWPAN dissector when processing certain lengths can be exploited to cause a heap-based buffer overflow of a single byte resulting in a crash.
  7. A NULL pointer dereference error within the “dissect_ntlmssp_string()” function in epan/dissectors/packet-ntlmssp.c when parsing a pcap file can be exploited to cause a crash.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 3.0.4-1
  • Unaffected: 3.0.5-1nexon1

Multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to conduct script insertion attacks and disclose potentially sensitive information and by malicious people to conduct cross-site scripting attacks.

  1. Input passed via the post title when performing a “Quick Edit” or “Bulk Edit” action and via the “post_status”, “comment_status”, and “ping_status” parameters is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.
  2. Certain input passed via tags in the tags meta-box is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation of these vulnerabilities requires the “Author” or “Contributor” role.
  3. The application incorrectly enforces user access restrictions when accessing posts via the media uploader and can be exploited to disclose the contents of e.g. private or draft posts. Successful exploitation of this vulnerability requires the “Author” role.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 3.0.5-1nexon1
  • Unaffected: 3.1.1-1nexon1

Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

  1. Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. The “make_clickable()” function in wp-includes/formatting.php does not properly check the URL length in comments before passing it to the PCRE library, which can be exploited to cause a crash.

CVEs:

drupal6-mollom

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.13-1
  • Unaffected: 6.x_1.14-1haven1

A security issue has been reported in the Mollom module for Drupal, which may lead to exposure of sensitive information. The issue is caused by an error in the module that can lead to certain sensitive user data, e.g. a user’s password in clear text, being logged via calls to Drupal’s watchdog API. Successful exploitation requires that an attacker has “access site reports” permissions or has access to system syslog files.

opera

  • Author: Miklos Vajna
  • Vulnerable: 10.10-1
  • Unaffected: 11.01-1haven1

Two weaknesses and some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and compromise a user’s system.

  1. An integer truncation error when processing certain specially crafted HTML pages can be exploited by e.g. tricking a user into visiting a malicious website.
  2. The application allows users to perform certain actions via “opera:” URLs. This can be exploited to e.g. change certain configuration settings by tricking a user into clicking a specially crafted link via clickjacking.
  3. An error when processing certain HTTP responses or redirects can be exploited to bypass certain security restrictions and e.g. disclose the content of local files by loading them as a web resource.
  4. An error can cause Opera to launch the wrong executable in order to open a folder containing a downloaded file, which can lead to a malicious executable being launched. Successful exploitation of this weakness requires significant user interaction and only affects the Windows platform.
  5. The “Clear all email account passwords” option does not clear the email passwords unless the application is restarted, which can be exploited to gain access to the email accounts.

CVEs:

drupal-image

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.9-1
  • Unaffected: 5.x_2.0-1haven1

A vulnerability has been reported in the Image module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Certain unspecified input is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is being viewed.

drupal6-views

  • Author: Miklos Vajna
  • Vulnerable: 6.x_2.11-1
  • Unaffected: 6.x_2.12-1haven1

Multiple vulnerabilities have been reported in the Views module for Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

CVEs: