Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

horde-webmail

  • Author: Miklos Vajna
  • Vulnerable: 1.2.4-1
  • Unaffected: 1.2.9-1haven1

A vulnerability has been reported in various Horde products, which can be exploited by malicious people to conduct script insertion attacks. Certain unspecified input is not properly sanitised before being displayed to the user while viewing a vCard. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious vCard is being viewed.

mantis

  • Author: Miklos Vajna
  • Vulnerable: 1.2.3-1haven1
  • Unaffected: 1.2.4-1haven1

Gjoko Krstic has reported some vulnerabilities in MantisBT, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

  1. Input passed via the “db_type” parameter to admin/upgrade_unattended.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
  2. Input passed via the “db_type” parameter to admin/upgrade_unattended.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes. NOTE: Successful exploitation requires that installation best practices have not been followed and the “admin” directory has not been deleted after a successful installation.

CVEs:

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.2-1haven1
  • Unaffected: 1.4.3-1haven1

Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. A boundary error in the “dissect_enttec_dmx_data()” function (epan/dissectors/packet-enttec.c) when processing RLE Compressed DMX data of the ENTTEC protocol can be exploited to cause a buffer overflow via a specially crafted packet sent to UDP port 3333.
  2. A boundary error in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c) can be exploited to cause a stack-based buffer overflow.
  3. A boundary error in the “snmp_usm_password_to_key_sha1()” function (asn1/snmp/packet-snmp-template.c) can be exploited to cause a stack-based buffer overflow. Successful exploitation of vulnerabilities #1, #2, and #3 may allow execution of arbitrary code.
  4. An error in the ASN.1 BER dissector can be exploited to corrupt memory and cause the process to terminate.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 3.0.2-1haven1
  • Unaffected: 3.0.3-1haven1

A security issue has been reported in WordPress, which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused due to the XML-RPC remote publishing interface not properly enforcing access control restrictions for editing, publishing, or deleting posts. Successful exploitation of this security issue requires “Author level” or “Contributor level” permissions and that remote publishing is enabled.

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 3.0.3-1haven1
  • Unaffected: 3.0.4-1haven1

A vulnerability has been reported in WordPress, which can be exploited by malicious users to conduct script insertion attacks. Certain input containing protocol strings (e.g. the HREF attribute of the “A” HTML tag) is not properly sanitised in the KSES library before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is being viewed.

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.35-1
  • Unaffected: 2.6.35-2haven1

Multiple vulnerabilities have been reported in the Linux kernel:

  1. The do_anonymous_page function in mm/memory.c does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.
  2. The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.
  3. drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.
  4. The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

CVEs:

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.35-1
  • Unaffected: 2.6.35-2haven1

This fixes multiple vulnerabilities, which can be exploited by malicious local users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 3.0.1-1
  • Unaffected: 3.0.2-1haven1

A vulnerability has been reported in WordPress, which can be exploited by malicious users to conduct SQL injection attacks. Input passed via the “Send Trackbacks” field when creating a new post is not properly sanitised in wp-includes/comment.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires “Author-level” permissions.

drupal6-lightbox2

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.9-1
  • Unaffected: 6.x_1.10-1haven1

Two vulnerabilities have been reported in the Lightbox2 module for Drupal, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site scripting attacks.

  1. A vulnerability exists in the access control mechanism for video content and can be exploited to get access to restricted video content.
  2. Input passed via unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

CVEs:

mantis

  • Author: Miklos Vajna
  • Vulnerable: 1.2.2-1
  • Unaffected: 1.2.3-1haven1

Some vulnerabilities have been reported in MantisBT, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

  1. The application bundles a vulnerable version of NuSOAP.
  2. Certain input passed via custom field types is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires “Manage Custom Fields” permissions.
  3. Certain input passed via project and category names is not properly sanitised before being displayed to the user in print_all_bug_page_word.php. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires “Project Manager” permissions.
  4. Input passed via the Summary field when creating an issue is not properly sanitised before being used in core/summary_api.php. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires “Reporter” permissions.

CVEs: