Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.3.7-1haven1
  • Unaffected: 3.3.8.1-1haven1

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input passed to the setup script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. NOTE: Successful exploitation requires that installation best practices have not been followed and the setup scripts have not been deleted after a successful installation.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.1-1haven1
  • Unaffected: 1.4.2-1haven1

A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an infinite recursion error in the “dissect_unknown_ber()” function in epan/dissectors/packet-ber.c and can be exploited to cause a stack overflow, e.g. via a specially crafted SNMP packet.

CVEs:

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.4.1-1haven1
  • Unaffected: 1.4.2-1haven1

Two vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. A boundary error in “dissect_ldss_transfer()” in epan/dissectors/packet-ldss.c can be exploited to cause a heap-based buffer overflow.
  2. An error in the ZigBee ZCL Discover Attribute Response dissector can be exploited to cause an infinite loop.

CVEs:

openoffice.org

  • Author: Miklos Vajna
  • Vulnerable: 3.2.1-4
  • Unaffected: 3.2.1-5haven1

Charlie Miller has discovered two vulnerabilities in OpenOffice.org Impress, which can be exploited by malicious people to compromise a user’s system.

  1. An integer truncation error when parsing certain content can be exploited to cause a heap-based buffer overflow via a specially crafted file.
  2. A short integer overflow error when parsing certain content can be exploited to cause a heap-based buffer overflow via a specially crafted file. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

CVEs:

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.3.5-1
  • Unaffected: 3.3.5.1-1haven1

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

  1. Input passed via the “field_str” parameter to db_search.php, the “delimiter” parameter to db_sql.php, the “sort” parameter to db_structure.php, the “db” parameter to js/messages.php, the “sort_by” parameter to server_databases.php, the “checkprivs”, “dbname”, “pred_tablename”, “selected_usr[]”, “tablename”, and “username” parameters to server_privileges.php, the “DefaultLang” parameter to setup/config.php, the “cpurge”, “goto”, “purge”, “purgekey”, “table”, and “zero_rows” parameters to sql.php, and the “fields[multi_edit][]” parameter to tbl_replace.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
  2. Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

CVEs:

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.22-2locris1
  • Unaffected: 5.23-1locris1

A weakness and a vulnerability have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks, and by malicious users and malicious people to bypass certain security restrictions.

  1. The weakness is caused by an error in the upload module, which does not properly check uploaded file names for case sensitivity and grants access to the earlier uploaded file. This can be exploited to download otherwise restricted files by uploading a similarly named file with different letter casing.
  2. An error in the comment module does not properly check for access permissions before republishing previously unpublished comments. Successful exploitation of this vulnerability requires “post comments without approval” permissions.

CVEs:

drupal-pathauto

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.3-1
  • Unaffected: 5.x_2.4-1locris1

Some vulnerabilities have been reported in the Pathauto module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed via the “[bookpathalias]”, “[catalias]”, and “[termalias]” tokens is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed. Successful exploitation requires “create url aliases” permissions and that the tokens are used in an HTML page, e.g. when displaying a message using an action from token_actions.module.

drupal6

  • Author: Miklos Vajna
  • Vulnerable: 6.16-1locris1
  • Unaffected: 6.19-1locris1

A weakness and some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks, and by malicious users and malicious people to bypass certain security restrictions.

  1. A vulnerability in the OpenID module is caused by an incorrect protocol implementation. This can be exploited to harvest positive assertions from OpenID providers and, e.g., bypass the login mechanism by replaying intercepted assertions.
  2. The weakness is caused by an error in the upload module, which does not properly check uploaded file names for case sensitivity and grants access to the earlier uploaded file. This can be exploited to download otherwise restricted files by uploading a similarly named file with different letter casing.
  3. An error in the comment module does not properly check for access permissions before republishing previously unpublished comments. Successful exploitation of this vulnerability requires “post comments without approval” permissions.
  4. Input passed via descriptions and messages while using the actions feature is not properly sanitised before being displayed to the user via nodes and taxonomy terms. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed. Successful exploitation of this vulnerability requires “administer actions” permissions.

CVEs:

drupal6-cck

  • Author: Miklos Vajna
  • Vulnerable: 6.x_2.7-1locris1
  • Unaffected: 6.x_2.8-1locris1

A vulnerability has been reported in the Drupal Content Construction Kit (CCK), which can be exploited by malicious users to disclose sensitive information. The vulnerability is caused by the CCK “Node Reference” field not properly validating field access levels on the source field of the backend URL, which can be exploited to view node titles and IDs of otherwise restricted nodes.

CVEs: