Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

pcre

  • Author: Miklos Vajna
  • Vulnerable: 8.01-1
  • Unaffected: 8.02-1locris1

Michael Santos has discovered a vulnerability in PCRE, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerability is caused by a boundary error within the “compile_branch()” function in pcre_compile.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted regular expression. Successful exploitation may allow execution of arbitrary code.

mantis

  • Author: Miklos Vajna
  • Vulnerable: 1.1.8-1
  • Unaffected: 1.2.2-1locris1

A vulnerability has been discovered in Mantis, which can be exploited by malicious users to conduct script insertion attacks. Input passed in uploaded attachments is not properly verified before being used. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site when a malicious file with e.g. a “gif” extension is viewed with the Microsoft Internet Explorer browser. Successful exploitation requires permissions to upload attachments.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.9-1locris1
  • Unaffected: 1.2.10-1locris1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

  1. An off-by-one error exists within the SigComp Universal Decompressor Virtual Machine.
  2. An error within the “ASN.1 BER” dissector can be exploited to cause a stack overflow.
  3. A NULL pointer dereference error in the “GSM A RR” dissector can be exploited to cause a crash.
  4. An error in the “IPMI” dissector can be exploited to trigger an infinite loop.

CVEs:

drupal-scheduler

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.18-1
  • Unaffected: 5.x_1.19-1locris1

A vulnerability has been reported in the Scheduler module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed via titles of unpublished nodes is not properly sanitised before being displayed to users in the scheduled nodes overview list. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed. Successful exploitation requires “schedule (un)publishing of nodes” permissions.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.6-2
  • Unaffected: 1.2.8-1locris1

A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error within the DOCSIS (Data Over Cable Service Interface Specifications) dissector and can be exploited to e.g. cause a crash via specially crafted DOCSIS traffic.

CVEs:

drupal6-captcha

  • Author: Miklos Vajna
  • Vulnerable: 5.x_3.2-1
  • Unaffected: 5.x_3.3-1locris1

A vulnerability has been reported in the CAPTCHA module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Certain input passed via the CAPTCHA description is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed. Successful exploitation requires “administer CAPTCHA settings” permissions.

drupal6-filefield

  • Author: Miklos Vajna
  • Vulnerable: 6.x_3.2-1
  • Unaffected: 6.x_3.3-1locris1

A security issue has been reported in the FileField module for Drupal, which potentially can be exploited by malicious users to compromise a vulnerable system. The security issue exists due to improper creation of a default extension for a new file field when the field configuration page is not saved and can be exploited to upload arbitrary files to a directory inside the webroot. Successful exploitation may allow execution of arbitrary PHP code but requires “create” or “edit” permission for the file field.

drupal6-imagefield

  • Author: Miklos Vajna
  • Vulnerable: 6.x_3.2-1
  • Unaffected: 6.x_3.3-1locris1

A security issue has been reported in the ImageField module for Drupal, which can be exploited by malicious people to disclose potentially sensitive information. The security issue exists due to improper access permission checks for thumbnails of restricted images when the Private Downloads setting is used and can be exploited to view the thumbnail.

CVEs:

gnustep-base

  • Author: Miklos Vajna
  • Vulnerable: 1.18.0-1
  • Unaffected: 1.18.0-2locris1

Two vulnerabilities have been reported in GNUstep Base, which can be exploited by malicious, local users to potentially gain escalated privileges or disclose sensitive information.

  1. The “gdomap” application includes the content of files in error messages when parsing a configuration file specified via the “-c” command line option. This can be exploited to disclose sensitive information by passing an arbitrary file as configuration file to the application.
  2. An integer overflow error exists in the “gdomap” application when parsing configuration files. This can be exploited to cause a heap-based buffer overflow when a specially crafted configuration file containing a large number of lines is being processed.

Successful exploitation of the vulnerabilities requires that the “gdomap” binary has the “setuid” bit set and is owned by e.g. root.

CVEs:

fetchmail

  • Author: Miklos Vajna
  • Vulnerable: 6.3.13-1
  • Unaffected: 6.3.16-1locris1

Fetchmail did not properly sanitize external input (mail headers and UID). When a multi-character locale (such as UTF-8) was in use, this could cause memory exhaustion and thus a denial of service, because fetchmail’s report.c functions assumed that non-success of [v]snprintf was due to insufficient buffer size allocation. It would then repeatedly reallocate a larger buffer and fail formatting again.

CVEs: