Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

libxfont

  • Author: voroskoi
  • Vulnerable: 1.2.7-1
  • Unaffected: 1.2.7-2terminus1

Some vulnerabilities have been reported in X.Org X11, which potentially can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

  1. An integer overflow exists within the parsing of BDF fonts. This can be exploited to cause a heap-based buffer overflow via a specially crafted BDF font. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  2. An integer overflow exists within the parsing of the “fonts.dir” fonts information file. This can be exploited to cause a heap-based buffer overflow via a specially crafted fonts information file that specifies an element count of more than 1,073,741,824 in the first line. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  3. An input validation error exists within the “ProcXCMiscGetXIDList()” function of the XC-MISC extension. This can be exploited to cause a stack-based (if the “alloca()” function is available) or heap-based memory corruption by passing specially crafted parameters to the function. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  4. An integer overflow exists within the “XGetPixel()” function in ImUtil.c. This can be exploited to cause a crash or disclose potentially sensitive information by passing specially crafted parameters to the function.
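
The size check that item 2 implies is missing, as an added example (not libXfont code): a count read from the first line of a fonts.dir-style file is validated before it is multiplied into an allocation size. The 4-byte element size, the 32-bit size arithmetic and all function names are assumptions chosen to match the 1,073,741,824 threshold quoted above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define ELEM_SIZE 4u /* assumed element size, not taken from libXfont */

/* Size computation as unchecked 32-bit code performs it: wraps modulo 2^32. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * ELEM_SIZE;
}

/* Checked version: reject any count whose byte size cannot fit in 32 bits. */
int checked_alloc_size(uint32_t count, uint32_t *bytes)
{
    if (count == 0 || count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *bytes = count * ELEM_SIZE;
    return 0;
}

/* Parse the element count on the first line; accept plain decimal only. */
int parse_count(const char *line, uint32_t *count)
{
    char *end;
    unsigned long long v;

    if (*line < '0' || *line > '9') /* no sign, whitespace or empty line */
        return -1;
    errno = 0;
    v = strtoull(line, &end, 10);
    if (errno != 0 || (*end != '\n' && *end != '\0') || v > UINT32_MAX)
        return -1;
    *count = (uint32_t)v;
    return 0;
}

/* Hypothetical loader step: allocate the table only for a validated count. */
void *alloc_table(const char *first_line, uint32_t *count_out)
{
    uint32_t count, bytes;

    if (parse_count(first_line, &count) != 0 ||
        checked_alloc_size(count, &bytes) != 0)
        return NULL;
    *count_out = count;
    return malloc(bytes);
}
```

With the unchecked computation, a count just above the threshold yields a buffer of a few bytes while later code still iterates over the full count; the checked path refuses the file instead.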

CVEs:

truecrypt

  • Author: voroskoi
  • Vulnerable: 4.2a-7terminus1
  • Unaffected: 4.3-1terminus1

A security issue has been reported in TrueCrypt, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The problem is that users are able to dismount volumes mounted by other users when the set-euid mode in Linux is used.

Tim Rees has discovered a security issue in TrueCrypt, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The issue arises if the “truecrypt” binary is installed setuid root. This can be exploited to cause a DoS or gain escalated privileges by e.g. mounting a malicious TrueCrypt disk into /usr/bin or another user’s home directory. Successful exploitation requires that TrueCrypt is installed setuid root (not the default setting).

xine-lib

  • Author: voroskoi
  • Vulnerable: 1.1.4-2
  • Unaffected: 1.1.4-3terminus1

Some vulnerabilities have been reported in xine-lib, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerabilities are caused by boundary errors in the “DMO_VideoDecoder_Open()” function in src/libw32dll/dmo/DMO_VideoDecoder.c and in the “DS_VideoDecoder_Open()” function in src/libw32dll/DirectShow/DS_VideoDecoder.c. These can be exploited to cause heap-based buffer overflows and may allow execution of arbitrary code via a specially crafted media file.

xorg-server

  • Author: voroskoi
  • Vulnerable: 1.2.0-1
  • Unaffected: 1.2.0-2terminus1

Some vulnerabilities have been reported in X.Org X11, which potentially can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

  1. An integer overflow exists within the parsing of BDF fonts. This can be exploited to cause a heap-based buffer overflow via a specially crafted BDF font. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  2. An integer overflow exists within the parsing of the “fonts.dir” fonts information file. This can be exploited to cause a heap-based buffer overflow via a specially crafted fonts information file that specifies an element count of more than 1,073,741,824 in the first line. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  3. An input validation error exists within the “ProcXCMiscGetXIDList()” function of the XC-MISC extension. This can be exploited to cause a stack-based (if the “alloca()” function is available) or heap-based memory corruption by passing specially crafted parameters to the function. Successful exploitation may allow the execution of arbitrary code with escalated privileges.
  4. An integer overflow exists within the “XGetPixel()” function in ImUtil.c. This can be exploited to cause a crash or disclose potentially sensitive information by passing specially crafted parameters to the function.

CVEs:

openoffice.org

  • Author: voroskoi
  • Vulnerable: 2.1.0-5
  • Unaffected: 2.1.0-6terminus1

Some vulnerabilities have been reported in OpenOffice.org, which potentially can be exploited by malicious people to compromise a user’s system.

  1. Several vulnerabilities within the libwpd library used by OpenOffice.org can be exploited to cause heap-based buffer overflows and may allow the execution of arbitrary code by e.g. tricking a user into opening a specially crafted WordPerfect document.
  2. A boundary error within the StarCalc parser can be exploited to cause a stack-based buffer overflow and may allow execution of arbitrary code by e.g. tricking a user into opening a specially crafted document.
  3. Shell meta characters are not correctly escaped, which can be exploited to inject and execute arbitrary shell commands by e.g. tricking a user into opening a specially crafted document and clicking a malicious link.

CVEs:

inkscape

  • Author: voroskoi
  • Vulnerable: 0.45-1
  • Unaffected: 0.45.1-1terminus1

Some vulnerabilities have been reported in Inkscape, which potentially can be exploited by malicious people to compromise a user’s system.

  1. A format string error exists in certain dialogs. This can be exploited to execute arbitrary code by tricking the user into opening a specially crafted URI containing format string specifiers.
  2. A format string error exists in the Whiteboard Jabber client, which potentially can be exploited to execute arbitrary code. Successful exploitation requires that the user is logged in to a Jabber server.

CVEs:

kernel

  • Author: voroskoi
  • Vulnerable: 2.6.20-4
  • Unaffected: 2.6.20-5terminus1

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

  1. Listening IPv6 TCP sockets are incorrectly sharing the “ipv6_fl_socklist” IPv6 flowlist with child sockets. This can be exploited to e.g. cause a kernel crash by performing certain actions on IPv6 TCP sockets.
  2. The “hrtimer_forward()” function does not correctly check for “timer->expires” overflows on 64-bit machines. This can be exploited to cause a DoS by using very large timer values. Successful exploitation may require a 64-bit machine and that high resolution timers are enabled.
  3. A NULL pointer dereference within the “do_ipv6_setsockopt()” function in net/ipv6/ipv6_sockglue.c can be exploited to cause a kernel crash by calling “setsockopt()” with malicious parameters.

CVEs:

nas

  • Author: voroskoi
  • Vulnerable: 1.8-1
  • Unaffected: 1.8-2terminus1

Luigi Auriemma has reported some vulnerabilities in Network Audio System, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service).

  1. A boundary error within “accept_att_local()” in server/os/connection.c can be exploited to cause a stack-based buffer overflow via an overly long (greater than 64 bytes) slave name in a USL connection. Successful exploitation may allow malicious, local users to gain root privileges.
  2. An input validation error within “AddResource()” in server/dia/resource.c can be exploited to cause the service to crash via a specially crafted packet with an invalid client ID.
  3. An integer-overflow error within “ProcAuWriteElement()” in server/dia/audispatch.c can be exploited to cause the service to crash via a specially crafted packet with an overly large max_samples value.
  4. A boundary error within “ProcAuSetElements()” in server/dia/audispatch.c can be exploited to cause the service to crash via a specially crafted packet with an overly large num_actions or numElements value.
  5. An input validation error within “compileInputs()” in server/dia/auutil.c can be exploited to cause the service to crash via a specially crafted packet with an invalid element number.
  6. A NULL-pointer dereference error when processing simultaneous connections can be exploited to cause the service to crash.

CVEs:

firefox

  • Author: voroskoi
  • Vulnerable: 2.0.0.2-1
  • Unaffected: 2.0.0.3-1terminus1

The FTP protocol includes the PASV (passive) command which is used by Firefox to request an alternate data port. The specification of the FTP protocol allows the server response to include an alternate server address as well, although this is rarely used in practice. mark@bindshell.net reported that a malicious web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port-scan of machines inside the firewall of the victim. By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network.
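
A client-side check for the behaviour described above, as an added example (not Firefox code, and the advisory does not describe the actual fix): the address in a 227 reply is compared with the control-connection peer, and a mismatch is reported so the caller can ignore the advertised address. The function name is hypothetical and the sample addresses in the comments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Validate a PASV reply of the form "227 ... (h1,h2,h3,h4,p1,p2)".
 * Returns  0: well-formed and the address equals peer_ip (the control peer)
 *          1: well-formed but the address differs; the caller should use
 *             peer_ip with *port, or abort the transfer
 *         -1: not a 227 reply or malformed tuple
 * Constructed sample: "227 Entering Passive Mode (203,0,113,5,195,80)". */
int check_pasv_reply(const char *reply, const char *peer_ip, int *port)
{
    unsigned h[4], p[2];
    char advertised[16];
    const char *open;
    int i;

    if (strncmp(reply, "227", 3) != 0)
        return -1;
    open = strchr(reply, '(');
    if (open == NULL ||
        sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;

    /* Every field is one octet; anything larger is a malformed reply. */
    for (i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;

    *port = (int)(p[0] * 256 + p[1]);
    snprintf(advertised, sizeof advertised, "%u.%u.%u.%u",
             h[0], h[1], h[2], h[3]);
    return strcmp(advertised, peer_ip) == 0 ? 0 : 1;
}
```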

squid

  • Author: voroskoi
  • Vulnerable: 2.6.STABLE10-1
  • Unaffected: 2.6.STABLE12-1terminus1

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error within the processing of TRACE requests in squid/src/client_side.c. This can be exploited to crash the service via a specially crafted TRACE request.

CVEs: