December 2007 - security [ARCHIVED]

[Bug 240397] New: CVE-2007-2721: jasper DoS, heap corruption

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240397 Summary: CVE-2007-2721: jasper DoS, heap corruption Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: jasper AssignedTo: rdieter(a)math.unl.edu ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721 "The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert." Appears to affect 1.900.1 too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 7 months

1
3
0 / 0

[Bug 237533] New: CVE-2007-2165: proftpd auth bypass vulnerability

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533 Summary: CVE-2007-2165: proftpd auth bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: proftpd AssignedTo: matthias(a)rpmforge.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165 http://bugs.proftpd.org/show_bug.cgi?id=2922 "The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 9 months

1
19
0 / 0

[Bug 245211] New: Wordpress 2.2: SQL injection, XSS vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245211 Summary: Wordpress 2.2: SQL injection, XSS vulnerabilities Product: Fedora Version: f7 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: low Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com XML-RPC SQL injection: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3140 Cross site scripting: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3238 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3239 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3240 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3241 Note: these have been reported against Wordpress 2.2, I haven't investigated whether 2.1.3 currently in Fedora is affected. Also, 2.2.1 seems to have been released today, fixing at least some of these issues. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 11 months

1
10
0 / 0

[Bug 307471] New: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/show_bug.cgi?id=307471 Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities Product: Fedora Version: fc6 Platform: All URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c- 000e0c6d38a9.html OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: qemu AssignedTo: dwmw2(a)infradead.org ReportedBy: clalance(a)redhat.com QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,j.w.r.degoede(a)hhs.nl +++ This bug was initially created as a clone of Bug #238723 +++ Not sure if these affect any qemu versions in Fedora, but here goes: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html "Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320 Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1321 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1322 Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service. CVE-2007-1323 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1366 Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service." -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

15 years, 11 months

1
4
0 / 0

[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705 Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: xmms AssignedTo: paul(a)all-the-johnsons.co.uk ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com Cloning RHEL bug for FE[56]. +++ This bug was initially created as a clone of Bug #228013 +++ Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles skin files. Here are the technical details provided by Sven: --- Details --- CVE-2007-0654 1) An integer underflow error exists when loading skin bitmap images, which can be exploited to cause a stack-based buffer overflow via specially crafted skin images containing manipulated header information. The vulnerability is caused due to errors within "read_bmp()" in xmms/bmp.c when loading skin bitmap images. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] fseek(file, 8, SEEK_CUR); read_le_long(file, &offset); <-- [1] read_le_long(file, &headSize); [...] else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { gint ncols, i; ncols = offset - headSize - 14; <-- [2] if (headSize == 12) { ncols = MIN(ncols / 3, 256); for (i = 0; i < ncols; i++) fread(&rgb_quads[i], 3, 1, file); } else { ncols = MIN(ncols / 4, 256); fread(rgb_quads, 4, ncols, file); <-- [3] [...] ----- "offset" [1] is not properly verified before being used to calculate "ncols" [2]. "bitcount" has to be set to a different value than 24, 16 or 32 (but can also be user controlled). This can be exploited to cause a integer underflow, resulting in a stack based buffer overflow, which can be used to overwrite the return address of "read_bmp()" [3]. Successful exploitation allows execution of arbitrary code. CVE-2007-0653 2) An integer overflow error exists when loading skin bitmap images. This can be exploited to cause a memory corruption via specially crafted skin images containing manipulated header information. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] else if (headSize == 40) /* BITMAPINFO */ { guint16 tmp; read_le_long(file, &w); <-- [4] read_le_long(file, &h); <-- [4] [...] fseek(file, offset, SEEK_SET); buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); fclose(file); data = g_malloc0((w * 3 * h) + 3); <-- [5] if (bitcount == 1) ---- -- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST -- These flaws also affect RHEL2.1 and RHEL3 -- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST -- Are there patches for these yet? -- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST -- There are no patches yet. I'm still trying to contact someone upstream about this. If you have any upstream contacts, please let me know. -- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST -- Lifting embargo -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years

1
7
0 / 0

[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990 Summary: CVE-2007-1030: libevent < 1.3 DoS Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: libevent AssignedTo: redhat-bugzilla(a)camperquake.de ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,steved(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030 "Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset." FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was updated to 1.2a a few days ago, however (unlike the changelog says) the latest upstream is 1.3a, not 1.2a. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years

1
7
0 / 0

[Bug 238723] New: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238723 Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities Product: Fedora Extras Version: fc6 Platform: All URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c- 000e0c6d38a9.html OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: qemu AssignedTo: dwmw2(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,j.w.r.degoede(a)hhs.nl Not sure if these affect any qemu versions in Fedora, but here goes: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html "Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320 Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1321 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1322 Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service. CVE-2007-1323 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1366 Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 1 month

1
5
0 / 0

Security Changes For Fedora 9

by riley.marquis＠tcsresearch.org

Security Updates For Fedora 9 Greetings! I had several ideas for Fedora 9 in regards to improving the security of a default installation. 1: Disable root account / Use Sudo 2: /etc/ssh/sshd_config changes -PermitRootLogin no (currently 'yes') -LoginGraceTime 1m (currently 2m) -Banner /etc/issue.net (currently not set) -AllowGroups wheel (currently not set) We should also see if the OpenSSH developers would be willing to make these changes the default on Portable OpenSSH. 3: Add wheel group if not present If there is no wheel group by default, we should include one in Fedora 9. This means deciding on what Group ID (GID) to use. Anaconda would need to force creation of a user account that is a part of this group. 4: GCC Lockdowns With the new GCC-4.3.0 recently built for Fedora 9, we should forbid ordinary users access to the programs it contains, incl. rpmbuild, mock, etc. Only members of the wheel, koji, and mock groups should have access to software development tools. Did I miss any groups that should be allowed access? 5: Bastille Be sure to incorporate the most important Bastille fixes (www.bastille-linux.org). This project appears to have stalled and requires an older version of Fedora to run, unless you're a Perl ninja =) Maybe we should contact the developer (Jay Beale), and ask him what he needs to revive the project? Perhaps the Fedora community can be of assistance. 6: Make Packages for PortSentry & LogCheck Can we add PortSentry & LogCheck to the list of available Fedora Packages? I know the project appears to have stalled since late 2003. 7: Password Protect Single User Mode (Runlevel 1) 8: USB Key Authentication / Dual Factor Authentication Should we use PGP or another tool to allow people to login/logout with a USB drive? This would have to work for KDE and Gnome at the very least, and while we are at it, we might as well support XFCE. Inserting/Removing the USB drive could automatically login/logout the user, with or without a password as a second form of authentication, depending on how Joe Admin wants his security set up. 9: Can we include TrueCrypt as a new package, provided it meets the requirements, such as having an open source license, no patents or copyrights, etc? Hope these ideas prove useful to the community. Regards, Riley F. Marquis III Senior Analyst - TCS Research

16 years, 3 months

11
16
0 / 0

Re: Security Changes For Fedora 9

by Bj=?ISO-8859-1?B?+A==?=rn Tore Sund

On 22/12/07 18:00, "fedora-security-list-request(a)redhat.com" <fedora-security-list-request(a)redhat.com> wrote: > Message: 1 > Date: Fri, 21 Dec 2007 10:13:21 -0700 > From: Kevin Fenzi <kevin(a)tummy.com> > Subject: Re: Security Changes For Fedora 9 > To: fedora-security-list(a)redhat.com > Message-ID: <20071221101321.1fd1d3aa(a)ghistelwchlohm.scrye.com> > Content-Type: text/plain; charset="us-ascii" > > On Thu, 20 Dec 2007 19:29:29 -0800 (PST) > riley.marquis(a)tcsresearch.org wrote: > >> Security Updates For Fedora 9 >> >> Greetings! > > Greetings. Greetings, indeed. >> 1: Disable root account / Use Sudo > > There are tradeoffs here. I personally would like to see it continue to > be enabled until we can figure out more of the issues around disabling > it. As long as enabling root is as simple as setting a root password or some other simple and automatable procedure I don't care. But for large scale remote administration you need direct root access via key-based ssh. >> 4: GCC Lockdowns >> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid >> ordinary users access to the programs it contains, incl. rpmbuild, >> mock, etc. Only members of the wheel, koji, and mock groups should >> have access to software development tools. Did I miss any groups >> that should be allowed access? > > I would also say this is a bad idea. We want people to use the tools on > the machine, don't we? We do indeed. In general, limiting access to tools which don't affect the system you're working on causes issues. There are always users arguing for root access or against centralised admin setups, often the very users who shouldn't have any sort of access to anything. Limiting access to stuff simply because it can be done is one of the things that triggers them, and the more tools this happens to the more likely it is that someone will forget to open up what should have been open in the first place. Bjørn -- Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund(a)it.uib.no IT department VIP: 81724 Support: http://bs.uib.no Univ. of Bergen When in fear and when in doubt, run in circles, scream and shout.

16 years, 4 months

1
0
0 / 0

[Bug 367471] New: CVE-2007-5197: mono Math.BigInteger buffer overflow

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/show_bug.cgi?id=367471 Summary: CVE-2007-5197: mono Math.BigInteger buffer overflow Product: Fedora Version: f7 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5197 OS/Version: Linux Status: NEW Severity: low Priority: low Component: mono AssignedTo: alexl(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,paul(a)all-the- johnsons.co.uk http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5197 "Buffer overflow in the Mono.Math.BigInteger class in Mono allows context-dependent attackers to execute arbitrary code via unspecified vectors." Patch extracted from Debian's 1.2.2.1-1etch1 patchkit (attached) seems to apply to 1.2.5.1 in devel with some line offsets, I have done no further analysis. ------- Additional Comments From ville.skytta(a)iki.fi 2007-11-05 16:08 EST ------- Created an attachment (id=248611) --> (https://bugzilla.redhat.com/attachment.cgi?id=248611&action=view) Patch from Debian -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 4 months

1
17
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] December 2007