[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
jonstanley(a)gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|lmacken(a)redhat.com |security-response-
| |team(a)redhat.com
QAContact|extras-qa(a)fedoraproject.org |
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
jonstanley(a)gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jonstanley(a)gmail.com
Component|nethack |vulnerability
Product|Fedora |Security Response
Version|rawhide |unspecified
------- Additional Comments From jonstanley(a)gmail.com 2008-04-04 08:16 EST -------
Changing product to Security Response
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
------- Additional Comments From j.w.r.degoede(a)hhs.nl 2008-04-04 07:30 EST -------
>From me (repeating myself from comment #3):
Although users are not in the games group on Fedora this is still a problem,
this hole allows the following scenario:
- find a sgid game which is exploitable to get games gid rights
- use the games gid rights to drop a crafted file which will
exploit nethack when opened by nethack.
- once another users runs nethack and opens the crafted file
unwanted things get done with the rights of the other user.
So although low priority this needs fixing never the less.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
------- Additional Comments From lmacken(a)redhat.com 2008-04-04 07:23 EST -------
>From upstream:
" We could probably extract the relevant changes, but I don't
think that you actually need them. The real security bug is
being caused by gentoo's policy of giving users full access to
the same group as nethack's setgid setting. They shot themselves
in the foot here, by allowing users to modify the score file
outside of nethack. The lax buffer handling has been (or will
be, from a 3.4.3 perspective...) fixed, but it is not exploitable
in a standard installation where nethack runs in a group whose
files can't be manipulated by arbitrary users.
I assume that redhat/fedora doesn't have the same config
issue as gentoo. If I'm wrong, then you should change nethack
to run in a distinct group rather than--or in addition to--
patching its score file parsing code."
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
j.w.r.degoede(a)hhs.nl changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard| bzcl34nup |bzcl34nup
Flag| |needinfo?
------- Additional Comments From j.w.r.degoede(a)hhs.nl 2008-04-04 05:33 EST -------
AFAIK (might have get fixed through upstream) this bug is still present in
rawhide, gentoo has a patch for this here:
http://bugs.gentoo.org/attachment.cgi?id=139487&action=view
Worth fixing, not sure if its worth marking the fix security though IMHO.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705
Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: xmms
AssignedTo: paul(a)all-the-johnsons.co.uk
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
Cloning RHEL bug for FE[56].
+++ This bug was initially created as a clone of Bug #228013 +++
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files. Here are the technical details provided by Sven:
--- Details ---
CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.
The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
fseek(file, 8, SEEK_CUR);
read_le_long(file, &offset); <-- [1]
read_le_long(file, &headSize);
[...]
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
gint ncols, i;
ncols = offset - headSize - 14; <-- [2]
if (headSize == 12)
{
ncols = MIN(ncols / 3, 256);
for (i = 0; i < ncols; i++)
fread(&rgb_quads[i], 3, 1, file);
}
else
{
ncols = MIN(ncols / 4, 256);
fread(rgb_quads, 4, ncols, file); <-- [3]
[...]
-----
"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24, 16
or 32 (but can also be user controlled).
This can be exploited to cause a integer underflow,
resulting in a stack based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].
Successful exploitation allows execution of arbitrary code.
CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause a memory corruption via specially crafted
skin images containing manipulated header information.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
else if (headSize == 40) /* BITMAPINFO */
{
guint16 tmp;
read_le_long(file, &w); <-- [4]
read_le_long(file, &h); <-- [4]
[...]
fseek(file, offset, SEEK_SET);
buffer = g_malloc(imgsize);
fread(buffer, imgsize, 1, file);
fclose(file);
data = g_malloc0((w * 3 * h) + 3); <-- [5]
if (bitcount == 1)
----
-- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST --
These flaws also affect RHEL2.1 and RHEL3
-- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST --
Are there patches for these yet?
-- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST --
There are no patches yet. I'm still trying to contact someone upstream about
this. If you have any upstream contacts, please let me know.
-- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST --
Lifting embargo
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990
Summary: CVE-2007-1030: libevent < 1.3 DoS
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: libevent
AssignedTo: redhat-bugzilla(a)camperquake.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,steved(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030
"Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of
service (infinite loop) via a DNS response containing a label pointer that
references its own offset."
FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was
updated to 1.2a a few days ago, however (unlike the changelog says) the latest
upstream is 1.3a, not 1.2a.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months
[Bug 187353] Possible security issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
------- Additional Comments From fedora-triage-list(a)redhat.com 2008-04-03 13:11 EST -------
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.
If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 12 months