Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.2.1-1
  • Unaffected: 1.2.2-1getorin1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. An error in the “OpcUa” dissector can be exploited to exhaust CPU and memory resources via a specially crafted “Service CallRequest” packet.
  2. An assertion error in the “GSM A RR” dissector can be exploited to cause a crash.
  3. An error in the TLS dissector can be exploited to cause a crash on certain platforms (e.g. Windows) via specially crafted TLS 1.2 network packets.

CVEs:

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.28-6anacreon1
  • Unaffected: 2.6.28-6anacreon2

  1. The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).
  2. Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.
  3. Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.

CVEs:

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.28-6anacreon2
  • Unaffected: 2.6.28-6anacreon3

A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges. The vulnerability is caused by incorrect initialisation of the proto_ops structure for certain protocols (e.g. PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25 families, PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX, and PF_ISDN), which can be exploited to cause a NULL pointer dereference when triggering the “sock_sendpage()” function for an incorrectly initialised socket.

drupal6-img_assist

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.0-1
  • Unaffected: 6.x_1.1-1anacreon1

Some vulnerabilities have been reported in the Image Assist module for Drupal, which can be exploited by malicious users to conduct script insertion attacks or to disclose potentially sensitive information.

  1. Input passed to the node title is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed.
  2. Certain pages do not properly check the required access permissions, which can be exploited to view the title and body of arbitrary nodes.

CVEs:

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 3.1.3.2-1anacreon1
  • Unaffected: 3.2.0.1-1anacreon1

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks. Certain input to SQL bookmarks is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.0.8-1anacreon1
  • Unaffected: 1.2.1-1anacreon1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. An array indexing error in the IPMI dissector can be exploited to cause a crash via a specially crafted network packet.
  2. Errors in the Bluetooth L2CAP, RADIUS, MIOP, and sFlow dissectors can be exploited to cause crashes or hangs via specially crafted network packets.
  3. An error in the AFS dissector can be exploited to cause a crash via a specially crafted network packet.
  4. An error in the Infiniband dissector can be exploited to cause a crash on certain platforms via a specially crafted network packet.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 2.8.1-1anacreon1
  • Unaffected: 2.8.2-1anacreon1

A vulnerability has been reported in WordPress, which can be exploited by malicious people to conduct script insertion attacks. Input passed via the comment author URL is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected website when the malicious data is viewed.

drupal6-views

  • Author: Miklos Vajna
  • Vulnerable: 6.x_2.3-1
  • Unaffected: 6.x_2.6-1anacreon1

Some vulnerabilities and security issues have been reported in the Views Module for Drupal, which can be exploited by malicious users to conduct script insertion attacks, and by malicious users and malicious people to bypass certain security restrictions.

  1. Input passed e.g. when configuring exposed filters is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed.
  2. Input passed in view names when adding views is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires “administer views” permissions.
  3. A security issue exists due to unpublished content owned by the anonymous user being accessible by anonymous users.
  4. An error in the generation of queries can result in users being able to access private content.

CVEs:

drupal-webform

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.6-1
  • Unaffected: 5.x_2.7-1anacreon1

A vulnerability has been reported in the Webform module for Drupal, which can be exploited by malicious people to conduct script insertion attacks. Input passed via unspecified parameters to e.g. questionnaires, contact, request, or registration forms, surveys, or polls is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed.

squirrelmail

  • Author: Miklos Vajna
  • Vulnerable: 1.4.17-2anacreon1
  • Unaffected: 1.4.17-3anacreon1

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.

CVEs: