Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

ntp

  • Author: Miklos Vajna
  • Vulnerable: 4.2.4p6-1
  • Unaffected: 4.2.4p7-1anacreon1

A vulnerability has been reported in NTP, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. The vulnerability is caused due to a boundary error within the “crypto_recv()” function in ntpd/ntp_crypto.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to the “ntpd”. Successful exploitation allows execution of arbitrary code, but requires that Autokey Authentication is configured via “crypto pw [password]” in ntp.conf.

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.0.7-1anacreon1
  • Unaffected: 1.0.8-1anacreon1

A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the PCNFSD dissector and can be exploited to cause a crash via a specially crafted PCNFSD packet.

CVEs:

xpdf

  • Author: Miklos Vajna
  • Vulnerable: 3.02-5
  • Unaffected: 3.02-6anacreon1

Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user’s system.

  1. A boundary error exists when decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code.
  2. Multiple integer overflows in the JBIG2 decoder can be exploited to potentially execute arbitrary code.
  3. Multiple boundary errors in the JBIG2 decoder can be exploited to cause buffer overflows and potentially execute arbitrary code.
  4. Multiple errors in the JBIG2 decoder can be exploited to free arbitrary memory and potentially execute arbitrary code.
  5. Multiple unspecified input validation errors in the JBIG2 decoder can be exploited to potentially execute arbitrary code. NOTE: Additionally, various other JBIG2 processing errors can be exploited to cause crashes.

CVEs:

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.17-1anacreon1
  • Unaffected: 5.18-1anacreon1

A vulnerability has been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks. User provided input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed and interpreted as UTF-7. Successful exploitation requires valid user credentials and privileges to edit pages for HTML exports or “administer taxonomy” permissions.

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.28-5
  • Unaffected: 2.6.28-6anacreon1

  1. The exit_notify function in kernel/exit.c does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.
  2. drivers/char/agp/generic.c in the agp subsystem does not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.
  3. Integer overflow in rose_sendmsg (sys/net/af_rose.c) might allow remote attackers to obtain sensitive information via a large length value, which causes “garbage” memory to be sent (DoS from local network).
  4. The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.
  5. The sock_getsockopt function in net/core/sock.c does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request (local privilege escalation).

CVEs:

file

  • Author: Miklos Vajna
  • Vulnerable: 5.00-1
  • Unaffected: 5.02-1anacreon1

A vulnerability has been reported in file, which can be exploited by malicious people to potentially compromise a user’s system. The vulnerability is caused due to a boundary error within the “cdf_read_sat()” function in src/cdf.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted compound document file. Successful exploitation may allow execution of arbitrary code.

CVEs:

horde-webmail

  • Author: Miklos Vajna
  • Vulnerable: 1.2.2-1
  • Unaffected: 1.2.3-1anacreon1

A vulnerability has been reported in Horde IMP and Horde Groupware Webmail Edition, which can be exploited by malicious users to conduct spoofing attacks. The vulnerability is caused due to the application caching PGP keys from local address books. This can be exploited to insert manipulated public PGP keys into the cache, which can result e.g. in incorrectly signed incoming messages being displayed as valid. Successful exploitation requires a valid user account and that caching and PGP support are enabled.

blender

  • Author: Miklos Vajna
  • Vulnerable: 2.48a-1
  • Unaffected: 2.48a-2anacreon1

A vulnerability has been reported in Blender, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to Blender using the current working directory as part of the module search path, which can be exploited to e.g. execute arbitrary Python code with the privileges of another user by tricking the user into executing Blender in a directory containing a Python file named like one of the modules Blender uses.

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.16-1
  • Unaffected: 5.17-1anacreon1

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to conduct script insertion attacks or to disclose potentially sensitive information.

  1. User provided input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is viewed and interpreted as UTF-7. Successful exploitation requires the ability to post content.
  2. An unspecified error can be exploited to disclose information about form submissions when a user is tricked into submitting a form after following a specially crafted link to the site. This can further be exploited to conduct e.g. cross-site request forgery attacks.

CVEs: