Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705
Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: xmms
AssignedTo: paul(a)all-the-johnsons.co.uk
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
Cloning RHEL bug for FE[56].
+++ This bug was initially created as a clone of Bug #228013 +++
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files. Here are the technical details provided by Sven:
--- Details ---
CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.
The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
fseek(file, 8, SEEK_CUR);
read_le_long(file, &offset); <-- [1]
read_le_long(file, &headSize);
[...]
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
gint ncols, i;
ncols = offset - headSize - 14; <-- [2]
if (headSize == 12)
{
ncols = MIN(ncols / 3, 256);
for (i = 0; i < ncols; i++)
fread(&rgb_quads[i], 3, 1, file);
}
else
{
ncols = MIN(ncols / 4, 256);
fread(rgb_quads, 4, ncols, file); <-- [3]
[...]
-----
"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24, 16
or 32 (but can also be user controlled).
This can be exploited to cause a integer underflow,
resulting in a stack based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].
Successful exploitation allows execution of arbitrary code.
CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause a memory corruption via specially crafted
skin images containing manipulated header information.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
else if (headSize == 40) /* BITMAPINFO */
{
guint16 tmp;
read_le_long(file, &w); <-- [4]
read_le_long(file, &h); <-- [4]
[...]
fseek(file, offset, SEEK_SET);
buffer = g_malloc(imgsize);
fread(buffer, imgsize, 1, file);
fclose(file);
data = g_malloc0((w * 3 * h) + 3); <-- [5]
if (bitcount == 1)
----
-- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST --
These flaws also affect RHEL2.1 and RHEL3
-- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST --
Are there patches for these yet?
-- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST --
There are no patches yet. I'm still trying to contact someone upstream about
this. If you have any upstream contacts, please let me know.
-- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST --
Lifting embargo
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990
Summary: CVE-2007-1030: libevent < 1.3 DoS
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: libevent
AssignedTo: redhat-bugzilla(a)camperquake.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,steved@redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030
"Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of
service (infinite loop) via a DNS response containing a label pointer that
references its own offset."
FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was
updated to 1.2a a few days ago, however (unlike the changelog says) the latest
upstream is 1.3a, not 1.2a.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694
Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information
disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: phpMyAdmin
AssignedTo: imlinux(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com,redhat-
bugzilla(a)linuxnetz.de
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0095
"phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via
a direct request for themes/darkblue_orange/layout.inc.php, which reveals the
path in an error message."
FC5+ apparently affected, even though I'm not sure if this is an issue at all.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230927
Summary: CVE-2007-1103: tor information disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: medium
Component: tor
AssignedTo: enrico.scholz(a)informatik.tu-chemnitz.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1103
"Tor does not verify a node's uptime and bandwidth advertisements, which allows
remote attackers who operate a low resource node to make false claims of greater
resources, which places the node into use for many circuits and compromises the
anonymity of traffic sources and destinations."
All <= 0.1.1.26 versions reportedly affected. Upstream statement:
http://blogs.law.harvard.edu/anonymous/2007/02/26/the-rumors-of-our-demise/
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830
Summary: CVE-2006-2453 Additional dia format string flaws
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: dia
AssignedTo: j.w.r.degoede(a)hhs.nl
ReportedBy: bressers(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
A number of additional format string issues were discovered by Hans de Goede and
has been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136
Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Product: Fedora Extras
Version: fc6
Platform: All
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: gv
AssignedTo: orion(a)cora.nwra.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
"Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to execute
arbitrary code via a PostScript (PS) file with certain headers that contain long
comments, as demonstrated using the DocumentMedia header."
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231734
Summary: CVE-2007-1246: xine-lib buffer overflow
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: xine-lib
AssignedTo: gauret(a)free.fr
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,ville.skytta@iki.fi
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1246
Originally reported against MPlayer, but it turns out xine-lib is vulnerable
too. Upstream fix pushed to FC6+ (1.1.4-3 currently building), but FC5 is still
at 1.1.2, probably already lacking "several bug and security fixes" as put by
upstream in the 1.1.3 release announcement. No FC5 system here to test with, so
leaving up to Aurelien to decide whether to update while at it or just to
possibly apply the patch for this issue from FC6+ (if it applies, unchecked).
------- Additional Comments From ville.skytta(a)iki.fi 2007-03-10 17:29 EST -------
Created an attachment (id=149781)
--> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=149781&action=view)
Fix from upstream CVS
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228764
Summary: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS,
information disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: moin
AssignedTo: matthias(a)rpmforge.net
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
CVE's against moin 1.5.7, with little useful information available at the moment:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0901http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0902
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253
Summary: CVE-2007-0981: seamonkey cookie setting / same-domain
bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: seamonkey
AssignedTo: kengert(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981
"Mozilla based browsers allows remote attackers to bypass the same origin
policy, steal cookies, and conduct other attacks by writing a URI with a null
byte to the hostname (location.hostname) DOM property, due to interactions with
DNS resolver code."
Seamonkey seems vulnerable. See also
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232103
Summary: CVE-2007-1429: moodle 1.7.1 remote file inclusion
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: moodle
AssignedTo: mmcgrath(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1429
"Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote
attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1)
admin/utfdbmigrate.php or (2) filter.php."
Reported against 1.7.1 which is not currently in any FE repo; reporting here in
order to track/ask for confirmation whether 1.6.x in FC-5 and FC-6, and 1.7 in
devel are affected.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.