security March 2007

security@lists.fedoraproject.org

6 participants
32 discussions

[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
by Red Hat Bugzilla 04 Apr '08

04 Apr '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705 Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: xmms AssignedTo: paul(a)all-the-johnsons.co.uk ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com Cloning RHEL bug for FE[56]. +++ This bug was initially created as a clone of Bug #228013 +++ Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles skin files. Here are the technical details provided by Sven: --- Details --- CVE-2007-0654 1) An integer underflow error exists when loading skin bitmap images, which can be exploited to cause a stack-based buffer overflow via specially crafted skin images containing manipulated header information. The vulnerability is caused due to errors within "read_bmp()" in xmms/bmp.c when loading skin bitmap images. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] fseek(file, 8, SEEK_CUR); read_le_long(file, &offset); <-- [1] read_le_long(file, &headSize); [...] else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { gint ncols, i; ncols = offset - headSize - 14; <-- [2] if (headSize == 12) { ncols = MIN(ncols / 3, 256); for (i = 0; i < ncols; i++) fread(&rgb_quads[i], 3, 1, file); } else { ncols = MIN(ncols / 4, 256); fread(rgb_quads, 4, ncols, file); <-- [3] [...] ----- "offset" [1] is not properly verified before being used to calculate "ncols" [2]. "bitcount" has to be set to a different value than 24, 16 or 32 (but can also be user controlled). This can be exploited to cause a integer underflow, resulting in a stack based buffer overflow, which can be used to overwrite the return address of "read_bmp()" [3]. Successful exploitation allows execution of arbitrary code. CVE-2007-0653 2) An integer overflow error exists when loading skin bitmap images. This can be exploited to cause a memory corruption via specially crafted skin images containing manipulated header information. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] else if (headSize == 40) /* BITMAPINFO */ { guint16 tmp; read_le_long(file, &w); <-- [4] read_le_long(file, &h); <-- [4] [...] fseek(file, offset, SEEK_SET); buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); fclose(file); data = g_malloc0((w * 3 * h) + 3); <-- [5] if (bitcount == 1) ---- -- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST -- These flaws also affect RHEL2.1 and RHEL3 -- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST -- Are there patches for these yet? -- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST -- There are no patches yet. I'm still trying to contact someone upstream about this. If you have any upstream contacts, please let me know. -- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST -- Lifting embargo -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 7

[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS
by Red Hat Bugzilla 04 Apr '08

04 Apr '08

1 7

[Bug 221694] New: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure
by Red Hat Bugzilla 10 Dec '07

10 Dec '07

1 13

[Bug 230927] New: CVE-2007-1103: tor information disclosure
by Red Hat Bugzilla 01 Nov '07

01 Nov '07

1 1

[Bug 192830] New: CVE-2006-2453 Additional dia format string flaws
by Red Hat Bugzilla 30 Aug '07

30 Aug '07

1 13

[Bug 215136] New: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
by Red Hat Bugzilla 30 Aug '07

30 Aug '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136 Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: gv AssignedTo: orion(a)cora.nwra.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 "Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 5

[Bug 231734] New: CVE-2007-1246: xine-lib buffer overflow
by Red Hat Bugzilla 17 Jun '07

17 Jun '07

1 2

[Bug 228764] New: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure
by Red Hat Bugzilla 07 May '07

07 May '07

1 3

[Bug 229253] New: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability
by Red Hat Bugzilla 17 Apr '07

17 Apr '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253 Summary: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: seamonkey AssignedTo: kengert(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981 "Mozilla based browsers allows remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code." Seamonkey seems vulnerable. See also https://bugzilla.mozilla.org/show_bug.cgi?id=370445 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

3 3

[Bug 232103] New: CVE-2007-1429: moodle 1.7.1 remote file inclusion
by Red Hat Bugzilla 15 Apr '07

15 Apr '07

1 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security March 2007