security February 2008

security@lists.fedoraproject.org

8 participants
10 discussions

Start a nNew thread

[Bug 240397] New: CVE-2007-2721: jasper DoS, heap corruption
by Red Hat Bugzilla 08 Sep '08

08 Sep '08

1 3

[Bug 237533] New: CVE-2007-2165: proftpd auth bypass vulnerability
by Red Hat Bugzilla 30 Jul '08

30 Jul '08

1 19

[Bug 245211] New: Wordpress 2.2: SQL injection, XSS vulnerabilities
by Red Hat Bugzilla 07 May '08

07 May '08

1 10

[Bug 307471] New: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
by Red Hat Bugzilla 06 May '08

06 May '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/show_bug.cgi?id=307471 Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities Product: Fedora Version: fc6 Platform: All URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c- 000e0c6d38a9.html OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: qemu AssignedTo: dwmw2(a)infradead.org ReportedBy: clalance(a)redhat.com QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,j.w.r.degoede@hhs.nl +++ This bug was initially created as a clone of Bug #238723 +++ Not sure if these affect any qemu versions in Fedora, but here goes: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html "Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320 Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1321 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1322 Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service. CVE-2007-1323 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1366 Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service." -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 4

[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
by Red Hat Bugzilla 04 Apr '08

04 Apr '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705 Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: xmms AssignedTo: paul(a)all-the-johnsons.co.uk ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com Cloning RHEL bug for FE[56]. +++ This bug was initially created as a clone of Bug #228013 +++ Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles skin files. Here are the technical details provided by Sven: --- Details --- CVE-2007-0654 1) An integer underflow error exists when loading skin bitmap images, which can be exploited to cause a stack-based buffer overflow via specially crafted skin images containing manipulated header information. The vulnerability is caused due to errors within "read_bmp()" in xmms/bmp.c when loading skin bitmap images. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] fseek(file, 8, SEEK_CUR); read_le_long(file, &offset); <-- [1] read_le_long(file, &headSize); [...] else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { gint ncols, i; ncols = offset - headSize - 14; <-- [2] if (headSize == 12) { ncols = MIN(ncols / 3, 256); for (i = 0; i < ncols; i++) fread(&rgb_quads[i], 3, 1, file); } else { ncols = MIN(ncols / 4, 256); fread(rgb_quads, 4, ncols, file); <-- [3] [...] ----- "offset" [1] is not properly verified before being used to calculate "ncols" [2]. "bitcount" has to be set to a different value than 24, 16 or 32 (but can also be user controlled). This can be exploited to cause a integer underflow, resulting in a stack based buffer overflow, which can be used to overwrite the return address of "read_bmp()" [3]. Successful exploitation allows execution of arbitrary code. CVE-2007-0653 2) An integer overflow error exists when loading skin bitmap images. This can be exploited to cause a memory corruption via specially crafted skin images containing manipulated header information. -- xmms/bmp.c -- GdkPixmap *read_bmp(gchar * filename) [...] else if (headSize == 40) /* BITMAPINFO */ { guint16 tmp; read_le_long(file, &w); <-- [4] read_le_long(file, &h); <-- [4] [...] fseek(file, offset, SEEK_SET); buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); fclose(file); data = g_malloc0((w * 3 * h) + 3); <-- [5] if (bitcount == 1) ---- -- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST -- These flaws also affect RHEL2.1 and RHEL3 -- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST -- Are there patches for these yet? -- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST -- There are no patches yet. I'm still trying to contact someone upstream about this. If you have any upstream contacts, please let me know. -- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST -- Lifting embargo -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 7

[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS
by Red Hat Bugzilla 04 Apr '08

04 Apr '08

1 7

[Bug 238723] New: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
by Red Hat Bugzilla 19 Mar '08

19 Mar '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238723 Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities Product: Fedora Extras Version: fc6 Platform: All URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c- 000e0c6d38a9.html OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: qemu AssignedTo: dwmw2(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,j.w.r.degoede@hhs.nl Not sure if these affect any qemu versions in Fedora, but here goes: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html "Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320 Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1321 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1322 Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service. CVE-2007-1323 Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1366 Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 5

whole pile o' updates
by Jake Edge 26 Feb '08

26 Feb '08

(Josh Bressers suggested I send my questions here rather than asking him or someone else directly) Yesterday you folks released an enormous number of security updates. While I could selfishly complain about it being done on a Wednesday, my real issues are the following: - it seems deliberate that the same alert ID tag was reused (FEDORA-2008-1435 and FEDORA-2008-1535), it would seem to be a bit confusing to refer to multiple alerts with the same ID, take a peek at: http://lwn.net/Alerts/Fedora/ to see what I mean. - those were all related to the same gecko vulnerabilites, which is what (I presume) motivated reusing the same IDs, but at least one (perhaps two, I can't remember for sure) of those, ruby-gnome2 also fixed a separate CVE that was unrelated to the mozilla pile - How is it that so many packages were affected by these mozilla vulns? Are they statically linked? Reusing the code? Have very restrictive dynamic library version numbers? It just seems that a vulnerability in a component shouldn't necessarily have this kind of cascading effect. - Overall, we have been noticing a decline in the quality of Fedora security alerts. They are often missing basic information about what bug they are fixing (other than perhaps a reference to bugzilla, sometimes a link to the CVE). I think if you read a lot of those alerts as if you were just a plain old user, you would find that some provide very little useful information to try and determine what problem is being fixed. I can provide examples if necessary. Is there something that can be done to standardize the format a bit? thanks! jake -- Jake Edge - LWN - jake(a)lwn.net - http://lwn.net

6 12

Re: whole pile o' updates
by Jake Edge 24 Feb '08

24 Feb '08

(sorry if this starts a new thread, you folks answered before I had a chance to subscribe :) Jesse wrote: > As for ruby-gnome2's other CVE fix, that was released earlier in a > different update, > https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216 So this getting into our system is an artifact of how we process the alerts. Our program looks for CVE references anywhere in the alert and believes the alert fixes those CVEs. In this case (and presumably others), that CVE was fixed in an earlier release and only appeared in the Changelog in the message. I have sometimes wondered about those changelogs. It would seem to me that unless they only refer to the changes since the last release, they are fairly confusing to someone reading them. Is there a way for a human (or program) to determine which of those changelog entries actually correspond to the changes in the release that goes with the alert? jake -- Jake Edge - LWN - jake(a)lwn.net - http://lwn.net

3 2

Reading DRAM modules after loss of power
by Lubomir Kundrak 22 Feb '08

22 Feb '08

Is this a hoax? http://citp.princeton.edu/memory/exp/ I thought there was a good reason for DRAM memory cells to be refreshed every 64ms. Anyone tried that? -- Lubomir Kundrak (Red Hat Security Response Team)

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security February 2008