Author: Kelley Greenman
This week, Mandriva issued a fix for a vulnerability in Mozilla Thunderbird versions 1.0.7 and earlier. The vulnerability was initially discovered by nono2357, and Renaud Lifchitz issued an advisory for it on February 22nd. Lifchitz and nono2357 are employees of Sysdream IT Security Services.
The initial advisory warned that the vulnerability could be exploited to execute arbitrary JavaScript, to gain remote user access over the network, and to disclose or modify sensitive user information such as the user's preferences, the user's email messages, and information about the application version and platform.
The vulnerability is located in Mozilla Thunderbird's WYSIWYG rendering engine, which does not correctly filter JavaScript from HTML tags. Consequently, a remote user can send a malicious HTML email message containing a javascript: URI, carrying arbitrary JavaScript, in the SRC attribute of an IFRAME tag.
Even if JavaScript is disabled in Mozilla Thunderbird's preferences, when the recipient of such a message replies to it or otherwise edits it, the arbitrary JavaScript could be executed on the recipient's machine.
Sysdream’s advisory included a proof of concept:
* Javascript execution:

    <html>
    <body>
    <iframe src="JavaScript:alert('Found by www.sysdream.com !')"></iframe>
    </body>
    </html>

* Denial of service (application crash):

    <html>
    <body>
    <iframe src="JavaScript:parent.document.write('Found by www.sysdream.com !')"></iframe>
    </body>
    </html>
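The kind of check the advisory says Thunderbird's editor lacks, as an added example in JavaScript that is not code from this article, from Sysdream or from Mozilla: a substring deny-list of the sort the mixed-case "JavaScript:" proof of concept walks straight past, beside an allow-list scheme check that decodes HTML entities and strips the whitespace and control characters browsers ignore before parsing a scheme. The function names, the allow-list of schemes, and every sample after the first (the first is Sysdream's proof of concept as printed above) are assumptions made for this example.

```javascript
// Added example, not code from the article, Sysdream or Mozilla. Function
// names, the SAFE_SCHEMES allow-list and the constructed samples are
// assumptions made for this illustration.

// Named entities a mail client would decode before the value is parsed as a
// URL; numeric entities (&#115; / &#x73;) are handled generically below.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', tab: '\t', newline: '\n',
};

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : whole;
  });
}

// Deny-list substring test: exactly what the mixed-case "JavaScript:" in the
// proof of concept walks past (it also misses leading whitespace and entities).
function naiveIsSafeSrc(src) {
  return !src.startsWith('javascript:');
}

// Allow-list check: decode entities, drop the ASCII whitespace and control
// characters (0x00-0x20) that browsers ignore inside a scheme, then accept
// only schemes that cannot run script in the recipient's session.
const SAFE_SCHEMES = new Set(['http', 'https', 'cid', 'mailto']);

function hardenedIsSafeSrc(src) {
  const cleaned = decodeEntities(src).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;                       // no scheme at all: relative reference
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Strip any src/href attribute whose value fails the hardened check.
// Handles double-quoted, single-quoted and unquoted attribute values.
function sanitizeHtml(html) {
  return html.replace(
    /\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi,
    (attr, name, dq, sq, uq) => {
      const value = dq !== undefined ? dq : (sq !== undefined ? sq : uq);
      return hardenedIsSafeSrc(value) ? attr : '';
    });
}

// Sysdream's proof of concept as printed in the advisory, followed by
// constructed variants (not from the advisory) of the same javascript: URI
// and two benign references that must survive the filter.
const SAMPLES = [
  `<html><body><iframe src="JavaScript:alert('Found by www.sysdream.com !')"></iframe></body></html>`,
  `<iframe src=" \tjavascript:alert(1)"></iframe>`,
  `<iframe src="java&#115;cript:alert(1)"></iframe>`,
  `<iframe src='JAVASCRIPT&colon;alert(1)'></iframe>`,
  `<iframe src=javascript:alert(1)></iframe>`,
  `<iframe src="http://example.com/?a=1&b=2"></iframe>`,
  `<img src="cid:part1.example">`,
];

for (const html of SAMPLES) {
  console.log(naiveIsSafeSrc(html) ? 'naive: pass' : 'naive: block', '|', sanitizeHtml(html));
}
```

Run it with node. The regex over raw HTML is only there to keep the example self-contained: a mail client should apply `hardenedIsSafeSrc` to each URL-bearing attribute of the parsed DOM, because a text-level regex can be confused by attribute values that themselves contain `src=` and by malformed markup. The useful part is the allow-list: a deny-list has to anticipate every spelling of `javascript:`, while an allow-list only has to name the few schemes a message legitimately needs.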
Mozilla Thunderbird 1.0.7 and earlier versions need to be updated. Mandriva has issued updates for Mandrivalinux 2006 and Mandrivalinux 2006/X86_64.
Debian: bmv — integer overflow
February 26, 2006
An integer overflow in BMV, a PostScript viewer for SVGAlib, was discovered by felinemalice. According to last week's advisory from Debian, specially crafted PostScript files may make it possible to execute arbitrary code. The problem has been fixed in the following: the old stable distribution (woody), version 1.2-14.3; the stable distribution (sarge), version 1.2-17sarge1; and the unstable distribution (sid), version 1.2-18.
Debian: gpdf — several vulnerabilities
February 27, 2006
Derek Noonburg has fixed several vulnerabilities in Xpdf, necessitating updates to GPdf, the Portable Document Format (PDF) viewer with Gtk bindings. Fixes have been issued for the stable distribution (sarge), version 2.8.2-1.2sarge4. A fix for the unstable distribution (sid) will be available soon.
Debian: pdftohtml — several vulnerabilities
February 28, 2006
Debian also released upgrades addressing the Xpdf-related vulnerabilities in pdftohtml, which converts Portable Document Format (PDF) files to HTML. While the old stable distribution (woody) does not contain pdftohtml packages, fixes have been issued for the stable distribution (sarge), version 0.36-11sarge2, and the unstable distribution (sid), version 0.36-12.
Debian: xpdf — several vulnerabilities
March 2, 2006
Several potential vulnerabilities in the Portable Document Format (PDF) suite, xpdf, have been fixed by Derek Noonburg. While the old stable distribution (woody) is not affected, Debian advises users to upgrade their xpdf packages for the stable distribution (sarge), version 3.00-13.6, and the unstable distribution (sid), version 3.01-7.
Fedora: kernel — update
March 2, 2006
Fedora announced that several kernel security issues were fixed this week with the latest stable release (2.6.15.5). The security issues include:
- A potential local Denial of Service attack when sys_mbind failed to check its arguments;
- Intel EM64T machines could crash with a specially crafted ELF executable; and
- Normal users could panic NFS clients with direct I/O.
FreeBSD: openssh — denial of service
March 1, 2006
An advisory issued by FreeBSD warned of a potential Denial of Service vulnerability. Due to conflicting designs in OpenSSH and OpenPAM, an attacker may cause OpenSSH to stop accepting client connections by repeatedly connecting to a vulnerable server, waiting for the password prompt, and closing the connection.
FreeBSD: nfs — denial of service
March 1, 2006
An upgrade from FreeBSD addresses an error in the NFS server code that handles incoming RPC messages via TCP. According to the advisory, an incoming RPC message “with a zero-length payload could cause a NULL pointer dereference which results in a kernel panic.”
Mandriva: mplayer — multiple integer overflows
February 24, 2006
Mandriva issued a fix addressing multiple integer overflow vulnerabilities in the new_demux_packet function in demuxer.h and the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier. By crafting an ASF file with a large packet length value, a remote attacker could execute arbitrary code. Updates are available for the following packages: Corporate Server 3.0, Corporate Server 3.0/X86_64, Mandrivalinux 2006, and Mandrivalinux 2006/X86_64.
Mandriva: unzip — buffer overflow
February 26, 2006
Mandriva’s advisory included a fix for a buffer overflow vulnerability. If a user is tricked into unzipping a specially crafted file with a long file name, a remote attacker could launch arbitrary code with the privileges of that user. Updated packages include Corporate Server 3.0, Corporate Server 3.0/X86_64, Multi Network Firewall 2.0, Mandrivalinux LE2005, Mandrivalinux LE2005/X86_64, Mandrivalinux 2006, and Mandrivalinux 2006/X86_64.
Mandriva: mozilla-thunderbird — vulnerability
March 2, 2006
Mandriva issued an update for Mozilla Thunderbird 1.0.7 and earlier. Thunderbird’s WYSIWYG rendering engine does not correctly filter JavaScript code. The vulnerability could allow an attacker to override JavaScript security settings and obtain sensitive information or cause a system crash when a user edits an email containing a JavaScript URI in the SRC attribute of an IFRAME tag. The update fixes vulnerabilities in Mandrivalinux 2006 and Mandrivalinux 2006/X86_64.
Red Hat: tar — buffer overflow
March 1, 2006
Red Hat issued an update addressing the buffer overflow bug reported by Jim Meyering. A remote attacker could trick a user into extracting a specially crafted tar archive, enabling the attacker to run arbitrary code with the privileges of that user.
SUSE: heimdal — denial of service
February 24, 2006
SUSE released an update addressing two vulnerabilities in Heimdal, an implementation of Kerberos 5. A bug in the rsh daemon could allow a malicious user to obtain access to files that belong to other users. In the telnet server, a vulnerability could be exploited to crash the server before authentication succeeds. The bug leaves the machine open to a potential Denial of Service attack when inetd turns off telnetd because it forks too fast.
SUSE: kernel — various security updates
February 27, 2006
A SUSE advisory includes a Linux kernel update that fixes various kernel security problems.
SUSE: gpg, liby2util — remote code execution
March 1, 2006
SUSE also reissued an earlier advisory when it was discovered that gpg versions prior to 1.4.x were also affected. When invoked with the --verify command-line option, gpg could report a valid signature for a file containing a specially crafted signature, which could possibly lead to remote code execution.
Ubuntu: postgresql — vulnerability
February 27, 2006
This week, Ubuntu issued a fix for a vulnerability reported by Akio Ishida. Ishida found that, when the server has been compiled with assertions enabled, an authenticated user could crash the server by exploiting a security vulnerability in the SET SESSION AUTHORIZATION command, which does not properly verify the validity of its argument. This does not affect official Ubuntu packages, which are compiled without assertions; users should only be vulnerable if the packages have been rebuilt with assertions enabled.
Ubuntu: irssi-text — denial of service
March 1, 2006
In irssi-text, the DCC ACCEPT command handler does not correctly verify remotely specified arguments. A remote attacker could exploit this by issuing specially crafted DCC commands, causing a denial of service.