March 10, 2006 weekly security advisory

Author: Kelley Greenman

Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu released several advisories. SquirrelMail, WordPress, Zoph, Mplayer, app-text/tetex, Freeciv, kdegraphics, and Zoo are some of the packages that have vulnerabilities.

This week, Debian and Fedora released advisories addressing several security vulnerabilities in SquirrelMail. Users are urged to update their packages since there are several vulnerabilities that could compromise user privacy.

The first flaw, which affects webmail.php in SquirrelMail 1.4.0 to 1.4.5, was reported independently by Martijn Brinkers and Ben Maurer. Attack vectors exist for all major Web browsers, although some variants can only be exploited in Microsoft Internet Explorer.

The flaw leaves SquirrelMail open to a remote attack because input to webmail.php is not properly sanitized. If a user working in the SquirrelMail interface opens an externally hosted page, an attacker may be able to inject arbitrary Web pages into the right frame via a URL in the right_frame parameter. While this vulnerability has been reported as a cross-site scripting (XSS) vulnerability, the problem is different from a typical cross-site scripting issue.

A second flaw, an interpretation conflict in the MagicHTML filter, was discovered by Martijn Brinkers and Scott Hughes. The vulnerability affects SquirrelMail 1.4.0 through 1.4.5 and leaves the program open to remote attack in two circumstances. In the first case, style sheet specifiers containing comments (/* */) are not correctly disregarded. In the second case, an invalid newline in a "URL" specifier is processed by the Web browser. Either way, an attacker may be able to compromise the privacy of legitimate users, manipulate data, or conduct cross-site scripting (XSS) attacks.

The third flaw also affects SquirrelMail 1.4.0 through 1.4.5. Vicente Aguilera discovered a CRLF injection vulnerability that occurs when input passed to the "mailbox" parameter in "read_body.php" is not correctly sanitized before being used in an IMAP query.

According to a SquirrelMail security advisory, the flaw could enable a remote attacker to "inject arbitrary IMAP commands with newline characters in the mailbox parameter of the sqimap_mailbox_select command," an attack also known as IMAP injection.
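The injection described above works because the client splices an unchecked mailbox name into an IMAP command line, where CR/LF ends one command and starts the next. The following Python snippet is an added illustration (not SquirrelMail's code; the function names are hypothetical) of the defect class and the check that closes it: a mailbox name containing CR, LF or NUL is rejected before it reaches the wire, and legitimate names are sent as properly quoted IMAP strings.

```python
# Constructed illustration of IMAP CRLF injection and its mitigation.
# Not SquirrelMail code; function names are hypothetical.

FORBIDDEN = frozenset("\r\n\x00")  # line terminators end an IMAP command


class MailboxNameError(ValueError):
    """Raised when user-supplied mailbox input is not a single valid name."""


def validate_mailbox(name: str) -> str:
    """Reject anything that could terminate the command line early."""
    if not name or len(name) > 512:
        raise MailboxNameError("empty or overlong mailbox name")
    if any(ch in FORBIDDEN for ch in name):
        raise MailboxNameError("control characters in mailbox name")
    return name


def quote_mailbox(name: str) -> str:
    """Encode as an IMAP quoted string: escape backslash and double quote."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select_unsafe(tag: str, name: str) -> str:
    """Vulnerable pattern: raw concatenation, as the advisory describes."""
    return f"{tag} SELECT {name}\r\n"


def build_select_safe(tag: str, name: str) -> str:
    """Hardened pattern: validate, then quote, then build the command."""
    return f"{tag} SELECT {quote_mailbox(validate_mailbox(name))}\r\n"


def count_commands(wire: str) -> int:
    """Server-side view: how many command lines does this buffer contain?"""
    return wire.count("\r\n")


def is_rejected(name: str) -> bool:
    """True if the hardened builder refuses the given mailbox name."""
    try:
        build_select_safe("A001", name)
    except MailboxNameError:
        return True
    return False


if __name__ == "__main__":
    crafted = 'INBOX\r\nA002 LIST "" *'  # constructed two-command payload
    print(count_commands(build_select_unsafe("A001", crafted)))  # 2
    print(is_rejected(crafted))                                   # True
```

With the unchecked builder the server sees two tagged commands from one request; with validation in place the same input never produces a command line at all.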

In addition to the SquirrelMail fixes, Fedora's advisory includes updates that improve usability for non-English distributions of SquirrelMail. Fedora asks that users who notice a regression in the language behavior of non-English packages report it under Bug #162852.

Debian: libtasn1-2 -- buffer overflows
March 6, 2006

Debian reported that several buffer overflow vulnerabilities were discovered by Evgeny Legerov. Legerov found out-of-bounds memory accesses in the DER decoding component of the Tiny ASN.1 Library. Remote attackers could exploit the security hole, possibly crashing the DER decoder or executing arbitrary code. While the old stable distribution, woody, is not affected, the problem has been fixed in the stable distribution, sarge, version 2_0.2.10-3sarge1. Users should look for a fix for sid soon.

Debian: gnutls11 -- buffer overflows
March 6, 2006

Several out-of-bounds memory accesses in the DER decoding component of the Tiny ASN.1 Library also affect GnuTLS, the GNU implementation of the Transport Layer Security (TLS) 1.0 and Secure Sockets Layer (SSL) 3.0 protocols. The vulnerabilities could allow remote attackers to crash the DER decoder and possibly execute arbitrary code. Updates are available for sarge, and the problem should be fixed soon in sid.

Debian: tar -- buffer overflow
March 7, 2006

Jim Meyering reported several buffer overflow vulnerabilities in GNU tar. If a user is tricked into processing a maliciously crafted tar archive, it could cause the execution of arbitrary code. The problem has been fixed for the stable distribution (sarge) in version 1.14-2.1 and in the unstable distribution (sid) in version 1.15.1-3. Woody is not affected.

Debian: squirrelmail -- several vulnerabilities
March 8, 2006

The popular Web-based email system, SquirrelMail, is vulnerable to several problems:

  • According to Martijn Brinkers and Ben Maurer, webmail.php, which does not correctly validate the right_main parameter, is vulnerable to attack which could cause a user's browser to launch malicious scripting code. (CVE-2006-0188)

  • Martijn Brinkers and Scott Hughes discovered an interpretation conflict in the MagicHTML filter. Remote attackers conducting cross-site scripting (XSS) attacks could exploit the flaw. (CVE-2006-0195)

  • Vicente Aguilera of Internet Security Auditors, S.L. discovered a CRLF injection vulnerability. When processing the sqimap_mailbox_select mailbox parameter, an input validation error could be exploited by a malicious attacker to inject arbitrary IMAP commands. (CVE-2006-0377)

The problems have been fixed in woody (version 1.2.6-5), sarge (version 2:1.4.4-8), and sid (version 2:1.4.6-1).

Debian: zoph -- SQL injection vulnerability
March 9, 2006

Neil McBride discovered an SQL injection vulnerability in the Web-based photo management system Zoph. Because Zoph insufficiently sanitizes photo search input, a remote attacker could execute arbitrary SQL commands. The problem has been fixed for the stable distribution (sarge) in version 0.3.3-12sarge1 and for the unstable distribution (sid) in version 0.5-1.

Fedora: squirrelmail -- several vulnerabilities
March 3, 2006

Fedora's security advisory recommended that users update SquirrelMail, a popular Web-based email program. The update fixes several vulnerabilities, which could leave legitimate users open to cross-site scripting attacks crafted by a remote attacker.

Gentoo: wordpress -- SQL injection vulnerability
March 4, 2006

Gentoo warned of an SQL injection vulnerability in WordPress 1.5.2 discovered by Patrik Karlsson. Due to insufficient filtering of User Agent strings, a malicious user could post a comment carrying a specially crafted User Agent value. The resulting SQL injection could subvert the WordPress database.

Gentoo: app-text/tetex -- several heap overflow vulnerabilities
March 4, 2006

Xpdf contains heap overflow, buffer overflow, and integer overflow vulnerabilities in its PDF handling code. The flaws render CSTeTeX, pTeX, and teTeX vulnerable to the execution of arbitrary code when a remote attacker tricks a user into opening a specially crafted PDF file. According to Chris Evans, who discovered the flaws, the attacker could gain the privileges of the compromised user.

Gentoo: mplayer -- integer overflow
March 4, 2006

Simon Kilvington reported that MPlayer media player is vulnerable to attack due to a heap overflow vulnerability in the FFmpeg library. An attacker could trick a user into opening a specially crafted media file which could result in the execution of arbitrary code with the privileges of the compromised user.

Gentoo: netmail/up-imapproxy -- format string vulnerabilities
March 4, 2006

Steve Kemp warned of format string vulnerabilities in IMAP Proxy, which handles transactions between an IMAP server and an IMAP client. A remote attacker who operates a malicious IMAP server could lure a user into connecting to it, resulting in the execution of arbitrary code with the rights of that user.

Gentoo: app-arch/zoo -- stack-based buffer overflow
March 6, 2006

The file archiving utility Zoo contains a stack-based buffer overflow discovered by Jean-Sebastien Guay-Leroux. A remote attacker could trick a user into opening a malicious Zoo archive; once opened, the vulnerability could trigger the execution of arbitrary code with the privileges of the targeted user.

Mandriva: freeciv -- denial of service
March 7, 2006

Luigi Auriemma located a denial of service vulnerability in the civserver component of the popular game, Freeciv. Specially crafted packets could be used to crash the Freeciv server.

Mandriva: kdegraphics -- overflow vulnerabilities
February 27, 2006

Marcelo Ricardo Leitner discovered that specially crafted PDF files could be used to exploit several overflow vulnerabilities in Kpdf that were not fixed in an earlier patch issued for Xpdf.

Red Hat: python -- integer overflow vulnerability
March 9, 2006

Red Hat warned of a flaw in the PCRE library bundled with Python, which renders systems vulnerable when a user is tricked into processing a specially crafted regular expression supplied by an untrusted party. The integer overflow could allow an attacker to execute arbitrary code with the privileges of an application that uses the PCRE library.

Red Hat: kdegraphics -- privilege escalation vulnerability
March 9, 2006

An earlier Kpdf security fix was incomplete, according to Marcelo Ricardo Leitner, who discovered the problem. If an attacker tricks a user into opening a specially crafted PDF file, the file could execute arbitrary code with the privileges of that user or cause Kpdf to crash. For more information about the earlier, incomplete fix, see CVE-2005-3627.

Ubuntu: flex -- buffer overflow vulnerability
March 6, 2006

Ubuntu's advisory warned of a buffer overflow in a class of lexicographical scanners generated by flex. Chris Moore, who discovered the vulnerability, warned that the flaw could allow a remote attacker to execute arbitrary code with maliciously crafted user data parsed by a flex scanner. The GNU Pascal Compiler is also vulnerable to attack when a user or automated system is tricked into compiling a malicious Pascal source code file.
