Linux.com weekly security update – February 3, 2006


Author: Joe 'Zonker' Brockmeier

Advisories were released this week for LibAST, MyDNS, Mail::Audit, PHP, and several other packages. Vendors that released advisories this week are Debian, Fedora, FreeBSD, Gentoo, Mandriva, and Red Hat. No advisories were issued for SUSE or Ubuntu this week. The Mozilla Foundation has also released an update to Firefox 1.5 this week.

Firefox 1.5.0.1 update

The Firefox 1.5.0.1 release addresses eight separate security vulnerabilities, including a critical XML injection vulnerability in the XULDocument.persist() function.

The XULDocument.persist() vulnerability also threatens Thunderbird users if JavaScript is turned on. This is not the default, but users can enable JavaScript in Thunderbird if they wish. Until the Mozilla Foundation issues an update, users with JavaScript enabled in Thunderbird should disable it immediately.

Firefox 1.5 and Thunderbird 1.5 include an update feature that removes the need for users to download a new version of the application each time a security update is released. The default in 1.5 is to automatically download and install updates. This can be verified in the Advanced -> Update preferences tab.

Beta testers received the update earlier than users who installed Firefox from the final 1.5 release. According to the Mozilla development blog, beta users have a different update “channel” than users with the final 1.5 release.

If you’d prefer not to receive beta updates, enter about:config in the location bar, and search for app.update.channel. This can be changed to release in order to receive updates only when a new release has finished its beta period. Alternatively, if you’d like to receive beta releases, change the value to beta.


Debian: unalz — buffer overflow
January 30, 2006

Debian’s advisory states:

Ulf Härnhammer from the Debian Security Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.

Debian: libmail-audit-perl — insecure temporary file creation
January 31, 2006

Debian’s advisory states:

Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on, which is not the case by default.
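The Mail::Audit report is the classic predictable temporary file problem: if the log path is known in advance and the open follows symlinks, a local attacker who plants a link at that path first chooses which file receives the log lines. The C program below is an added illustration of that class, not code from Mail::Audit or Debian. It stages the attack in a scratch directory under /tmp (the directory, the victim file and the log name mail-audit.log are all constructed for the demo) and contrasts an open that follows the planted link with one that refuses it:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *mkdtemp(char *tmpl);            /* prototype repeated in case feature macros hide it */
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0                  /* platforms without it lose one layer of defence */
#endif

/* Vulnerable pattern (the Mail::Audit report): a log file at a name anyone
 * can predict, opened in a way that follows symlinks. Whoever plants a link
 * at that name first decides which file receives the log lines. */
int open_log_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened pattern: O_EXCL makes the open fail if anything (file or link)
 * already exists at the path, O_NOFOLLOW refuses symlinks outright, and the
 * mode keeps the log private. A planted link now causes a failure, not a
 * redirected write. Pair it with an unpredictable name (mkstemp) in real code. */
int open_log_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stage the attack in a fresh scratch directory (constructed for the demo):
 * a "victim" file the attacker wants written to, and a symlink at the
 * predictable log name pointing at it. Returns 0 on success. */
static int stage_attack(char *victim, size_t vn, char *logpath, size_t ln)
{
    char dir[] = "/tmp/auditdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, vn, "%s/victim.txt", dir);
    snprintf(logpath, ln, "%s/mail-audit.log", dir);   /* the predictable name */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(victim, logpath);                   /* attacker plants the link */
}

/* 1 if a line written through the insecure open ended up in the victim file. */
int insecure_open_clobbers_victim(void)
{
    char victim[256], logpath[256], buf[64] = {0};
    if (stage_attack(victim, sizeof victim, logpath, sizeof logpath) != 0)
        return -1;
    int fd = open_log_insecure(logpath);
    if (fd < 0)
        return -1;
    const char line[] = "filtered: spam\n";
    if (write(fd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1)) {
        close(fd);
        return -1;
    }
    close(fd);
    fd = open(victim, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strstr(buf, "filtered: spam") != NULL;
}

/* 1 if the secure open refused the planted symlink (EEXIST from O_EXCL,
 * or ELOOP from O_NOFOLLOW), 0 if it opened anyway. */
int secure_open_refuses_symlink(void)
{
    char victim[256], logpath[256];
    if (stage_attack(victim, sizeof victim, logpath, sizeof logpath) != 0)
        return -1;
    int fd = open_log_secure(logpath);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return (errno == EEXIST || errno == ELOOP) ? 1 : 0;
}

int main(void)
{
    printf("insecure open redirected into victim file: %d\n", insecure_open_clobbers_victim());
    printf("secure open refused the planted symlink:   %d\n", secure_open_refuses_symlink());
    return 0;
}
```

The insecure variant appends the log line to whatever the link points at, which in the real case could be a file the user owns and later trusts (a .procmailrc, a shell startup file); the secure variant fails closed with EEXIST or ELOOP. Opening the file with O_EXCL is only half the fix: the name must also be unpredictable, which is what mkstemp provides.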

Debian: pdfkit.framework — buffer overflows
February 1, 2006

Debian’s advisory states:

“infamous41md” and Chris Evans discovered several heap based buffer overflows in xpdf which are also present in pdfkit.framework, the GNUstep framework for rendering PDF content, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

Debian: pdftohtml — buffer overflows
February 1, 2006

Debian’s advisory states:

“infamous41md” and Chris Evans discovered several heap based buffer overflows in xpdf which are also present in pdftohtml, a utility that translates PDF documents into HTML format, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

Debian: mydns — missing input sanitising
February 2, 2006

Debian’s advisory states:

NISCC reported that MyDNS, a DNS server using an SQL database for data storage, can be tricked into an infinite loop by a remote attacker and hence cause a denial of service condition.

Fedora: firefox — multiple vulnerabilities
February 2, 2006

Fedora’s advisory states:

Igor Bukanov discovered a bug in the way Firefox’s JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

Fedora: mozilla — multiple vulnerabilities
February 2, 2006

Fedora’s advisory states:

Igor Bukanov discovered a bug in the way Mozilla’s JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

FreeBSD: Infinite loop in SACK handling
February 1, 2006

The FreeBSD advisory states:

When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop. … By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service.
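A loop that retries a failing allocation without any progress guarantee is the usual way "insufficient memory" turns into an infinite loop, and it is worth seeing the shape in code. The following C model is an added illustration of that failure mode, not FreeBSD's tcp_sack.c; the SACK blocks, the hole list and the allocator hook are all constructed for the demo, and a loop guard stands in for "forever" so the program terminates:

```c
#include <stdio.h>
#include <stdlib.h>

struct sack_block { unsigned start, end; };               /* one range the peer has received */
struct hole { unsigned start, end; struct hole *next; };  /* sender-side bookkeeping per range */

/* Allocator hook so the demo can simulate "insufficient memory" on demand. */
static int alloc_should_fail;
static unsigned alloc_calls;

static struct hole *alloc_hole(void)
{
    alloc_calls++;
    return alloc_should_fail ? NULL : calloc(1, sizeof(struct hole));
}

static void free_holes(struct hole *h)
{
    while (h) { struct hole *next = h->next; free(h); h = next; }
}

#define LOOP_GUARD 10000u   /* stands in for "forever" so the demo terminates */

/* Buggy shape: when the allocation fails the loop simply goes round again for
 * the same block. Under memory pressure i never advances, and the packet that
 * got us here is an attacker's to send as often as needed. Returns blocks
 * processed, or -1 when the guard trips (a kernel has no guard; it spins). */
int process_sack_buggy(const struct sack_block *blk, int n)
{
    struct hole *list = NULL;
    int i = 0;
    unsigned spins = 0;
    while (i < n) {
        if (++spins > LOOP_GUARD) { free_holes(list); return -1; }
        struct hole *h = alloc_hole();
        if (h == NULL)
            continue;                       /* retry: no progress, no exit */
        h->start = blk[i].start;
        h->end = blk[i].end;
        h->next = list;
        list = h;
        i++;
    }
    free_holes(list);
    return i;
}

/* Fixed shape: a failed allocation is a reason to give up on this SACK option
 * (the connection still works, just without the optimisation), so the
 * function returns instead of looping. Every iteration either makes progress
 * or terminates. */
int process_sack_fixed(const struct sack_block *blk, int n)
{
    struct hole *list = NULL;
    int i;
    for (i = 0; i < n; i++) {
        struct hole *h = alloc_hole();
        if (h == NULL) {
            free_holes(list);
            return -1;                      /* drop the option, do not spin */
        }
        h->start = blk[i].start;
        h->end = blk[i].end;
        h->next = list;
        list = h;
    }
    free_holes(list);
    return i;
}

/* Drive either version on three constructed SACK blocks, with the allocator
 * failing or not. Returns the processor's result; last_alloc_calls() tells
 * how hard it tried. */
int run_sack(int (*proc)(const struct sack_block *, int), int out_of_memory)
{
    static const struct sack_block blocks[] = { {100, 200}, {300, 400}, {500, 600} };
    alloc_should_fail = out_of_memory;
    alloc_calls = 0;
    int r = proc(blocks, 3);
    alloc_should_fail = 0;
    return r;
}

unsigned last_alloc_calls(void) { return alloc_calls; }

int main(void)
{
    printf("buggy, memory ok:  %d blocks\n", run_sack(process_sack_buggy, 0));
    printf("buggy, no memory:  %d (alloc attempts %u)\n", run_sack(process_sack_buggy, 1), last_alloc_calls());
    printf("fixed, no memory:  %d (alloc attempts %u)\n", run_sack(process_sack_fixed, 1), last_alloc_calls());
    return 0;
}
```

Both versions return -1 under memory exhaustion; the difference is that the buggy one makes ten thousand allocation attempts before the guard stops it, while the fixed one makes one and returns. The review question for any such loop is whether every path through the body either advances the loop variable or leaves the loop.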

Gentoo: LibAST — privilege escalation
January 29, 2006

Gentoo’s advisory states:

A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.

Gentoo: Paros — default administrator password
January 29, 2006

Gentoo’s advisory states:

Paros’s database component is installed without a password, allowing execution of arbitrary system commands.

Gentoo: MyDNS — denial of service
January 30, 2006

Gentoo’s advisory states:

MyDNS contains a vulnerability that may lead to a Denial of Service attack.

Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml — heap overflows
January 30, 2006

Gentoo’s advisory states:

Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.

Mandriva: Updated bzip2 packages fix bzgrep vulnerabilities
January 30, 2006

Mandriva’s advisory states:

A bug was found in the way that bzgrep processed file names. If a user could be tricked into running bzgrep on a file with a special file name, it would be possible to execute arbitrary code with the privileges of the user running bzgrep. As well, the bzip2 package provided with Mandriva Linux 2006 did not have the patch applied to correct CVE-2005-0953 which was previously fixed by MDKSA-2005:091; those packages are now properly patched. The updated packages have been patched to correct these problems.

Mandriva: Updated gzip packages fix zgrep vulnerabilities
January 30, 2006

Mandriva’s advisory states:

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. This was previously corrected in MDKSA-2005:092, however the fix was incomplete. These updated packages provide a more comprehensive fix to the problem.
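The bzgrep and zgrep bugs above are one class: a file name spliced verbatim into an interpreted script. The original injection target was a sed script; the C program below is an added illustration of the same class using a shell command string, not code from gzip or bzip2. It shows the unquoted builder, a naive "wrap it in quotes" fix that an embedded quote defeats (the shape of an incomplete first patch), and a builder that escapes properly, with a small tokeniser that reports whether an injected separator would still reach the shell. The file names and the `grep -- needle` command are constructed for the demo:

```c
#include <stdio.h>
#include <string.h>

/* Quote src for /bin/sh by wrapping it in single quotes; each embedded '
 * becomes '\'' (close the quotes, one escaped quote, reopen). Inside single
 * quotes nothing else is special to the shell. Returns the length written,
 * or -1 if dst cannot hold the result. */
int shell_single_quote(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    const char *p;
#define PUT(ch) do { if (n + 1 >= dstlen) return -1; dst[n++] = (ch); } while (0)
    PUT('\'');
    for (p = src; *p; p++) {
        if (*p == '\'') { PUT('\''); PUT('\\'); PUT('\''); PUT('\''); }
        else            PUT(*p);
    }
    PUT('\'');
#undef PUT
    dst[n] = '\0';
    return (int)n;
}

/* Vulnerable builder: the file name is interpolated as-is, so a name such as
 * "x; touch /tmp/pwned" ends the grep and starts a second command. */
int build_grep_unsafe(const char *pattern, const char *fname, char *out, size_t n)
{
    int len = snprintf(out, n, "grep -- %s %s", pattern, fname);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Incomplete fix: wrap in quotes but do not escape quotes inside the name,
 * so a name like "x'; id; '" closes the quotes and breaks out. */
int build_grep_naive_quote(const char *pattern, const char *fname, char *out, size_t n)
{
    int len = snprintf(out, n, "grep -- '%s' '%s'", pattern, fname);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Proper builder: every untrusted argument goes through shell_single_quote.
 * Better still is to skip the string entirely and execvp() grep with an argv
 * array, which has no quoting to get wrong. */
int build_grep_quoted(const char *pattern, const char *fname, char *out, size_t n)
{
    char qp[512], qf[512];
    if (shell_single_quote(pattern, qp, sizeof qp) < 0 ||
        shell_single_quote(fname, qf, sizeof qf) < 0)
        return -1;
    int len = snprintf(out, n, "grep -- %s %s", qp, qf);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Minimal shell tokeniser for the demo: 1 if a ; | or & sits outside single
 * quotes, i.e. sh would treat it as a command separator. Handles the two
 * constructs the builders above can emit: '...' and a backslash-escaped
 * character outside quotes. */
int has_unquoted_separator(const char *cmd)
{
    int in_quote = 0;
    for (const char *p = cmd; *p; p++) {
        if (in_quote) { if (*p == '\'') in_quote = 0; }
        else if (*p == '\\' && p[1]) p++;           /* skip the escaped char */
        else if (*p == '\'') in_quote = 1;
        else if (*p == ';' || *p == '|' || *p == '&') return 1;
    }
    return 0;
}

/* 1 if the command a builder produces for fname still carries an injected
 * separator, 0 if the name was neutralised, -1 on builder error. */
int injection_survives(int (*builder)(const char *, const char *, char *, size_t),
                       const char *fname)
{
    char cmd[1024];
    if (builder("needle", fname, cmd, sizeof cmd) < 0)
        return -1;
    return has_unquoted_separator(cmd);
}

/* 1 if quoting src yields exactly expected (pins the escaping rule). */
int quotes_to(const char *src, const char *expected)
{
    char buf[256];
    return shell_single_quote(src, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("unsafe, 'x; touch /tmp/pwned':  %d\n", injection_survives(build_grep_unsafe, "x; touch /tmp/pwned"));
    printf("naive quotes, \"x'; id; '\":      %d\n", injection_survives(build_grep_naive_quote, "x'; id; '"));
    printf("escaped quotes, \"x'; id; '\":    %d\n", injection_survives(build_grep_quoted, "x'; id; '"));
    return 0;
}
```

The naive builder stops the first payload and not the second, which is the pattern the advisory describes as an incomplete fix. Escaping works when it is complete, but the robust answer is not to build an interpreted string from untrusted input at all: pass the file name as its own argv element, or, for a sed script, feed the name to sed as data rather than as program text.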

Mandriva: Updated php packages fix XSS and response splitting vulnerabilities
February 1, 2006

Mandriva’s advisory states:

Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. (CVE-2006-0207) Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in “certain error conditions.” (CVE-2006-0208).
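Response splitting works because a CR LF pair inside a header value is emitted verbatim, so the client parses whatever follows as a further header (or, with a blank line, as a second response). The C program below is an added illustration of the mechanism and of the check that stops it, not code from PHP's ext/session or header(); the cookie name sid and the injected value are constructed for the demo:

```c
#include <stdio.h>
#include <string.h>

/* A header value may not contain CR or LF. Refuse rather than try to repair:
 * stripping or encoding invites a second bug in the repair code. */
int header_value_is_safe(const char *v)
{
    for (; *v; v++)
        if (*v == '\r' || *v == '\n')
            return 0;
    return 1;
}

/* Vulnerable emitter: the value goes straight into the header line. */
int emit_set_cookie_unsafe(const char *name, const char *value, char *out, size_t n)
{
    int len = snprintf(out, n, "Set-Cookie: %s=%s\r\n", name, value);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hardened emitter: validate both name and value before building the line. */
int emit_set_cookie_safe(const char *name, const char *value, char *out, size_t n)
{
    if (!header_value_is_safe(name) || !header_value_is_safe(value))
        return -1;
    return emit_set_cookie_unsafe(name, value, out, n);
}

/* What a client does with the bytes: split on CR LF and count header lines.
 * Two lines out of one Set-Cookie call means the response was split. */
int count_header_lines(const char *block)
{
    int lines = 0;
    const char *p = block;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) { lines++; break; }
        if (eol != p) lines++;          /* an empty line ends the headers, it is not one */
        p = eol + 2;
    }
    return lines;
}

/* Header lines the unsafe emitter produces for a cookie value, or -1. */
int unsafe_lines_for(const char *value)
{
    char out[512];
    if (emit_set_cookie_unsafe("sid", value, out, sizeof out) < 0)
        return -1;
    return count_header_lines(out);
}

/* Header lines the safe emitter produces, or -1 if it refused the value. */
int safe_lines_for(const char *value)
{
    char out[512];
    if (emit_set_cookie_safe("sid", value, out, sizeof out) < 0)
        return -1;
    return count_header_lines(out);
}

int main(void)
{
    const char *evil = "abc\r\nSet-Cookie: admin=1";     /* constructed injected value */
    printf("unsafe emitter, injected value: %d header lines\n", unsafe_lines_for(evil));
    printf("safe emitter,   injected value: %d (refused)\n", safe_lines_for(evil));
    printf("safe emitter,   normal value:   %d header line\n", safe_lines_for("abc"));
    return 0;
}
```

The same check applies to every header-building API, Location and Set-Cookie most often, and it must run on the decoded value: `%0d%0a` in a URL parameter is already a CR LF by the time it reaches the header code.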

Mandriva: Updated libast packages fix buffer overflow vulnerability
February 2, 2006

Mandriva’s advisory states:

Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.

Mandriva: Updated poppler packages fix heap-based buffer overflow vulnerability
February 2, 2006

Mandriva’s advisory states:

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.

Mandriva: Updated kdegraphics packages fix heap-based buffer overflow vulnerability
February 2, 2006

Mandriva’s advisory states:

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.

Mandriva: Updated xpdf packages fix heap-based buffer overflow vulnerability
February 2, 2006

Mandriva’s advisory states:

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.

Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
February 2, 2006

Mandriva’s advisory states:

OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.

Red Hat: gd security update
February 1, 2006

Red Hat’s advisory states:

Several buffer overflow flaws were found in the way gd allocates memory. An attacker could create a carefully crafted image that could execute arbitrary code if opened by a victim using a program linked against the gd library. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0941 to these issues.
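This gd item and the xpdf Splash.cc items above (and their poppler, kdegraphics, pdfkit and pdftohtml copies) are one bug class: a buffer size computed from attacker-controlled image dimensions, with no check that the arithmetic stays in range or that the image fits the bitmap it is drawn into. The C program below is an added illustration of that class and of the checks that close it, not code from xpdf, gd or any of the packages; the 256 MiB cap and the sample dimensions are choices made for the demo:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BITMAP_BYTES ((size_t)256 << 20)   /* 256 MiB sanity cap, chosen for the demo */

/* Vulnerable shape: width * height * bytes-per-pixel in 32-bit arithmetic.
 * 65536 x 32768 at 2 bytes per pixel is exactly 2^32 and wraps to 0: the
 * allocation "succeeds", then every pixel decoded afterwards lands outside it. */
uint32_t wrapped_bitmap_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened shape: reject non-positive dimensions, check each multiplication
 * against the cap before doing it, and bound the total. Returns 1 and sets
 * *out, or 0 if the size is hostile. */
int checked_bitmap_size(int width, int height, int bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bpp;
    if (w > MAX_BITMAP_BYTES / b)            /* w*b would pass the cap */
        return 0;
    if (h > MAX_BITMAP_BYTES / (w * b))      /* w*b*h would pass the cap */
        return 0;
    *out = w * h * b;
    return 1;
}

/* Same check as a plain value: the size, or 0 when rejected (a real bitmap is
 * never 0 bytes). */
size_t checked_size_or_zero(int width, int height, int bpp)
{
    size_t n;
    return checked_bitmap_size(width, height, bpp, &n) ? n : 0;
}

/* The Splash.cc reports concern an image drawn at a position and size that
 * exceed the destination bitmap. Check the fit without computing x + w,
 * which can itself overflow on hostile input. */
int image_fits(int dst_w, int dst_h, int x, int y, int img_w, int img_h)
{
    if (dst_w < 0 || dst_h < 0 || x < 0 || y < 0 || img_w <= 0 || img_h <= 0)
        return 0;
    return img_w <= dst_w - x && img_h <= dst_h - y;
}

/* Allocate only when the size survives the check; a crafted header gets NULL
 * back, not a buffer that is too small for what follows. */
unsigned char *alloc_bitmap(int width, int height, int bpp)
{
    size_t bytes;
    if (!checked_bitmap_size(width, height, bpp, &bytes))
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    printf("65536x32768x2 in 32 bits:      %u bytes\n", wrapped_bitmap_size(65536, 32768, 2));
    printf("65536x32768x2 checked:         %zu (0 = rejected)\n", checked_size_or_zero(65536, 32768, 2));
    printf("640x480x4 checked:             %zu\n", checked_size_or_zero(640, 480, 4));
    printf("20x10 at (90,0) in 100x100:    %d\n", image_fits(100, 100, 90, 0, 20, 10));
    return 0;
}
```

Two independent checks are needed: one on the allocation arithmetic (the gd report) and one on placement against the bitmap that already exists (the Splash.cc report). Passing the first does not imply the second; a correctly sized image drawn at a hostile offset still writes past the destination.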

Red Hat: kernel security update
February 1, 2006

Red Hat’s advisory states:

These new kernel packages contain fixes for the security issues described below:
– a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate)

– a race condition that allowed local users to read the environment variables of another process (CVE-2004-1058, low)

– a flaw in the open_exec function of execve that allowed a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073, moderate). Red Hat originally reported this flaw as being fixed by RHSA-2004:504, but a patch for this issue was missing from that update. (More…)

Red Hat: firefox security update
February 2, 2006

Red Hat’s advisory states:

moz_bug_r_a4 discovered a bug in Firefox’s XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user’s localstore.rdf file, which can cause Firefox to execute arbitrary javascript when a user runs Firefox. (CVE-2006-0296)

Red Hat: mozilla security update
February 2, 2006

Red Hat’s advisory states:

moz_bug_r_a4 discovered a bug in Mozilla’s XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user’s localstore.rdf file, which can cause Mozilla to execute arbitrary javascript when a user runs Mozilla. (CVE-2006-0296)

Please send security advisories and notices to editors@ostg.com for inclusion in the Linux.com weekly security update.
