[Bug 245769] [NEW] [CVE-2008-2955, -2956, -2957] Pidgin denial of service vulnerabilities

2008-07-05 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: pidgin

CVE-2008-2955 description:

"Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2955

CVE-2008-2956 description:

"Memory leak in Pidgin 2.0.0, and possibly other versions, allows remote
attackers to cause a denial of service (memory consumption) via
malformed XML documents."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2956

CVE-2008-2957 description:

"The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
allows remote attackers to trigger the download of arbitrary files and
cause a denial of service (memory or disk consumption) via a UDP packet
that specifies an arbitrary URL."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2957

** Affects: pidgin (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2955

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2956

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2957

-- 
[CVE-2008-2955, -2956, -2957] Pidgin denial of service vulnerabilities
https://bugs.launchpad.net/bugs/245769
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 245769] Re: [CVE-2008-2955, -2956, -2957] Pidgin denial of service vulnerabilities

2008-07-05 Thread Alexander Konovalenko
Adding CVE links: CVE-2008-2955, CVE-2008-2956, CVE-2008-2957

-- 
[CVE-2008-2955, -2956, -2957] Pidgin denial of service vulnerabilities
https://bugs.launchpad.net/bugs/245769


[Bug 245770] [NEW] [CVE-2008-2927] MSN integer overflow in Pidgin

2008-07-05 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: pidgin

CVE-2008-2927 is a remote buffer overflow vulnerability in the MSN
protocol handler. Apparently it can lead to arbitrary code execution.
It's not yet in the public vulnerability databases, so please see the
Debian bug for reference: . I think it is the same issue as described
in this Bugtraq post
.

** Affects: pidgin (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: pidgin (Debian)
 Importance: Unknown
 Status: New

** Affects: pidgin (Fedora)
 Importance: Unknown
 Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #488632
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488632

** Also affects: pidgin (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488632
   Importance: Unknown
   Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2927

-- 
[CVE-2008-2927] MSN integer overflow in Pidgin
https://bugs.launchpad.net/bugs/245770


[Bug 245770] Re: [CVE-2008-2927] MSN integer overflow in Pidgin

2008-07-05 Thread Alexander Konovalenko
Adding a CVE reference: CVE-2008-2927

-- 
[CVE-2008-2927] MSN integer overflow in Pidgin
https://bugs.launchpad.net/bugs/245770


[Bug 245770] Re: [CVE-2008-2927] MSN integer overflow in Pidgin

2008-07-05 Thread Alexander Konovalenko
Here is a description from the Red Hat bug:

"An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2927

** Also affects: pidgin (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2927
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-2927] MSN integer overflow in Pidgin
https://bugs.launchpad.net/bugs/245770


[Bug 245774] [NEW] Wireshark 1.0.1 fixes multiple vulnerabilities

2008-07-05 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: wireshark

Wireshark 1.0.1 fixes multiple security issues in the previous releases.

* The GSM SMS dissector could crash
* The PANA and KISMET dissectors could force Wireshark to quit unexpectedly
* The RTMPT dissector could crash
* The RMI dissector could disclose system memory
* The syslog dissector could crash

See the upstream advisory wnpa-sec-2008-03 at
.

I couldn't find any CVE numbers for these problems. Please add them to
this bug if you know them.

** Affects: wireshark (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
Wireshark 1.0.1 fixes multiple vulnerabilities
https://bugs.launchpad.net/bugs/245774


[Bug 235829] Security implications of this crash

2008-07-05 Thread Alexander Konovalenko
On Fri, Jun 27, 2008 at 23:08, Kees Cook wrote:
>
> Thanks for the bug report.  This is actually not a security problem, but
> rather an unusual looking crash in the heap, and has already been
> reported.  I am marking this as a duplicate.  Please feel free to report
> any other issues you might find.

Kees, thanks for your comment.

Do you mean it is not exploitable so that arbitrary code execution is
impossible?

If a user opens a malicious playlist file, the worst that can happen
is that her Rhythmbox would just crash. Is that correct?

References:
https://bugs.launchpad.net/ubuntu/+source/rhythmbox/+bug/243488 (duplicate)
https://bugs.launchpad.net/ubuntu/+source/rhythmbox/+bug/235829

-- 
Rhythmbox crashed with SIGSEGV importing PLS file exported by Rhythmbox
https://bugs.launchpad.net/bugs/235829


[Bug 245934] [NEW] [CVE-2008-2371] Heap overflow in PCRE leading to arbitrary code execution

2008-07-05 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2371 description from Debian security advisory DSA-1602-1:

"Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular
Expression library, may encounter a heap overflow condition when
compiling certain regular expressions involving in-pattern options and
branches, potentially leading to arbitrary code execution."

http://www.debian.org/security/2008/dsa-1602

** Affects: pcre3 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: pcre3 (Debian)
 Importance: Unknown
 Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #488919
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488919

** Also affects: pcre3 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488919
   Importance: Unknown
   Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2371

-- 
[CVE-2008-2371] Heap overflow in PCRE leading to arbitrary code execution
https://bugs.launchpad.net/bugs/245934


[Bug 253767] [NEW] [CVE-2008-3230] ffmpeg crash in lavf demuxer via a crafted GIF file

2008-07-31 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: ffmpeg

CVE-2008-3230 description:

"The ffmpeg lavf demuxer allows user-assisted attackers to cause a
denial of service (application crash) via a crafted GIF file, possibly
related to gstreamer, as demonstrated by lol-giftopnm.gif."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3230

More information is available in the referenced bugs (see).

** Affects: ffmpeg
 Importance: Unknown
 Status: Incomplete

** Affects: ffmpeg (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Bug watch added: roundup.mplayerhq.hu/roundup/ffmpeg/ #530
   https://roundup.mplayerhq.hu/roundup/ffmpeg/issue530

** Also affects: ffmpeg via
   https://roundup.mplayerhq.hu/roundup/ffmpeg/issue530
   Importance: Unknown
   Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3230

-- 
[CVE-2008-3230] ffmpeg crash in lavf demuxer via a crafted GIF file
https://bugs.launchpad.net/bugs/253767


[Bug 253767] Re: [CVE-2008-3230] ffmpeg crash in lavf demuxer via a crafted GIF file

2008-07-31 Thread Alexander Konovalenko
Hmm, I can't add a reference to the Gnome bug, so I'll paste it here
along with another link:

http://bugzilla.gnome.org/show_bug.cgi?id=542643
http://www.openwall.com/lists/oss-security/2008/07/13/3

-- 
[CVE-2008-3230] ffmpeg crash in lavf demuxer via a crafted GIF file
https://bugs.launchpad.net/bugs/253767


[Bug 253782] [NEW] [CVE-2008-3215] ClamAV Petite DoS not fixed until 0.93.3

2008-07-31 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: clamav

CVE-2008-3215 description:

"libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to
cause a denial of service via a malformed Petite file that triggers an
out-of-bounds memory access. NOTE: this issue exists because of an
incomplete fix for CVE-2008-2713."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3215

** Affects: clamav (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3215

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2713

-- 
[CVE-2008-3215] ClamAV Petite DoS not fixed until 0.93.3
https://bugs.launchpad.net/bugs/253782


[Bug 224945] Re: [SRU] memory leaks in apache2 when running mod_ssl

2008-07-31 Thread Alexander Konovalenko
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1678

-- 
[SRU] memory leaks in apache2 when running mod_ssl
https://bugs.launchpad.net/bugs/224945


[Bug 253787] [NEW] [CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in fs/namespace.c)

2008-07-31 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: linux-source-2.6.20

CVE-2008-2931 description:

"The do_change_type function in fs/namespace.c in the Linux kernel
before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN
capability, which allows local users to gain privileges or cause a
denial of service by modifying the properties of a mountpoint."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2931

Dapper and Feisty might be affected.

** Affects: linux-source-2.6.15 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.20 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Also affects: linux-source-2.6.15 (Ubuntu)
   Importance: Undecided
   Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2931

-- 
[CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in fs/namespace.c)
https://bugs.launchpad.net/bugs/253787


[Bug 245774] Re: Wireshark 1.0.1 fixes multiple vulnerabilities

2008-07-31 Thread Alexander Konovalenko
Here are the CVE numbers for the vulnerabilities fixed in Wireshark 1.0.1:
CVE-2008-3137 (GSM SMS dissector)
CVE-2008-3138 (PANA and KISMET dissectors)
CVE-2008-3139 (RTMPT dissector)
CVE-2008-3141 (RMI dissector)
CVE-2008-3140 (syslog dissector)

Wireshark 1.0.2 fixes another vulnerability:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3145
http://www.wireshark.org/security/wnpa-sec-2008-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2470

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3137

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3138

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3139

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3140

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3141

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3145

** Summary changed:

- Wireshark 1.0.1 fixes multiple vulnerabilities
+ Wireshark 1.0.2 fixes multiple vulnerabilities

** Description changed:

  Binary package hint: wireshark
  
  Wireshark 1.0.1 fixes multiple security issues in the previous releases.
  
  * The GSM SMS dissector could crash
  * The PANA and KISMET dissectors could force Wireshark to quit unexpectedly
  * The RTMPT dissector could crash
  * The RMI dissector could disclose system memory
  * The syslog dissector could crash
  
  See the upstream advisory wnpa-sec-2008-03 at
  .
  
- I couldn't find any CVE numbers for these problems. Please add them to
- this bug if you know them.
+ Please see the update in the comments.

-- 
Wireshark 1.0.2 fixes multiple vulnerabilities
https://bugs.launchpad.net/bugs/245774


[Bug 253804] [NEW] Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more

2008-07-31 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

There's an exploit published on July 8, 2008 at
http://www.milw0rm.com/exploits/6029 that says:

"Malicious SVG file DoS

The following applications were tested in their latest revisions:
Firefox's "browse for file, preview" object on linux: affected
evince on linux: affected
eog on linux: affected
gimp on linux: affected
inkscape on linux: unaffected
Microsoft Visio on windows: unaffected

It is unknown at this time whether code execution is possible..."

Unfortunately I currently lack the resources to verify the existence of
the vulnerability.

WARNING: the .zip file might harm your computer. Don't open it on your
normal machine.

A more or less safe way to test it would be to physically disconnect any
important devices (all hard disks, network connections to any networks
that trust your machine, etc.) and to boot from a live CD. But you
should still know what you're doing.

** Affects: eog (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: evince (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: firefox (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: firefox-3.0 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: gimp (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Changed in: firefox-3.0 (Ubuntu)
Sourcepackagename: None => firefox-3.0

** Also affects: firefox (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: evince (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: eog (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: gimp (Ubuntu)
   Importance: Undecided
   Status: New

-- 
Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more
https://bugs.launchpad.net/bugs/253804


Re: [Bug 253804] Re: Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more

2008-07-31 Thread Alexander Konovalenko
On Fri, Aug 1, 2008 at 05:01, Kees Cook wrote:
> I cannot reproduce this on any of the linked packages.  Have you seen
> actual crashes?

No, I didn't test it at all because I've got only one machine and it's
in production use right now. I will post an update if I can reproduce
it. I've also posted the link to oss-security in case anybody is
interested in checking whether it is a fake or not.

-- 
Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more
https://bugs.launchpad.net/bugs/253804


[Bug 253804] Re: Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more

2008-07-31 Thread Alexander Konovalenko
** Description changed:

- There's an exploit published on July 8, 2008 at
+ There's an proof-of-concept exploit published on July 8, 2008 at
  http://www.milw0rm.com/exploits/6029 that says:
  
  "Malicious SVG file DoS
  
  The following applications were tested in their latest revisions:
  Firefox's "browse for file, preview" object on linux: affected
  evince on linux: affected
  eog on linux: affected
  gimp on linux: affected
  inkscape on linux: unaffected
  Microsoft Visio on windows: unaffected
  
  It is unknown at this time whether code execution is possible..."
  
  Unfortunately I currently lack the resources to verify the existence of
  the vulnerability.
  
  WARNING: the .zip file might harm your computer. Don't open it on your
  normal machine.
  
  A more or less safe way to test it would be to physically disconnect any
  important devices (all hard disks, network connections to any networks
  that trust your machine, etc.) and to boot from a live CD. But you
  should still know what you're doing.
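Review bot: the `+` line "There's an proof-of-concept exploit published on July 8, 2008 at" uses the wrong article; it should read "a proof-of-concept exploit". The following description change in this thread replaces the line with "an alleged proof-of-concept exploit", which also settles the article.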

-- 
Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more
https://bugs.launchpad.net/bugs/253804


[Bug 253804] Re: Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more

2008-07-31 Thread Alexander Konovalenko
** Description changed:

- There's an proof-of-concept exploit published on July 8, 2008 at
+ There's an alleged proof-of-concept exploit published on July 8, 2008 at
  http://www.milw0rm.com/exploits/6029 that says:
  
  "Malicious SVG file DoS
  
  The following applications were tested in their latest revisions:
  Firefox's "browse for file, preview" object on linux: affected
  evince on linux: affected
  eog on linux: affected
  gimp on linux: affected
  inkscape on linux: unaffected
  Microsoft Visio on windows: unaffected
  
  It is unknown at this time whether code execution is possible..."
  
  Unfortunately I currently lack the resources to verify the existence of
  the vulnerability.
  
  WARNING: the .zip file might harm your computer. Don't open it on your
  normal machine.
  
  A more or less safe way to test it would be to physically disconnect any
  important devices (all hard disks, network connections to any networks
  that trust your machine, etc.) and to boot from a live CD. But you
  should still know what you're doing.

-- 
Possible SVG vulnerability affecting Firefox, evince, eog, Gimp and more
https://bugs.launchpad.net/bugs/253804


[Bug 322196] [NEW] Untrusted search path vulnerability in Python and multiple other programs

2009-01-27 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: python2.5

There's an interesting bug (or feature?) in Python 2.5 and earlier that
affects multiple applications using Python. The bug allows local or
user-assisted remote arbitrary code execution. Here is the description
of the Python CVE:

"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."

Affected packages are, at least:

CVE-2008-4863 - Blender (already fixed in Ubuntu, I think) 
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric

I'm not sure which versions of these packages and which Ubuntu releases
are actually affected, though.

Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2

** Affects: csound (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: dia (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: eog (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: epiphany (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: gedit (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: gnumeric (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: nautilus (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: python2.4 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: python2.5 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: vim (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: xchat (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5983

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5984

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5985

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5986

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5987

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0314

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0315

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0316

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0317

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0318

-- 
Untrusted search path vulnerability in Python and multiple other programs
https://bugs.launchpad.net/bugs/322196
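The sys.path behaviour quoted in the CVE text above, as an added example that is not part of the bug report and not CPython's own code: it models the argv[0] rule the CVE describes, finds the sys.path entries that make the current working directory importable, lists files in that directory that would shadow the modules an embedded script imports, and strips the offending entries. The argv[0] values, the path list and the stand-in os.py file are constructed for the demonstration.

```python
import os
import shutil
import sys
import tempfile


def argv0_path_entry(argv0, sep=os.sep):
    """Entry that the pre-fix PySys_SetArgv logic prepends to sys.path for
    argv[0], as described in the CVE text (a model, not the CPython source):
    no path separator -> '' (resolved against the current working directory
    at every import, the CVE-2008-5983 case); otherwise the directory of argv[0].
    """
    if sep not in argv0:
        return ""
    return os.path.dirname(argv0)


def cwd_entries(path_entries, cwd):
    """Indices of entries that make `cwd` importable: '' and anything that
    resolves to cwd when interpreted the way the import system does
    (relative entries are relative to the current working directory)."""
    cwd_real = os.path.realpath(cwd)
    hits = []
    for index, entry in enumerate(path_entries):
        if entry == "" or os.path.realpath(os.path.join(cwd, entry)) == cwd_real:
            hits.append(index)
    return hits


def harden_path(path_entries, cwd):
    """Copy of path_entries with the cwd entries removed.  This is the
    mitigation an embedding application can apply right after interpreter
    start-up; later CPython releases added PySys_SetArgvEx() with an
    updatepath flag so that the entry is never added in the first place."""
    drop = set(cwd_entries(path_entries, cwd))
    return [entry for index, entry in enumerate(path_entries) if index not in drop]


def shadowed_modules(cwd, module_names):
    """Names from module_names for which cwd holds a <name>.py or
    <name>/__init__.py; while cwd sits on sys.path ahead of the standard
    library, these files win the import instead of the real module."""
    found = []
    for name in module_names:
        if os.path.isfile(os.path.join(cwd, name + ".py")) or os.path.isfile(
            os.path.join(cwd, name, "__init__.py")
        ):
            found.append(name)
    return found


def demo():
    """Constructed scenario: a program launched as plain 'gedit' (no path
    separator) from a directory that carries a harmless stand-in os.py.
    Returns the findings as a dict so they can be inspected or asserted on."""
    workdir = tempfile.mkdtemp()
    try:
        with open(os.path.join(workdir, "os.py"), "w") as handle:
            handle.write("# constructed stand-in for a Trojan horse module\n")
        entry = argv0_path_entry("gedit", sep="/")
        # constructed path list: the argv[0] entry plus one library directory
        path = [entry, "/usr/lib/python2.5"]
        return {
            "entry": entry,
            "cwd_indices": cwd_entries(path, workdir),
            "shadowed": shadowed_modules(workdir, ["os", "sys", "plugins"]),
            "hardened": harden_path(path, workdir),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    # Report the constructed scenario, then audit the live interpreter.
    print(demo())
    print("cwd entries in this interpreter's sys.path:",
          cwd_entries(sys.path, os.getcwd()))
```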


[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs

2009-01-27 Thread Alexander Konovalenko
Adding CVE references: CVE-2008-5983, CVE-2008-5984, CVE-2008-5985, 
CVE-2008-5986, CVE-2008-5987, 
CVE-2009-0314, CVE-2009-0315, CVE-2009-0316, CVE-2009-0317, CVE-2009-0318

** Also affects: python2.4 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: dia (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: epiphany (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: csound (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: eog (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: gedit (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: xchat (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: vim (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: nautilus (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: gnumeric (Ubuntu)
   Importance: Undecided
   Status: New

-- 
Untrusted search path vulnerability in Python and multiple other programs
https://bugs.launchpad.net/bugs/322196


[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs

2009-01-30 Thread Alexander Konovalenko
According to these links (provided by Jan Lieskovsky in the thread referenced 
above), Python 2.6 is affected as well.
http://www.openwall.com/lists/oss-security/2009/01/28/5
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

** Description changed:

- Binary package hint: python2.5
- 
- There's an interesting bug (or feature?) in Python 2.5 and earlier that
+ There's an interesting bug (or feature?) in Python 2.6 and earlier that
  affects multiple applications using Python. The bug allows local or
  user-assisted remote arbitrary code execution. Here is the description
  of the Python CVE:
  
  "Untrusted search path vulnerability in the PySys_SetArgv API function
  in Python before 2.6 prepends an empty string to sys.path when the
  argv[0] argument does not contain a path separator, which might allow
  local users to execute arbitrary code via a Trojan horse Python file
  in the current working directory."
+ 
+ (Python 2.6 is vulnerable, too. See the comments.)
  
  Affected packages are, at least:
  
  CVE-2008-4863 - Blender (already fixed in Ubuntu, I think) 
  CVE-2008-5983 - Python
  CVE-2008-5984 - Dia
  CVE-2008-5985 - Epiphany
  CVE-2008-5986 - Csound
  CVE-2008-5987 - eog
  CVE-2009-0314 - gedit
  CVE-2009-0315 - xchat
  CVE-2009-0316 - vim
  CVE-2009-0317 - Nautilus
  CVE-2009-0318 - Gnumeric
  
  I'm not sure which versions of these packages and which Ubuntu releases
  are actually affected, though.
  
  Source and more information:
  oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2

-- 
Untrusted search path vulnerability in Python and multiple other programs
https://bugs.launchpad.net/bugs/322196


[Bug 321460] Re: alacarte crashed with SIGSEGV in g_closure_invoke()

2009-01-30 Thread Alexander Konovalenko
I failed to reproduce this crash on my Hardy, so there's little point in
testing it on Intrepid.

-- 
alacarte crashed with SIGSEGV in g_closure_invoke()
https://bugs.launchpad.net/bugs/321460


[Bug 339834] [NEW] CVE-2009-0653: OpenSSL does not verify the Basic Constraints for an intermediate CA-signed certificate

2009-03-09 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openssl

CVE-2009-0653 description from the NVD:

"OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
intermediate CA-signed certificate, which allows remote attackers to
spoof the certificates of trusted sites via a man-in-the-middle attack,
a related issue to CVE-2002-0970."

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0653

Ubuntu security tracker:
http://people.ubuntu.com/~ubuntu-security/cve/2009/CVE-2009-0653.html

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0653

** Visibility changed to: Public

-- 
CVE-2009-0653: OpenSSL does not verify the Basic Constraints for an intermediate CA-signed certificate
https://bugs.launchpad.net/bugs/339834


[Bug 128932] Re: Google Suggest drop-down list too narrow in Firefox

2008-10-18 Thread Alexander Konovalenko
In Firefox 3.0 this bug is alleviated by the feature that allows you to
change the width of the search field manually. However, there is no
reason why you should expand the search field manually every time you
enter a query that triggers long suggestions, and then revert its size
to leave room for the page URL.

This bug should be fixed the same way as was suggested for Firefox 2,
namely by making the suggestions drop-down accommodate its content width
dynamically.

** Also affects: firefox-3.0 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
Google Suggest drop-down list too narrow in Firefox
https://bugs.launchpad.net/bugs/128932


[Bug 275560] [NEW] Gnome Screensaver should optionally disable audio input and output

2008-09-28 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: gnome-screensaver

This is an enhancement request related to a low-risk security
vulnerability. Nothing serious, but it would still be nice to have this
implemented.

Currently you can password-protect your screen and input devices like
keyboard and mouse using the Gnome Screensaver. This is useful when you
need to leave the computer unattended for a while in a moderately
insecure environment. But the audio input/output is not locked by the
screensaver and that opens up a vulnerability.

Here is a use case.

You talk with Bob using Ekiga Softphone (an Internet telephony client).
Then you lock your computer's screen and go out for a short while. If
someone approaches your computer while you're out, they can use your
headphones and microphone and may be able to impersonate you to Bob or
hear some confidential talk that Bob intended only for you to hear.

Gnome Screensaver should have an option to control whether audio input
and output are enabled while your screen is locked.

If you are aware of the risk, an easy (albeit often inconvenient) work-
around exists: disconnect your Ekiga call before leaving — and generally
make sure that running programs neither use the audio input from the
microphone nor emit any confidential sounds. If the user doesn't have a
security mindset, however, there is a chance that she won't think of
this risk at all and will remain exposed.

Although technically it is true that if the attacker can physically
access your machine you're lost from the security point of view,
actually there are many environments (like your home or maybe your
workplace) where a screensaver lock is enough to stop casual
eavesdroppers because they are not technically competent or because they
wouldn't risk to mount a more serious attack which might involve opening
up the case, connecting suspicious devices to it, etc. After all, nobody
says that the screensaver password locking feature is _useless_. If it
is useful to some extent, so will be the feature suggested here.

Feel free to copy this suggestion to the upstream bug tracker. I just
wanted to collect some feedback here first.

** Affects: gnome-screensaver (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Description changed:

  Binary package hint: gnome-screensaver
  
  This is an enhancement request related to a low-risk security
  vulnerability. Nothing serious but still would be nice to have this
  implemented.
  
  Currently you can password-protect your screen and input devices like
  keyboard and mouse using the Gnome Screensaver. This is useful when you
  need to leave the computer unattended for a while in a moderately
  insecure environment. But the audio input/output is not locked by the
  screensaver and that opens up a vulnerability.
  
  Here is a use case.
  
  You talk with Bob using Ekiga Softphone (an Internet telephony client).
  Then you lock your computer's screen and go out for a short while. If
  someone approaches your computer while you're out, they can use your
  headphones and microphone and may be able to impersonate you to Bob or
- hear some confidential talk that Bob intended only you to hear.
+ hear some confidential talk that Bob intended only for you to hear.
  
  Gnome Screensaver should have an option to control whether audio input
  and output are enabled while your screen is locked.
  
  If you are aware of the risk, an easy (albeit often inconvenient) work-
  around exists: disconnect your Ekiga call before leaving — and generally
  make sure that running programs neither use the audio input from the
  microphone nor emit any confidential sounds. If the user doesn't have a
- security mindset, there is a chance that she won't think of this risk at
- all and will be leaving Ekiga running.
+ security mindset, however, there is a chance that she won't think of
+ this risk at all and will remain exposed.
  
  Although technically it is true that if the attacker can physically
  access your machine you're lost from the security point of view,
  actually there are many environments (like your home or maybe your
  workplace) where a screensaver lock is enough to stop casual
  eavesdroppers because they are not technically competent or because they
  wouldn't risk to mount a more serious attack which might involve opening
  up the case, connecting suspicious devices to it, etc. After all, nobody
  says that the screensaver password locking feature is _useless_. If it
  is useful to some extent, so will be the feature suggested here.
  
  Feel free to copy this suggestion to the upstream bug tracker. I just
  wanted to collect some feedback here first.

-- 
Gnome Screensaver should optionally disable audio input and output
https://bugs.launchpad.net/bugs/275560

[Bug 246292] [NEW] [CVE-2008-2950] libpoppler uninitialized pointer leads to arbitrary code execution

2008-07-07 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2950 description from the oCERT advisory #2008-007:

"The poppler PDF rendering library suffers a memory management bug which
leads to arbitrary code execution.

The vulnerability is present in the Page class constructor/destructor.
The pageWidgets object is not initialized in the Page constructor if
specific conditions are met, but it is deleted afterwards in the
destructor regardless of its initialization.

Specific PDF files can be crafted which allocate arbitrary memory to
trigger the vulnerability."

http://www.ocert.org/advisories/ocert-2008-007.html

A patch is included in the advisory.

** Affects: poppler (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2950

-- 
[CVE-2008-2950] libpoppler uninitialized pointer leads to arbitrary code 
execution
https://bugs.launchpad.net/bugs/246292


[Bug 246292] Re: [CVE-2008-2950] libpoppler uninitialized pointer leads to arbitrary code execution

2008-07-07 Thread Alexander Konovalenko
Adding a CVE reference: CVE-2008-2950

-- 
[CVE-2008-2950] libpoppler uninitialized pointer leads to arbitrary code 
execution
https://bugs.launchpad.net/bugs/246292


[Bug 246702] [NEW] [CVE-2008-1447] Randomize DNS query source ports to prevent cache poisoning

2008-07-08 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: bind9

Debian issued three security advisories related to the possibility of
DNS cache poisoning in Bind 9 (DSA-1603), Bind 8 (DSA-1604) and the libc
stub resolver (DSA-1605).

Here is the description of the problem with Bind 9 from DSA-1603-1:

"Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks.  Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization.  This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult."

[...]

"Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed.  BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well.  For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1."

As described in DSA-1605-1, the glibc stub resolver hasn't been updated
yet and is still vulnerable. The advisory suggests installing a local
Bind 9 resolver, possibly in forward-only mode, as a work-around. So this
bug in package glibc is a request to make the stub resolver randomize
source ports as well, because non-technical Ubuntu users can't be
expected to configure Bind 9 on their own.

References

DSA-1603-1:
http://lists.debian.org/debian-security-announce/2008/msg00184.html
http://www.debian.org/security/2008/dsa-1603

DSA-1604-1:
http://lists.debian.org/debian-security-announce/2008/msg00185.html
http://www.debian.org/security/2008/dsa-1604

DSA-1605-1:
http://lists.debian.org/debian-security-announce/2008/msg00186.html
http://www.debian.org/security/2008/dsa-1605

** Affects: bind9 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: glibc (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1447

** Also affects: glibc (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-1447] Randomize DNS query source ports to prevent cache poisoning
https://bugs.launchpad.net/bugs/246702


[Bug 246818] [NEW] [CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby

2008-07-08 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: ruby1.8

CVE-2008-2376 description:

"Integer overflow in the rb_ary_fill function in array.c in Ruby before
revision 17756 allows context-dependent attackers to cause a denial of
service (crash) or possibly have unspecified other impact via a call to
the Array#fill method with a start (aka beg) argument greater than
ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for
other closely related integer overflows."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2376

** Affects: ruby1.8 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2376

-- 
[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby
https://bugs.launchpad.net/bugs/246818


[Bug 246819] [NEW] [CVE-2008-2374] Vulnerability in the SDP client functionality in BlueZ

2008-07-08 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2374 description:

"src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34
and bluez-utils before 3.34 versions, does not validate string length
fields in SDP packets, which allows remote SDP servers to cause a denial
of service or possibly have unspecified other impact via a crafted
length field that triggers excessive memory allocation or a buffer over-
read."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2374
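
The defect the description names is a missing bounds check on a length field, so the useful thing to show is what that check looks like in a parser. The following is an added example, not BlueZ code: a compact model of the SDP data-element encoding (one descriptor byte with the type in the high 5 bits and a size index in the low 3 bits; size indexes 5 to 7 mean a 1-, 2- or 4-byte big-endian length follows) that validates every length against the bytes actually present before slicing or recursing. The packets and the 64 KiB sanity cap are constructed assumptions.

```python
"""Bounds-checked parser for Bluetooth SDP data elements.

Added example, not BlueZ code.  Every length field is validated against
the bytes actually present (and against the enclosing sequence) before
anything is allocated or sliced, which is the check CVE-2008-2374 says
bluez-libs lacked.  The packets at the bottom are constructed.
"""

DE_NIL, DE_UINT, DE_SINT, DE_UUID, DE_TEXT, DE_BOOL, DE_SEQ, DE_ALT, DE_URL = range(9)

# Sanity cap on a single element; an assumed value, not an SDP constant.
MAX_ELEMENT_BYTES = 64 * 1024


class SdpParseError(ValueError):
    """Raised for any length that does not fit the buffer."""


def read_header(buf, off, limit):
    """Decode the descriptor at buf[off]; return (type, length, payload_off).

    `limit` is the end of the enclosing element (len(buf) at top level),
    so a nested length cannot escape its parent sequence either.
    """
    if off >= limit:
        raise SdpParseError("truncated descriptor at offset %d" % off)
    desc = buf[off]
    off += 1
    dtype, size_idx = desc >> 3, desc & 7
    if size_idx <= 4:
        length = 0 if dtype == DE_NIL else 1 << size_idx   # 1, 2, 4, 8, 16 bytes
    else:
        width = 1 << (size_idx - 5)                        # 1, 2 or 4-byte length
        if off + width > limit:
            raise SdpParseError("truncated length field at offset %d" % off)
        length = int.from_bytes(buf[off:off + width], "big")
        off += width
    # The two checks the advisory is about: refuse absurd sizes before
    # allocating, and refuse any length that runs past the data we hold.
    if length > MAX_ELEMENT_BYTES:
        raise SdpParseError("implausible element length %d" % length)
    if off + length > limit:
        raise SdpParseError("length %d exceeds %d remaining bytes"
                            % (length, limit - off))
    return dtype, length, off


def parse_element(buf, off=0, limit=None):
    """Parse one data element; return (value, offset_after_element)."""
    if limit is None:
        limit = len(buf)
    dtype, length, off = read_header(buf, off, limit)
    end = off + length
    payload = buf[off:end]
    if dtype in (DE_TEXT, DE_URL):
        return ("text", payload.decode("utf-8", "replace").rstrip("\x00")), end
    if dtype == DE_UINT:
        return ("uint", int.from_bytes(payload, "big")), end
    if dtype in (DE_SEQ, DE_ALT):
        items, pos = [], off
        while pos < end:
            item, pos = parse_element(buf, pos, end)   # children bounded by `end`
            items.append(item)
        return ("seq", items), end
    return ("raw", bytes(payload)), end


# Constructed sample packets.
GOOD_TEXT = bytes([0x25, 0x05]) + b"Hello"                  # text, 1-byte length 5
GOOD_SEQ = bytes([0x35, 0x07, 0x09, 0x00, 0x2A, 0x25, 0x02]) + b"ab"  # seq{uint16 42, "ab"}
OVERSIZED_LEN = bytes([0x25, 0xFF]) + b"Hi"                 # claims 255 bytes, has 2
HUGE_LEN = bytes([0x27]) + (0xFFFFFFFF).to_bytes(4, "big")  # 4-byte length of 4 GiB


def safe_parse(buf):
    """Parse and report: ('ok', value) or ('rejected', reason)."""
    try:
        value, _ = parse_element(buf)
        return ("ok", value)
    except SdpParseError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name, pkt in [("GOOD_TEXT", GOOD_TEXT), ("GOOD_SEQ", GOOD_SEQ),
                      ("OVERSIZED_LEN", OVERSIZED_LEN), ("HUGE_LEN", HUGE_LEN)]:
        print(name, safe_parse(pkt))
```

The two rejected packets map onto the two outcomes in the CVE text: HUGE_LEN is the "excessive memory allocation" case, caught by the size cap before any buffer is created, and OVERSIZED_LEN is the "buffer over-read" case, caught by comparing the claimed length with what remains in the packet.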

** Affects: bluez-libs (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: bluez-utils (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Also affects: bluez-utils (Ubuntu)
   Importance: Undecided
   Status: New

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2374

-- 
[CVE-2008-2374] Vulnerability in the SDP client functionality in BlueZ
https://bugs.launchpad.net/bugs/246819


[Bug 247438] [NEW] Possible vulnerability in libavformat

2008-07-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: ffmpeg

There is a possible security vulnerability in file psxstr.c of the
libavformat library. Please see
http://www.openwall.com/lists/oss-security/2008/07/09/9 for the details.

** Affects: ffmpeg
 Importance: Unknown
 Status: Unknown

** Affects: ffmpeg (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: ffmpeg-free (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: ffmpeg-debian (Debian)
 Importance: Unknown
 Status: Fix Committed

** Visibility changed to: Public

** Also affects: ffmpeg-free (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: Debian Bug tracker #489965
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489965

** Also affects: ffmpeg-debian (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489965
   Importance: Unknown
   Status: Unknown

-- 
Possible vulnerability in libavformat
https://bugs.launchpad.net/bugs/247438


[Bug 247438] Re: Possible vulnerability in libavformat

2008-07-10 Thread Alexander Konovalenko
** Bug watch added: roundup.mplayerhq.hu/roundup/ffmpeg/ #311
   https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311

** Also affects: ffmpeg via
   https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
   Importance: Unknown
   Status: Unknown

-- 
Possible vulnerability in libavformat
https://bugs.launchpad.net/bugs/247438


[Bug 247445] [NEW] Package managers vulnerable to replay and endless data attacks

2008-07-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apt

apt and possibly other Ubuntu package managers capable of downloading
packages are vulnerable to two kinds of attacks.

1. Replay attack, where an attacker, by operating a malicious mirror or by
spoofing the address of a valid mirror, serves correctly signed but outdated
package lists. As new vulnerabilities are discovered and patched, the users
who are using the malicious mirror won't be receiving any updates and will
continue running vulnerable software.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

2. Endless data attack, where an attacker serves very long files to a package
manager that uses his malicious mirror. That might prevent the package manager
from ever completing, leading to the same problem as described above. It might
also consume all disk space, preventing logging, mail delivery and other system
services from running properly.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata

There is also an entry on Ubuntu and Debian in the FAQ at
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html
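
Both attacks succeed against a client that checks only the signature, so the client-side fixes are a freshness check on the signed index and a hard cap on how much it will read. The code below is an added example, not apt's code: signature verification is taken as already passed (which is exactly the replay situation), the Release file is constructed, and the Valid-Until header, the 14-day maximum age and the 8 MiB download cap are assumptions rather than values from this report.

```python
"""Client-side checks against replay and endless-data mirrors.

Added example, not apt's code.  Signature verification is assumed to have
passed already (as it does in a replay attack): the freshness check then
rejects an index that is validly signed but old, and the size cap bounds
what an endless response can make the client read.  The Release file is
constructed; Date is a standard Release header, Valid-Until is assumed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RELEASE_FILE = """\
Origin: Ubuntu
Label: Ubuntu
Suite: hardy
Codename: hardy
Date: Tue, 08 Jul 2008 10:00:00 UTC
Valid-Until: Tue, 15 Jul 2008 10:00:00 UTC
Architectures: amd64 i386
Components: main restricted universe multiverse
"""

MAX_AGE = timedelta(days=14)       # assumed: reject indexes older than this
MAX_SKEW = timedelta(hours=1)      # assumed tolerance for a Date in the future
MAX_INDEX_BYTES = 8 * 1024 * 1024  # assumed cap for a single index download


def utc(iso_date):
    """Turn 'YYYY-MM-DD' into an aware UTC datetime (for the examples)."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def parse_release(text):
    """Parse the header fields of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(fields, now):
    """Return None if the index is acceptable, else a rejection reason.

    Valid-Until is the publisher's own expiry; the MAX_AGE rule is a
    client-side fallback for archives that do not set one.
    """
    if "Date" not in fields:
        return "no Date field"
    date = parsedate_to_datetime(fields["Date"])
    if "Valid-Until" in fields:
        until = parsedate_to_datetime(fields["Valid-Until"])
        if now > until:
            return "expired: Valid-Until %s" % until.isoformat()
    if now - date > MAX_AGE:
        return "stale: Date %s is older than %d days" % (date.isoformat(), MAX_AGE.days)
    if date - now > MAX_SKEW:
        return "Date is in the future; check the clock or the mirror"
    return None


def read_capped(chunks, limit=MAX_INDEX_BYTES):
    """Join an iterable of byte chunks, aborting once `limit` is exceeded."""
    total, parts = 0, []
    for chunk in chunks:
        total += len(chunk)
        if total > limit:
            raise ValueError("response exceeded %d bytes; aborting download" % limit)
        parts.append(chunk)
    return b"".join(parts)


def download_fits(chunks, limit=MAX_INDEX_BYTES):
    """True if the whole response was read within the cap, False if aborted."""
    try:
        read_capped(chunks, limit)
        return True
    except ValueError:
        return False


def endless_body(chunk=b"\0" * 4096):
    """Simulates a mirror that never stops sending (constructed)."""
    while True:
        yield chunk


if __name__ == "__main__":
    fields = parse_release(RELEASE_FILE)
    for when in ("2008-07-09", "2008-07-20"):
        print(when, check_freshness(fields, utc(when)) or "fresh")
    print("endless body accepted:", download_fits(endless_body(), 64 * 1024))
```

The cap is deliberately applied to the index files too, not only to packages: a Release or Packages file has a known order of magnitude, and an index that is far larger than that is a stronger signal of a hostile mirror than a large .deb would be.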

** Affects: apt (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: aptitude (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: synaptic (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Also affects: aptitude (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: synaptic (Ubuntu)
   Importance: Undecided
   Status: New

** Description changed:

  Binary package hint: apt
  
  apt and possibly other Ubuntu package managers capable of downloading
  packages are vulnerable to two kinds of attacks.
  
- 1. Replay attack, where an attacker, by operating a malicious mirror or by 
spoofing the address of a valid mirror, serves outdated packages lists which 
are correctly signed. As new vulnerabilities are discovered and patched, the 
users who are using the malicious mirror won't be receiving any updates and 
will continue running vulnerable software.
+ 1. Replay attack, where an attacker, by operating a malicious mirror or by 
spoofing the address of a valid mirror, serves correctly signed but outdated 
packages lists. As new vulnerabilities are discovered and patched, the users 
who are using the malicious mirror won't be receiving any updates and will 
continue running vulnerable software.
  See 
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
  
- 2. Endless data attacks, where an attacker serves very long files to a 
package manager that uses his malicious mirror. That might prevent the package 
manager from ever completing, leading to the same problem as described above. 
That might also consume all disk space preventing logging, mail delivery and 
other system services from running properly.
+ 2. Endless data attack, where an attacker serves very long files to a package 
manager that uses his malicious mirror. That might prevent the package manager 
from ever completing, leading to the same problem as described above. It might 
also consume all disk space preventing logging, mail delivery and other system 
services from running properly.
  See 
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata
  
  There is also an entry on Ubuntu and Debian in the FAQ at
  http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html

-- 
Package managers vulnerable to replay and endless data attacks
https://bugs.launchpad.net/bugs/247445


[Bug 247445] Re: Package managers vulnerable to replay and endless data attacks

2008-07-10 Thread Alexander Konovalenko
See also this post in the CERT vulnerability analysis blog: 
http://www.cert.org/blogs/vuls/2008/07/using_package_managers.html
They have assigned a vulnerability number to this issue (VU#230187) but it 
doesn't seem to be public yet.

-- 
Package managers vulnerable to replay and endless data attacks
https://bugs.launchpad.net/bugs/247445


[Bug 235912] Re: [CVE-2008-1105] Samba: boundary failure when parsing SMB responses

2008-05-31 Thread Alexander Konovalenko
DSA 1590-1: http://www.debian.org/security/2008/dsa-1590 (link not
functioning yet)

** Bug watch added: Debian Bug tracker #483410
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483410

** Also affects: samba (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483410
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-1105] Samba: boundary failure when parsing SMB responses
https://bugs.launchpad.net/bugs/235912


[Bug 236762] [NEW] [CVE-2008-2419] Firefox JSframe heap corruption vulnerability

2008-06-02 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: firefox

CVE-2008-2419 description:

"Mozilla Firefox 2.0.0.14 allows remote attackers to cause a denial of
service (heap corruption and application crash) or possibly execute
arbitrary code by triggering an error condition during certain Iframe
operations between a JSframe write and a JSframe close, as demonstrated
by an error in loading an empty Java applet defined by a
'src="javascript:"' sequence."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2419

Are Firefox 3.0 beta 5 and rc1 also affected by this?

** Affects: firefox (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: firefox-3.0 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2419

** Also affects: firefox-3.0 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-2419] Firefox JSframe heap corruption vulnerability
https://bugs.launchpad.net/bugs/236762


[Bug 236769] [NEW] [CVE-2008-1922] Multiple buffer overflows in sarg

2008-06-02 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: sarg

CVE-2008-1922 description:

"Multiple stack-based buffer overflows in Sarg might allow attackers to
execute arbitrary code via unknown vectors, probably a crafted Squid log
file."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1922
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg0.html

** Affects: sarg (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1922

-- 
[CVE-2008-1922] Multiple buffer overflows in sarg
https://bugs.launchpad.net/bugs/236769


[Bug 232150] Re: Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, CVE-2008-1423]

2008-06-03 Thread Alexander Konovalenko
Debian advisory: http://www.debian.org/security/2008/dsa-1591

** Bug watch added: Debian Bug tracker #482518
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482518

** Also affects: libvorbis (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482518
   Importance: Unknown
   Status: Unknown

-- 
Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, 
CVE-2008-1423]
https://bugs.launchpad.net/bugs/232150


[Bug 237229] [NEW] [CVE-2008-2119] Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

2008-06-03 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: asterisk

CVE-2008-2119 description from the upstream advisory AST-2008-008:

"During pedantic SIP processing the From header value is
passed to the ast_uri_decode function to be decoded. In
two instances it is possible for the code to cause a
crash as the From header value is not checked to be
non-NULL before being passed to the function."

http://www.securityfocus.com/archive/1/493020

Links for future reference:
http://www.asterisk.org/security (advisory not available yet)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2119 (details hidden as of now)

** Affects: asterisk (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2119

-- 
[CVE-2008-2119] Remote Crash Vulnerability in SIP channel driver when run in 
pedantic mode
https://bugs.launchpad.net/bugs/237229


[Bug 275560] Re: Gnome Screensaver should optionally disable audio input and output

2008-09-30 Thread Alexander Konovalenko
** Bug watch added: GNOME Bug Tracker #554438
   http://bugzilla.gnome.org/show_bug.cgi?id=554438

** Also affects: gnome-screensaver via
   http://bugzilla.gnome.org/show_bug.cgi?id=554438
   Importance: Unknown
   Status: Unknown

** Description changed:

  Binary package hint: gnome-screensaver
  
  This is an enhancement request related to a low-risk security
  vulnerability. Nothing serious but still would be nice to have this
  implemented.
  
  Currently you can password-protect your screen and input devices like
  keyboard and mouse using the Gnome Screensaver. This is useful when you
  need to leave the computer unattended for a while in a moderately
  insecure environment. But the audio input/output is not locked by the
  screensaver and that opens up a vulnerability.
  
  Here is a use case.
  
  You talk with Bob using Ekiga Softphone (an Internet telephony client).
  Then you lock your computer's screen and go out for a short while. If
  someone approaches your computer while you're out, they can use your
  headphones and microphone and may be able to impersonate you to Bob or
  hear some confidential talk that Bob intended only for you to hear.
  
  Gnome Screensaver should have an option to control whether audio input
  and output are enabled while your screen is locked.
  
  If you are aware of the risk, an easy (albeit often inconvenient) work-
  around exists: disconnect your Ekiga call before leaving — and generally
  make sure that running programs neither use the audio input from the
  microphone nor emit any confidential sounds. If the user doesn't have a
  security mindset, however, there is a chance that she won't think of
  this risk at all and will remain exposed.
  
  Although technically it is true that if the attacker can physically
  access your machine you're lost from the security point of view,
  actually there are many environments (like your home or maybe your
  workplace) where a screensaver lock is enough to stop casual
  eavesdroppers because they are not technically competent or because they
  wouldn't risk to mount a more serious attack which might involve opening
  up the case, connecting suspicious devices to it, etc. After all, nobody
  says that the screensaver password locking feature is _useless_. If it
  is useful to some extent, so will be the feature suggested here.
- 
- Feel free to copy this suggestion to the upstream bug tracker. I just
- wanted to collect some feedback here first.

-- 
Gnome Screensaver should optionally disable audio input and output
https://bugs.launchpad.net/bugs/275560

[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-08 Thread Alexander Konovalenko
On Fri, Aug 8, 2008 at 02:11, Steven M. Christey  
wrote:
>
> On Tue, 5 Aug 2008, Josh Bressers wrote:
>
>> http://developer.pidgin.im/ticket/6500
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
>
> Use CVE-2008-3532, to be updated later.
>
> - Steve

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3532

-- 
Pidgin XMPP TLS/SSL Man in the Middle attack
https://bugs.launchpad.net/bugs/251304


[Bug 256617] [NEW] [CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change functions() in git leading to arbitrary code execution

2008-08-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: git-core

CVE-2008-3546 description:

"Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 1.5.6.4 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or git-
grep."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3546
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

** Affects: git-core (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
[CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change 
functions() in git leading to arbitrary code execution
https://bugs.launchpad.net/bugs/256617


[Bug 256621] [NEW] [CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration

2008-08-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openvpn

CVE-2008-3459 description:

"Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when
running on non-Windows systems, allows remote servers to execute
arbitrary commands via crafted (1) "lladdr" and (2) "iproute"
configuration directives, probably related to shell metacharacters."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3459

More information:
http://openvpn.net/index.php/documentation/change-log/changelog-21.html

Ubuntu Hardy might be affected.

** Affects: openvpn (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3459

-- 
[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via 
crafted configuration
https://bugs.launchpad.net/bugs/256621


[Bug 256621] Re: [CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration

2008-08-10 Thread Alexander Konovalenko
Adding CVE reference: CVE-2008-3459

-- 
[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via 
crafted configuration
https://bugs.launchpad.net/bugs/256621


[Bug 256617] Re: [CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change functions() in git leading to arbitrary code execution

2008-08-10 Thread Alexander Konovalenko
Adding CVE reference: CVE-2008-3546

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3546

** Summary changed:

- [CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change 
functions() in git leading to arbitrary code execution
+ [CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change() in 
git leading to arbitrary code execution

-- 
[CVE-2008-3546] PATH buffer overflow in diff_addremove(), diff_change() in git 
leading to arbitrary code execution
https://bugs.launchpad.net/bugs/256617


[Bug 256624] [NEW] [CVE-2008-3444] Firefox 3.0.1 crash via a crafted but well-formed web page

2008-08-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: firefox-3.0

CVE-2008-3444 description:

"The content layout component in Mozilla Firefox 3.0 and 3.0.1 allows
remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted but well-formed web page that
contains "a simple set of legitimate HTML tags." "

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3444

More information:
http://blog.mozilla.com/security/2008/07/30/low-risk-denial-of-service-in-firefox/
https://bugzilla.mozilla.org/show_bug.cgi?id=448564 (private bug)

** Affects: firefox
 Importance: Unknown
 Status: Unknown

** Affects: firefox-3.0 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3444

-- 
[CVE-2008-3444] Firefox 3.0.1 crash via a crafted but well-formed web page
https://bugs.launchpad.net/bugs/256624


[Bug 256624] Re: [CVE-2008-3444] Firefox 3.0.1 crash via a crafted but well-formed web page

2008-08-10 Thread Alexander Konovalenko
Adding CVE reference: CVE-2008-3444

** Bug watch added: Mozilla Bugzilla #448564
   https://bugzilla.mozilla.org/show_bug.cgi?id=448564

** Also affects: firefox via
   https://bugzilla.mozilla.org/show_bug.cgi?id=448564
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-3444] Firefox 3.0.1 crash via a crafted but well-formed web page
https://bugs.launchpad.net/bugs/256624


[Bug 253787] Re: [CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in fs/namespace.c)

2008-08-10 Thread Alexander Konovalenko
Changed affected package from linux-source-2.6.20 to linux as per
.

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-source-2.6.20 (Ubuntu)
   Status: New => Invalid

-- 
[CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in 
fs/namespace.c)
https://bugs.launchpad.net/bugs/253787


[Bug 256632] [NEW] [CVE-2008-3272, -3496, -3534, -3535] Multiple vulnerabilities in the Linux kernel

2008-08-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-3272 preliminary description:

"The snd_seq_oss_synth_make_info function in
sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux
kernel before 2.6.27-rc2 does not verify that the device number is
within the range defined by max_synthdev before returning certain data
to the caller, which allows local users to obtain sensitive
information."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3272

CVE-2008-3496 description:

"Buffer overflow in format descriptor parsing in the uvc_parse_format
function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the
video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has
unknown impact and attack vectors."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3496

CVE-2008-3534 description:

"The shmem_delete_inode function in mm/shmem.c in the tmpfs
implementation in the Linux kernel before 2.6.26.1 allows local users to
cause a denial of service (system crash) via a certain sequence of file
create, remove, and overwrite operations, as demonstrated by the insserv
program, related to allocation of "useless pages" and improper
maintenance of the i_blocks count."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3534

CVE-2008-3535 description:

"Off-by-one error in the iov_iter_advance function in mm/filemap.c in
the Linux kernel before 2.6.27-rc2 allows local users to cause a denial
of service (system crash) via a certain sequence of file I/O operations
with readv and writev, as demonstrated by
testcases/kernel/fs/ftest/ftest03 from the Linux Test Project."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3535

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.15 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3272

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3496

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3534

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3535

-- 
[CVE-2008-3272, -3496, -3534, -3535] Multiple vulnerabilities in the Linux 
kernel
https://bugs.launchpad.net/bugs/256632


[Bug 256632] Re: [CVE-2008-3272, -3496, -3534, -3535] Multiple vulnerabilities in the Linux kernel

2008-08-10 Thread Alexander Konovalenko
Adding CVE references: CVE-2008-3272, CVE-2008-3496, CVE-2008-3534,
CVE-2008-3535

** Also affects: linux-source-2.6.15 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-3272, -3496, -3534, -3535] Multiple vulnerabilities in the Linux 
kernel
https://bugs.launchpad.net/bugs/256632


[Bug 256621] Re: [CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration

2008-08-11 Thread Alexander Konovalenko
** Also affects: openvpn (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493488
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via 
crafted configuration
https://bugs.launchpad.net/bugs/256621


[Bug 253787] Re: [CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in fs/namespace.c)

2008-08-11 Thread Alexander Konovalenko
On Mon, Aug 11, 2008 at 21:38, Leann Ogasawara wrote:
>
> [...]  Also, you had correctly
> opened this against the 2.6.20 kernel source.  It's only for bugs
> against 2.6.24 or later that they will target the "linux" package.

If so, please update the wiki page at
.
It currently suggests that the bugs in Feisty and Gutsy kernels
(2.6.20 and 2.6.22) should be reported against the "linux" package.

Thanks for the clarification.

-- 
[CVE-2008-2931] Local privilege escalation in Linux (do_change_type() in 
fs/namespace.c)
https://bugs.launchpad.net/bugs/253787


[Bug 243481] [NEW] [CVE-2008-2827] rmtree() in Perl 5.10 vulnerable to symlink attacks

2008-06-27 Thread Alexander Konovalenko
Public bug reported:

Binary package hint: perl

CVE-2008-2827 description:

"The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users to
modify the permissions of arbitrary files via a symlink attack, a
different vulnerability than CVE-2005-0448 and CVE-2004-0452."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2827

** Affects: perl (Ubuntu)
 Importance: Undecided
 Status: New

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2827

-- 
[CVE-2008-2827] rmtree() in Perl 5.10 vulnerable to symlink attacks
https://bugs.launchpad.net/bugs/243481
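The hazard in the CVE-2008-2827 report above is a recursive delete that chmods entries by path name, which lets a symlink placed in the tree redirect the chmod to an unrelated file. The following is an added Python example, not code from the Launchpad bug, from Perl's File::Path, or from any project. It contrasts that flawed pattern with a removal routine that binds every operation to a directory descriptor opened with O_NOFOLLOW, so a link is deleted as a link and its target is never modified. It assumes a POSIX system where os.open, os.lstat, os.unlink and os.rmdir accept dir_fd; the function names and the victim file and tree it builds are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example (not from the bug report or from Perl's File::Path).
# A symlink-safe recursive delete: all work happens relative to directory
# descriptors opened with O_NOFOLLOW, so nothing is ever chmod'ed or opened
# through a symlink that an attacker could have planted in the tree.


def _open_dir_nofollow(name, dir_fd=None):
    """Open a directory entry as a directory, refusing to follow a symlink."""
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)


def _rm_contents(dir_fd):
    """Delete everything inside the directory held open as dir_fd."""
    try:
        os.fchmod(dir_fd, 0o700)  # acts on the inode we hold, not on a path
    except PermissionError:
        pass  # not ours to chmod; a later delete will fail loudly if needed
    for name in os.listdir(dir_fd):
        st = os.lstat(name, dir_fd=dir_fd)  # lstat never follows symlinks
        if stat.S_ISDIR(st.st_mode):
            sub = _open_dir_nofollow(name, dir_fd=dir_fd)
            try:
                _rm_contents(sub)
            finally:
                os.close(sub)
            os.rmdir(name, dir_fd=dir_fd)
        else:
            os.unlink(name, dir_fd=dir_fd)  # a symlink is removed as a link


def safe_rmtree(path):
    """Recursively remove path without following symlinks anywhere in it."""
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        os.unlink(path)
        return
    fd = _open_dir_nofollow(path)
    try:
        _rm_contents(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def naive_chmod_then_unlink(path):
    """The flawed pattern: chmod by name before deleting.  os.chmod follows
    symlinks, so when `path` is a link it is the target's mode that changes."""
    os.chmod(path, 0o777)
    os.unlink(path)


def demo():
    """Constructed scenario: a private 'victim' file outside the tree, and a
    symlink to it inside the tree.  Remove with both routines and report
    what happened to the victim's permissions."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("keep me private\n")
        os.chmod(victim, 0o600)

        # Tree 1: a nested directory containing a symlink, removed safely.
        tree = os.path.join(base, "tree")
        os.makedirs(os.path.join(tree, "sub"))
        os.symlink(victim, os.path.join(tree, "sub", "link"))
        safe_rmtree(tree)
        mode_after_safe = stat.S_IMODE(os.stat(victim).st_mode)
        tree_gone = not os.path.lexists(tree)

        # Tree 2: a lone symlink handled with the flawed pattern.
        link = os.path.join(base, "link2")
        os.symlink(victim, link)
        naive_chmod_then_unlink(link)
        mode_after_naive = stat.S_IMODE(os.stat(victim).st_mode)

        return {
            "tree_gone": tree_gone,
            "victim_exists": os.path.exists(victim),
            "mode_after_safe": mode_after_safe,
            "mode_after_naive": mode_after_naive,
        }


if __name__ == "__main__":
    print(demo())
```

The safe routine never needs to know whether an entry was swapped for a symlink between the lstat and the delete: the chmod is an fchmod on a descriptor that can only refer to a real directory, and the unlink of a link removes the link itself. The naive routine, by contrast, leaves the victim world-writable even though it only ever "deleted a link".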


[Bug 243487] [NEW] Evolution vulnerability via HTML frames

2008-06-27 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: evolution

Juan Pablo Lopez Yacubian reported the following vulnerability to Bugtraq:
http://www.securityfocus.com/archive/1/493686/30/0/threaded

** Affects: evolution (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: libgtkhtml2 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Also affects: libgtkhtml2 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
Evolution vulnerability via HTML frames
https://bugs.launchpad.net/bugs/243487


[Bug 243488] [NEW] Rhythmbox vulnerability via a crafted playlist file

2008-06-27 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: rhythmbox

Juan Pablo Lopez Yacubian reported the following vulnerability to Bugtraq:
http://www.securityfocus.com/archive/1/493683/30/0/threaded

** Affects: rhythmbox (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
Rhythmbox vulnerability via a crafted playlist file
https://bugs.launchpad.net/bugs/243488


[Bug 241419] [NEW] [CVE-2008-2750] Remote vulnerability in pppol2tp_recvmsg() in Linux

2008-06-19 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2750 description:

"The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux
kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial
of service (kernel heap memory corruption and system crash) and possibly
have unspecified other impact via a crafted PPPOL2TP packet that results
in a large value for a certain length variable."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2750

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.15 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.20 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.22 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** Also affects: linux-source-2.6.22 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-source-2.6.20 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-source-2.6.15 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-2750] Remote vulnerability in pppol2tp_recvmsg() in Linux
https://bugs.launchpad.net/bugs/241419


[Bug 241421] [NEW] [CVE-2008-2719] nasm vulnerability (DoS and possible arbitrary code execution)

2008-06-19 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: nasm

CVE-2008-2719 description:

"Off-by-one error in the ppscan function (preproc.c) in Netwide
Assembler (NASM) 2.02 allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
crafted file that triggers a stack-based buffer overflow."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2719

** Affects: nasm (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: nasm (Debian)
 Importance: Unknown
 Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #486715
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486715

** Also affects: nasm (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486715
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-2719] nasm vulnerability (DoS and possible arbitrary code execution)
https://bugs.launchpad.net/bugs/241421


[Bug 240549] Re: fetchmail denial of service CVE-2008-2711

2008-06-19 Thread Alexander Konovalenko
Trying to link this bug to CVE-2008-2711 (the web UI for that doesn't
seem to work).

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2711

-- 
fetchmail denial of service CVE-2008-2711
https://bugs.launchpad.net/bugs/240549


[Bug 241419] Re: [CVE-2008-2750] Remote vulnerability in pppol2tp_recvmsg() in Linux

2008-06-19 Thread Alexander Konovalenko
CVE-2008-2750

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2750

-- 
[CVE-2008-2750] Remote vulnerability in pppol2tp_recvmsg() in Linux
https://bugs.launchpad.net/bugs/241419


[Bug 241421] Re: [CVE-2008-2719] nasm vulnerability (DoS and possible arbitrary code execution)

2008-06-19 Thread Alexander Konovalenko
CVE-2008-2719

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2719

-- 
[CVE-2008-2719] nasm vulnerability (DoS and possible arbitrary code execution)
https://bugs.launchpad.net/bugs/241421


Re: [Bug 240549] Re: fetchmail denial of service CVE-2008-2711

2008-06-19 Thread Alexander Konovalenko
On Fri, Jun 20, 2008 at 03:18, Emanuele Gentili wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2711

I meant using the link "Link to CVE" in the Actions menu on the left
which adds an appropriate reference to this bug's metadata and makes
it findable in the Launchpad CVE tracker
.

See bug 241435 in Launchpad.

-- 
fetchmail denial of service CVE-2008-2711
https://bugs.launchpad.net/bugs/240549


[Bug 134370] Re: [Gutsy, Hardy] Video doesn't play in XV video players

2008-06-19 Thread Alexander Konovalenko
I also experience this bug. ATI RV350 AP [Radeon 9600], free driver
(radeon), Ubuntu 8.04 with latest recommended and security updates.
Tested using totem and gst-launch.

If you (the developers) need more information from the testers to
investigate and fix this bug, I'll try to help. Just let me know.

-- 
[Gutsy, Hardy] Video doesn't play in XV video players
https://bugs.launchpad.net/bugs/134370


[Bug 239129] Re: [CVE-2008-0960] Multiple SNMP implementations HMAC authentication spoofing

2008-06-21 Thread Alexander Konovalenko
** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0960

-- 
[CVE-2008-0960] Multiple SNMP implementations HMAC authentication spoofing
https://bugs.launchpad.net/bugs/239129


[Bug 192745] Re: Net-SNMP tries to read the obsolete /etc/sensors.conf

2008-06-21 Thread Alexander Konovalenko
** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0960

-- 
Net-SNMP tries to read the obsolete /etc/sensors.conf
https://bugs.launchpad.net/bugs/192745


[Bug 239129] Re: [CVE-2008-0960] Multiple SNMP implementations HMAC authentication spoofing

2008-06-21 Thread Alexander Konovalenko
A fix for net-snmp is in Intrepid:

net-snmp (5.4.1~dfsg-7.1ubuntu2) intrepid; urgency=low

  * SECURITY UPDATE: HMAC authentication spoofing.
  * debian/patches/51_CVE-2008-0960.patch: fixes HMAC authentication spoofing.
  * debian/patches/52_use_right_config_file.patch: Use the right configuration
file for lmsensors. (LP: #192745)

 -- Chuck Short < [EMAIL PROTECTED]>   Mon, 16 Jun 2008 15:47:18 +

I intended to nominate this bug for the Dapper-Hardy releases only in
net-snmp but I now can't figure out how to remove the nominations from
ecos and ucd-snmp.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0960

** Changed in: net-snmp (Ubuntu)
   Status: New => Fix Released

-- 
[CVE-2008-0960] Multiple SNMP implementations HMAC authentication spoofing
https://bugs.launchpad.net/bugs/239129


[Bug 241892] [NEW] [CVE-2008-2292] Buffer overflow in __snprint_value() in snmp_get

2008-06-21 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2292 description:

"Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP
5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a large OCTETSTRING in an attribute value pair
(AVP)."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2292

** Affects: net-snmp (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  CVE-2008-2292 description:
  
  "Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP
  5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a large OCTETSTRING in an attribute value pair
  (AVP)."
+ 
+ http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2292

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2292

-- 
[CVE-2008-2292] Buffer overflow in __snprint_value() in snmp_get
https://bugs.launchpad.net/bugs/241892


[Bug 232150] [NEW] Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, CVE-2008-1423]

2008-05-20 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-1419 description:

"Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero
value for codebook.dim, which allows remote attackers to cause a denial
of service (crash or infinite loop) or trigger an integer overflow."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1419

CVE-2008-1420:

"Integer overflow in residue partition value (aka partvals) evaluation
in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to
execute arbitrary code via a crafted OGG file, which triggers a heap
overflow."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1420

CVE-2008-1423:

"Integer overflow in a certain quantvals and quantlist calculation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a crafted OGG
file with a large virtual space for its codebook, which triggers a heap
overflow."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1423

** Affects: libvorbis (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1419

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1420

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1423

-- 
Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, 
CVE-2008-1423]
https://bugs.launchpad.net/bugs/232150


[Bug 190218] Re: Please sync netpbm-free 2:10.0-11.1 (main) from Debian unstable (main)

2008-05-20 Thread Alexander Konovalenko
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0554

-- 
Please sync netpbm-free 2:10.0-11.1 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/190218


[Bug 232156] [NEW] [CVE-2008-0554] Buffer overflow in readImageData() in giftopnm.c leads to arbitrary code execution

2008-05-20 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-0554 description:

"Buffer overflow in the readImageData function in giftopnm.c in netpbm
before 10.27 in netpbm before 10.27 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted GIF image, a similar issue to
CVE-2006-4484."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0554

Debian advisory DSA 1579-1:
http://www.debian.org/security/2008/dsa-1579

This has been fixed in Hardy but previous releases seem to be
vulnerable.

** Affects: netpbm-free (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: netpbm-free (Debian)
 Importance: Unknown
 Status: Fix Released

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0554

** Bug watch added: Debian Bug tracker #464056
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056

** Also affects: netpbm-free (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-0554] Buffer overflow in readImageData() in giftopnm.c leads to 
arbitrary code execution
https://bugs.launchpad.net/bugs/232156


[Bug 217682] Re: Partitioner hangs at 47% when creating encrypted swap partition

2008-05-20 Thread Alexander Konovalenko
*** This bug is a duplicate of bug 148560 ***
https://bugs.launchpad.net/bugs/148560

** This bug is no longer a duplicate of bug 154502
   partitioner crashes with random encryption key.

** This bug has been marked a duplicate of bug 148560
   installer hangs with encryption and random password

-- 
Partitioner hangs at 47% when creating encrypted swap partition
https://bugs.launchpad.net/bugs/217682


[Bug 154502] Re: partitioner crashes with random encryption key.

2008-05-20 Thread Alexander Konovalenko
*** This bug is a duplicate of bug 148560 ***
https://bugs.launchpad.net/bugs/148560

I think this is not related to partman-md. It's more likely to be
related to partman-crypto, partman-crypto-dm and debian-installer. I'll
leave the bug as New in partman-md because I'm not sure what partman-md
really does.

** Also affects: debian-installer (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: partman-crypto (Ubuntu)
   Importance: Undecided
   Status: New

** This bug has been marked a duplicate of bug 148560
   installer hangs with encryption and random password

-- 
partitioner crashes with random encryption key.
https://bugs.launchpad.net/bugs/154502


[Bug 229953] [NEW] [CVE-2008-2142] Emacs 21 will automatically execute .flc (fast lock) files

2008-05-13 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: emacs21

CVE-2008-2142 description:

"Emacs 21 and XEmacs automatically load and execute .flc (fast lock)
files that are associated with other files are edited within Emacs,
which allows user-assisted attackers to execute arbitrary code."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2142

** Affects: emacs21 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: gentoo
 Importance: Unknown
 Status: Unknown

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2142

** Bug watch added: Gentoo Bugzilla #221197
   http://bugs.gentoo.org/show_bug.cgi?id=221197

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=221197
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-2142] Emacs 21 will automatically execute .flc (fast lock) files
https://bugs.launchpad.net/bugs/229953


[Bug 229964] [NEW] [CVE-2008-0166] Predictable random number generator in openssl

2008-05-13 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openssl

CVE-2008-0166 description from Debian security advisory DSA 1571-1:

"Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable.  This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166).  As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian.  However, other systems
can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.  Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions.  The old stable distribution
(sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections.  Keys generated with GnuPG or GNUTLS are not affected,
though.

A detector for known weak key material will be published at:

  
  
(OpenPGP signature)

Instructions how to implement key rollover for various packages will be
published at:

  

This web site will be continously updated to reflect new and updated
instructions on key rollovers for packages using SSL certificates.
Popular packages not affected will also be listed."

See:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/key-rollover/
(some links are broken yet)

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0166

** Description changed:

  Binary package hint: openssl
  
- CVE-2008-0166 from Debian security advisory DSA 1571-1:
+ CVE-2008-0166 description from Debian security advisory DSA 1571-1:
  
  "Luciano Bello discovered that the random number generator in Debian's
  openssl package is predictable.  This is caused by an incorrect
  Debian-specific change to the openssl package (CVE-2008-0166).  As a
  result, cryptographic key material may be guessable.
  
  This is a Debian-specific vulnerability which does not affect other
  operating systems which are not based on Debian.  However, other systems
  can be indirectly affected if weak keys are imported into them.
  
  It is strongly recommended that all cryptographic key material which has
  been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
  systems is recreated from scratch.  Furthermore, all DSA keys ever used
  on affected Debian systems for signing or authentication purposes should
  be considered compromised; the Digital Signature Algorithm relies on a
  secret random value used during signature generation.
  
  The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
  distribution on 2006-09-17, and has since propagated to the testing and
  current stable (etch) distributions.  The old stable distribution
  (sarge) is not affected.
  
  Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
  material for use in X.509 certificates and session keys used in SSL/TLS
  connections.  Keys generated with GnuPG or GNUTLS are not affected,
  though.
  
  A detector for known weak key material will be published at:
  


  (OpenPGP signature)
  
  Instructions how to implement key rollover for various packages will be
  published at:
  

  
  This web site will be continously updated to reflect new and updated
  instructions on key rollovers for packages using SSL certificates.
  Popular packages not affected will also be listed."
  
+ See:
  http://lists.debian.org/debian-security-announce/2008/msg00152.html
  http://www.debian.org/security/2008/dsa-1571
+ http://www.debian.org/security/key-rollover/
+ (some links are broken yet)

-- 
[CVE-2008-0166] Predictable random number generator in openssl
https://bugs.launchpad.net/bugs/229964

[Bug 229951] Re: CVE-2008-0166: predictable random number generator

2008-05-13 Thread Alexander Konovalenko
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-0166

-- 
CVE-2008-0166: predictable random number generator
https://bugs.launchpad.net/bugs/229951


[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow

2008-05-13 Thread Alexander Konovalenko
** Bug watch added: Gentoo Bugzilla #219008
   http://bugs.gentoo.org/show_bug.cgi?id=219008

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=219008
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-1102] Blender imb_loadhdr() buffer overflow
https://bugs.launchpad.net/bugs/222592


[Bug 227345] Re: [CVE-2008-1103] Multiple temporary files vulnerabilities

2008-05-13 Thread Alexander Konovalenko
Fixed by Gentoo in GLSA 200805-12.

-- 
[CVE-2008-1103] Multiple temporary files vulnerabilities
https://bugs.launchpad.net/bugs/227345


[Bug 229964] Re: [CVE-2008-0166] Predictable random number generator in openssl

2008-05-13 Thread Alexander Konovalenko
*** This bug is a duplicate of bug 229951 ***
https://bugs.launchpad.net/bugs/229951

This has been fixed by USN-612-1, I think.
http://www.ubuntu.com/usn/usn-612-1

-- 
[CVE-2008-0166] Predictable random number generator in openssl
https://bugs.launchpad.net/bugs/229964


[Bug 230620] [NEW] [CVE-2008-2109] Denial of service via the ID3_FIELD_TYPE_STRINGLIST field

2008-05-15 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2109 description:

"field.c in the libid3tag 0.15.0b library allows context-dependent
attackers to cause a denial of service (CPU consumption) via an
ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an
infinite loop."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2109

Despite its version number, libid3tag0 version 0.15.1b-10 from Hardy
does contain the vulnerable code. So do the versions from previous
releases, I guess.

** Affects: libid3tag (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2109

-- 
[CVE-2008-2109] Denial of service via the ID3_FIELD_TYPE_STRINGLIST field
https://bugs.launchpad.net/bugs/230620
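The CVE-2008-2109 description above names the failure class (a NUL-separated string list whose final '\0' makes the parser loop forever). The block below is an added example, not libid3tag's field.c: a string-list parser over an untrusted buffer written so that every iteration strictly advances and no read goes past the given length. The field bodies, lengths and the MAX_STRINGS cap are constructed for the example.

```c
/* Added illustration, not libid3tag's code: a NUL-separated string-list
 * parser over an untrusted buffer whose loop always advances and never
 * reads past `len`, so a list ending in '\0' terminates like any other. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 16   /* constructed cap on entries per field */

/* Splits data[0..len) into up to MAX_STRINGS NUL-separated strings.
 * out[i] points into data, out_len[i] is the string's length (a final
 * NUL is not required). Returns the number of strings, or -1 if there
 * are more than MAX_STRINGS. */
int parse_string_list(const unsigned char *data, size_t len,
                      const unsigned char *out[MAX_STRINGS],
                      size_t out_len[MAX_STRINGS])
{
    size_t pos = 0;
    int n = 0;

    while (pos < len) {
        /* memchr is bounded by the bytes remaining, never by a terminator
         * that may be missing: a list without a final '\0' is still safe. */
        const unsigned char *nul = memchr(data + pos, '\0', len - pos);
        size_t slen = nul ? (size_t)(nul - (data + pos)) : len - pos;

        if (n == MAX_STRINGS)
            return -1;
        out[n] = data + pos;
        out_len[n] = slen;
        n++;
        /* Skip the string and its terminator. slen + 1 >= 1, so pos grows
         * strictly every round; an empty trailing string (the field ending
         * in '\0') is consumed exactly once instead of being re-parsed. */
        pos += slen + 1;
    }
    return n;
}

/* Convenience wrappers for callers that only need counts or lengths. */
int count_strings(const unsigned char *data, size_t len)
{
    const unsigned char *out[MAX_STRINGS];
    size_t out_len[MAX_STRINGS];
    return parse_string_list(data, len, out, out_len);
}

long nth_string_len(const unsigned char *data, size_t len, int i)
{
    const unsigned char *out[MAX_STRINGS];
    size_t out_len[MAX_STRINGS];
    int n = parse_string_list(data, len, out, out_len);
    return (i >= 0 && i < n) ? (long)out_len[i] : -1;
}

int main(void)
{
    /* Constructed field bodies; lengths are passed explicitly, as on the wire. */
    static const unsigned char ends_in_nul[] = "Artist\0Title\0";  /* 13 bytes */
    static const unsigned char no_final_nul[] = "Artist\0Title";   /* 12 bytes */
    printf("%d strings, %d strings\n", count_strings(ends_in_nul, 13),
           count_strings(no_final_nul, 12));
    return 0;
}
```

The property worth checking in any such parser is that the loop variable increases by at least one per iteration under every input, including an empty trailing entry; the `pos += slen + 1` line is where that is guaranteed here.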


[Bug 127960] Re: Unresponsive script dialog usability problems

2008-08-11 Thread Alexander Konovalenko
I can reproduce this in Firefox 3.0.1 from Hardy (package version
3.0.1+build1+nobinonly-0ubuntu0.8.04.3) with the above test case.

** Also affects: firefox-3.0 (Ubuntu)
   Importance: Undecided
   Status: New

** Attachment added: "Firefox 3.0.1 screenshot"
   http://launchpadlibrarian.net/16716744/Warning%3A%20Unresponsive%20script.png

-- 
Unresponsive script dialog usability problems
https://bugs.launchpad.net/bugs/127960


[Bug 257949] [NEW] [CVE-2008-2420] stunnel incorrect OCSP validation vulnerability

2008-08-14 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: stunnel4

CVE-2008-2420 description:

"The OCSP functionality in stunnel before 4.24 does not properly search
certificate revocation lists (CRL), which allows remote attackers to
bypass intended access restrictions by using revoked certificates."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2420

The bug has already been fixed in Intrepid. This is a request to
backport the fix to Hardy.

** Affects: stunnel4 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2420

-- 
[CVE-2008-2420] stunnel incorrect OCSP validation vulnerability
https://bugs.launchpad.net/bugs/257949


[Bug 258162] [NEW] Postfix local privilege escalation via hardlinked symlinks

2008-08-15 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: postfix

Wietse Venema posted an advisory about this to Bugtraq. Excerpt:

"Sebastian Krahmer of SuSE has found a privilege escalation problem.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts."

http://www.securityfocus.com/archive/1/495474/30/0/threaded

No CVE number has been assigned to this problem yet, to the best of my
knowledge.

** Affects: postfix (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
Postfix local privilege escalation via hardlinked symlinks
https://bugs.launchpad.net/bugs/258162


[Bug 258172] [NEW] mktemp-generated filenames insufficiently random when too short

2008-08-15 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: mktemp

mktemp produces filenames that are partly not random, possibly making it
possible to mount a local attack.
Please see the discussion in Debian bug 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495193

** Affects: mktemp (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: mktemp (Debian)
 Importance: Unknown
 Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #495193
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495193

** Also affects: mktemp (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495193
   Importance: Unknown
   Status: Unknown

-- 
mktemp-generated filenames insufficiently random when too short
https://bugs.launchpad.net/bugs/258172


[Bug 258180] [NEW] [CVE-2008-3276] Linux kernel dccp_setsockopt_change() integer overflow

2008-08-15 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Eugene Teo of Red Hat Security Response Team wrote:

"An integer overflow flaw was found in the Linux kernel
dccp_setsockopt_change() function. The vulnerability exists due to a
lack of sanitisation performed on a user-controlled integer value before
the value is employed as the size argument of a memory allocation
operation. An attacker may leverage this vulnerability to trigger a
kernel panic on a victim's machine remotely.

This affects kernel versions since 2.6.17-rc1. The proposed upstream
commit is: 3e8a0a559c66ee9e7468195691a56fefc3589740

I have allocated this CVE-2008-3276."

http://www.openwall.com/lists/oss-security/2008/08/15/3

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.20 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.22 (Ubuntu)
 Importance: Undecided
 Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3276

** Visibility changed to: Public

** Also affects: linux-source-2.6.20 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-source-2.6.22 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-3276] Linux kernel dccp_setsockopt_change() integer overflow
https://bugs.launchpad.net/bugs/258180


[Bug 206071] Re: overflow in reports with long DNS names

2008-05-23 Thread Alexander Konovalenko
Is this CVE-2008-2357?
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2357

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2357

** This bug has been flagged as a security issue

-- 
overflow in reports with long DNS names
https://bugs.launchpad.net/bugs/206071


[Bug 228193] Re: rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]

2008-05-29 Thread Alexander Konovalenko
What about the releases before Intrepid?

** Changed in: rdesktop (Ubuntu)
   Status: Fix Released => Fix Committed

-- 
rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]
https://bugs.launchpad.net/bugs/228193


[Bug 235901] [NEW] [CVE-2008-1804] Snort IP fragment TTL evasion vulnerability

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: snort

CVE-2008-1804 description:

"Remote exploitation of a design error vulnerability in Snort [...]
could allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks the Time
To Live (TTL) value of the fragment, and compares it to the TTL of the initial
fragment. If the difference between the initial fragment and the following
fragments is more than a configured amount, the fragments will be silently
discarded. This results in valid traffic not being examined and/or filtered by
Snort."
[...]
"iDefense has confirmed the existence of this vulnerability in Snort 2.8 and
2.6. Snort 2.4 is not vulnerable."

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701

"preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not
properly identify packet fragments that have dissimilar TTL values,
which allows remote attackers to bypass detection rules by using a
different TTL for each fragment."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1804

** Affects: snort (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1804

-- 
[CVE-2008-1804] Snort IP fragment TTL evasion vulnerability
https://bugs.launchpad.net/bugs/235901


[Bug 235904] [NEW] [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-1878 description:

"Stack-based buffer overflow in the demux_nsf_send_chunk function in
src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a long NSF title."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1878
http://www.debian.org/security/2008/dsa-1586

** Affects: xine-lib (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1878

-- 
[CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
https://bugs.launchpad.net/bugs/235904


[Bug 235909] [NEW] [CVE-2008-1767] Buffer overflow in libxslt

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-1767 description:

"It was discovered that libxslt, an XSLT processing runtime library,
could be coerced into executing arbitrary code via a buffer overflow
when an XSL style sheet file with a long XSLT "transformation match"
condition triggered a large number of steps."

http://www.debian.org/security/2008/dsa-1589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767

** Affects: libxslt (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: libxslt (Debian)
 Importance: Unknown
 Status: Fix Released

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1767

** Bug watch added: Debian Bug tracker #482664
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482664

** Also affects: libxslt (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482664
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-1767] Buffer overflow in libxslt
https://bugs.launchpad.net/bugs/235909


[Bug 235912] [NEW] [CVE-2008-1105] Samba: boundary failure when parsing SMB responses

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: samba

CVE-2008-1105 description:

"Heap-based buffer overflow in the receive_smb_raw function in
util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to
execute arbitrary code via a crafted SMB response."

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1105

"Boundary failure when parsing SMB responses can result in a buffer
overrun

Specifically crafted SMB responses can result in a heap overflow in the Samba
client code. Because the server process, smbd, can itself act as a client
during operations such as printer notification and domain authentication, this
issue affects both Samba client and server installations."

http://www.samba.org/samba/security/CVE-2008-1105.html

Patch:
http://www.samba.org/samba/ftp/patches/security/samba-3.0.29-CVE-2008-1105.patch

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1105

-- 
[CVE-2008-1105] Samba: boundary failure when parsing SMB responses
https://bugs.launchpad.net/bugs/235912


[Bug 235913] [NEW] [CVE-2008-0891, CVE-2008-1672] OpenSSL denial of service vulnerabilities (crashes)

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openssl

CVE-2008-0891 description:

"Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS
server name extensions are enabled, allows remote attackers to cause a
denial of service (crash) via a crafted packet. NOTE: some of these
details are obtained from third party information."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891

CVE-2008-1672 description:

"OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of
service (crash) via a TLS handshake that omits the Server Key Exchange
message and uses "particular cipher suites." "

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672

Upstream advisory: http://www.openssl.org/news/secadv_20080528.txt

Does this apply to Hardy?

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0891

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1672

-- 
[CVE-2008-0891, CVE-2008-1672] OpenSSL denial of service vulnerabilities 
(crashes)
https://bugs.launchpad.net/bugs/235913


[Bug 235913] Re: [CVE-2008-0891, CVE-2008-1672] OpenSSL denial of service vulnerabilities (crashes)

2008-05-29 Thread Alexander Konovalenko
See also: http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html

-- 
[CVE-2008-0891, CVE-2008-1672] OpenSSL denial of service vulnerabilities 
(crashes)
https://bugs.launchpad.net/bugs/235913


[Bug 235915] [NEW] [CVE-2008-2426] imlib2 PNM and XPM buffer overflows

2008-05-29 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-2426 description:

"1) A boundary error exists within the "load()" function in
src/modules/loaders/loader_pnm.c when processing the header of a
PNM image file. This can be exploited to cause a stack-based buffer
overflow by e.g. tricking a user into opening a specially crafted
PNM image in an application using the imlib2 library.

[...]

2) A boundary error exists within the "load()" function in
src/modules/loader_xpm.c when processing an XPM image file. This can
be exploited to cause a stack-based buffer overflow by e.g. tricking
a user into opening a specially crafted XPM image with an application
using the imlib2 library."

http://secunia.com/secunia_research/2008-25/advisory/

** Affects: imlib2 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
[CVE-2008-2426] imlib2 PNM and XPM buffer overflows
https://bugs.launchpad.net/bugs/235915


[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Alexander Konovalenko
** Bug watch added: Debian Bug tracker #492434
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434

** Also affects: pidgin (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
   Importance: Unknown
   Status: Unknown

-- 
Pidgin XMPP TLS/SSL Man in the Middle attack
https://bugs.launchpad.net/bugs/251304


[Bug 247445] Re: Package managers vulnerable to replay and endless data attacks

2008-08-22 Thread Alexander Konovalenko
** Bug watch added: Debian Bug tracker #491374
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491374

** Also affects: debian via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491374
   Importance: Unknown
   Status: Unknown

-- 
Package managers vulnerable to replay and endless data attacks
https://bugs.launchpad.net/bugs/247445


[Bug 237956] [NEW] [CVE-2008-1108, CVE-2008-1109] Evolution iCalendar buffer overflows

2008-06-06 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: evolution

CVE-2008-1108 description:

"Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is
disabled, allows remote attackers to execute arbitrary code via a long
timezone string in an iCalendar attachment."

CVE-2008-1109 description:

"Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted
remote attackers to execute arbitrary code via a long DESCRIPTION
property in an iCalendar attachment, which is not properly handled
during a reply in the calendar view (aka the Calendars window)."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1109
http://secunia.com/advisories/30298

** Affects: evolution (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1108

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1109

-- 
[CVE-2008-1108, CVE-2008-1109] Evolution iCalendar buffer overflows
https://bugs.launchpad.net/bugs/237956


[Bug 235915] Re: [CVE-2008-2426] imlib2 PNM and XPM buffer overflows

2008-06-06 Thread Alexander Konovalenko
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2426

-- 
[CVE-2008-2426] imlib2 PNM and XPM buffer overflows
https://bugs.launchpad.net/bugs/235915


[Bug 238089] [NEW] [CVE-2008-2363] Heap overflow in PartsBatch class via .nzb files

2008-06-07 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: pan

CVE-2008-2363 description:

"The PartsBatch class in Pan 0.132 and earlier does not properly manage
the data structures for Parts batches, which allows remote attackers to
cause a denial of service (application crash) and possibly execute
arbitrary code via a crafted .nzb file that triggers a heap-based buffer
overflow."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2363

** Affects: pan
 Importance: Unknown
 Status: Unknown

** Affects: pan (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: pan (Fedora)
 Importance: Unknown
 Status: Confirmed

** Affects: pan (Gentoo Linux)
 Importance: Unknown
 Status: In Progress

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2363

** Bug watch added: GNOME Bug Tracker #535413
   http://bugzilla.gnome.org/show_bug.cgi?id=535413

** Also affects: pan via
   http://bugzilla.gnome.org/show_bug.cgi?id=535413
   Importance: Unknown
   Status: Unknown

** Bug watch added: Gentoo Bugzilla #224051
   http://bugs.gentoo.org/show_bug.cgi?id=224051

** Also affects: pan (Gentoo Linux) via
   http://bugs.gentoo.org/show_bug.cgi?id=224051
   Importance: Unknown
   Status: Unknown

** Bug watch added: Red Hat Bugzilla #446902
   https://bugzilla.redhat.com/show_bug.cgi?id=446902

** Also affects: pan (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=446902
   Importance: Unknown
   Status: Unknown

-- 
[CVE-2008-2363] Heap overflow in PartsBatch class via .nzb files
https://bugs.launchpad.net/bugs/238089


[Bug 238524] [NEW] [CVE-2008-1673, CVE-2008-2358] Linux heap overflows potentially leading to remote arbitrary code execution

2008-06-09 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

CVE-2008-1673 description:

"Wei Wang from McAfee reported a potential heap overflow in the
ASN.1 decode code that is used by the SNMP NAT and CIFS
subsystem. Exploitation of this issue may lead to arbitrary code
execution."

CVE-2008-2358 description:

"Brandon Edwards of McAfee Avert labs discovered an issue in the
DCCP subsystem. Due to missing feature length checks it is possible
to cause an overflow that may result in remote arbitrary code
execution."

http://lists.debian.org/debian-security-announce/2008/msg00172.html
http://www.debian.org/security/2008/dsa-1592 (not yet available)

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.15 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.20 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux-source-2.6.22 (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1673

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2358

** Also affects: linux-source-2.6.15 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-source-2.6.20 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-source-2.6.22 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-1673, CVE-2008-2358] Linux heap overflows potentially leading to 
remote arbitrary code execution
https://bugs.launchpad.net/bugs/238524


[Bug 238524] Re: [CVE-2008-1673, CVE-2008-2358] Linux heap overflows potentially leading to remote arbitrary code execution

2008-06-10 Thread Alexander Konovalenko
More information is being published:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1673
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2358

-- 
[CVE-2008-1673, CVE-2008-2358] Linux heap overflows potentially leading to 
remote arbitrary code execution
https://bugs.launchpad.net/bugs/238524


[Bug 238925] [NEW] [CVE-2008-2152] Integer overflow in rtl_allocateMemory() in OpenOffice.org

2008-06-10 Thread Alexander Konovalenko
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openoffice.org

CVE-2008-2152 description:

"A security vulnerability in the custom memory allocation function from
OpenOffice.org may lead to heap overflows and allow a remote
unprivileged user who provides a OpenOffice.org document that is opened
by a local user to execute arbitrary commands on the system with the
privileges of the user running OpenOffice.org. [...]

Affected releases
All versions between OpenOffice.org 2.0 and 2.4 inclusive."

http://www.openoffice.org/security/cves/CVE-2008-2152.html

See also:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=714

** Affects: openoffice.org (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2152

-- 
[CVE-2008-2152] Integer overflow in rtl_allocateMemory() in OpenOffice.org
https://bugs.launchpad.net/bugs/238925
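Both the dccp_setsockopt_change() report (CVE-2008-3276, bug 258180 above) and this rtl_allocateMemory() report describe the same class: a user-controlled integer feeds the size argument of an allocation before anyone checks that the arithmetic cannot wrap. The block below is an added example and not the kernel's or OpenOffice.org's code; the wire format, header and element sizes, and the policy cap are constructed for the demonstration. It shows the naive 32-bit size computation next to the checked form and a parser that refuses a count the data cannot back.

```c
/* Added illustration, not the kernel's or OpenOffice.org's code: sizing a
 * heap allocation from an untrusted 32-bit count so the arithmetic cannot
 * wrap. Format and constants are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE  8u     /* constructed: fixed header in front of the elements */
#define ELEM_SIZE 4u     /* constructed: bytes per element */
#define MAX_ELEMS 4096u  /* policy cap: refuse anything a real message never needs */

/* The pattern behind the bugs: 32-bit arithmetic on an attacker-chosen count.
 * For count = 0x40000002 the product is 0x1_0000_0008, which wraps to 8, so
 * the allocator is asked for 16 bytes while callers later copy far more. */
uint32_t naive_alloc_size(uint32_t count)
{
    uint32_t size = HDR_SIZE + count * ELEM_SIZE;   /* wraps modulo 2^32 */
    return size;
}

/* Hardened form: bound the count by policy first, then check the multiply
 * and add against SIZE_MAX in size_t arithmetic. Returns 0 to mean "refuse". */
size_t checked_alloc_size(uint32_t count)
{
    if (count > MAX_ELEMS)
        return 0;
    if ((size_t)count > (SIZE_MAX - HDR_SIZE) / ELEM_SIZE)
        return 0;                       /* would overflow (general guard) */
    return HDR_SIZE + (size_t)count * ELEM_SIZE;
}

/* Constructed wire format: 4-byte big-endian element count, then `count`
 * elements of ELEM_SIZE bytes. On success stores a heap copy with HDR_SIZE
 * bytes of zeroed header in *out and returns count; otherwise returns -1. */
long parse_message(const uint8_t *buf, size_t buflen, uint8_t **out)
{
    if (buflen < 4)
        return -1;
    uint32_t count = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                     (uint32_t)buf[2] << 8  | (uint32_t)buf[3];
    size_t need = checked_alloc_size(count);
    if (need == 0)
        return -1;                                  /* overflow or over cap */
    if ((size_t)count * ELEM_SIZE > buflen - 4)
        return -1;                                  /* declared > delivered */
    uint8_t *p = calloc(1, need);
    if (!p)
        return -1;
    memcpy(p + HDR_SIZE, buf + 4, (size_t)count * ELEM_SIZE);
    *out = p;
    return (long)count;
}

/* Runs three constructed inputs. Returns the element count of the well-formed
 * message (2) only if the truncated and the wrapping one are both refused. */
long demo_parse(void)
{
    static const uint8_t good[]      = {0, 0, 0, 2, 1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t truncated[] = {0, 0, 0, 2, 1, 2, 3, 4};
    static const uint8_t wrapping[]  = {0x40, 0, 0, 2, 1, 2, 3, 4};
    uint8_t *out = NULL;
    if (parse_message(truncated, sizeof truncated, &out) != -1)
        return -1;
    if (parse_message(wrapping, sizeof wrapping, &out) != -1)
        return -1;
    long n = parse_message(good, sizeof good, &out);
    if (n != 2 || out == NULL || memcmp(out + HDR_SIZE, good + 4, 8) != 0)
        n = -1;
    free(out);
    return n;
}

int main(void)
{
    printf("naive size for 0x40000002 elements: %u bytes\n",
           naive_alloc_size(0x40000002u));
    printf("checked size: %zu (0 = refused), demo result: %ld\n",
           checked_alloc_size(0x40000002u), demo_parse());
    return 0;
}
```

Two checks are doing the work: the policy cap rejects absurd counts before any arithmetic, and the comparison against the bytes actually delivered rejects a count the sender did not back with data, which is the same check the DCCP advisory above calls a missing "feature length check".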

