Nico Golde | 1 Jul 2008 10:58

Re: CVE id request mercurial:Insufficient input validation

Hi Steve,
* Steven M. Christey <coley@...> [2008-06-30 21:41]:
> Out of curiosity, what attack scenarios exist for this issue?  If an
> attacker has control over the patch already, then code execution on the
> system already seems likely.  Or is the impact mostly limited to "compile
> farms" and limited-access user accounts?

Yes, I agree; the attack scenarios are really limited to
systems/people blindly importing patches, for example if
received via mail.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@... - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Josh Bressers | 1 Jul 2008 17:05

Re: openldap DoS

On 30 June 2008, Josh Bressers wrote:
> On 30 June 2008, Ludwig Nussel wrote:
> > Hi,
> > 
> > Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER
> > decoding of openldap and crash the server:
> > http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
> > 
> 
> The patch is here it seems:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
> 

So it seems from my testing, this flaw does not trigger the assertion on
OpenLDAP version 2.0.27, but does on at least 2.2.13.

As upstream suggested this was added in version 1.88 of the io.c file, that
would suggest this flaw should affect OpenLDAP versions after 2.1.20 (don't
quote me on this, as I'm not completely sure, it could affect a few older
versions around 2.1.20).

Thanks.

-- 
    JB

Steven M. Christey | 1 Jul 2008 22:54

Re: openldap DoS


======================================================
Name: CVE-2008-2952
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
Reference: CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
allows remote attackers to cause a denial of service (program
termination) via crafted ASN.1 BER datagrams, which triggers an
assertion error.

Steven M. Christey | 1 Jul 2008 23:10

Re: Two remote DoS issues in linuxdcpp


======================================================
Name: CVE-2008-2953
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2953
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=608612&group_id=40287
Reference: CONFIRM:http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp.diff?r1=1.14&r2=1.15&sortby=date
Reference: SECUNIA:30812
Reference: URL:http://secunia.com/advisories/30812

Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a
denial of service (crash) via "partial file list requests" that
trigger a NULL pointer dereference.

======================================================
Name: CVE-2008-2954
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2954
Reference: CONFIRM:http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/Changelog.txt
Reference: CONFIRM:http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/NmdcHub.cpp.diff?r1=1.14&r2=1.15&sortby=date

client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows
remote attackers to cause a denial of service (crash) via an empty
private message, which triggers an out-of-bounds read.

Steven M. Christey | 1 Jul 2008 23:25

Re: CVE Request (pidgin)


Note that the UPnP functionality is characterized by the researchers as a
bandwidth/disk DoS.  I don't know much about UPnP or Pidgin, but it might
be reasonable to investigate what Pidgin does with the file once it's
downloaded the contents.

- Steve

======================================================
Name: CVE-2008-2955
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
Reference: BUGTRAQ:20080626 Pidgin 2.4.1 Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493682/100/0/threaded
Reference: FRSIRT:ADV-2008-1947
Reference: URL:http://www.frsirt.com/english/advisories/2008/1947
Reference: SECUNIA:30881
Reference: URL:http://secunia.com/advisories/30881

Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function.

======================================================
Name: CVE-2008-2956
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956
Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1
Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin)

Steven M. Christey | 1 Jul 2008 23:33

Re: CVE id request: checkinstall


======================================================
Name: CVE-2008-2958
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958
Reference: MISC:http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-June/001672.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140
Reference: SECUNIA:30873
Reference: URL:http://secunia.com/advisories/30873
Reference: XF:checkinstall-multiple-symlink(43440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43440

Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows
local users to overwrite arbitrary files and have other impacts via
symlink and possibly other attacks on temporary working directories.

Steven M. Christey | 1 Jul 2008 23:46

Re: CVE request: php 5.2.6 ext/imap buffer overflows


On Tue, 24 Jun 2008, Christian Hoffmann wrote:

> On 2008-06-23 21:20, Steven M. Christey wrote:
> > ======================================================
> > Name: CVE-2008-2829
> > Status: Candidate
> >
> > ...
> > ...
>
> So, according to the information from the bug, this issue might not only
> allow for DoS but possibly for code execution as well, at least this is
> what it looks like to me.

Changed the description to account for this possibility.

> Also, I'm not quite sure why you are explicitly mentioning 5.2.5. To me
> it looks like all versions of php are affected, so in my opinion this
> looks a bit confusing. Only a cosmetic thing though.

5.2.5 was mentioned since http://bugs.php.net/bug.php?id=42862 supplied a
patch against 5.2.5.  We don't always provide exhaustive lists of versions
in CVE descriptions, but we do include those that seem to be most likely
reported by others.  These serve as "correlators" across distinct sources.

For example, a milw0rm post might say "1.6 is affected" and the vendor
might later say "1.4 through 1.9."  If we exclude the version as reported
in the milw0rm post, then it produces more work for people who have to
figure out whether the milw0rm post and vendor announcement are really the

Steven M. Christey | 1 Jul 2008 23:57

Re: CVE request for dnsmasq DoS


On Mon, 30 Jun 2008, Jamie Strandboge wrote:

> Hi,
>
> There is a remote DoS in dnsmasq 2.25 (and presumably earlier) that is
> fixed in 2.26. Details can be found at [1]. Can we get a CVE assigned
> for this?

I'm not sure I fully understand Thierry Carrez' comment about the security
implications of this issue.  It seems like an exploit would require a
malicious DHCP server, in which case isn't DHCP service already
compromised?  If so, then a crash of dnsmasq (null dereference?) doesn't
seem to be any worse than the loss of DHCP itself.

- Steve

Robert Buchholz | 2 Jul 2008 02:03

Re: Two remote DoS issues in linuxdcpp

On Tuesday 01 July 2008, Steven M. Christey wrote:
> ======================================================
> Name: CVE-2008-2953
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2953
> Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=608612&group_id=40287
> Reference: CONFIRM:http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp.diff?r1=1.14&r2=1.15&sortby=date
> Reference: SECUNIA:30812
> Reference: URL:http://secunia.com/advisories/30812
>
> Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause
> a denial of service (crash) via "partial file list requests" that
> trigger a NULL pointer dereference.

That Secunia advisory is actually for the Windows version of DC++, which 
has a different versioning. I think you might want to expand that in 
the description.

Robert
Ludwig Nussel | 2 Jul 2008 08:48

Re: openldap DoS

Josh Bressers wrote:
> On 30 June 2008, Ludwig Nussel wrote:
> > Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER
> > decoding of openldap and crash the server:
> > http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
> > 
> 
> The patch is here it seems:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

Looks like the change was broken. Citing our maintainer from bugzilla:

--- Comment #7 from Ralf Haferkamp <rhafer@...>  2008-07-02 00:38:08 MDT ---
The OpenLDAP commit log just turned up this:

-------------8<-----------------------------
Update of /repo/OpenLDAP/pkg/ldap/libraries/liblber

Modified Files:
        io.c  1.121 -> 1.122

Log Message:
ITS#5580: Revert prev commit, failed on byte-at-a-time input. Different
approach used here.

CVS Web URLs:
  http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/
    http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c
------------->8-----------------------------
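The commit log quoted above says the first fix "failed on byte-at-a-time input". As an added illustration (my own code, not OpenLDAP's liblber and not the actual ITS#5580 fix), here is a BER length-octet decoder that distinguishes a header that is merely incomplete, as a slow peer delivering one octet at a time produces, from a malformed one, and reports both as a status instead of asserting:

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of decoding one BER length field. */
typedef enum { BER_OK = 0, BER_NEED_MORE = -1, BER_INVALID = -2 } ber_status;

/*
 * Decode the BER length octets at buf[0..len).  On BER_OK, *value is the
 * content length and *used the number of length octets consumed.  If the
 * caller has only received part of the PDU so far the result is
 * BER_NEED_MORE (read more, then retry); malformed input is BER_INVALID.
 * Neither case asserts, so a peer cannot take the process down with a
 * crafted header.  (Illustrative code, not OpenLDAP's implementation.)
 */
ber_status ber_decode_length(const uint8_t *buf, size_t len,
                             size_t *value, size_t *used)
{
    if (len == 0)
        return BER_NEED_MORE;
    if ((buf[0] & 0x80) == 0) {            /* short form: 0..127 in one octet */
        *value = buf[0];
        *used = 1;
        return BER_OK;
    }
    size_t n = buf[0] & 0x7f;              /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t))      /* indefinite form, or wider than size_t */
        return BER_INVALID;
    if (len < 1 + n)                       /* header not fully received yet */
        return BER_NEED_MORE;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[1 + i];
    *value = v;
    *used = 1 + n;
    return BER_OK;
}

/* Feed the encoding one octet at a time, as a slow peer would deliver it,
   and return the decoded length, or the negative ber_status if the header
   never completes or is malformed. */
long ber_length_bytewise(const uint8_t *buf, size_t len)
{
    size_t value = 0, used = 0;
    ber_status st = BER_NEED_MORE;
    for (size_t have = 1; have <= len && st == BER_NEED_MORE; have++)
        st = ber_decode_length(buf, have, &value, &used);
    return st == BER_OK ? (long)value : (long)st;
}
```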