Jan Lieskovsky | 1 Dec 2008 13:25

(sort of urgent) CVE Request -- cups (repost)

Hello Steve,

  could you please allocate a new CVE id for the following vulnerability
(we need to have the patch backported by December 3rd due to some
 internal policies).

cups  -- buffer overflow in the PNG image read
      -- incomplete fix for CVE-2008-1722
(http://www.cups.org/strfiles/2790/str2790.patch)
      -- advisory: http://www.cups.org/str.php?L2974
      -- patch: http://www.cups.org/strfiles/2974/str2974.patch
      -- affects: cups-1.1.17 <= x <= cups-1.3.9
      -- references: http://www.cups.org/str.php?L2974
                     http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt (Part "- SECURITY:")

Many thanks!
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Hanno Böck | 1 Dec 2008 13:29

CVE request: tikiwiki < 2.2

http://info.tikiwiki.org/tiki-read_article.php?articleId=41

"
Updating to version 2.2 is highly recommended. In addition to several minor 
fixes and enhancements, the update provides two undisclosed security fixes.

Special thanks to Emanuele Gentili for reporting one of the security issues.
"

Further information is not easy to get; the changelog lists a vast number of 
[sec]-marked fixes, though it's not easy to see whether they are "just" 
improvements to prevent potential issues or real security issues.

-- 
Hanno Böck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@...

http://waldbesetzung.blogsport.de/ Forest occupation against the Frankfurt airport expansion, 28. - 30.11.
http://www.jukss.de/ Youth Environmental Congress, 27.12.-4.1.
Steven M. Christey | 1 Dec 2008 15:25

Re: (sort of urgent) CVE Request -- cups (repost)


======================================================
Name: CVE-2008-5286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286
Reference: CONFIRM:http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
Reference: CONFIRM:http://www.cups.org/str.php?L2974
Reference: MLIST:[oss-security] 20081201 (sort of urgent) CVE Request -- cups (repost)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/12/01/1
Reference: BID:32518
Reference: URL:http://www.securityfocus.com/bid/32518

Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17
through 1.3.9 allows remote attackers to execute arbitrary code via a
PNG image with a large height value, which bypasses a validation check
and triggers a buffer overflow.
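
An added illustration of the failure mode described for CVE-2008-5286 (example code, not CUPS's own reader or its actual check): validating width and height separately still lets width * height * channels wrap when the byte count is formed in 32-bit arithmetic, so a large height produces a tiny allocation; the hardened version guards every multiplication before it happens. MAX_DIM and MAX_IMAGE_BYTES are assumed policy limits, not CUPS values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limits for this example, not CUPS's values. */
#define MAX_DIM         65536u                  /* per-axis cap */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)  /* total allocation cap */

/* The pattern behind the bug: each dimension is range-checked, then the
 * byte count is formed in 32-bit arithmetic. 65536 x 65536 x 3 = 3 * 2^32,
 * which wraps to 0, so a later allocation is far too small for the rows
 * the decoder will write. Reconstructed example, not the CUPS code. */
static uint32_t naive_bufsize(uint32_t width, uint32_t height, uint32_t channels)
{
    if (width == 0 || width > MAX_DIM || height == 0 || height > MAX_DIM)
        return 0;                 /* "validated", yet the product can still wrap */
    return width * height * channels;
}

/* Hardened version: each multiplication is guarded by a division test so the
 * product is never formed if it would not fit in size_t, and the result is
 * then compared against an absolute cap. Returns 0 and stores the byte count
 * on success, -1 on any rejection. */
static int checked_bufsize(uint32_t width, uint32_t height, uint32_t channels,
                           size_t *out)
{
    size_t w = width, h = height, c = channels;
    if (w == 0 || h == 0 || c == 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;
    if (h > SIZE_MAX / w)         /* w * h would overflow size_t */
        return -1;
    size_t pixels = w * h;
    if (c > SIZE_MAX / pixels)    /* pixels * c would overflow size_t */
        return -1;
    size_t bytes = pixels * c;
    if (bytes > MAX_IMAGE_BYTES)  /* fits in size_t but exceeds policy */
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    size_t n;
    printf("naive:   %u bytes for 65536x65536x3\n",
           (unsigned)naive_bufsize(65536u, 65536u, 3u));
    printf("checked: %s\n",
           checked_bufsize(65536u, 65536u, 3u, &n) ? "rejected" : "ok");
    return 0;
}
```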

Steven M. Christey | 1 Dec 2008 15:52

Re: CVE request: no-ip DUC buffer overflow


======================================================
Name: CVE-2008-5297
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5297
Reference: MILW0RM:7151
Reference: URL:http://www.milw0rm.com/exploits/7151
Reference: MISC:http://xenomuta.tuxfamily.org/exploits/noIPwn3r.c
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506179
Reference: CONFIRM:http://git.debian.org/?p=collab-maint/no-ip.git;a=commit;h=60ed93621ff36d9731ba5d9f9336d6eb91122302
Reference: MLIST:[oss-security] 20081120 CVE request: no-ip DUC buffer overflow
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/21/15

Buffer overflow in No-IP DUC 2.1.7 and earlier allows remote DNS
servers to execute arbitrary code via a crafted DNS response, related
to a missing length check in the GetNextLine function.

Steven M. Christey | 1 Dec 2008 15:59

Re: CVE id request: chm2pdf insecure temporary files usage


The symlink attack and the static directory names were given separate CVE
IDs, although arguably they both fall under "incomplete control of
temporary files."

- Steve

======================================================
Name: CVE-2008-5298
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5298
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501959

chm2pdf 0.9 uses temporary files in directories with fixed names,
which allows local users to cause a denial of service (chm2pdf
failure) of other users by creating those directories ahead of time.

======================================================
Name: CVE-2008-5299
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5299
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501959

chm2pdf 0.9 allows user-assisted local users to delete arbitrary files
via a symlink attack on .chm files in the (1) /tmp/chm2pdf/work or (2)
/tmp/chm2pdf/orig temporary directories.
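
An added example for the two chm2pdf issues above (illustrative C, not chm2pdf's own code, which is not on this page): a work directory created with mkdtemp() under a caller-chosen base cannot be pre-created by another user, and an lstat()-based check refuses a path that is a symlink, owned by someone else, or accessible to other users. The chm2pdf.XXXXXX prefix and the TMPDIR fallback are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, lstat, geteuid */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a real directory (not a symlink), owned by the
 * effective user, and closed to group and others; 0 otherwise. */
static int is_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)             /* lstat: never follow a planted link */
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())            /* pre-created by someone else */
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))  /* others could plant files */
        return 0;
    return 1;
}

/* Create a fresh, unpredictable work directory under TMPDIR (or /tmp).
 * mkdtemp() creates it with mode 0700 and fails rather than reuse an
 * existing path, so a directory somebody created ahead of time (the
 * fixed-name DoS) is never adopted. Caller frees the result. */
static char *make_private_workdir(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    size_t len = strlen(base) + sizeof("/chm2pdf.XXXXXX");
    char *tmpl = malloc(len);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, len, "%s/chm2pdf.XXXXXX", base);  /* assumed prefix */
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

int main(void)
{
    char *dir = make_private_workdir();
    if (dir == NULL)
        return 1;
    printf("%s private=%d\n", dir, is_private_dir(dir));
    rmdir(dir);
    free(dir);
    return 0;
}
```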

Steven M. Christey | 1 Dec 2008 17:05

Re: CVE request: kernel: fix soft lockups/OOM issues with unix garbage collector


======================================================
Name: CVE-2008-5300
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300
Reference: MLIST:[linux-netdev] 20081120 soft lockups/OOM after unix socket fixes
Reference: URL:http://marc.info/?l=linux-netdev&m=122721862313564&w=2
Reference: MLIST:[linux-netdev] 20081125 [PATCH] Fix soft lockups/OOM issues w/ unix garbage collector
Reference: URL:http://marc.info/?l=linux-netdev&m=122765505415944&w=2
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=470201

Linux kernel 2.6.28 allows local users to cause a denial of service
("soft lockup" and process loss) via a large number of sendmsg
function calls, which does not block during AF_UNIX garbage collection
and triggers an OOM condition, a different vulnerability than
CVE-2008-5029.

Steven M. Christey | 1 Dec 2008 17:36

Re: CVE Request - cups, dovecot-managesieve, perl, wireshark


CVE-2008-5286 - CUPS PNG overflow

CVE-2008-5301 - dovecot-managesieve directory traversal

CVE-2008-5302, CVE-2008-5303 - Perl issues (read details below)

CVE-2008-5285 - Wireshark SMTP DoS

Regarding the Perl issues: as seen in this list and elsewhere, there seems
to be a ton of confusion about which CVE's were originally fixed (or not),
and which CVE's have since reappeared (or not), and which versions of Perl
and File::Path are or are not affected, plus Eygene's commentary on other
race conditions.

I've chosen to anchor the CVE descriptions based on Niko Tyni's commentary
in http://www.gossamer-threads.com/lists/perl/porters/233695#233695 and
have blended in some other comments, so hopefully we have a reasonable
place to start from.

- Steve

======================================================
Name: CVE-2008-5285
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285
Reference: BUGTRAQ:20081122 [SVRT-04-08] Vulnerability in WireShark 1.0.4 for DoS Attack
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/498562/100/0/threaded
Reference: FULLDISC:20081122 [SVRT-04-08] Vulnerability in WireShark 1.0.4 for DoS Attack
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065840.html

Marcus Meissner | 1 Dec 2008 17:46

CVE request: clamav 0.94.2

Hi,

the Clamav folks released 0.94.2 and it seems to contain one security-relevant
bugfix, "recursive stack overflow in jpeg parsing code":

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266

So this probably needs a CVE, Steven?

Ciao, Marcus

Eugene Teo | 2 Dec 2008 02:15

Re: CVE request: kernel: Unix sockets kernel panic

dann frazier wrote:
> On Tue, Nov 11, 2008 at 05:41:44PM +0800, Eugene Teo wrote:
>> Eugene Teo wrote:
>>> We need a CVE name for this issue. This was reported in netdev today.
>>>
>>> "The following code causes a kernel panic on Linux 2.6.26:
>>> http://darkircop.org/unix.c
>>>
>>> I haven't investigated the bug so I'm not sure what is causing it, and
>>> don't know if it's exploitable.  The code passes unix sockets from one
>>> process to another using unix sockets.  The bug probably has to do
>>> with closing file descriptors."
>>>
>>> http://marc.info/?l=linux-netdev&m=122593044330973&w=2
>>> https://bugzilla.redhat.com/show_bug.cgi?id=470201
>>>
>>> There isn't a fix yet. Dave is working on it.
>> There's a fix now.
>>
>> Upstream commits: f8d570a, 3b53fbf, and 6209344.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=470201#c10
>> https://bugzilla.redhat.com/show_bug.cgi?id=470201#c14
>> https://bugzilla.redhat.com/show_bug.cgi?id=470201#c9
>> https://bugzilla.redhat.com/show_bug.cgi?id=470201#c13
> 
> Thanks for following up.
> 
> fyi, our testing of this fix has uncovered additional issues.
> Local/unprivileged users can cause soft lockups and take out system

Eygene Ryabinkin | 2 Dec 2008 11:51

Re: CVE Request - cups, dovecot-managesieve, perl, wireshark

Steven, *, good day.

Mon, Dec 01, 2008 at 11:36:45AM -0500, Steven M. Christey wrote:
> Regarding the Perl issues: as seen in this list and elsewhere, there seems
> to be a ton of confusion about which CVE's were originally fixed (or not),
> and which CVE's have since reappeared (or not), and which versions of Perl
> and File::Path are or are not affected, plus Eygene's commentary on other
> race conditions.

It seems to me that the original issue for the 'setuid' stuff was
not completely fixed in Perl 5.8.4: it misses the stanza 'if
$force_writable' at the second chmod (this is from virgin perl-5.8.5):
-----
            chmod 0777, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
            if (rmdir $root) {
                ++$count;
            }
            else {
                carp "Can't remove directory $root: $!";
                chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
            }
-----
This is in line with Niko Tyni's patch:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=36;filename=sid_fix_file_path;att=2;bug=286922
