Paul Aurich | 2 Jan 22:56 2010

CVE request - pidgin MSN arbitrary file upload

http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html

In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
validate the filename received in a request for Pidgin to upload a custom
emoticon to a third-party, allowing an attacker to download arbitrary files
on the system via directory traversal.

This is fixed in source, but no release yet:
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

--
Paul Aurich

Giuseppe Iuculano | 6 Jan 11:38 2010

CVE request - uzbl remote code execution

Hi,

uzbl upstream reported a remote code execution vulnerability:
http://www.uzbl.org/news.php?id=22

References:
http://lists.uzbl.org/pipermail/uzbl-dev-uzbl.org/2010-January/000586.html
http://users.edpnet.be/dieter/exploit.html

Cheers,
Giuseppe.

Jamie Strandboge | 6 Jan 17:02 2010

CVE Request: Transmission

Transmission 1.77 was released to address a directory traversal
vulnerability that allowed file overwrites when processing crafted
torrent files. References:

http://trac.transmissionbt.com/wiki/Changes#version-1.77
http://trac.transmissionbt.com/changeset/9829/
https://launchpad.net/bugs/500625
http://www.mail-archive.com/debian-devel-changes-0aAXYlwwYIJuHlm7Suoebg <at> public.gmane.org/msg264483.html

Jamie

-- 
Jamie Strandboge             | http://www.canonical.com
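Both the Pidgin report above (a peer-supplied file name for a custom emoticon) and the Transmission report (per-file paths inside a torrent) come down to using an attacker-chosen name as part of a filesystem path without checking it. The following is an added example, not code from Pidgin, Transmission or this list, showing the lexical check a receiver should apply before joining such a name onto its own directory. The function names `safe_component`, `safe_filename` and `safe_relative_path` and the sample inputs are mine, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept one path component only if it is non-empty, contains no path
 * separator (both '/' and '\\', since the client may run on Windows) and is
 * not one of the special entries "." or "..". */
int safe_component(const char *comp, size_t len) {
    if (len == 0) return 0;
    if (len == 1 && comp[0] == '.') return 0;
    if (len == 2 && comp[0] == '.' && comp[1] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        if (comp[i] == '/' || comp[i] == '\\') return 0;
    }
    return 1;
}

/* A bare file name received from a peer (the custom-emoticon case): it must
 * be a single component, so the stored file can only land in the intended
 * directory. Returns 1 if acceptable, 0 if it must be rejected. */
int safe_filename(const char *name) {
    if (name == NULL) return 0;
    return safe_component(name, strlen(name));
}

/* A relative, '/'-joined path such as the per-file path list in a torrent.
 * Every component must pass safe_component(), the path may not be absolute
 * and may not end in a separator. Returns 1 if acceptable, 0 otherwise. */
int safe_relative_path(const char *path) {
    if (path == NULL || path[0] == '\0') return 0;
    if (path[0] == '/' || path[0] == '\\') return 0;          /* absolute */
    const char *p = path;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (!safe_component(p, len)) return 0;
        if (slash == NULL) return 1;
        p = slash + 1;
        if (*p == '\0') return 0;                               /* trailing '/' */
    }
}

int main(void) {
    /* Constructed sample inputs, not taken from any real protocol message. */
    const char *names[] = { "smiley.png", "../../secret.txt", "..", "sub/evil.png", "" };
    const char *paths[] = { "album/track01.mp3", "album/../../outside.txt", "/etc/hosts",
                            "album//x", "album/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("filename %-20s -> %s\n", names[i],
               safe_filename(names[i]) ? "accept" : "reject");
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("path     %-24s -> %s\n", paths[i],
               safe_relative_path(paths[i]) ? "accept" : "reject");
    return 0;
}
```

Two caveats: if the protocol carries an explicit length for the name, compare it with `strlen()` first, since an embedded NUL would otherwise truncate the string before the check sees it; and a lexical check alone does not catch a symlinked directory or a Windows drive-relative form such as `C:name`, so the final path should still be canonicalized and confirmed to lie under the intended directory once it exists.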
Josh Bressers | 6 Jan 22:22 2010

Re: CVE request - uzbl remote code execution

----- "Giuseppe Iuculano" <iuculano@...> wrote:
> 
> uzbl upstream reported a remote code execution vulnerability:
> http://www.uzbl.org/news.php?id=22
> 
> References:
> http://lists.uzbl.org/pipermail/uzbl-dev-uzbl.org/2010-January/000586.html
> http://users.edpnet.be/dieter/exploit.html
> 

Please use CVE-2010-0011 for this.

Thanks.

-- 
    JB

Josh Bressers | 6 Jan 22:23 2010

Re: CVE Request: Transmission


----- "Jamie Strandboge" <jamie@...> wrote:

> Transmission 1.77 was released to address a directory traversal
> vulnerability that allowed file overwrites when processing crafted
> torrent files. References:
> 
> http://trac.transmissionbt.com/wiki/Changes#version-1.77
> http://trac.transmissionbt.com/changeset/9829/
> https://launchpad.net/bugs/500625
> http://www.mail-archive.com/debian-devel-changes-0aAXYlwwYIJuHlm7Suoebg <at> public.gmane.org/msg264483.html
> 

Please use CVE-2010-0012 for this.

Thanks.

-- 
    JB

Josh Bressers | 7 Jan 16:16 2010

Re: CVE request - pidgin MSN arbitrary file upload

----- "Paul Aurich" <paul@...> wrote:

> http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
> 
> In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
> validate the filename received in a request for Pidgin to upload a custom
> emoticon to a third-party, allowing an attacker to download arbitrary
> files on the system via directory traversal.
> 
> This is fixed in source, but no release yet:
> http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

As this really needs an ID, please use CVE-2010-0013.

Thanks.

-- 
    JB

Nico Golde | 7 Jan 17:51 2010

Re: CVE request - pidgin MSN arbitrary file upload

Hi,
* Josh Bressers <bressers@...> [2010-01-07 16:19]:
> ----- "Paul Aurich" <paul@...> wrote:
> > http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
> > 
> > In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
> > validate the filename received in a request for Pidgin to upload a custom
> > emoticon to a third-party, allowing an attacker to download arbitrary
> > files on the system via directory traversal.
> > 
> > This is fixed in source, but no release yet:
> > http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
> 
> As this really needs an ID, please use CVE-2010-0013.

While everyone is talking about the file inclusion vulnerability which is 
really important, has anyone investigated the SLP memory corruption issue yet?
Page 24: http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf

I had no time to investigate this yet myself but both issues should be fixed 
probably at once ;)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@... - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Aurelien Jarno | 7 Jan 23:05 2010

CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that
non-privileged users can read NIS shadow password entries simply
using getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch
is available on [3].

It seems that all GNU libc versions are affected, including derivatives
like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@...                 http://www.aurel32.net
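The report above is that an ordinary user calling getpwnam() on a glibc NIS client with nscd running gets the real hash in pw_passwd instead of a placeholder. An administrator can check a client for this directly by going through the same NSS path an unprivileged program would. The following is an added example, not glibc code or the Debian patch; the functions `pw_field_exposes_hash` and `audit_user` are mine, the sample field values are constructed, and the verdict printed by `main` depends entirely on the host's own NSS and nscd configuration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Classify a pw_passwd field. A non-root caller should only ever see a
 * placeholder ("x", "*", "!", "!!", "*NP*", "*LK*", empty). Returns 1 if the
 * field instead carries hashed password material: either modular crypt
 * "$id$salt$hash" or a 13-character traditional DES string, with any leading
 * lock markers ('!' / '*') stripped first. */
int pw_field_exposes_hash(const char *pw) {
    if (pw == NULL) return 0;
    while (*pw == '!' || *pw == '*') pw++;          /* account lock markers */
    size_t n = strlen(pw);
    if (n == 0) return 0;
    if (pw[0] == '$')                                /* modular crypt format */
        return strchr(pw + 1, '$') != NULL;
    if (n == 13) {                                   /* traditional DES crypt */
        for (size_t i = 0; i < n; i++) {
            char c = pw[i];
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '/'))
                return 0;
        }
        return 1;
    }
    return 0;
}

/* Look the account up the way any program would (through NSS, and through
 * nscd when it is running). Returns 1 if the hash is visible to this caller,
 * 0 if only a placeholder is visible, -1 if the account is unknown. */
int audit_user(const char *name) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    return pw_field_exposes_hash(pw->pw_passwd) ? 1 : 0;
}

int main(int argc, char **argv) {
    /* root is entitled to see hashes, so the check only means something
     * when run as an ordinary user. */
    if (geteuid() == 0) {
        fprintf(stderr, "run as an unprivileged user; root may see hashes legitimately\n");
        return 2;
    }
    const char *name = argc > 1 ? argv[1] : "root";
    int r = audit_user(name);
    if (r < 0) {
        printf("%s: no such account\n", name);
        return 2;
    }
    printf("%s: %s\n", name,
           r ? "hash VISIBLE to unprivileged caller (shadow data leaking)"
             : "placeholder only (ok)");
    return r;
}
```

Run it once with nscd stopped and once with nscd running against an account served from NIS; a differing verdict between the two runs is the symptom the report describes.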
Josh Bressers | 8 Jan 23:11 2010

Re: CVE id request: GNU libc: NIS shadow password leakage

----- "Aurelien Jarno" <aurelien@...> wrote:

> Hi oss-sec,
> 
> Christoph Pleger has reported through the Debian bug tracker [1] that
> non-privileged users can read NIS shadow password entries simply using
> getpwnam() when nscd is in use.
> 
> The issue has already been reported upstream [2], and a proposed patch is
> available on [3].
> 
> It seems that all GNU libc versions are affected, including derivatives
> like EGLIBC.
> 
> Could we please get a CVE id for this issue?
> 
> Thanks,
> Aurelien
> 
> [1] http://bugs.debian.org/560333
> [2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
> [3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

I may be missing something here, or perhaps I'm not remembering correctly,
but NIS basically doesn't have any security in this respect. This bug
implies that a user has some sort of access to the NIS client, but the NIS
server would happily hand out the same data if the malicious user asked for
it (not using glibc let's say). While this may be a glibc bug (I doubt it,
as it would just be a false sense of security), I think this is a non-issue.


Christoph Pleger | 9 Jan 00:09 2010

Re: CVE id request: GNU libc: NIS shadow password leakage

Hello,

On Friday 08 January 2010 23:11:50, Josh Bressers wrote:

> I may be missing something here, or perhaps I'm not remembering correctly,
> but NIS basically doesn't have any security in this respect. This bug
> implies that a user has some sort of access to the NIS client, but the NIS
> server would happily hand out the same data if the malicious user asked for
> it (not using glibc let's say). While this may be a glibc bug (I doubt it,
> as it would just be a false sense of security), I think this is a non-issue.

No, that's not true. I have no experience with Linux NIS servers, but when the 
NIS server runs on Solaris (Sun Microsystems is the inventor of NIS), the 
shadow password information, which is in the passwd.adjunct.byname map, on 
the NIS clients can only be seen by root. When other users call for 
example "ypcat passwd.adjunct.byname", they get an error message that the map 
does not exist. Also, on Solaris NIS clients, the shadow password cannot be 
seen with getpwnam. 

Regards
  Christoph 

