Open Source Software security discussions, including joint development and review of security patches ()

Paul Aurich | 2 Jan 2010 22:56

CVE request - pidgin MSN arbitrary file upload

http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html

In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
validate the filename received in a request for Pidgin to upload a custom
emoticon to a third-party, allowing an attacker to download arbitrary files
on the system via directory traversal.

This is fixed in source, but no release yet:
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

--
Paul Aurich

Giuseppe Iuculano | 6 Jan 2010 11:38

Picon

CVE request - uzbl remote code execution

Hi,

uzbl upstream reported a remote code execution vulnerability:
http://www.uzbl.org/news.php?id=22

References:
http://lists.uzbl.org/pipermail/uzbl-dev-uzbl.org/2010-January/000586.html
http://users.edpnet.be/dieter/exploit.html

Cheers,
Giuseppe.

Jamie Strandboge | 6 Jan 2010 17:02

CVE Request: Transmission

Transmission 1.77 was released to address a directory traversal
vulnerability that allowed file overwrites when processing crafted
torrent files. References:

http://trac.transmissionbt.com/wiki/Changes#version-1.77
http://trac.transmissionbt.com/changeset/9829/
https://launchpad.net/bugs/500625
http://www.mail-archive.com/debian-devel-changes-0aAXYlwwYIJuHlm7Suoebg <at> public.gmane.org/msg264483.html

Jamie

--

-- 
Jamie Strandboge             | http://www.canonical.com

Josh Bressers | 6 Jan 2010 22:22

Picon

Re: CVE request - uzbl remote code execution

----- "Giuseppe Iuculano" <iuculano@...> wrote:
> 
> uzbl upstream reported a remote code execution vulnerability:
> http://www.uzbl.org/news.php?id=22
> 
> References:
> http://lists.uzbl.org/pipermail/uzbl-dev-uzbl.org/2010-January/000586.html
> http://users.edpnet.be/dieter/exploit.html
> 

Plesae use CVE-2010-0011 for this.

Thanks.

--

-- 
    JB

Josh Bressers | 6 Jan 2010 22:23

Picon

Re: CVE Request: Transmission


----- "Jamie Strandboge" <jamie@...> wrote:

> Transmission 1.77 was released to address a directory traversal
> vulnerability that allowed file overwrites when processing crafted
> torrent files. References:
> 
> http://trac.transmissionbt.com/wiki/Changes#version-1.77
> http://trac.transmissionbt.com/changeset/9829/
> https://launchpad.net/bugs/500625
> http://www.mail-archive.com/debian-devel-changes-0aAXYlwwYIJuHlm7Suoebg <at> public.gmane.org/msg264483.html
> 

Please use CVE-2010-0012 for this.

Thanks.

--

-- 
    JB

Josh Bressers | 7 Jan 2010 16:16

Picon

Re: CVE request - pidgin MSN arbitrary file upload

----- "Paul Aurich" <paul@...> wrote:

> http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
> 
> In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
> validate the filename received in a request for Pidgin to upload a custom
> emoticon to a third-party, allowing an attacker to download arbitrary
> files on the system via directory traversal.
> 
> This is fixed in source, but no release yet:
> http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

As this really needs an ID, please use CVE-2010-0013.

Thanks.

--

-- 
    JB

Nico Golde | 7 Jan 2010 17:51

Picon

Re: CVE request - pidgin MSN arbitrary file upload

Hi,
* Josh Bressers <bressers@...> [2010-01-07 16:19]:
> ----- "Paul Aurich" <paul@...> wrote:
> > http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
> > 
> > In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not
> > validate the filename received in a request for Pidgin to upload a custom
> > emoticon to a third-party, allowing an attacker to download arbitrary
> > files on the system via directory traversal.
> > 
> > This is fixed in source, but no release yet:
> > http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
> 
> As this really needs an ID, please use CVE-2010-0013.

While everyone is talking about the file inclusion vulnerability which is 
really important, has anyone investigated the SLP memory corruption issue yet?
Page 24: http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf

I had no time to investigate this yet myself but both issues should be fixed 
probably at once ;)

Cheers
Nico
--

-- 
Nico Golde - http://www.ngolde.de - nion@... - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Aurelien Jarno | 7 Jan 2010 23:05

CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that
non-priviledged users can read NIS shadow password entries simply
using getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch
is available on [3].

It seems that all GNU libc versions are affected, including derivatives
like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

--

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@...                 http://www.aurel32.net

Josh Bressers | 8 Jan 2010 23:11

Picon

Re: CVE id request: GNU libc: NIS shadow password leakage

----- "Aurelien Jarno" <aurelien@...> wrote:

> Hi oss-sec,
> 
> Christoph Pleger has reported through the Debian bug tracker [1] that
> non-priviledged users can read NIS shadow password entries simply using
> getpwnam() when nscd is in use.
> 
> The issue has already been reported upstream [2], and a proposed patch is
> available on [3].
> 
> It seems that all GNU libc versions are affected, including derivatives
> like EGLIBC.
> 
> Could we please get a CVE id for this issue?
> 
> Thanks,
> Aurelien
> 
> [1] http://bugs.debian.org/560333
> [2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
> [3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

I may be missing something here, or perhaps I'm not remembering correctly,
but NIS basically doesn't have any security in this respect. This bug
implies that a user has some sort of access to the NIS client, but the NIS
server would happily hand out the same data if the malicious user asked for
it (not using glibc let's say). While this may be a glibc bug (I doubt it,
as it would just be a false sense of security), I this this is a non issue.

(Continue reading)

Christoph Pleger | 9 Jan 2010 00:09

Picon

Re: CVE id request: GNU libc: NIS shadow password leakage

Hello,

On Friday 08 January 2010 23:11:50, Josh Bressers wrote:

> I may be missing something here, or perhaps I'm not remembering correctly,
> but NIS basically doesn't have any security in this respect. This bug
> implies that a user has some sort of access to the NIS client, but the NIS
> server would happily hand out the same data if the malicious user asked for
> it (not using glibc let's say). While this may be a glibc bug (I doubt it,
> as it would just be a false sense of security), I this this is a non issue.

No, that's not true. I have no experience with Linux NIS servers, but when the 
NIS server runs on Solaris (Sun Microsystems is the inventor of NIS), the 
shadow password information, which is in the passwd.adjunct.byname map, on 
the NIS clients can only be seen by root. When other users call for 
example "ypcat passwd.adjunct.byname", they get an error message that the map 
does not exist. Also, on Solaris NIS clients, the shadow password cannot be 
seen with getpwnam. 

Regards
  Christoph

Group

gmane.comp.security.oss.general.

Project Web Page

Open Source Software security discussions, including joint development and review of security patches ()

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8

Articles in period: 72

January 2010

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

More zPanel security flaws? Trying to sort them out (19 May 2013)
Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability (17 May 2013)
Xen Security Advisory 56 (CVE-2013-2072) - Buffer overflow in xencontr (17 May 2013)
CVE Request: WebAuth: Authentication credential disclosure (16 May 2013)
CVE request: WordPress plugin wp-cleanfix CSRF (16 May 2013)
CVE-2013-1962 libvirt: DoS (max count of open files exhaustion) due so (16 May 2013)
CVE request: WordPress plugin mail-on-update CSRF (16 May 2013)
[OSSA 2013-012] Nova fails to verify image virtual size (CVE-2013-2096 (16 May 2013)
CVE-2013-2097: zPanel themes remote command execution as root (16 May 2013)
CVE request for a Drupal contributed module (15 May 2013)
CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of (15 May 2013)
CVE Request: Man in the middle on Gentoo Portage binary package instal (15 May 2013)
Remote command Injection in Creme Fraiche 0.6 Ruby Gem (14 May 2013)
ownCloud Security Advisories oC-SA-0{19-27} (14 May 2013)
CVE Request: linux kernel perf out-of-bounds access (14 May 2013)
CVE-2002-2443: Kerberos kpasswd UDP ping-pong vulnerability (13 May 2013)
nginx security advisory (CVE-2013-2070) (13 May 2013)
CVE request: Gallery multiple XSS vulnerabilities (13 May 2013)
CVE Request: Storable::thaw called on cookie data in multiple CPAN mod (13 May 2013)
CVE request: MoinMoin Wiki (remote code execution vulnerability) (12 May 2013)
CVE request: MoinMoin Wiki (remote code execution vulnerability) (12 May 2013)

Archives

122	May 2013
244	April 2013
237	March 2013
322	February 2013
214	January 2013
157	December 2012
186	November 2012
185	October 2012
232	September 2012
207	August 2012
150	July 2012
127	June 2012
235	May 2012
209	April 2012
292	March 2012
188	February 2012
333	January 2012
144	December 2011
239	November 2011
204	October 2011
133	September 2011
162	August 2011
258	July 2011
224	June 2011
155	May 2011
354	April 2011
319	March 2011
168	February 2011
149	January 2011
136	December 2010
187	November 2010
84	October 2010
175	September 2010
137	August 2010
117	July 2010
141	June 2010
115	May 2010
118	April 2010
122	March 2010
94	February 2010
72	January 2010
74	December 2009
105	November 2009
122	October 2009
102	September 2009
98	August 2009
84	July 2009
59	June 2009
96	May 2009
114	April 2009
75	March 2009
81	February 2009
89	January 2009
108	December 2008
127	November 2008
123	October 2008
127	September 2008
126	August 2008
149	July 2008
112	June 2008
136	May 2008
143	April 2008
103	March 2008
103	February 2008

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template