Showing all newswire headlines

A vulnerability was discovered in all 8.12.x versions of sendmail up to and including 8.12.8. Due to wrong initialization of RESOURCE_RECORD_T structures, if sendmail receives a bad DNS reply it will call free() on random addresses which usually causes sendmail to crash.

A directory traversal vulnerability in UnZip 5.50 allows attackers to bypass a check for relative pathnames ("../") by placing certain invalid characters between the two "." characters. The fix which was implemented in DSA-344-1 may not have protected against all methods of exploiting this vulnerability.

Upgraded infozip packages are available for Slackware 9.0 and -current. These fix a security issue where a specially crafted archive may overwrite files (including system files anywhere on the filesystem) upon extraction by a user with sufficient permissions.

Updated iptables packages which are fully compatible with recent kernel updates are now available.

Upgraded gdm packages are available for Slackware 9.0 and -current. These fix a security issue where a local user may use GDM to read any file on the system.

Several vulnerabilities were discovered in versions of gdm prior to 2.4.1.6. The first vulnerability is that any user can read any text file on the system due to code originally written to be run as the user logging in was in fact being run as the root user. This code is what allows the examination of the ~/.xsession-errors file. If a user makes a symlink from this file to any other file on the system during the session and ensures that the session lasts less than ten seconds, the user can read the file provided it was readable as a text file.

Updated GDM packages are available which correct a bug allowing local users to read any text files on the system, and a denial of service issue if XDMCP is enabled.

Eye on Security found a cross-site scripting vulnerability in the start_form() function in CGI.pm. This vulnerability allows a remote attacker to place a web script in a URL which feeds into a form's action parameter and allows execution by the browser as if it was coming from the site.

A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two "." characters. These invalid characters are filtered which results in a ".." sequence.

A previous man-db update (DSA-364-1) fixed buffer overruns in ult_src, a part of the "mandb" command that finds the canonical source file for each man page. However, this update introduced an error in the routine that resolves hardlinks: depending on the filenames of hardlinked man pages, that routine might itself overrun allocated memory, causing a segmentation fault.

Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server.

Updated unzip packages resolving a vulnerability allowing arbitrary files to be overwritten are now available. [Updated 15 August 2003] Ben Laurie found that the original patch to fix this issue missed a case where the path component included a quoted slash. These updated packages contain a new patch that corrects this issue.

This advisory provides a correction to the previous kernel updates, which contained an error introduced in kernel-source-2.4.18 version 2.4.18-10. This error could result in a kernel "oops" under certain circumstances involving POSIX locks and multithreaded programs.

A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user- supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CAN-2003-0442).

During the last weeks a couple of security relevant fixes have been accumulated for the kernel. These fix local vulnerabilities and remote DoS conditions. The list of the fixed vulnerabilities is as follows:

A cross-site scripting vulnerability exists in the start_form() function in CGI.pm. This function outputs user-controlled data into the action attribute of a form element without sanitizing it, allowing a remote user to execute arbitrary web script within the context of the generated page. Any program which uses this function in the CGI.pm module may be affected.

This erratum provides updated KDE packages that resolve a security issue in Konquerer.

Updated ddskk packages which fix a temporary file security issue are now available.