Date:      Thu, 21 Jan 2021 13:18:50 +0000 (UTC)
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r562203 - head/security/vuxml
Message-ID:  <202101211318.10LDIoap057289@repo.freebsd.org>

Author: bapt
Date: Thu Jan 21 13:18:49 2021
New Revision: 562203
URL: https://svnweb.freebsd.org/changeset/ports/562203

Log:
  Split vuln.xml file [1/2]
  
  The vuln.xml file has grown a lot since 2003. To avoid having to unlock
  the svn size limitation, the file is now split into 1 file per year up
  to the current year + previous one. The split is made based on the date
  when the entry has been added.
  
  In order to achieve the split without breaking any consumer we use a standard
  XML mechanism via the definition of entities.
  
  While here add a new target make vuln-flat.xml which will expand the entities
  in order to be able to regenerate one unique file if needed. This is useful to,
  for example, allow testing with pkg audit directly, given that the XML parser
  used in pkg does not support custom entities.
  
  The vuxml web site generator has been modified to ensure the vuln.xml file it
  provides is the expanded version, so for consumers it is still only one single
  file to download.
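As an added illustration of the entity mechanism the log describes (example code written for this page, not part of the FreeBSD ports tree or its vuxml tooling): a small Python script builds a master vuln.xml whose internal DTD subset declares one external SYSTEM entity per yearly fragment, then expands those references the way the new `make vuln-flat.xml` target does with `xmllint -noent`, so that a consumer whose parser cannot resolve custom entities still gets one self-contained file. The fragment contents and the vuxml namespace URI used below are constructed/assumed here, not taken from the commit.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample fragments, one per year, shaped like the per-year files in
# this commit: a bare sequence of <vuln> elements, no root element, no prolog.
FRAGMENTS = {
    2003: """
  <vuln vid="00000000-0000-0000-0000-000000002003">
    <topic>sample-2003 -- constructed entry</topic>
    <dates><entry>2003-12-12</entry></dates>
  </vuln>
""",
    2004: """
  <vuln vid="00000000-0000-0000-0000-000000002004">
    <topic>sample-2004 -- constructed entry (non-ASCII: Peña)</topic>
    <dates><entry>2004-12-30</entry></dates>
  </vuln>
""",
}

# Assumed namespace of the VuXML root element; it is not shown in the commit mail.
VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+SYSTEM\s+"([^"]+)"\s*>')
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[.*?\]>\s*", re.S)
ENTITY_REF = re.compile(r"&([\w.-]+);")


def write_split_db(directory: Path, fragments: dict) -> Path:
    """Write the yearly fragments plus a master vuln.xml that includes them
    through external parsed entities; return the master file's path."""
    decls, refs = [], []
    for year in sorted(fragments):
        name = f"vuln-{year}.xml"
        (directory / name).write_text(fragments[year], encoding="utf-8")
        decls.append(f'  <!ENTITY vuln-{year} SYSTEM "{name}">')
        refs.append(f"  &vuln-{year};")
    master = directory / "vuln.xml"
    master.write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!DOCTYPE vuxml [\n" + "\n".join(decls) + "\n]>\n"
        f'<vuxml xmlns="{VUXML_NS}">\n' + "\n".join(refs) + "\n</vuxml>\n",
        encoding="utf-8",
    )
    return master


def flatten(master: Path) -> str:
    """Expand the master file's external entity references into one document,
    the same result `xmllint -noent vuln.xml > vuln-flat.xml` produces.

    Deliberately minimal: only SYSTEM entities declared in the internal subset
    are handled, and fragment text is inserted verbatim (never re-scanned), so
    an &amp; inside a fragment is not expanded again. Predefined entities in
    the master are not in the declaration table and are left untouched.
    """
    text = master.read_text(encoding="utf-8")
    table = dict(ENTITY_DECL.findall(text))
    body = DOCTYPE.sub("", text, count=1)  # nothing left to declare once flat

    def expand(match):
        name = match.group(1)
        if name not in table:
            return match.group(0)
        # Fragments are resolved relative to the master file, as a parser would.
        return (master.parent / table[name]).read_text(encoding="utf-8")

    return ENTITY_REF.sub(expand, body)


def vuln_ids(flat_xml: str) -> list:
    """Parse a flat document with ElementTree and list its <vuln> vids.
    ElementTree's expat setup does not fetch external entities, so it stands
    in here for a consumer (like pkg audit) that needs the flattened file."""
    root = ET.fromstring(flat_xml)
    return [v.get("vid") for v in root.iter(f"{{{VUXML_NS}}}vuln")]


def demo() -> dict:
    """Build the split database in a scratch directory, flatten it, and report
    what a plain parser sees plus whether any declaration or reference is left."""
    with tempfile.TemporaryDirectory() as scratch:
        master = write_split_db(Path(scratch), FRAGMENTS)
        flat = flatten(master)
    return {
        "vids": vuln_ids(flat),
        "declarations_left": "<!DOCTYPE" in flat,
        "references_left": any(f"&vuln-{y};" in flat for y in FRAGMENTS),
    }


if __name__ == "__main__":
    print(demo())
```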

Added:
  head/security/vuxml/vuln-2003.xml   (contents, props changed)
  head/security/vuxml/vuln-2004.xml   (contents, props changed)
  head/security/vuxml/vuln-2005.xml   (contents, props changed)
  head/security/vuxml/vuln-2006.xml   (contents, props changed)
  head/security/vuxml/vuln-2007.xml   (contents, props changed)
  head/security/vuxml/vuln-2008.xml   (contents, props changed)
  head/security/vuxml/vuln-2009.xml   (contents, props changed)
  head/security/vuxml/vuln-2010.xml   (contents, props changed)
  head/security/vuxml/vuln-2011.xml   (contents, props changed)
  head/security/vuxml/vuln-2012.xml   (contents, props changed)
  head/security/vuxml/vuln-2013.xml   (contents, props changed)
  head/security/vuxml/vuln-2014.xml   (contents, props changed)
  head/security/vuxml/vuln-2015.xml   (contents, props changed)
  head/security/vuxml/vuln-2016.xml   (contents, props changed)
  head/security/vuxml/vuln-2017.xml   (contents, props changed)
  head/security/vuxml/vuln-2018.xml   (contents, props changed)
  head/security/vuxml/vuln-2019.xml   (contents, props changed)
Modified:
  head/security/vuxml/Makefile

Modified: head/security/vuxml/Makefile
==============================================================================
--- head/security/vuxml/Makefile	Thu Jan 21 13:16:29 2021	(r562202)
+++ head/security/vuxml/Makefile	Thu Jan 21 13:18:49 2021	(r562203)
@@ -50,6 +50,9 @@ do-test:
 	@${CP} ${.CURDIR}/vuln.xml ${WRKDIR}/test
 	@cd ${.CURDIR} && make validate PKGDIR=${WRKDIR}/test
 
+vuln-flat.xml: vuln.xml
+	xmllint -noent ${.ALLSRC} > ${.TARGET}
+
 validate: tidy
 	@${SH} ${FILESDIR}/validate.sh "${VUXML_FILE}"
 	@${ECHO_MSG} Checking if tidy differs...
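Review bot: the new `vuln-flat.xml` target depends only on `vuln.xml`, yet the log says the entries now live in the per-year files that `vuln.xml` pulls in through entities, so an edit to `vuln-2019.xml` alone leaves make believing an existing `vuln-flat.xml` is up to date; list the yearly files as additional sources (and keep `vuln.xml` as the explicit argument to xmllint rather than `${.ALLSRC}`, which would then pass the fragments too). Separately, `xmllint -noent ${.ALLSRC} > ${.TARGET}` creates and truncates the target before xmllint runs, so a parse failure leaves a partial `vuln-flat.xml` with a fresh timestamp; write to `${.TARGET}.tmp` and `mv` it into place only on success.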

Added: head/security/vuxml/vuln-2003.xml
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/vuxml/vuln-2003.xml	Thu Jan 21 13:18:49 2021	(r562203)
@@ -0,0 +1,282 @@
+<!--
+Copyright 2003-2021 Jacques Vidrine and contributors
+
+Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
+HTML, PDF, PostScript, RTF and so forth) with or without modification,
+are permitted provided that the following conditions are met:
+1. Redistributions of source code (VuXML) must retain the above
+   copyright notice, this list of conditions and the following
+   disclaimer as the first lines of this file unmodified.
+2. Redistributions in compiled form (transformed to other DTDs,
+   published online in any format, converted to PDF, PostScript,
+   RTF and other formats) must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer
+   in the documentation and/or other materials provided with the
+   distribution.
+
+THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+  $FreeBSD$
+-->
+
+  <vuln vid="81313647-2d03-11d8-9355-0020ed76ef5a">
+    <topic>ElGamal sign+encrypt keys created by GnuPG can be compromised</topic>
+    <affects>
+      <package>
+	<name>gnupg</name>
+	<range><ge>1.0.2</ge><lt>1.2.3_4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Any ElGamal sign+encrypt keys created by GnuPG contain a
+	  cryptographic weakness that may allow someone to obtain
+	  the private key. <strong>These keys should be considered
+	  unusable and should be revoked.</strong></p>
+	<p>The following summary was written by Werner Koch, GnuPG
+	  author:</p>
+	<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html">;
+	  <p>Phong Nguyen identified a severe bug in the way GnuPG
+	    creates and uses ElGamal keys for signing.	This is
+	    a significant security failure which can lead to a
+	    compromise of almost all ElGamal keys used for signing.
+	    Note that this is a real world vulnerability which will
+	    reveal your private key within a few seconds.</p>
+	  <p>...</p>
+	  <p>Please <em>take immediate action and revoke your ElGamal
+	    signing keys</em>.	Furthermore you should take whatever
+	    measures necessary to limit the damage done for signed or
+	    encrypted documents using that key.</p>
+	  <p>Note that the standard keys as generated by GnuPG (DSA
+	    and ElGamal encryption) as well as RSA keys are NOT
+	    vulnerable.  Note also that ElGamal signing keys cannot
+	    be generated without the use of a special flag to enable
+	    hidden options and even then overriding a warning message
+	    about this key type.  See below for details on how to
+	    identify vulnerable keys.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2003-0971</cvename>
+      <mlist>http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html</mlist>;
+    </references>
+    <dates>
+      <discovery>2003-11-27</discovery>
+      <entry>2003-12-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f04cc5cb-2d0b-11d8-beaf-000a95c4d922">
+    <topic>bind8 negative cache poison attack</topic>
+    <affects>
+      <package>
+	<name>bind</name>
+	<range><ge>8.3</ge><lt>8.3.7</lt></range>
+	<range><ge>8.4</ge><lt>8.4.3</lt></range>
+      </package>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>5.1</ge><lt>5.1_11</lt></range>
+	<range><ge>5.0</ge><lt>5.0_19</lt></range>
+	<range><ge>4.9</ge><lt>4.9_1</lt></range>
+	<range><ge>4.8</ge><lt>4.8_14</lt></range>
+	<range><ge>4.7</ge><lt>4.7_24</lt></range>
+	<range><ge>4.6</ge><lt>4.6.2_27</lt></range>
+	<range><ge>4.5</ge><lt>4.5_37</lt></range>
+	<range><lt>4.4_47</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A programming error in BIND 8 named can result in a DNS
+	message being incorrectly cached as a negative response.  As
+	a result, an attacker may arrange for malicious DNS messages
+	to be delivered to a target name server, and cause that name
+	server to cache a negative response for some target domain
+	name.  The name server would thereafter respond negatively
+	to legitimate queries for that domain name, resulting in a
+	denial-of-service for applications that require DNS.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2003-0914</cvename>
+      <freebsdsa>SA-03:19.bind</freebsdsa>
+      <certvu>734644</certvu>
+    </references>
+    <dates>
+      <discovery>2003-11-28</discovery>
+      <entry>2003-12-12</entry>
+      <modified>2004-05-05</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="96fdbf5b-2cfd-11d8-9355-0020ed76ef5a">
+    <topic>Mathopd buffer overflow</topic>
+    <affects>
+      <package>
+	<name>mathopd</name>
+	<range><lt>1.4p2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mathopd contains a buffer overflow in the prepare_reply()
+	  function that may be remotely exploitable.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html</url>;
+    </references>
+    <dates>
+      <discovery>2003-12-04</discovery>
+      <entry>2003-12-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d7af61c8-2cc0-11d8-9355-0020ed76ef5a">
+    <topic>lftp HTML parsing vulnerability</topic>
+    <affects>
+      <package>
+	<name>lftp</name>
+	<range><le>2.6.10</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A buffer overflow exists in lftp which may be triggered when
+	  requesting a directory listing from a malicious server over
+	  HTTP.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2003-0963</cvename>
+      <url>http://lftp.yar.ru/news.html#2.6.10</url>;
+    </references>
+    <dates>
+      <discovery>2003-12-11</discovery>
+      <entry>2003-12-12</entry>
+    </dates>
+  </vuln>
+
+   <vuln vid="ebdf65c7-2ca6-11d8-9355-0020ed76ef5a">
+    <topic>qpopper format string vulnerability</topic>
+    <affects>
+      <package>
+	<name>qpopper</name>
+	<range><lt>2.53_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>An authenticated user may trigger a format string
+	  vulnerability present in qpopper's UIDL code, resulting
+	  in arbitrary code execution with group ID `mail'
+	  privileges.</p>
+      </body>
+    </description>
+    <references>
+      <bid>1241</bid>
+      <cvename>CVE-2000-0442</cvename>
+      <url>http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt</url>;
+    </references>
+    <dates>
+      <discovery>2000-05-23</discovery>
+      <entry>2003-12-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="af0296be-2455-11d8-82e5-0020ed76ef5a">
+    <topic>fetchmail -- address parsing vulnerability</topic>
+    <affects>
+      <package>
+	<name>fetchmail</name>
+	<range><le>6.2.0</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Fetchmail can be crashed by a malicious email message.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://security.e-matters.de/advisories/052002.html</url>;
+    </references>
+    <dates>
+      <discovery>2003-10-25</discovery>
+      <entry>2003-10-25</entry>
+      <modified>2012-09-04</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="2bcd2d24-24ca-11d8-82e5-0020ed76ef5a">
+    <topic>Buffer overflow in pam_smb password handling</topic>
+    <affects>
+      <package>
+	<name>pam_smb</name>
+	<range><lt>1.9.9_3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Applications utilizing pam_smb can be compromised by
+	  any user who can enter a password.  In many cases,
+	  this is a remote root compromise.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://www.skynet.ie/~airlied/pam_smb/</url>;
+      <cvename>CVE-2003-0686</cvename>
+    </references>
+    <dates>
+      <discovery>2003-10-25</discovery>
+      <entry>2003-10-25</entry>
+      <modified>2003-10-25</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="c4b7badf-24ca-11d8-82e5-0020ed76ef5a">
+    <topic>Buffer overflows in libmcrypt</topic>
+    <affects>
+      <package>
+	<name>libmcrypt</name>
+	<range><lt>2.5.6</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>libmcrypt does incomplete input validation, leading to
+	  several buffer overflows.  Additionally,
+	  a memory leak is present.  Both of these problems may be
+	  exploited in a denial-of-service attack.</p>
+      </body>
+    </description>
+    <references>
+      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=104162752401212&amp;w=2</mlist>;
+      <cvename>CVE-2003-0031</cvename>
+      <cvename>CVE-2003-0032</cvename>
+    </references>
+    <dates>
+      <discovery>2003-10-25</discovery>
+      <entry>2003-10-25</entry>
+      <modified>2003-10-25</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad">
+    <cancelled/>
+  </vuln>
+
+  <vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a">
+    <cancelled/>
+  </vuln>
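Review bot: indentation slips at `<vuln vid="ebdf65c7-2ca6-11d8-9355-0020ed76ef5a">` (three spaces where every other entry in this file uses two); a small style point, but worth fixing while the file is being created. Also, the two `<cancelled/>` entries at the end carry no `<dates>`, so the "split on the date the entry was added" rule from the log cannot have placed them; a one-line note in the log on how dateless entries were assigned to a year would help whoever re-runs the split.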

Added: head/security/vuxml/vuln-2004.xml
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/vuxml/vuln-2004.xml	Thu Jan 21 13:18:49 2021	(r562203)
@@ -0,0 +1,10144 @@
+<!--
+Copyright 2003-2021 Jacques Vidrine and contributors
+
+Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
+HTML, PDF, PostScript, RTF and so forth) with or without modification,
+are permitted provided that the following conditions are met:
+1. Redistributions of source code (VuXML) must retain the above
+   copyright notice, this list of conditions and the following
+   disclaimer as the first lines of this file unmodified.
+2. Redistributions in compiled form (transformed to other DTDs,
+   published online in any format, converted to PDF, PostScript,
+   RTF and other formats) must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer
+   in the documentation and/or other materials provided with the
+   distribution.
+
+THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+  $FreeBSD$
+-->
+
+  <vuln vid="9168253c-5a6d-11d9-a9e7-0001020eed82">
+    <topic>a2ps -- insecure temporary file creation</topic>
+    <affects>
+      <package>
+	<name>a2ps-a4</name>
+	<name>a2ps-letter</name>
+	<name>a2ps-letterdj</name>
+	<range><lt>4.13b_3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A Secunia Security Advisory reports that Javier
+	  Fernández-Sanguino Peña has found temporary file
+	  creation vulnerabilities in the fixps and psmandup scripts
+	  which are part of a2ps.  These vulnerabilities could lead to
+	  an attacker overwriting arbitrary files with the credentials
+	  of the user running the vulnerable scripts.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1377</cvename>
+      <bid>12108</bid>
+      <bid>12109</bid>
+      <url>http://secunia.com/advisories/13641/</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-27</discovery>
+      <entry>2004-12-30</entry>
+      <modified>2005-01-19</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="64c8cc2a-59b1-11d9-8a99-000c6e8f12ef">
+    <topic>libxine -- buffer-overflow vulnerability in aiff support</topic>
+    <affects>
+      <package>
+	<name>libxine</name>
+	<range><le>1.0.r5_3</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Due to a buffer overflow in the open_aiff_file function in
+	  demux_aiff.c, a remote attacker is able to execute arbitrary
+	  code via a modified AIFF file.</p></body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1300</cvename>
+      <url>http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt</url>;
+      <url>http://xinehq.de/index.php/security/XSA-2004-7</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-15</discovery>
+      <entry>2004-12-29</entry>
+      <modified>2005-01-12</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="2e25d38b-54d1-11d9-b612-000c6e8f12ef">
+    <topic>jabberd -- denial-of-service vulnerability</topic>
+    <affects>
+      <package>
+	<name>jabber</name>
+	<range><lt>1.4.3.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>José Antonio Calvo discovered a bug in the Jabber 1.x server.
+	  According to Matthias Wimmer:</p>
+	<blockquote cite="http://devel.amessage.info/jabberd14/README.html">;
+	  <p>Without this patch, it is possible to remotly crash
+	    jabberd14, if there is access to one of the following types
+	    of network sockets:</p>
+	  <ul>
+	    <li>Socket accepting client connections</li>
+	    <li>Socket accepting connections from other servers</li>
+	    <li>Socket connecting to an other Jabber server</li>
+	    <li>Socket accepting connections from server components</li>
+	    <li>Socket connecting to server components</li>
+	  </ul>
+	  <p>This is any socket on which the jabberd server parses
+	    XML!</p>
+	  <p>The problem existed in the included expat XML parser code.
+	    This patch removes the included expat code from jabberd14
+	    and links jabberd against an installed version of expat.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1378</cvename>
+      <url>http://devel.amessage.info/jabberd14/README.html</url>;
+      <url>http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html</url>;
+    </references>
+    <dates>
+      <discovery>2004-09-19</discovery>
+      <entry>2004-12-26</entry>
+      <modified>2005-01-19</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3">
+    <topic>squid -- confusing results on empty acl declarations</topic>
+    <affects>
+      <package>
+	<name>squid</name>
+	<range><lt>2.5.7_5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Applying an empty ACL list results in unexpected behavior:
+	  anything will match an empty ACL list.  For example,</p>
+	<blockquote cite="http://www.squid-cache.org/bugs/show_bug.cgi?id=1166">;
+	  <p>The meaning of the configuration gets very confusing when
+	    we encounter empty ACLs such as</p>
+	  <p><code>acl something src "/path/to/empty_file.txt"<br/>
+	      http_access allow something somewhere</code></p>
+	  <p>gets parsed (with warnings) as</p>
+	  <p><code>http_access allow somewhere</code></p>
+	  <p>And similarily if you are using proxy_auth acls without
+	    having any auth schemes defined.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2005-0194</cvename>
+      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>;
+      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1166</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-21</discovery>
+      <entry>2004-12-23</entry>
+      <modified>2005-02-08</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="efa1344b-5477-11d9-a9e7-0001020eed82">
+    <topic>ethereal -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>ethereal</name>
+	<name>ethereal-lite</name>
+	<name>tethereal</name>
+	<name>tethereal-lite</name>
+	<range><lt>0.10.8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>An Ethreal Security Advisories reports:</p>
+	<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00016.html">;
+	  <p>Issues have been discovered in the following protocol
+	    dissectors:</p>
+	  <ul>
+	    <li>Matthew Bing discovered a bug in DICOM dissection that
+	      could make Ethereal crash.</li>
+	    <li>An invalid RTP timestamp could make Ethereal hang and
+	      create a large temporary file, possibly filling
+	      available disk space.</li>
+	    <li>The HTTP dissector could access previously-freed
+	      memory, causing a crash.</li>
+	    <li>Brian Caswell discovered that an improperly formatted
+	      SMB packet could make Ethereal hang, maximizing CPU
+	      utilization.</li>
+	  </ul>
+	  <p>Impact: It may be possible to make Ethereal crash or run
+	    arbitrary code by injecting a purposefully malformed
+	    packet onto the wire or by convincing someone to read a
+	    malformed packet trace file.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1139</cvename>
+      <cvename>CVE-2004-1140</cvename>
+      <cvename>CVE-2004-1141</cvename>
+      <cvename>CVE-2004-1142</cvename>
+      <url>http://www.ethereal.com/appnotes/enpa-sa-00016.html</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-14</discovery>
+      <entry>2004-12-23</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e3e266e9-5473-11d9-a9e7-0001020eed82">
+    <topic>xpdf -- buffer overflow vulnerability</topic>
+    <affects>
+      <package>
+	<name>xpdf</name>
+	<range><lt>3.00_5</lt></range>
+      </package>
+      <package>
+	<name>kdegraphics</name>
+	<range><lt>3.3.2_1</lt></range>
+      </package>
+      <package>
+	<name>gpdf</name>
+	<range><le>2.8.1</le></range>
+      </package>
+      <package>
+	<name>teTeX-base</name>
+	<range><le>2.0.2_6</le></range>
+      </package>
+      <package>
+	<name>cups-base</name>
+	<range><le>1.1.22.0</le></range>
+      </package>
+      <package>
+	<name>koffice</name>
+	<range><le>1.3.5,1</le></range>
+      </package>
+      <package>
+	<name>pdftohtml</name>
+	<range><lt>0.36_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>An iDEFENSE Security Advisory reports:</p>
+	<blockquote cite="http://www.idefense.com/application/poi/display?id=172&amp;type=vulnerabilities">;
+	  <p>Remote exploitation of a buffer overflow vulnerability in
+	    the xpdf PDF viewer, as included in multiple Linux
+	    distributions, could allow attackers to execute arbitrary
+	    code as the user viewing a PDF file. The offending code
+	    can be found in the Gfx::doImage() function in the source
+	    file xpdf/Gfx.cc.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1125</cvename>
+      <url>http://www.idefense.com/application/poi/display?id=172&amp;type=vulnerabilities</url>;
+    </references>
+    <dates>
+      <discovery>2004-11-23</discovery>
+      <entry>2004-12-23</entry>
+      <modified>2005-01-13</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="28e93883-539f-11d9-a9e7-0001020eed82">
+    <topic>acroread5 -- mailListIsPdf() buffer overflow vulnerability</topic>
+    <affects>
+      <package>
+	<name>acroread</name>
+	<name>acroread4</name>
+	<name>acroread5</name>
+	<range><lt>5.10</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>An iDEFENSE Security Advisory reports:</p>
+	<blockquote cite="http://www.idefense.com/application/poi/display?id=161&amp;type=vulnerabilities">;
+	  <p>Remote exploitation of a buffer overflow in version 5.09
+	    of Adobe Acrobat Reader for Unix could allow for execution
+	    of arbitrary code.</p>
+	  <p>The vulnerability specifically exists in a the function
+	    mailListIsPdf().  This function checks if the input file
+	    is an email message containing a PDF. It unsafely copies
+	    user supplied data using strcat into a fixed sized
+	    buffer.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1152</cvename>
+      <certvu>253024</certvu>
+      <url>http://www.adobe.com/support/techdocs/331153.html</url>;
+      <url>http://www.idefense.com/application/poi/display?id=161&amp;type=vulnerabilities</url>;
+    </references>
+    <dates>
+      <discovery>2004-10-14</discovery>
+      <entry>2004-12-21</entry>
+      <modified>2005-01-06</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="be543d74-539a-11d9-a9e7-0001020eed82">
+    <topic>ecartis -- unauthorised access to admin interface</topic>
+    <affects>
+      <package>
+	<name>ecartis</name>
+	<range><lt>1.0.0.s20031228_2,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A Debian security advisory reports:</p>
+	<blockquote cite="http://www.debian.org/security/2004/dsa-572">;
+	  <p>A problem has been discovered in ecartis, a mailing-list
+	    manager, which allows an attacker in the same domain as
+	    the list admin to gain administrator privileges and alter
+	    list settings.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-0913</cvename>
+      <url>http://www.debian.org/security/2004/dsa-572</url>;
+      <url>http://secunia.com/advisories/12918/</url>;
+    </references>
+    <dates>
+      <discovery>2004-10-12</discovery>
+      <entry>2004-12-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="85d76f02-5380-11d9-a9e7-0001020eed82">
+    <topic>mplayer -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>mplayer</name>
+	<name>mplayer-gtk</name>
+	<name>mplayer-gtk2</name>
+	<name>mplayer-esound</name>
+	<name>mplayer-gtk-esound</name>
+	<name>mplayer-gtk2-esound</name>
+	<range><lt>0.99.5_5</lt></range>
+      </package>
+      <package>
+	<name>libxine</name>
+	<range><le>1.0.r5_3</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>iDEFENSE and the MPlayer Team have found multiple
+	  vulnerabilities in MPlayer:</p>
+	<ul>
+	  <li>Potential heap overflow in Real RTSP streaming code</li>
+	  <li>Potential stack overflow in MMST streaming code</li>
+	  <li>Multiple buffer overflows in BMP demuxer</li>
+	  <li>Potential heap overflow in pnm streaming code</li>
+	  <li>Potential buffer overflow in mp3lib</li>
+	</ul>
+	<p>These vulnerabilities could allow a remote attacker to
+	  execute arbitrary code as the user running MPlayer. The
+	  problem in the pnm streaming code also affects xine.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1187</cvename>
+      <cvename>CVE-2004-1188</cvename>
+      <url>http://mplayerhq.hu/homepage/design7/news.html#mplayer10pre5try2</url>;
+      <mlist msgid="IDSERV04yz5b6KZmcK80000000c@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110322526210300</mlist>;
+      <url>http://www.idefense.com/application/poi/display?id=166</url>;
+      <mlist msgid="IDSERV04FVjCRGryWtI0000000f@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110322829807443</mlist>;
+      <url>http://www.idefense.com/application/poi/display?id=167</url>;
+      <mlist msgid="IDSERV046beUzmRf6Ci00000012@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110323022605345</mlist>;
+      <url>http://www.idefense.com/application/poi/display?id=168</url>;
+      <url>http://xinehq.de/index.php/security/XSA-2004-6</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-10</discovery>
+      <entry>2004-12-21</entry>
+      <modified>2005-01-12</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="0bb7677d-52f3-11d9-a9e7-0001020eed82">
+    <topic>krb5 -- heap buffer overflow vulnerability in libkadm5srv</topic>
+    <affects>
+      <package>
+	<name>krb5</name>
+	<name>krb5-beta</name>
+	<range><lt>1.3.6</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A  MIT krb5 Security Advisory reports:</p>
+	<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt">;
+	  <p>The MIT Kerberos 5 administration library (libkadm5srv)
+	    contains a heap buffer overflow in password history
+	    handling code which could be exploited to execute
+	    arbitrary code on a Key Distribution Center (KDC)
+	    host. The overflow occurs during a password change of a
+	    principal with a certain password history state. An
+	    administrator must have performed a certain password
+	    policy change in order to create the vulnerable state.</p>
+	  <p>An authenticated user, not necessarily one with
+	    administrative privileges, could execute arbitrary code on
+	    the KDC host, compromising an entire Kerberos realm.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1189</cvename>
+      <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-06</discovery>
+      <entry>2004-12-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3b3676be-52e1-11d9-a9e7-0001020eed82">
+    <topic>samba -- integer overflow vulnerability</topic>
+    <affects>
+      <package>
+	<name>samba</name>
+	<range><lt>3.0.10</lt></range>
+	<range><gt>*,1</gt><lt>3.0.10,1</lt></range>
+      </package>
+      <package>
+	<name>ja-samba</name>
+	<range><lt>2.2.12.j1.0beta1_2</lt></range>
+	<range><gt>3.*</gt><lt>3.0.10</lt></range>
+	<range><gt>3.*,1</gt><lt>3.0.10,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Greg MacManus, iDEFENSE Labs reports:</p>
+	<blockquote cite="http://www.samba.org/samba/security/CAN-2004-1154.html">;
+	  <p>Remote exploitation of an integer overflow vulnerability
+	    in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
+	    and Samba 3.0.x prior to and including 3.0.9 could allow
+	    an attacker to cause controllable heap corruption, leading
+	    to execution of arbitrary commands with root
+	    privileges.</p>
+	  <p>Successful remote exploitation allows an attacker to gain
+	    root privileges on a vulnerable system. In order to
+	    exploit this vulnerability an attacker must possess
+	    credentials that allow access to a share on the Samba
+	    server.  Unsuccessful exploitation attempts will cause the
+	    process serving the request to crash with signal 11, and
+	    may leave evidence of an attack in logs.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-1154</cvename>
+      <url>http://www.idefense.com/application/poi/display?id=165&amp;type=vulnerabilities</url>;
+      <url>http://www.samba.org/samba/security/CAN-2004-1154.html</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-02</discovery>
+      <entry>2004-12-21</entry>
+      <modified>2008-09-26</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="d47e9d19-5016-11d9-9b5f-0050569f0001">
+    <topic>php -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>mod_php4-twig</name>
+	<name>php4-cgi</name>
+	<name>php4-cli</name>
+	<name>php4-dtc</name>
+	<name>php4-horde</name>
+	<name>php4-nms</name>
+	<name>php4</name>
+	<range><lt>4.3.10</lt></range>
+      </package>
+      <package>
+	<name>mod_php</name>
+	<name>mod_php4</name>
+	<range><ge>4</ge><lt>4.3.10,1</lt></range>
+      </package>
+      <package>
+	<name>php5</name>
+	<name>php5-cgi</name>
+	<name>php5-cli</name>
+	<range><lt>5.0.3</lt></range>
+      </package>
+      <package>
+	<name>mod_php5</name>
+	<range><lt>5.0.3,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Secunia reports:</p>
+	<blockquote cite="http://secunia.com/advisories/13481/">;
+	  <p>Multiple vulnerabilities have been reported in PHP,
+	     which can be exploited to gain escalated privileges,
+	     bypass certain security restrictions, gain knowledge
+	     of sensitive information, or compromise a vulnerable
+	     system.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+       <url>http://secunia.com/advisories/13481/</url>;
+       <cvename>CVE-2004-1019</cvename>
+       <cvename>CVE-2004-1065</cvename>
+      <url>http://www.php.net/release_4_3_10.php</url>;
+      <url>http://www.hardened-php.net/advisories/012004.txt</url>;
+    </references>
+    <dates>
+      <discovery>2004-12-16</discovery>
+      <entry>2004-12-17</entry>
+      <modified>2004-12-18</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="01c231cd-4393-11d9-8bb9-00065be4b5b6">
+     <topic>mysql -- GRANT access restriction problem</topic>
+     <affects>
+       <package>
+	 <name>mysql-server</name>
+	 <range><le>3.23.58_3</le></range>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+       </package>
+     </affects>
+     <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">;
+	 <p>When a user is granted access to a database with a name containing
+	   an underscore and the underscore is not escaped then that user might
+	   also be able to access other, similarly named, databases on the
+	   affected system.</p>
+	 <p>The problem is that the underscore is seen as a wildcard by MySQL
+	   and therefore it is possible that an admin might accidently GRANT a
+	   user access to multiple databases.</p>
+       </body>
+     </description>
+     <references>
+	<cvename>CVE-2004-0957</cvename>
+	<bid>11435</bid>
+	<url>http://bugs.mysql.com/bug.php?id=3933</url>;
+	<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>;
+	<url>http://www.openpkg.org/security/OpenPKG-SA-2004.045-mysql.html</url>;
+     </references>
+     <dates>
+       <discovery>2004-03-29</discovery>
+       <entry>2004-12-16</entry>
+       <modified>2005-03-15</modified>
+     </dates>
+   </vuln>
+
+  <vuln vid="06a6b2cf-484b-11d9-813c-00065be4b5b6">
+     <topic>mysql -- ALTER MERGE denial of service vulnerability</topic>
+     <affects>
+       <package>
+	 <name>mysql-server</name>
+	 <range><le>3.23.58_3</le></range>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+	 <range><ge>4.1.*</ge><lt>4.1.1</lt></range>
+       </package>
+     </affects>
+     <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">;
+	 <p>Dean Ellis reported a denial of service vulnerability in the MySQL
+	   server:</p>
+	 <blockquote cite="http://bugs.mysql.com/bug.php?id=4017">;
+	   <p> Multiple threads ALTERing the same (or different) MERGE tables to
+	     change the UNION eventually crash the server or hang the individual
+	     threads.</p>
+	 </blockquote>
+	 <p>Note that a script demonstrating the problem is included in the
+	   MySQL bug report. Attackers that have control of a MySQL account can
+	   easily use a modified version of that script during an attack.</p>
+       </body>
+     </description>
+     <references>
+	<cvename>CVE-2004-0837</cvename>
+	<bid>11357</bid>
+	<url>http://bugs.mysql.com/bug.php?id=2408</url>;
+	<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>;
+     </references>
+     <dates>
+       <discovery>2004-01-15</discovery>
+       <entry>2004-12-16</entry>
+       <modified>2005-03-15</modified>
+     </dates>
+   </vuln>
+
+  <vuln vid="29edd807-438d-11d9-8bb9-00065be4b5b6">
+     <topic>mysql -- FTS request denial of service vulnerability</topic>
+     <affects>
+       <package>
+	 <name>mysql-server</name>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+       </package>
+     </affects>
+     <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">;
+	 <p>A special crafted MySQL FTS request can cause the server to crash.
+	 Malicious MySQL users can abuse this bug in a denial of service
+	 attack against systems running an affected MySQL daemon.</p>
+	 <p>Note that because this bug is related to the parsing of requests,
+	 it may happen that this bug is triggered accidently by a user when he
+	 or she makes a typo.</p>
+       </body>
+     </description>
+     <references>
+       <url>http://bugs.mysql.com/bug.php?id=3870</url>;
+       <cvename>CVE-2004-0956</cvename>
+       <bid>11432</bid>
+     </references>
+     <dates>
+       <discovery>2004-03-23</discovery>
+       <entry>2004-12-16</entry>
+     </dates>
+   </vuln>
+
+  <vuln vid="835256b8-46ed-11d9-8ce0-00065be4b5b6">
+     <topic>mysql -- mysql_real_connect buffer overflow vulnerability</topic>
+     <affects>
+       <package>
+	 <name>mysql-server</name>
+	 <range><le>3.23.58_3</le></range>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+       </package>
+       <package>
+	 <name>mysql-client</name>
+	 <range><le>3.23.58_3</le></range>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+       </package>
+     </affects>
+     <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">;
+	 <p>The mysql_real_connect function doesn't properly handle DNS replies
+	   by copying the IP address into a buffer without any length checking.
+	   A specially crafted DNS reply may therefore be used to cause a buffer
+	   overflow on affected systems.</p>
+	 <p>Note that whether this issue can be exploitable depends on the
+	   system library responsible for the gethostbyname function. The bug
+	   finder, Lukasz Wojtow, explaines this with the following words:</p>
+	 <blockquote cite="http://bugs.mysql.com/bug.php?id=4017">;
+	   <p>In glibc there is a limitation for an IP address to have only 4
+	     bytes (obviously), but generally speaking the length of the address
+	     comes with a response for dns query (i know it sounds funny but
+	     read rfc1035 if you don't believe). This bug can occur on libraries
+	     where gethostbyname function takes length from dns's response</p>
+	 </blockquote>
+       </body>
+     </description>
+     <references>
+	<cvename>CVE-2004-0836</cvename>
+	<bid>10981</bid>
+	<url>http://bugs.mysql.com/bug.php?id=4017</url>;
+	<url>http://lists.mysql.com/internals/14726</url>;
+	<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>;
+	<url>http://www.osvdb.org/displayvuln.php?osvdb_id=10658</url>;
+     </references>
+     <dates>
+       <discovery>2004-06-04</discovery>
+       <entry>2004-12-16</entry>
+       <modified>2005-03-15</modified>
+     </dates>
+   </vuln>
+
+  <vuln vid="035d17b2-484a-11d9-813c-00065be4b5b6">
+     <topic>mysql -- erroneous access restrictions applied to table renames</topic>
+     <affects>
+       <package>
+	 <name>mysql-server</name>
+	 <range><le>3.23.58_3</le></range>
+	 <range><ge>4.*</ge><lt>4.0.21</lt></range>
+       </package>
+     </affects>
+     <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>A Red Hat advisory reports:</p>
+	<blockquote cite="http://rhn.redhat.com/errata/RHSA-2004-611.html">;
+	  <p>Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked
+	    the CREATE/INSERT rights of the old table instead of the new
+	    one.</p>
+	</blockquote>
+	<p>Table access restrictions, on the affected MySQL servers, may
+	  accidently or intentially be bypassed due to this bug.</p>
+       </body>
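Review bot: in the "mysql -- ALTER MERGE denial of service vulnerability" entry (vid 06a6b2cf-484b-11d9-813c-00065be4b5b6) the blockquote cite attribute points at http://bugs.mysql.com/bug.php?id=4017 while the entry's own references list id=2408; id=4017 is the bug that the following "mysql -- mysql_real_connect buffer overflow vulnerability" entry both quotes and references, so the cite in the ALTER MERGE entry looks like a copy-paste slip and should match its references. Since this commit is a mechanical split of vuln.xml, the entry text should stay byte-identical to what is removed from vuln.xml in the second half of the split; the cite fix (and the misspellings "accidently", "intentially", "explaines" in the mysql entries) belong in a separate follow-up commit rather than here.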

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


