VARIoT IoT vulnerabilities database


VAR-200410-0102 No CVE Sun Java 2 Micro Edition (J2ME) Remote User Bypasses Security 'Sandbox' Limitation Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Java 2 Micro Edition (J2ME) is the Java platform for mobile devices. Adam Gowdiak reported a flaw in the bytecode verifier of the K Virtual Machine (KVM), the implementation of the Connected Limited Device Configuration (CLDC). A remote attacker can craft Java code that the verifier accepts but that escapes the KVM 'sandbox', giving it access to operating system functions and data. For example, a malicious Java application could read data such as the phone book and SMS messages from a handset, open Internet connections, write to the phone's flash memory, install software, and tamper with the operating system's internal process communication. Phones from Nokia, Siemens, Panasonic, Samsung, Motorola and other manufacturers are affected. For details, see: http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
VAR-200412-0753 CVE-2004-2621 Nortel Contivity VPN Client Gateway Certificate Check Failure Vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Nortel Contivity VPN Client 2.1.7, 3.00, 3.01, 4.91, and 5.01, when opening a VPN tunnel, does not check the gateway certificate until after a dialog box has been displayed to the user, which creates a race condition that allows remote attackers to perform a man-in-the-middle (MITM) attack. Nortel Contivity VPN Client is reported prone to a certificate check failure: the VPN connection is established before the user permits it, and before the gateway's certificate has been verified. Successful exploitation requires that an attacker is able to conduct a man-in-the-middle attack, thereby making the client connect to a malicious gateway; the attacker may then use the connection to launch further attacks against the vulnerable computer. No further technical details are currently available. The vulnerability has been reported in version 4.91. Other versions may also be vulnerable.
SOLUTION: Reportedly, this will be fixed in version 5.1 (expected to be released in the beginning of 2005). The vendor has not replied to any requests for comments on this issue.
PROVIDED AND/OR DISCOVERED BY: Roger Sylvain from Solucom
---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------
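The ordering problem in the Contivity client (tunnel up and dialog shown before the gateway certificate is checked) is a general one, so the following Python model is added here as an illustration; it is not Nortel's code and it simplifies the protocol: a gateway certificate is just a byte string, and the client trusts a gateway by a pinned SHA-256 fingerprint of it, both constructed for the example. connect_vulnerable follows the order the advisory describes; connect_fixed verifies the certificate before any traffic is sent or any dialog is shown, and fails closed. The event trace and the bytes the peer ends up holding make the difference visible when the peer is a man-in-the-middle.

```python
import hashlib

# Constructed stand-ins (not Nortel's protocol): a gateway "certificate" is a byte
# string, and the client trusts a gateway by a pinned SHA-256 fingerprint of it.
LEGIT_CERT = b"constructed cert: CN=vpn.example.test, issuer=Example CA"
ROGUE_CERT = b"constructed cert: CN=vpn.example.test, issuer=Attacker CA"
PINNED_FINGERPRINTS = {hashlib.sha256(LEGIT_CERT).hexdigest()}
FIRST_PACKET = b"client-hello: user=alice"   # whatever the client sends once the tunnel is up


class Gateway:
    """Whichever end of the tunnel the client really reached: the real one or a MITM."""

    def __init__(self, cert):
        self.cert = cert
        self.received = []      # everything the client pushed through the tunnel

    def handshake(self):
        return self.cert

    def send(self, data):
        self.received.append(data)


def fingerprint_ok(cert):
    return hashlib.sha256(cert).hexdigest() in PINNED_FINGERPRINTS


def connect_vulnerable(gw, user_confirms, trace):
    """Order of operations as the advisory describes it: tunnel up and dialog shown
    first, certificate checked last. By the time the check can fail, the peer has
    already seen client traffic."""
    cert = gw.handshake()
    trace.append("tunnel-established")
    gw.send(FIRST_PACKET)
    if not user_confirms():
        trace.append("user-declined")
        return False
    trace.append("dialog-confirmed")
    if not fingerprint_ok(cert):
        trace.append("certificate-rejected")
        return False
    trace.append("certificate-ok")
    return True


def connect_fixed(gw, user_confirms, trace):
    """Verify the peer before anything else happens and fail closed: no dialog and
    no traffic until the certificate has been accepted."""
    cert = gw.handshake()
    if not fingerprint_ok(cert):
        trace.append("certificate-rejected")
        return False
    trace.append("certificate-ok")
    if not user_confirms():
        trace.append("user-declined")
        return False
    trace.append("dialog-confirmed")
    trace.append("tunnel-established")
    gw.send(FIRST_PACKET)
    return True


def attempt(connect, gw, user_confirms=lambda: True):
    """Run one connection attempt: (succeeded, event trace, bytes the peer received)."""
    trace = []
    ok = connect(gw, user_confirms, trace)
    return ok, trace, list(gw.received)


if __name__ == "__main__":
    for name, connect in (("vulnerable", connect_vulnerable), ("fixed", connect_fixed)):
        ok, trace, got = attempt(connect, Gateway(ROGUE_CERT))
        print("%-10s against MITM: ok=%s trace=%s peer received=%s" % (name, ok, trace, got))
```

Against a rogue gateway both clients end with the connection refused, but only the vulnerable one has already handed the peer a packet and shown the user a dialog for a tunnel that should never have existed. The user's confirmation is not an authentication step and cannot substitute for the certificate check; the check has to come first, and nothing should be sent on a failed one.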
VAR-200412-0016 CVE-2004-0834 Speedtouch USB Driver Local Format String Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200410-0228
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. The problem occurs because user-supplied data is used, without sanitization, where a format string is expected. This vulnerability may be exploited to execute arbitrary code with superuser privileges.
VAR-200804-0010 CVE-2008-1374 CUPS pdftops filter integer overflow vulnerability in Red Hat Enterprise Linux CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888. The pdftops utility is prone to multiple integer-overflow vulnerabilities because it fails to ensure that user-supplied values cannot overflow the integers used in its size calculations. The overflows cause the application to allocate memory regions that are smaller than expected; subsequent operations then write past the end of the allocated buffer, allowing attackers to overwrite critical memory control structures, control the flow of execution and potentially execute attacker-supplied code in the context of the affected application. Applications using embedded xpdf code may be vulnerable to these issues as well. Xpdf is an open source program for viewing PDF files. The pdftops/XRef.cc code in Xpdf mishandles the pageSize value: a remote attacker can construct a malicious PDF file, lure a user into opening it, and trigger an integer overflow. CUPS calls the Xpdf code and is therefore also affected. The vulnerability is caused by an incomplete fix of CVE-2004-0888 on 64-bit architectures. No further details are currently available.
TITLE: Red Hat update for cups
SECUNIA ADVISORY ID: SA29630
VERIFY ADVISORY: http://secunia.com/advisories/29630/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From local network
OPERATING SYSTEM:
RedHat Enterprise Linux AS 3 http://secunia.com/product/2534/
RedHat Enterprise Linux AS 4 http://secunia.com/product/4669/
RedHat Enterprise Linux WS 3 http://secunia.com/product/2536/
RedHat Enterprise Linux WS 4 http://secunia.com/product/4670/
RedHat Enterprise Linux ES 3 http://secunia.com/product/2535/
RedHat Enterprise Linux ES 4 http://secunia.com/product/4668/
DESCRIPTION: Red Hat has issued an update for cups. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. For more information: SA29431
SOLUTION: Updated packages are available via Red Hat Network. http://rhn.redhat.com
ORIGINAL ADVISORY: http://rhn.redhat.com/errata/RHSA-2008-0206.html
OTHER REFERENCES: SA29431: http://secunia.com/advisories/29431/
VAR-200501-0128 CVE-2004-1122 Apple Safari Dialog spoofing vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314. This issue may allow a remote attacker to carry out phishing-style attacks by spoofing the interface of a trusted web site. Apple Safari 1.2.3 (v125.9) is reported vulnerable to this issue; other versions are likely affected as well.
VAR-200410-0149 No CVE 3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
3Com OfficeConnect ADSL Wireless 11g Firewall Router is affected by an authentication bypass vulnerability because the device fails to properly validate that an administrator is actually authenticated. An attacker could leverage this issue to gain administrative access to the affected device, facilitating disclosure of administrator passwords and WEP encryption keys, configuration manipulation and denial of service. This issue was originally reported in the vulnerability report '3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities' (BID 11422); it has been assigned its own BID as more information has been made available.
VAR-200502-0003 CVE-2004-0937 Anti-virus software may not properly scan malformed zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine whether a zip archive is valid and, as a result, fail to detect malicious content within it. Multiple vendors' antivirus applications are reported vulnerable to this zip file detection evasion: a maliciously crafted zip file avoids being scanned and detected, bypassing the protection of a vulnerable antivirus program and giving users a false sense of security; if the user opens and executes the file, the result can be a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. The latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. The problem lies in the parsing of the .zip header fields. Information about each compressed file is stored in two places: a local header, which precedes the compressed data, and a global (central directory) header at the end of the .zip file. An attacker can set the uncompressed size of the archived file to zero in both the local and global headers without affecting the archive's functionality, but many vendors' scanners cannot handle such archives; if the compressed payload contains malicious code, it goes undetected.
VAR-200501-0297 CVE-2004-0932 McAfee Anti-Virus zip archive detection bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. A remote attacker can craft a malicious zip archive and send it to a vulnerable user. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. McAfee Anti-Virus is an antivirus product.
VAR-200501-0309 CVE-2004-0933 Computer Associates antivirus products zip archive detection bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. A remote attacker can craft a malicious zip archive and send it to a vulnerable user. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue.
VAR-200410-0120 No CVE 3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
3Com OfficeConnect ADSL Wireless 11g Firewall Router is reported prone to multiple unspecified vulnerabilities. The following issues were reported: an unspecified issue affects the DHCP service; another issue is related to displaying two duplicate login IPs; and an unspecified denial of service vulnerability may allow remote attackers to restart the device. This last issue occurs due to insufficient boundary checks performed by the application. 3Com OfficeConnect ADSL Wireless 11g Firewall Router firmware versions prior to 1.27 are vulnerable to these issues. UPDATE: the issue described as an error in displaying two duplicate IPs has been assigned its own BID as more information has become available. Please see '3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability' (BID 11438) for more information.
VAR-200501-0311 CVE-2004-0935 Anti-virus software may not properly scan malformed zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. Eset Anti-Virus is an antivirus product.
VAR-200501-0310 CVE-2004-0934 Anti-virus software may not properly scan malformed zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. Kaspersky is well-known antivirus software. Kaspersky 3.x and 4.x mishandle .zip files, allowing crafted archives to bypass antivirus checks.

II. DESCRIPTION
Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows attackers to bypass security protections by evading virus detection. The .zip file format stores information about compressed files in two locations - a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. This has been confirmed with both WinZip and Microsoft Compressed Folders. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero.

III. ANALYSIS
Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected. Most anti-virus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus.

IV.
The Vendor Responses section of this advisory contains details on the status of specific vendor fixes for this issue.

V. WORKAROUND
Filter all compressed file archives (.zip) at border gateways, regardless of content.

VI. VENDOR RESPONSES

McAfee
"The McAfee scan engine has always been a market leader in detection of viruses, worms and Trojans within compressed and archived file formats. As such the mechanism used for the detection of such payloads has been designed to ensure all archive files are thoroughly scanned at each nested level in the file to ensure that all appropriate parts of the file are scanned. McAfee is aware of a proof of concept exploitation in Zip archive payloads where information in the local header part of the archive is modified. The local header exists just before the compressed data of each file. It is possible to modify the uncompressed size of archived files in the local header without affecting functionality. Consequently there is the potential for a malicious payload to be hidden and avoid anti-virus detection by modifying the uncompressed size within the local headers to zero. The techniques used by McAfee to analyze Zip archives have allowed a comprehensive solution for the Zip file format vulnerability to be provided to protect customers. The latest update for the current 4320 McAfee Anti-Virus Engine DATS drivers (Version 4398 released on Oct 13th 2004) further enhances the protection afforded to McAfee customers against such potential exploits. A DATS Driver update issued in Version 4397 (October 6th 2004) provided early protection for the same potential exploit targeted specifically for Gateway and Command line scanning. If a detection of this type of exploit is found it will trigger the message "Found the Exploit-Zip Trojan!" to be displayed. Updates for the DAT files mentioned above can be located at the following links: Home (Retail) Users: http://download.mcafee.com/uk/updates/updates.asp Business (Enterprise) Users: http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1 It should be noted that whilst McAfee take the potential for this exploit to be used maliciously seriously, to date no evidence of such an exploit has been discovered. McAfee has provided additional protection through the DATS driver update however with usage of the comprehensive suite of anti-virus protection strategies provided by McAfee products, McAfee are confident that this exploit presented no additional threat to its customers. It should be noted that with McAfee on-access scanning active, such modification for malicious purposes to hide payloads only delays eventual detection - McAfee on-access detection will detect any payload with malicious intent as malware. McAfee continues to focus on ensuring that customers receive maximum protection and provide a rapid response to all potential vulnerabilities thus ensuring customer satisfaction."

Computer Associates
"With the assistance of iDEFENSE, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .ZIP file to bypass virus detection. A number of CA products embed this technology including solutions from eTrust, Brightstor and others. Customers are encouraged to visit the CA support web site below for more information about this vulnerability, a list of products and platforms that are affected, and remediation procedures. http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp. At Computer Associates, every reported exposure is handled with the utmost urgency. We strive to ensure that no customer is left in a vulnerable situation."

Kaspersky (09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in next (not current) cumulative update. For scanners based on new 5.0 engine we recommend you waiting for the release of our next maintenance pack. We are going to release it in October."

Sophos
"A vulnerability has been discovered in Sophos's handling of Zip archive files, whereby a Zip file can be deliberately altered to prevent accurate scanning by Sophos anti-virus products of its contents. Although theoretically a risk, Sophos has not seen any examples of malware attempting to employ this vulnerability. Furthermore, the vulnerability does not prevent Sophos's desktop on-access scanner from correctly detecting viruses (and preventing actual infection) which manage to bypass the email gateway software, so the risks of infection are very small. Sophos has enhanced its scan engine to deal with malformed Zip files. Version 3.87.0 of Sophos Anti-Virus on all operating system platforms except Windows 95/98/Me includes this fix and customers will be automatically updated to this version via EM Library from Wednesday 20 October 2004. Additionally, a version of the software will be available for download from the Sophos website from Friday 22 October 2004. Sophos Anti-Virus for Windows 95/98/Me customers will be updated with the fix from version 3.88.0 (available from 24 November 2004). Sophos thanks iDEFENSE for their assistance in identifying this vulnerability."

Eset
"The vulnerability was caused by the fact that some archive compression/decompression software (including Winzip) incorrectly handles compressed files with deliberately damaged header fields, thus, in fact, allowing creation of the damaged archive files, that could be automatically repaired on the victim's computer without notifying the user. Eset has made appropriate modifications to archive-scanning code to handle such kind of archives immediately after receiving notification from iDEFENSE. These changes are contained in archive-support module version 1.020, released on 16th September 2004 at 21:00 CET. The update was available for all clients with Automatic Virus-Signatures Update set."

RAV
No vendor response

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:
CAN-2004-0932 - McAfee
CAN-2004-0933 - Computer Associates
CAN-2004-0934 - Kaspersky
CAN-2004-0937 - Sophos
CAN-2004-0935 - Eset
CAN-2004-0936 - RAV
These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
09/16/2004 Initial vendor notification
09/16/2004 iDEFENSE clients notified
10/18/2004 Coordinated public disclosure

IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES
Copyright © 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
VAR-200501-0012 CVE-2004-0936 Anti-virus software may not properly scan malformed zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. RAV is antivirus software. Because RAV mishandles zip archive headers, a crafted zip file can bypass its detection.
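The header trick described in the iDEFENSE advisory above (CVE-2004-0932 through CVE-2004-0937, the Sophos, McAfee, CA, Eset, Kaspersky and RAV entries) is easy to reproduce and to detect. The following Python script is an added example written for this page; it is not code from iDEFENSE or from any of the vendors named. It builds a small deflate-compressed archive around a constructed, inert marker string (not real malware), zeroes the 'uncompressed size' field in both the local file header and the central directory entry exactly as the advisory describes, and then runs two scanners over it: a naive one that, like the affected engines, treats a member declared as 0 bytes as empty, and a robust one that inflates every member regardless of what the headers claim, caps the inflated size, and treats a header/content mismatch as a finding in its own right. The member name, marker string and size cap are assumptions made for the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

# Constructed, inert stand-in for "malicious content" and the pattern a scanner looks for.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"
PAYLOAD = b"MZ-stub " * 16 + MALWARE_MARKER + b" padding" * 32
MAX_INFLATE = 16 * 1024 * 1024   # per-member inflation cap (assumed value; zip-bomb guard)


def build_zip(name, data):
    """Write a normal, well-formed deflate-compressed archive into memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def central_entries(blob):
    """Walk the central directory, found via the end-of-central-directory record.
    Yields (cd_entry_offset, local_header_offset, name, declared_uncompressed_size)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_off = struct.unpack_from("<HII", blob, eocd + 10)
    pos = cd_off
    for _ in range(total):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        usize, fnlen, exlen, clen = struct.unpack_from("<IHHH", blob, pos + 24)
        (lh_off,) = struct.unpack_from("<I", blob, pos + 42)
        name = blob[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        yield pos, lh_off, name, usize
        pos += 46 + fnlen + exlen + clen


def zero_uncompressed_sizes(blob):
    """The evasion from the advisory: write 0 into the 'uncompressed size' field of
    both the local file header (offset 22) and the central directory entry (offset 24).
    CRC, compressed size and the deflate stream itself are left untouched."""
    out = bytearray(blob)
    for cd_pos, lh_off, _name, _usize in list(central_entries(blob)):
        if out[lh_off:lh_off + 4] != LOCAL_SIG:
            raise ValueError("central directory does not point at a local header")
        struct.pack_into("<I", out, lh_off + 22, 0)
        struct.pack_into("<I", out, cd_pos + 24, 0)
    return bytes(out)


def inflate_member(blob, lh_off):
    """Inflate one member trusting the headers only for *where* its data starts.
    A deflate stream is self-delimiting, so the decompressor reports its end;
    a stored member is not, so that case still has to use the compressed-size field."""
    (method,) = struct.unpack_from("<H", blob, lh_off + 8)
    fnlen, exlen = struct.unpack_from("<HH", blob, lh_off + 26)
    start = lh_off + 30 + fnlen + exlen
    if method == 0:
        (csize,) = struct.unpack_from("<I", blob, lh_off + 18)
        return blob[start:start + csize]
    if method != 8:
        raise ValueError("unsupported compression method %d" % method)
    d = zlib.decompressobj(-15)                 # raw deflate, no zlib wrapper
    data = d.decompress(blob[start:], MAX_INFLATE)
    if not d.eof:
        raise ValueError("member is truncated or inflates past MAX_INFLATE")
    return data


def naive_scan(blob, marker):
    """Models the flawed engines: a member whose header says 0 bytes is 'empty'."""
    hits = []
    for _cd, lh_off, name, usize in central_entries(blob):
        if usize == 0:
            continue                            # the evasion lives in this branch
        if marker in inflate_member(blob, lh_off):
            hits.append(name)
    return hits


def robust_scan(blob, marker):
    """Inflate every member whatever the headers claim, and treat a
    header/content size mismatch as a finding in its own right."""
    findings = []
    for _cd, lh_off, name, usize in central_entries(blob):
        (local_usize,) = struct.unpack_from("<I", blob, lh_off + 22)
        data = inflate_member(blob, lh_off)
        if len(data) != usize or len(data) != local_usize:
            findings.append(("size-mismatch", name))
        if marker in data:
            findings.append(("marker", name))
    return findings


if __name__ == "__main__":
    clean = build_zip("invoice.exe", PAYLOAD)
    evil = zero_uncompressed_sizes(clean)
    print("naive scan, clean archive   :", naive_scan(clean, MALWARE_MARKER))
    print("naive scan, tampered archive:", naive_scan(evil, MALWARE_MARKER))
    print("robust scan, tampered       :", robust_scan(evil, MALWARE_MARKER))
```

Run directly, the naive scanner finds the marker in the clean archive and misses it in the tampered one, while the robust scanner reports both the marker and the size mismatch. The robust scanner uses the headers only to locate member data: a deflate stream ends where the decompressor says it ends, so neither size field needs to be believed (the stored method has no such property and still depends on the compressed-size field). Extractors differ in how they treat the tampered member: Python's own zipfile module truncates it to the declared zero bytes and then fails the CRC check, whereas the advisory reports that WinZip and Microsoft Compressed Folders extract the payload anyway, which is exactly what makes the evasion useful to an attacker.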
VAR-200412-0007 CVE-2004-0803 LibTIFF contains multiple heap-based buffer overflows CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. The RLE decoders in libtiff's tif_next.c, tif_thunder.c and tif_luv.c contain buffer overflows caused by improper bounds checking while decompressing image data. When an application or component that uses LibTIFF interprets a crafted TIFF image file supplied by a third party, the application may crash (denial of service) and arbitrary code may be executed with the privileges of the user running it. LibTIFF is affected by multiple buffer-overflow vulnerabilities because the software fails to properly perform boundary checks before copying user-supplied data into fixed-size process buffers. An attacker may leverage these issues to execute arbitrary code on a vulnerable computer with the privileges of the user running a vulnerable application, facilitating unauthorized access, or to crash the affected application. libtiff is the library responsible for encoding and decoding the TIFF image format. kfax is a small tool for displaying fax files that uses libtiff: kfax calls the libtiff library to process .g3 files. Because libtiff mishandles fax data, an attacker can build a malformed .g3 file and entice a user to open it, leading to a buffer overflow; carefully constructed file data may execute arbitrary instructions with the privileges of the user's process.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 567-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 15th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tiff
Vulnerability  : heap overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0803 CAN-2004-0804 CAN-2004-0886

Several problems have been discovered in libtiff, the Tag Image File Format library for processing TIFF graphics files.

CAN-2004-0804
    Matthias Clasen discovered a division by zero through an integer overflow.

CAN-2004-0886
    Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result in either a plain crash or memory corruption.

For the stable distribution (woody) these problems have been fixed in version 3.5.5-6woody1.

For the unstable distribution (sid) these problems have been fixed in version 3.6.1-2.

We recommend that you upgrade your libtiff package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody

Source archives and per-architecture packages (alpha, arm, i386, ia64, hppa, m68k, mips, mipsel, powerpc, s390, sparc) are available from http://security.debian.org/pool/updates/main/t/tiff/ [file list with Size/MD5 checksums omitted]

These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
VAR-200501-0287 CVE-2004-0886 LibTIFF contains multiple integer overflows CVSS V2: 5.0
CVSS V3: -
Severity: 10.33
Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. Apple Mac OS X with Bluetooth support may unintentionally allow files to be exchanged with other systems by default. Apple Mac OS X Directory Service utilities use external programs insecurely, potentially allowing an attacker to execute arbitrary code. Multiple integer overflows in the LibTIFF library may allow an attacker to execute arbitrary code. LibTIFF is affected by multiple buffer-overflow vulnerabilities because the software fails to properly perform boundary checks before copying user-supplied strings into finite process buffers. An attacker may leverage these issues to execute arbitrary code on a vulnerable computer with the privileges of the user running a vulnerable application, facilitating unauthorized access. The attacker may also leverage these issues to crash the affected application. libtiff is an application library responsible for encoding/decoding the TIFF image format. Impacts of other vulnerabilities addressed by the update include disclosure of information and denial of service.

I. Description

Apple Security Update 2005-005 resolves a number of vulnerabilities affecting Mac OS X and OS X Server. (CAN-2004-0594) Please note that Apple Security Update 2005-005 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes.

II. Impact

The impacts of these vulnerabilities vary; for information about specific impacts please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, disclosure of sensitive information, and denial of service.

III. Solution

Install an Update

Install the update as described in Apple Security Update 2005-005.

Appendix A. References

* US-CERT Vulnerability Note VU#582934 - <http://www.kb.cert.org/vuls/id/582934>
* US-CERT Vulnerability Note VU#258390 - <http://www.kb.cert.org/vuls/id/258390>
* US-CERT Vulnerability Note VU#331694 - <http://www.kb.cert.org/vuls/id/331694>
* US-CERT Vulnerability Note VU#706838 - <http://www.kb.cert.org/vuls/id/706838>
* US-CERT Vulnerability Note VU#539110 - <http://www.kb.cert.org/vuls/id/539110>
* US-CERT Vulnerability Note VU#354486 - <http://www.kb.cert.org/vuls/id/354486>
* US-CERT Vulnerability Note VU#882750 - <http://www.kb.cert.org/vuls/id/882750>
* US-CERT Vulnerability Note VU#537878 - <http://www.kb.cert.org/vuls/id/537878>
* US-CERT Vulnerability Note VU#125598 - <http://www.kb.cert.org/vuls/id/125598>
* US-CERT Vulnerability Note VU#356070 - <http://www.kb.cert.org/vuls/id/356070>
* Apple Security Update 2005-005 - <http://docs.info.apple.com/article.html?artnum=301528>

These vulnerabilities were discovered by several people and reported in Apple Security Update 2005-005. Please see the Vulnerability Notes for individual reporter acknowledgements.

Feedback can be directed to the authors: Jeffrey Gennari and Jason Rafail.

Copyright 2005 Carnegie Mellon University.
Terms of use

Revision History
May 16, 2005: Initial release
Last updated May 16, 2005

Debian Security Advisory DSA 567-1
security@debian.org
http://www.debian.org/security/
Martin Schulze
October 15th, 2004
http://www.debian.org/security/faq

Package        : tiff
Vulnerability  : heap overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0803 CAN-2004-0804 CAN-2004-0886

Several problems have been discovered in libtiff, the Tag Image File Format library for processing TIFF graphics files. The Common Vulnerabilities and Exposures Project has identified the following problems:

CAN-2004-0803: Chris Evans discovered several problems in the RLE (run length encoding) decoders that could lead to arbitrary code execution.

CAN-2004-0804: Matthias Clasen discovered a division by zero through an integer overflow.

CAN-2004-0886: Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result in either a plain crash or memory corruption.

For the stable distribution (woody) these problems have been fixed in version 3.5.5-6woody1.

For the unstable distribution (sid) these problems have been fixed in version 3.6.1-2.

We recommend that you upgrade your libtiff package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives and per-architecture packages (alpha, arm, i386, ia64, hppa, m68k, mips, mipsel, powerpc, s390, sparc) are available from http://security.debian.org/pool/updates/main/t/tiff/ [file list with Size/MD5 checksums omitted]

These files will probably be moved into the stable distribution on its next update.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00600177
Version: 1

HPSBUX02119 SSRT4848 rev.1 - HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

References: CERT VU#537878, VU#882750

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23 running Motif applications.

BACKGROUND
Potential vulnerabilities have been reported with the handling of XPixMap format data:
http://www.kb.cert.org/vuls/id/882750
http://www.kb.cert.org/vuls/id/537878

AFFECTED VERSIONS

HP-UX B.11.00
=============
X11.MOTIF-SHLIB
action: install PHSS_33129 or subsequent

HP-UX B.11.11
=============
X11.MOTIF-SHLIB
action: install PHSS_33130 or subsequent

HP-UX B.11.23
=============
X11.MOTIF-SHLIB
action: install PHSS_33132 or subsequent

RESOLUTION
HP has made the following patches available to resolve the issue. The patches can be downloaded from http://itrc.hp.com

HP-UX B.11.00  PHSS_33129 or subsequent
HP-UX B.11.11  PHSS_33130 or subsequent
HP-UX B.11.23  PHSS_33132 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION
HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information: http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY
Version:1 (rev.1) 17 May 2006 Initial release

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com. It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

(c)Copyright 2006 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-200411-0028 CVE-2003-0718 Microsoft IIS of WebDAV Denial of service in Japan (DoS) Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. Microsoft XML Parser is prone to a remote denial of service vulnerability when handling malformed requests. The vulnerability can be exploited through the WebDAV XML message handler of Microsoft IIS server. It is reported that this issue requires a remote attacker to create specially crafted WebDAV requests and send them to a vulnerable server over TCP port 80. There is a possibility of increased CPU resource and memory consumption as the IIS server attempts to process these requests. This can eventually lead to a denial of service condition in the server. A reboot is required to restore normal functionality. This vulnerability can also be exposed through other applications that rely on Microsoft XML Parser to process XML messages
VAR-200412-1126 CVE-2004-0931 MySQL MaxDB WebDBM Server Name Service Rejection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial of service (crash) via an HTTP request to webdbm with high ASCII values in the Server field, which triggers an assert error in the IsAscii7 function. A remotely exploitable denial of service vulnerability exists in MaxDB. This will reportedly trigger an exception due to an assert directive failing, resulting in a denial of service condition in the web agent. This issue was reportedly tested on Windows and Linux versions. Other versions could also be affected.

MySQL MaxDB Web Agent WebDBM Server Name Denial of Service Vulnerability

iDEFENSE Security Advisory 10.06.04a:
www.idefense.com/application/poi/display?id=150&type=vulnerabilities
October 6, 2004

I. BACKGROUND

MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a heavy-duty, SAP-certified open source database that offers high availability, scalability and a comprehensive feature set. MaxDB complements the MySQL database server, targeted for large mySAP ERP environments and other applications that require maximum enterprise-level database functionality.

II.

The problem specifically exists due to improper input validation of a user-supplied variable in the IsAscii7() function.

wahttp: ToolsCommon/Tools_DynamicUTF8String.hpp:249: Tools_DynamicUTF8String::Tools_DynamicUTF8String(const SAPDB_Char *) Assertion `IsAscii7(src)' failed.
Program received signal SIGABRT, Aborted.
[Switching to Thread 10251 (LWP 12706)]
0x40429781 in kill () from /lib/libc.so.6

III.

IV. DETECTION

iDEFENSE has confirmed that SAP DB version 7.5 for both Linux and Windows is vulnerable.

V. WORKAROUND

Use of an ingress perimeter firewall filter can help detect and mitigate the risk of attack.

VI. VENDOR RESPONSE

"A solution for the issue is available with MaxDB 7.5.00.18."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0931 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/16/2004 Initial vendor notification
08/16/2004 iDEFENSE clients notified
08/19/2004 Initial vendor response
10/06/2004 Coordinated public disclosure

IX. CREDIT

Patrik Karlsson (cqure.net) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
VAR-200411-0013 CVE-2004-0774 RealNetworks Helix Universal Server section POST Request Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Windows allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. The problem surrounds the mishandling of some POST header values. An attacker can exploit this issue to cause the affected server to consume excessive computer resources and hang, denying service to legitimate users.

I. BACKGROUND

RealNetworks Helix Universal Server is a universal digital media delivery platform with industry leading performance, integrated content distribution and Web services support. More information is available at http://www.realnetworks.com.

II.

The problem specifically exists in the handling of specially crafted POST requests. Generating a request with the Content-Length header set to -1 triggers an integer handling error resulting in mass utilization of memory and CPU time.

III. ANALYSIS

Any unauthenticated remote attacker can exploit this vulnerability, which causes the affected system to utilize mass amounts of memory and CPU time. The system will no longer be able to process future requests. The affected server must be restarted in order to resume normal functionality.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in RealNetworks Helix Server version 9.0.2 for Linux and version 9.0.3 for Windows. It is suspected that earlier versions on both platforms are vulnerable as well.

V. WORKAROUND

Usage of an inline application level filter can help mitigate risk of exploitation by scanning for and filtering invalid Content-Length parameters.

VI. VENDOR RESPONSE

"Customers are encouraged to upgrade their Server software to the latest version, which contains a security patch."

RealNetworks has released binaries that guard against the described vulnerability. The related advisory from RealNetworks is available at:
http://service.real.com/help/faq/security/security100704.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0774 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/01/2004 Initial vendor notification
07/01/2004 iDEFENSE clients notified
08/05/2004 Initial vendor response
10/07/2004 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.
VAR-200410-0047 CVE-2005-0373 Cyrus SASL SASL_PATH Environment variable privilege escalation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as digestmda5.c), as used in the DIGEST-MD5 SASL plugin for Cyrus-SASL but not in any official releases, allows remote attackers to execute arbitrary code. Cyrus SASL is affected by multiple critical vulnerabilities that may be remotely exploitable. The first issue is due to a boundary condition error; the second issue is due to a failure of the application to properly handle environment variables. Information currently available regarding these issues is insufficient to provide a more detailed analysis. This BID will be updated and split into separate BIDs when more information becomes available. An attacker can leverage the boundary condition issue to execute arbitrary code on the affected computer. The impact of the environment variable issue is currently unknown. Cyrus SASL provides several open source implementations for security authentication. Cyrus SASL incorrectly handles the SASL_PATH environment variable, which could be exploited by a local attacker for privilege escalation attacks. Attackers can use the SASL_PATH environment variable to make privileged applications load arbitrary library files from any directory specified by the user, which can cause malicious programs to run with high privileges.
VAR-200411-0163 CVE-2004-0920 Symantec Norton Antivirus software retains device name handling vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Norton AntiVirus 2004, and earlier versions, allows a virus or other malicious code to avoid detection or cause a denial of service (application crash) using a filename containing an MS-DOS device name. Norton AntiVirus is affected by a scan evasion vulnerability when handling files with reserved MS-DOS device names. This issue is due to a design error that allows such files to avoid being scanned. It should be noted that this vulnerability only arises once the file is already present on a vulnerable computer; all Norton AntiVirus products still detect malicious files arriving through incoming email.

I. BACKGROUND
Symantec's Norton AntiVirus protects email, instant messages, and other files by automatically removing viruses, worms, and Trojan horses. More information about the product is available from http://www.symantec.com

II. DESCRIPTION
The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS and represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. Because Windows resolves a bare name such as 'aux' to the device rather than to a file, such files cannot be created by name alone, but they can be created with standard Windows utilities by specifying the full path with the \\.\ prefix (which the advisory refers to as a Universal Naming Convention (UNC) path). The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:

copy source \\.\C:\aux

III. ANALYSIS
Exploitation allows attackers to evade detection of malicious code. Attackers can unpack or decode an otherwise detected malicious payload in a stealth manner.

IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in the latest version of Norton AntiVirus. It is reported that earlier versions crash upon parsing files or directories using reserved MS-DOS device names.

V. WORKAROUND
Ensure that no local files or directories using reserved MS-DOS device names exist. On most modern Windows systems there should be no reserved MS-DOS device names present. While the Windows search utility can be used to locate offending files and directories, either a separate tool or the same \\.\ path form must be used to remove them. The following command will successfully remove a file stored on the C:\ drive named 'aux':

del \\.\C:\aux

VI. VENDOR RESPONSE
"Symantec engineers have developed a fix for this issue for Symantec Norton AntiVirus 2004 that is currently available through LiveUpdate. The fix is being incorporated into all other supported Symantec Norton AntiVirus versions and will be available through LiveUpdate when fully tested and released." More information is available in Symantec Security Advisory SYM04-015.

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0920 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
05/12/2004 Vulnerability acquired by iDEFENSE
06/25/2004 iDEFENSE clients notified
06/29/2004 Initial vendor notification
06/30/2004 Initial vendor response
10/05/2004 Coordinated public disclosure

IX. CREDIT
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.
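The workaround above says the Windows search utility can find such files but that a separate tool or the \\.\ path form is needed to remove them. The following Python script is an added example of that separate tool; it is not part of the iDEFENSE advisory or of Symantec's fix, and the function names are this example's own. It walks a directory tree, reports every file or directory whose own name is a reserved device name, and prints the \\.\-prefixed del/rd command for each. It goes slightly beyond the advisory's examples in also flagging names with an extension or trailing dots and spaces (for example 'aux.txt' or 'con. '), which Windows resolves to the device just as it does the bare name. The sample tree it builds when run without arguments is constructed for the demonstration; Linux hosts and SMB shares accept these names freely, which is one way they end up on a Windows disk.

```python
"""Locate (and show how to remove) files or directories whose names are reserved
MS-DOS device names, which Norton AntiVirus 2004 and earlier skip when scanning.

Added example, not code from the iDEFENSE advisory or from Symantec; the
function names are this example's own choice."""
import os
import sys
import tempfile

# Names Windows reserves for DOS devices. The check is case-insensitive, looks
# only at the part before the first '.', and ignores trailing spaces and dots,
# so "aux", "AUX.txt" and "con. " all resolve to a device rather than a file.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """True if this single path component would be treated as a DOS device."""
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_entries(root: str) -> list:
    """Walk `root` and return root-relative paths of every file or directory
    whose own name is reserved. Bottom-up order, so a directory's contents are
    listed before the directory itself and the list can be deleted front to back."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return hits


def device_namespace_path(win_path: str) -> str:
    r"""Prefix an absolute Windows path with \\.\ so cmd.exe's del/rd act on the
    file instead of the device, the form the advisory uses: del \\.\C:\aux.
    (The \\?\ prefix, which also disables name normalisation, works as well.)"""
    return win_path if win_path.startswith("\\\\") else "\\\\.\\" + win_path


def build_demo_tree() -> str:
    """Constructed sample data: a temporary tree holding three reserved names
    and one harmless file. On Linux (or a Samba share that Windows clients
    mount) these names are ordinary, which is how they reach a Windows disk."""
    if sys.platform == "win32":
        raise RuntimeError("creating the demo tree needs a non-Windows host")
    root = tempfile.mkdtemp(prefix="reserved-names-")
    os.makedirs(os.path.join(root, "docs", "con"))  # a reserved directory name
    for rel in ("aux", "docs/com1.txt", "docs/readme.txt"):
        with open(os.path.join(root, rel), "w", encoding="ascii") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    # Usage: python find_reserved_names.py [directory]
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rel in find_reserved_entries(target):
        # Print the command an administrator would run on the Windows side,
        # assuming the scanned tree is mounted there as C:\ (an assumption).
        verb = "rd" if os.path.isdir(os.path.join(target, rel)) else "del"
        print(verb + " " + device_namespace_path("C:\\" + rel.replace(os.sep, "\\")))
```

Run against a real directory the script only reports; it never deletes anything itself, so the printed commands can be reviewed before being executed. The reserved-name list is the documented Windows set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); names such as COM10 are not reserved and are not reported.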
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
