return value
a. Updated OpenSSL package for the Service Console fixes a
security issue.
OpenSSL 0.9.7a-33.24 and earlier does not properly check the return
value from the EVP_VerifyFinal function, which could allow a remote
attacker to bypass validation of the certificate chain via a
malformed SSL/TLS signature for DSA and ECDSA keys.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-5077 to this issue.
    Package                /  Vulnerable  /  Unaffected
  1 net-analyzer/tcpdump      < 3.9.5-r3      >= 3.9.5-r3
Description
===========
mu-b from Digital Labs discovered that the return value of a snprintf()
call is not properly checked before being used. This could lead to an
integer overflow.
Impact
======
    Package                /  Vulnerable  /  Unaffected
  1 net-dns/bind              < 9.4.3_p1      >= 9.4.3_p1
Description
===========
BIND does not properly check the return value from the OpenSSL
functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265)
certificates.
Impact
======
_______________________________________________________________________
Problem Description:
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check
the return value from the OCSP_basic_verify function, which might allow
remote attackers to successfully present an invalid X.509 certificate,
possibly involving a revoked certificate.
This update corrects the problem, including for older ruby versions.
_______________________________________________________________________
Details follow:
Using the Codenomicon LDAPv3 test suite, Ilkka Mattila and Tuomas
Salomäki discovered that the slap_modrdn2mods function in modrdn.c
in OpenLDAP does not check the return value from a call to the
smr_normalize function. A remote attacker could use specially crafted
modrdn requests to crash the slapd daemon or possibly execute arbitrary
code. (CVE-2010-0211)
Eric Sesterhenn reported a local DoS issue in the hfsplus
filesystem. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that results in a kernel oops due to an unchecked
return value.
CVE-2008-5025
Eric Sesterhenn reported a local DoS issue in the hfs filesystem.
Local users who have been granted the privileges necessary to
system crash) via an hfsplus filesystem image with an invalid
catalog namelength field, related to the hfsplus_cat_build_key_uni
function. (CVE-2008-4933)
The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the
Linux kernel before 2.6.28-rc1 does not check a certain return value
from the read_mapping_page function before calling kmap, which allows
attackers to cause a denial of service (system crash) via a crafted
hfsplus filesystem image. (CVE-2008-4934)
The __scm_destroy function in net/core/scm.c in the Linux kernel
attackers to bypass intended access restrictions via a crafted web
site that triggers an unspecified internal error (CVE-2011-3001).
Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla
Firefox before 7.0 and SeaMonkey before 2.4, does not validate the
return value of a GrowAtomTable function call, which allows remote
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via vectors that trigger a memory-allocation
error and a resulting buffer overflow (CVE-2011-3002).
Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote
fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel
before 2.6.28.1 allows local users to cause a denial of service (fault
or memory corruption), or possibly have unspecified other impact,
via a readlink call that results in an error, leading to use of a -1
return value as an array index. (CVE-2009-0269)
The audit_syscall_entry function in the Linux kernel 2.6.28.7
and earlier on the x86_64 platform does not properly handle (1)
a 32-bit process making a 64-bit syscall or (2) a 64-bit process
making a 32-bit syscall, which allows local users to bypass certain
VUPEN Security Research - Microsoft Office Word Return Value Handling
Vulnerability (CVE-2010-3215)
http://www.vupen.com/english/research.php
I. BACKGROUND
---------------------
Microsoft Office Word, included in the Microsoft Office suite,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
https://www.isc.org/node/373
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33
Description:
Previous versions of BIND incorrectly interpret the return value of the
OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone
could present a malformed DSA certificate and bypass proper certificate
validation, allowing spoofing attacks.
rPath Linux does not ship with DNSSEC enabled, and therefore is not, by
setegid() and related legacy interfaces. If no setegid() equivalent
appears to exist on the system, k5-util.h defines krb5_setegid() to
always fail with errno EPERM. Since the relevant autoconf tests never
execute, k5-util.h will always define krb5_setegid() to fail.
The FTP daemon does not check the return value of krb5_setegid(), so
it silently fails to set its effective GID, allowing users to gain
unauthorized access using the effective GID that the daemon process
started with.
REVISION HISTORY
vulnerable to a ciphersuite downgrade attack, which could allow a
remote attacker to force a client to use a weaker cipher.
Additionally, previous versions of openssl did not check for a NULL
return value from the bn_wexpand function, which could lead to a
remote denial of service.
http://wiki.rpath.com/Advisories:rPSA-2011-0013
Copyright 2011 rPath, Inc.
_______________________________________________________________________
Problem Description:
Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
properly check the return value from the OpenSSL EVP_VerifyFinal
function, which allows remote attackers to bypass validation of
the certificate chain via a malformed SSL/TLS signature, a similar
vulnerability to CVE-2008-5077 and CVE-2009-0025.
In this particular case the DSA_verify function was fixed with
Debian-specific: no
CVE Id(s) : CVE-2009-0050
Debian Bug : 511262
It was discovered that Lasso, a library for Liberty Alliance and SAML
protocols performs incorrect validation of the return value of OpenSSL's
DSA_verify() function.
For the stable distribution (etch), this problem has been fixed in
version 0.6.5-3+etch1.
Multiple race conditions in smtpd.py in the smtpd module in Python 2.6,
2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of
service (daemon outage) by establishing and then immediately closing
a TCP connection, leading to the accept function having an unexpected
return value of None, an unexpected value of None for the address,
or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername
function having an ENOTCONN error, a related issue to CVE-2010-3492
(CVE-2010-3493).
Packages for 2009.0 are provided as of the Extended Maintenance
Problem Description:
A vulnerability has been found and corrected in libnasl:
nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library
(aka libnasl) 2.2.11 does not properly check the return value from
the OpenSSL DSA_do_verify function, which allows remote attackers to
bypass validation of the certificate chain via a malformed SSL/TLS
signature, a similar vulnerability to CVE-2008-5077 (CVE-2009-0125).
This update fixes this vulnerability.
Description
===========
Marcus Meissner from SUSE reported that the pa_drop_root() function
does not properly check the return value of the system calls setuid(),
seteuid(), setresuid() and setreuid() when dropping its privileges.
Impact
======
Problem Description:
Multiple vulnerabilities have been discovered and corrected in openldap:
The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not
check the return value of a call to the smr_normalize function, which
allows remote attackers to cause a denial of service (segmentation
fault) and possibly execute arbitrary code via a modrdn call with an
RDN string containing invalid UTF-8 sequences, which triggers a free
of an invalid, uninitialized pointer in the slap_mods_free function, as
demonstrated using the Codenomicon LDAPv3 test suite (CVE-2010-0211).
files!
o Redesign of VCG parser: easier to read, easier to use.
Bug Fixes:
o Return value (HWND) of createTable
o Fixed Attach Search Filtering :
http://forum.immunityinc.com/index.php?topic=49.0
o Grapher: Vertex lastline jumps correctly displayed now
o Fixed crash when searching on modules:
http://forum.immunityinc.com/index.php?topic=63.0
A vulnerability was discovered and corrected in krb5-appl:
ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications
(aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid
return value, which allows remote authenticated users to bypass
intended group access restrictions, and create, overwrite, delete,
or read files, via standard FTP commands, related to missing autoconf
tests in a configure script (CVE-2011-1526).
The updated packages have been patched to correct this issue.
This update fixes several security issues in openssl:
- The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
through 0.9.8m allows remote attackers to cause a denial of service
(crash) via a malformed record in a TLS connection (CVE-2010-0740)
- OpenSSL before 0.9.8m does not check for a NULL return value
from bn_wexpand function calls which has unspecified impact and
context-dependent attack vectors (CVE-2009-3245)
- The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL
before 0.9.8n, when Kerberos is enabled but Kerberos configuration
files cannot be opened, could allow remote attackers to cause a denial
problems:
CVE-2010-0211
The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does
not check the return value of a call to the smr_normalize
function, which allows remote attackers to cause a denial of
service (segmentation fault) and possibly execute arbitrary code
via a modrdn call with an RDN string containing invalid UTF-8
sequences.
Problem Description:
Multiple vulnerabilities were discovered and corrected in ruby:
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check
the return value from the OCSP_basic_verify function, which might allow
remote attackers to successfully present an invalid X.509 certificate,
possibly involving a revoked certificate (CVE-2009-0642).
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before
p173 allows context-dependent attackers to cause a denial of service
http://www.debian.org/security/ Sébastien Delafond
Sep 3, 2010 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : barnowl
Vulnerability : unchecked return value
Problem type : remote
Debian-specific: no
CVE Id : CVE-2010-2725
Debian Bug : 593299
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://www.openssl.org/news/secadv_20090107.txt
Description:
Previous versions of OpenSSL do not properly check the return value from
the EVP_VerifyFinal function, which allows remote attackers to bypass
validation of the certificate chain via a malformed SSL/TLS signature
for DSA and ECDSA keys.
http://wiki.rpath.com/Advisories:rPSA-2009-0008
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
Description:
Previous versions of NTP do not properly check the return value from the
OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass
validation of the certificate chain via a malformed SSL/TLS signature for
DSA and ECDSA keys.
http://wiki.rpath.com/Advisories:rPSA-2009-0010
available input larger than the output buffer, but smaller than the
size required to hit an unmapped or read-only page of memory.
A semi-interesting note is that the value -1 will not work: when
extracting this integer, an API call mixes the return value and the
error code, with -1 indicating that an error occurred. This check is
done in conjunction with another check and thus does not cause the
routine to fail, but rather causes PyArg_ParseTuple() to initialize
the length variable with a value of 1.