Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 17 Apr 2008 14:35:17 -0700 (PDT)
From:      Nick Barkas <snb@threerings.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/122872: [patch] Four new vulnerabilities to add to security/vuxml
Message-ID:  <20080417213517.D3C5961E38@smtp.earth.threerings.net>
Resent-Message-ID: <200804172140.m3HLeBf0090585@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         122872
>Category:       ports
>Synopsis:       [patch] Four new vulnerabilities to add to security/vuxml
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 17 21:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 6.2-RELEASE-p11 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #0: Wed Feb 13 07:00:04 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386
>Description:
This patch adds VuXML entries for recent vulnerabilities in python, php, libpng,
and openfire.
>How-To-Repeat:
>Fix:
--- vuxml.patch begins here ---
--- vuln.xml.orig	Wed Apr 16 08:28:37 2008
+++ vuln.xml	Thu Apr 17 14:30:28 2008
@@ -34,6 +34,165 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="1382a290-0cba-11dd-bfca-0030488b5ba8">
+    <topic>php -- Integer Overflow Vulnerability</topic>
+    <affects>
+      <package>
+	<name>php5</name>
+	<range><lt>5.2.6</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>SecurityFocus reports:</p>
+	<blockquote cite="http://www.securityfocus.com/bid/28392/discuss">;
+	  <p>PHP 5 is prone to an integer-overflow vulnerability because the 
+	    software fails to ensure that integer values are not overrun.</p>
+	  <p>Successful exploits of this vulnerability allow remote attackers 
+	    to execute arbitrary machine code in the context of a webserver 
+	    affected by the issue. Failed attempts will likely result in 
+	    denial-of-service conditions.</p>
+	  <p>PHP 5.2.5 and prior versions are vulnerable.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2008-1384</cvename>
+      <bid>28392</bid>
+    </references>
+    <dates>
+      <discovery>2008-03-21</discovery>
+      <entry>2008-04-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="effaeb3a-0cb9-11dd-8472-0030485949d4">
+    <topic>python -- Integer Signedness Error in zlib Module</topic>
+    <affects>
+      <package>
+	<name>python</name>
+	<range><le>2.5.2</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>SecurityFocus reports:</p>
+	<blockquote cite="http://www.securityfocus.com/bid/28715/discuss">;
+	  <p>Python zlib module is prone to a remote buffer-overflow 
+	    vulnerability because the library fails to properly sanitize 
+	    user-supplied data.</p>
+	  <p>An attacker can exploit this issue to execute arbitrary code with 
+	    the privileges of the user running an application that relies on
+	    the affected library. Failed exploit attempts will result in a 
+	    denial-of-service condition.</p>
+	  <p>This issue affects Python 2.5.2; other versions may also be 
+	    vulnerable.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2008-1721</cvename>
+      <bid>28715</bid>
+      <url>http://bugs.python.org/issue2586</url>;
+    </references>
+    <dates>
+      <discovery>2008-04-08</discovery>
+      <entry>2008-04-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="cc99877f-0cb9-11dd-8c6a-00304881ac9a">
+    <topic>openfire -- Denial of Service</topic>
+    <affects>
+      <package>
+	<name>openfire</name>
+	<range><eq>3.4.5</eq></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Secunia reports:</p>
+	<blockquote cite="http://secunia.com/advisories/29751">;
+	  <p>A vulnerability has been reported in Openfire, which can be 
+	    exploited by malicious people to cause a DoS (Denial of 
+	    Service).</p>
+	  <p>The vulnerability is caused due to an unspecified error and can 
+	    be exploited to cause a DoS.</p>
+	  <p>The vulnerability is reported in version 3.4.5. Other versions 
+	    may also be affected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2008-1728</cvename>
+      <url>http://secunia.com/advisories/29751</url>;
+    </references>
+    <dates>
+      <discovery>2008-04-10</discovery>
+      <entry>2008-04-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d33efa42-0cb9-11dd-b659-0030483143e0">
+    <topic>png -- buffer overflow</topic>
+    <affects>
+      <package>
+	<name>png</name>
+	<range><le>1.2.26</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>libpng developers report:</p>
+	<blockquote cite="http://libpng.sourceforge.net/Advisory-1.2.26.txt">;
+	  <p>Tavis Ormandy advised us of a bug in libpng in its handling of
+	    unknown chunks with zero data length.</p>
+	  <p>We have examined the report and find that the bug exists in all
+	    libpng versions since 1.0.6.  It only manifests itself when all
+	    three of the following conditions exist:</p>
+	  <p>1. The application is loaded with libpng-1.0.6 through 1.0.32,
+	    libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through
+	    libpng-1.4.0beta19, and</p>
+	  <p>2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
+	    or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default
+	    libpng installations), and</p>
+	  <p>3. the application includes either a call to 
+	    png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn) or a 
+	    call to png_set_keep_unknown_chunks(png_ptr, keep, list, N) with 
+	    keep = PNG_HANDLE_CHUNK_IF_SAFE (2) or keep = 
+	    PNG_HANDLE_CHUNK_ALWAYS (3)</p>
+	  <p>We believe this is a rare circumstance.  It occurs in "pngtest"
+	    that is a part of the libpng distribution, in pngcrush, and in
+	    recent versions of ImageMagick (6.2.5 through 6.4.0-4).  We are
+	    not aware of any other vulnerable applications.</p>
+	  <p>When an application with the bug is run, libpng will generate
+	    spurious warning messages about a CRC error in the zero-length 
+	    chunk and an out-of-memory condition, unless warnings are being
+	    suppressed. There is not actually a memory overflow, but the NULL
+	    pointer returned from the memory allocator when it tries to 
+	    generate a zero-length buffer for the chunk data triggers the 
+	    warning. Later, there may be an error when the application tries 
+	    to free the non-existent buffer. This has been observed to cause a 
+	    segmentation violation in pngtest.</p>
+	  <p>Libpng-1.2.27 and later, and 1.0.33 and later, will not be 
+	    vulnerable. These are in beta and will be released on or about 
+	    April 30, 2008. Libpng-1.2.27beta01, which was released on April 
+	    12, is also not vulnerable.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2008-1382</cvename>
+      <bid>28770</bid>
+      <url>http://libpng.sourceforge.net/Advisory-1.2.26.txt</url>;
+      <url>http://secunia.com/advisories/29792</url>;
+    </references>
+    <dates>
+      <discovery>2008-04-12</discovery>
+      <entry>2008-04-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="589d8053-0b03-11dd-b4ef-00e07dc4ec84">
     <topic>clamav -- Multiple Vulnerabilities</topic>
     <affects>
--- vuxml.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080417213517.D3C5961E38>