Date: Thu, 17 Apr 2008 14:35:17 -0700 (PDT)
From: Nick Barkas <snb@threerings.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/122872: [patch] Four new vulnerabilities to add to security/vuxml
Message-ID: <20080417213517.D3C5961E38@smtp.earth.threerings.net>
Resent-Message-ID: <200804172140.m3HLeBf0090585@freefall.freebsd.org>
>Number: 122872 >Category: ports >Synopsis: [patch] Four new vulnerabilities to add to security/vuxml >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Thu Apr 17 21:40:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Nick Barkas >Release: FreeBSD 6.2-RELEASE-p11 i386 >Organization: Three Rings Design >Environment: System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #0: Wed Feb 13 07:00:04 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386 >Description: This patch adds VuXML entries for recent vulnerabilities in python, php, libpng, and openfire. >How-To-Repeat: >Fix: --- vuxml.patch begins here --- --- vuln.xml.orig Wed Apr 16 08:28:37 2008 +++ vuln.xml Thu Apr 17 14:30:28 2008 
@@ -34,6 +34,165 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1382a290-0cba-11dd-bfca-0030488b5ba8"> + <topic>php -- Integer Overflow Vulnerability</topic> + <affects> + <package> + <name>php5</name> + <range><lt>5.2.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SecurityFocus reports:</p> + <blockquote cite="http://www.securityfocus.com/bid/28392/discuss"> + <p>PHP 5 is prone to an integer-overflow vulnerability because the + software fails to ensure that integer values are not overrun.</p> + <p>Successful exploits of this vulnerability allow remote attackers + to execute arbitrary machine code in the context of a webserver + affected by the issue. Failed attempts will likely result in + denial-of-service conditions.</p> + <p>PHP 5.2.5 and prior versions are vulnerable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-1384</cvename> + <bid>28392</bid> + </references> + <dates> + <discovery>2008-03-21</discovery> + <entry>2008-04-17</entry> + </dates> + </vuln> + + <vuln vid="effaeb3a-0cb9-11dd-8472-0030485949d4"> + <topic>python -- Integer Signedness Error in zlib Module</topic> + <affects> + <package> + <name>python</name> + <range><le>2.5.2</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SecurityFocus reports:</p> + <blockquote cite="http://www.securityfocus.com/bid/28715/discuss"> + <p>Python zlib module is prone to a remote buffer-overflow + vulnerability because the library fails to properly sanitize + user-supplied data.</p> + <p>An attacker can exploit this issue to execute arbitrary code with + the privileges of the user running an application that relies on + the affected library. 
Failed exploit attempts will result in a + denial-of-service condition.</p> + <p>This issue affects Python 2.5.2; other versions may also be + vulnerable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-1721</cvename> + <bid>28715</bid> + <url>http://bugs.python.org/issue2586</url> + </references> + <dates> + <discovery>2008-04-08</discovery> + <entry>2008-04-17</entry> + </dates> + </vuln> + + <vuln vid="cc99877f-0cb9-11dd-8c6a-00304881ac9a"> + <topic>openfire -- Denial of Service</topic> + <affects> + <package> + <name>openfire</name> + <range><eq>3.4.5</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Secunia reports:</p> + <blockquote cite="http://secunia.com/advisories/29751"> + <p>A vulnerability has been reported in Openfire, which can be + exploited by malicious people to cause a DoS (Denial of + Service).</p> + <p>The vulnerability is caused due to an unspecified error and can + be exploited to cause a DoS.</p> + <p>The vulnerability is reported in version 3.4.5. Other versions + may also be affected.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-1728</cvename> + <url>http://secunia.com/advisories/29751</url> + </references> + <dates> + <discovery>2008-04-10</discovery> + <entry>2008-04-17</entry> + </dates> + </vuln> + + <vuln vid="d33efa42-0cb9-11dd-b659-0030483143e0"> + <topic>png -- buffer overflow</topic> + <affects> + <package> + <name>png</name> + <range><le>1.2.26</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>libpng developers report:</p> + <blockquote cite="http://libpng.sourceforge.net/Advisory-1.2.26.txt"> + <p>Tavis Ormandy advised us of a bug in libpng in its handling of + unknown chunks with zero data length.</p> + <p>We have examined the report and find that the bug exists in all + libpng versions since 1.0.6. 
It only manifests itself when all + three of the following conditions exist:</p> + <p>1. The application is loaded with libpng-1.0.6 through 1.0.32, + libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through + libpng-1.4.0beta19, and</p> + <p>2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED + or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default + libpng installations), and</p> + <p>3. the application includes either a call to + png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn) or a + call to png_set_keep_unknown_chunks(png_ptr, keep, list, N) with + keep = PNG_HANDLE_CHUNK_IF_SAFE (2) or keep = + PNG_HANDLE_CHUNK_ALWAYS (3)</p> + <p>We believe this is a rare circumstance. It occurs in "pngtest" + that is a part of the libpng distribution, in pngcrush, and in + recent versions of ImageMagick (6.2.5 through 6.4.0-4). We are + not aware of any other vulnerable applications.</p> + <p>When an application with the bug is run, libpng will generate + spurious warning messages about a CRC error in the zero-length + chunk and an out-of-memory condition, unless warnings are being + suppressed. There is not actually a memory overflow, but the NULL + pointer returned from the memory allocator when it tries to + generate a zero-length buffer for the chunk data triggers the + warning. Later, there may be an error when the application tries + to free the non-existent buffer. This has been observed to cause a + segmentation violation in pngtest.</p> + <p>Libpng-1.2.27 and later, and 1.0.33 and later, will not be + vulnerable. These are in beta and will be released on or about + April 30, 2008. 
Libpng-1.2.27beta01, which was released on April + 12, is also not vulnerable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-1382</cvename> + <bid>28770</bid> + <url>http://libpng.sourceforge.net/Advisory-1.2.26.txt</url> + <url>http://secunia.com/advisories/29792</url> + </references> + <dates> + <discovery>2008-04-12</discovery> + <entry>2008-04-17</entry> + </dates> + </vuln> + <vuln vid="589d8053-0b03-11dd-b4ef-00e07dc4ec84"> <topic>clamav -- Multiple Vulnerabilities</topic> <affects> --- vuxml.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
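Review bot: The openfire entry's range `<range><eq>3.4.5</eq></range>` is narrower than the advisory it quotes, which says "Other versions may also be affected"; with no fixed release named, `<range><le>3.4.5</le></range>` would match the python entry's treatment of the same wording and avoid leaving later or earlier openfire package versions unflagged. Similarly, the png entry's `<range><le>1.2.26</le></range>` could carry the lower bound the libpng advisory states ("the bug exists in all libpng versions since 1.0.6"), i.e. `<range><ge>1.0.6</ge><le>1.2.26</le></range>`, so the entry is tied to the versions the advisory actually names.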