From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Apr 17 21:40:12 2008
Message-Id: <20080417213517.D3C5961E38@smtp.earth.threerings.net>
Date: Thu, 17 Apr 2008 14:35:17 -0700 (PDT)
From: Nick Barkas
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/122872: [patch] Four new vulnerabilities to add to security/vuxml
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Nick Barkas
List-Id: Ports bug reports
X-List-Received-Date: Thu, 17 Apr 2008 21:40:12 -0000

>Number: 122872
>Category: ports
>Synopsis: [patch] Four new vulnerabilities to add to security/vuxml
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 17 21:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.2-RELEASE-p11 i386
>Organization: Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #0: Wed Feb 13 07:00:04 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386
>Description:
This patch adds VuXML entries for recent vulnerabilities in python, php, libpng, and openfire.
>How-To-Repeat:
>Fix:
--- vuxml.patch begins here ---
--- vuln.xml.orig Wed Apr 16 08:28:37 2008 +++ vuln.xml Thu Apr 17 14:30:28 2008 @@ -34,6 +34,165 @@ --> + + php -- Integer Overflow Vulnerability + + + php5 + 5.2.6 + + + + +

SecurityFocus reports:

+
+

PHP 5 is prone to an integer-overflow vulnerability because the + software fails to ensure that integer values are not overrun.

+

Successful exploits of this vulnerability allow remote attackers + to execute arbitrary machine code in the context of a webserver + affected by the issue. Failed attempts will likely result in + denial-of-service conditions.

+

PHP 5.2.5 and prior versions are vulnerable.

+
+ +
+ + CVE-2008-1384 + 28392 + + + 2008-03-21 + 2008-04-17 + +
+ + + python -- Integer Signedness Error in zlib Module + + + python + 2.5.2 + + + + +

SecurityFocus reports:

+
+

Python zlib module is prone to a remote buffer-overflow + vulnerability because the library fails to properly sanitize + user-supplied data.

+

An attacker can exploit this issue to execute arbitrary code with + the privileges of the user running an application that relies on + the affected library. Failed exploit attempts will result in a + denial-of-service condition.

+

This issue affects Python 2.5.2; other versions may also be + vulnerable.

+
+ +
+ + CVE-2008-1721 + 28715 + http://bugs.python.org/issue2586 + + + 2008-04-08 + 2008-04-17 + +
+ + + openfire -- Denial of Service + + + openfire + 3.4.5 + + + + +

Secunia reports:

+
+

A vulnerability has been reported in Openfire, which can be + exploited by malicious people to cause a DoS (Denial of + Service).

+

The vulnerability is caused due to an unspecified error and can + be exploited to cause a DoS.

+

The vulnerability is reported in version 3.4.5. Other versions + may also be affected.

+
+ +
+ + CVE-2008-1728 + http://secunia.com/advisories/29751 + + + 2008-04-10 + 2008-04-17 + +
+ + + png -- buffer overflow + + + png + 1.2.26 + + + + +

libpng developers report:

+
+

Tavis Ormandy advised us of a bug in libpng in its handling of + unknown chunks with zero data length.

+

We have examined the report and find that the bug exists in all + libpng versions since 1.0.6. It only manifests itself when all + three of the following conditions exist:

+

1. The application is loaded with libpng-1.0.6 through 1.0.32, + libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through + libpng-1.4.0beta19, and

+

2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED + or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default + libpng installations), and

+

3. the application includes either a call to + png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn) or a + call to png_set_keep_unknown_chunks(png_ptr, keep, list, N) with + keep = PNG_HANDLE_CHUNK_IF_SAFE (2) or keep = + PNG_HANDLE_CHUNK_ALWAYS (3)

+

We believe this is a rare circumstance. It occurs in "pngtest" + that is a part of the libpng distribution, in pngcrush, and in + recent versions of ImageMagick (6.2.5 through 6.4.0-4). We are + not aware of any other vulnerable applications.

+

When an application with the bug is run, libpng will generate + spurious warning messages about a CRC error in the zero-length + chunk and an out-of-memory condition, unless warnings are being + suppressed. There is not actually a memory overflow, but the NULL + pointer returned from the memory allocator when it tries to + generate a zero-length buffer for the chunk data triggers the + warning. Later, there may be an error when the application tries + to free the non-existent buffer. This has been observed to cause a + segmentation violation in pngtest.

+

Libpng-1.2.27 and later, and 1.0.33 and later, will not be + vulnerable. These are in beta and will be released on or about + April 30, 2008. Libpng-1.2.27beta01, which was released on April + 12, is also not vulnerable.

+
+ +
+ + CVE-2008-1382 + 28770 + http://libpng.sourceforge.net/Advisory-1.2.26.txt + http://secunia.com/advisories/29792 + + + 2008-04-12 + 2008-04-17 + +
+ clamav -- Multiple Vulnerabilities
--- vuxml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
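
Review bot: The version bounds do not line up with the quoted advisories in the same way across the four new entries. The php entry lists 5.2.6 where its text says "PHP 5.2.5 and prior versions are vulnerable", which fits an exclusive upper bound, but the python, openfire and png entries list 2.5.2, 3.4.5 and 1.2.26, the very versions their advisories name as affected. The range operators are not visible in this copy of the patch, so please confirm that those three use an inclusive bound (or an exclusive bound on the first fixed port version); otherwise the affected versions themselves will not match the entry. The topic "png -- buffer overflow" also disagrees with the libpng text quoted under it, which says "There is not actually a memory overflow" and describes a later free of a non-existent buffer; a topic that follows that wording would be more accurate.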