ports/122872: [patch] Four new vulnerabilities to add to security/vuxml
Nick Barkas
snb at threerings.net
Thu Apr 17 21:40:12 UTC 2008
>Number: 122872
>Category: ports
>Synopsis: [patch] Four new vulnerabilities to add to security/vuxml
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 17 21:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.2-RELEASE-p11 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #0: Wed Feb 13 07:00:04 UTC 2008 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386
>Description:
This patch adds VuXML entries for recent vulnerabilities in python, php, libpng,
and openfire.
>How-To-Repeat:
>Fix:
--- vuxml.patch begins here ---
--- vuln.xml.orig Wed Apr 16 08:28:37 2008
+++ vuln.xml Thu Apr 17 14:30:28 2008
@@ -34,6 +34,165 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1382a290-0cba-11dd-bfca-0030488b5ba8">
+ <topic>php -- Integer Overflow Vulnerability</topic>
+ <affects>
+ <package>
+ <name>php5</name>
+ <range><lt>5.2.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SecurityFocus reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/28392/discuss">
+ <p>PHP 5 is prone to an integer-overflow vulnerability because the
+ software fails to ensure that integer values are not overrun.</p>
+ <p>Successful exploits of this vulnerability allow remote attackers
+ to execute arbitrary machine code in the context of a webserver
+ affected by the issue. Failed attempts will likely result in
+ denial-of-service conditions.</p>
+ <p>PHP 5.2.5 and prior versions are vulnerable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2008-1384</cvename>
+ <bid>28392</bid>
+ </references>
+ <dates>
+ <discovery>2008-03-21</discovery>
+ <entry>2008-04-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="effaeb3a-0cb9-11dd-8472-0030485949d4">
+ <topic>python -- Integer Signedness Error in zlib Module</topic>
+ <affects>
+ <package>
+ <name>python</name>
+ <range><le>2.5.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SecurityFocus reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/28715/discuss">
+ <p>Python zlib module is prone to a remote buffer-overflow
+ vulnerability because the library fails to properly sanitize
+ user-supplied data.</p>
+ <p>An attacker can exploit this issue to execute arbitrary code with
+ the privileges of the user running an application that relies on
+ the affected library. Failed exploit attempts will result in a
+ denial-of-service condition.</p>
+ <p>This issue affects Python 2.5.2; other versions may also be
+ vulnerable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2008-1721</cvename>
+ <bid>28715</bid>
+ <url>http://bugs.python.org/issue2586</url>
+ </references>
+ <dates>
+ <discovery>2008-04-08</discovery>
+ <entry>2008-04-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cc99877f-0cb9-11dd-8c6a-00304881ac9a">
+ <topic>openfire -- Denial of Service</topic>
+ <affects>
+ <package>
+ <name>openfire</name>
+ <range><eq>3.4.5</eq></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Secunia reports:</p>
+ <blockquote cite="http://secunia.com/advisories/29751">
+ <p>A vulnerability has been reported in Openfire, which can be
+ exploited by malicious people to cause a DoS (Denial of
+ Service).</p>
+ <p>The vulnerability is caused due to an unspecified error and can
+ be exploited to cause a DoS.</p>
+ <p>The vulnerability is reported in version 3.4.5. Other versions
+ may also be affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2008-1728</cvename>
+ <url>http://secunia.com/advisories/29751</url>
+ </references>
+ <dates>
+ <discovery>2008-04-10</discovery>
+ <entry>2008-04-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d33efa42-0cb9-11dd-b659-0030483143e0">
+ <topic>png -- buffer overflow</topic>
+ <affects>
+ <package>
+ <name>png</name>
+ <range><le>1.2.26</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>libpng developers report:</p>
+ <blockquote cite="http://libpng.sourceforge.net/Advisory-1.2.26.txt">
+ <p>Tavis Ormandy advised us of a bug in libpng in its handling of
+ unknown chunks with zero data length.</p>
+ <p>We have examined the report and find that the bug exists in all
+ libpng versions since 1.0.6. It only manifests itself when all
+ three of the following conditions exist:</p>
+ <p>1. The application is loaded with libpng-1.0.6 through 1.0.32,
+ libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through
+ libpng-1.4.0beta19, and</p>
+ <p>2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
+ or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default
+ libpng installations), and</p>
+ <p>3. the application includes either a call to
+ png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn) or a
+ call to png_set_keep_unknown_chunks(png_ptr, keep, list, N) with
+ keep = PNG_HANDLE_CHUNK_IF_SAFE (2) or keep =
+ PNG_HANDLE_CHUNK_ALWAYS (3)</p>
+ <p>We believe this is a rare circumstance. It occurs in "pngtest"
+ that is a part of the libpng distribution, in pngcrush, and in
+ recent versions of ImageMagick (6.2.5 through 6.4.0-4). We are
+ not aware of any other vulnerable applications.</p>
+ <p>When an application with the bug is run, libpng will generate
+ spurious warning messages about a CRC error in the zero-length
+ chunk and an out-of-memory condition, unless warnings are being
+ suppressed. There is not actually a memory overflow, but the NULL
+ pointer returned from the memory allocator when it tries to
+ generate a zero-length buffer for the chunk data triggers the
+ warning. Later, there may be an error when the application tries
+ to free the non-existent buffer. This has been observed to cause a
+ segmentation violation in pngtest.</p>
+ <p>Libpng-1.2.27 and later, and 1.0.33 and later, will not be
+ vulnerable. These are in beta and will be released on or about
+ April 30, 2008. Libpng-1.2.27beta01, which was released on April
+ 12, is also not vulnerable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2008-1382</cvename>
+ <bid>28770</bid>
+ <url>http://libpng.sourceforge.net/Advisory-1.2.26.txt</url>
+ <url>http://secunia.com/advisories/29792</url>
+ </references>
+ <dates>
+ <discovery>2008-04-12</discovery>
+ <entry>2008-04-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="589d8053-0b03-11dd-b4ef-00e07dc4ec84">
<topic>clamav -- Multiple Vulnerabilities</topic>
<affects>
--- vuxml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list