Author: neilm Date: 2005-12-05 14:55:43 +0000 (Mon, 05 Dec 2005) New Revision: 2945 Modified: data/DTSA/advs/22-uim.adv data/DTSA/advs/23-centericq.adv data/DTSA/advs/24-inkscape.adv data/DTSA/advs/25-smb4k.adv data/DTSA/advs/26-trackballs.adv Log: Filled in the .advs Modified: data/DTSA/advs/22-uim.adv ==================================================================--- data/DTSA/advs/22-uim.adv 2005-12-05 11:56:05 UTC (rev 2944) +++ data/DTSA/advs/22-uim.adv 2005-12-05 14:55:43 UTC (rev 2945) @@ -1,13 +1,16 @@ -source: xxx -date: Bloptember 99th, 1990 -author: xxx -vuln-type: xxx -problem-scope: remote/local -debian-specifc: yes/no -cve: xxx xxx -vendor-advisory: -testing-fix: xxx -sid-fix: xxx -upgrade: apt-get install xxx +source: uim +date: December 5th, 2005 +author: Neil McGovern +vuln-type: local privilege escalation +problem-scope: local +debian-specifc: no +cve: CVE-2005-3149 +testing-fix: 1:0.4.7-2.0etch1 +sid-fix: 1:0.4.7-2 +upgrade: apt-get upgrade -xxx multiline description here +CVE-2005-3149 + + Masanari Yamamoto discovered that incorrect use of environment + variables in uim. This bug causes privilege escalation if setuid/setgid + applications was linked to libuim. Modified: data/DTSA/advs/23-centericq.adv ==================================================================--- data/DTSA/advs/23-centericq.adv 2005-12-05 11:56:05 UTC (rev 2944) +++ data/DTSA/advs/23-centericq.adv 2005-12-05 14:55:43 UTC (rev 2945) 
@@ -1,13 +1,16 @@ -source: xxx -date: Bloptember 99th, 1990 -author: xxx -vuln-type: xxx -problem-scope: remote/local -debian-specifc: yes/no -cve: xxx xxx -vendor-advisory: -testing-fix: xxx -sid-fix: xxx -upgrade: apt-get install xxx +source: centericq +date: December 5th, 2005 +author: Neil McGovern +vuln-type: buffer overflow +problem-scope: local +debian-specifc: no +cve: CVE-2005-3863 +testing-fix: 4.21.0-6.0etch1 +sid-fix: 4.21.0-6 +upgrade: apt-get upgrade -xxx multiline description here +CVE-2005-3863 + + Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H + Research Team discovered a buffer overflow in kkstrtext.h of the ktools + library, which is included in centericq. Modified: data/DTSA/advs/24-inkscape.adv ==================================================================--- data/DTSA/advs/24-inkscape.adv 2005-12-05 11:56:05 UTC (rev 2944) +++ data/DTSA/advs/24-inkscape.adv 2005-12-05 14:55:43 UTC (rev 2945) @@ -1,13 +1,16 @@ -source: xxx -date: Bloptember 99th, 1990 -author: xxx -vuln-type: xxx -problem-scope: remote/local -debian-specifc: yes/no -cve: xxx xxx -vendor-advisory: -testing-fix: xxx -sid-fix: xxx -upgrade: apt-get install xxx +source: inkscape +date: December 5th, 2005 +author: Neil McGovern +vuln-type: buffer overflow +problem-scope: remote +debian-specifc: no +cve: CVE-2005-3737 +testing-fix: 0.43-0.0etch1 +sid-fix: 0.43-1 +upgrade: apt-get install inkscape -xxx multiline description here +CVE-2005-3737 + + Joxean Koret discovered that inkscape is vulnerable in the SVG importer + (style.cpp), which might allow remote attackers to execute arbitrary code + via a SVG file with long CSS style property values. Modified: data/DTSA/advs/25-smb4k.adv ==================================================================--- data/DTSA/advs/25-smb4k.adv 2005-12-05 11:56:05 UTC (rev 2944) +++ data/DTSA/advs/25-smb4k.adv 2005-12-05 14:55:43 UTC (rev 2945) 
@@ -1,13 +1,19 @@ -source: xxx -date: Bloptember 99th, 1990 -author: xxx -vuln-type: xxx -problem-scope: remote/local -debian-specifc: yes/no -cve: xxx xxx -vendor-advisory: -testing-fix: xxx -sid-fix: xxx -upgrade: apt-get install xxx +source: smb4k +date: December 5th, 2005 +author: Neil McGovern +vuln-type: access validation error +problem-scope: local +debian-specifc: no +cve: CVE-2005-2851 +vendor-advisory: http://smb4k.berlios.de +testing-fix: 0.6.4-0.0etch1 +sid-fix: 0.6.4-1 +upgrade: apt-get install smb4k -xxx multiline description here +CVE-2005-2851 + + A vulnerability leading to unauthorized file access has been found. A + pre-existing symlink from /tmp/sudoers and /tmp/super.tab to a textfile + will cause Smb4k to write the contents of these files to the target of the + symlink, as Smb4k does not check for the existence of these files before + writing to them. Modified: data/DTSA/advs/26-trackballs.adv ==================================================================--- data/DTSA/advs/26-trackballs.adv 2005-12-05 11:56:05 UTC (rev 2944) +++ data/DTSA/advs/26-trackballs.adv 2005-12-05 14:55:43 UTC (rev 2945) @@ -1,13 +1,17 @@ -source: xxx -date: Bloptember 99th, 1990 -author: xxx -vuln-type: xxx +source: trackballs +date: December 5th, 2005 +author: Neil McGovern +vuln-type: symlink attack problem-scope: remote/local debian-specifc: yes/no -cve: xxx xxx +cve: vendor-advisory: -testing-fix: xxx -sid-fix: xxx -upgrade: apt-get install xxx +testing-fix: 1.1.1-0.0etch1 +sid-fix: 1.1.1-1 +upgrade: apt-get upgrade -xxx multiline description here +Ulf Harnhammar notices that that trackballs follows symlinks when running as +gid games. It writes to files such as $HOME/.trackballs/[USERNAME].gmr and +$HOME/.trackballs/settings without checking if they are symlinks somewhere +else. This can be abused for overwriting or creating files wherever the games +group is allowed to do so.
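Review bot: in data/DTSA/advs/22-uim.adv the added description is not a complete sentence. "discovered that incorrect use of environment variables in uim" has no verb, and "applications was linked" disagrees in number. Suggested wording: "Masanari Yamamoto discovered incorrect use of environment variables in uim. This bug allows privilege escalation if setuid/setgid applications are linked to libuim."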
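Review bot: in data/DTSA/advs/23-centericq.adv the description says where the overflow is (kkstrtext.h of the ktools library) but not how it is triggered or what it permits, so the `problem-scope: local` value cannot be checked against the text. Add one sentence on vector and impact, as the inkscape entry does. Separately, this file and 22-uim.adv use `upgrade: apt-get upgrade` while 24-inkscape.adv and 25-smb4k.adv name the package (`upgrade: apt-get install inkscape`). Use one form across the five advisories.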
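Review bot: in data/DTSA/advs/24-inkscape.adv the description line "inkscape is vulnerable in the SVG importer (style.cpp)" never names the flaw, so the reader has to go back to `vuln-type: buffer overflow` to learn it. Suggest "discovered a buffer overflow in the SVG importer (style.cpp)" and "an SVG file" instead of "a SVG file". This hunk, like the uim and centericq ones, also deletes the `vendor-advisory:` key outright, whereas 26-trackballs.adv keeps it with an empty value. Confirm which form the .adv format expects and apply it consistently.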
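Review bot: in data/DTSA/advs/25-smb4k.adv the header says `vuln-type: access validation error`, but the description is about pre-existing symlinks at /tmp/sudoers and /tmp/super.tab being followed on write, the same class that 26-trackballs.adv labels `vuln-type: symlink attack`. Use the same label for both. The phrase "write the contents of these files to the target of the symlink" is also ambiguous about which files are meant and would read better if it said what Smb4k writes. Finally, `vendor-advisory: http://smb4k.berlios.de` is the project home page, not an advisory. Link the specific announcement or leave the field empty.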
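Review bot: in data/DTSA/advs/26-trackballs.adv two template placeholders are left as unchanged context lines and will ship in the advisory: `problem-scope: remote/local` and `debian-specifc: yes/no`. Set both to a single value. The description (writes under $HOME/.trackballs while running as gid games) suggests local scope. `cve:` is left empty. If no CVE id is assigned yet, say so in the commit log so it is not forgotten. The description also has "notices that that", which should read "noticed that".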