The OVAL Repository5.62015-09-03T07:26:52.906-04:00Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRed Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsrc/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3; and Sun StarOffice 6, 7, and 8 Office Suite (StarSuite); allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3; and Sun StarOffice 6, 7, and 8 Office Suite (StarSuite); allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files or execute arbitrary code via a crafted GIF image, aka CR 6804998.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files or execute arbitrary code via a crafted GIF image, aka CR 6804998.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsmbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnet/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTED(1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5(1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFirefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the protection mechanism for codebase principals and execute arbitrary script via the -moz-binding CSS property in a signed JAR file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the protection mechanism for codebase principals and execute arbitrary script via the -moz-binding CSS property in a signed JAR file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDQEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeader.pm in Net::DNS before 0.60, a Perl module, (1) generates predictable sequence IDs with a fixed increment and (2) can use the same starting ID for all child processes of a forking server, which allows remote attackers to spoof DNS responses, as originally reported for qpsmtp and spamassassin.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Header.pm in Net::DNS before 0.60, a Perl module, (1) generates predictable sequence IDs with a fixed increment and (2) can use the same starting ID for all child processes of a forking server, which allows remote attackers to spoof DNS responses, as originally reported for qpsmtp and spamassassin.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbrowser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDKDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled causes the skb structure to be freed.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via vectors related to "insufficient class checking" in the Date class.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via vectors related to "insufficient class checking" in the Date class.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDgtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the DNP3 dissector in Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP3 packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the DNP3 dissector in Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP3 packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, and (3) MirrorWrappedNativeParent and js_LockGCThingRT.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, and (3) MirrorWrappedNativeParent and js_LockGCThingRT.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDjs/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary JavaScript with chrome privileges via unknown vectors in which "page content can pollute XPCNativeWrappers."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary JavaScript with chrome privileges via unknown vectors in which "page content can pollute XPCNativeWrappers."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.12 allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug." NOTE: this was originally reported as affecting versions before 3.0.13.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.12 allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug." NOTE: this was originally reported as affecting versions before 3.0.13.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XPCVariant::VariantDataToJS function in the XPCOM implementation in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does not enforce intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via unspecified method calls, related to "doubly-wrapped objects."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XPCVariant::VariantDataToJS function in the XPCOM implementation in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does not enforce intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via unspecified method calls, related to "doubly-wrapped objects."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current-clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe focus handling for the onkeydown event in Mozilla Firefox 1.5.0.12, 2.0.0.4 and other versions before 2.0.0.8, and SeaMonkey before 1.1.5 allows remote attackers to change field focus and copy keystrokes via the "for" attribute in a label, which bypasses the focus prevention, as demonstrated by changing focus from a textarea to a file upload field.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The focus handling for the onkeydown event in Mozilla Firefox 1.5.0.12, 2.0.0.4 and other versions before 2.0.0.8, and SeaMonkey before 1.1.5 allows remote attackers to change field focus and copy keystrokes via the "for" attribute in a label, which bypasses the focus prevention, as demonstrated by changing focus from a textarea to a file upload field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsmbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDNFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUntrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstated by the (1) /admin?OP=redirectURL=% and (2) /admin?URL=/admin/OP=% URIs.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstrated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUntrusted search path vulnerability in Lynx before 2.8.6rel.4 allows local users to execute arbitrary code via malicious (1) .mailcap and (2) mime.types files in the current working directory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Untrusted search path vulnerability in Lynx before 2.8.6rel.4 allows local users to execute arbitrary code via malicious (1) .mailcap and (2) mime.types files in the current working directory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDQemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to allows local users to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to allows local users to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDAlgorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDouble free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to (1) chrome XBL and (2) chrome JS.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to (1) chrome XBL and (2) chrome JS.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via crafted pen width and pen color opcodes that overwrite arbitrary memory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via crafted pen width and pen color opcodes that overwrite arbitrary memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3.0.14 and earlier 2.x and 3.x versions, on Linux uses a predictable /tmp pathname for files selected from the Downloads window, which allows local users to replace an arbitrary downloaded file by placing a file in a /tmp location before the download occurs, related to the Download Manager component. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3.0.14 and earlier 2.x and 3.x versions, on Linux uses a predictable /tmp pathname for files selected from the Downloads window, which allows local users to replace an arbitrary downloaded file by placing a file in a /tmp location before the download occurs, related to the Download Manager component. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUntrusted search path vulnerability in a certain Red Hat build script for Standards Based Linux Instrumentation for Manageability (sblim) libraries before 1-13a.el4_6.1 in Red Hat Enterprise Linux (RHEL) 4, and before 1-31.el5_2.1 in RHEL 5, allows local users to gain privileges via a malicious library in a certain subdirectory of /var/tmp, related to an incorrect RPATH setting, as demonstrated by a malicious libc.so library for tog-pegasus.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Untrusted search path vulnerability in a certain Red Hat build script for Standards Based Linux Instrumentation for Manageability (sblim) libraries before 1-13a.el4_6.1 in Red Hat Enterprise Linux (RHEL) 4, and before 1-31.el5_2.1 in RHEL 5, allows local users to gain privileges via a malicious library in a certain subdirectory of /var/tmp, related to an incorrect RPATH setting, as demonstrated by a malicious libc.so library for tog-pegasus.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Cscope before 15.7a allow remote attackers to execute arbitrary code via long strings in input such as (1) source-code tokens and (2) pathnames, related to integer overflows in some cases. NOTE: this issue exists because of an incomplete fix for CVE-2004-2541.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Cscope before 15.7a allow remote attackers to execute arbitrary code via long strings in input such as (1) source-code tokens and (2) pathnames, related to integer overflows in some cases. NOTE: this issue exists because of an incomplete fix for CVE-2004-2541.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnet/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe WLCCP dissector in Wireshark 0.99.7 through 1.0.4 allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The WLCCP dissector in Wireshark 0.99.7 through 1.0.4 allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDouble free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDracoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDEvolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpacket-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDJDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, related to a "quantization problem," aka Bug Id 6862968.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, related to a "quantization problem," aka Bug Id 6862968.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nsXULTemplateQueryProcessorRDF::CheckIsSeparator function in Mozilla Firefox before 3.0.12, SeaMonkey 2.0a1pre, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to loading multiple RDF files in a XUL tree element.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nsXULTemplateQueryProcessorRDF::CheckIsSeparator function in Mozilla Firefox before 3.0.12, SeaMonkey 2.0a1pre, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to loading multiple RDF files in a XUL tree element.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Red Hat build script for the GNOME Display Manager (GDM) before 2.16.0-56 on Red Hat Enterprise Linux (RHEL) 5 omits TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions via XDMCP connections, a different vulnerability than CVE-2007-5079.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Red Hat build script for the GNOME Display Manager (GDM) before 2.16.0-56 on Red Hat Enterprise Linux (RHEL) 5 omits TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions via XDMCP connections, a different vulnerability than CVE-2007-5079.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDqemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the (1) X11 and (2) Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and attack vectors, related to failure to clone arrays that are returned by the getConfigurations function, aka Bug Id 6822057.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the (1) X11 and (2) Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and attack vectors, related to failure to clone arrays that are returned by the getConfigurations function, aka Bug Id 6822057.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet that triggers a NULL pointer dereference, as demonstrated by fuzz-2009-12-07-11141.pcap.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet that triggers a NULL pointer dereference, as demonstrated by fuzz-2009-12-07-11141.pcap.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 does not properly configure the PAM tty name, which allows remote authenticated users to bypass intended access restrictions and send requests to OpenPegasus WBEM services.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 does not properly configure the PAM tty name, which allows remote authenticated users to bypass intended access restrictions and send requests to OpenPegasus WBEM services.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting (XSS) and other attacks by using the addEventListener method to add an event listener for a site, which is executed in the context of that site.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting (XSS) and other attacks by using the addEventListener method to add an event listener for a site, which is executed in the context of that site.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first. NOTE: this issue is due to an incorrect patch for CVE-2007-5378.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first. NOTE: this issue is due to an incorrect patch for CVE-2007-5378.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of Math and Date; and (2) js_CheckRedeclaration.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of Math and Date; and (2) js_CheckRedeclaration.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XPConnect component in Mozilla Firefox before 2.0.0.17 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to a SCRIPT element.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XPConnect component in Mozilla Firefox before 2.0.0.17 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to a SCRIPT element.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFormat string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in cluster/cman/daemon/daemon.c in cman (redhat-cluster-suite) before 20070622 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via long client messages.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in cluster/cman/daemon/daemon.c in cman (redhat-cluster-suite) before 20070622 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via long client messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDKDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a pointer during handling of a Cascading Style Sheets (CSS) attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a pointer during handling of a Cascading Style Sheets (CSS) attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDXen 3.x, possibly before 3.1.2, when running on IA64 systems, does not check the RID value for mov_to_rr, which allows a VTi domain to read memory of other domains.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Xen 3.x, possibly before 3.1.2, when running on IA64 systems, does not check the RID value for mov_to_rr, which allows a VTi domain to read memory of other domains.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDslapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDneon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to nsSVGElement::BindToTree.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to nsSVGElement::BindToTree.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to "MT exec + utrace_attach spin failure mode," as demonstrated by ptrace-thrash.c.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to "MT exec + utrace_attach spin failure mode," as demonstrated by ptrace-thrash.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the JavaScript engine in Mozilla Firefox before 3.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the JavaScript engine in Mozilla Firefox before 3.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants read access to private variables with unspecified names, which allows context-dependent attackers to obtain sensitive information via an untrusted (1) applet or (2) application.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants read access to private variables with unspecified names, which allows context-dependent attackers to obtain sensitive information via an untrusted (1) applet or (2) application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDtog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDslp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibexif 0.6.16 and earlier allows context-dependent attackers to cause a denial of service (infinite recursion) via an image file with crafted EXIF tags, possibly involving the exif_loader_write function in exif_loader.c.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libexif 0.6.16 and earlier allows context-dependent attackers to cause a denial of service (infinite recursion) via an image file with crafted EXIF tags, possibly involving the exif_loader_write function in exif_loader.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of "useless newly zeroed pages."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of "useless newly zeroed pages."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the setBytePixels function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via crafted arguments, aka Bug Id 6872358.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the setBytePixels function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via crafted arguments, aka Bug Id 6872358.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDXMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the exif_data_load_data_entry function in libexif/exif-data.c in Libexif before 0.6.16 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via an image with many EXIF components, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the exif_data_load_data_entry function in libexif/exif-data.c in Libexif before 0.6.16 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via an image with many EXIF components, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Distributed Lock Manager (DLM) in the cluster manager for Linux kernel 2.6.15 allows remote attackers to cause a denial of service (loss of lock services) by connecting to the DLM port, which probably prevents other processes from accessing the service.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Distributed Lock Manager (DLM) in the cluster manager for Linux kernel 2.6.15 allows remote attackers to cause a denial of service (loss of lock services) by connecting to the DLM port, which probably prevents other processes from accessing the service.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDAdobe Macromedia Flash Player 7 and 9, when used with Opera before 9.20 or Konqueror before 20070613, allows remote attackers to obtain sensitive information (browser keystrokes), which are leaked to the Flash Player applet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Adobe Macromedia Flash Player 7 and 9, when used with Opera before 9.20 or Konqueror before 20070613, allows remote attackers to obtain sensitive information (browser keystrokes), which are leaked to the Flash Player applet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe LDAP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet, a different vulnerability than CVE-2006-5740.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The LDAP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet, a different vulnerability than CVE-2006-5740.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Wireshark (formerly Ethereal) 0.99.5 through 0.99.8 allow remote attackers to cause a denial of service (application crash) via a malformed packet to the (1) X.509sat or (2) Roofnet dissectors. NOTE: Vector 2 might also lead to a hang.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) 0.99.5 through 0.99.8 allow remote attackers to cause a denial of service (application crash) via a malformed packet to the (1) X.509sat or (2) Roofnet dissectors. NOTE: Vector 2 might also lead to a hang.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.14 does not properly implement certain dialogs associated with the (1) pkcs11.addmodule and (2) pkcs11.deletemodule operations, which makes it easier for remote attackers to trick a user into installing or removing an arbitrary PKCS11 module.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.14 does not properly implement certain dialogs associated with the (1) pkcs11.addmodule and (2) pkcs11.deletemodule operations, which makes it easier for remote attackers to trick a user into installing or removing an arbitrary PKCS11 module.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the cpuset_tasks_read function in the Linux kernel before 2.6.20.13, and 2.6.21.x before 2.6.21.4, when the cpuset filesystem is mounted, allows local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the cpuset_tasks_read function in the Linux kernel before 2.6.20.13, and 2.6.21.x before 2.6.21.4, when the cpuset filesystem is mounted, allows local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDyum-rhn-plugin in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Enterprise Linux (RHEL) 5 and Fedora uses world-readable permissions for the /var/spool/up2date/loginAuth.pkl file, which allows local users to access the Red Hat Network profile, and possibly prevent future security updates, by leveraging authentication data from this file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5yum-rhn-plugin in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Enterprise Linux (RHEL) 5 and Fedora uses world-readable permissions for the /var/spool/up2date/loginAuth.pkl file, which allows local users to access the Red Hat Network profile, and possibly prevent future security updates, by leveraging authentication data from this file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDAbsolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSamba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcomponents/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDjslock.cpp in Mozilla Firefox 3.x before 3.0.2, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying the window.__proto__.__proto__ object in a way that causes a lock on a non-native object, which triggers an assertion failure related to the OBJ_IS_NATIVE function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5jslock.cpp in Mozilla Firefox 3.x before 3.0.2, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying the window.__proto__.__proto__ object in a way that causes a lock on a non-native object, which triggers an assertion failure related to the OBJ_IS_NATIVE function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe page cache feature in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 can generate hash collisions that cause page data to be appended to the wrong page cache, which allows remote attackers to obtain sensitive information or enable further attack vectors when the target page is reloaded from the cache.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The page cache feature in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 can generate hash collisions that cause page data to be appended to the wrong page cache, which allows remote attackers to obtain sensitive information or enable further attack vectors when the target page is reloaded from the cache.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow remote attackers to cause a denial of service (crash) via (1) a crafted MP3 file or (2) unspecified vectors to the NCP dissector.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow remote attackers to cause a denial of service (crash) via (1) a crafted MP3 file or (2) unspecified vectors to the NCP dissector.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple untrusted search path vulnerabilities in dstat before 0.7.0 allow local users to gain privileges via a Trojan horse Python module in (1) the current working directory or (2) a certain subdirectory of the current working directory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple untrusted search path vulnerabilities in dstat before 0.7.0 allow local users to gain privileges via a Trojan horse Python module in (1) the current working directory or (2) a certain subdirectory of the current working directory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the fbShmPutImage function in the MIT-SHM extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to read arbitrary process memory via crafted values for a Pixmap width and height.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the fbShmPutImage function in the MIT-SHM extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to read arbitrary process memory via crafted values for a Pixmap width and height.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGNOME NetworkManager before 0.7.0.99 does not properly verify privileges for dbus (1) modify and (2) delete requests, which allows local users to change or remove the network connections of arbitrary users via unspecified vectors related to org.freedesktop.NetworkManagerUserSettings and at_console.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GNOME NetworkManager before 0.7.0.99 does not properly verify privileges for dbus (1) modify and (2) delete requests, which allows local users to change or remove the network connections of arbitrary users via unspecified vectors related to org.freedesktop.NetworkManagerUserSettings and at_console.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTED** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-0689. Reason: This candidate is a duplicate of CVE-2009-0689. Certain codebase relationships were not originally clear. Notes: All CVE users should reference CVE-2009-0689 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-0689. Reason: This candidate is a duplicate of CVE-2009-0689. Certain codebase relationships were not originally clear. Notes: All CVE users should reference CVE-2009-0689 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "javascript" sequence, aka "HTML escaped low surrogates bug."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657026.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657026.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 allows remote attackers to spoof certain user interface elements, such as the host name or security indicators, via the CSS3 hotspot property with a large, transparent, custom cursor.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 allows remote attackers to spoof certain user interface elements, such as the host name or security indicators, via the CSS3 hotspot property with a large, transparent, custom cursor.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the browser engine in Mozilla Firefox before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the browser engine in Mozilla Firefox before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the SMB dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service via unknown vectors. NOTE: this identifier originally included MP3 and NCP, but those issues are already covered by CVE-2007-6111.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the SMB dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service via unknown vectors. NOTE: this identifier originally included MP3 and NCP, but those issues are already covered by CVE-2007-6111.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to graphics rendering and (1) handling of a long alert messagebox in the cairo_surface_set_device_offset function, (2) integer overflows when handling animated PNG data in the info_callback function in nsPNGDecoder.cpp, and (3) an integer overflow when handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide function in nsSVGFilters.cpp.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to graphics rendering and (1) handling of a long alert messagebox in the cairo_surface_set_device_offset function, (2) integer overflows when handling animated PNG data in the info_callback function in nsPNGDecoder.cpp, and (3) an integer overflow when handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide function in nsSVGFilters.cpp.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCamel (camel-imap-folder.c) in the mailer component for Evolution Data Server 1.11 allows remote IMAP servers to execute arbitrary code via a negative SEQUENCE value in GData, which is used as an array index.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Camel (camel-imap-folder.c) in the mailer component for Evolution Data Server 1.11 allows remote IMAP servers to execute arbitrary code via a negative SEQUENCE value in GData, which is used as an array index.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDneon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in the Archive::Tar Perl module 1.36 and earlier allows user-assisted remote attackers to overwrite arbitrary files via a TAR archive that contains a file whose name is an absolute path or has ".." sequences.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in the Archive::Tar Perl module 1.36 and earlier allows user-assisted remote attackers to overwrite arbitrary files via a TAR archive that contains a file whose name is an absolute path or has ".." sequences.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the decrypt_out function in Pidgin (formerly Gaim) before 2.5.6 allows remote attackers to cause a denial of service (application crash) via a QQ packet.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) before 2.5.6 allows remote attackers to cause a denial of service (application crash) via a QQ packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. NOTE: this issue exists because of an insufficient fix for CVE-2005-2267.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. NOTE: this issue exists because of an insufficient fix for CVE-2005-2267.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 6.2 does not properly count the number of named capturing subpatterns, which allows context-dependent attackers to cause a denial of service (crash) via a regular expression with a large number of named subpatterns, which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 6.2 does not properly count the number of named capturing subpatterns, which allows context-dependent attackers to cause a denial of service (crash) via a regular expression with a large number of named subpatterns, which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to insert arbitrary SystemTap kernel modules and gain privileges via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to insert arbitrary SystemTap kernel modules and gain privileges via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to create documents that lack script-handling objects, and execute arbitrary code with chrome privileges, via vectors related to (1) the document.loadBindingDocument function and (2) XSLT.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to create documents that lack script-handling objects, and execute arbitrary code with chrome privileges, via vectors related to (1) the document.loadBindingDocument function and (2) XSLT.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRuby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDusr/mgmt_ipc.c in iscsid in open-iscsi (iscsi-initiator-utils) before 2.0-865 checks the client's UID on the listening AF_LOCAL socket instead of the new connection, which allows remote attackers to access the management interface and cause a denial of service (iscsid exit or iSCSI connection loss).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5usr/mgmt_ipc.c in iscsid in open-iscsi (iscsi-initiator-utils) before 2.0-865 checks the client's UID on the listening AF_LOCAL socket instead of the new connection, which allows remote attackers to access the management interface and cause a denial of service (iscsid exit or iSCSI connection loss).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the insertItemBefore method in WebKit, as used in Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before 1.0.154.65, and possibly other products allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the (1) SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object, which triggers memory corruption.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the insertItemBefore method in WebKit, as used in Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before 1.0.154.65, and possibly other products allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the (1) SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object, which triggers memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDarch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Remote Desktop Protocol (RDP) request with a small length field.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Remote Desktop Protocol (RDP) request with a small length field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via large subsample dimensions in a JPEG file that triggers a heap-based buffer overflow, aka Bug Id 6874643.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via large subsample dimensions in a JPEG file that triggers a heap-based buffer overflow, aka Bug Id 6874643.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFormat string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 6.7 does not properly calculate the compiled memory allocation for regular expressions that involve a quantified "subpattern containing a named recursion or subroutine reference," which allows context-dependent attackers to cause a denial of service (error or crash).Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 6.7 does not properly calculate the compiled memory allocation for regular expressions that involve a quantified "subpattern containing a named recursion or subroutine reference," which allows context-dependent attackers to cause a denial of service (error or crash).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes the hosts_ctl function with the wrong order of arguments, which causes TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The good_client function in nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes the hosts_ctl function with the wrong order of arguments, which causes TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote attackers to inject arbitrary web script or HTML via the sort parameter.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote attackers to inject arbitrary web script or HTML via the sort parameter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the HTTP dissector for Wireshark (formerly Ethereal) 0.10.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted chunked messages.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the HTTP dissector for Wireshark (formerly Ethereal) 0.10.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted chunked messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update 4 and earlier does not reject the "localhost.localdomain" domain name for e-mail messages that come from external hosts, which might allow remote attackers to spoof messages.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update 4 and earlier does not reject the "localhost.localdomain" domain name for e-mail messages that come from external hosts, which might allow remote attackers to spoof messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing br sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not prevent the existence of children of a resurrected ClassLoader, which allows remote attackers to gain privileges via unspecified vectors, related to an "information leak vulnerability," aka Bug Id 6636650.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not prevent the existence of children of a resurrected ClassLoader, which allows remote attackers to gain privileges via unspecified vectors, related to an "information leak vulnerability," aka Bug Id 6636650.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the Window's titlebar when displaying XUL markup language documents, which makes it easier for remote attackers to conduct phishing and spoofing attacks by setting the hidechrome attribute.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the Window's titlebar when displaying XUL markup language documents, which makes it easier for remote attackers to conduct phishing and spoofing attacks by setting the hidechrome attribute.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remote attackers to have an unknown impact via a GIF file with a large code_size value, a similar issue to CVE-2006-4484.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remote attackers to have an unknown impact via a GIF file with a large code_size value, a similar issue to CVE-2006-4484.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass "restrictions imposed on local HTML files," and obtain sensitive information and prompt users to write this information into a file, via directory traversal sequences in a resource: URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass "restrictions imposed on local HTML files," and obtain sensitive information and prompt users to write this information into a file, via directory traversal sequences in a resource: URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the libsvn_delta library in Subversion before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and remote Subversion servers to execute arbitrary code via an svndiff stream with large windows that trigger a heap-based buffer overflow, a related issue to CVE-2009-2412.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the libsvn_delta library in Subversion before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and remote Subversion servers to execute arbitrary code via an svndiff stream with large windows that trigger a heap-based buffer overflow, a related issue to CVE-2009-2412.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe default configuration for autofs 5 (autofs5) in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 4 and 5, does not specify the nodev mount option for the -hosts map, which allows local users to access "important devices" by operating a remote NFS server and creating special device files on that server, as demonstrated by the /dev/mem device.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The default configuration for autofs 5 (autofs5) in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 4 and 5, does not specify the nodev mount option for the -hosts map, which allows local users to access "important devices" by operating a remote NFS server and creating special device files on that server, as demonstrated by the /dev/mem device.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not prevent stack expansion from entering into reserved kernel page memory, which allows local users to cause a denial of service (OOPS) via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not prevent stack expansion from entering into reserved kernel page memory, which allows local users to cause a denial of service (OOPS) via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail 1.4.0 through 1.4.9a allows remote attackers to send e-mails from arbitrary users via certain data in the SRC attribute of an IMG element.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail 1.4.0 through 1.4.9a allows remote attackers to send e-mails from arbitrary users via certain data in the SRC attribute of an IMG element.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5, when running on Linux systems with gnome-vfs support, might allow remote attackers to read arbitrary files on SSH/sftp servers that accept key authentication by creating a web page on the target server, in which the web page contains URIs with (1) smb: or (2) sftp: schemes that access other files from the server.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5, when running on Linux systems with gnome-vfs support, might allow remote attackers to read arbitrary files on SSH/sftp servers that accept key authentication by creating a web page on the target server, in which the web page contains URIs with (1) smb: or (2) sftp: schemes that access other files from the server.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in xpcom/io/nsEscape.cpp in the browser engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in xpcom/io/nsEscape.cpp in the browser engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe MMIO instruction decoder in the Xen hypervisor in the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows guest OS users to cause a denial of service (32-bit guest OS crash) via vectors that trigger an unspecified instruction emulation.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The MMIO instruction decoder in the Xen hypervisor in the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows guest OS users to cause a denial of service (32-bit guest OS crash) via vectors that trigger an unspecified instruction emulation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbackend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via certain aggregate functions in an UPDATE statement, which are not properly handled during a "MIN/MAX index optimization."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5backend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via certain aggregate functions in an UPDATE statement, which are not properly handled during a "MIN/MAX index optimization."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a DOM node with a long text value that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a DOM node with a long text value that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDstap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCoolKey 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files in the /tmp/.pk11ipc1/ directory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CoolKey 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files in the /tmp/.pk11ipc1/ directory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRed Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks on files in /tmp, involving unspecified components in Resource Group Manager (aka rgmanager) before 2.03.09-1, gfs2-utils before 2.03.09-1, and CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Red Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks on files in /tmp, involving unspecified components in Resource Group Manager (aka rgmanager) before 2.03.09-1, gfs2-utils before 2.03.09-1, and CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Open Phone Abstraction Library (opal), as used by (1) Ekiga before 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause a denial of service (crash) via an invalid Content-Length header field in Session Initiation Protocol (SIP) packets, which causes a \0 byte to be written to an "attacker-controlled address."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Open Phone Abstraction Library (opal), as used by (1) Ekiga before 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause a denial of service (crash) via an invalid Content-Length header field in Session Initiation Protocol (SIP) packets, which causes a \0 byte to be written to an "attacker-controlled address."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Internationalized Domain Names (IDN) blacklist in Mozilla Firefox 3.0.6 and other versions before 3.0.9; Thunderbird before 2.0.0.21; and SeaMonkey before 1.1.15 does not include box-drawing characters, which allows remote attackers to spoof URLs and conduct phishing attacks, as demonstrated by homoglyphs of the / (slash) and ? (question mark) characters in a subdomain of a .cn domain name, a different vulnerability than CVE-2005-0233. NOTE: some third parties claim that 3.0.6 is not affected, but much older versions perhaps are affected.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox 3.0.6 and other versions before 3.0.9; Thunderbird before 2.0.0.21; and SeaMonkey before 1.1.15 does not include box-drawing characters, which allows remote attackers to spoof URLs and conduct phishing attacks, as demonstrated by homoglyphs of the / (slash) and ? (question mark) characters in a subdomain of a .cn domain name, a different vulnerability than CVE-2005-0233. NOTE: some third parties claim that 3.0.6 is not affected, but much older versions perhaps are affected.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a "missing kfree."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a "missing kfree."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for CVE-2007-6239.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for CVE-2007-6239.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to cause a denial of service (crash) via a malformed RPC Portmap packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to cause a denial of service (crash) via a malformed RPC Portmap packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors related to the _moveToEdgeShift XUL tree method, which triggers garbage collection on objects that are still in use, as demonstrated by Nils during a PWN2OWN competition at CanSecWest 2009.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors related to the _moveToEdgeShift XUL tree method, which triggers garbage collection on objects that are still in use, as demonstrated by Nils during a PWN2OWN competition at CanSecWest 2009.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInternational Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.2, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to use of mutable strings in the js_StringReplaceHelper function in js/src/jsstr.cpp, and unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.2, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to use of mutable strings in the js_StringReplaceHelper function in js/src/jsstr.cpp, and unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via multiple vectors that trigger an assertion failure or other consequences.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via multiple vectors that trigger an assertion failure or other consequences.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a "numeric truncation error," a different vulnerability than CVE-2008-2152.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a "numeric truncation error," a different vulnerability than CVE-2008-2152.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe audio system in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to java.lang.System properties by (1) untrusted applets and (2) Java Web Start applications, which allows context-dependent attackers to obtain sensitive information by reading these properties.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The audio system in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to java.lang.System properties by (1) untrusted applets and (2) Java Web Start applications, which allows context-dependent attackers to obtain sensitive information by reading these properties.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the RMI dissector in Wireshark (formerly Ethereal) 0.9.5 through 1.0.0 allows remote attackers to read system memory via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the RMI dissector in Wireshark (formerly Ethereal) 0.9.5 through 1.0.0 allows remote attackers to read system memory via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDNetworkManager (NM) 0.7.2 does not ensure that the configured Certification Authority (CA) certificate file for a (1) WPA Enterprise or (2) 802.1x network remains present upon a connection attempt, which might allow remote attackers to obtain sensitive information or cause a denial of service (connectivity disruption) by spoofing the identity of a wireless network.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5NetworkManager (NM) 0.7.2 does not ensure that the configured Certification Authority (CA) certificate file for a (1) WPA Enterprise or (2) 802.1x network remains present upon a connection attempt, which might allow remote attackers to obtain sensitive information or cause a denial of service (connectivity disruption) by spoofing the identity of a wireless network.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey before 1.0.8 allows remote attackers to trigger a buffer overflow and possibly execute arbitrary code via a text/enhanced or text/richtext e-mail message with an extremely long line.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey before 1.0.8 allows remote attackers to trigger a buffer overflow and possibly execute arbitrary code via a text/enhanced or text/richtext e-mail message with an extremely long line.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Quattro Pro (QPRO) file with crafted values that trigger an excessive loop and a stack-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Quattro Pro (QPRO) file with crafted values that trigger an excessive loop and a stack-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnet/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDError handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the seek_to_and_unpack_pixeldata function in the psd.c plugin in Gimp 2.2.15 allows remote attackers to execute arbitrary code via a crafted PSD file that contains a large (1) width or (2) height value.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the seek_to_and_unpack_pixeldata function in the psd.c plugin in Gimp 2.2.15 allows remote attackers to execute arbitrary code via a crafted PSD file that contains a large (1) width or (2) height value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, and 5.x before 5.2.2, has unknown impact and remote attack vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, and 5.x before 5.2.2, has unknown impact and remote attack vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple format string vulnerabilities in isns.c in (1) Linux SCSI target framework (aka tgt or scsi-target-utils) 1.0.3, 0.9.5, and earlier and (2) iSCSI Enterprise Target (aka iscsitarget) 0.4.16 allow remote attackers to cause a denial of service (tgtd daemon crash) or possibly have unspecified other impact via vectors that involve the isns_attr_query and qry_rsp_handle functions, and are related to (a) client appearance and (b) client disappearance messages.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple format string vulnerabilities in isns.c in (1) Linux SCSI target framework (aka tgt or scsi-target-utils) 1.0.3, 0.9.5, and earlier and (2) iSCSI Enterprise Target (aka iscsitarget) 0.4.16 allow remote attackers to cause a denial of service (tgtd daemon crash) or possibly have unspecified other impact via vectors that involve the isns_attr_query and qry_rsp_handle functions, and are related to (a) client appearance and (b) client disappearance messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allow remote attackers to access files or execute arbitrary code via (1) a crafted PNG image that triggers an integer overflow during memory allocation for display on the splash screen, aka CR 6804996; and (2) a crafted GIF image from which unspecified values are used in calculation of offsets, leading to object-pointer corruption, aka CR 6804997.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allow remote attackers to access files or execute arbitrary code via (1) a crafted PNG image that triggers an integer overflow during memory allocation for display on the splash screen, aka CR 6804996; and (2) a crafted GIF image from which unspecified values are used in calculation of offsets, leading to object-pointer corruption, aka CR 6804997.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the ReadPCXImage function in the PCX coder in coders/pcx.c in (1) ImageMagick 6.2.4-5 and 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the ReadPCXImage function in the PCX coder in coders/pcx.c in (1) ImageMagick 6.2.4-5 and 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlayout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 through 2.6.18-53, when running on PowerPC, might allow local users to cause a denial of service (crash) via unknown vectors that cause the of_get_property function to fail, which triggers a NULL pointer dereference.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 through 2.6.18-53, when running on PowerPC, might allow local users to cause a denial of service (crash) via unknown vectors that cause the of_get_property function to fail, which triggers a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Infiniband dissector in Wireshark 1.0.6 through 1.2.0, when running on unspecified platforms, allows remote attackers to cause a denial of service (crash) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0.6 through 1.2.0, when running on unspecified platforms, allows remote attackers to cause a denial of service (crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe form autocomplete feature in Mozilla Firefox 1.5.x before 1.5.0.12, 2.x before 2.0.0.4, and possibly earlier versions, allows remote attackers to cause a denial of service (persistent temporary CPU consumption) via a large number of characters in a submitted form.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The form autocomplete feature in Mozilla Firefox 1.5.x before 1.5.0.12, 2.x before 2.0.0.4, and possibly earlier versions, allows remote attackers to cause a denial of service (persistent temporary CPU consumption) via a large number of characters in a submitted form.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx is configured as a URL handler, allows remote attackers to execute arbitrary commands via a crafted lynxcgi: URL, a related issue to CVE-2005-2929. NOTE: this might only be a vulnerability in limited deployments that have defined a lynxcgi: handler.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx is configured as a URL handler, allows remote attackers to execute arbitrary commands via a crafted lynxcgi: URL, a related issue to CVE-2005-2929. NOTE: this might only be a vulnerability in limited deployments that have defined a lynxcgi: handler.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe backend for XenSource Xen Para Virtualized Frame Buffer (PVFB) in Xen ioemu does not properly restrict the frame buffer size, which allows attackers to cause a denial of service (crash) by mapping an arbitrary amount of guest memory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The backend for XenSource Xen Para Virtualized Frame Buffer (PVFB) in Xen ioemu does not properly restrict the frame buffer size, which allows attackers to cause a denial of service (crash) by mapping an arbitrary amount of guest memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21 and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before 2.8.9, allows remote attackers to cause a denial of service (daemon crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK Dead Peer Detection (DPD) IPsec IKE Notification message that triggers a NULL pointer dereference related to inconsistent ISAKMP state and the lack of a phase2 state association in DPD.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21 and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before 2.8.9, allows remote attackers to cause a denial of service (daemon crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK Dead Peer Detection (DPD) IPsec IKE Notification message that triggers a NULL pointer dereference related to inconsistent ISAKMP state and the lack of a phase2 state association in DPD.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows remote user-assisted web sites to corrupt the user's password store via newlines that are not properly handled when the user saves a password.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows remote user-assisted web sites to corrupt the user's password store via newlines that are not properly handled when the user saves a password.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and (1) a zero value of the "this" variable in the nsContentList::Item function; (2) interaction of the indic IME extension, a Hindi language selection, and the "g" character; and (3) interaction of the nsFrameList::SortByContentOrder function with a certain insufficient protection of inline frames.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and (1) a zero value of the "this" variable in the nsContentList::Item function; (2) interaction of the indic IME extension, a Hindi language selection, and the "g" character; and (3) interaction of the nsFrameList::SortByContentOrder function with a certain insufficient protection of inline frames.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that is seeded only once per browser session, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that is seeded only once per browser session, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to gczeal, a different vulnerability than CVE-2009-0773.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to gczeal, a different vulnerability than CVE-2009-0773.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDouble free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding".Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding".Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2007-3278.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libspice, as used in QEMU-KVM in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H or rhev-hypervisor) before 5.5-2.2 and possibly other products, allows guest OS users to read from or write to arbitrary QEMU memory by modifying the address that is used by Cairo for memory mappings.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2007-3278.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2007-3278.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to execute arbitrary code via an XUL document that includes a script from a chrome: URI that points to a fastload file, related to this file's "privilege level."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to execute arbitrary code via an XUL document that includes a script from a chrome: URI that points to a fastload file, related to this file's "privilege level."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDgcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in extract.c in star before 1.5a84 allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in extract.c in star before 1.5a84 allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe garbage-collection implementation in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets an element's owner document to null in unspecified circumstances, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted event handler, related to an incorrect context for this event handler.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The garbage-collection implementation in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets an element's owner document to null in unspecified circumstances, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted event handler, related to an incorrect context for this event handler.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDprotocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrary JavaScript with chrome privileges via malicious code in a file that has already been saved on the local system.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrary JavaScript with chrome privileges via malicious code in a file that has already been saved on the local system.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsocket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL Community Server before 5.0.45 allows remote attackers to cause a denial of service (daemon crash) via a malformed password packet in the connection protocol.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL Community Server before 5.0.45 allows remote attackers to cause a denial of service (daemon crash) via a malformed password packet in the connection protocol.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reachable assertion or (2) an integer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reachable assertion or (2) an integer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 do not properly manage reference counts for option elements in a XUL tree optgroup, which might allow remote attackers to execute arbitrary code via unspecified vectors that trigger access to deleted elements, related to a "dangling pointer vulnerability."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 do not properly manage reference counts for option elements in a XUL tree optgroup, which might allow remote attackers to execute arbitrary code via unspecified vectors that trigger access to deleted elements, related to a "dangling pointer vulnerability."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe CUPS service on multiple platforms allows remote attackers to cause a denial of service (service hang) via a "partially-negotiated" SSL connection, which prevents other requests from being accepted.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The CUPS service on multiple platforms allows remote attackers to cause a denial of service (service hang) via a "partially-negotiated" SSL connection, which prevents other requests from being accepted.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not properly parse URLs with leading whitespace or control characters, which might allow remote attackers to misrepresent URLs and simplify phishing attacks.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not properly parse URLs with leading whitespace or control characters, which might allow remote attackers to misrepresent URLs and simplify phishing attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSIONs:39:".Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in PHP before 5.2.4 has unknown impact and attack vectors, related to an "Improved fix for MOPB-03-2007," probably a variant of CVE-2007-1285.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in PHP before 5.2.4 has unknown impact and attack vectors, related to an "Improved fix for MOPB-03-2007," probably a variant of CVE-2007-1285.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the DHCP/BOOTP dissector in Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via crafted DHCP-over-DOCSIS packets.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the DHCP/BOOTP dissector in Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via crafted DHCP-over-DOCSIS packets.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple heap-based buffer overflows in OpenOffice.org before 2.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Quattro Pro (QPRO) file with crafted (1) Attribute and (2) Font Description records.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple heap-based buffer overflows in OpenOffice.org before 2.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Quattro Pro (QPRO) file with crafted (1) Attribute and (2) Font Description records.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe http-index-format MIME type parser (nsDirIndexParser) in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 does not check for an allocation failure, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP index response with a crafted 200 header, which triggers memory corruption and a buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The http-index-format MIME type parser (nsDirIndexParser) in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 does not check for an allocation failure, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP index response with a crafted 200 header, which triggers memory corruption and a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibungif library before 4.1.0 allows attackers to cause a denial of service via a crafted GIF file that triggers a null dereference.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libungif library before 4.1.0 allows attackers to cause a denial of service via a crafted GIF file that triggers a null dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDX.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to execute arbitrary code via vectors involving multiple plugin instances.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to execute arbitrary code via vectors involving multiple plugin instances.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the RPC library used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.4 through 1.6.3 allows remote attackers to execute arbitrary code by triggering a large number of open file descriptors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the RPC library used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.4 through 1.6.3 allows remote attackers to execute arbitrary code by triggering a large number of open file descriptors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDwtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFormat string vulnerability in Ekiga 2.0.3, and probably other versions, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2007-1006.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Format string vulnerability in Ekiga 2.0.3, and probably other versions, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2007-1006.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe session restore feature in Mozilla Firefox 3.x before 3.0.4 and 2.x before 2.0.0.18 allows remote attackers to violate the same origin policy to conduct cross-site scripting (XSS) attacks and execute arbitrary JavaScript with chrome privileges via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The session restore feature in Mozilla Firefox 3.x before 3.0.4 and 2.x before 2.0.0.18 allows remote attackers to violate the same origin policy to conduct cross-site scripting (XSS) attacks and execute arbitrary JavaScript with chrome privileges via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long header in a news article, related to "canceling [a] newsgroup message" and "cancelled newsgroup messages."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long header in a news article, related to "canceling [a] newsgroup message" and "cancelled newsgroup messages."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpwlib, as used by Ekiga 2.0.5 and possibly other products, allows remote attackers to cause a denial of service (application crash) via a long argument to the PString::vsprintf function, related to a "memory management flaw". NOTE: this issue was originally reported as being in the SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5pwlib, as used by Ekiga 2.0.5 and possibly other products, allows remote attackers to cause a denial of service (application crash) via a long argument to the PString::vsprintf function, related to a "memory management flaw". NOTE: this issue was originally reported as being in the SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDudev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers and an Array memory leak during requests for cached objects.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers and an Array memory leak during requests for cached objects.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) the frame chain and synchronous events, (2) a SetMayHaveFrame assertion and nsCSSFrameConstructor::CreateFloatingLetterFrame, (3) nsCSSFrameConstructor::ConstructFrame, (4) the child list and initial reflow, (5) GetLastSpecialSibling, (6) nsFrameManager::GetPrimaryFrameFor and MathML, (7) nsFrame::GetBoxAscent, (8) nsCSSFrameConstructor::AdjustParentFrame, (9) nsDOMOfflineResourceList, and (10) nsContentUtils::ComparePosition.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) the frame chain and synchronous events, (2) a SetMayHaveFrame assertion and nsCSSFrameConstructor::CreateFloatingLetterFrame, (3) nsCSSFrameConstructor::ConstructFrame, (4) the child list and initial reflow, (5) GetLastSpecialSibling, (6) nsFrameManager::GetPrimaryFrameFor and MathML, (7) nsFrame::GetBoxAscent, (8) nsCSSFrameConstructor::AdjustParentFrame, (9) nsDOMOfflineResourceList, and (10) nsContentUtils::ComparePosition.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbackend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via a coercion of an unknown element to ANYARRAY.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via a coercion of an unknown element to ANYARRAY.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2".Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2".Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPHP before 5.2.3 allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the pattern parameter to the glob function; or (2) a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PHP before 5.2.3 allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the pattern parameter to the glob function; or (2) a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe GDM daemon in GNOME Display Manager (GDM) before 2.14.13, 2.16.x before 2.16.7, 2.18.x before 2.18.4, and 2.19.x before 2.19.5 does not properly handle NULL return values from the g_strsplit function, which allows local users to cause a denial of service (persistent daemon crash) via a crafted command to the daemon's socket, related to (1) gdm.c and (2) gdmconfig.c in daemon/, and (3) gdmconfig.c and (4) gdmflexiserver.c in gui/.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The GDM daemon in GNOME Display Manager (GDM) before 2.14.13, 2.16.x before 2.16.7, 2.18.x before 2.18.4, and 2.19.x before 2.19.5 does not properly handle NULL return values from the g_strsplit function, which allows local users to cause a denial of service (persistent daemon crash) via a crafted command to the daemon's socket, related to (1) gdm.c and (2) gdmconfig.c in daemon/, and (3) gdmconfig.c and (4) gdmflexiserver.c in gui/.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the Red Hat Content Accelerator kernel patch in Red Hat Enterprise Linux (RHEL) 4 and 5 allows local users to cause a denial of service (memory consumption) via a large number of open requests involving O_ATOMICLOOKUP.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the Red Hat Content Accelerator kernel patch in Red Hat Enterprise Linux (RHEL) 4 and 5 allows local users to cause a denial of service (memory consumption) via a large number of open requests involving O_ATOMICLOOKUP.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via crafted records in the document table of a Word document, leading to a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via crafted records in the document table of a Word document, leading to a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Check Point High-Availability Protocol (CPHAP) dissector in Wireshark 0.9.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted FWHA_MY_STATE packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Check Point High-Availability Protocol (CPHAP) dissector in Wireshark 0.9.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted FWHA_MY_STATE packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVisual truncation vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain systems, allows remote attackers to cause a denial of service (crash) via crafted iSeries capture files that trigger a SIGTRAP.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain systems, allows remote attackers to cause a denial of service (crash) via crafted iSeries capture files that trigger a SIGTRAP.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDyum-rhn-plugin in Red Hat Enterprise Linux (RHEL) 5 does not verify the SSL certificate for a file download from a Red Hat Network (RHN) server, which makes it easier for remote man-in-the-middle attackers to cause a denial of service (loss of updates) or force the download and installation of official Red Hat packages that were not requested.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5yum-rhn-plugin in Red Hat Enterprise Linux (RHEL) 5 does not verify the SSL certificate for a file download from a Red Hat Network (RHN) server, which makes it easier for remote man-in-the-middle attackers to cause a denial of service (loss of updates) or force the download and installation of official Red Hat packages that were not requested.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe GSM SMS dissector in Wireshark (formerly Ethereal) 0.99.2 through 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The GSM SMS dissector in Wireshark (formerly Ethereal) 0.99.2 through 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDparse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted Tektronix K12 text capture file, as demonstrated by a file with exactly one frame.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted Tektronix K12 text capture file, as demonstrated by a file with exactly one frame.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir-i_size and dir-i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in OpenOffice.org (OOo) 2.x before 2.4.2 allow remote attackers to execute arbitrary code via crafted EMR records in an EMF file associated with a StarOffice/StarSuite document, which trigger a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in OpenOffice.org (OOo) 2.x before 2.4.2 allow remote attackers to execute arbitrary code via crafted EMR records in an EMF file associated with a StarOffice/StarSuite document, which trigger a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe load_tile function in the XCF coder in coders/xcf.c in (1) ImageMagick 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write, possibly related to the ScaleCharToQuantum function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The load_tile function in the XCF coder in coders/xcf.c in (1) ImageMagick 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write, possibly related to the ScaleCharToQuantum function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the image loader plug-ins in GIMP before 2.2.16 allow user-assisted remote attackers to execute arbitrary code via crafted length values in (1) DICOM, (2) PNM, (3) PSD, (4) PSP, (5) Sun RAS, (6) XBM, and (7) XWD files.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the image loader plug-ins in GIMP before 2.2.16 allow user-assisted remote attackers to execute arbitrary code via crafted length values in (1) DICOM, (2) PNM, (3) PSD, (4) PSP, (5) Sun RAS, (6) XBM, and (7) XWD files.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows context-dependent attackers to gain privileges via unspecified length fields in the header of a Pack200-compressed JAR file, which leads to a heap-based buffer overflow during decompression.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows context-dependent attackers to gain privileges via unspecified length fields in the header of a Pack200-compressed JAR file, which leads to a heap-based buffer overflow during decompression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCRLF injection vulnerability in the ftp_putcmd function in PHP before 4.4.7, and 5.x before 5.2.2 allows remote attackers to inject arbitrary FTP commands via CRLF sequences in the parameters to earlier FTP commands.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CRLF injection vulnerability in the ftp_putcmd function in PHP before 4.4.7, and 5.x before 5.2.2 allows remote attackers to inject arbitrary FTP commands via CRLF sequences in the parameters to earlier FTP commands.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote attackers to read form history by forging mouse and keyboard events that leverage the auto-fill feature to populate form fields, in an attacker-readable form, with history entries.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote attackers to read form history by forging mouse and keyboard events that leverage the auto-fill feature to populate form fields, in an attacker-readable form, with history entries.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, frees the contents of the window.navigator.plugins array while a reference to an array element is still active, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to a "dangling pointer vulnerability."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, frees the contents of the window.navigator.plugins array while a reference to an array element is still active, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to a "dangling pointer vulnerability."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDarch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDgnome-screensaver before 2.22.1, when a remote authentication server is enabled, crashes upon an unlock attempt during a network outage, which allows physically proximate attackers to gain access to the locked session, a related issue to CVE-2007-1859.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5gnome-screensaver before 2.22.1, when a remote authentication server is enabled, crashes upon an unlock attempt during a network outage, which allows physically proximate attackers to gain access to the locked session, a related issue to CVE-2007-1859.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe init.d script for the X.Org X11 xfs font server on various Linux distributions might allow local users to change the permissions of arbitrary files via a symlink attack on the /tmp/.font-unix temporary file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The init.d script for the X.Org X11 xfs font server on various Linux distributions might allow local users to change the permissions of arbitrary files via a symlink attack on the /tmp/.font-unix temporary file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the MathML component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via an mtd element with a large integer value in the rowspan attribute, related to the layout engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the MathML component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via an mtd element with a large integer value in the rowspan attribute, related to the layout engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier dereferences an iwl_get_hw_mode return value without checking for NULL, which might allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors during module initialization.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier dereferences an iwl_get_hw_mode return value without checking for NULL, which might allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors during module initialization.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in OpenOffice.org (OOo) 2.x before 2.4.2 allows remote attackers to execute arbitrary code via a crafted WMF file associated with a StarOffice/StarSuite document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in OpenOffice.org (OOo) 2.x before 2.4.2 allows remote attackers to execute arbitrary code via a crafted WMF file associated with a StarOffice/StarSuite document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 on Linux allows remote attackers to read arbitrary files via a .. (dot dot) and URL-encoded / (slash) characters in a resource: URI.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 on Linux allows remote attackers to read arbitrary files via a .. (dot dot) and URL-encoded / (slash) characters in a resource: URI.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an "out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an "out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id 6664512.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id 6664512.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcontent_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to cause a denial of service via (1) a large cookie path parameter, which triggers memory consumption, or (2) an internal delimiter within cookie path or name values, which could trigger a misinterpretation of cookie data, aka "Path Abuse in Cookies."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to cause a denial of service via (1) a large cookie path parameter, which triggers memory consumption, or (2) an internal delimiter within cookie path or name values, which could trigger a misinterpretation of cookie data, aka "Path Abuse in Cookies."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the setDiffICM function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a crafted argument, aka Bug Id 6872357.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the setDiffICM function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a crafted argument, aka Bug Id 6872357.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Free Software Foundation (FSF) Berkeley DB NSS module (aka libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working directory, which allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses this module.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Free Software Foundation (FSF) Berkeley DB NSS module (aka libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working directory, which allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses this module.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via unspecified records in a crafted Word document, related to "table parsing."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via unspecified records in a crafted Word document, related to "table parsing."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the make_http_soap_request function in PHP before 5.2.2 has unknown impact and remote attack vectors, possibly related to "/" (slash) characters.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the make_http_soap_request function in PHP before 5.2.2 has unknown impact and remote attack vectors, possibly related to "/" (slash) characters.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in the JavaScript engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple vulnerabilities in the JavaScript engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFormat string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDhpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger signedness error in the cmsAllocGamma function in src/cmsgamma.c in Little cms color engine (aka lcms) before 1.17 allows attackers to have an unknown impact via a file containing a certain "number of entries" value, which is interpreted improperly, leading to an allocation of insufficient memory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer signedness error in the cmsAllocGamma function in src/cmsgamma.c in Little cms color engine (aka lcms) before 1.17 allows attackers to have an unknown impact via a file containing a certain "number of entries" value, which is interpreted improperly, leading to an allocation of insufficient memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the "stack unwinder fixes" in kernel in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the "stack unwinder fixes" in kernel in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Pack200 component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Pack200 component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark before 0.99.6 allows remote attackers to cause a denial of service via malformed (1) SSL or (2) MMS packets that trigger an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark before 0.99.6 allows remote attackers to cause a denial of service via malformed (1) SSL or (2) MMS packets that trigger an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDliblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDusr/log.c in iscsid in open-iscsi (iscsi-initiator-utils) before 2.0-865 uses a semaphore with insecure permissions (world-writable/world-readable) for managing log messages using shared memory, which allows local users to cause a denial of service (hang) by grabbing the semaphore.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5usr/log.c in iscsid in open-iscsi (iscsi-initiator-utils) before 2.0-865 uses a semaphore with insecure permissions (world-writable/world-readable) for managing log messages using shared memory, which allows local users to cause a denial of service (hang) by grabbing the semaphore.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDgfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat build script for nfs-utils before 1.0.9-35z.el5_2 on Red Hat Enterprise Linux (RHEL) 5 omits TCP wrappers support, which might allow remote attackers to bypass intended access restrictions.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat build script for nfs-utils before 1.0.9-35z.el5_2 on Red Hat Enterprise Linux (RHEL) 5 omits TCP wrappers support, which might allow remote attackers to bypass intended access restrictions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe hpssd message parser in hpssd.py in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to cause a denial of service (process stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP port 2207.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The hpssd message parser in hpssd.py in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to cause a denial of service (process stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP port 2207.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDxend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in nss_ldap, when used in applications that are linked against the pthread library and fork after a call to nss_ldap, might send user data to the wrong process because of improper handling of the LDAP connection. NOTE: this issue was originally reported for Dovecot with the wrong mailboxes being returned, but other applications might also be affected.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in nss_ldap, when used in applications that are linked against the pthread library and fork after a call to nss_ldap, might send user data to the wrong process because of improper handling of the LDAP connection. NOTE: this issue was originally reported for Dovecot with the wrong mailboxes being returned, but other applications might also be affected.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in packet_ncp2222.inc in Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted NCP packet that causes an invalid pointer to be used.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in packet_ncp2222.inc in Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted NCP packet that causes an invalid pointer to be used.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCertain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to cause a denial of service (disk consumption) by using the Font.createFont function to create temporary files of arbitrary size in the %temp% directory.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to cause a denial of service (disk consumption) by using the Font.createFont function to create temporary files of arbitrary size in the %temp% directory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDarch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRace condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an "off-by-two error."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an "off-by-two error."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDNet::DNS before 0.60, a Perl module, allows remote attackers to cause a denial of service (stack consumption) via a malformed compressed DNS packet with self-referencing pointers, which triggers an infinite loop.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Net::DNS before 0.60, a Perl module, allows remote attackers to cause a denial of service (stack consumption) via a malformed compressed DNS packet with self-referencing pointers, which triggers an infinite loop.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDouble free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted call, related to XPCNativeWrapper.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted call, related to XPCNativeWrapper.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service via (1) an invalid mapping type, which triggers an out-of-bounds read in the vorbis_info_clear function in info.c, and (2) invalid blocksize values that trigger a segmentation fault in the read function in block.c.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service via (1) an invalid mapping type, which triggers an out-of-bounds read in the vorbis_info_clear function in info.c, and (2) invalid blocksize values that trigger a segmentation fault in the read function in block.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPerl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat patch for acpid 1.0.4 effectively triggers a call to the open function with insufficient arguments, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file, cause a denial of service by overwriting this file, or gain privileges by executing this file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to the open function with insufficient arguments, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file, cause a denial of service by overwriting this file, or gain privileges by executing this file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE 3.5.5, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE 3.5.5, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe IPsec implementation in Linux kernel before 2.6.25 allows remote routers to cause a denial of service (crash) via a fragmented ESP packet in which the first fragment does not contain the entire ESP header and IV.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The IPsec implementation in Linux kernel before 2.6.25 allows remote routers to cause a denial of service (crash) via a fragmented ESP packet in which the first fragment does not contain the entire ESP header and IV.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSquirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDicc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "" characters in the GECOS field, which triggers the overflow during alias expansion.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnm-connection-editor in NetworkManager (NM) 0.7.x exports connection objects over D-Bus upon actions in the connection editor GUI, which allows local users to obtain sensitive information by reading D-Bus signals, as demonstrated by using dbus-monitor to discover the password for the WiFi network.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nm-connection-editor in NetworkManager (NM) 0.7.x exports connection objects over D-Bus upon actions in the connection editor GUI, which allows local users to obtain sensitive information by reading D-Bus signals, as demonstrated by using dbus-monitor to discover the password for the WiFi network.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) PANA and (2) KISMET dissectors in Wireshark (formerly Ethereal) 0.99.3 through 1.0.0 allow remote attackers to cause a denial of service (application stop) via unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) PANA and (2) KISMET dissectors in Wireshark (formerly Ethereal) 0.99.3 through 1.0.0 allow remote attackers to cause a denial of service (application stop) via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as used in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7, GPdf, and kdegraphics KPDF, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as used in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7, GPdf, and kdegraphics KPDF, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the ReadEmbeddedTextTag function in src/cmsio1.c in Little cms color engine (aka lcms) before 1.16 allows attackers to have an unknown impact via vectors related to a length parameter inconsistency involving the contents of "the input file," a different vulnerability than CVE-2007-2741.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the ReadEmbeddedTextTag function in src/cmsio1.c in Little cms color engine (aka lcms) before 1.16 allows attackers to have an unknown impact via vectors related to a length parameter inconsistency involving the contents of "the input file," a different vulnerability than CVE-2007-2741.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in the ICC_Profile.getInstance method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local International Color Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id 6631533.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in the ICC_Profile.getInstance method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local International Color Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id 6631533.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in Ipsec-tools before 0.6.7 allows remote attackers to cause a denial of service (tunnel crash) via crafted (1) DELETE (ISAKMP_NPTYPE_D) and (2) NOTIFY (ISAKMP_NPTYPE_N) messages.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in Ipsec-tools before 0.6.7 allows remote attackers to cause a denial of service (tunnel crash) via crafted (1) DELETE (ISAKMP_NPTYPE_D) and (2) NOTIFY (ISAKMP_NPTYPE_N) messages.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDJakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions, which allows remote authenticated users to gain privileges.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions, which allows remote authenticated users to gain privileges.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a stack-based buffer overflow using an untrusted size value in the readMabCurveData function in the CMM module in the JVM.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a stack-based buffer overflow using an untrusted size value in the readMabCurveData function in the CMM module in the JVM.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.12 and 3.5 before 3.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a Flash object, a slow script dialog, and the unloading of the Flash plugin, which triggers attempted use of a deleted object.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.12 and 3.5 before 3.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a Flash object, a slow script dialog, and the unloading of the Flash plugin, which triggers attempted use of a deleted object.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not properly parsed by the ASN.1 DER input stream parser, aka Bug Id 6864911.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not properly parsed by the ASN.1 DER input stream parser, aka Bug Id 6864911.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpacket-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption or assert errors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption or assert errors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in setroubleshoot 2.0.5 allows local users to inject arbitrary web script or HTML via a crafted (1) file or (2) process name, which triggers an Access Vector Cache (AVC) log entry in a log file used during composition of HTML documents for sealert.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in setroubleshoot 2.0.5 allows local users to inject arbitrary web script or HTML via a crafted (1) file or (2) process name, which triggers an Access Vector Cache (AVC) log entry in a log file used during composition of HTML documents for sealert.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before 0.7.1 allows remote authenticated users to cause a denial of service (memory consumption) via invalid proposals.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before 0.7.1 allows remote authenticated users to cause a denial of service (memory consumption) via invalid proposals.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to "unaligned access on some platforms."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to "unaligned access on some platforms."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsrc/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exists because of an incorrect fix for CVE-2009-1302.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exists because of an incorrect fix for CVE-2009-1302.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass intended privacy restrictions by using the persist attribute in an XUL element to create and access data entities that are similar to cookies.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass intended privacy restrictions by using the persist attribute in an XUL element to create and access data entities that are similar to cookies.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfunctions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDcontent/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows user-assisted remote attackers to bypass the Same Origin Policy and read an arbitrary content selection via the document.getSelection function.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows user-assisted remote attackers to bypass the Same Origin Policy and read an arbitrary content selection via the document.getSelection function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDVisual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPython 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace and is processed by the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissector. NOTE: it was later reported that the RADIUS issue also affects 0.10.13 through 1.0.9.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace and is processed by the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissector. NOTE: it was later reported that the RADIUS issue also affects 0.10.13 through 1.0.9.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.12 and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via vectors involving double frame construction, related to (1) nsHTMLContentSink.cpp, (2) nsXMLContentSink.cpp, and (3) nsPresShell.cpp, and the nsSubDocumentFrame::Reflow function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.12 and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via vectors involving double frame construction, related to (1) nsHTMLContentSink.cpp, (2) nsXMLContentSink.cpp, and (3) nsPresShell.cpp, and the nsSubDocumentFrame::Reflow function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger an assertion failure in jstracer.cpp.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger an assertion failure in jstracer.cpp.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow that allows arbitrary code execution via a crafted image.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow that allows arbitrary code execution via a crafted image.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to execute arbitrary JavaScript with chrome privileges via vectors involving an object, the FeedWriter, and the BrowserFeedWriter.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to execute arbitrary JavaScript with chrome privileges via vectors involving an object, the FeedWriter, and the BrowserFeedWriter.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Java Management Extensions (JMX) implementation in Sun Java SE 6 before Update 15, and OpenJDK, does not properly enforce OpenType checks, which allows context-dependent attackers to bypass intended access restrictions by leveraging finalizer resurrection to obtain a reference to a privileged object.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Java Management Extensions (JMX) implementation in Sun Java SE 6 before Update 15, and OpenJDK, does not properly enforce OpenType checks, which allows context-dependent attackers to bypass intended access restrictions by leveraging finalizer resurrection to obtain a reference to a privileged object.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDXen 3.1.1 does not prevent modification of the CR4 TSC from applications, which allows pv guests to cause a denial of service (crash).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Xen 3.1.1 does not prevent modification of the CR4 TSC from applications, which allows pv guests to cause a denial of service (crash).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving "bound check ordering". NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving "bound check ordering". NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the (1) PL_Base64Decode and (2) PL_Base64Encode functions in nsprpub/lib/libc/src/base64.c in Mozilla Firefox before 3.0.12, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors that trigger buffer overflows.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the (1) PL_Base64Decode and (2) PL_Base64Encode functions in nsprpub/lib/libc/src/base64.c in Mozilla Firefox before 3.0.12, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors that trigger buffer overflows.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDA certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4.8, permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4.8, permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbackend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple buffer overflows in the HP-GL/2-to-PostScript filter in CUPS before 1.3.6 might allow remote attackers to execute arbitrary code via a crafted HP-GL/2 file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple buffer overflows in the HP-GL/2-to-PostScript filter in CUPS before 1.3.6 might allow remote attackers to execute arbitrary code via a crafted HP-GL/2 file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSpamAssassin 3.1.x, 3.2.0, and 3.2.1 before 20070611, when running as root in unusual configurations using vpopmail or virtual users, allows local users to cause a denial of service (corrupt arbitrary files) via a symlink attack on a file that is used by spamd.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5SpamAssassin 3.1.x, 3.2.0, and 3.2.1 before 20070611, when running as root in unusual configurations using vpopmail or virtual users, allows local users to cause a denial of service (corrupt arbitrary files) via a symlink attack on a file that is used by spamd.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDAlgorithmic complexity vulnerability in the MCS translation daemon in mcstrans 0.2.3 allows local users to cause a denial of service (temporary daemon outage) via a large range of compartments in sensitivity labels.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Algorithmic complexity vulnerability in the MCS translation daemon in mcstrans 0.2.3 allows local users to cause a denial of service (temporary daemon outage) via a large range of compartments in sensitivity labels.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.3, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the BinHex decoder in netwerk/streamconv/converters/nsBinHexDecoder.cpp, and unknown vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.3, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the BinHex decoder in netwerk/streamconv/converters/nsBinHexDecoder.cpp, and unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDkonqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5PostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDWireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite or large loop) via the (1) IPv6 or (2) USB dissector, which can trigger resource consumption or a crash. NOTE: this identifier originally included Firebird/Interbase, but it is already covered by CVE-2007-6116. The DCP ETSI issue is already covered by CVE-2007-6119.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite or large loop) via the (1) IPv6 or (2) USB dissector, which can trigger resource consumption or a crash. NOTE: this identifier originally included Firebird/Interbase, but it is already covered by CVE-2007-6116. The DCP ETSI issue is already covered by CVE-2007-6119.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted DER encoded data, which is not properly decoded by the ASN.1 DER input stream parser, aka Bug Id 6864911.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted DER encoded data, which is not properly decoded by the ASN.1 DER input stream parser, aka Bug Id 6864911.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlibpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDouble free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Double free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the JBIG2 decoding feature in Poppler before 0.10.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to CairoOutputDev (CairoOutputDev.cc).Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the JBIG2 decoding feature in Poppler before 0.10.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to CairoOutputDev (CairoOutputDev.cc).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback function in OpenPegasus CIM management server (tog-pegasus), when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, might allow remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2007-5360.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback function in OpenPegasus CIM management server (tog-pegasus), when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, might allow remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2007-5360.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript garbage collector in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle allocation failures, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document that triggers write access to an "offset of a NULL pointer."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript garbage collector in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle allocation failures, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document that triggers write access to an "offset of a NULL pointer."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDDirectory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service via vectors that trigger an assertion failure.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service via vectors that trigger an assertion failure.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe escapeshellcmd API function in PHP before 5.2.6 has unknown impact and context-dependent attack vectors related to "incomplete multibyte chars."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The escapeshellcmd API function in PHP before 5.2.6 has unknown impact and context-dependent attack vectors related to "incomplete multibyte chars."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDsendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDhttputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an EMF file with a crafted EMR_STRETCHBLT record, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an EMF file with a crafted EMR_STRETCHBLT record, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe "decode as" feature in packet-bssap.c in the SCCP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The "decode as" feature in packet-bssap.c in the SCCP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDAlgorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (memory consumption) via a crafted "complex" regular expression with doubly-nested states.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Algorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (memory consumption) via a crafted "complex" regular expression with doubly-nested states.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ssm_i emulation in Xen 5.1 on IA64 architectures allows attackers to cause a denial of service (dom0 panic) via certain traffic, as demonstrated using an FTP stress test tool.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ssm_i emulation in Xen 5.1 on IA64 architectures allows attackers to cause a denial of service (dom0 panic) via certain traffic, as demonstrated using an FTP stress test tool.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDpacket-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDRed Hat Enterprise Linux (RHEL) 5 ships the rpm for the Advanced Intrusion Detection Environment (AIDE) before 0.13.1 with a database that lacks checksum information, which allows context-dependent attackers to bypass file integrity checks and modify certain files.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Red Hat Enterprise Linux (RHEL) 5 ships the rpm for the Advanced Intrusion Detection Environment (AIDE) before 0.13.1 with a database that lacks checksum information, which allows context-dependent attackers to bypass file integrity checks and modify certain files.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an "rt_cache leak."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an "rt_cache leak."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine and (1) misinterpretation of the characteristics of Namespace and QName in jsxml.c, (2) misuse of signed integers in the nsEscapeCount function in nsEscape.cpp, and (3) interaction of JavaScript garbage collection with certain use of an NPObject in the nsNPObjWrapper::GetNewOrUsed function in nsJSNPRuntime.cpp.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine and (1) misinterpretation of the characteristics of Namespace and QName in jsxml.c, (2) misuse of signed integers in the nsEscapeCount function in nsEscape.cpp, and (3) interaction of JavaScript garbage collection with certain use of an NPObject in the nsNPObjWrapper::GetNewOrUsed function in nsJSNPRuntime.cpp.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCRLF injection vulnerability in the Digest Authentication support for Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allows remote attackers to conduct HTTP request splitting attacks via LF (%0a) bytes in the username attribute.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5CRLF injection vulnerability in the Digest Authentication support for Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allows remote attackers to conduct HTTP request splitting attacks via LF (%0a) bytes in the username attribute.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly reserve input focus, which allows attackers with physical access to take control of the session after entering an Alt-Tab sequence, a related issue to CVE-2007-3069.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly reserve input focus, which allows attackers with physical access to take control of the session after entering an Alt-Tab sequence, a related issue to CVE-2007-3069.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the Windows Pluggable Look and Feel (PLF) feature in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657138.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the Windows Pluggable Look and Feel (PL&F) feature in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657138.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOff-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through 0.99.7, when running on Ubuntu 7.10, allows remote attackers to cause a denial of service (crash or memory consumption) via a malformed packet, possibly related to a Cairo library bug.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through 0.99.7, when running on Ubuntu 7.10, allows remote attackers to cause a denial of service (crash or memory consumption) via a malformed packet, possibly related to a Cairo library bug.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDOpenLDAP before 2.3.39 allows remote attackers to cause a denial of service (slapd crash) via an LDAP request with a malformed objectClasses attribute. NOTE: this has been reported as a double free, but the reports are inconsistent.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5OpenLDAP before 2.3.39 allows remote attackers to cause a denial of service (slapd crash) via an LDAP request with a malformed objectClasses attribute. NOTE: this has been reported as a double free, but the reports are inconsistent.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x allows remote attackers to execute arbitrary SQL commands via multibyte character encodings for unspecified input.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when configured to use a multibyte character set that allows a \ (backslash) as part of the character encoding, allows remote attackers to execute arbitrary SQL commands via unspecified inputs in a login request.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDdrivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUse-after-free vulnerability in the garbage-collection implementation in WebCore in WebKit in Apple Safari before 4.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via an SVG animation element, related to SVG set objects, SVG marker elements, the targetElement attribute, and unspecified "caches."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Use-after-free vulnerability in the garbage-collection implementation in WebCore in WebKit in Apple Safari before 4.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via an SVG animation element, related to SVG set objects, SVG marker elements, the targetElement attribute, and unspecified "caches."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe default configuration of autofs 5 in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 5, omits the nosuid option for the hosts (/net filesystem) map, which allows local users to gain privileges via a setuid program on a remote NFS server.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The default configuration of autofs 5 in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 5, omits the nosuid option for the hosts (/net filesystem) map, which allows local users to gain privileges via a setuid program on a remote NFS server.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak."Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to force the upload of arbitrary local files from a client computer via vectors involving originalTarget and DOM Range.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to force the upload of arbitrary local files from a client computer via vectors involving originalTarget and DOM Range.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe alert-mailing implementation in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail messages from the root account via vectors related to the setalerts message, and lack of validation of the device URI associated with an event message.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The alert-mailing implementation in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail messages from the root account via vectors related to the setalerts message, and lack of validation of the device URI associated with an event message.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDnet/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remote attackers to cause a denial of service (crash) via a crafted link.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remote attackers to cause a denial of service (crash) via a crafted link.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbackend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) related to duration logging of V3-protocol Execute messages for (1) COMMIT and (2) ROLLBACK SQL statements.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5backend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) related to duration logging of V3-protocol Execute messages for (1) COMMIT and (2) ROLLBACK SQL statements.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmodules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of service by causing certain invalid states that trigger a NULL pointer dereference.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of service by causing certain invalid states that trigger a NULL pointer dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDlib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe fbComposite function in fbpict.c in the Render extension in the X server in X.Org X11R7.1 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted request, related to an incorrect macro definition.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The fbComposite function in fbpict.c in the Render extension in the X server in X.Org X11R7.1 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted request, related to an incorrect macro definition.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT attribute.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT attribute.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSession fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run, (2) nsStyleContext::Destroy, (3) nsComputedDOMStyle::GetWidth, (4) the xslt_attributeset_ImportSameName.html test case for the XSLT stylesheet compiler, (5) nsXULDocument::SynchronizeBroadcastListener, (6) IsBindingAncestor, (7) PL_DHashTableOperate and nsEditor::EndUpdateViewBatch, and (8) gfxSkipCharsIterator::SetOffsets, and other vectors.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run, (2) nsStyleContext::Destroy, (3) nsComputedDOMStyle::GetWidth, (4) the xslt_attributeset_ImportSameName.html test case for the XSLT stylesheet compiler, (5) nsXULDocument::SynchronizeBroadcastListener, (6) IsBindingAncestor, (7) PL_DHashTableOperate and nsEditor::EndUpdateViewBatch, and (8) gfxSkipCharsIterator::SetOffsets, and other vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDXiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDmount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDFormat string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) psp (aka .tub), (2) bmp, (3) pcx, and (4) psd plugins in gimp allow user-assisted remote attackers to cause a denial of service (crash or memory consumption) via crafted image files, as discovered using the fusil fuzzing tool.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) psp (aka .tub), (2) bmp, (3) pcx, and (4) psd plugins in gimp allow user-assisted remote attackers to cause a denial of service (crash or memory consumption) via crafted image files, as discovered using the fusil fuzzing tool.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1 allows remote attackers to execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1 allows remote attackers to execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount "symlinks," which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount "symlinks," which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUntrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 inherit the default charset from the parent window, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 inherit the default charset from the parent window, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the SIEVE script component (sieve/script.c), as used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the SIEVE script component (sieve/script.c), as used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm.c in Camel in Evolution Data Server (aka evolution-data-server) 2.24.5 and earlier, and 2.25.92 and earlier 2.25.x versions, does not validate whether a certain length value is consistent with the amount of data in a challenge packet, which allows remote mail servers to read information from the process memory of a client, or cause a denial of service (client crash), via an NTLM authentication type 2 packet with a length value that exceeds the amount of packet data.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm.c in Camel in Evolution Data Server (aka evolution-data-server) 2.24.5 and earlier, and 2.25.92 and earlier 2.25.x versions, does not validate whether a certain length value is consistent with the amount of data in a challenge packet, which allows remote mail servers to read information from the process memory of a client, or cause a denial of service (client crash), via an NTLM authentication type 2 packet with a length value that exceeds the amount of packet data.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) htmlentities and (2) htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) htmlentities and (2) htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDGecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in javaws.exe in Sun Java Web Start in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 allows context-dependent attackers to execute arbitrary code via a crafted JPEG image that is not properly handled during display to a splash screen, which triggers a heap-based buffer overflow.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in javaws.exe in Sun Java Web Start in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 allows context-dependent attackers to execute arbitrary code via a crafted JPEG image that is not properly handled during display to a splash screen, which triggers a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDbzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in the layout engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) via vectors related to dangling pointers, heap corruption, signed/unsigned, and other issues.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple vulnerabilities in the layout engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) via vectors related to dangling pointers, heap corruption, signed/unsigned, and other issues.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDLinux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDUnspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDStack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 does not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 does not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDNTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDresolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDPostfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 3.0.12 does not properly handle an SVG element that has a property with a watch function and an __defineSetter__ function, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted document, related to a certain pointer misinterpretation.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 3.0.12 does not properly handle an SVG element that has a property with a watch function and an __defineSetter__ function, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted document, related to a certain pointer misinterpretation.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDArray index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDInteger overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMemory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted image file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted image file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDfilter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code via a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code via a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDBuffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDApache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMultiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDMozilla Firefox before 2.0.0.5 allows remote attackers to execute arbitrary code with chrome privileges by calling an event handler from an unspecified "element outside of a document."Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Mozilla Firefox before 2.0.0.5 allows remote attackers to execute arbitrary code with chrome privileges by calling an event handler from an unspecified "element outside of a document."Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets the ICQWebMessage message type as the ICQSMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory.Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets the ICQWebMessage message type as the ICQSMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) via vectors that trigger memory corruption, related to the GetXMLEntity and FastAppendChar functions.Red Hat Enterprise Linux 3CentOS Linux 3Red Hat Enterprise Linux 4CentOS Linux 4Oracle Linux 4Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) via vectors that trigger memory corruption, related to the GetXMLEntity and FastAppendChar functions.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDCentOS Linux 3.xCentOS Linux 3The operating system installed on the system is CentOS Linux 3.xDragos PrisacaDRAFTINTERIMACCEPTEDACCEPTEDCentOS Linux 4.xCentOS Linux 4The operating system installed on the system is CentOS Linux 4.xDragos PrisacaDRAFTINTERIMACCEPTEDACCEPTEDOracle Linux 4.xOracle Linux 4The operating system installed on the system is Oracle Linux 4.xDragos PrisacaDRAFTINTERIMACCEPTEDChandan M CINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is Red Hat Enterprise Linux 4Red Hat Enterprise Linux 4The operating system installed on the system is Red Hat Enterprise Linux 4.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is Red Hat Enterprise Linux 3Red Hat Enterprise Linux 3The operating system installed on the system is Red Hat Enterprise Linux 3.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDHeap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.Red Hat Enterprise Linux 5CentOS Linux 5Oracle Linux 5Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is CentOS Linux 5.xCentOS Linux 5The operating system installed on the system is CentOS Linux 5.xDanny HaynesDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDOracle Linux 5.xOracle Linux 5The operating system installed on the system is Oracle Linux 5.xDanny HaynesDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDChandan M CINTERIMACCEPTEDACCEPTEDThe operating system installed on the system is Red Hat Enterprise Linux 5Red Hat Enterprise Linux 5The operating system installed on the system is Red Hat Enterprise Linux 5.Aharon CherninDRAFTINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDavahi-glib-develavahi-compat-howlavahi-compat-howl-develavahi-qt3avahi-compat-libdns_sd-develavahi-qt3-develavahi-compat-libdns_sdavahi-glibavahiavahi-toolsavahi-develbluez-libsbluez-utils-cupsbluez-libs-develbluez-utilsaprapr-docsapr-develgstreamer-plugins-develgstreamer-pluginsriccilucicongasamba3x-winbind-develsamba3x-doctdb-toolssamba3x-swatsamba3xsamba3x-clientsamba3x-domainjoin-guilibtdblibtalloc-devellibsmbclient-develsamba3x-winbindlibtallocsamba3x-commonlibsmbclientlibtdb-devellibX11libX11-develxorg-x11-appsgstreamer-plugins-basegstreamer-plugins-base-develnewt-develnewtsblim-tools-libra-develsblim-cim-client-manualsblim-cmpi-samba-testsblim-cmpi-sysfs-testsblim-cmpi-samba-develsblim-wbemclisblim-gathersblim-cmpi-paramssblim-cmpi-basesblim-cmpi-fsvol-develsblim-cmpi-nfsv3-testsblim-gather-develsblim-cim-clientsblim-cim-client-javadocsblim-cmpi-dns-develsblim-cmpi-fsvol-testsblim-cmpi-params-testsblim-cmpi-fsvolsblim-cmpi-network-testsblim-testsuitesblim-cmpi-base-develsblim-cmpi-networksblim-cmpi-develsblim-tools-librasblim-cmpi-nfsv3sblim-cmpi-nfsv4sblim-cmpi-base-testsblim-gather-providersblim-cmpi-syslogsblimsblim-cmpi-network-develsblim-cmpi-dns-testsblim-cmpi-nfsv4-testsblim-cmpi-dnssblim-cmpi-sambasblim-gather-testsblim-cmpi-syslog-testsblim-cmpi-sysfsselinux-policy-targeted-sourcesselinux-policy-targetedselinux-policy-strictselinux-policy-mlsselinux-policy-develselinux-policyecryptfs-utilsecryptfs-utils-guiecryptfs-utils-devellibsouplibsoup-develevolution28-libsoupevolution28-libsoup-develgdm-docsarpwatchlibpcap-devellibpcaptcpdumpperl-DBD-Pgnfs-utils-libnfs-utils-lib-develvncvnc-serverxerces-j2-javadoc-xnixerces-j2-demoxerces-j2-javadoc-otherxerces-j2-javadoc-implxerces-j2-scriptsxerces-j2-javadoc-apisxerces-j2xtermrhn-checkrhn-setup-gnomerhn-setuprhn-client-toolsdevice-mapper-multipathkpartxopenssl096bdstatvsftpdneon-develneonautomake14automakeautomake15automake17automake16gcc-ppc32libgcj4-srcgcc-objc++gcc4-javalibgfortranlibobjclibmudflap-devellibtool-ltdl-devellibtool-ltdllibgcj4gcc4-c++libgcj4-develcpplibstdc++-devellibgcj-develgcc-gnatlibgcj-srcgcc4-gfortranlibgompgcc4libgnatgcc-javagcc-gfortrangcc-objclibtool-libsgcclibf2clibtoolgcc-c++libstdc++gcc-g77gcc-c++-ppc32libgcclibmudflaplibgcjperl-Archive-Tarnspluginwrapperrdesktophtdightdig-webcdrecordmkisofscdrecord-develcdrtoolssubversion-perlsubversion-javahlsubversion-rubymod_dav_svnsubversionsubversion-develvixie-cronsystemtap-clientsystemtap-testsuitesystemtap-initscriptsystemtapsystemtap-runtimesystemtap-serversystemtap-sdt-develcoolkeycoolkey-develrgmanagergfs2-utilsglib2glib2-developal-developalgfs-kmodkmod-gfs-xenkmod-gfs-PAEkmod-gfscairocairo-develscsi-target-utilslynxopenldap-servers-overlaysqt-PostgreSQLqt-devel-docsqt-develqt-ODBCqtqt-configqt-designerqt-MySQLfreeradius-mysqlfreeradius-postgresqlfreeradiusfreeradius-unixODBCpam-develpamwgetstaropenoffice.org-urequaggaquagga-contribquagga-devellibexiflibexif-devel4SuitePyXMLgiflibgiflib-utilsgiflib-devellibungif-progslibungiflibungif-develmod_perl-develmod_perllibwmf-devellibwmfekigapwlibpwlib-devellibvolume_idudevlibvolume_id-develpam_krb5gdmyum-rhn-pluginlibwpdlibwpd-toolslibwpd-develImageMagick-perlImageMagickImageMagick-c++ImageMagick-c++-develImageMagick-devellibxslt-devellibxsltlibxslt-pythonnet-snmp-develnet-snmpnet-snmp-perlnet-snmp-utilsnet-snmp-libsgnome-screensaverlftpxorg-x11-xfs-utilscman-develcmannss_dbenscriptedfileiscsi-initiator-utilsnfs-utilsnss_ldapexpatexpat-develperl-Net-DNSsudoperl-CGIperl-suidperlperl-DB_Fileperl-CPANperlacpidgzipmuttNetworkManager-gnomeNetworkManager-develNetworkManager-glib-develNetworkManagerNetworkManager-glibdnsmasqfetchmailpostgresql84-pythonpostgresql84-testpostgresql84-tclpostgresql84-pltclpostgresql84-plpythonpostgresql84postgresql84-develpostgresql84-plperlpostgresql84-serverpostgresql84-docspostgresql84-libspostgresql84-contriblibicuiculibicu-doclibicu-develjakarta-commons-modelerjakarta-commons-modeler-javadocgnupgsetroubleshoot-serversetroubleshoot-pluginssetroubleshootipsec-toolsxmms-flacflacflac-develpcrepcre-devele2fsprogs-libse2fsprogs-devele2fsprogsdovecotmcstransgd-develgdgd-progskdebase-develkdebaseevolution-helpevolution28-develevolution28libsmi-devellibsmidbus-libsgstreamer-plugins-goodgstreamer-plugins-good-develsquidtog-pegasus-develtog-pegasus-testtog-pegasustarcpioapr-utilapr-util-docsapr-util-develsendmail-cfsendmail-docsendmailsendmail-develdbus-develdbus-x11dbusvim-minimalvimvim-X11vim-commonvim-enhancedkdelibs-apidocskdelibskdelibs-develaidecompizcompiz-develcaching-nameserverbindbind-develbind-chrootbind-libbind-develbind-sdbbind-libsbind-utilsxmlsec1-gnutls-develxmlsec1-nss-develxmlsec1-gnutlsxmlsec1xmlsec1-develxmlsec1-opensslxmlsec1-openssl-develxmlsec1-nssopenldap-servers-sqlcompat-openldapopenldap-serversopenldapopenldap-developenldap-clientsopenssh-askpass-gnomeopenssh-clientsopenssh-askpassopensshopenssh-servermod_auth_mysqlpython-toolspython-develtkinterpythonpython-docsgnome-python2-gtkhtml2totemgnome-python2-gtkmozembedgnome-python2-libeggtotem-develtotem-mozplugingnome-python2-extrasgnome-python2-gtkspellescautofsautofs5hsqldbhsqldb-demohsqldb-manualhsqldb-javadocfreetype-demosfreetype-develfreetype-utilsfreetypelibtifflibtiff-develnetpbm-progsnetpbmnetpbm-develkvm-qemu-imgkmod-kvmkvmkvm-toolsevolution28-pango-develevolution28-pangopango-develpangohpliplibsane-hpaiohpijspidgin-docslibxmllibxml-devellibvirt-pythonlibvirt-devellibvirtelinkscurl-develcurlxorg-x11-server-Xvnc-sourcexorg-x11-server-randr-sourcexorg-x11-serverxorg-x11-server-Xnestxorg-x11-server-sdkxorg-x11-server-Xorgxorg-x11-server-Xvfbxorg-x11-server-Xephyrxorg-x11-server-Xdmxsquirrelmailmysql-benchmysql-testmysql-develmysql-servermysqllibvorbis-devellibvorbiswireshark-gnomewiresharklosetupmountutil-linuxtk-develtcltixexpect-develtcltktcl-develitcltktclxexpectlibpng10libpng10-devellibpnglibpng-develrh-postgresql-develrh-postgresql-contribrh-postgresql-pythonpostgresql-tclrh-postgresqlrh-postgresql-jdbcrh-postgresql-plpostgresql-develpostgresql-contribrh-postgresql-docsrh-postgresql-testpostgresql-plpostgresql-serverpostgresqlrh-postgresql-libspostgresql-libspostgresql-pythonpostgresql-jdbcpostgresql-docspostgresql-testrh-postgresql-serverrh-postgresql-tclopenssl-develgnutls-develgnutls-utilsgnutlsopensslopenssl097aopenssl-perlmod_sslhttpdhttpd-suexechttpd-manualhttpd-develcyrus-imapd-perlcyrus-imapd-nntpcyrus-imapd-utilsperl-Cyruscyrus-imapdcyrus-imapd-develcyrus-imapd-murderevolution-data-server-develevolutionevolution28-evolution-data-serverevolution28-evolution-data-server-develevolution-develevolution-data-serverevolution-data-server-docopenswan-docopenswantomcat5-servlet-2.4-api-javadoctomcat5-jaspertomcat5-webappstomcat5-server-libtomcat5-jsp-2.0-api-javadoctomcat5-admin-webappstomcat5-common-libtomcat5tomcat5-servlet-2.4-apitomcat5-jsp-2.0-apitomcat5-jasper-javadoccscopebzip2-libsbzip2-develbzip2kernel-sourcekernel-smp-unsupportedkernel-hugemem-unsupportedkernel-BOOTkernel-unsupportedgimp-develgimpgimp-perlgimp-libskrb5-develkrb5krb5-workstationkrb5-serverkrb5-libsgpdfpopplercupspoppler-develtetex-fontskdegraphics-develcups-libstetex-afmkdegraphicsxpdfcups-lpdtetextetex-dvipspoppler-utilstetex-latexcups-develtetex-doctetex-xdvintpruby-riirbruby-docsrubyruby-irbruby-moderuby-rdocruby-tcltkruby-develruby-libspostfix-pflogsummpostfixkernel-hugememkernel-debugkernel-hugemem-develkernel-xenUkernel-smpkernel-smp-develkernel-xenU-develkernel-largesmpkernel-debug-develkernel-largesmp-develspeex-develspeexlibxml2-devellibxml2libxml2-pythonjava-1.6.0-openjdkpython-lcmsjava-1.6.0-openjdk-srclcmslcms-develjava-1.6.0-openjdk-develjava-1.6.0-openjdk-javadocjava-1.6.0-openjdk-demoopenoffice.org-sdkopenoffice.org-headlessopenoffice.org-sdk-docxorg-x11-twmxorg-x11-deprecated-libs-develxorg-x11-Xvfbxorg-x11-develXFree86-xfsXFree86-docXFree86-ISO8859-14-100dpi-fontsxorg-x11-xdmXFree86-75dpi-fontsxorg-x11-XdmxXFree86-ISO8859-9-100dpi-fontsxorg-x11-XnestXFree86-XnestXFree86-toolsXFree86-font-utilsxorg-x11-Mesa-libGLUxorg-x11-libsXFree86-ISO8859-14-75dpi-fontsXFree86-libsXFree86-cyrillic-fontsXFree86-Mesa-libGLXFree86-sdkxorg-x11-toolsxorg-x11-sdkXFree86-ISO8859-2-75dpi-fontslibXfont-develxorg-x11-deprecated-libsXFree86-100dpi-fontsxorg-x11XFree86-truetype-fontsXFree86XFree86-xauthXFree86-base-fontsxorg-x11-docXFree86-ISO8859-15-75dpi-fontsXFree86-ISO8859-15-100dpi-fontsXFree86-Mesa-libGLUXFree86-twmXFree86-ISO8859-9-75dpi-fontsXFree86-syriac-fontsxorg-x11-font-utilsXFree86-develXFree86-XvfbXFree86-libs-datalibXfontXFree86-ISO8859-2-100dpi-fontsxorg-x11-xfsxorg-x11-xauthxorg-x11-Mesa-libGLXFree86-xdmsambasamba-swatsamba-commonsamba-clientghostscriptghostscript-develghostscript-gtkspamassassinkernel-xenkernel-dockernel-xen-develkernel-debuginfo-commonkernelkernel-kdump-develkernel-develkernel-PAE-develkernel-PAEkernel-kdumpkernel-headersyelpdevhelpdevhelp-develfirefox-develphp-snmpphp-domxmlphp-dbaphp-bcmathphp-commonphp-cliphp-pdophp-mbstringphp-pgsqlphp-ldapphp-mysqlphp-xmlphp-soapphp-ncursesphp-pearphp-xmlrpcphp-gdphp-develphp-imapphpphp-odbclibpurple-perlpidgin-devellibpurple-tcllibpurplepidgin-perlpidginfinchfinch-devellibpurple-developenoffice.org-langpack-zh_TWopenoffice.org-langpack-ss_ZAopenoffice.org-langpack-ms_MYopenoffice.org-langpack-ts_ZAopenoffice.org-langpack-pt_BRopenoffice.org-langpack-mr_INopenoffice.org-langpack-da_DKopenoffice.org-langpack-uropenoffice.org-langpack-eu_ESopenoffice.org-langpack-hu_HUopenoffice.org-langpack-pa_INopenoffice.org-langpack-hr_HRopenoffice.org-langpack-zh_CNopenoffice.org-langpack-bnopenoffice.org-langpack-nso_ZAopenoffice.org-langpack-ruopenoffice.org-langpack-zu_ZAopenoffice.org-baseopenoffice.org-langpack-svopenoffice.org-langpack-fropenoffice.org-langpack-et_EEopenoffice.org-pyunoopenoffice.org-langpack-nlopenoffice.org2-langpack-sr_CSopenoffice.org-langpack-th_THopenoffice.org-langpack-esopenoffice.org-langpack-pt_PTopenoffice.org-langpack-hi_INopenoffice.org-langpack-pl_PLopenoffice.org2-langpack-ruopenoffice.org-langpack-cy_GBopenoffice.org2-langpack-nn_NOopenoffice.org2-langpack-ko_KRopenoffice.org-langpack-gl_ESopenoffice.org-testtoolsopenoffice.org-langpack-af_ZAopenoffice.org-langpack-te_INopenoffice.org-langpack-ja_JPopenoffice.org2-langpack-itopenoffice.org-langpack-or_INopenoffice.org-langpack-deopenoffice.org-langpack-ta_INopenoffice.org-langpack-itopenoffice.org-langpack-as_INopenoffice.org-langpack-ko_KRopenoffice.org-langpack-ml_INopenoffice.org-langpack-nb_NOopenoffice.org2-langpack-sl_SIopenoffice.org2-langpack-pt_PTopenoffice.org2-langpack-hr_HRopenoffice.org2-coreopenoffice.org-langpack-ga_IEopenoffice.org2-testtoolsopenoffice.org2-langpack-et_EEopenoffice.org2-langpack-fi_FIopenoffice.org-langpack-sr_CSopenoffice.org2-langpack-he_ILopenoffice.org-langpack-tn_ZAopenoffice.org2-langpack-ta_INopenoffice.org-calcopenoffice.org-mathopenoffice.org2-langpack-af_ZAopenoffice.org2-langpack-zh_CNopenoffice.org2-langpack-pt_BRopenoffice.org2-langpack-zu_ZAopenoffice.org2-langpack-ms_MYopenoffice.org2-langpack-pa_INopenoffice.org2-langpack-hi_INopenoffice.org2-langpack-el_GRopenoffice.org-drawopenoffice.org2-writeropenoffice.org2-baseopenoffice.org2-langpack-lt_LTopenoffice.org-langpack-gu_INopenoffice.org-langpack-el_GRopenoffice.org-langpack-sl_SIopenoffice.org2-impressopenoffice.org2-drawopenoffice.org2-langpack-deopenoffice.org2-mathopenoffice.org-langpack-lt_LTopenoffice.org-kdeopenoffice.org-coreopenoffice.org2-langpack-cy_GBopenoffice.org2-langpack-eu_ESopenoffice.org-langpack-aropenoffice.org-langpack-ca_ESopenoffice.org-langpack-ve_ZAopenoffice.org-langpack-st_ZAopenoffice.org2-langpack-hu_HUopenoffice.org2-langpack-bg_BGopenoffice.org-langpack-xh_ZAopenoffice.org2-langpack-fropenoffice.org2-langpack-gl_ESopenoffice.org2-langpack-sk_SKopenoffice.org2-langpack-svopenoffice.org2-langpack-bnopenoffice.org2-xsltfilteropenoffice.org2-calcopenoffice.org-langpack-nr_ZAopenoffice.org-graphicfilteropenoffice.org2-langpack-cs_CZopenoffice.org-langpack-sk_SKopenoffice.org2-langpack-ca_ESopenoffice.org2-langpack-zh_TWopenoffice.org2-graphicfilteropenoffice.org2openoffice.org-langpack-tr_TRopenoffice.org-emailmergeopenoffice.org-impressopenoffice.org2-langpack-nb_NOopenoffice.org-langpack-kn_INopenoffice.org2-langpack-aropenoffice.org2-langpack-ga_IEopenoffice.org2-langpack-th_THopenoffice.org2-pyunoopenoffice.org-langpack-cs_CZopenoffice.org-i18nopenoffice.org-xsltfilteropenoffice.org2-langpack-ja_JPopenoffice.org-libsopenoffice.orgopenoffice.org2-langpack-esopenoffice.org2-emailmergeopenoffice.org-langpack-he_ILopenoffice.org2-langpack-pl_PLopenoffice.org-writeropenoffice.org2-langpack-da_DKopenoffice.org-langpack-nn_NOopenoffice.org-langpack-fi_FIopenoffice.org2-javafilteropenoffice.org-langpack-bg_BGopenoffice.org2-langpack-tr_TRopenoffice.org-javafilteropenoffice.org2-langpack-nlopenoffice.org2-langpack-gu_INenterprise-releaseseamonkey-nsprxulrunnerfirefoxseamonkey-nssnss-pkcs11-develseamonkey-develxulrunner-develseamonkey-nss-develseamonkey-js-debuggerseamonkey-mailnssseamonkeyseamonkey-chatseamonkey-nspr-develxulrunner-devel-unstablensprnspr-develnss-toolsseamonkey-dom-inspectorthunderbirdnss-develcentos-releaseoraclelinux-releaseredhat-releasexenxen-libsxen-devel6:3.5.4-21.el5_5.16:3.3.1-13.el4_8.10:1.0.9-0.39.el30:1.0.9-44.el4_80:0.6.16-1.el5_2.10:3.7-2.20:2.10-30:3.7-1.10:2.10-2.40:1.1.5-10.6.0.2.EL40:1.1.2-40.2.0.EL31:2.0.4-5.4.17.31:2.0.4-5.7.0.2.00:1.2.7-11.el5_3.10:0.9.4-24.9.el4_8.20:1.2.7-7.el5_3.20:0.9.4-22.el4_8.20:1.0.4-7.el5_3.10:1.0.2-40:1.0.3-2.el4_7.10:3.0.9-1.3E.160:0.8.5-1.EL.20:2.6.18-8.1.8.el50:1.1.3-1.5.el5_40:4.1.20-1.RHEL4.10:0.48-2.el40:2.6.9-67.0.7.EL0:0.10-0.8.1.el40:1.0.9-0.22.el30:1.0.9-16.4.el4_62:7.0.109-3.el5.30:0.10.0-6.el50:4.3p2-36.el5_4.20:5.0.9-2.30E.250:5.1.2-13.el4_7.21:5.3.1-24.el5_2.20:3.0.9-1.3E.170:3.0.33-0.19.el4_8.10:3.3.8-0.52.el5_50:3.0.33-3.29.el5_57:3.5.4-5.el5_10:1.0.7-67.110:2.6.9-42.0.10.EL0:2.5.10-110:2.6.26-2.1.2.40:2.6.16-12.30:1.1.1-48.13.0.1.el50:0.9.6b-16.500:0.9.6b-22.46.el4_8.10:1.1.2-42.2.0.EL30:1.1.5-10.6.0.5.EL40:2.3.0-6.5.1.el5_20:2.0.4-5.7.0.5.00:1.1.17-2.el5_1.10:1.0.33-60:1.1.11-1.el4_6.10:6.2.0-3.el3.40:6.3.6-1.0.1.el50:2.0.2-35.0.2.el40:6.2.5-6.0.1.el40:1.4.5-20.el30:1.8.0-15.0.3.el50:1.0.3-8.0.1.el50:7.1-4.0.1.el50:3.0.23c-2.el5.20:3.0.9-1.3E.120:3.0.10-1.4E.110:2.6.9-55.0.9.EL0:2.4.21-52.EL0:2.6.18-8.1.14.el50:0.10.20-3.0.1.el5_31:3.3.6-21.el51:3.1.2-16.RHEL31:3.3.3-11.RHEL40:0.6.2-2.el4_8.10:0.51.6-10.el4_8.10:0.51.5-2.el30:0.52.2-12.el5_4.10:2.2.14-150:1.0.4-31.el5_2.10:1-13a.el4_6.10:1.5.1-31.el5_2.10:1.5.1-13a.el4_6.10:1.2.4-13a.el4_6.10:1.1.8-13a.el4_6.10:1.3.3-31.el5_2.10:1.4.4-31.el5_2.10:1.5.4-13a.el4_6.10:1.2.6-31.el5_2.10:1.4.3-13a.el4_6.10:1.2.4-31.el5_2.10:1.3.8-31.el5_2.10:1.0.13-13a.el4_6.10:1.0.4-13a.el4_6.10:0.2.3-31.el5_2.10:1.0.14-31.el5_2.10:1.0.12-31.el5_2.10:1.5.5-31.el5_2.10:2.1.1-13a.el4_6.10:1.3.7-13a.el4_6.10:1-31.el5_2.10:1.0.11-13a.el4_6.10:0.7.9-13a.el4_6.10:0.5.2-31.el5_2.10:2.1.2-31.el5_2.10:0.7.11-31.el5_2.10:1.1.9-31.el5_2.11:1.3.7-8.el5_3.60:2.45-1.el5_2.10:1.17.30-2.150.el420:9.2.4-22.el330:9.3.4-6.0.2.P1.el5_220:9.2.4-28.0.1.el40:2.4.6-137.1.el5_20:1.2.4-11.14.el5_1.40:75-5.el50:2.2.1-4.el4.10:2.2.98-2.el5_3.10:2.2.98-5.el4.11:2.16.0-56.el50:1.3-32.1.130:7.05-32.1.130:8.15.2-9.1.el5_1.10:7.07-33.2.el4_6.16:3.3.1-17.el4_8.16:3.5.4-25.el5_4.10:2.0.64-1.0.1.el514:2.1a13-12.el414:0.8.3-12.el414:2.1a13-18.el514:0.9.4-11.el514:3.9.4-11.el514:3.8.2-12.el41:1.1.2-3.el5_3.31:1.1.0-3.el4_8.21:1.0-11.el30:1.49-2.el5_3.10:1.6.1-36.el5_5.26:3.1.3-6.130:3.0.3-94.el5_4.12:2.7.0-2.el5_2.10:1.14.9-8.el50:1.6.0-16.el4_80:1.14.9-13.el4_80:1.2.5-100:2.6.3-2.el40:2.6.3-2.el50:1.7.2p1-6.el5_50:1.0.8-7.2.z20:1.0.6-8.z10:4.0-12.el4_7.10:4.1.2-14.el5_3.10:4.0-0.beta4.1.80:2.7.1-7jpp.2.el5_4.20:1.0.0-6.3.el5_10:0.5.12-5.1.0.20:0.6.13-4.0.2.el56:3.5.4-13.6.el56:3.1.3-5.166:3.3.1-5.19.rhel40:2.6.9-89.0.16.EL0:2.1.9-8.el4.60:2.1.4-10.el30:179-11.EL30:215-5.el5_2.20:192-8.el4_7.20:2.0.46-75.ent0:2.2.3-22.el5_3.20:0.4.20-33.el5_5.20:0.4.5-31.el4_7.10:0.4.7-23.el5_3.20:0.9.6b-16.490:0.9.7a-43.17.el4_7.20:0.9.6b-22.46.el4_70:0.9.8b-10.el5_2.10:0.9.7a-9.el5_2.10:0.9.7a-33.250:4.3.2-36.ent0:4.3.9-3.180:0.6.6-3.el5_4.10:1.2.7-680:2.0.5-12.el50:1.1.22-0.rc1.9.20.2.el4_6.80:1.1.17-13.3.530:1.2.4-11.18.el5_2.10:2.6.16-12.50:2.5.10-130:2.6.26-2.1.2.630:9.3.6-4.P1.el5_4.20:1.8.0-15.0.4.el50:1.4.5-21.el30:2.0.2-35.0.4.el40:0.25.5-10.el5_4.10:0.24.7-4.el4_8.20:1.4p6-13.el5.10:1.9.6-2.3.el50:1.5-16.el5.20:1.7.9-7.el5.20:1.6.3-8.el5.10:1.5.1-2.el40:2.3.1-2.el5_20:1.5.1-2.el30:1.5.22-7.el5_40:1.5.6-5.el4_80:1.4.3-70:3.4.6-11.el4_8.10:4.1.2-46.el5_4.20:4.1.2-44.EL4_8.10:3.2.3-601:1.39.1-1.el5_5.10:1.39.1-1.el4_8.10:1.4.1-3.el5_2.10:2.6.9-78.EL0:0.9.91.5-22.el50:1.9.0.1-1.el50:3.0.1-1.el50:0.12-18.el50:2.16.0-20.el50:1.5.0.12-0.21.el40:0.7.2-3.el5_30:0.6.2-2.el4_70:1.3.4-62.el4_8.20:1.6.1-36.el5_5.40:1.2.7-720:2.6.16-10.10:2.6.26-2.1.2.10:2.5.10-80:2.4.21-60.EL0:2.6.9-89.0.9.EL0:2.6.18-128.7.1.el51:2.0.52-32.3.ent0:2.0.46-68.ent1:2.0.46-68.ent0:2.0.52-32.3.ent0:3.0.9-1.3E.14.30:3.0.25b-1.el4_6.40:3.0.25b-1.el5_1.40:1.3.1-90:1.2.0-30:1.4.1-61:1.1.17-13.3.581:1.0.9-42.el53:5.8.5-53.el42:5.8.0-101.EL320:9.2.4-24.EL430:9.3.3-8.el520:9.2.4-20.EL33:3.2.0b6-9.0.1.el5_13:3.2.0b6-4.el4_60:8.13.1-3.2.el40:3.6.1-12.el4_7.20:3.5.7-31.el30:3.8.2-7.el5_2.20:2.6.6-1.el50:2.6.6-1.el40:0.75-728:2.01.0.a32-0.EL3.60:1.4.2-4.el5_3.10:1.1.4-3.el4_8.24:4.1-70.el50:4.1-19.EL34:4.1-47.EL41:5.0.1-0.rc2.55.el5.21:5.0.1-0.rc2.55.el4_6.20:1.8.1-7.el4_8.30:1.8.5-5.el5_3.70:1.4.8-4.0.1.el50:1.4.8-4.0.1.el40:1.4.8-6.el30:7.3.18-10:7.4.16-1.RHEL4.11:2.0.4-5.4.17.10:0.9.7-5.el5_4.30:2.6.9-89.0.26.EL0:1.1.0-5.el50:2.0.52-1.el50:0.1.62-1.el50:2.12.3-4.el5_3.10:2.2.2-1.1.0.10:0.1.34-12.el50:2.6.18-194.el50:1.5.1-6.el30:2.5.STABLE3-9.3E0:2.5.STABLE14-1.4E.el4_6.20:2.6.STABLE6-5.el5_1.30:3.0.7-3.el40:1.0.9-0.36.el30:1.0.9-40.el40:1.9.0.7-3.el50:3.6-5.11.40:2.6.18-53.1.13.el51:2.3.0-6.5.2.el5_20:83-105.el5_4.70:2.2.1-19.el50:2.0.52-41.ent.20:2.0.46-71.ent0:2.2.3-11.el5_2.40:4.3p2-36.el50:1.3.4-62.el4_8.10:1.2.7-710:1.6.1-36.el5_4.10:2.1.4-6.el30:2.1.9-5.el40:2.2.1-17.el51:5.3.1-19.el5_1.10:5.0.9-2.30E.230:5.1.2-11.el4_6.11.10:1.2.4-3.el5_10:0.0-6.20091205snap.el5_5.20:4.2.2p1-9.el5_3.20:4.2.0.a.20040617-8.el4_7.20:2.8.2-7.7.20:0.5.4-4.4.el5_11:3.00-16.el40:3.3.1-9.el4_60:4.1.2-6.el30:4.2.0.a.20040617-8.el4_8.10:4.2.2p1-9.el5_4.11:1.3.7-11.el5_4.60:7.07-33.2.el4_7.80:7.05-32.1.200:2.8.5-18.2.el4_7.10:2.8.5-28.1.el5_2.10:2.8.5-11.30:2.0.28-5.4E.el4_8.10:2.0.33-9.4.el5_4.20:3.0.3-64.el5_2.30:2.2.1-20.el5_20:2.6.9-78.0.22.EL1:1.3.7-11.el5_4.40:2.3.43-12.el50:1.0.9-0.41.el31:3.1.2-17.RHEL31:3.3.3-13.RHEL41:3.3.6-23.el50:1.0.1-2.RHEL3.40:1.1.3-1.2.el50:1.0.1-3.RHEL4.51:2.02-10.RHEL30:2.8.2-7.71:1.2.4-11.5.3.el57:3.5.4-2.el51:3.00-12.RHEL41:1.1.17-13.3.451:1.1.22-0.rc1.9.20.20:1.0.7-67.107:3.3.1-4.RHEL40:3.0-33.1.el50:2.0.2-22.0.1.EL4.80:0.5.4-4.1.el50:2.6.18-92.1.22.el50:83-164.el50:0.77-66.230:0.99.6.2-3.26.el50:4.1.22-2.el4_8.30:1.10.2-0.30E.10:1.10.2-1.el4_8.10:1.11.4-2.el5_4.10:1.5a08-50:1.5a75-20:1.5a25-80:2.2.3-22.el5_3.11:2.0.4-5.7.0.6.1.el4_8.41:3.1.1-19.5.el5_5.10:83-105.el5_4.130:1.0.9-43.el4_80:1.0.9-0.38.el30:2.6.14-1.el5_3.34:5.8.8-32.el5_5.10:2.6.2-2.el40:2.6.2-2.el50:5.0.22-2.1.0.10:4.1.20-2.RHEL4.1.0.10:7.12.1-11.1.el4_7.10:7.15.5-2.1.el5_3.40:7.10.6-9.rhel30:0.96.2-12.3E0:0.98.6-2.1.0.1.el50:0.98.3-2.4.0.1.el40:1.2.4-11.5.1.el50:1.1.22-0.rc1.9.181:1.1.17-13.3.420:0.5.4-4.4.el5_4.111:1.3.7-11.el5_4.30:2.6.9-67.0.22.EL0:0.5.12-5.1.0.2.el4_6.10:0.6.13-4.0.2.el5_1.10:0.8.3-6.el4_8.20:0.11.1-150:1.0-3.el4_8.10:0.8.4-4.el5_4.20:1.5.0.12-7.el40:1.5.0.12-7.el50:1.0.9-0.7.el30:1.0.9-7.el40:1.5.0.12-0.8.el40:4.10-3.0.2.el40:4.17-9.0.1.el50:4.1.3-7.1.el5_3.10:4.1.0-15.el3.30:4.1.3-1.el4.21:1.1.0-3.el4_8.31:1.0-12.el31:1.1.2-3.el5_4.40:2.0.2-6.3.el50:1.99_09-12.ent0:1.99_16-4.50:1.5.0.12-11.el5_10:1.5.0.12-14.el5_10:1.5.0.12-10.el40:1.5.0.12-0.14.el40:1.0.9-15.el40:1.0.9-0.16.el30:2.6.18-92.1.10.el50:0.2.8.3-5.80:0.2.8.4-10.20:83-105.el5_4.220:2.0.2-7.0.20:3.0.4-1.el40:3.12.1.1-3.el40:0.12-20.el50:2.16.0-22.el50:3.12.1.1-3.el50:1.9.0.4-1.el50:3.0.4-1.el50:5.0.77-4.el5_4.20:1.0.20-4.el4_60:1.4.1-3.el5_10:1.10.1-7.0.1.el50:095-14.20.el5_30:2.2.14-1.el5_2.17:2.5.STABLE14-1.4E.el4_6.17:2.6.STABLE6-5.el5_1.27:2.5.STABLE3-8.3E0:0.9.7a-43.17.el4_6.10:0.9.7a-33.241:6.3.046-0.30E.111:6.3.046-1.el4_7.5z1:2.16.0-31.0.1.el520:9.2.4-30.el4_7.120:9.2.4-23.el330:9.3.4-6.0.3.P1.el5_20:0.5.3-12.el5_2.90:0.8.7-3.el50:1.1.5-10.6.0.EL40:1.1.2-38.2.0.EL30:2.6.18-128.1.10.el50:2.6.9-89.EL0:1.6.9p17-3.el5_3.10:5.5.6-280:6.0.7.1-17.el4_6.10:6.2.8.0-4.el5_1.10:4.3.9-3.22.50:1.0.9-54.el4_80:1.0.9-0.52.el31:0.7.0-4.el5_30:0.3.1-5.el40:1.1.17-2.el5_2.20:1.1.11-1.el4_7.20:3.6-5.11.230:9.3.6-4.P1.el5_4.11:5.3.1-24.el5_2.10:5.0.9-2.30E.240:5.1.2-11.el4_6.11.30:1.6.9p17-6.el5_40:2.16.1-8.el50:4.5-4.el4_6.60:6.6-2.el5_1.70:3.9p1-11.el4_70:4.3p2-26.el5_2.10:3.7.11-4.el50:2.2.3-6.80:2.3.4-14.4.el4_6.11:1.0.2-40:6.8.2-1.EL.190:2.0.115-1.el50:0.10.9-1.el5_3.20:2.6.18-53.1.14.el50:1.1.5-10.6.0.7.EL40:1.1.2-43.2.0.EL31:2.0.4-5.7.0.6.01:2.3.0-6.5.4.el5_20:1.0.20-4.el4_8.30:1.4.1-3.el5_3.50:1.0.9-52.el4_80:1.0.9-0.50.el30:0.9.8e-12.el5_4.10:7.10.6-11.rhel30:7.15.5-9.el50:7.12.1-11.1.el4_8.30:1.5.0.12-12.el5_10:1.5.0.12-0.15.el40:1.5.0.12-11.el40:1.5.0.12-15.el5_10:1.0.9-16.el40:1.0.9-0.17.el30:4.7.4-1.el5_3.10:4.7.4-1.el4_8.10:3.12.3.99.3-1.el5_3.20:3.12.3.99.3-1.el4_8.20:2.0.0.18-1.el50:1.5.0.12-17.el40:1.0.9-28.el40:1.0.9-0.25.el30:2.1.30-8.el4_6.40:2.3.27_2.2.29-8.el5_1.30:2.2.13-8.el4_6.40:2.3.27-8.el5_1.30:1.8.1-7.EL4.8.10:1.8.5-5.el5_1.10:2.2-35.4.el5_50:1.1.5-10.6.0.7.EL4.11:2.0.4-5.7.0.6.0.10:1.1.2-44.2.0.EL31:2.3.0-6.11.el5_4.10:2.4.21-58.EL0:2.6.18-92.1.6.el50:2.6.9-67.0.20.EL0:2.6.18-53.1.6.el50:2.6.9-67.0.4.EL0:1.6.4-4.1.1.el5_20:1.6.1-33.el4_7.10:1.6.1-24.70:5.1.6-12.el50:2.8.0-40.el5_1.10:2.0.2-35.0.4.el4_6.10:2.8.0-53.el4_6.20:1.5.0.12-19.el40:2.0.0.21-1.el50:1.0.9-35.el40:1.0.9-0.32.el30:3.0.18-1.el5_40:3.0.18-1.el40:1.9.0.18-1.el5_40:1.2.7-700:1.3.4-60.el4_7.20:1.6.7-4.1.el5_0.30:2.3.7-2.el5_3.20:2.2.12-10.el4_8.10:0.2-39.el5_20:0.2-33.30E.10:0.2-36.el4_7.12:1.806-97.EL33:5.8.5-36.el4_5.22:2.89-97.EL32:1.61-97.EL34:5.8.8-10.el5_0.22:5.8.0-97.EL30:1.4.8-16.el30:1.4.8-5.el4_8.80:1.4.8-5.el5_4.100:0.99.6-EL4.10:0.99.6-1.el50:2.3.27_2.2.29-8.el5_2.40:2.2.13-8.el4_6.50:2.1.30-8.el4_6.50:2.3.27-8.el5_2.40:0.99.7-EL3.10:0.4.5-3.el30:4.17-9.el50:4.10-3.EL4.50:6.2.0.742-0.6.el50:1.0.8-1.el4_8.10:1.0.8-1.el5_3.10:1.0.8-EL3.10:1.0.6-93.EL41:1.0.9-35z.el5_20:2.6.9-89.0.11.EL0:1.3.4-490:1.5-260:1.2.7-660:3.0.3-64.el5_2.90:253-12.el50:253-5.el40:1.0.13-182:1.2.2-282:1.2.10-7.1.el5_0.12:1.2.7-3.el4_5.10:1.0.16-3.el4_5.10:1.95.7-4.el4_8.20:1.95.8-8.3.el5_4.20:1.95.5-6.20:3.0.6-1.el50:3.12.2.0-3.el40:3.0.6-1.el40:1.9.0.6-1.el50:3.12.2.0-4.el50:2.6.9-89.0.19.EL0:2.6.18-164.10.1.el51:1.2.4-11.14.el5_1.10:1.1.17-13.3.460:2.6.9-67.0.1.EL0:2.6.18-53.1.4.el50:0.59-3.el50:0.31-4.el30:2.6.18-8.1.6.el57:2.6.STABLE21-6.el51:1.2.4-11.18.el5_2.30:0.6.5-13.el5_3.10:1.7.2p1-7.el5_50:5.8.8-10.el5_2.32:2.89-98.EL32:1.806-98.EL33:5.8.5-36.el4_6.32:1.61-98.EL32:5.8.0-98.EL30:5.5.23-0jpp.1.0.4.el50:5.5.23-0jpp.7.el5_2.11:1.0-8.el31:1.1.0-2.el4.51:1.1.2-3.el5.00:3.9-10.40:6.6-2.el5_0.10:4.5-4.el4_5.10:1.0.4-9.el5_4.10:2.6.9-89.0.23.EL0:1.4.8-8.el30:1.4.8-5.el4_7.20:1.4.8-5.el5_2.20:1.3.5-11.el5_4.10:1.3.3-15.rhel30:1.3.3-18.el4_8.10:7.07-33.2.el4_7.50:8.15.2-9.4.el5_3.40:7.05-32.1.175:1.4.1-5.el35:1.4.1-12.0.3.el45:1.4.2.2-3.0.2.el51:0.7.0-9.el5_40:2.45-1.1.el5_31:2.02-17.el30:2.8.2-7.7.2.el4_8.57:3.3.1-15.el4_8.27:3.5.4-15.el5_4.21:3.00-22.el4_8.11:1.1.22-0.rc1.9.32.el4_8.31:1.1.17-13.3.620:1.15-1.2.2.el5_2.20:6.3.6-1.1.el5_3.10:6.2.5-6.0.1.el4_8.10:6.2.0-3.el3.51:2.2.3-11.el51:2.0.52-38.ent0:2.2.3-11.el50:2.0.52-38.ent0:1.6.8-12.el30:1.8.5-5.el5_2.30:1.8.1-7.el4_6.10:1.2.2-1.0.2.el50:4.3.0-120.EL0:6.8.2-1.EL.13.37.70:8.4.4-1.el5_5.10:7.4.29-1.el4_8.10:8.1.21-1.el5_5.10:7.3.21-30:4.1.20-3.RHEL4.1.el4_6.10:5.0.22-2.2.el5_1.10:3.6-5.11.10:0.6.5-8.el50:2.6.9-55.0.6.EL0:2.4.21-51.EL0:1.1-8jpp.1.0.2.el50:5.5.23-0jpp.1.0.3.el50:1.2.1-200:1.2.6-90:1.4.5-130:2.6.18-53.1.21.el50:3.0.3-25.0.3.el50:1.5.1-3.el30:2.5.5-2.el40:2.5.5-3.el50:1.4.5-22.el30:2.0.2-35.0.4.el4_6.20:2.6.18-128.1.1.el50:0.99.5-1.el50:0.99.5-EL3.10:0.99.5-EL4.10:3.0.19-1.el40:3.0.19-1.el5_50:1.9.0.19-1.el5_50:1.0.7-2.el50:2.0.4-2.el50:2.0.5-3.el50:0.3.3-7.el4_70:0.6.5-9.el5_2.30:0.2.5-0.7.rhel3.50:3.0.10-1.el50:3.0.10-1.el40:1.9.0.10-1.el50:1.4.8-5.el4_8.50:1.4.8-13.el30:1.4.8-5.el5_3.70:3.0.15-3.el40:1.9.0.15-3.el5_40:3.0.15-3.el5_40:1.0.9-0.47.el30:4.7.6-1.el5_40:1.0.9-50.el4_80:4.7.6-1.el4_80:1.1.2-28.el5_0.10:1.1.0-7.el4_5.20:3.0.33-3.15.el5_40:3.0.33-0.18.el4_82:1.15.1-23.0.1.el50:1.14-12.5.1.RHEL40:5.5.23-0jpp.3.0.3.el5_120:9.2.4-25.el330:9.3.4-10.P1.el5_3.320:9.2.4-30.el4_8.40:6.6-2.el5_1.10:4.5-4.el4_5.40:1.32-15.40:1.39-10.el5_1.10:1.35-12.11.el4_6.10:2.6.18-164.2.1.el50:2.6.18-164.9.1.el50:2.6.9-89.0.15.EL0:2.6.18-92.1.18.el50:4.3.2-39.ent0:4.3.9-3.22.30:5.1.6-7.el50:1.0.7-7.el50:1.1.1-48.26.el5_1.51:1.1.22-0.rc1.9.32.el4_8.61:1.3.7-18.el5_5.41:1.1.17-13.3.650:4.3.2-43.ent0:5.1.6-15.el50:4.3.9-3.22.90:2.2.3-31.el5_4.40:2.0.52-41.ent.71:1.1.17-13.3.521:1.1.22-0.rc1.9.20.2.el4_6.60:3.1.9-1.el50:3.1.9-1.el40:0.2.6-1.el50:3.0.14-1.el40:4.7.5-1.el5_40:3.0.14-1.el5_40:4.7.5-1.el4_80:1.9.0.14-1.el5_40:1.0.9-48.el4_80:1.0.9-0.45.el30:2.0.33-9.4.el5_1.10:2.0.28-5.4E.el4_6.10:3.5.4-15.el50:3.3.1-6.el40:2.6.18-8.1.1.el50:2.6.18-164.el50:2.12.3-8.el5_2.20:2.8.0-53.el4_6.30:0.9.2-3.3.5.20:0.11.1-5.1.0.1.el50:7.3.21-10:2.6.5-1.el50:2.6.5-1.el4.10:0.99.7-1.el40:0.4.5-2.el50:0.99.7-1.el50:0.4.5-2.el40:2.6.9-89.0.7.EL0:1.5.1-4.el30:2.5.9-1.el40:2.5.9-1.el50:3.0.7-1.el40:1.0.13-200:3.0.7-1.el52:1.2.7-3.el4_7.22:1.2.10-7.1.el5_3.20:1.0.16-3.el4_7.32:1.2.2-290:1.0.9-38.el40:1.0.9-0.34.el30:1.9.0.7-1.el50:3.0.3-25.0.4.el50:2.6.18-128.1.14.el50:2.6.9-89.0.3.EL0:1.1.2-12.el5_4.10:0.10.9-1.el5_3.10:1.3.4-54.el4_6.10:1.6.1-17.el5_1.120:9.2.4-27.0.1.el430:9.3.3-9.0.1.el520:9.2.4-21.el37:2.6.STABLE6-4.el50:0.9.8b-8.3.el5_0.20:4.3.9-3.22.150:5.1.6-23.2.el5_30:4.3.2-51.ent0:2.4.21-63.EL0:2.6.9-78.0.13.EL0:2.6.18-128.el52:2.5.1-5.el4_6.12:2.6.1-2.el5_1.10:2.6-23.el5_4.10:1.14-13.el4_8.10:1.13.25-16.RHEL30:2.5-6.RHEL32:1.15.1-23.0.1.el5_4.20:2.5-16.el4_8.10:2.0.52-38.ent.20:2.0.46-70.ent0:2.0.46-73.ent0:1.2.7-7.el5_3.10:0.9.4-22.el4_8.11:1.1.22-0.rc1.9.27.el4_7.11:1.1.17-13.3.541:1.2.4-11.18.el5_2.26:3.5.4-22.el5_36:3.3.1-14.el40:5.0.77-4.el5_5.30:8.13.8-8.el50:1.0.0-7.el5_2.10:1.8.5-5.el5_2.60:1.8.1-7.el4_7.20:1.1.2-41.2.0.EL30:1.1.5-10.6.0.3.EL40:2.0.4-5.4.260:2.0.4-5.7.0.4.02:7.0.109-4.el5_2.4z6:3.3.1-9.el46:3.5.4-13.el50:1.5-290:3.0.11-4.el40:3.0.11-2.el5_30:1.9.0.11-3.el5_30:7.4.19-1.el4_6.10:8.1.11-1.el5_1.10:5.5.23-0jpp.7.el5_3.20:3.0.25b-1.el4_6.20:3.0.9-1.3E.14.10:3.0.25b-1.el5_1.20:1.0.6-2.el5_30:1.0.6-EL3.30:1.0.6-2.el4_70:0.13.1-2.0.4.el50:2.6.18-164.6.1.el50:2.6.9-89.0.18.EL0:1.5.0.12-16.el40:2.16.0-21.el50:1.9.0.2-5.el50:0.10-0.10.el40:0.12-19.el50:2.0.0.17-1.el50:3.0.2-3.el50:3.0.2-3.el40:1.0.9-26.el40:1.0.9-0.24.el30:3.12.1.1-1.el50:0.9.8e-12.el50:1.5.0.12-25.el40:2.0.0.24-2.el5_40:1.0.9-0.40.el30:1.0.9-45.el4_80:1.5.0.12-0.7.el40:1.5.0.12-0.5.el40:1.5.0.12-6.el50:1.5.0.12-5.el50:1.0.9-0.5.el30:1.0.9-6.el40:0.0.13-0.37.20060817git.el51:1.6.0.0-1.7.b09.el50:9.3.4-6.P1.el50:1.0.3-3.el4_70:1.0.3-EL3.30:1.2.6-3.10:1.2.9-8.1.10:2.1.30-8.el4_6.10:2.3.27_2.2.29-8.el5_1.10:2.2.13-8.el4_6.10:2.3.27-8.el5_1.10:2.2.3-11.el5_1.30:4.3.2-40.ent0:5.1.6-11.el50:4.3.9-3.22.40:4.3p2-24.el50:3.9p1-8.RHEL4.241:3.0.0-3.2.el5_30:2.4.3-24.el5_3.60:2.3.4-14.7.el4_8.20:2.2.3-6.110:2.16.0-26.el50:3.6.4-8.el40:2.16.7-7.el50:0.12-21.el50:3.6.4-8.el50:2.14.2-7.el50:1.1.0-12.el50:1.9.2.4-10.el50:1.0.9-58.el4_80:1.0.9-0.55.el30:7.3.21-20:8.1.18-2.el5_4.10:7.4.26-1.el4_8.10:2.6.9-78.0.17.EL0:2.6.18-128.1.6.el57:3.5.4-13.el5_31:5.0.1-0.rc2.55.el5.11:5.0.1-0.rc2.55.el4_6.10:2.2.3-7.el51:2.0.46-67.ent1:2.0.52-32.2.ent1:2.2.3-7.el50:2.0.46-67.ent0:2.0.52-32.2.ent1:1.8.0.4-3jpp.61:2.0.4-5.7.0.3.01:2.0.4-5.4.250:2.2.1-21.el5_30:2.1.9-10.el4.70:2.1.4-12.el30:3.6.1-12.el4_8.40:3.5.7-33.el30:3.8.2-7.el5_3.40:10.25-2.1.el4_7.40:10.35-6.1.el5_3.10:83-105.el5_4.270:1.2.5-80:1.14.9-11.el4_70:1.14.9-5.el5_30:1.6.0-14.4_70:1.6.7-4.1.el5_2.40:5.0.77-3.el50:4.1.22-2.el40:2.5.2-6.el50:2.5.2-6.el40:2.4.21-50.EL0:2.6.18-8.1.4.el50:2.6.9-55.EL0:2.5.10-150:2.6.16-12.70:2.6.26-2.1.2.81:1.8.17-9.30:0.3.3-14.el5_3.10:0.11.1-6.el5_4.10:0.9.2-4.el4_8.10:8.1.8-1.el50:2.4.21-53.EL0:2.6.18-8.1.15.el50:2.6.9-55.0.12.EL0:2.6.18-8.1.10.el50:2.6.9-55.0.2.EL0:7.12.1-11.1.el4_8.10:7.10.6-10.rhel30:7.15.5-2.1.el5_3.50:1.1.1-48.76.el5_5.10:2.0.0.22-2.el5_30:1.5.0.12-23.el40:1.0.9-41.el40:1.0.9-0.37.el30:4.3.0-128.EL0:1.1.1-48.41.el5_2.10:6.8.2-1.EL.33.0.40:1.4.8-5.el5_2.30:1.4.8-5.el4_7.30:1.4.8-9.el30:3.0.9-1.el40:3.0.9-1.el50:1.9.0.9-1.el50:5.0.45-7.el51:1.0-10.el30:1.1.2-3.el5_1.20:1.1.0-3.el4_6.10:1.0.11-1.el5_5.50:1.0.11-1.el4_8.50:1.0.11-EL3.60:2.12a-17.el4_6.10:2.11y-31.240:2.13-0.45.el5_1.10:2.8.0-33.0.1.el50:2.0.5-7.0.7.el40:2.2.13-2.0.7.el50:1.2.3-20.9.el30:8.4.7-3.el4_6.10:8.1.4-92.80:8.3.5-92.80:3.2-92.80:8.4.13-5.el5_1.10:8.3-92.80:5.38.0-92.82:1.2.2-270:1.0.13-170:1.0.16-32:1.2.7-3.el42:1.2.10-7.0.20:2.6.18-194.8.1.el50:2.6.9-89.0.20.EL0:2.6.18-164.11.1.el50:7.4.17-1.RHEL4.10:8.1.9-1.el50:7.3.19-10:4.8.4-1.1.el4_80:3.12.6-1.el4_80:1.4.1-3.el5_4.80:0.9.7a-33.260:1.0.20-4.el4_8.70:0.9.8e-12.el5_4.60:0.9.7a-9.el5_4.20:3.12.6-1.el5_40:0.9.7a-43.17.el4_8.50:4.8.4-1.el5_40:2.0.46-77.ent0:2.2.3-31.el5_4.20:2.0.52-41.ent.60:2.0.0.16-1.el50:2.16.0-19.el50:1.5.0.12-0.19.el40:0.12-17.el50:1.5.0.12-14.el40:3.0-2.el50:1.0.9-0.20.el30:1.9-1.el50:1.0.9-16.3.el4_61:1.2.4-11.14.el5_1.60:2.3.7-7.el5_4.30:2.2.12-10.el4_8.40:1.0.2-14.el4_7.10:1.4.5-25.el30:1.8.0-37.el4_7.20:2.0.2-41.el4_7.20:1.12.3-10.el5_3.30:4.3.9-3.22.120:5.1.6-20.el5_2.10:4.3.2-48.ent0:2.6.14-1.el5_3.20:5.5.23-0jpp.3.0.2.el51:3.00-20.el40:0.5.4-4.4.el5_3.90:2.8.2-7.7.2.el4_7.41:2.02-14.el37:3.5.4-12.el5_31:1.1.22-0.rc1.9.27.el4_7.57:3.3.1-13.el41:1.3.7-8.el5_3.40:1.5.0.12-8.el40:1.5.0.12-0.10.el40:1.0.9-0.9.el30:1.5.0.12-8.el50:1.5.0.12-9.el50:1.0.9-9.el41:1.6.0.0-1.2.b09.el50:2.6.18-128.4.1.el50:15.5-16.RHEL30:15.5-15.1.el5_3.10:15.5-10.RHEL4.30:3.0-33.8.el5_5.50:1.0.7-67.190:2.0.2-22.0.1.EL4.160:1.0.2-14.el4_70:1.0.2-12.EL30:1.0.3-4.el5_20:1.5.0.12-0.1.el40:0.12-11.el50:1.5.0.12-1.el50:1.0.9-2.el40:1.0.9-0.1.el30:0.10-0.8.el40:2.16.0-15.el50:2.4.21-57.EL0:2.6.9-67.0.15.EL0:2.6.18-53.1.19.el50:3.0.10-1.4E.12.20:3.0.9-1.3E.13.20:3.0.23c-2.el5.2.0.20:2.6.18-164.15.1.el51:1.6.0.0-1.11.b16.el51:2.0.5-6.2.el41:1.2.3-20.3.el32:2.2.13-2.el50:2.6.9-78.0.8.EL0:2.6.18-92.1.13.el50:3.0.16-1.el5_40:1.0.9-51.el4_80:1.9.0.16-2.el5_40:3.0.16-4.el40:1.0.9-0.48.el30:1.5-230:1.3.4-460:1.2.7-610:1.6.1-31.el5_3.30:2.02-11.el30:2.8.2-7.7.17:3.3.1-6.el4_51:3.00-14.el40:1.2.4-11.14.el5_1.30:0.5.4-4.3.el5_10:2.0.2-22.0.1.EL4.100:1.1.22-0.rc1.9.20.2.el4_5.20:3.0-33.2.el5_1.20:4.2.0.a.20040617-8.el4_7.10:4.2.2p1-9.el5_3.10:1.8.5-5.el5_2.50:1.8.1-7.el4_7.10:1.6.8-13.el32:2.2.10-1.2.1.el4_72:2.0.16-14.1.RHEL32:2.3.3-2.1.el5_20:3.0.12-1.el5_30:3.0.12-1.el40:1.9.0.12-1.el5_30:2.6.9-89.0.25.EL0:2.6.18-194.3.1.el50:1.0.4-4.el4_6.10:1.0.5-4.el5_1.10:2.6.16-12.60:2.5.10-140:2.6.26-2.1.2.70:1.18-0.1.beta1.el5_3.21:1.6.0.0-0.30.b09.el50:1.1.5-10.6.0.7.EL4.30:1.1.2-46.2.0.EL31:2.0.4-5.7.0.6.1.el4_8.31:2.3.0-6.11.el5_4.40:1.2.2-1.0.3.el5_10:6.8.2-1.EL.33.0.20:4.3.0-126.EL0:3.0.25b-1.el4_6.50:3.0.9-1.3E.150:3.0.28-1.el5_2.10:8.15.2-9.4.el5_3.70:3.1.8-2.el50:3.1.8-2.el40:2.6.18-8.1.3.el50:2.16.0-14.0.1.el50:1.5.0.10-1.el50:1.5.0.10-2.el50:0.12-10.0.1.el50:1.0.8-0.2.el30:1.0.8-0.2.el40:1.5.0.10-0.1.el40:0.10-0.7.el40:1.5.0.12-0.3.el40:1.5.0.12-3.el50:1.0.9-4.el40:1.0.9-0.3.el30:4.3.2-54.ent0:4.3.9-3.290:5.1.6-24.el5_4.50:2.5.8-1.el50:2.5.8-1.el40:1.1.5-10.6.0.1.EL40:1.1.2-39.2.0.EL31:2.0.4-5.4.17.21:2.0.4-5.7.0.1.0^3.*$^4.*$^4\D.+$^3\D.+$0:3.0.5-1.el5_20:3.0.5-1.el40:2.0.0.19-1.el5_20:1.0.9-0.29.el30:1.9.0.5-1.el5_20:4.7.3-1.el40:4.7.3-2.el50:3.12.2.0-2.el50:1.0.9-32.el40:1.5.0.12-18.el40:3.12.2.0-1.el4^5.*$unix^5\D.+$0:3.0.3-41.el5_1.5