From jimbysharp at gmail.com Mon Oct 1 05:37:33 2007
From: jimbysharp at gmail.com (Jimby Sharp)
Date: Mon, 1 Oct 2007 10:07:33 +0530
Subject: [Full-disclosure] Trolls food
In-Reply-To: <985b1a3d0709301310k542c1b47vf7e5ce7273fa16fc@mail.gmail.com>
References: <003101c801fa$d5535840$b800a8c0@cybergeneration.com>
	<3eab9ed60709300848m5a386701u3560d2015a3c106b@mail.gmail.com>
	<985b1a3d0709301310k542c1b47vf7e5ce7273fa16fc@mail.gmail.com>
Message-ID: <3eab9ed60709302137k1e9a09mc210310ab7a745b4@mail.gmail.com>

Stop writing useless mails for heaven's sake!

On 10/1/07, Guasconi Vincent wrote:
> Stop writing useless mails !
>
> On 9/30/07, Jimby Sharp wrote:
> > i suggest you stop adding to the noise by writing the same useless
> > shit as countless others before you
> >
> > On 9/30/07, poo wrote:
> > > i suggest you stop adding to the noise by writing the same useless shit as
> > > countless others before you
> > >
> > > On 9/28/07, Maxime Ducharme wrote:
> > > >
> > > > Hi to the list
> > > >
> > > > Got a suggestion
> > > >
> > > > I suggest not to respond to trolls on the list
> > > > (or the "noise" on this list)
> > > >
> > > > Responding to them is in fact feeding them
> > > >
> > > > Trolls like spam, the more we reply to shut down
> > > > their mouth, the more they will open it
> > > >
> > > > If I receive a viagra/cialis offer, i do not reply
> > > >
> > > > this is the same for what we can consider as "noise",
> > > > do not reply
> > > >
> > > > Take a coffee (or water/tea/beer/scotch/...), relax, laugh a little then
> > > > press the DEL button ;-)
> > > >
> > > > many still post very useful information, and I thank these people
> > > > for sharing the information
> > > >
> > > > I repeat this is a suggestion
> > > >
> > > > Have a nice day everyone
> > > >
> > > > Maxime
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > --
> > > smile tomorrow will be worse
>
> --
> Guasconi Vincent
> Etudiant.

From jimbysharp at gmail.com Mon Oct 1 05:42:09 2007
From: jimbysharp at gmail.com (Jimby Sharp)
Date: Mon, 1 Oct 2007 10:12:09 +0530
Subject: [Full-disclosure] New term "RDV" is born
In-Reply-To: <985b1a3d0709301241r67ee962crc3abcca8d80ff919@mail.gmail.com>
References: <67ea64530709270644ka5e9a26p32373d824b15e3e6@mail.gmail.com>
	<67ea64530709280929t7732f7e8u8699706733ef4cf5@mail.gmail.com>
	<18695.1191000270@turing-police.cc.vt.edu>
	<985b1a3d0709301241r67ee962crc3abcca8d80ff919@mail.gmail.com>
Message-ID: <3eab9ed60709302142x7fd60b16q8e21af4db953b0dd@mail.gmail.com>

You know nothing. It is
http://uncyclopedia.org/wiki/RUAASETXCSDFGASRTVBFDGRDSGFVDB-day

Now be a good boy and stop spamming. :-|

On 10/1/07, Guasconi Vincent wrote:
> On 9/28/07, Valdis.Kletnieks at vt.edu wrote:
> > On Fri, 28 Sep 2007 17:29:51 BST, worried security said:
> >
> > > Two months is still recently. Think about "In recent history we invaded
> > > Iraq", "In recent times terrorism has become more prominent".
> >
> > The real problem here is that "0-day" originally meant "previously undisclosed
> > vulnerability/exploit". The term lost its usefulness when all the hacker
> > wannabes started posting "I found a 0-day", when what they really had was
> > a "*yawn*-we've-been-waiting-18-months-for-vendor-to-fix-day".
>
> Yes, it's a YWVBW18MFVTF-day. I know that.
> http://uncyclopedia.org/wiki/YWVBW18MFVTF-day
>
> --
> Guasconi Vincent
> Etudiant.

From fareeduddin.ahmad at gmail.com Mon Oct 1 10:13:38 2007
From: fareeduddin.ahmad at gmail.com (Fareeduddin Ahmad)
Date: Mon, 1 Oct 2007 12:13:38 +0300
Subject: [Full-disclosure] Netscreen 5400
Message-ID: <332d6cf90710010213p584b6094l237874b9ff419a1b@mail.gmail.com>

Hi guys,

The CPU utilization of our Netscreen 5400 suddenly went up from 5% to 54% -
up to 81%. Now it's moving between 33% and 81%. What are all the reasons the
firewall could be doing this? Any suggestions?

Thanks.
Fareed
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/782086e6/attachment.html

From admin at vulntrac.com Mon Oct 1 14:35:24 2007
From: admin at vulntrac.com (Brian Toovey)
Date: Mon, 1 Oct 2007 09:35:24 -0400
Subject: [Full-disclosure] Netscreen 5400
In-Reply-To: <332d6cf90710010213p584b6094l237874b9ff419a1b@mail.gmail.com>
References: <332d6cf90710010213p584b6094l237874b9ff419a1b@mail.gmail.com>
Message-ID: <3a335a850710010635s5894253eq5d46a68ab0b0495d@mail.gmail.com>

On 10/1/07, Fareeduddin Ahmad wrote:
> Hi guys,
>
> The CPU utilization of our Netscreen 5400 suddenly went up from 5% to 54% -
> up to 81%. Now it's moving between 33% and 81%. What are all the reasons the
> firewall could be doing this?

Policies related to ALG.
Brian

--
Brian Toovey
admin at vulntrac.com
http://vulntrac.com

From andy.davis at irmplc.com Mon Oct 1 17:58:50 2007
From: andy.davis at irmplc.com (Andy Davis)
Date: Mon, 1 Oct 2007 17:58:50 +0100
Subject: [Full-disclosure] High-Level Reverse Engineering whitepaper
Message-ID: <7B01ACCEDD4FFE48B12A55E2DB16A9301D7FED@dccheltenham.local.irmplc.com>

This paper aims to present a methodical framework for high-level reverse
engineering. The methodology is a culmination of existing tools and techniques
within the IT security research community, which presents ways to identify
process operation at a higher level of abstraction than traditional binary
reversing. Here, we focus our attention on application DLLs and the functions
that they implement and export, which includes process interactions with other
applications and various operating system function calls. We use existing tools
and techniques to derive ways of quickly identifying how applications are
constructed, the functions that they use and how they use them. Following this
high-level reverse engineering, the researcher is then free to take further
steps at reversing specific functions with the more traditional lower-level
binary analysis.

The key tools required and used throughout the methodology are the Universal
Hooker (uhooker) by Core Security Technologies [1], the Interactive Disassembler
(IDA) [2] and the OllyDbg debugger [3]. It is assumed that the reader is already
familiar with these tools. Further information on these tools and their
operation can be found in the references section at the end of this document.

The full paper can be downloaded here:
http://www.irmplc.com/index.php/69-Whitepapers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/c2ba1a9c/attachment.html

From waldoalvarez00 at gmail.com Mon Oct 1 18:27:59 2007
From: waldoalvarez00 at gmail.com (wac)
Date: Mon, 1 Oct 2007 13:27:59 -0400
Subject: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
In-Reply-To: <5031B661-FD4E-44E6-A112-4B7BBE94585C@gmail.com>
References: <3eab9ed60709280934o1da17b8bm44f8a5db7552cdf0@mail.gmail.com>
	<5031B661-FD4E-44E6-A112-4B7BBE94585C@gmail.com>
Message-ID:

Hello:

On 9/29/07, Andrew Farmer wrote:
>
> If your bank is doing financial calculations using Javascript in a
> standard web browser, you have bigger things to worry about than
> roundoff errors.

Ok, let's explain this with more details because I realize that you got
something else (and it might be the case for others). I was not referring to
banks performing all of the calculations in the browser. That would be insane
because users would be manipulating that for sure, changing a couple of web
pages. A bank would not last a single day on the internet in such a case. I was
commenting to you about some calculations done in your browser so you don't
have to make them in your head, your operating system calculator or a pocket
calculator. Taxes and other kinds of financial calculations, for example. Hey,
I could add a financial calculator on one side of a page so you don't have to
pick one. I don't know which calculus you could do, I'm not a banker (not yet.
I tell you by then). The browser can do that kind of thing better than you. I
don't know an exact example but it could be the case. Remember there are a
zillion websites out there. All the bank needs to be sure of is that all of the
movements you do do not exceed your balance. If you (or your browser),
intentionally or not, perform the calculation wrong... Well... that is your
problem. You won't steal money from the bank with that.
And that kind of thing is very likely to be put into the browser more and more
with AJAX, SilverLight and all of them, just to prevent mistakes in the first
place. It's the trend. So a rounding bug in javascript (in such a case) could be
really serious.

Also notice that if there is really a problem in the FF javascript engine it
goes beyond the browser. You could run Tamarin, Spidermonkey or Rhino on the
server side and perform some processing there with javascript.

http://developer.mozilla.org/en/docs/About_JavaScript

"Another common application for JavaScript is as a (web) server side scripting
language. A JavaScript web server would expose host objects representing a HTTP
request and response objects, which could then be manipulated by a JavaScript
program to dynamically generate web pages."

I based my previous comments on comments from some other persons but not on my
tests. I tried this code and it is giving me the same result
(5.1000000000000005) in IE 6, FF 2.0.0.7 and Opera 9.23:

This one is giving me the same numbers too in every browser:

arrf

So it seems to me that IE is actually performing those calculations with higher
precision only when used as a calculator (directly in the address box) but not
in javascript code (fortunately). However, let me know if you find something.
I'm interested and would like to be aware of it.

As a side comment I wanted to tell you that what is out there on the internet
is not a standard. It's what IE dictates. IE rules the internet whether you
like it or not. It comes from a big one and also comes preinstalled. That's why
it holds a big share of the market. It imperates and has a lot of pressure on
the content published on the internet. As IE adapts to the web, the web also
adapts to IE.

As another side comment about the FP math. Well, don't worry, I already did
that some time ago. While I'm not the expert in numeric math, that was the
first part of the first course of numeric math in my second year.
As a curiosity, and also a very usual mistake, in FP math a + b + c is not
always equal to a + c + b. You must sort the numbers before doing that and do
the calculus from lower to higher if you want the most accurate results. Yes,
FP math is tricky sometimes and a lot of care must be taken with it since it is
not real math but approximations. For example, sometimes you need to make
transformations to equations or use Taylor. It might look boring at first sight
but when you look closer you realize that it is very important and catches your
eye.

Regards
Waldo Alvarez
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/5681b0fd/attachment.html

From waldoalvarez00 at gmail.com Mon Oct 1 18:33:20 2007
From: waldoalvarez00 at gmail.com (wac)
Date: Mon, 1 Oct 2007 13:33:20 -0400
Subject: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
In-Reply-To: <3eab9ed60709292325x152bee2akdd41faac7e8705fe@mail.gmail.com>
References: <3eab9ed60709280934o1da17b8bm44f8a5db7552cdf0@mail.gmail.com>
	<5031B661-FD4E-44E6-A112-4B7BBE94585C@gmail.com>
	<3eab9ed60709292325x152bee2akdd41faac7e8705fe@mail.gmail.com>
Message-ID:

>
> If I use strcpy() to read user input into a buffer, I am at fault and
> not C compiler.

I don't think that's a fair comparison.
If you make the right algorithm and you do not get the expected results it *is*
not your fault but what you are sitting at (compiler, framework, library ...).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/84590c6d/attachment.html

From Valdis.Kletnieks at vt.edu Mon Oct 1 18:51:22 2007
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 01 Oct 2007 13:51:22 -0400
Subject: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
In-Reply-To: Your message of "Mon, 01 Oct 2007 13:33:20 EDT."
References: <3eab9ed60709280934o1da17b8bm44f8a5db7552cdf0@mail.gmail.com>
	<5031B661-FD4E-44E6-A112-4B7BBE94585C@gmail.com>
	<3eab9ed60709292325x152bee2akdd41faac7e8705fe@mail.gmail.com>
Message-ID: <5795.1191261082@turing-police.cc.vt.edu>

On Mon, 01 Oct 2007 13:33:20 EDT, wac said:
> >
> > If I use strcpy() to read user input into a buffer, I am at fault and
> > not C compiler.
> >
> I don't think that's a fair comparison.
> If you make the right algorithm and you do not get the expected
> results it *is* not
> your fault but what you are sitting at (compiler, framework, library ...).

No, it's still your fault. The *actual* semantics of strcpy() are well
documented - if you use it incorrectly because your mental model of what the
"expected" results are is broken, you're to blame. It's only the library's
fault if the provided strcpy() does not in fact provide the actual documented
semantics. It isn't required to implement the semantics the programmer
*thought* it had.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/1276e9ec/attachment.bin

From aluigi at autistici.org Mon Oct 1 20:31:38 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Mon, 1 Oct 2007 21:31:38 +0200
Subject: [Full-disclosure] Unexploitable buffer-overflow in America's Army 2.8.2 through PB
Message-ID: <20071001213138.366f623f.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  America's Army and America's Army Special Forces
              http://www.americasarmy.com
Versions:     <= 2.8.2
Platforms:    Windows, Linux and Mac
Bugs:         unexploitable buffer-overflow in the logging function
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army is a realistic FPS game based and developed just by the
U.S. Army (http://www.goarmy.com).

#######################################################################

======
2) Bug
======

This bug is the same reported here:
http://aluigi.org/adv/unrwebdos-adv.txt

What changes now is the possibility of exploiting it also in this
specific game (since it doesn't support, or doesn't seem to support, the
web service used as the way for exploiting the bug in that advisory)
and anonymously from outside the server with a single UDP packet.

The only requirement is the running of Punkbuster on the server, while
for exploiting the vulnerability the PB_Y (YPG server) or the PB_U
(UCON) packets with a content of about 1024 bytes will be used.
There also exists another minor problem which can be exploited only
versus the Windows dedicated server (ever with Punkbuster enabled),
since the chars printed on the console are not filtered, so using
invalid chars or 0x07 (the bell) can cause the freezing of the entire
server.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/aaboompb.zip

#######################################################################

======
4) Fix
======

No fix.
The bug has been public since 18 Aug 2007 and the developers of the
engine have been aware of it since some weeks before that date.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

From aluigi at autistici.org Mon Oct 1 20:31:43 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Mon, 1 Oct 2007 21:31:43 +0200
Subject: [Full-disclosure] Format string in F.E.A.R. 1.08 through PB
Message-ID: <20071001213143.b205fe10.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  F.E.A.R. (First Encounter Assault Recon)
              http://www.whatisfear.com
Versions:     <= 1.08
Platforms:    Windows and Linux
Bug:          format string
Exploitation: remote, versus server with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

F.E.A.R. is the most recent FPS game developed by Monolith
(http://www.lith.com).
#######################################################################

======
2) Bug
======

This bug is nothing new, moreover considering that it has been public
since as far back as 2004, when this game was still a beta:
http://aluigi.org/adv/lithfs-adv.txt

What changes this time is the type of exploitation and the derived
advantages, since now the attack is completely anonymous from outside
the server using only one UDP packet.

When Punkbuster is enabled on a server (true for many public servers) it
visualizes the content of some incoming packets using the game's
console. The Punkbuster packets needed for forcing the visualization of
a custom string in the console are PB_Y (YPG server) and PB_U (UCON),
while in the past it was ok to use PB_P too, which has recently been
made no longer verbose, probably due to its abuse by people for spamming
servers (which is naturally still possible with the above packets).

As already said this is a bug in the Lithtech engine and NOT in
Punkbuster, which is used only as a "way" for exploiting it.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/fearfspb.zip

#######################################################################

======
4) Fix
======

No fix.
The bug has never been "really" patched although it has been public for
3 years.
#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

From aluigi at autistici.org Mon Oct 1 20:31:32 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Mon, 1 Oct 2007 21:31:32 +0200
Subject: [Full-disclosure] Format string in the Doom 3 engine through PB
Message-ID: <20071001213132.f0f3e568.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  Doom 3 engine
Games:        Doom 3 (http://www.doom3.com) <= 1.3.1
              Quake 4 (http://www.quake4game.com) <= 1.4.2
              Prey (http://www.prey.com) <= 1.3
              Enemy Territory: Quake Wars NOT VULNERABLE
Platforms:    Windows, Linux and Mac
Bug:          format string
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Doom 3 engine (formerly known as id Tech 4) is the latest version of
the famous game engine developed by ID Software
(http://www.idsoftware.com) and used in some recent games:
http://en.wikipedia.org/wiki/Id_Tech_4

#######################################################################

======
2) Bug
======

The function which visualizes the strings on the game's console is
vulnerable to a format string vulnerability, something similar to:

  snprintf(buff, 1024, string);

Usually this is not a problem since the engine uses some functions and
tricks to avoid the visualization of the % char, like dropping it or
inserting a space between it and the subsequent char. But there is a
way for bypassing this limitation, with also the better advantages of
doing it anonymously and with only one single spoofable UDP packet:
Punkbuster.
When Punkbuster is active on a server (practically almost all the public
servers) it visualizes the content of some incoming packets using the
game's console. The Punkbuster packets needed for forcing the
visualization of a custom string in the console are PB_Y (YPG server)
and PB_U (UCON), while in the past it was ok to use PB_P too, which has
recently been made no longer verbose, probably due to its abuse by
people for spamming servers (which is naturally still possible with the
above packets).

As already said this is a bug in the Doom 3 engine and affects both
dedicated and non-dedicated servers, so it is NOT a Punkbuster bug:
Punkbuster is used only as a "way" for reaching a zone of the code
otherwise unexploitable.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/d3engfspb.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers.
#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

From aluigi at autistici.org Mon Oct 1 20:31:00 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Mon, 1 Oct 2007 21:31:00 +0200
Subject: [Full-disclosure] Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9
Message-ID: <20071001213100.160d44b7.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  FSD
              http://www.mcdu.com/en/download.php
Versions:     <= "V2.052 d9" (original FSD) and "V3.000 d9" (FSFDT FSD)
Platforms:    Windows and *nix
Bugs:         A] buffer-overflow in exechelp
              B] buffer-overflow in execmulticast
Exploitation: remote
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

FSD is an (the only?) open source Flight Simulator server.
An interesting story about it is available here:
http://www.vatpac.org/administration/history.htm

#######################################################################

=======
2) Bugs
=======

------------------------------
A] buffer-overflow in exechelp
------------------------------

A buffer-overflow vulnerability caused by the usage of strcpy() on a
stack buffer of 100 bytes is exploitable through the HELP command on
port 3010.

from sysuser.cpp:

void sysuser::exechelp(char **array, int count)
{
	int copymode=0, topicmode=0, globalmode=0;
	char topic[100],line[100];
	char *s=(count>0)?array[0]:(char *)NULL;
	if (s) strcpy(topic,s); else
	...
-----------------------------------
B] buffer-overflow in execmulticast
-----------------------------------

Another stack buffer-overflow with another buffer of 100 bytes is
exploitable through the sending of various commands to port 6809 which
call the sendmulticast function.

from servinterface.cpp:

int servinterface::sendmulticast(client *source, char *dest, char *s,
	int cmd, int multiok, absuser *ex)
{
	client *destination=NULL;
	char data[1000], servdest[100];
	...
	switch (dest[0])
	{
		case '@':
		case '*':
			if (!multiok) return 0;
			strcpy(servdest, dest);
			break;
		default:
			sprintf(servdest,"%%%s",dest);
	...

#######################################################################

===========
3) The Code
===========

A] connect with nc or telnet to port 3010 (sometimes it can be 3011,
   but it's easy to recognize since it shows a "FSD>" prompt) and then
   send:

  HELP aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...(more_than_100_'a's)...aaaa

B] connect with nc or telnet to port 6809, now you must log in or create
   a new user, but it seems that all usernames and passwords are
   available on port 3011 (or 3012) where they are sent just when you
   connect:

  #AAcallsign::ident:122222:122222:1:9
  $PIcallsign:aaaaaaaaaaaaaaaaaaaaaaaaaaaaa...(more_than_100_'a's)...aaaa

(in the above example the first 122222 is the CID and the second one is
the password)

#######################################################################

======
4) Fix
======

No fix.
No reply from the current maintainers (MCDU).

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

From nicolas.waisman at immunityinc.com Mon Oct 1 19:56:00 2007
From: nicolas.waisman at immunityinc.com (Nicolas Waisman)
Date: Mon, 1 Oct 2007 13:56:00 -0500
Subject: [Full-disclosure] Immunity Debugger v1.2 Release
Message-ID: <20071001185600.GB26639@mail.immunityinc.com>

This release we include a flurry of new exciting features!
We are proud to announce the first beta version of our free Vista Heap
Library, which supports the new 'Freelist' and Low Fragmentation Chunk.
Check out the new usage of the !heap command for more details.

Also included in this release is the new recognition library using
heuristic patterns, with a huge database of known windows static
functions. Immunity Debugger includes this library both as a PyCommand
(use !recognize) and as a function for scripting (use
searchFunctionByHeuristic). As an example usage, imagine you want to
release your own script and set a breakpoint on an unnamed function
which might move or change slightly across different versions of the
program. Using Immunity Debugger's API you can get the heuristic out of
the function and do:

    address = imm.searchFunctionByHeuristic( heuristic )
    imm.setBreakpoint( address )

Finally, we include our own small version of peid called !findpacker,
using Ero Carrera's pefile and Bob's UserDB with around 1300 signatures
for packers, cryptors and other loaders.

Immunity is also moving the deadline for the PyCommands contest to the
10th of December to give you more time to use the new features.

Thanks for using Immunity Debugger! We hope you enjoy this month's
release. You can upgrade your current Immunity Debugger by going to
Help/Update or by directly downloading the new installer from
http://debugger.immunityinc.com/register.html

Don't forget to check out the Immunity Forum
(http://forum.immunityinc.com) for more examples, feedback, cool
screenshots, etc.
Thanks
Immunity Debugger Team

1.20 Build 0    October 1, 2007

New Features:

- Immunity Debugger API
  o immlib.getThreadId() method added: return the current debuggee thread id
  o immlib.getCallTree() method added: return the call tree for given address
  o immlib.setFocus() method added: focus ID window
  o immlib.isValidHandle() method added: check if a HWND is still valid
  o immlib.getInfoPanel() method added: get information from panel window
    and optionally receives a type flag to force the kind of comment fetched.
  o imm.findPacker() method added: find packers/cryptors on a file or a
    loaded module
  o imm.getMemoryPagebyOwner(): Find all the memory pages belonging to a module.
  o immlib.ps() returns two extra objects: the tcp list and the udp list
  o immlib.getComment() now will try to fetch all types of comments
  o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint is
    hit (Decoding events timeline)
  o New Vista support for libheap
  o Custom Tables has "Clear Window" menu now
  o Added several methods from librecognize

- PyCommands
  o findpacker added. (Use of findPacker to get Packers from a module)
  o recognize added. (Function Recognizing using heuristic patterns)
  o Hippie now can filter by heap
  o heap updated to work with new Vista Heap
  o Optimized code for stackvars (Memory usage reduction during runtime)

- Core
  o Pyshell can be focused once created with alt-F11
  o Shortcut for attach process added: Ctrl+F1
  o Added librecognition.py (Library for function recognizing)

- Graph
  o immvcglib.generateGraphFromBuf() method added: play with your own vcg files!
  o Redesign of VCG parser: easier to read, easier to use.
Bug Fixes:

  o Return value (HWND) of createTable
  o Fixed Attach Search Filtering:
    http://forum.immunityinc.com/index.php?topic=49.0
  o Grapher: Vertex lastline jumps correctly displayed now
  o Fixed crash when searching on modules:
    http://forum.immunityinc.com/index.php?topic=63.0
  o Fixed search issue on protected binary:
    http://forum.immunityinc.com/index.php?topic=34
  o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
  o Fixed PyString_AsString() misbehaviour
  o Fixed PyCommand Gui Arguments box to receive \x00 as argument
  o Fixed imm.getModulebyAddress() to receive any module address and not
    only the module entry point
    http://forum.immunityinc.com/index.php?topic=74.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/7f519874/attachment.bin

From dudevanwinkle at gmail.com Mon Oct 1 21:21:37 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Mon, 1 Oct 2007 16:21:37 -0400
Subject: [Full-disclosure] Testing DidTheyReadIt.com
In-Reply-To:
References: <998832236.20070929141509@Zoller.lu>
Message-ID:

On 9/29/07, Morning Wood wrote:
> Outlook Express blocks this by default, unless you click
> the "show images" dialog thingie

Same with gmail

-JP

From security at mandriva.com Mon Oct 1 21:31:08 2007
From: security at mandriva.com (security at mandriva.com)
Date: Mon, 01 Oct 2007 14:31:08 -0600
Subject: [Full-disclosure] [ MDKSA-2007:191 ] - Updated libsndfile packages fix vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:191
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libsndfile
 Date    : October 1, 2007
 Affected: 2007.0, 2007.1
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow in libsndfile could allow remote attackers
 to execute arbitrary code via a FLAC file with crafted PCM data which
 contains a block with a size exceeding that of the previous block.

 Updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4974
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 24100ae70e6966132dd2df9c1b232888  2007.0/i586/libsndfile-progs-1.0.17-2.1mdv2007.0.i586.rpm
 c5c705acb80947a1eb97755a1327e83c  2007.0/i586/libsndfile1-1.0.17-2.1mdv2007.0.i586.rpm
 5958c9bb24d22926f68f7f92ee2571c9  2007.0/i586/libsndfile1-devel-1.0.17-2.1mdv2007.0.i586.rpm
 71dfb4edb740b99a32667606048b055b  2007.0/i586/libsndfile1-static-devel-1.0.17-2.1mdv2007.0.i586.rpm
 5f738e2181c2e32c75bc0213a8c28c0d  2007.0/SRPMS/libsndfile-1.0.17-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 0e642cd6090fe922f058b246c93efcd8  2007.0/x86_64/lib64sndfile1-1.0.17-2.1mdv2007.0.x86_64.rpm
 23841c5fb2828c9205488b1c6755cbea  2007.0/x86_64/lib64sndfile1-devel-1.0.17-2.1mdv2007.0.x86_64.rpm
 7836510356ed0f325ff23dbc329005a1  2007.0/x86_64/lib64sndfile1-static-devel-1.0.17-2.1mdv2007.0.x86_64.rpm
 98f6ed8e57c9fd0f1f9dd377ad766813  2007.0/x86_64/libsndfile-progs-1.0.17-2.1mdv2007.0.x86_64.rpm
 5f738e2181c2e32c75bc0213a8c28c0d  2007.0/SRPMS/libsndfile-1.0.17-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 04da55eb81107b358e3309d8dd82264b  2007.1/i586/libsndfile-progs-1.0.17-5.1mdv2007.1.i586.rpm
 f26b54c27ca835daf206fbfe43f4129e  2007.1/i586/libsndfile1-1.0.17-5.1mdv2007.1.i586.rpm
 2d10c1398d7fde98919a7c181fae5db3  2007.1/i586/libsndfile1-devel-1.0.17-5.1mdv2007.1.i586.rpm
 58eb5002ea5e1a1a2331018addcf83fd  2007.1/i586/libsndfile1-static-devel-1.0.17-5.1mdv2007.1.i586.rpm
 50e0901b2142c229a8c0564feb1bb550  2007.1/SRPMS/libsndfile-1.0.17-5.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 7ade2e35ca8c79740df74248fe15d83f  2007.1/x86_64/lib64sndfile1-1.0.17-5.1mdv2007.1.x86_64.rpm
 0d3a26b5f9b92029d35760cee29847a4  2007.1/x86_64/lib64sndfile1-devel-1.0.17-5.1mdv2007.1.x86_64.rpm
 d5dc6aae1605789598b9d7c7c4910dab  2007.1/x86_64/lib64sndfile1-static-devel-1.0.17-5.1mdv2007.1.x86_64.rpm
 4476ecc80e248574f4a1af631024ddfd  2007.1/x86_64/libsndfile-progs-1.0.17-5.1mdv2007.1.x86_64.rpm
 50e0901b2142c229a8c0564feb1bb550  2007.1/SRPMS/libsndfile-1.0.17-5.1mdv2007.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHAS6RmqjQ0CJFipgRAruqAJ0YYFCi9JfIOmXa8QVJlMVdghSb3gCg28jY
vBAAT39DVZDVBK8HBuwcwYg=
=XBET
-----END PGP SIGNATURE-----

From Thierry at Zoller.lu Mon Oct 1 22:56:18 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Mon, 1 Oct 2007 23:56:18 +0200
Subject: [Full-disclosure] Testing DidTheyReadIt.com
In-Reply-To: <13524.1191250625@turing-police.cc.vt.edu>
References: <998832236.20070929141509@Zoller.lu>
	<23229.1191128269@turing-police.cc.vt.edu>
	<19510224178.20070930120930@Zoller.lu>
	<13524.1191250625@turing-police.cc.vt.edu>
Message-ID: <1749970633.20071001235618@Zoller.lu>

Dear Nick,

Thank you for your insight on this, I think it
should be clear to anybody that if you display just text it should be useless; the stats prove you wrong though.

- Some people like clicking on links even if they are simply displayed.
- Some mailing list mirrors do not remove the image, thus I get referers from www sites (talk about cross mail archive injection..or whatever)
- Some gateways retrieve the image (possibly prior to sending the mail to the recipient?) A wonderful way to find out what GW software they use.

>This is an example of a service that, in general, should not work, and
>in future will be increasingly more useless, I think.

Tell this to USCERT, F-SECURE and Microsoft, both registered in the stats; again a wonderful proof that theory is far behind real life.

Stats are still coming in from various areas, mostly MAC users though (no pun intended)

Who is interested in the stats ?

>In the meantime, all (???) those using it should be asking what kind of
>data leakage they are exposing themselves to, through possible message
>content scanning and sender/receiver address usage patterns, among
>others.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From anshu.pg at gmail.com Mon Oct 1 23:02:07 2007
From: anshu.pg at gmail.com (Anshuman G)
Date: Tue, 2 Oct 2007 03:32:07 +0530
Subject: [Full-disclosure] Testing DidTheyReadIt.com
In-Reply-To: <1749970633.20071001235618@Zoller.lu>
References: <998832236.20070929141509@Zoller.lu> <23229.1191128269@turing-police.cc.vt.edu> <19510224178.20070930120930@Zoller.lu> <13524.1191250625@turing-police.cc.vt.edu> <1749970633.20071001235618@Zoller.lu>
Message-ID:

Meeeee :) and I think lots of people are interested.

Regards,
Anshu

On 10/2/07, Thierry Zoller wrote:
>
> Who is interested in the stats ?
> From security at mandriva.com Tue Oct 2 00:52:58 2007 From: security at mandriva.com (security at mandriva.com) Date: Mon, 01 Oct 2007 17:52:58 -0600 Subject: [Full-disclosure] [ MDKSA-2007:192 ] - Updated mplayer packages fix vulnerability Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:192 http://www.mandriva.com/security/ _______________________________________________________________________ Package : mplayer Date : October 1, 2007 Affected: 2007.0, 2007.1 _______________________________________________________________________ Problem Description: A heap-based buffer overflow was found in MPlayer's AVI handling that could allow a remote attacker to cause a denial of service or possibly execute arbitrary code via a crafted .avi file. Updated packages have been patched to prevent this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4938 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 664764460655f8fa3ffe837fe1c753c4 2007.0/i586/libdha1.0-1.0-1.pre8.13.5mdv2007.0.i586.rpm 92e7649f53c13651062b76f33b093f16 2007.0/i586/mencoder-1.0-1.pre8.13.5mdv2007.0.i586.rpm ea399734d197db1b88a8706ad9bf855a 2007.0/i586/mplayer-1.0-1.pre8.13.5mdv2007.0.i586.rpm 9d751d448cf399915dc11233f291bed5 2007.0/i586/mplayer-gui-1.0-1.pre8.13.5mdv2007.0.i586.rpm c015287479e38ccf22e271b3e97cc3ac 2007.0/SRPMS/mplayer-1.0-1.pre8.13.5mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: a841c634484003178dbe3edcf04250fb 2007.0/x86_64/mencoder-1.0-1.pre8.13.5mdv2007.0.x86_64.rpm 0c59b24ecd8977087b546ad373b5c556 2007.0/x86_64/mplayer-1.0-1.pre8.13.5mdv2007.0.x86_64.rpm 8a9e6cd4f9b438470a08f770a6f3faca 2007.0/x86_64/mplayer-gui-1.0-1.pre8.13.5mdv2007.0.x86_64.rpm c015287479e38ccf22e271b3e97cc3ac 
2007.0/SRPMS/mplayer-1.0-1.pre8.13.5mdv2007.0.src.rpm Mandriva Linux 2007.1: 1f9dba71ed8296072bbb29a276b24349 2007.1/i586/libdha1.0-1.0-1.rc1.11.3mdv2007.1.i586.rpm b679aa7cfb01a9173539045c7ae06a42 2007.1/i586/mencoder-1.0-1.rc1.11.3mdv2007.1.i586.rpm 518690338f0b044e2e591f9cc49c3eab 2007.1/i586/mplayer-1.0-1.rc1.11.3mdv2007.1.i586.rpm 54a46f319a936e2e94c833385dc01b92 2007.1/i586/mplayer-doc-1.0-1.rc1.11.3mdv2007.1.i586.rpm bd9470eb57ee6ced6a9e3358d8d47484 2007.1/i586/mplayer-gui-1.0-1.rc1.11.3mdv2007.1.i586.rpm 3e6887feff803bc3a3efe864842e0679 2007.1/SRPMS/mplayer-1.0-1.rc1.11.3mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: af0ee01741af03a7a75b6a5289dbca9d 2007.1/x86_64/mencoder-1.0-1.rc1.11.3mdv2007.1.x86_64.rpm 0e7e5f18937ebd4a050a683da5116e3e 2007.1/x86_64/mplayer-1.0-1.rc1.11.3mdv2007.1.x86_64.rpm 4eeb75257e99b553e90b2c767fce6903 2007.1/x86_64/mplayer-doc-1.0-1.rc1.11.3mdv2007.1.x86_64.rpm 2604e564242de95388b4e543624db4dc 2007.1/x86_64/mplayer-gui-1.0-1.rc1.11.3mdv2007.1.x86_64.rpm 3e6887feff803bc3a3efe864842e0679 2007.1/SRPMS/mplayer-1.0-1.rc1.11.3mdv2007.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. 
You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHAV4CmqjQ0CJFipgRAhrhAKC9bfRHlSG6+oVGztLTNtG5AfVqgACg21JC obuu0r4eZMhQuLCVAh4l7Ms= =WAef -----END PGP SIGNATURE----- From g at ut.am Tue Oct 2 02:35:38 2007 From: g at ut.am (Gautam) Date: Mon, 1 Oct 2007 21:35:38 -0400 Subject: [Full-disclosure] Testing DidTheyReadIt.com In-Reply-To: References: <998832236.20070929141509@Zoller.lu> <23229.1191128269@turing-police.cc.vt.edu> <19510224178.20070930120930@Zoller.lu> <13524.1191250625@turing-police.cc.vt.edu> <1749970633.20071001235618@Zoller.lu> Message-ID: <1c2c81610710011835r5c0e926et1508571bdefc73b9@mail.gmail.com> ditto On 10/1/07, Anshuman G wrote: > > Meeeee :) and I think lots of people are interested . > > Regards, > Anshu > > On 10/2/07, Thierry Zoller wrote: > > > > Who is interested in the stats ? > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- g at ut.am 1.866.200.6829:22 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/afae767f/attachment.html From hernan at gmail.com Tue Oct 2 07:09:19 2007 From: hernan at gmail.com (Hernan Ochoa) Date: Tue, 2 Oct 2007 03:09:19 -0300 Subject: [Full-disclosure] WifiZoo v1.2 release Message-ID: WifiZoo v1.2: -Bug Fixes -It now has a web GUI running on localhost:8000, it will hopefully make its use more 'convenient' -And it also has an 'http proxy' ala ferret/hamster. You can display the captured cookies with the web gui, clicking on a cookie will set that cookie on the wifizoo proxy. Set your browser to use the proxy, and again, hopefully, that will do the trick. Updated docs: http://community.corest.com/~hochoa/wifizoo/index.html Direct download link: http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz Thanks!, Hernan From nytrokiss at gmail.com Tue Oct 2 07:23:31 2007 From: nytrokiss at gmail.com (James Matthews) Date: Mon, 1 Oct 2007 23:23:31 -0700 Subject: [Full-disclosure] Testing DidTheyReadIt.com In-Reply-To: <1c2c81610710011835r5c0e926et1508571bdefc73b9@mail.gmail.com> References: <998832236.20070929141509@Zoller.lu> <23229.1191128269@turing-police.cc.vt.edu> <19510224178.20070930120930@Zoller.lu> <13524.1191250625@turing-police.cc.vt.edu> <1749970633.20071001235618@Zoller.lu> <1c2c81610710011835r5c0e926et1508571bdefc73b9@mail.gmail.com> Message-ID: <8a6b8e350710012323tba1d79cla6b112e0d48ae980@mail.gmail.com> Can we get stats? On 10/1/07, Gautam wrote: > > ditto > > On 10/1/07, Anshuman G wrote: > > > > Meeeee :) and I think lots of people are interested . > > > > Regards, > > Anshu > > > > On 10/2/07, Thierry Zoller wrote: > > > > > > Who is interested in the stats ? > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. 
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > -- > g at ut.am > 1.866.200.6829:22 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full > -disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://search.goldwatches.com/search.aspx?Search=cufflinks http://www.jewelerslounge.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071001/d21d5cd3/attachment.html From dannf at debian.org Tue Oct 2 09:47:49 2007 From: dannf at debian.org (dann frazier) Date: Tue, 2 Oct 2007 02:47:49 -0600 Subject: [Full-disclosure] [SECURITY] [DSA 1365-3] New id3lib3.8.3 packages fix denial of service Message-ID: <20071002084748.GF29447@colo.lackof.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1365-3 security at debian.org http://www.debian.org/security/ Moritz Muehlenhoff, Dann Frazier October 2nd, 2007 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : id3lib3.8.3 Vulnerability : programming error Problem-Type : local Debian-specific: no CVE ID : CVE-2007-4460 Debian Bug : 438540 Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks. This update to DSA-1365-2 provides missing packages for the mipsel architecture for the stable distribution (etch). For the oldstable distribution (sarge) this problem has been fixed in version 3.8.3-4.1sarge1. For the stable distribution (etch) this problem has been fixed in version 3.8.3-6etch1. For the unstable distribution (sid) this problem has been fixed in version 3.8.3-7. 
We recommend that you upgrade your id3lib3.8.3 packages. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-4.1sarge1.dsc Size/MD5 checksum: 655 94eda5191994c0dbe0146a85a9e94737 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-4.1sarge1.diff.gz Size/MD5 checksum: 134382 b45300bc3341dbedf90f4c593462794f http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3.orig.tar.gz Size/MD5 checksum: 950726 19f27ddd2dda4b2d26a559a4f0f402a7 Alpha architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_alpha.deb Size/MD5 checksum: 200738 a089ad12c4ddd30a4f6fdb340b3c9c26 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_alpha.deb Size/MD5 checksum: 358668 6a3178d16f20a2a4228133a0f692d197 AMD64 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_amd64.deb Size/MD5 checksum: 190378 90cfc4e6ab66afc0618946eda78ce66d http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_amd64.deb Size/MD5 checksum: 295174 79e8d0882c54ffceabff4b4b527317cb ARM architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_arm.deb Size/MD5 checksum: 204106 ae12d537affbc35f82517dbba061b332 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_arm.deb Size/MD5 checksum: 322872 
607fdb462573a9d022338c5f011363e0 HP Precision architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_hppa.deb Size/MD5 checksum: 213312 5279c3416cd3d0c301439a8de2b70ee7 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_hppa.deb Size/MD5 checksum: 349392 28751fdfecf730380b111537646cac03 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_i386.deb Size/MD5 checksum: 180852 10afd005f77c934946d1bcaf04998d92 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_i386.deb Size/MD5 checksum: 258526 3bb1cb543f6b2ab1a4985dfa536dd3e5 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_ia64.deb Size/MD5 checksum: 214970 eb496451fad3c40a54f55dd55ff0e4d9 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_ia64.deb Size/MD5 checksum: 371532 2a339fa9b2d875dccf416dc648b5d11a Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_m68k.deb Size/MD5 checksum: 190796 9d8b6bb6f224470ea1ac92d92015ad95 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_m68k.deb Size/MD5 checksum: 263074 a5747d036e6df6f1170e8c2607cb632d Big endian MIPS architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_mips.deb Size/MD5 checksum: 197400 144d3525c130676898f379e6ab26c804 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_mips.deb Size/MD5 checksum: 317716 31cde74a7a1328f63ce17907c539791a Little endian MIPS architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_mipsel.deb Size/MD5 checksum: 186678 2f8a8cdbf9a89b49fb43164b248d9196 
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_mipsel.deb Size/MD5 checksum: 315966 eb8fd5f5e78b9a0537dca9b5eb5d0f27 PowerPC architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_powerpc.deb Size/MD5 checksum: 189040 0eb109d6c6864a912de8396b2fb7be31 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_powerpc.deb Size/MD5 checksum: 296638 4c113a84cfe17cc506043e26e6b6f094 IBM S/390 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_s390.deb Size/MD5 checksum: 192592 d897e59ae0f1fe48a5e64bdb8c006416 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_s390.deb Size/MD5 checksum: 313664 84727122d6fae1d78f35ecdd3f2beefe Sun Sparc architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3_3.8.3-4.1sarge1_sparc.deb Size/MD5 checksum: 184716 52c13bfcb58b41b2ce0456c046194bf4 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-4.1sarge1_sparc.deb Size/MD5 checksum: 279552 edc8e1d5d6f4f7d7beac85e81b29cdd3 Debian GNU/Linux 4.0 alias etch - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-6etch1.dsc Size/MD5 checksum: 652 ada1a9d686cbfe925a34b2173227b47e http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-6etch1.diff.gz Size/MD5 checksum: 135226 495cb5f4610853f02a740e9b7c1a71c5 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3.orig.tar.gz Size/MD5 checksum: 950726 19f27ddd2dda4b2d26a559a4f0f402a7 Alpha architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_alpha.deb Size/MD5 checksum: 341286 c074664c96375662596d490ce9e59e2f http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_alpha.deb 
Size/MD5 checksum: 187286 a6cb95da944dfe5e1a28cbf5136f3b6f AMD64 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_amd64.deb Size/MD5 checksum: 283136 6fe99daa8aab3fd9549ab7d2db11aedc http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_amd64.deb Size/MD5 checksum: 176214 e35c8545fe42ae16362144e23772735a ARM architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_arm.deb Size/MD5 checksum: 277156 4f1e8102266eb7fe3f42dd613274c02a http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_arm.deb Size/MD5 checksum: 179072 fa3c352ad012326b3753fa1b7b189eaf HP Precision architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_hppa.deb Size/MD5 checksum: 305654 f9d69c8cdb5585e5b1dc3a9742b5edce http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_hppa.deb Size/MD5 checksum: 196342 fa9087816b58d9ed207e25401906c64a Intel IA-32 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_i386.deb Size/MD5 checksum: 263064 6b7e0823707843fa76158a0e1ba7f42f http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_i386.deb Size/MD5 checksum: 176662 05ca5942a44486b658a44e4bee16154d Intel IA-64 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_ia64.deb Size/MD5 checksum: 351960 6fd56a95a8aa66fa890a99a3264a7cbd http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_ia64.deb Size/MD5 checksum: 202690 e1c25a15ff7a480cafd1ac5d95ea0083 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_mips.deb Size/MD5 checksum: 285984 576083197b0d3778f9963ff697f0dd6f 
http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_mips.deb Size/MD5 checksum: 173660 221f900fe4f7bb66fc1cfdae380844c5 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_mipsel.deb Size/MD5 checksum: 285784 ac22324cd11eeb23ee2dd17c52b18401 http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_mipsel.deb Size/MD5 checksum: 172404 ff862958eca1c3257d843a956dd64d2c PowerPC architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_powerpc.deb Size/MD5 checksum: 283208 8d6f0c3417ba62980ff80c5084ba0cad http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_powerpc.deb Size/MD5 checksum: 176614 89b9c136ae81ebd9918420d7d6915c28 IBM S/390 architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_s390.deb Size/MD5 checksum: 269674 d8dd6f6d7d76a46063c0723f974198da http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_s390.deb Size/MD5 checksum: 177402 028a696232d95ddf67ae6acb7a3aac9c Sun Sparc architecture: http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-6etch1_sparc.deb Size/MD5 checksum: 251852 2356b2546559f20403987530357a68fc http://security.debian.org/pool/updates/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-6etch1_sparc.deb Size/MD5 checksum: 176600 80690cceeeb56b25d0cd30381ee28ad4 These files will probably be moved into the stable and oldstable distributions upon their next updates. 
- - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHAgVwhuANDBmkLRkRAkYSAJ4pS3pl/ek6zqHEqO2GE6cbmaXn8ACeNxSO 0SxXwI58DNaRFCsT3t5UkJQ= =uGYs -----END PGP SIGNATURE----- From jimbysharp at gmail.com Mon Oct 1 19:09:16 2007 From: jimbysharp at gmail.com (Jimby Sharp) Date: Mon, 1 Oct 2007 23:39:16 +0530 Subject: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug In-Reply-To: References: <3eab9ed60709280934o1da17b8bm44f8a5db7552cdf0@mail.gmail.com> <5031B661-FD4E-44E6-A112-4B7BBE94585C@gmail.com> <3eab9ed60709292325x152bee2akdd41faac7e8705fe@mail.gmail.com> Message-ID: <3eab9ed60710011109v2b0ce067q89dbd5e032a4a58f@mail.gmail.com> > Also notice that if there is really a problem in FF javascript engine it goes beyond the > browser. You could run Tamarin, Spidermonkey or Rhino on the server side and perform some > processing there with javascript. For heaven's sake please try to understand that it is not a problem at all. > As a side comment I wanted to tell you that what is out there on the internet is not a > standart. Is what IE dictates. IE rules the internet whether you like or not. Go and read the ECMA standard. A standard is standard and it has nothing to do with IE. > I don't think that's a fair comparison. If you make the right algorithm and you do not get the > expected results *is* not your fault but what are you sitting at (compiler, framework, library > ...). I fail to understand which part of my argument you failed to understand. strcpy() provides the expected result for the right algorithm so we do not say there is a bug in gcc. 
if someone uses strcpy() to read user's input directly into a buffer, we say there is a bug in the program. Similarly, Firefox javascript floating point math gives expected results. So there is no bug in Firefox. Now if you write a program assuming the results of the floating math are absolutely accurate, your program might have a bug. --------------------------------------------------------------------------------------------- My protest against stupid Indian security researcher:- Aditya K Sood is an asshole: http://secnichebogus.blogspot.com/ --------------------------------------------------------------------------------------------- From clappymonkey at gmail.com Tue Oct 2 17:28:29 2007 From: clappymonkey at gmail.com (clappymonkey at gmail.com) Date: Tue, 2 Oct 2007 16:28:29 +0000 Subject: [Full-disclosure] (no subject) Message-ID: <1562681731-1191342489-cardhu_decombobulator_blackberry.rim.net-2058461239-@bxe009.bisx.produk.on.blackberry> Sent from my BlackBerry? wireless device From ascii at katamail.com Tue Oct 2 21:21:45 2007 From: ascii at katamail.com (ascii) Date: Tue, 02 Oct 2007 22:21:45 +0200 Subject: [Full-disclosure] Original Photo Gallery Remote Command Execution Message-ID: <4702A859.2010104@katamail.com> Original Photo Gallery Remote Command Execution Name Original Photo Gallery Remote Command Execution Systems Affected Original 0.11.2 version and below Severity High Vendor http://jimmac.musichall.cz/original.php Advisory http://www.ush.it/team/ascii/hack-original/advisory_updated.txt http://www.ush.it/team/ascii/hack-original/advisory.txt Author Francesco `ascii` Ongaro, Antonio `s4tan` Parata Date 20070919 I. BACKGROUND "Original is a set of scripts to get your digital photos on the web. It aims to be as simple to maintain as possible." 
The system consists of two parts: "a client side script to scale your images to different sizes, create archives of an album, attach optional metadata" and a "php script to render html pages of the picture gallery".

II. DESCRIPTION

It is possible to execute arbitrary code on remote systems that have a vulnerable version of the software installed.

III. ANALYSIS

The file "inc/exif.inc.php" contains the following vulnerable statement:

exec("$exif_prog \"$gallery_dir/$galerie/lq/img-$snimek.jpg\"", $exif_data, $exif_status);

If PHP is configured with the "globals on" option, an attacker can execute arbitrary code by requesting the file directly and sending shell commands in the $exif_prog parameter/value.

IV. DETECTION

http://www.x.com/original/inc/exif.inc.php?exif_prog=/path/to/touch%20/tmp/p0wn3d.txt;

The request should create a file named p0wn3d.txt in the /tmp directory (on Unix systems). If this happens, then you have a vulnerable version of the software (and a really risky PHP setup).

A rapid measurement shows that ~10% of the about 17'000 systems listed on Google (using the dork: "Generated by Original ver") are vulnerable.

V. WORKAROUND

Upgrade to the new version 0.11.3, which fixes this vulnerability:
http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2

Or, if unable to upgrade:

1) Disable access to the directory using Limit (vhosts/.htaccess).
2) Disable execution using disable_functions in php.ini. The result is:
   Warning: exec() has been disabled for security reasons in /home/XXX/inc/exif.inc.php on line 157
3) Deny direct access to the file in the PHP code by checking for a define or the requested URL.

VI. VENDOR RESPONSE

The vendor has promptly replied and addressed the problem by issuing a new release. Original version 0.11.3 is available here:
http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2

VII. CVE INFORMATION

No CVE at this time.

VIII.
DISCLOSURE TIMELINE

20070719 Bug discovered
20070725 Vendor contacted
20070927 Vendor reply and fix
20071002 Advisory released

IX. CREDIT

Francesco `ascii` Ongaro and Antonio `s4tan` Parata are credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2007 Francesco `ascii` Ongaro

Note: this exploit is DUAL LICENSED:
1. If you use it for personal and non-profit purposes you can apply GPL v2 and above.
2. In case you plan to:
   a. use our code in any commercial context
   b. implement this code in your non-GPL application
   c. use this code during a Penetration Test
   d. make any profit from it
   you need to contact me in order to obtain a _commercial license_.

For more information about Dual Licensing:
http://producingoss.com/html-chunk/dual-licensing.html

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
From TSRT at 3com.com Tue Oct 2 21:38:20 2007
From: TSRT at 3com.com (TSRT at 3com.com)
Date: Tue, 2 Oct 2007 13:38:20 -0700
Subject: [Full-disclosure] TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities
Message-ID:

TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-17.html
October 2, 2007

-- CVE ID:
CVE-2007-5084

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor Hierarchical Storage Manager r11.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability
since October 2, 2007 by Digital Vaccine protection filter ID 4925. For
further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow a remote attacker to inject arbitrary SQL into
the backend database on vulnerable installations of CA BrightStor
Hierarchical Storage Manager. Authentication is not required to exploit
these vulnerabilities.

The specific flaws exist in the CsAgent service that listens by default on
TCP port 2000. An opcode parsing switch statement multiplexes data funneling
across various vulnerable routines. At least 7 out of the available 68
opcodes are vulnerable to SQL injections, including: 0x07 - 0x09, 0x1E,
0x32, 0x36, 0x40.

-- Vendor Response:
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

-- Disclosure Timeline:
2006.11.01 - Vulnerability reported to vendor
2007.10.02 - Digital Vaccine released to TippingPoint customers
2007.10.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
being sent by 3Com for the sole use of the intended recipient(s) and may
contain confidential, proprietary and/or privileged information. Any
unauthorized review, use, disclosure and/or distribution by any recipient is
prohibited. If you are not the intended recipient, please delete and/or
destroy all copies of this message regardless of form and any included
attachments and notify 3Com immediately by contacting the sender via reply
e-mail or forwarding to 3Com at postmaster at 3com.com.

From TSRT at 3com.com Tue Oct 2 21:36:31 2007
From: TSRT at 3com.com (TSRT at 3com.com)
Date: Tue, 2 Oct 2007 13:36:31 -0700
Subject: [Full-disclosure] TPTI-07-16: CA BrightStor Hierarchical Storage Manager Buffer Overflow Vulnerabilities
Message-ID:

TPTI-07-16: CA BrightStor Hierarchical Storage Manager Buffer Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-16.html
October 2, 2007

-- CVE ID:
CVE-2007-5082

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor Hierarchical Storage Manager r11.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability
since October 2, 2007 by Digital Vaccine protection filter ID 4922. For
further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow a remote attacker to execute arbitrary code on
vulnerable installations of Computer Associates' BrightStor Hierarchical
Storage Manager. Authentication is not required to exploit these
vulnerabilities.

The specific flaws exist in the CsAgent service that listens by default on
TCP port 2000. An opcode parsing switch statement multiplexes data funneling
across various vulnerable routines. A user-supplied DWORD size value is
assumed by the vulnerable agent to contain the correct length of the
subsequent data and is passed directly to memory allocation routines. At
least 26 out of the available 68 opcodes are vulnerable to various
overflows that allow for remote code execution due to insecure data copy
operations, including: 0x01, 0x06 - 0x09, 0x0d, 0x10, 0x16 - 0x18, 0x1E,
0x1F, 0x21, 0x22, 0x26, 0x27, 0x29, 0x32, 0x36, 0x38, 0x3A - 0x3C, 0x3E
and 0x40.

-- Vendor Response:
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

-- Disclosure Timeline:
2006.11.01 - Vulnerability reported to vendor
2007.10.02 - Digital Vaccine released to TippingPoint customers
2007.10.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
being sent by 3Com for the sole use of the intended recipient(s) and may
contain confidential, proprietary and/or privileged information. Any
unauthorized review, use, disclosure and/or distribution by any recipient is
prohibited. If you are not the intended recipient, please delete and/or
destroy all copies of this message regardless of form and any included
attachments and notify 3Com immediately by contacting the sender via reply
e-mail or forwarding to 3Com at postmaster at 3com.com.

From labs-no-reply at idefense.com Tue Oct 2 23:18:25 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Tue, 02 Oct 2007 18:18:25 -0400
Subject: [Full-disclosure] iDefense Security Advisory 10.02.07: Multiple Vendor X Font Server Multiple Vulnerabilities
Message-ID: <4702C3B1.6000909@idefense.com>

Multiple Vendor X Font Server Multiple Vulnerabilities

iDefense Security Advisory 10.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 02, 2007

I. BACKGROUND

The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. The X Window
System font server (xfs) is used to render fonts for the X server. More
information can be found at the following URLs.
http://en.wikipedia.org/wiki/X_Window_System
http://www.x.org/wiki/

II. DESCRIPTION

Remote exploitation of multiple vulnerabilities in X.Org Foundation's X
Font Server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code.

An integer overflow vulnerability exists within the handlers for the
QueryXBitmaps and QueryXExtents protocol requests. Both requests result in
a call to the build_range() function. This function takes a 32-bit integer
from the request, and uses it in an arithmetic operation that calculates
the size of a dynamic buffer. This calculation can overflow, which leads
to an improperly sized memory allocation. This results in a heap overflow.

Additionally, a heap corruption vulnerability exists within the handlers
for the QueryXBitmaps and QueryXExtents protocol requests. Both requests
result in a call to the swap_char2b() function. This function takes a
32-bit integer from the request, and uses it as the number of bytes to
swap in the request buffer. This allows an attacker to swap an arbitrary
number of bytes on the heap.

III. ANALYSIS

Exploitation of these vulnerabilities could result in the execution of
arbitrary code with the privileges of the X Font Server, usually 'xfs'.

On current versions of Solaris, these vulnerabilities are remotely
exploitable. The XFS service is turned on by default, and listens on TCP
port 7100.

On modern Linux systems, these vulnerabilities are only locally
exploitable since the server is configured to listen on a UNIX socket
only.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in XFS
version X11R7.2-1.0.4. Previous versions may also be affected.

V. WORKAROUND

On Solaris, stop XFS from listening remotely by disabling it via the
service manager.

VI. VENDOR RESPONSE

The X.Org team has addressed these vulnerabilities with the release of XFS
version 1.0.5. Additionally, a patch for version 1.0.4 has been made
available. For more information, consult the X.Org advisory at the
following URL.

http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4568 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org/), which standardizes names for security
problems.

VIII. DISCLOSURE TIMELINE

09/05/2007  Initial vendor notification
09/08/2007  Initial vendor response
10/02/2007  Public disclosure

IX. CREDIT

These vulnerabilities were discovered by Sean Larsson of VeriSign iDefense
Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
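The two advisories above describe the same family of defect from two angles: TPTI-07-16 has a DWORD length field handed straight to allocation and copy routines, and the xfs advisory has a 32-bit count multiplied into a buffer size that wraps before the allocation. The following C is an added illustration written for this page, not code from TippingPoint, iDefense, CA or X.Org; the wire format ([opcode:1][len:4 little-endian][payload]), the MAX_PAYLOAD limit and all sample records are constructed for the example and carry no relation to the real CsAgent or xfs protocols. It shows the checks a hardened handler performs on an untrusted length before that length ever reaches malloc() or memcpy(), and an overflow-checked size computation of the kind build_range() needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for the example: [opcode:1][len:4, LE][payload:len].
 * MAX_PAYLOAD is an assumed policy limit, not a value from either advisory. */
#define HDR_LEN     5u
#define MAX_PAYLOAD (64u * 1024u)

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT = -1,     /* declared length exceeds bytes actually received */
    PARSE_TOO_BIG = -2,   /* declared length exceeds the policy maximum */
    PARSE_OVERFLOW = -3,  /* size arithmetic would wrap */
    PARSE_NOMEM = -4
};

/* Compute count * elem_size + extra, refusing to wrap. A build_range()-style
 * routine that skips this check allocates a buffer far smaller than the data
 * it then writes, which is the heap overflow the xfs advisory describes. */
int checked_size(size_t count, size_t elem_size, size_t extra, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return PARSE_OVERFLOW;
    size_t prod = count * elem_size;
    if (prod > SIZE_MAX - extra)
        return PARSE_OVERFLOW;
    *out = prod + extra;
    return PARSE_OK;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from buf[0..buflen). The DWORD length is attacker data,
 * so it is bounded by the policy maximum and by what was really received
 * before it reaches malloc()/memcpy(); the CsAgent flaw was passing it to
 * allocation and copy routines unchecked. On PARSE_OK, *payload is a heap
 * copy of exactly *len bytes that the caller must free(). */
int parse_record(const uint8_t *buf, size_t buflen,
                 uint8_t *opcode, uint8_t **payload, size_t *len)
{
    if (buflen < HDR_LEN)
        return PARSE_SHORT;
    uint32_t declared = read_le32(buf + 1);
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_BIG;
    if (declared > buflen - HDR_LEN)
        return PARSE_SHORT;
    uint8_t *copy = malloc(declared ? declared : 1);  /* avoid malloc(0) */
    if (copy == NULL)
        return PARSE_NOMEM;
    memcpy(copy, buf + HDR_LEN, declared);
    *opcode = buf[0];
    *payload = copy;
    *len = declared;
    return PARSE_OK;
}

/* Convenience wrapper: parse, report the status, and release the payload. */
int parse_status_of(const uint8_t *buf, size_t buflen)
{
    uint8_t op, *pl;
    size_t n;
    int st = parse_record(buf, buflen, &op, &pl, &n);
    if (st == PARSE_OK)
        free(pl);
    return st;
}

int main(void)
{
    /* Constructed sample records: one honest, one whose length field lies. */
    const uint8_t good[] = { 0x07, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
    const uint8_t lying[] = { 0x07, 0xff, 0xff, 0x00, 0x00, 'a' };
    size_t sz;
    printf("good  -> %d\n", parse_status_of(good, sizeof good));    /* 0 */
    printf("lying -> %d\n", parse_status_of(lying, sizeof lying));  /* -1 */
    printf("overflow check -> %d\n", checked_size(SIZE_MAX / 4, 8, 0, &sz)); /* -3 */
    return 0;
}
```

The order of the checks matters: the policy limit and the received-bytes bound are both applied before any arithmetic on the length, and the multiply is checked against SIZE_MAX before it happens rather than by inspecting a product that has already wrapped.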
From skx at debian.org Tue Oct 2 23:34:17 2007
From: skx at debian.org (Steve Kemp)
Date: Tue, 2 Oct 2007 23:34:17 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1380-1] New elinks packages fix information disclosure
Message-ID: <20071002223417.GA10972@steve.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA 1380-1                  security at debian.org
http://www.debian.org/security/                               Steve Kemp
October 2nd, 2007                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : elinks
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5034
Debian Bug     : 443891

Kalle Olavi Niemitalo discovered that elinks, an advanced text-mode WWW
browser, sent HTTP POST data in cleartext when using an HTTPS proxy
server potentially allowing private information to be disclosed.

For the stable distribution (etch), this problem has been fixed in
version 0.11.1-1.2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.11.1-1.5.

We recommend that you upgrade your elinks package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- --------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1.orig.tar.gz
    Size/MD5 checksum:  3863617 dce0fa7cb2b6e7194ddd00e34825218b
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1.diff.gz
    Size/MD5 checksum:    30543 87f297355ad1e6d20bab5569672aad5e
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1.dsc
    Size/MD5 checksum:      872 a4af1ff56a8d39bdf1a92cedce2f335c

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_alpha.deb
    Size/MD5 checksum:   497732 f553f66a91b2245cfa42088a2b4d4517
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_alpha.deb
    Size/MD5 checksum:  1260704 10b023af79e9d90a7cd664328f5118b5

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_amd64.deb
    Size/MD5 checksum:   458734 41f1f71a5e3fccf0dde9597bd871cb39
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_amd64.deb
    Size/MD5 checksum:  1222408 c3ad38db3fbc3a1c130115ab83506bda

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_arm.deb
    Size/MD5 checksum:   416964 f7c68b19da989a205d0aa045c91c87eb
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_arm.deb
    Size/MD5 checksum:  1179150 c3560026dc7aa46613ddbb2a24f070cb

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_hppa.deb
    Size/MD5 checksum:  1245642 0a9eb32d625456d171a987d5efe50296
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_hppa.deb
    Size/MD5 checksum:   480962 ca0f2c3876e1eb5c1b66f7ce5661cc39

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_i386.deb
    Size/MD5 checksum:   423676 5e433eb3f0c5f6f004ea2285282a4455
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_i386.deb
    Size/MD5 checksum:  1187014 557a2322c1f91a8debb9993cb46a8f51

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_ia64.deb
    Size/MD5 checksum:  1432774 4a2706c3945ae2fdc842a67b5d25ca10
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_ia64.deb
    Size/MD5 checksum:   624134 4c2e59b24b38c3b9fbeb104fb373160b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_mips.deb
    Size/MD5 checksum:  1229684 e05d34e21f29f58c93c05c203c448d4b
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_mips.deb
    Size/MD5 checksum:   470490 a7c54a8151b9b3268e00b3f517f60eb7

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_mipsel.deb
    Size/MD5 checksum:   466824 53be2f6ef576c97a3aaa01c6af2bb0ac
  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_mipsel.deb
    Size/MD5 checksum:  1223900 a6463ca7afd8ec0781c797c3dfc56e91

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_powerpc.deb
    Size/MD5 checksum:  1216652 f3e8b9f594f0c124a31f4da53e6f8cb6
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_powerpc.deb
    Size/MD5 checksum:   450062 1096cd8ffbac60db3214227da0d1ff16

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_s390.deb
    Size/MD5 checksum:  1232356 95c8e47b24e9eab54e8f809d077b92f0
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_s390.deb
    Size/MD5 checksum:   470440 1166adf5d3fbcd304ac7eb788288725c

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch1_sparc.deb
    Size/MD5 checksum:  1184566 adc468ee0c3f9dd86eddba8d822009fa
  http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch1_sparc.deb
    Size/MD5 checksum:   418768 a1d988ba82f30199d83b1d717fee7fbb

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHAscmwM/Gs81MDZ0RAjFhAKCQH2FeFS998uJZRUHOcTzGDev0RQCgnkiK
fOp3i5QKEJfopbPFMfOmIs8=
=dWDx
-----END PGP SIGNATURE-----

From noahm at debian.org Tue Oct 2 21:06:48 2007
From: noahm at debian.org (Noah Meyerhans)
Date: Tue, 02 Oct 2007 22:06:48 +0200
Subject: [Full-disclosure] [SECURITY] [DSA 1379-1] New openssl packages fix arbitrary code execution
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1379                    security at debian.org
http://www.debian.org/security/                           Noah Meyerhans
October 02, 2007
- ------------------------------------------------------------------------

Package        : openssl
Vulnerability  : off-by-one error/buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5135
Debian Bug     : 444435

An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.

For the stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch1.
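DSA-1379 names the bug class (an off-by-one in a routine that writes a cipher list into a caller-supplied buffer) without showing it. The C below is an added illustration for this page, not OpenSSL's SSL_get_shared_ciphers() code; the function names, the ':'-joined list format and the cipher names are constructed. It puts the off-by-one shape next to its fix, and uses a canary byte inside a larger scratch array so the one-byte overrun is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (constructed, not OpenSSL's code): the bound check counts
 * the name bytes and separators but not the terminating NUL, so a list that
 * exactly fills `size` bytes writes its '\0' to buf[size], one past the end. */
char *join_names_vuln(const char *const *names, size_t n, char *buf, size_t size)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = strlen(names[i]) + (i > 0 ? 1 : 0);
        if (used + need > size)          /* off by one: no room kept for '\0' */
            break;
        if (i > 0)
            buf[used++] = ':';
        memcpy(buf + used, names[i], strlen(names[i]));
        used += strlen(names[i]);
    }
    buf[used] = '\0';                     /* may land on buf[size] */
    return buf;
}

/* Fixed shape: reserve the NUL up front and stop when a name no longer fits. */
char *join_names_fixed(const char *const *names, size_t n, char *buf, size_t size)
{
    if (size == 0)
        return NULL;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = strlen(names[i]) + (i > 0 ? 1 : 0);
        if (need > size - 1 - used)      /* size - 1 keeps one byte for '\0' */
            break;
        if (i > 0)
            buf[used++] = ':';
        memcpy(buf + used, names[i], strlen(names[i]));
        used += strlen(names[i]);
    }
    buf[used] = '\0';
    return buf;
}

/* Run `fn` with a claimed capacity of `size` inside a larger scratch array
 * and report whether the byte just past that capacity was touched. Keeping
 * the canary inside the same array keeps the write well-defined while still
 * exposing the overrun. Returns 1 on overrun, 0 otherwise, -1 if size is
 * too large for the scratch array. */
int overruns(char *(*fn)(const char *const *, size_t, char *, size_t),
             const char *const *names, size_t n, size_t size)
{
    char scratch[64];
    if (size >= sizeof scratch - 1)
        return -1;
    memset(scratch, 'X', sizeof scratch);
    fn(names, n, scratch, size);
    return scratch[size] != 'X';
}

int main(void)
{
    /* Constructed cipher names; "AES128-SHA:RC4-MD5" is exactly 18 bytes. */
    const char *const names[] = { "AES128-SHA", "RC4-MD5" };
    char out[19];
    printf("vuln  overruns 18-byte buffer: %d\n", overruns(join_names_vuln, names, 2, 18));  /* 1 */
    printf("fixed overruns 18-byte buffer: %d\n", overruns(join_names_fixed, names, 2, 18)); /* 0 */
    printf("fixed, 19 bytes: %s\n", join_names_fixed(names, 2, out, sizeof out));
    return 0;
}
```

The vulnerable form is only wrong at the boundary where the joined list is exactly `size` bytes, which is why such bugs survive ordinary testing; the fixed form makes the reservation for the terminator explicit in the comparison instead of relying on the caller to pass `size - 1`.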
For the old stable distribution (sarge), this problem has been fixed in
version 0.9.7e-3sarge5.

For the unstable and testing distributions (sid and lenny, respectively),
this problem has been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64,
m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
    Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.diff.gz
    Size/MD5 checksum:    30634 b64d10acf6285197d3ad8e923883b6d7
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.dsc
    Size/MD5 checksum:      639 d19d0a6a8faf12e7e2abe6b82409af05

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum:  3342712 38ada0535339d8394a829f22ce835578
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_alpha.udeb
    Size/MD5 checksum:   662280 2e67541092c341c4e26e2d17ad11ccc7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum:  2449572 a4e4d409db4eb013544112da61b764be
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum:   940288 928194da95c5f7edb570847de437fbf4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum:   703530 ca501fee744837c951c78959070eea14
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum:   903938 b4c46339201162d467bd46a50c9a0f4e
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_amd64.udeb
    Size/MD5 checksum:   495318 2d10728b8ebfb6fbb4d48bd675f866b8
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum:  2694270 cc856b1fdd41fffc03b867de55ad2b2c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum:   607492 63a3b6d82a8d5dd53aa9201322d5f89d
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum:  2559868 0427629ed30efabf0ea0d168a6c9d36e
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_arm.udeb
    Size/MD5 checksum:   410604 6d52b2de602333bcb70306fa2198205e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum:   905292 4b0944650181c97b07abb6e2dcb826a6

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_hppa.udeb
    Size/MD5 checksum:   510404 06fc22d1d0ff5a2c7d36e08d280d4dea
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_hppa.deb
    Size/MD5 checksum:   722886 3db792d32f4709c143cb729721278e6c
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_hppa.deb
    Size/MD5 checksum:   914764 2ce08cb33e5eed3dff1c3e35af46298c
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_hppa.deb
    Size/MD5 checksum:  2695886 a017eb3233fcb938611b5a16bb648277

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_i386.deb
    Size/MD5 checksum:  2194088 337fe2d6a280d9a761c04c20d434fe9c
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_i386.deb
    Size/MD5 checksum:  2560372 d104ace51eba364a5ce0a50989eee2a0
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_i386.deb
    Size/MD5 checksum:   916446 8e96029826588f227906f859bc60667d
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_i386.udeb
    Size/MD5 checksum:   452446 f97dde687e4bddebb7d87cebfb925058

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_ia64.deb
    Size/MD5 checksum:   975294 d6cd8d020ce8b01f74b807ea5269ba80
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_ia64.deb
    Size/MD5 checksum:  3396320 ac2c50b4ec0d45d6192031a4d8e00fd8
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_ia64.deb
    Size/MD5 checksum:   973262 d0eaac755fc66353eda96509415847ff
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_ia64.udeb
    Size/MD5 checksum:   713794 f1c57b4b6d304dd3161639974eac3c60

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_m68k.deb
    Size/MD5 checksum:   890112 7cbbdbd930c014abda49585091ea79e7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_m68k.deb
    Size/MD5 checksum:   591738 200066dccdc6c71dc1876808a9f171fa
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_m68k.deb
    Size/MD5 checksum:  2317278 1c817bae9fb36d37b9e01968d12276bc
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_m68k.udeb
    Size/MD5 checksum:   397376 829b13be689f79cf5939c68a367aba66

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mips.udeb
    Size/MD5 checksum:   498242 fac3b981032a5208fe1dd09bf5e3a27e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mips.deb
    Size/MD5 checksum:   896986 d6726bbe47be5a0fdf836543999e3131
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mips.deb
    Size/MD5 checksum:  2779818 938453cc67d34dfbd4b1c8622d0b0210
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mips.deb
    Size/MD5 checksum:   706860 ebcbf99b0d7e22f5bb51d934f89844a4

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mipsel.deb
    Size/MD5 checksum:  2767550 d82a3064d20188b4be8fbb8497afb3b2
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mipsel.deb
    Size/MD5 checksum:   694712 bfd23ffe84cce310098a30d88d48539e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mipsel.deb
    Size/MD5 checksum:   896074 5d78a7d03a70187843a61629dcde7c41
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mipsel.udeb
    Size/MD5 checksum:   487096 7cc469dadf0573d735ef67cb6e0c7cfd

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_powerpc.deb
    Size/MD5 checksum:   908528 5a246a0cea9ee84aad61a85e1d75649f
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_powerpc.deb
    Size/MD5 checksum:   707858 9991e97fbbedd64773516f5fcd3bce17
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_powerpc.udeb
    Size/MD5 checksum:   499480 07ea534da914f58872f5ef63aaed3ce2
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_powerpc.deb
    Size/MD5 checksum:  2775668 882321c4fb23cb371b190bf62d94a814

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_s390.udeb
    Size/MD5 checksum:   533602 b2614e1858e5e7ae29878f6cd79934f6
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_s390.deb
    Size/MD5 checksum:   918606 0077d713f03a6c353d9f55fd7d7c19b0
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_s390.deb
    Size/MD5 checksum:   746346 e1eb1204c4dfd489bd2a40eddec1a431
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_s390.deb
    Size/MD5 checksum:  2717578 42d6c056372ae4270319050628f873e6

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_sparc.deb
    Size/MD5 checksum:   924694 9d9711e944c4b7ec5b01156da26097ad
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_sparc.udeb
    Size/MD5 checksum:   478366 798596ea4ad82e2a450985256a548818
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_sparc.deb
    Size/MD5 checksum:  2630730 0b6358a3eeff5b83c684049f7c550582
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_sparc.deb
    Size/MD5 checksum:  1818686 09d59841628a9975895116aa43e081a8

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.dsc
    Size/MD5 checksum:      807 c7cee551a6affbac043c05484b6f2e8e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.diff.gz
    Size/MD5 checksum:    44257 1057ca0c69dedda8cec94a820da1d99a
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
    Size/MD5 checksum:  3313857 78454bec556bcb4c45129428a766c886

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_alpha.deb
    Size/MD5 checksum:  1025888 2d2423d058f55197141c9b3b50164b1a
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_alpha.deb
    Size/MD5 checksum:  2620680 96256021a44fef6e2a7afc6bae5c2dd8
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_alpha.deb
    Size/MD5 checksum:  2560180 528a768eb35e76059a29037f2ac38d21
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_alpha.udeb
    Size/MD5 checksum:   677058 0c967fa1c1fa56a410d23ce4bed0c6a7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_alpha.deb
    Size/MD5 checksum:  4557284 84c8cb486348146114216cfdce53a017

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb
    Size/MD5 checksum:   580040 7af4acf0ea362be607fe43de6436f2ef
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_amd64.deb
    Size/MD5 checksum:  2179570 54509d057a7351147f0ed2790b5ef103
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_amd64.deb
    Size/MD5 checksum:   890368 b2e5ba39115b67c6e1cf7b466bef723f
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb
    Size/MD5 checksum:  1653348 ee8129fe12623d4cb2d0fb8736f7bda2
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_amd64.deb
    Size/MD5 checksum:  1004882 288b472372e826628fbbc45fc8cc285a

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_arm.deb
    Size/MD5 checksum:   805358 31e86edb05070ef066093ca95041c86a
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_arm.deb
    Size/MD5 checksum:  1536622 d7e36c20a897d725942af5d41c6fe918
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_arm.deb
    Size/MD5 checksum:  1011598 f952aa9caa5ac24e3ea6df52ca97c82f
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_arm.udeb
    Size/MD5 checksum:   516236 dd35eae7f5246fea676e09bb7b45b062
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_arm.deb
    Size/MD5 checksum:  2049646 e34d78a4037badb7f6cff84aa864d5a2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_hppa.deb
    Size/MD5 checksum:  2244384 c5f18be0923ab860fb1f35c3118d34e2
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_hppa.deb
    Size/MD5 checksum:   946010 139b08751ded8622e07ad1d7f7b9bf28
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_hppa.udeb
    Size/MD5 checksum:   631064 b5ae5e0ac641956e68cb4f01e86ae1f5
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_hppa.deb
    Size/MD5 checksum:  1017164 16461933c588563a262baf864795bb2f
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_hppa.deb
    Size/MD5 checksum:  1583762 80ef7c3c1137fe3891c549ace1fda3b9

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_i386.deb
    Size/MD5 checksum:  5583100 c41c0c1b3a021fa5229e5c9f0aa5c1f0
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_i386.deb
    Size/MD5 checksum:  2716474 649e6cbcf83b68f49732c771447d4eef
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_i386.udeb
    Size/MD5 checksum:   554580 42c15a29d35082d1d8314ed6e66cc6bd
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_i386.deb
    Size/MD5 checksum:  2086314 3355cb82f44c379fbaf43fc90f1bbc26
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_i386.deb
    Size/MD5 checksum:  1000646 5513d9af4e2d7dd18cfc031b54175de2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_ia64.deb
    Size/MD5 checksum:  1191550 c124efcb25a532994c161ca7efc41161
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_ia64.udeb
    Size/MD5 checksum:   801478 6cca91efc077aba703a69c006413ac6b
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_ia64.deb
    Size/MD5 checksum:  1568360 3c6b31b0dd48fc4bde48f110e1e3324e
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_ia64.deb
    Size/MD5 checksum:  2592234 20cb22d640e94394d00da679a2bfbf7f
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_ia64.deb
    Size/MD5 checksum:  1070970 ecb68de4274ca264aa6bc369af65ceaa

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mips.deb
    Size/MD5 checksum:   993012 990aea1fca9c480aa06aad0b95efb0cd
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mips.deb
    Size/MD5 checksum:   875686 270144a6e54f6e322567d2fda0dcbfdd
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mips.deb
    Size/MD5 checksum:  2258570 60fac4bc2f1299ba3cec2e3d0b68b01b
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mips.deb
    Size/MD5 checksum:  1691868 0dd000f685f4a502e583751453060dda
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mips.udeb
    Size/MD5 checksum:   580120 c9514d9592baeb04842301114c0c972f

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mipsel.deb
    Size/MD5 checksum:  2255454 5378c671b322cf7c4c47712749db51bb
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mipsel.deb
    Size/MD5 checksum:  1648470 93df7f8b24908ccc1662b28604a3046e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mipsel.deb
    Size/MD5 checksum:   992430 36062847528168d78caf34bc7c6d36f5
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mipsel.deb
    Size/MD5 checksum:   860208 f58502f60536c0e926aa7ce085aeac12
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mipsel.udeb
    Size/MD5 checksum:   566178 b43167c7131498d8d6d79f7930fa310c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_powerpc.deb
    Size/MD5 checksum:  1001838 dbbd81da0412854593c26c57075856b7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_powerpc.deb
    Size/MD5 checksum:  1727494 622925059136caf85520b2486848fe5b
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_powerpc.deb
    Size/MD5 checksum:   894908 c7746da806a7a1024c5905dc23d2f47f
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_powerpc.deb
    Size/MD5 checksum:  2210384 64390a835586afcd0c75f158256a8512
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_powerpc.udeb
    Size/MD5 checksum:   585208 dc614e47894295097fd0e46f6cfc43d4

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_s390.deb
    Size/MD5 checksum:  1014086 133fc07dbc98ae1ab2896ec2ec4ef73e
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_s390.deb
    Size/MD5 checksum:   950970 4606a7811ca36f5a883c404c28161749
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_s390.deb
    Size/MD5 checksum:  1631932 9bc040542a3f2b454481f8d7f3d1c55c
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_s390.udeb
    Size/MD5 checksum:   642946 3ea0f5c1bf0e6132f1e42718dda1a405
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_s390.deb
    Size/MD5 checksum:  2193528 2d4ce4a70f40e5bd357d9d1b307b9fed

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_sparc.deb
    Size/MD5 checksum:  4089710 b875491e34a765d952d58e38c18adf73
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_sparc.deb
    Size/MD5 checksum:  2107548 3e03586577a0ba93a75d6385c23772c7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_sparc.deb
    Size/MD5 checksum:  2125640 16347ca52160e5358171b9c78ab17071
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_sparc.udeb
    Size/MD5 checksum:   538976 fcd676b77a2fcea70101491de58da682
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_sparc.deb
    Size/MD5 checksum:  1010338 aaf2c05b6b59a40dc85259f6479fbe04

These files will probably be moved into the stable distribution on
its next update.
- --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHAqPMYrVLjBFATsMRAtYIAJ0X4+0NpFIqpmR8pDxEaHjGrsRTBgCdExbK y41ZdnaMZ1IbgMSDqfWOwmU= =hbSk -----END PGP SIGNATURE----- From announce-noreply at rpath.com Tue Oct 2 23:28:22 2007 From: announce-noreply at rpath.com (rPath Update Announcements) Date: Tue, 02 Oct 2007 18:28:22 -0400 Subject: [Full-disclosure] rPSA-2007-0203-1 rmake rmake-proxy rmake-repos Message-ID: <4702c606.agqNqK6qvligolkb%announce-noreply@rpath.com> rPath Security Advisory: 2007-0203-1 Published: 2007-10-02 Products: rPath Linux 1 Rating: Major Exposure Level Classification: Local Root Deterministic Privilege Escalation Updated Versions: rmake=/conary.rpath.com at rpl:devel//1/1.0.11.1-2-0.1 rmake-proxy=/conary.rpath.com at rpl:devel//1/1.0.11.1-2-0.1 rmake-repos=/conary.rpath.com at rpl:devel//1/1.0.11.1-2-0.1 rPath Issue Tracking System: https://issues.rpath.com/browse/RMK-634 Description: When building packages, rMake creates device files in the change root environments in which the packages are built. In previous versions of rMake, the "/dev/zero" file had incorrect device number and ownership, which might allow a user to execute arbitrary code as the superuser. Copyright 2007 rPath, Inc. This file is distributed under the terms of the MIT License. 
A copy is available at http://www.rpath.com/permanent/mit-license.html

From anvil at jumperz.net Wed Oct 3 03:28:40 2007
From: anvil at jumperz.net (Kanatoko)
Date: Wed, 03 Oct 2007 11:28:40 +0900
Subject: [Full-disclosure] Java Applets can connect to other hosts using HTTP 302 redirection
Message-ID: <20071003111841.EDE6.ANVIL@jumperz.net>

It seems that the java applet located on the host A is allowed to connect to the host B using HTTP 302 redirection on the host B. Is it a normal behaviour?

PoC:
http://www.jumperz.net/exploits/appletTest1.jsp

host A: www.gyosatu.com
host B: www.jumperz.net

In this PoC, the java applet is downloaded from www.gyosatu.com and connects to www.jumperz.net port 1111. Use "tcpdump port 1111" to see the packets.

--
Kanatoko
Open Source WebAppFirewall
http://guardian.jumperz.net/

From dannf at debian.org Wed Oct 3 03:07:49 2007
From: dannf at debian.org (dann frazier)
Date: Tue, 2 Oct 2007 20:07:49 -0600
Subject: [Full-disclosure] [SECURITY] [DSA 1381-1] New Linux 2.6.18 packages fix several vulnerabilities
Message-ID: <20071003020749.GF17676@colo.lackof.org>

--------------------------------------------------------------------------
Debian Security Advisory DSA 1381-1                    security at debian.org
http://www.debian.org/security/                             Dann Frazier
October 2nd, 2007                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : several
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-5755 CVE-2007-4133 CVE-2007-4573 CVE-2007-5093

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-5755

The NT bit may be leaked into the next task, which can allow local attackers to cause a Denial of Service (crash) on systems which run the 'amd64' flavour kernel. The stable distribution ('etch') was not believed to be vulnerable to this issue at the time of release; however, Bastian Blank discovered that this issue still applied to the 'xen-amd64' and 'xen-vserver-amd64' flavours, and it is resolved by this DSA.

CVE-2007-4133

Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap.

CVE-2007-4573

Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. DSA-1378 resolved this problem for the 'amd64' flavour kernels, but Tim Wickberg and Ralf Hemmenstädt reported an outstanding issue with the 'xen-amd64' and 'xen-vserver-amd64' flavours that is resolved by this DSA.

CVE-2007-5093

Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch4. At the time of this DSA, only the build for the amd64 architecture is available.
Due to the severity of the amd64-specific issues, we are releasing an incomplete update. This advisory will be updated once other architecture builds become available.

We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
--------------------------------
These files will probably be moved into the stable distribution on its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ etch/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/etch/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From hacking4froggies at gmail.com Wed Oct 3 07:09:51 2007
From: hacking4froggies at gmail.com (Mr Frog)
Date: Tue, 2 Oct 2007 23:09:51 -0700
Subject: [Full-disclosure] The real motivations of vulnerability disclosure
Message-ID: <698750180710022309j73ea7d86w230e3ef8bf8a553@mail.gmail.com>

For the past 10 years, when a vulnerability in a major site is discovered, people freak out. I'm not debating the importance of certain site vulnerabilities such as those exposing personal or account information. I'm going to talk about one of those things people think, but don't speak publicly about, which involves the intentions of those vulnerability disclosure folks. I'm going to break down these types of people, and some people in the 'industry' are going to laugh and others possibly be offended. If you have a problem with this then we can meet in an alley for warfare, but please don't bring salt as it burns.

http://hackingfrog.blogspot.com/2007/10/o-o-omg-frog.html

- Froggie
From foresight-security-noreply at foresightlinux.org Wed Oct 3 09:18:48 2007
From: foresight-security-noreply at foresightlinux.org (Foresight Linux Essential Announcement Service)
Date: Wed, 03 Oct 2007 00:18:48 -0800
Subject: [Full-disclosure] FLEA-2007-0057-1 pidgin
Message-ID: <47035068.DbT7beSdpddonzTQ%foresight-security-noreply@foresightlinux.org>

Foresight Linux Essential Advisory: 2007-0057-1
Published: 2007-10-02
Rating: Minor
Updated Versions:
pidgin=/foresight.rpath.org at fl:1-devel//1/2.2.1-1-0.1
group-dist=/foresight.rpath.org at fl:1-devel//1/1.4.0-0.5-8

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4996
http://www.pidgin.im/news/security/?id=23

Description:
Previous versions of the pidgin package are vulnerable to a Denial of Service (crash) caused by a user not on the target's buddy list sending a "nudge," a feature of the MSN protocol.

---
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html

From skx at debian.org Wed Oct 3 09:59:11 2007
From: skx at debian.org (Steve Kemp)
Date: Wed, 3 Oct 2007 09:59:11 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1379-1] New quagga packages fix denial of service
Message-ID: <20071003085911.GA10078@steve.org.uk>

------------------------------------------------------------------------
Debian Security Advisory DSA 1379-1                    security at debian.org
http://www.debian.org/security/                           Florian Weimer
October 1st, 2007                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : quagga
Vulnerability  : null pointer dereference
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-4826
Debian Bug     : 442133

It was discovered that BGP peers can trigger a NULL pointer dereference in the BGP daemon if debug logging is enabled, causing the BGP daemon to crash.

For the old stable distribution (sarge), this problem has been fixed in version 0.98.3-7.5.
For the stable distribution (etch), this problem has been fixed in version 0.99.5-5etch3.

For the unstable distribution (sid), this problem has been fixed in version 0.99.9-1.

We recommend that you upgrade your quagga packages.

Upgrade instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------
Debian GNU/Linux 4.0 alias etch
-------------------------------
These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From worriedsecurity at googlemail.com Wed Oct 3 12:22:59 2007
From: worriedsecurity at googlemail.com (worried security)
Date: Wed, 3 Oct 2007 12:22:59 +0100
Subject: [Full-disclosure] The real motivations of vulnerability disclosure
In-Reply-To: <698750180710022309j73ea7d86w230e3ef8bf8a553@mail.gmail.com>
References: <698750180710022309j73ea7d86w230e3ef8bf8a553@mail.gmail.com>
Message-ID: <67ea64530710030422s1ae1ca88p99398dc842397f7b@mail.gmail.com>

new-bie - hangs around web based chat: yahoo chat, msn chat. watches what hackers are doing, hangs about with them to befriend them and gain intelligence on how they hack, and asks for the tools from the people who make them to hack a few yahoo or msn accounts for themselves. while this isn't a true hacker, it's the beginning of a career of electronic hacking.

kool-bie - has made friends with hackers who make the tools, has gained their trust and is welcomed into the real hacker social circles that the newbie wasn't socially accepted into as a newbie. koolbies are poked and probed and groomed, as in, if an insect is in your fur, then the real hackers will tell you and remove the pest irritating their skin.
koolbie is given beta releases of the hackers' tools before the newbie "general public".

curious-bie - the curiousbie, now bored with what the new-bie and kool-bie scene had on offer, starts wanting to dismantle the tools they've been using. the curiousbie starts wanting to have the popularity, respect and chicks the real-bies have in the scene. the real-bie will discover a hex editor and start exploring the real world of infosec, may start discovering new things by typing catchphrases into search engines, and finding security news articles interesting. starts finding mailing lists to do with real vulnerabilities.

real-bie - the real hacker, has finally been reading mailing lists and news articles for a while, starts thinking about linux distros, joining internet relay chat, joining real discussion about the technical emphasis of vulnerabilities, wants to start hacking.

true-bie - has successfully penetrated an online application, maybe e-mail, gathers intelligence, gets interested in forming views of government and other people who are active members of mailing lists. at this point the industry discovers the person, the true-bie becomes vocal on online communities such as lists, social media sites, and news feedback forums.

student-bie - has formed strong views and believes he is right, now wants to make money in a career of information security. goes to college to become professional. hides hacking background from student peers, feels guilty about being part of the underground, keeps it secret.

pro-bie