Weekly Vulnerabilities Reports > September 27 to October 3, 2004

Overview

12 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary report vulnerabilities in 15 products from 10 vendors including Trolltech, Debian, MIT, KDE, and Adobe. Vulnerabilities are notably categorized as "Link Following", and "Double Free".

  • 9 reported vulnerabilities are remotely exploitables.
  • 11 reported vulnerabilities are exploitable by an anonymous user.
  • Trolltech has the most reported vulnerabilities, with 3 reported vulnerabilities.
  • Tsugio Okamoto has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-09-28 CVE-2004-0745 Tsugio Okamoto Unspecified vulnerability in Tsugio Okamoto LHA

LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name.

10.0
2004-09-28 CVE-2004-0200 Microsoft Unspecified vulnerability in Microsoft products

Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.

9.3

16 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-09-28 CVE-2004-0699 Checkpoint Buffer Overflow vulnerability in Check Point VPN-1 ASN.1

Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data.

7.5
2004-09-28 CVE-2004-0691 Trolltech Unspecified vulnerability in Trolltech QT

Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.

7.5
2004-09-28 CVE-2004-0629 Adobe Buffer Overflow vulnerability in Adobe Acrobat/Acrobat Reader ActiveX Control URI Request Heap

Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string.

7.5
2004-09-28 CVE-2004-0593 Sygate Technologies Unspecified vulnerability in Sygate Technologies Enforcer and Secure Enterprise

Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules.

7.5
2004-09-28 CVE-2004-0573 Microsoft Unspecified vulnerability in Microsoft products

Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.

7.5
2004-09-28 CVE-2004-0500 ROB Flynn
Gentoo
Mandrakesoft
MSN Protocol Buffer Overflow vulnerability in Gaim

Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call.

7.5
2004-09-28 CVE-2004-0458 Nicolas Boullis
Debian
NULL Pointer Dereference vulnerability in multiple products

mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.

7.5
2004-09-28 CVE-2004-0408 Michael Bacarella Remote Buffer Overflow vulnerability in Michael Bacarella IDent2 Daemon Child_Service

Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code.

7.5
2004-09-28 CVE-2003-0930 Clearswift Unspecified vulnerability in Clearswift Mailsweeper

Clearswift MAILsweeper before 4.3.15 does not properly detect filenames in BinHex (HQX) encoded files, which allows remote attackers to bypass intended policy.

7.5
2004-09-28 CVE-2003-0929 Clearswift Unspecified vulnerability in Clearswift Mailsweeper

Clearswift MAILsweeper before 4.3.15 does not properly detect and filter ZIP 6.0 encoded files, which allows remote attackers to bypass intended policy.

7.5
2004-09-28 CVE-2003-0928 Clearswift Unspecified vulnerability in Clearswift Mailsweeper

Clearswift MAILsweeper before 4.3.15 does not properly detect and filter RAR 3.20 encoded files, which allows remote attackers to bypass intended policy.

7.5
2004-09-28 CVE-2003-1052 IBM Unspecified vulnerability in IBM DB2 and DB2 Universal Database

IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modifying the shared libraries that are used in setuid root programs.

7.2
2004-09-28 CVE-2003-1051 IBM Command-line Format String vulnerability in IBM DB2 9.0

Multiple format string vulnerabilities in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via certain command line arguments to (1) db2start, (2) db2stop, or (3) db2govd.

7.2
2004-09-28 CVE-2003-1050 IBM Command-Line Argument Buffer Overflow vulnerability in IBM DB2

Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via long command line arguments to (1) db2start, (2) db2stop, or (3) db2govd.

7.2
2004-09-28 CVE-2002-1583 IBM Buffer Overflow vulnerability in IBM DB2 db2ckpw

Buffer overflow in sqllib/security/db2ckpw for IBM DB2 Universal Database 6.0 and 7.0 allows local users to execute arbitrary code via a long username that is read from a file descriptor argument.

7.2
2004-09-28 CVE-2004-0689 KDE
Debian
Link Following vulnerability in multiple products

KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.

7.1

12 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-09-30 CVE-2004-1604 Cpanel Remote Security vulnerability in Cpanel 9.9.1R3

cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled.

5.0
2004-09-28 CVE-2004-0693 Trolltech Unspecified vulnerability in Trolltech QT

The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.

5.0
2004-09-28 CVE-2004-0692 Trolltech Unspecified vulnerability in Trolltech QT

The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.

5.0
2004-09-28 CVE-2004-0644 MIT Denial Of Service vulnerability in MIT Kerberos 5 ASN.1 Decoder

The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.

5.0
2004-09-28 CVE-2004-0558 Easy Software Products Remote Denial Of Service vulnerability in CUPS UDP Packet

The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.

5.0
2004-09-28 CVE-2004-0163 Sygate Technologies Unspecified vulnerability in Sygate Technologies Secure Enterprise

Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session.

5.0
2004-09-28 CVE-2003-0931 Sygate Technologies Unspecified vulnerability in Sygate Technologies Enforcer

Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial of service (service hang) by replaying a malformed discovery packet to UDP port 39999.

5.0
2004-09-28 CVE-2003-0105 Port80 Software Unspecified vulnerability in Port80 Software Servermask

ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server.

5.0
2004-09-28 CVE-2004-0690 KDE Unspecified vulnerability in KDE 3.2.1

The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory.

4.6
2004-09-28 CVE-2004-0643 MIT
Debian
Redhat
Double Free vulnerability in multiple products

Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.

4.6
2004-09-28 CVE-2004-0457 Oracle Unspecified vulnerability in Oracle Mysql

The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.

4.6
2004-09-28 CVE-2003-1049 IBM Unspecified vulnerability in IBM DB2 Universal Database 7.0/8.0

IBM DB2 Universal Database 7 before FixPak 12 creates certain DMS directories with insecure permissions (777), which allows local users to modify or delete certain DB2 files.

4.6

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-09-29 CVE-2005-0190 Realnetworks Remote Arbitrary File Deletion vulnerability in RealNetworks RealOne Player And RealPlayer

Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing ..

2.6