CPNI - Centre for the Protection of National Infrastructure

January 2007

OpenPKG Security Advisories

ID: 00017
Ref: 15/2007
Date: 08 January 2007:15:46:36
Version: 1

Title: OpenPKG Security Advisories
Abstract: bzip2, Drupal, fetchmail, WordPress

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.002
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.002
Advisory Published: 2007-01-05 21:58 UTC

Issue Id (internal): OpenPKG-SI-20070105.01
Issue First Created: 2007-01-05
Issue Last Modified: 2007-01-05
Issue Revision: 04
____________________________________________________________________________

Subject Name: bzip2
Subject Summary: Compression Tool
Subject Home: http://www.bzip.org/
Subject Versions: * <= 1.0.3

Vulnerability Id: CVE-2005-0953, CVE-2005-0758
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: local system
Attack Impact: manipulation of data, arbitrary code execution

Description:
Together with two portability and stability issues, two older
security issues were fixed in the compression tool BZip2 [0], versions
up to and including 1.0.3.

The first issue is a race condition which allows local users to
modify permissions of arbitrary files via a hard link attack on a
file while it is being decompressed, whose permissions are changed
by bzip2 after the decompression is complete.

The second issue affects the script bzgrep(1). It does not properly
sanitize arguments, which allows local users to execute arbitrary
commands via filenames that are injected into a sed(1) script.

References:
[0] http://www.bzip.org/
____________________________________________________________________________

Primary Package Name: bzip2
Primary Package Home: http://openpkg.org/go/package/bzip2

Corrected Distribution:  Corrected Branch:   Corrected Package:
OpenPKG Enterprise       E1.0-SOLID          bzip2-1.0.3-E1.0.1
OpenPKG Enterprise       E1.0-SOLID          openpkg-E1.0.2-E1.0.2
OpenPKG Community        2-STABLE-20061018   bzip2-1.0.4-2.20070105
OpenPKG Community        2-STABLE-20061018   openpkg-2.20070105-2.20070105
OpenPKG Community        2-STABLE            bzip2-1.0.4-2.20070105
OpenPKG Community        2-STABLE            openpkg-2.20070105-2.20070105
OpenPKG Community        CURRENT             bzip2-1.0.4-20070105
OpenPKG Community        CURRENT             openpkg-20070105-20070105
____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH

iD8DBQFFnrwRZwQuyWG3rjQRAgkdAJ9YBx7auj7ursOTj5M/78Kq3SlGlACfc0aV
2IRFnTk4CCJwa9FPgv1z7c0=
=Iq2w
- -----END PGP SIGNATURE-----
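
The first bzip2 issue above is a gap between closing the output file and changing permissions by path name. The following is an added example, not code from bzip2 or OpenPKG, showing one way to close that gap by setting the mode on the open descriptor; the function names, the `at_race_window` hook and the sample files are hypothetical and constructed for illustration.

```python
import bz2, os, shutil, stat, tempfile

def decompress_keep_mode(src_path, dst_path, at_race_window=None):
    """Decompress src_path to dst_path and copy the source's permission bits.

    The mode is applied with fchmod() on the descriptor that was written to,
    so it lands on the inode created here, whatever dst_path names by then.
    at_race_window is a hypothetical hook called where a close-then-chmod(path)
    sequence would leave its gap.
    """
    src_mode = stat.S_IMODE(os.stat(src_path).st_mode)
    # O_EXCL refuses a pre-existing name; O_NOFOLLOW refuses a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(dst_path, flags, 0o600)  # owner-only until fully written
    with os.fdopen(fd, "wb") as out, bz2.open(src_path, "rb") as src:
        shutil.copyfileobj(src, out)
        out.flush()
        if at_race_window:
            at_race_window()
        os.fchmod(out.fileno(), src_mode)  # acts on the inode, not the name
    return src_mode

def demo():
    """Constructed scenario: the output name is re-pointed inside the window."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, other = (os.path.join(d, n) for n in ("a.bz2", "a", "other"))
        with open(src, "wb") as f:
            f.write(bz2.compress(b"constructed sample data\n"))
        os.chmod(src, 0o644)
        with open(other, "wb") as f:
            f.write(b"unrelated file\n")
        os.chmod(other, 0o600)

        def swap():  # the name now refers to a different inode
            os.unlink(dst)
            os.link(other, dst)

        decompress_keep_mode(src, dst, at_race_window=swap)
        return stat.S_IMODE(os.stat(other).st_mode)  # unrelated file's mode

if __name__ == "__main__":
    print(oct(demo()))
```

A path-based `chmod(dst_path, ...)` at the same point would have changed the mode of the unrelated file instead.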


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.003
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.003
Advisory Published: 2007-01-05 23:29 UTC

Issue Id (internal): OpenPKG-SI-20070105.02
Issue First Created: 2007-01-05
Issue Last Modified: 2007-01-05
Issue Revision: 03
____________________________________________________________________________

Subject Name: Drupal
Subject Summary: CMS
Subject Home: http://drupal.org/
Subject Versions: * <= 4.7.4

Vulnerability Id: none
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service, privilege escalation

Description:
According to upstream vendor security advisories [0][1], two
vulnerabilities exist in the content management system Drupal [2],
versions up to and including 4.7.4.

The first vulnerability exists because a few arguments passed via
URLs are not properly sanitized before display. When an attacker is
able to entice an administrator to follow a specially crafted link,
arbitrary HTML and script code can be injected and executed in the
victim's session. Such an attack may lead to administrator access if
certain conditions are met.

The second vulnerability is related to the way page caching was
implemented. It allows a Denial of Service (DoS) attack. An attacker
has to have the ability to post content on the site. He or she would
then be able to poison the page cache, so that it returns cached
HTTP response code 404 ("page not found") errors for existing pages.
If the page cache is not enabled, your site is not vulnerable. The
vulnerability only affects sites running on top of MySQL, which is
the case in the OpenPKG packaging of Drupal.

References:
[0] http://drupal.org/files/sa-2007-001/advisory.txt
[1] http://drupal.org/files/sa-2007-002/advisory.txt
[2] http://drupal.org/
____________________________________________________________________________

Primary Package Name: drupal
Primary Package Home: http://openpkg.org/go/package/drupal

Corrected Distribution:  Corrected Branch:   Corrected Package:
OpenPKG Enterprise       E1.0-SOLID          drupal-4.7.4-E1.0.1
OpenPKG Community        2-STABLE-20061018   drupal-4.7.5-2.20070105
OpenPKG Community        2-STABLE            drupal-4.7.5-2.20070105
OpenPKG Community        CURRENT             drupal-4.7.5-20070105
____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH

iD8DBQFFntE0ZwQuyWG3rjQRAl5tAJ9j43fMnKFexNP5n91oxbECsG7yxwCfRkwp
cegWv+RWvCjZmKIxb8fj+rQ=
=U78P
- -----END PGP SIGNATURE-----
______________________________________________________________________
OpenPKG http://openpkg.org
Announcement List openpkg-announce@openpkg.org



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.004
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.004
Advisory Published: 2007-01-06 15:15 UTC

Issue Id (internal): OpenPKG-SI-20070106.01
Issue First Created: 2007-01-06
Issue Last Modified: 2007-01-06
Issue Revision: 02
____________________________________________________________________________

Subject Name: fetchmail
Subject Summary: POP3/IMAP Batch Client
Subject Home: http://fetchmail.berlios.de/
Subject Versions: * <= 6.3.5

Vulnerability Id: CVE-2006-5867, CVE-2006-5974
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service, exposure of sensitive information

Description:
According to vendor release notes [0] and security advisories
[1][2], two security issues exist in the POP3/IMAP batch client
Fetchmail [3], versions up to and including 6.3.5. First, several
password disclosure vulnerabilities exist because Fetchmail is using
unsafe logins or omitting the necessary protection through SSL/TLS.
Second, a Denial of Service (DoS) vulnerability exists because
Fetchmail crashes during dereferencing the NULL page, when rejecting
a message sent to an MDA.

References:
[0] https://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=11977
[1] http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
[2] http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
[3] http://fetchmail.berlios.de/
____________________________________________________________________________

Primary Package Name: fetchmail
Primary Package Home: http://openpkg.org/go/package/fetchmail

Corrected Distribution:  Corrected Branch:   Corrected Package:
OpenPKG Enterprise       E1.0-SOLID          fetchmail-6.3.5-E1.0.1
OpenPKG Community        2-STABLE-20061018   fetchmail-6.3.6-2.20070106
OpenPKG Community        2-STABLE            fetchmail-6.3.6-2.20070106
OpenPKG Community        CURRENT             fetchmail-6.3.6-20070106
____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH

iD8DBQFFn68TZwQuyWG3rjQRAtWGAKCc8/kieXjnOr6fmbqmOE3CuV4bxACbBrqb
cAfhP50ct5Mr0sRp2kHnxPU=
=edDb
- -----END PGP SIGNATURE-----



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.005
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.005
Advisory Published: 2007-01-06 19:37 UTC

Issue Id (internal): OpenPKG-SI-20070106.02
Issue First Created: 2007-01-06
Issue Last Modified: 2007-01-06
Issue Revision: 05
____________________________________________________________________________

Subject Name: WordPress
Subject Summary: Weblog Publishing System
Subject Home: http://wordpress.org/
Subject Versions: * <= 2.0.5

Vulnerability Id: none
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: privilege escalation, arbitrary code execution

Description:
According to a security advisory from Stefan Esser [0], a
vulnerability exists in the Weblog publishing system WordPress
[1], versions up to and including 2.0.5. WordPress supports
decoding Trackbacks with different charsets when PHP's
"mbstring" extension is activated (OpenPKG packages "php"
built with option "with_mbstring=yes" or "apache" built with
"with_mod_php_mbstring=yes"). Because the decoding happens after the
database escaping is performed, choosing a suitable charset for the
input data allows bypassing the protection against SQL injection.

References:
[0] http://www.hardened-php.net/advisory_022007.141.html
[1] http://wordpress.org/
____________________________________________________________________________

Primary Package Name: wordpress
Primary Package Home: http://openpkg.org/go/package/wordpress

Corrected Distribution:  Corrected Branch:   Corrected Package:
OpenPKG Enterprise       E1.0-SOLID          wordpress-2.0.5-E1.0.1
OpenPKG Community        2-STABLE-20061018   wordpress-2.0.6-2.20070106
OpenPKG Community        2-STABLE            wordpress-2.0.6-2.20070106
OpenPKG Community        CURRENT             wordpress-2.0.6-20070106
____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH

iD8DBQFFn+xeZwQuyWG3rjQRAjFBAJ9DX4Ze9b7JhAL7J1twDZwP5g9p/gCeMOqY
GHE6wJyih4O9secP3ecwKWg=
=IhAa
- -----END PGP SIGNATURE-----
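
The WordPress issue above comes from the order of operations: database escaping ran first and charset decoding second. The following is an added example, written in Python rather than WordPress's PHP and not taken from WordPress or OpenPKG, of the corrected order: decode once against an allowlist, then pass the text as a bound parameter. The table, function names, allowlist and sample inputs are hypothetical and constructed for illustration.

```python
import sqlite3

# Assumed site policy: only these charsets are accepted from remote senders.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "windows-1252"}

def decode_input(raw: bytes, charset: str) -> str:
    """Turn request bytes into text exactly once, before any SQL handling."""
    name = charset.strip().lower()
    if name not in ALLOWED_CHARSETS:
        raise ValueError(f"charset not accepted: {charset!r}")
    # strict: malformed byte sequences raise UnicodeDecodeError (a ValueError)
    return raw.decode(name, errors="strict")

def store_trackback(conn, raw_title: bytes, charset: str) -> int:
    """Decode first, then bind; no transformation happens after binding."""
    title = decode_input(raw_title, charset)
    cur = conn.execute("INSERT INTO trackbacks (title) VALUES (?)", (title,))
    return cur.lastrowid

def demo():
    """Constructed inputs: one accepted title with quotes, one refused charset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trackbacks (id INTEGER PRIMARY KEY, title TEXT)")
    row_id = store_trackback(conn, b"Caf\xe9 'quoted' title", "ISO-8859-1")
    stored = conn.execute(
        "SELECT title FROM trackbacks WHERE id = ?", (row_id,)
    ).fetchone()[0]
    try:
        store_trackback(conn, b"anything", "x-unlisted")
        rejected = False
    except ValueError:
        rejected = True
    count = conn.execute("SELECT COUNT(*) FROM trackbacks").fetchone()[0]
    return stored, rejected, count

if __name__ == "__main__":
    print(demo())
```

Because the decoded text reaches the database only as a bound value, quote characters in it are stored as data, and nothing is decoded after the point where SQL handling begins.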
