From the Squid advisory:

Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.

Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation.

Users with admin rights can severly damage an phpBB installation, potentially triggered by viewing a page with a malicious link sent by an attacker.

A security hole exists that can be used to crash the proxy and execute arbitrary code. An exploit is circulating that takes advantage of this, and in some cases succeeds in obtaining a login shell on the machine.

A remote attacker may use specially crafted IKE/ISAKMP messages to cause racoon to delete security associations. This could result in denial-of-service or possibly cause sensitive traffic to be transmitted in plaintext, depending upon configuration.

The authors of UUDeview report repairing two buffer overflows in their software.

A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake.

When the directive "SecFilterScanPost" is enabled, the Apache 2.x version of ModSecurity is vulnerable to an off-by-one overflow

An attacker may cause Apache with mod_python to crash by using a specially constructed query string.

Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives:

Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory.

Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that is executed only when a certain error is encountered.

Henning Brauer discovered a programming error in Apache 1.3's mod_access that results in the netmasks in IP address access control rules being interpreted incorrectly on 64-bit, big-endian platforms. In some cases, this could cause a `deny from' IP address access control rule including a netmask to fail.

Jon Orton reports a memory leak in Apache 2's mod_ssl. A remote attacker may issue HTTP requests on an HTTPS port, causing an error. Due to a bug in processing this condition, memory associated with the connection is not freed. Repeated requests can result in consuming all available memory resources, probably resulting in termination of the Apache process.

In 2003, two vulnerabilities were discovered in mpg123 that could result in remote code execution when using untrusted input or streaming from an untrusted server.

Ulf Härnhammar discovered several vulnerabilities in GNU Anubis.

• Unsafe uses of `sscanf'. The `%s' format specifier is used, which allows a classical buffer overflow. (auth.c)
• Format string bugs invoking `syslog'. (log.c, errs.c, ssl.c)

Ulf notes that these vulnerabilities can be exploited by a malicious IDENT server as a denial-of-service attack.

A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on the machine running the X server.

Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.

Eric Raymond decided not to mention this issue in the release notes for fetchmail 6.2.5, but it was fixed there.

Steve Kemp reports (in a Debian bug submission):

Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games).

Environmental variables are used without being bounds-checked in any way, from the source code:

highscore.c:
   /* Use the environment variable if it exists */
   if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
        strcpy(filename, str);
   else
        strcpy(filename, HIGH_SCORE_FILE);

misc.c:
    if ((ptr = getenv("HOME")) != NULL)
        (void) strcpy(dest, ptr);

Neither of these checks are boundschecked, and will allow arbitary shell code to be run.

Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.

A malformed message could cause mailman to crash.

Dirk Mueller reports:

I've found a cross-site scripting vulnerability in the admin interface of mailman 2.1.3 that allows, under certain circumstances, for anyone to retrieve the (valid) session cookie.

From the 2.1.3 release notes:

Closed a cross-site scripting exploit in the create cgi script.

From the 2.1.1 release notes:

Closed a cross-site scripting vulnerability in the user options page.

Multiple researchers have discovered multiple SQL injection vulnerabilities in some versions of Php-Nuke. These vulnerabilities may lead to information disclosure, compromise of the Php-Nuke site, or compromise of the back-end database.

Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environmental variable handling. In several instances, the contents of the HOME environmental variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire group-ID `games' privileges.

An exploit for this vulnerability has been published by ``Li0n7 voila fr''.

Ulf Härnhammar discovered a format string bug in hsftp's file listing code may allow a malicious server to cause arbitrary code execution by the client.

An attacker can cause an assertion to trigger by sending a long User-Agent field in a request.

Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxml2 to parse documents.

Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server.

The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution.

In the FreeBSD Ports Collection, `pwlib' is directly affected. Other applications such as `asterisk' and `openh323' incorporate `pwlib' statically and so are also independently affected.

Jedi/Sector One <j@pureftpd.org> reported the following on the full-disclosure list:

Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata.

Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document.

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though).

Exploitation should be easy, moreover textbuf points to the stack.

libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions.

This has been reported as a ``symlink vulnerability'', although I do not think that is an accurate description.

This vulnerability could possibly be used on a multi-user system to gain elevated privileges, e.g. root builds some packages, and another user successfully exploits this vulnerability to write to a system file.

The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available.

icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root.

According to the author:

Fixed security loophole which allowed remote clients to access arbitrary files on our system.

The Chinese Console Environment contains exploitable buffer overflows.

Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system(3) without setting up the environment, trivially allowing local root compromise.

Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix.

An attacker may send an email message containing a specially constructed URL that will execute arbitrary commands when viewed.

An attacker may send a specially-formatted email message that will cause pine to crash.

Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.

When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.

Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory:

While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.

The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.

In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.

From the Samba 3.0.2 release notes:

Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.

clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav.

Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code.

From the Apache-SSL security advisory:

If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.

All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).

Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process.

The Debian security team reported a pair of vulnerabilities in fsp:

A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).

A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow.

A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise.

A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.

Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.

The following summary was written by Werner Koch, GnuPG author:

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

...

Please take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.

Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.

Mathopd contains a buffer overflow in the prepare_reply() function that may be remotely exploitable.

A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.

Fetchmail can be crashed by a malicious email message.

Applications utilizing pam_smb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise.

libmcrypt does incomplete input validation, leading to several buffer overflow vuxml. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack.

An authenticated user may trigger a format string vulnerability present in qpopper's UIDL code, resulting in arbitrary code execution with group ID `mail' privileges.