CVE-2011-1526 – krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
https://notcve.org/view.php?id=CVE-2011-1526
ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script. ftpd.c en el demonio GSS-API FTP en MIT Kerberos Version 5 Applications (también conocido como krb5-appl) v1.0.1 y anteriores no comprueban el valor de retorno krb5_setegid, lo que permite que usuarios autenticados de forma remota evitar las restricciones de acceso de grupo, y crear, sobreescribir, borrar, o leer ficheros, a través de comandos FTP estándar, relacionado con test autoconfigurados olvidados en un script configurado. It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group. • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062681.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062699.html http://lists.opensuse.org/opensuse-security-announce/2011-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00005.html http://lists.opensuse.org/opensuse-security-announce/201 • CWE-269: Improper Privilege Management •
CVE-2011-0762 – vsftpd 2.3.2 - Denial of Service
https://notcve.org/view.php?id=CVE-2011-0762
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632. La función vsf_filename_passes_filter de ls.c de vsftpd en versiones anteriores a la 2.3.3 permite a usuarios autenticados remotos provocar una denegación de servicio (consumo de toda la CPU y agotamiento de los slots de procesos) a través de una expresión glob modificada en comandos STAT en múltiples sesiones FTP. Una vulnerabilidad distinta a la CVE-2010-2632. Vsftpd versions 2.3.2 on NetBSD and 2.3.0 on Ubuntu suffer from a remote denial of service vulnerability. • https://www.exploit-db.com/exploits/16270 ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622741 http://cxib.net/stuff/vspoc232.c http://jvn.jp/en/jp/JVN37417423/index.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055881.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055882.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055957.html http • CWE-400: Uncontrolled Resource Consumption •
CVE-2011-1011 – policycoreutils: insecure temporary directory handling in seunshare
https://notcve.org/view.php?id=CVE-2011-1011
The seunshare_mount function in sandbox/seunshare.c in seunshare in certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new directory on top of /tmp without assigning root ownership and the sticky bit to this new directory, which allows local users to replace or delete arbitrary /tmp files, and consequently cause a denial of service or possibly gain privileges, by running a setuid application that relies on /tmp, as demonstrated by the ksu application. La función seunshare_mount en sandbox/seunshare.c en seunshare en ciertos paquetes de Red Hat de policycoreutils v2.0.83 y anteriores de Red Hat Enterprise Linux (RHEL) v6 y anteriores, y Fedora v14 y anteriores, monta un nuevo directorio en la parte superior de /tmp sin asignar la pertenencia de root y el bit sticky a este nuevo directorio, lo que permite a usuarios locales reemplazar o eliminar de archivos /tmp de su elección, y por lo tanto provocar una denegación de servicio o ganar privilegios en su caso, mediante la ejecución de una aplicación setuid que se basa en /tmp, como demostrado por la aplicación de KSU. • http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0585.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056227.html http://openwall.com/lists/oss-security/2011/02/23/1 http://openwall.com/lists/oss-security/2011/02/23/2 http://pkgs.fedoraproject.org/gitweb/?p=policycoreutils.git%3Ba=blob%3Bf=policycoreutils-rhat.patch%3Bh=d4db5bc06027de23d12a4b3f18fa6f9b1517df27%3Bhb=HEAD#l2197 http://secunia.com/advisories/43415 http://secunia.com/advisories/43844 http://secunia • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-4162 – kernel: bio: integer overflow page count when mapping/copying user data
https://notcve.org/view.php?id=CVE-2010-4162
Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device. Múltiples desbordamientos de entero en fs/bio.c en el kernel de Linux anterior a v2.6.36.2 permite a usuarios locales causar una denegación de servicio (fallo del sistema) a través de un dispositivo ioctl manipulado a un dispositivo SCSI. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=cb4644cac4a2797afc847e6c92736664d4b0ea34 http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052513.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html http://l • CWE-190: Integer Overflow or Wraparound •
CVE-2010-4158 – Linux Kernel 2.6.x - 'net/core/filter.c' Local Information Disclosure
https://notcve.org/view.php?id=CVE-2010-4158
The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter. La función sk_run_filter en net/core/filter.c en el kernel de Linux anteriores a v2.6.36.2 no comprueba si una posición de memoria determinada se ha inicializado antes de ejecutar una instrucción (1) BPF_S_LD_MEM o (2) BPF_S_LDX_MEM, permite a usuarios locales obtener información potencialmente confidencial de pila del núcleo de la memoria a través de un filtro socket manipulado. • https://www.exploit-db.com/exploits/34987 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=57fe93b374a6b8711995c2d466c502af9f3a08bb http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052513.html http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077321.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html http://lists.opensuse.org/opensuse- • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •