CVE List 2006

Each entry gives the CVE id, its score and severity, the affected package, the MV product/versions affected (CGE 5.1, 6.0 and/or 7.0), the description, and the publication date.

CVE-2006-7250
  Score: 5.0 (Medium) | Package: openssl | Affected: CGE 7.0 | Published: February 29, 2012
  The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.

CVE-2006-7243
  Score: 5.0 (Medium) | Package: php | Affected: CGE 7.0 | Published: January 18, 2011
  PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.

CVE-2006-7230
  Score: 4.3 (Medium) | Package: pcre | Affected: CGE 7.0 | Published: November 15, 2007
  Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions.

CVE-2006-7228
  Score: 6.8 (Medium) | Package: pcre | Affected: CGE 7.0 | Published: November 14, 2007
  Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.

CVE-2006-7227
  Score: 6.8 (Medium) | Package: pcre | Affected: CGE 7.0 | Published: November 14, 2007
  Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.

CVE-2006-7226
  Score: 4.3 (Medium) | Package: kernel | Affected: CGE 7.0 | Published: December 3, 2007
  Perl-Compatible Regular Expression (PCRE) library before 6.7 does not properly calculate the compiled memory allocation for regular expressions that involve a quantified "subpattern containing a named recursion or subroutine reference," which allows context-dependent attackers to cause a denial of service (error or crash).

CVE-2006-7225
  Score: 4.3 (Medium) | Package: pcre | Affected: CGE 7.0 | Published: December 3, 2007
  Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence.

CVE-2006-7203
  Score: 4.0 (Medium) | Package: kernel | Affected: CGE 7.0 | Published: May 14, 2007
  The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").

CVE-2006-6939
  Score: 4.6 (Medium) | Package: ed | Affected: CGE 7.0 | Published: January 16, 2007
  GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function.

CVE-2006-6719
  Score: 5.0 (Medium) | Package: wget | Affected: CGE 6.0, CGE 7.0 | Published: December 23, 2006
  The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) GNU wget 1.10.2 allows remote attackers to cause a denial of service (application crash) via a malicious FTP server with a large number of blank 220 responses to the SYST command.

CVE-2006-6107
  Score: 1.7 (Low) | Package: d-bus | Affected: CGE 6.0, CGE 7.0 | Published: December 13, 2006
  Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages).

CVE-2006-6097
  Score: 4.0 (Medium) | Package: tar | Affected: CGE 6.0, CGE 7.0 | Published: November 24, 2006
  GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.

CVE-2006-6058
  Score: 4.0 (Medium) | Package: kernel | Affected: CGE 6.0, CGE 7.0 | Published: November 21, 2006
  The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error.

CVE-2006-6054
  Score: 4.0 (Medium) | Package: kernel | Affected: CGE 6.0, CGE 7.0 | Published: November 21, 2006
  The ext2 file system code in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext2 stream with malformed data structures that triggers an error in the ext2_check_page due to a length that is smaller than the minimum.

CVE-2006-6053
  Score: 4.9 (Medium) | Package: kernel | Affected: CGE 6.0, CGE 7.0 | Published: November 21, 2006
  The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures.

CVE-2006-6008
  Score: 6.5 (Medium) | Package: netkit | Affected: CGE 6.0, CGE 7.0 | Published: November 21, 2006
  ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, does not check the return status of certain seteuid, setgid, and setuid calls, which might allow remote authenticated users to gain privileges if these calls fail in cases such as PAM failures or resource limits, a different vulnerability than CVE-2006-5778.

CVE-2006-5815
  Score: 10.0 (High) | Package: proftpd | Affected: CGE 6.0, CGE 7.0 | Published: November 8, 2006
  Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."

CVE-2006-5794
  Score: 7.5 (High) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 8, 2006
  Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.

CVE-2006-5779
  Score: 5.0 (Medium) | Package: openldap | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 7, 2006
  OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.

CVE-2006-5778
  Score: 4.6 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 7, 2006
  ftpd in linux-ftpd 0.17, and possibly other versions, performs a chdir before setting the UID, which allows local users to bypass intended access restrictions by redirecting their home directory to a restricted directory.

CVE-2006-5757
  Score: 1.2 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 6, 2006
  Race condition in the __find_get_block_slow function in the ISO9660 filesystem in Linux 2.6.18 and possibly other versions allows local users to cause a denial of service (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures.

CVE-2006-5751
  Score: 7.2 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: December 1, 2006
  Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request.

CVE-2006-5701
  Score: 4.9 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 3, 2006
  Double free vulnerability in squashfs module in the Linux kernel 2.6.x, as used in Fedora Core 5 and possibly other distributions, allows local users to cause a denial of service by mounting a crafted squashfs filesystem.

CVE-2006-5619
  Score: 2.1 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 31, 2006
  The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels.

CVE-2006-5466
  Score: 5.4 (Medium) | Package: package_manager | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 6, 2006
  Heap-based buffer overflow in the showQueryPackage function in librpm in RPM Package Manager 4.4.8, when the LANG environment variable is set to ru_RU.UTF-8, might allow user-assisted attackers to execute arbitrary code via crafted RPM packages.

CVE-2006-5229
  Score: 2.6 (Low) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 10, 2006
  OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.

CVE-2006-5158
  Score: 3.3 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 4, 2006
  The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.

CVE-2006-5052
  Score: 5.0 (Medium) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 27, 2006
  Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

CVE-2006-5051
  Score: 9.3 (High) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 27, 2006
  Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

CVE-2006-4997
  Score: 7.1 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 9, 2006
  The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference).

CVE-2006-4980
  Score: 7.5 (High) | Package: python | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 9, 2006
  Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.

CVE-2006-4925
  Score: 5.0 (Medium) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 28, 2006
  packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

CVE-2006-4924
  Score: 7.8 (High) | Package: openssh | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 26, 2006
  sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.

CVE-2006-4814
  Score: 4.6 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: December 19, 2006
  The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

CVE-2006-4813
  Score: 2.1 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: October 12, 2006
  The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 does not properly clear buffers during certain error conditions, which allows local users to read portions of files that have been unlinked.

CVE-2006-4810
  Score: 4.6 (Medium) | Package: texinfo | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 8, 2006
  Buffer overflow in the readline function in util/texindex.c, as used by the (1) texi2dvi and (2) texindex commands, in texinfo 4.8 and earlier allows local users to execute arbitrary code via a crafted Texinfo file.

CVE-2006-4790
  Score: 5.0 (Medium) | Package: gnutls | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 14, 2006
  verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.

CVE-2006-4625
  Score: 3.6 (Low) | Package: php | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 12, 2006
  PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.

CVE-2006-4600
  Score: 2.3 (Low) | Package: openldap | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 6, 2006
  slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).

CVE-2006-4572
  Score: 7.5 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: November 6, 2006
  ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows remote attackers to (1) bypass a rule that disallows a protocol, via a packet with the protocol header not located immediately after the fragment header, aka "ip6_tables protocol bypass bug;" and (2) bypass a rule that looks for a certain extension header, via a packet with an extension header outside the first fragment, aka "ip6_tables extension header bypass bug."

CVE-2006-4535
  Score: 4.9 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745. NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch.

CVE-2006-4482
  Score: 9.3 (High) | Package: php | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: August 31, 2006
  Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990.

CVE-2006-4447
  Score: 7.2 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: August 29, 2006
  X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm, does not check the return values for setuid and seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail, such as by exceeding a ulimit.

CVE-2006-4343
  Score: 4.3 (Medium) | Package: openssl | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 28, 2006
  The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

CVE-2006-4339
  Score: 4.3 (Medium) | Package: openssl | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 5, 2006
  OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.

CVE-2006-4338
  Score: 5.0 (Medium) | Package: gzip | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  unlzh.c in the LZH component in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted GZIP archive.

CVE-2006-4337
  Score: 7.5 (High) | Package: gzip | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  Buffer overflow in the make_table function in the LZH component in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted decoding table in a GZIP archive.

CVE-2006-4336
  Score: 7.5 (High) | Package: gzip | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index.

CVE-2006-4335
  Score: 7.5 (High) | Package: gzip | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  Array index error in the make_table function in unlzh.c in the LZH decompression component in gzip 1.3.5, when running on certain platforms, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GZIP archive that triggers an out-of-bounds write, aka a "stack modification vulnerability."

CVE-2006-4334
  Score: 5.0 (Medium) | Package: gzip | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 19, 2006
  Unspecified vulnerability in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (crash) via a crafted GZIP (gz) archive, which results in a NULL dereference.

CVE-2006-4145
  Score: 4.9 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: August 21, 2006
  The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.

CVE-2006-4096
  Score: 5.0 (Medium) | Package: bind | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 5, 2006
  BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via a flood of recursive queries, which cause an INSIST failure when the response is received after the recursion queue is empty.

CVE-2006-4095
  Score: 5.0 (Medium) | Package: bind | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 5, 2006
  BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via certain SIG queries, which cause an assertion failure when multiple RRsets are returned.

CVE-2006-3918
  Score: 4.3 (Medium) | Package: apache | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 27, 2006
  http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

CVE-2006-3784
  Score: 7.2 (High) | Package: pcanywhere | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 24, 2006
  Symantec pcAnywhere 12.5 uses weak default permissions for the "Symantec\pcAnywhere\Hosts" folder, which allows local users to gain privileges by inserting a superuser .cif (aka caller or CallerID) file into the folder, and then using a pcAnywhere client to login as a local administrator.

CVE-2006-3747
  Score: 7.6 (High) | Package: apache | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 28, 2006
  Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

CVE-2006-3745
  Score: 7.2 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: August 23, 2006
  Unspecified vulnerability in the sctp_make_abort_user function in the SCTP implementation in Linux 2.6.x before 2.6.17.10 and 2.4.23 up to 2.4.33 allows local users to cause a denial of service (panic) and possibly gain root privileges via unknown attack vectors.

CVE-2006-3738
  Score: 10.0 (High) | Package: openssl | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 28, 2006
  Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.

CVE-2006-3468
  Score: 7.8 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 21, 2006
  Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only.

CVE-2006-3467
  Score: 7.5 (High) | Package: freetype | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 21, 2006
  Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.

CVE-2006-3403
  Score: 5.0 (Medium) | Package: samba | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 12, 2006
  The smbd daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of share connection requests.

CVE-2006-3378
  Score: 7.2 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 6, 2006
  passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called with the -f, -g, or -s flag, does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits.

CVE-2006-3085
  Score: 7.8 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 23, 2006
  xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.

CVE-2006-3016
  Score: 9.3 (High) | Package: php | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 14, 2006
  Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().

CVE-2006-2940
  Score: 7.8 (High) | Package: openssl | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 28, 2006
  OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.

CVE-2006-2937
  Score: 7.8 (High) | Package: openssl | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: September 28, 2006
  OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.

CVE-2006-2936
  Score: 7.8 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 10, 2006
  The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued.

CVE-2006-2935
  Score: 4.6 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: July 5, 2006
  The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow.

CVE-2006-2934
  Score: 5.0 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 30, 2006
  SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer.

CVE-2006-2754
  Score: 5.0 (Medium) | Package: openldap | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 1, 2006
  Stack-based buffer overflow in st.c in slurpd for OpenLDAP before 2.3.22 might allow attackers to execute arbitrary code via a long hostname.

CVE-2006-2661
  Score: 5.0 (Medium) | Package: freetype | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 30, 2006
  ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.

CVE-2006-2656
  Score: 7.5 (High) | Package: tiff | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 30, 2006
  Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.

CVE-2006-2607
  Score: 7.2 (High) | Package: vixie_cron | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 25, 2006
  do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.

CVE-2006-2448
  Score: 5.6 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 23, 2006
  Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c).

CVE-2006-2445
  Score: 4.0 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 23, 2006
  Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21 allows local users to cause a denial of service (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting.

CVE-2006-2444
  Score: 7.8 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 25, 2006
  The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.

CVE-2006-2362
  Score: 7.5 (High) | Package: binutils | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 15, 2006
  Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.

CVE-2006-2314
  Score: 7.5 (High) | Package: postgresql | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 24, 2006
  PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

CVE-2006-2313
  Score: 7.5 (High) | Package: postgresql | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 24, 2006
  PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications via invalid encodings of multibyte characters, aka one variant of "Encoding-Based SQL Injection."

CVE-2006-2193
  Score: 7.5 (High) | Package: tiff | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: June 8, 2006
  Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.

CVE-2006-2120
  Score: 2.1 (Low) | Package: tiff | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 1, 2006
  The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read.

CVE-2006-2083
  Score: 7.5 (High) | Package: rsync | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: April 28, 2006
  Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.

CVE-2006-2071
  Score: 2.1 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: April 27, 2006
  Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs.

CVE-2006-1862
  Score: 4.9 (Medium) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 24, 2006
  The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load.

CVE-2006-1861
  Score: 7.5 (High) | Package: freetype | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 23, 2006
  Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.

CVE-2006-1859
  Score: 2.1 (Low) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 11, 2006
  Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialised return value," aka "slab leak."

CVE-2006-1858
  Score: 7.8 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 22, 2006
  SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters.

CVE-2006-1857
  Score: 9.0 (High) | Package: kernel | Affected: CGE 5.1, CGE 6.0, CGE 7.0 | Published: May 22, 2006
  Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.
CVE-2006-1856
7.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High kernel Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions. May 19, 2006, 18:05 pm
CVE-2006-1855
2.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low kernel choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process. May 18, 2006, 14:05 pm
CVE-2006-1542
3.7 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low python Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected. March 30, 2006, 05:03 am
CVE-2006-1528
4.9 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space. May 18, 2006, 14:05 pm
CVE-2006-1526
2.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low x11r6 Buffer overflow in the X render (Xrender) extension in X.org X server 6.8.0 up to allows attackers to cause a denial of service (crash), as demonstrated by the (1) XRenderCompositeTriStrip and (2) XRenderCompositeTriFan requests in the rendertest from XCB xcb/xcb-demo, which leads to an incorrect memory allocation due to a typo in an expression that uses a "&" instead of a "*" operator. NOTE: the subject line of the original announcement used an incorrect CVE number for this issue. May 2, 2006, 16:05 pm
CVE-2006-1525
4.9 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference. April 19, 2006, 13:04 pm
CVE-2006-1242
5.0 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks. March 15, 2006, 11:03 am
CVE-2006-1168
7.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High ncompress The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow. August 14, 2006, 15:08 pm
CVE-2006-1061
7.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High curl Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. March 20, 2006, 19:03 pm
CVE-2006-1056
2.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low freebsd The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. April 20, 2006, 05:04 am
CVE-2006-0747
5.0 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium freetype Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. May 23, 2006, 05:05 am
CVE-2006-0744
4.9 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS. April 18, 2006, 05:04 am
CVE-2006-0741
1.2 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low kernel Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address." March 6, 2006, 20:03 pm
CVE-2006-0678
1.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low postgresql PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553. February 14, 2006, 13:02 pm
CVE-2006-0645
7.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High libtasn1 Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite. February 10, 2006, 12:02 pm
CVE-2006-0557
4.9 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors. March 12, 2006, 15:03 pm
CVE-2006-0555
2.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low kernel The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O). March 6, 2006, 20:03 pm
CVE-2006-0554
1.7 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low kernel Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data. March 6, 2006, 20:03 pm
CVE-2006-0553
6.5 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium postgresql PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678. February 14, 2006, 13:02 pm
CVE-2006-0457
7.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High kernel Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. March 13, 2006, 20:03 pm
CVE-2006-0454
5.0 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value. February 7, 2006, 12:02 pm
CVE-2006-0405
5.0 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium tiff The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function. January 24, 2006, 20:01 pm
CVE-2006-0225
4.6 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium openssh scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. January 25, 2006, 05:01 am
CVE-2006-0208
2.6 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low php Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message. January 13, 2006, 17:01 pm
CVE-2006-0207
5.0 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium php Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. January 13, 2006, 17:01 pm
CVE-2006-0096
7.2 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
High kernel wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels. January 6, 2006, 05:01 am
CVE-2006-0095
2.1 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Low kernel dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key. January 6, 2006, 05:01 am
CVE-2006-0039
4.7 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE. May 19, 2006, 17:05 pm
CVE-2006-0038
6.9 MV Product/Version
affected:
CGE 5.1
CGE 6.0
CGE 7.0
Medium kernel Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function. March 22, 2006, 14:03 pm