Executive Summary
Summary | |
---|---|
Title | New xloadimage packages fix several vulnerabilities |
Informations | |||
---|---|---|---|
Name | DSA-694 | First vendor Publication | 2005-03-21 |
Vendor | Debian | Last vendor Modification | 2005-03-21 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several vulnerabilities have been discovered in xloadimage, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems: CAN-2005-0638 Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. CAN-2005-0639 Insufficient validation of image properties in have been discovered which could potentially result in buffer management errors. For the stable distribution (woody) these problems have been fixed in version 4.1-10woody1. For the unstable distribution (sid) these problems have been fixed in version 4.1-14.2. We recommend that you upgrade your xloadimage package. |
Original Source
Url : http://www.debian.org/security/2005/dsa-694 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10898 | |||
Oval ID: | oval:org.mitre.oval:def:10898 | ||
Title: | xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command. | ||
Description: | xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0638 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-09-04 | Name : FreeBSD Ports: xli File : nvt/freebsd_xli0.nasl |
2008-09-04 | Name : FreeBSD Ports: xli File : nvt/freebsd_xli1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 694-1 (xloadimage) File : nvt/deb_694_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 695-1 (xli) File : nvt/deb_695_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
14366 | xli Unspecified Image Properties Overflow xli contains a flaw related to the validation of image properties that may allow a remote attacker to execute arbitrary code. No further details have been provided. |
14357 | xloadimage Compressed Image Filename Shell Metacharacter Arbitrary Command Ex... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-06-29 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2005-332-01.nasl - Type : ACT_GATHER_INFO |
2006-07-05 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2005-332.nasl - Type : ACT_GATHER_INFO |
2005-09-12 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-237.nasl - Type : ACT_GATHER_INFO |
2005-07-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_310d00870fde4929a41f96f17c5adffe.nasl - Type : ACT_GATHER_INFO |
2005-07-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_bfbbd5053bd6409c8c67445d3635cf4b.nasl - Type : ACT_GATHER_INFO |
2005-05-19 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-236.nasl - Type : ACT_GATHER_INFO |
2005-04-21 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2005-076.nasl - Type : ACT_GATHER_INFO |
2005-04-19 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2005-332.nasl - Type : ACT_GATHER_INFO |
2005-03-23 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-060.nasl - Type : ACT_GATHER_INFO |
2005-03-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-694.nasl - Type : ACT_GATHER_INFO |
2005-03-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-695.nasl - Type : ACT_GATHER_INFO |
2005-03-04 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200503-05.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:33:56 |
|