FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  375358
Date:      2014-12-23
Time:      21:24:55Z
Committer: rea

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
9a035a56-eff0-11d9-8310-0001020eed82ekg -- insecure temporary file creation

Eric Romang reports that ekg creates temporary files in an insecure manner. This can be exploited by an attacker using a symlink attack to overwrite arbitrary files and possibly execute arbitrary commands with the permissions of the user running ekg.


Discovery 2005-07-05
Entry 2005-07-08
Modified 2005-07-31
pl-ekg
lt 1.6r2,1

14146
CVE-2005-1916
http://marc.theaimsgroup.com/?l=bugtraq&m=112060146011122
http://bugs.gentoo.org/show_bug.cgi?id=94172
3b4a6982-0b24-11da-bc08-0001020eed82libgadu -- multiple vulnerabilities

Wojtek Kaniewski reports:

Multiple vulnerabilities have been found in libgadu, a library for handling Gadu-Gadu instant messaging protocol. It is a part of ekg, a Gadu-Gadu client, but is widely used in other clients. Also some of the user contributed scripts were found to behave in an insecure manner.

  • integer overflow in libgadu (CVE-2005-1852) that could be triggered by an incomming message and lead to application crash and/or remote code execution
  • insecure file creation (CVE-2005-1850) and shell command injection (CVE-2005-1851) in other user contributed scripts (discovered by Marcin Owsiany and Wojtek Kaniewski)
  • several signedness errors in libgadu that could be triggered by an incomming network data or an application passing invalid user input to the library
  • memory alignment errors in libgadu that could be triggered by an incomming message and lead to bus errors on architectures like SPARC
  • endianness errors in libgadu that could cause invalid behaviour of applications on big-endian architectures

Discovery 2005-07-21
Entry 2005-08-12
Modified 2005-10-23
gaim
ja-gaim
ko-gaim
ru-gaim
lt 1.4.0_1

kdenetwork
gt 3.2.2 lt 3.4.2

pl-ekg
lt 1.6r3,1

centericq
lt 4.21.0_1

14345
CVE-2005-1850
CVE-2005-1851
CVE-2005-1852
CVE-2005-2369
CVE-2005-2370
CVE-2005-2448
http://marc.theaimsgroup.com/?l=bugtraq&m=112198499417250
http://gaim.sourceforge.net/security/?id=20
http://www.kde.org/info/security/advisory-20050721-1.txt
3b4a6982-0b24-11da-bc08-0001020eed82libgadu -- multiple vulnerabilities

Wojtek Kaniewski reports:

Multiple vulnerabilities have been found in libgadu, a library for handling Gadu-Gadu instant messaging protocol. It is a part of ekg, a Gadu-Gadu client, but is widely used in other clients. Also some of the user contributed scripts were found to behave in an insecure manner.

  • integer overflow in libgadu (CVE-2005-1852) that could be triggered by an incomming message and lead to application crash and/or remote code execution
  • insecure file creation (CVE-2005-1850) and shell command injection (CVE-2005-1851) in other user contributed scripts (discovered by Marcin Owsiany and Wojtek Kaniewski)
  • several signedness errors in libgadu that could be triggered by an incomming network data or an application passing invalid user input to the library
  • memory alignment errors in libgadu that could be triggered by an incomming message and lead to bus errors on architectures like SPARC
  • endianness errors in libgadu that could cause invalid behaviour of applications on big-endian architectures

Discovery 2005-07-21
Entry 2005-08-12
Modified 2005-10-23
gaim
ja-gaim
ko-gaim
ru-gaim
lt 1.4.0_1

kdenetwork
gt 3.2.2 lt 3.4.2

pl-ekg
lt 1.6r3,1

centericq
lt 4.21.0_1

14345
CVE-2005-1850
CVE-2005-1851
CVE-2005-1852
CVE-2005-2369
CVE-2005-2370
CVE-2005-2448
http://marc.theaimsgroup.com/?l=bugtraq&m=112198499417250
http://gaim.sourceforge.net/security/?id=20
http://www.kde.org/info/security/advisory-20050721-1.txt
9a035a56-eff0-11d9-8310-0001020eed82ekg -- insecure temporary file creation

Eric Romang reports that ekg creates temporary files in an insecure manner. This can be exploited by an attacker using a symlink attack to overwrite arbitrary files and possibly execute arbitrary commands with the permissions of the user running ekg.


Discovery 2005-07-05
Entry 2005-07-08
Modified 2005-07-31
pl-ekg
lt 1.6r2,1

14146
CVE-2005-1916
http://marc.theaimsgroup.com/?l=bugtraq&m=112060146011122
http://bugs.gentoo.org/show_bug.cgi?id=94172