Ulf Harnhammar

**Name of the Vulnerable Software and Affected Versions** Evolution versions 2.12.3 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a crafted encrypted message. This is demonstrated using the Version field. **Recommendations** For versions 2.12.3 and earlier, update to a version later than 2.12.3 to resolve the issue. As a temporary workaround, consider avoiding the use of encrypted messages until a patch is available.

Name of the Vulnerable Software and Affected Versions: Evolution Shared Memo versions 2.8.2.1 and earlier Description: The issue is related to a format string vulnerability in the write html function. This vulnerability allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo. Recommendations: For Evolution Shared Memo versions 2.8.2.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Zabbix versions prior to 20061006 Description: The issue is related to multiple buffer overflows that can cause a denial of service, potentially leading to application crashes, and may allow the execution of arbitrary code. This is achieved by sending long strings to the `zabbix log` and `zabbix syslog` functions. Recommendations: For versions prior to 20061006, update to a version released after 20061006 to resolve the issue. As a temporary workaround, consider restricting input to the `zabbix log` and `zabbix syslog` functions to prevent long strings from being processed.

Name of the Vulnerable Software and Affected Versions: zabbix versions prior to 20061006 Description: The issue concerns multiple format string vulnerabilities that could allow attackers to cause a denial of service, potentially leading to an application crash, and possibly execute arbitrary code. This is achieved through format string specifiers in information that would be recorded in the system log using functions such as `zabbix log` or `zabbix syslog`. Recommendations: For versions prior to 20061006, update to a version released after 20061006 to resolve the issue. As a temporary workaround, consider restricting the use of `zabbix log` and `zabbix syslog` functions until a patch is available.

Name of the Vulnerable Software and Affected Versions: ELOG versions 2.6.2 and earlier Description: The issue allows remote attackers to inject arbitrary HTML or web script via specific parameters. This can be achieved by injecting malicious input in the filename for downloading, which is not properly quoted in an error message by the `send file direct` function. Additionally, the Type or Category values in a New entry are not properly handled in an error message by the `submit elog` function, allowing for the injection of arbitrary web script. Recommendations: For ELOG versions 2.6.2 and earlier, consider disabling the `send file direct` and `submit elog` functions until a patch is available to prevent exploitation. Restrict access to error messages that may contain user-inputted data to minimize the risk of arbitrary HTML or web script injection.

Name of the Vulnerable Software and Affected Versions: ELOG versions 2.6.2 and earlier Description: The issue concerns multiple format string vulnerabilities in the elogd.c file. These vulnerabilities can be exploited by remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. The vulnerabilities can be triggered through an entry with an attachment whose name contains format string specifiers in the `el submit` function, as well as potentially other vectors in the `receive config`, `show rss feed`, `show elog list`, `show logbook node`, and `server loop` functions. Recommendations: For ELOG versions 2.6.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Streamripper versions prior to 1.61.26 **Description** The issue is related to a buffer overflow in the HTTP header parsing, which can be triggered by remote attackers sending crafted HTTP headers. This could lead to a denial of service and potentially allow the execution of arbitrary code. **Recommendations** For versions prior to 1.61.26, update to version 1.61.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP header parsing functionality until a patch is applied.

Name of the Vulnerable Software and Affected Versions: curl versions 7.15.0 through 7.15.2 curl version 7.15.3 and earlier Description: The issue allows remote attackers to execute arbitrary commands via a TFTP URL (`tftp://`) with a valid hostname and a long path, leading to a heap-based buffer overflow in `curl` and `libcURL`. This overflow occurs due to the lack of boundary check when using the given file part of a TFTP URL. The affected flaw can be triggered by a redirect if `curl/libcurl` is told to follow redirects and an HTTP server points the client to a TFTP URL with the characteristics described above. Recommendations: For versions 7.15.0 through 7.15.2, update to version 7.15.3 or later to resolve the issue. For version 7.15.3 and earlier, update to a version later than 7.15.3 to resolve the issue. As a temporary workaround, consider disabling the use of TFTP URLs (`tftp://`) in `curl` and `libcURL` until a patch is available. Avoid using paths longer than 512 bytes in TFTP URLs (`tftp://`) until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Metamail version 2.7-50 **Description** The issue is related to a buffer overflow that can be triggered by e-mail messages with a long boundary attribute. This can cause a denial of service, resulting in an application crash, or potentially allow the execution of arbitrary code. **Recommendations** For Metamail version 2.7-50, consider restricting the processing of e-mail messages with long boundary attributes until a fix is available. As a temporary workaround, limiting the length of boundary attributes in incoming e-mails may help minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SMS Server Tools (smstools) versions 1.14.8 and earlier Description: The issue is related to a format string vulnerability in the logging code, which could allow local users to execute arbitrary code. Additionally, there are multiple vulnerabilities in the smstools package that can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited by a local attacker. Recommendations: For versions 1.14.8 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1-beta through 1-beta 3 xine-lib versions 1-rc xine-lib versions 1.0 through 1.0.2 xine-lib version 1.1.1 **Description** The issue allows remote servers to execute arbitrary code via format string specifiers in metadata in CDDB server responses when the victim plays a CD. This occurs due to a format string vulnerability in the input cdda.c file. **Recommendations** For xine-lib versions 1-beta through 1-beta 3, update to a version outside of this range to resolve the issue. For xine-lib version 1-rc, update to a version outside of this range to resolve the issue. For xine-lib versions 1.0 through 1.0.2, update to a version outside of this range to resolve the issue. For xine-lib version 1.1.1, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Weex versions 2.6.1 through 2.6.1.5 **Description** The issue allows remote FTP servers to execute arbitrary code via format strings in filenames. This is due to a format string vulnerability in the Log Flush function. **Recommendations** For versions 2.6.1 through 2.6.1.5, consider disabling the Log Flush function until a patch is available to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** simpleproxy versions prior to 3.4 **Description** The issue concerns multiple vulnerabilities in the simpleproxy package of the Debian GNU/Linux operating system, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. A format string vulnerability allows remote malicious HTTP proxies to execute arbitrary code via format string specifiers in a reply. **Recommendations** For versions prior to 3.4, update to version 3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the simpleproxy package to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elm versions 2.5 PL5 through 2.5 PL7 **Description** A stack-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code via an e-mail message with a long Expires header. **Recommendations** For versions 2.5 PL5 through 2.5 PL7, update to a version that fixes the buffer overflow issue in expires.c to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** unace version 1.2b **Description** The issue is related to multiple buffer overflows that allow attackers to execute arbitrary code. This can be achieved through various means, including overflows in ACE archives, a long command line argument, or certain "Ready for next volume" messages. **Recommendations** For unace version 1.2b, consider updating to a newer version that addresses these buffer overflows to prevent the execution of arbitrary code. As a temporary workaround, restrict the use of unace to minimize the risk of exploitation, especially when handling ACE archives or command line arguments from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** bidwatcher versions prior to 1.3.17 **Description** The issue allows remote malicious web servers, such as those from eBay or a spoofed eBay server, to cause a denial of service and possibly execute arbitrary code via certain responses. This is due to a format string vulnerability. **Recommendations** For versions prior to 1.3.17, update to version 1.3.17 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: BerliOS GPD daemon (gpsd) versions 1.9.0 through 2.7 Description: The issue is related to a format string vulnerability in the gpsd report function. This vulnerability allows remote attackers to execute arbitrary code via certain GPS requests containing format string specifiers that are not properly handled in syslog calls. Recommendations: For versions 1.9.0 through 2.7, consider disabling the gpsd report function until a patch is available to prevent exploitation. Restrict access to the gpsd daemon to minimize the risk of remote attackers sending malicious GPS requests.

**Name of the Vulnerable Software and Affected Versions** LHA versions (affected versions not specified) lha-1.00 **Description** The issue is related to a buffer overflow in LHA, allowing remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive. This can be exploited through various options. Multiple vulnerabilities in the lha package may lead to breaches of confidentiality, integrity, and availability of protected information, and can be exploited remotely. **Recommendations** For LHA, update the header.c file to fix the buffer overflow issue. For lha-1.00, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** emil versions 2.1.0 and earlier **Description** The issue is related to multiple format string vulnerabilities that may allow remote attackers to execute arbitrary code by triggering certain error messages. **Recommendations** For emil versions 2.1.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU Anubis versions 3.6.0 through 3.6.2 GNU Anubis versions 3.9.92 and 3.9.93 **Description** The issue is related to multiple buffer overflows in the `auth ident()` function in auth.c. This allows remote attackers to gain privileges via a long string. **Recommendations** For GNU Anubis versions 3.6.0 through 3.6.2, consider updating to a version that fixes the buffer overflows in the `auth ident()` function. For GNU Anubis versions 3.9.92 and 3.9.93, consider updating to a version that fixes the buffer overflows in the `auth ident()` function. As a temporary workaround, consider restricting access to the `auth ident()` function until a patch is available.