
CERT-In Advisory CIAD-2006-42
Multiple Vulnerabilities in Linux

Original issue date: November 13, 2006

Severity Rating: Medium

Systems Affected

  • Ruby version 1.8.5 and prior
  • Texinfo version 4.8 and prior

Overview

Multiple vulnerabilities have been reported in Linux which could be exploited by remote attackers to cause a denial of service attack against the affected system.

Description

1. Ruby invalid boundary specifier vulnerability (CVE-2006-5467)

A vulnerability has been reported in Ruby due to an error in the "cgi.rb" CGI library when processing HTTP requests with a multipart MIME body containing an invalid boundary specifier. This vulnerability could be exploited by remote attackers to cause a denial of service attack.

2. GNU Texinfo's texindex vulnerability (CVE-2005-3011)

A vulnerability has been reported in Texinfo's texindex command, which creates temporary files. The "sort_offline()" function in texindex.c creates temporary files insecurely, using predictable file names. This vulnerability could be exploited by local users via symlink attacks to compromise a vulnerable system.
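As an added illustration of the bug class just described (not code from the advisory or from the Texinfo project), the predictable-name pattern is shown in a comment beside a hardened temporary-file routine built on mkstemp(); the function names, the "txidx" prefix and the use of TMPDIR are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern of the kind the advisory describes: a guessable name
 * built from the pid, then opened with a call that follows symlinks.
 *   sprintf(name, "%s/txidx%d", tmpdir, getpid());
 *   FILE *fp = fopen(name, "w");
 * If a local user has already placed a symlink at that name, the caller
 * truncates and writes whatever file the link points to. */

/* Hardened replacement (assumed names): mkstemp() fills the XXXXXX suffix
 * with an unpredictable value and opens with O_CREAT|O_EXCL, so an existing
 * entry at the path, symlink or not, makes the open fail instead of being
 * followed. Returns the descriptor (>= 0) and the path in path_out, or -1. */
int open_private_tempfile(const char *tmpdir, char *path_out, size_t cap) {
    int n = snprintf(path_out, cap, "%s/txidxXXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= cap) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    /* Pin permissions to owner-only regardless of the process umask. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int e = errno; close(fd); unlink(path_out); errno = e; return -1;
    }
    return fd;
}

/* Defensive check on the descriptor (not the name): a regular file, owned
 * by us, mode 0600, with exactly one link. Returns 1 if all hold, else 0. */
int tempfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           (st.st_mode & 0777) == 0600 && st.st_uid == geteuid();
}

int main(void) {
    const char *tmpdir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char path[4096];
    int fd = open_private_tempfile(tmpdir, path, sizeof path);
    if (fd < 0) { perror("open_private_tempfile"); return 1; }
    /* Unlink right away: all later I/O goes through fd, and the name can
     * no longer be raced by anyone else. */
    unlink(path);
    const char *rec = "index entry\n";   /* constructed sample record */
    if (write(fd, rec, strlen(rec)) != (ssize_t)strlen(rec)) return 1;
    printf("wrote %zu bytes to %s via fd %d\n", strlen(rec), path, fd);
    return close(fd);
}
```

All later reads and writes should go through the descriptor, never by reopening the name, since the name is what a symlink race targets.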

3. GNU Texinfo Insecure Temporary File Creation vulnerability (CVE-2006-4810)

A vulnerability has been reported in GNU Texinfo due to a buffer overflow error in the "readline()" function when handling malformed data. This vulnerability could be exploited by a remote attacker, by having a specially crafted Texinfo file processed with the texindex command, to execute arbitrary commands on the affected system.


Solution

Apply the appropriate patches suggested by the vendor.

References

Rubyforge
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html

Redhat
http://rhn.redhat.com/errata/RHSA-2006-0729.html
https://rhn.redhat.com/errata/RHSA-2006-0727.html

Securityfocus
http://www.securityfocus.com/bid/20777
http://www.securityfocus.com/bid/14854/info

FrSirt
http://www.frsirt.com/english/advisories/2006/4244
http://www.frsirt.com/english/advisories/2006/4245
http://www.frsirt.com/english/advisories/2006/4412
http://www.frsirt.com/english/advisories/2006/4441

Secunia
http://secunia.com/advisories/22615
http://secunia.com/advisories/22624
http://secunia.com/advisories/16816

CVE Name
CVE-2006-5467
CVE-2006-4810
CVE-2005-3011

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003