Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.
Weakness
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Neon | Webdav | 0.19.0 (including) | 0.24.5 (excluding) |
| Red Hat Enterprise Linux 3 | RedHat | openoffice.org-0:1.1.0-15.EL | * |
| Red Hat Enterprise Linux AS (Advanced Server) version 2.1 | RedHat | * | |
| Red Hat Enterprise Linux ES version 2.1 | RedHat | * | |
| Red Hat Enterprise Linux WS version 2.1 | RedHat | * | |
| Red Hat Linux 9 | RedHat | * | |
| Red Hat Linux 9 | RedHat | * | |
| Red Hat Linux 9 | RedHat | * | |
| Red Hat Linux Advanced Workstation 2.1 | RedHat | * | |
| Bazaar | Ubuntu | dapper | * |
| Bazaar | Ubuntu | devel | * |
| Bazaar | Ubuntu | edgy | * |
| Bazaar | Ubuntu | feisty | * |
| Neon | Ubuntu | dapper | * |
| Neon | Ubuntu | devel | * |
| Neon | Ubuntu | edgy | * |
| Neon | Ubuntu | feisty | * |
| Neon24 | Ubuntu | dapper | * |
| Neon24 | Ubuntu | edgy | * |
| Neon26 | Ubuntu | devel | * |
| Neon26 | Ubuntu | feisty | * |
| Openoffice.org | Ubuntu | dapper | * |
| Openoffice.org | Ubuntu | edgy | * |
| Openoffice.org | Ubuntu | feisty | * |
| Openoffice.org-l10n | Ubuntu | dapper | * |
| Openoffice.org-l10n | Ubuntu | devel | * |
| Openoffice.org-l10n | Ubuntu | edgy | * |
| Openoffice.org-l10n | Ubuntu | feisty | * |
| Tla | Ubuntu | dapper | * |
| Tla | Ubuntu | devel | * |
| Tla | Ubuntu | edgy | * |
| Tla | Ubuntu | feisty | * |
Potential Mitigations
Related Attack Patterns
References
- ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc
- http://lists.suse.com/archive/suse-security-announce/2004-Apr/0002.html
- http://lists.suse.com/archive/suse-security-announce/2004-Apr/0003.html
- http://marc.info/?l=bugtraq\u0026m=108213873203477\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=108214147022626\u0026w=2
- http://secunia.com/advisories/11363
- http://security.gentoo.org/glsa/glsa-200405-01.xml
- http://security.gentoo.org/glsa/glsa-200405-04.xml
- http://www.debian.org/security/2004/dsa-487
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:032
- http://www.osvdb.org/5365
- http://www.redhat.com/support/errata/RHSA-2004-157.html
- http://www.redhat.com/support/errata/RHSA-2004-158.html
- http://www.redhat.com/support/errata/RHSA-2004-159.html
- http://www.redhat.com/support/errata/RHSA-2004-160.html
- http://www.securityfocus.com/bid/10136
- https://bugzilla.fedora.us/show_bug.cgi?id=1552
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1065
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10913
- ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc
- http://lists.suse.com/archive/suse-security-announce/2004-Apr/0002.html
- http://lists.suse.com/archive/suse-security-announce/2004-Apr/0003.html
- http://marc.info/?l=bugtraq\u0026m=108213873203477\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=108214147022626\u0026w=2
- http://secunia.com/advisories/11363
- http://security.gentoo.org/glsa/glsa-200405-01.xml
- http://security.gentoo.org/glsa/glsa-200405-04.xml
- http://www.debian.org/security/2004/dsa-487
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:032
- http://www.osvdb.org/5365
- http://www.redhat.com/support/errata/RHSA-2004-157.html
- http://www.redhat.com/support/errata/RHSA-2004-158.html
- http://www.redhat.com/support/errata/RHSA-2004-159.html
- http://www.redhat.com/support/errata/RHSA-2004-160.html
- http://www.securityfocus.com/bid/10136
- https://bugzilla.fedora.us/show_bug.cgi?id=1552
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1065
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10913