Update with information garnered from FORBIDDEN tags used in ports

in the accessibility, arabic, archives, astro, audio, benchmarks,
biology, cad, and chinese categories.

1 files changed, 238 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ad11eb675625..f45843e12ce1 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,244 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   "http://www.vuxml.org/dtd/vuxml-1/vuxml-10.dtd">
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 
+  <vuln vid="0e154a9c-5d7a-11d8-80e3-0020ed76ef5a">
+    <topic>seti@home remotely exploitable buffer overflow</topic>
+    <affects>
+      <package>
+	<name>setiathome</name>
+	<range><lt>3.0.8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>The seti@home client contains a buffer overflow in the HTTP
+          response handler.  A malicious, spoofed seti@home server can
+          exploit this buffer overflow to cause remote code execution
+	  on the client.  Exploit programs are widely available.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://setiathome.berkeley.edu/version308.html</url>
+      <url>http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/</url>
+    </references>
+    <dates>
+      <discovery>2003/04/08</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5e92e8a2-5d7b-11d8-80e3-0020ed76ef5a">
+    <topic>icecast 1.x multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>icecast</name>
+	<range><lt>1.3.12</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>icecast 1.3.11 and earlier contained numerous security
+	  vulnerabilities, the most severe allowing a remote attacker
+	  to execute arbitrary code as root.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CAN-2002-0177</cvename>
+      <cvename>CAN-2001-1230</cvename>
+      <cvename>CAN-2001-1229</cvename>
+      <cvename>CAN-2001-1083</cvename>
+      <cvename>CAN-2001-0784</cvename>
+      <bid>4415</bid>
+      <bid>2933</bid>
+    </references>
+    <dates>
+      <discovery>2002/04/28</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="83119e27-5d7c-11d8-80e3-0020ed76ef5a">
+    <topic>nap allows arbitrary file access</topic>
+    <affects>
+      <package>
+	<name>nap</name>
+	<range><lt>1.4.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>According to the author:</p>
+	<blockquote>
+	  <p>Fixed security loophole which allowed remote
+	    clients to access arbitrary files on our
+	    system.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS</url>
+    </references>
+    <dates>
+      <discovery>2001/04/12</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="a736deab-5d7d-11d8-80e3-0020ed76ef5a">
+    <topic>CCE contains exploitable buffer overflows</topic>
+    <affects>
+      <package>
+	<name>zh-cce</name>
+	<range><lt>0.40</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Chinese Console Environment contains exploitable buffer
+	  overflows.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://programmer.lib.sjtu.edu.cn/cce/cce.html</url>
+    </references>
+    <dates>
+      <discovery>2000/06/22</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="49ad1bf8-5d7e-11d8-80e3-0020ed76ef5a">
+    <topic>ChiTeX/ChiLaTeX unsafe set-user-id root</topic>
+    <affects>
+      <package>
+	<name>zh-chitex</name>
+	<range><gt>0</gt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Niels Heinen reports that ChiTeX installs set-user-id root
+	  executables that invoked system(3) without setting up the
+	  environment, trivially allowing local root compromise.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&amp;content-type=text/x-cvsweb-markup</url>
+    </references>
+    <dates>
+      <discovery>2003/04/25</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5789a92e-5d7f-11d8-80e3-0020ed76ef5a">
+    <topic>pine remotely exploitable buffer overflow in newmail.c</topic>
+    <affects>
+      <package>
+	<name>zh-pine</name>
+	<name>iw-pine</name>
+	<name>pine</name>
+	<name>pine4-ssl</name>
+	<range><le>4.21</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Kris Kennaway reports a remotely exploitable buffer overflow
+	  in newmail.c.  Mike Silbersack submitted the fix.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&amp;content-type=text/x-cvsweb-markup</url>
+    </references>
+    <dates>
+      <discovery>2000/09/29</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="34134fd4-5d81-11d8-80e3-0020ed76ef5a">
+    <topic>pine insecure URL handling</topic>
+    <affects>
+      <package>
+	<name>pine</name>
+	<name>zh-pine</name>
+	<name>iw-pine</name>
+	<range><lt>4.44</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>An attacker may send an email message containing a specially
+	  constructed URL that will execute arbitrary commands when
+	  viewed.</p>
+      </body>
+    </description>
+    <references>
+      <freebsdsa>SA-02:05</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2002/01/04</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5abfee2d-5d82-11d8-80e3-0020ed76ef5a">
+    <topic>pine remote denial-of-service attack</topic>
+    <affects>
+      <package>
+	<name>pine</name>
+	<name>zh-pine</name>
+	<name>iw-pine</name>
+	<range><lt>4.50</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>An attacker may send a specially-formatted email message
+	  that will cause pine to crash.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103668430620531&amp;w=2</url>
+      <cvename>CAN-2002-1320</cvename>
+    </references>
+    <dates>
+      <discovery>2002/10/23</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="39bd57e6-5d83-11d8-80e3-0020ed76ef5a">
+    <topic>pine remotely exploitable vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>pine</name>
+	<name>zh-pine</name>
+	<name>iw-pine</name>
+	<range><lt>4.58</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Pine versions prior to 4.58 are affected by two
+	  vulnerabilities discovered by iDEFENSE, a buffer overflow
+	  in mailview.c and an integer overflow in strings.c.  Both
+	  vulnerabilities can result in arbitrary code execution
+	  when processing a malicious message.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CAN-2003-0720</cvename>
+      <cvename>CAN-2003-0721</cvename>
+      <url>http://www.idefense.com/application/poi/display?id=5</url>
+    </references>
+    <dates>
+      <discovery>2003/09/10</discovery>
+      <entry>2004/02/12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5729b8ed-5d75-11d8-80e3-0020ed76ef5a">
     <topic>rsync buffer overflow in server mode</topic>
     <affects>