+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 17th, 2002                           Volume 3, Number 20a |
+----------------------------------------------------------------+

Editors:     Dave Wreski                Benjamin Thomas
             dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for icecast, sharutils, fileutils,
imapd, shadow/pam modules, lukemftp, openssh, tcpdump, and mpg123. The
vendors include Caldera, Mandrake, Red Hat, and SuSE.

FTP Attack Case Study Part I: The Analysis

This article presents a case study of a company network server
compromise. The attack and the intruder's other actions are analyzed.
A computer forensics investigation is undertaken and the results are
presented. The article provides an opportunity to follow the trail of
incident response for a real case.

http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html

+---------------------------------+
|  icecast                        | ----------------------------//
+---------------------------------+

Buffer overflows in the icecast server allow remote attackers to
execute arbitrary code via a long HTTP GET request, as well as
allowing denial of service attacks.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

icecast-1.3.12-1.i386.rpm
83407efa0c40a9ceac02606ae37237f2

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2067.html

+---------------------------------+
|  sharutils                      | ----------------------------//
+---------------------------------+

The sharutils package contains a set of tools for encoding and
decoding packages of files in binary or text format. The uudecode
utility would create an output file without checking to see if it was
about to write to a symlink or a pipe. If a user uses uudecode to
extract data into open shared directories, such as /tmp, this
vulnerability could be used by a local attacker to overwrite files or
lead to privilege escalation.

Red Hat i386:
ftp://updates.redhat.com/7.2/en/os/i386/
sharutils-4.2.1-8.7.x.i386.rpm
38d89d89bb513d216b1a2a954be6d07b

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2069.html

+---------------------------------+
|  fileutils                      | ----------------------------//
+---------------------------------+

A race condition in various utilities from the GNU fileutils package
may cause a root user to delete the whole filesystem. This update
resolves a problem in the original fix that would cause an attempt to
recursively remove a directory with trailing slashes to memory fault.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/fileutils-4.1-5.i386.rpm
d01d42d41800d0b9c1d02c4fec07a79d

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2070.html

Mandrake Linux 8.1:
http://www.mandrakesecure.net/en/ftp.php
8.1/RPMS/fileutils-4.1-4.1mdk.i586.rpm
593e200c8b2f2c83e7a6bb90a54cd853

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2075.html

+---------------------------------+
|  imapd                          | ----------------------------//
+---------------------------------+

A malicious user may construct a malformed request that will cause a
buffer overflow, allowing the user to run code on the server with the
uid and gid of the e-mail owner.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/imap-2000-14.i386.rpm
3d4c39ed407a122f963f9f508f908c92

imap-devel-2000-14.i386.rpm
5c49edd5001471188ed6da5a20413f42

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2071.html

+---------------------------------+
|  shadow/pam modules             | ----------------------------//
+---------------------------------+

The shadow package contains several useful programs to maintain the
entries in the /etc/passwd and /etc/shadow files. The SuSE Security
Team discovered a vulnerability that allows local attackers to destroy
the contents of these files or to extend the group privileges of
certain users. This is possible by setting evil filesize limits before
invoking one of the programs modifying the system files. Depending on
the permissions of the system binaries, this allows a local attacker
to gain root privileges in the worst case. This, however, is not
possible in a default installation.

SuSE i386 Intel Platform:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/
shadow-4.0.2-88.i386.rpm
a4e0d03ecf7707eb7ca1f0422cae89f1

ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/
pam-modules-2002.3.9-31.i386.rpm
70322584f014ac3e2dc2dad0beecdefb

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2072.html

+---------------------------------+
|  lukemftp                       | ----------------------------//
+---------------------------------+

A buffer overflow could be triggered by a malicious ftp server while
the client parses the PASV ftp command. An attacker who controls an
ftp server to which a client using lukemftp is connected can gain
remote access to the client's machine with the privileges of the user
running lukemftp.

SuSE i386 Intel Platform:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/
lukemftp-1.5-249.i386.rpm
0ae28f7ca49157bfa5783626d3e82cef

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2073.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

A buffer overflow exists in OpenSSH if KerberosTgtPassing or
AFSTokenPassing has been enabled in the sshd_config file. A malicious
user, possibly remote, could use this vulnerability to gain privileged
access to the system.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/openssh-2.9p2-6.i386.rpm
f9a494af5e0e6a8eec419f8f94087f7e

openssh-askpass-2.9p2-6.i386.rpm
b9fcc6352bc4c65f63cda1b0caa2b89c

openssh-server-2.9p2-6.i386.rpm
ff4a5bc7e7b1d4fd3f79c647d11d9162

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2074.html

+---------------------------------+
|  tcpdump                        | ----------------------------//
+---------------------------------+

Several buffer overflows were found in the tcpdump package by FreeBSD
developers during a code audit, in versions prior to 3.5.
However, newer versions of tcpdump, including 3.6.2, are also
vulnerable to another buffer overflow in the AFS RPC decoding
functions, which was discovered by Nick Cleaton. These vulnerabilities
could be used by a remote attacker to crash the tcpdump process or
possibly even be exploited to execute arbitrary code as the user
running tcpdump, which is usually root.

Mandrake Linux 8.2:
http://www.mandrakesecure.net/en/ftp.php
8.2/RPMS/tcpdump-3.6.2-2.1mdk.i586.rpm
8c36a78c9a086c2d582d70d431533650

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2076.html

+---------------------------------+
|  mpg123                         | ----------------------------//
+---------------------------------+

It is possible for mpg321 before version 0.2.9 to segfault if given
certain specifically crafted data. In the case of network streaming,
this data would be remotely supplied, which could lead to remote code
execution. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-0272 to this issue. It
is recommended that users of mpg321 upgrade to these errata packages
containing mpg321 version 0.2.10, which is not vulnerable to this
issue.

Red Hat i386:
ftp://updates.redhat.com/7.2/en/os/i386/
mpg321-0.2.9-2.5.i386.rpm
303336e4e07e4df3e4d5eaec1411471a

ftp://updates.redhat.com/7.2/en/os/i386/
libmad-0.14.2b-3.i386.rpm
77ea28f34a20a0aa98287bc018240bab

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2077.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------