+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  September 20th, 2002                     Volume 3, Number 38a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for purity, openssl, konqueror,
php, libkvm, libresolv, NetBSD kernel, libc, shutdown, pppd, kf/kfd,
ioctl, dns, nfs, setlocale, postgresql, and libx11. The vendors include
Conectiva, Debian, FreeBSD, NetBSD, and SuSE.

NetBSD users should pay close attention to this issue because a number
of critical advisories were released. For more information, please see
the following:

  Multiple NetBSD Security Advisories Released/Updated
  http://www.linuxsecurity.com/articles/security_sources_article-5711.html

** Concerned about the next threat? EnGarde is the undisputed winner!
   Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
   Editor's Choice Award, EnGarde "walked away with our Editor's Choice
   award thanks to the depth of its security strategy..." Find out what
   the other Linux vendors are not telling you.
   --> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

FEATURE: What is Slapper?

The question of the week: What is Slapper? Let me begin by telling you
that I am not only describing the Slapper worm, but also the
Apache/mod_ssl worm, the bugtraq.c worm, and the Modap worm. In effect,
these are just four different names for the same nasty worm.
http://www.linuxsecurity.com/feature_stories/feature_story-119.html

+---------------------------------+
| Package: purity                 | ----------------------------//
| Date: 09-15-2002                |
+---------------------------------+

Description:
Two buffer overflows have been discovered in purity, a game for nerds
and hackers, which is installed setgid games on a Debian system. The
problem could be exploited to gain unauthorized access to the group
games, which would let a malicious user alter the high scores of
several games.

Vendor Alerts:
  Debian:
    i386:
      http://security.debian.org/pool/updates/main/p/purity/purity_1-9.1_i386.deb
        Size/MD5 checksum:    27404 6eb60f91f4cd3730bef018115268c568

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2347.html

+---------------------------------+
| Package: openssl                | ----------------------------//
| Date: 09-15-2002                |
+---------------------------------+

Description:
The OpenSSL development team has announced that a security audit by
A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
revealed remotely exploitable buffer overflow conditions in the OpenSSL
code. Additionally, the ASN.1 parser in OpenSSL has a potential DoS
attack, independently discovered by Adi Stav and James Yonan. The
remotely exploitable overflow is the flaw used by the Slapper worm
described in this issue's feature, so exposed Apache/mod_ssl hosts
should be updated first.
Vendor Alerts:
  Debian:
    i386:
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
        Size/MD5 checksum:  1288134 430658383c6c37cfafbddd16a492f407
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
        Size/MD5 checksum:   463668 37e1e010c4eab318a48b8f1de3c73910
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
        Size/MD5 checksum:   724530 82241d5d38dc62b0e4d53f41303e8829
      http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.0_i386.deb
        Size/MD5 checksum:  1272012 0e9c6f0a2fde3e72eb4b3c88e57ad9fa

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2348.html
  Debian Vendor Advisory (UPDATE):
    http://www.linuxsecurity.com/advisories/debian_advisory-2373.html

  NetBSD:
  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2353.html
  NetBSD Vendor Advisory 2:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2363.html

+---------------------------------+
| Package: konqueror              | ----------------------------//
| Date: 09-15-2002                |
+---------------------------------+

Description:
A cross-site scripting problem has been discovered in Konqueror, the
KDE browser, and in other programs using KHTML. The KDE team reports
that Konqueror's cross-site scripting protection fails to initialize
the domains on sub-(i)frames correctly. As a result, JavaScript in a
page can access any foreign sub-frame defined in the HTML source. Users
of Konqueror and other KDE software that uses the KHTML rendering
engine may become victims of cookie stealing and other cross-site
scripting attacks.
Vendor Alerts:
  Debian:
    i386:
      http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_i386.deb
        Size/MD5 checksum:  6618086 c876d1e96c2b9a74475204ed24f651d2

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2350.html

+---------------------------------+
| Package: php                    | ----------------------------//
| Date: 09-15-2002                |
+---------------------------------+

Description:
Wojciech Purczynski found that scripts can pass arbitrary text to
sendmail as command-line options through the fifth argument of PHP's
mail() function, even when safe_mode is turned on. Passing the fifth
argument should be disabled when PHP is configured in safe_mode, which
is the case for newer PHP versions and for the fixed packages referenced
in the advisory. PHP3 is not affected.

Vendor Alerts:
  Debian:
    i386: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2375.html

+---------------------------------+
| Package: libkvm                 | ----------------------------//
| Date: 09-15-2002                |
+---------------------------------+

Description:
The kvm(3) library provides a uniform interface for accessing kernel
virtual memory images, including live systems and crash dumps. Access
to live systems is via /dev/mem and /dev/kmem. Memory can be read and
written, kernel symbol addresses can be looked up efficiently, and
information about user processes can be gathered. The flaw itself and
the programs affected are described in the FreeBSD advisory linked
below.

Vendor Alerts:
  FreeBSD:
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2349.html
  FreeBSD Vendor Advisory (UPDATE):
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2371.html

+---------------------------------+
| Package: libresolv              | ----------------------------//
| Date: 09-17-2002                |
+---------------------------------+

Description:
There was a buffer-length computation bug in BIND-based DNS resolver
code.
A malicious DNS response packet may be able to overwrite data outside
the buffer, and this could lead to attacks as serious as a remote root
exploit, though no public exploits are in circulation at this time.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2351.html

+---------------------------------+
| Package: NetBSD kernel          | ----------------------------//
| Date: 09-17-2002                |
+---------------------------------+

Description:
A session leader can use the TIOCSCTTY ioctl to set the session's
controlling terminal. This ioctl can be called any number of times, and
each call unconditionally raised the hold count of a kernel structure
shared between processes in the same session. It was therefore possible
to overflow the structure's counter and arrange for the structure's
memory to be freed prematurely, and possibly re-used. This could cause
a kernel panic or incorrect operation the next time the session
structure is accessed from the context of other processes that were
part of the former session.

Vendor Alerts:
  NetBSD:
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2352.html

+---------------------------------+
| Package: libc                   | ----------------------------//
| Date: 09-19-2002                |
+---------------------------------+

Description:
Integer overflows exist in the RPC code in libc. They cause a buffer to
be allocated too small and then overflown. The automounter amd(8) and
its query tool amq(8), and the rusers(1) client binary, use the flawed
code in a way that could be exploitable. Other uses of the RPC
functions have been examined and are believed not to be exploitable.
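The libc entry above gives the shape of the bug but not the arithmetic. The following C program is an added example, not NetBSD's libc or any real RPC implementation: it shows the unchecked count-times-element-size computation an XDR array decoder performs on an attacker-supplied element count, next to a hardened decoder that rejects counts whose product would wrap or exceed a cap, and counts that claim more payload than the message actually carries. The function names, the 1 MiB cap and the sample wire bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An XDR array starts with a 4-byte big-endian element count read
 * straight off the wire, so 'count' is attacker-controlled. */

/* The vulnerable computation: in 32-bit arithmetic count * elsize wraps,
 * so 0x40000001 four-byte elements "need" only 4 bytes. A decoder that
 * allocates that much and then loops 'count' times overruns the buffer. */
uint32_t unchecked_bytes(uint32_t count, uint32_t elsize)
{
    return count * elsize;              /* wraps modulo 2^32 */
}

/* Hardened size computation: refuse elsize 0 and any count for which
 * count * elsize would exceed 'max'. Comparing against max / elsize
 * instead of multiplying means the check itself can never overflow. */
int checked_bytes(uint32_t count, uint32_t elsize, size_t max, size_t *out)
{
    if (elsize == 0 || count > max / elsize)
        return -1;
    *out = (size_t)count * elsize;
    return 0;
}

/* Decode an array of fixed-size elements from a message. On success the
 * elements are copied into a freshly allocated buffer stored in *out and
 * the element count is returned; -1 means the count is missing, would
 * wrap or exceed 'max', or claims more payload than the message holds.
 * 'max' is an assumed protocol cap chosen by the caller (1 MiB below). */
long xdr_decode_array(const uint8_t *wire, size_t wirelen, uint32_t elsize,
                      size_t max, void **out)
{
    if (wirelen < 4)
        return -1;
    uint32_t count = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
                     ((uint32_t)wire[2] << 8)  |  (uint32_t)wire[3];
    size_t bytes;
    if (checked_bytes(count, elsize, max, &bytes) != 0)
        return -1;
    if (bytes > wirelen - 4)            /* payload must really be present */
        return -1;
    uint8_t *buf = malloc(bytes ? bytes : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, wire + 4, bytes);
    *out = buf;
    return (long)count;
}

/* Constructed sample messages (not real captures): a benign 2-element
 * array of 4-byte items, and a hostile header claiming 0x40000001
 * elements with no payload behind it. */
const uint8_t benign_msg[]  = { 0, 0, 0, 2,  1, 2, 3, 4,  5, 6, 7, 8 };
const uint8_t hostile_msg[] = { 0x40, 0, 0, 1 };

int main(void)
{
    void *p = NULL;
    printf("unchecked: 0x40000001 * 4 = %u bytes\n",
           (unsigned)unchecked_bytes(0x40000001u, 4));
    printf("benign message: %ld elements\n",
           xdr_decode_array(benign_msg, sizeof benign_msg, 4, 1u << 20, &p));
    free(p);
    printf("hostile message: %ld (rejected)\n",
           xdr_decode_array(hostile_msg, sizeof hostile_msg, 4, 1u << 20, &p));
    return 0;
}
```

The division-based check is the one to remember: `count > max / elsize` is safe in any integer width, whereas checking `count * elsize > max` repeats the bug it is meant to catch.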
Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2355.html
  NetBSD Vendor Advisory (RPC XDR):
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2362.html

+---------------------------------+
| Package: shutdown               | ----------------------------//
| Date: 09-19-2002                |
+---------------------------------+

Description:
shutdown(s, SHUT_RD) is used to indicate that no further inbound
traffic is expected on the socket. There was a mistake in TCP's
handling of a shut-down socket, leading to unexpected kernel resource
consumption and unexpected behavior.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2359.html

+---------------------------------+
| Package: fd_set (pppd)          | ----------------------------//
| Date: 09-19-2002                |
+---------------------------------+

Description:
The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries. A malicious local user can
cause a buffer overrun in these programs by filling the file descriptor
table before exec'ing them, so that the descriptor they later put into
an fd_set is numbered FD_SETSIZE or higher and FD_SET() writes outside
the fd_set. This could lead to local root compromise.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2358.html
  NetBSD Vendor Advisory fd_set:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2369.html
  NetBSD Vendor Advisory pppd:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2370.html

+---------------------------------+
| Package: kf/kfd                 | ----------------------------//
| Date: 09-19-2002                |
+---------------------------------+

Description:
kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD.
In Heimdal releases earlier than 0.5, these programs have multiple
security issues, including possible buffer overruns.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2360.html

+---------------------------------+
| Package: ioctl                  | ----------------------------//
| Date: 09-05-2002                |
+---------------------------------+

Description:
The same TIOCSCTTY hold-count overflow as the NetBSD kernel entry
above: a session leader can call the ioctl repeatedly, each call
unconditionally raises the hold count of a kernel structure shared by
the session's processes, and overflowing that counter gets the
structure freed prematurely and possibly re-used, causing a kernel
panic or incorrect operation for other processes of the former session.
It is listed here under a second LinuxSecurity advisory ID.

Vendor Alerts:
  NetBSD:
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2364.html

+---------------------------------+
| Package: dns                    | ----------------------------//
| Date: 09-05-2002                |
+---------------------------------+

Description:
The same BIND-derived resolver bug as the libresolv entry above: a
buffer-length computation error means a malicious DNS response packet
may be able to overwrite data outside the buffer, which could lead to
attacks as serious as a remote root exploit, though no public exploits
are in circulation at this time. It is listed here under a second
LinuxSecurity advisory ID.
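The libresolv entry above, and the dns entry that repeats it, say only that the resolver miscomputed a buffer length while handling a response. The following C function is an added example, not NetBSD's or BIND's resolver code: it expands a possibly compressed DNS name from a response message into a caller-supplied buffer, checking every length byte against the message, every write against the output buffer, and every compression pointer against the rule that it must point strictly backwards, so a hostile response cannot push a write past either buffer or make the parser loop. The function name, the 253-byte presentation-form cap and the sample message bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand the DNS name starting at 'off' in 'msg' into 'dst' as a dotted
 * string (no trailing dot; the root name becomes ""). Every length byte
 * in a response is attacker-controlled, so each one is checked before it
 * is used. Returns the number of bytes the name occupies at 'off' (so the
 * caller can step past it), or -1 if the name runs outside the message,
 * a compression pointer does not point strictly backwards, a reserved
 * label type appears, or 'dst' would overflow. */
int expand_name(const uint8_t *msg, size_t msglen, size_t off,
                char *dst, size_t dstlen)
{
    size_t pos = off;        /* current read position in the message */
    size_t out = 0;          /* bytes written to dst so far */
    int consumed = -1;       /* bytes used at 'off' before the first pointer */

    if (dstlen == 0)
        return -1;
    for (;;) {
        if (pos >= msglen)
            return -1;                      /* length byte is missing */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {         /* 2-byte compression pointer */
            if (pos + 1 >= msglen)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            if (target >= pos)
                return -1;      /* forward or self pointer: rules out loops */
            pos = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                      /* 0x40/0x80 label types reserved */
        if (len == 0) {                     /* root label ends the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            dst[out] = '\0';
            return consumed;
        }
        if (pos + 1 + len > msglen)
            return -1;                      /* label would run off the message */
        if (out + (out ? 1 : 0) + len + 1 > dstlen)
            return -1;                      /* would overflow dst (incl. NUL) */
        if (out)
            dst[out++] = '.';
        memcpy(dst + out, msg + pos + 1, len);
        out += len;
        if (out > 253)
            return -1;                      /* longer than any valid name */
        pos += 1 + len;
    }
}

/* Constructed sample message (not a real capture), names only:
 *   off 0  : www.example.com, uncompressed, 17 bytes
 *   off 17 : "mail" + pointer to offset 4 (example.com), 7 bytes
 *   off 24 : pointer to itself (a loop)
 *   off 26 : pointer to offset 16383, outside the message
 *   off 28 : label claiming 16 bytes with only 2 present */
const uint8_t sample_msg[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x04,
    0xC0, 0x18,
    0xC0, 0xFF,
    0x10, 'a', 'b',
};
const size_t sample_msg_len = sizeof sample_msg;

int main(void)
{
    char name[256];
    int n = expand_name(sample_msg, sample_msg_len, 17, name, sizeof name);
    printf("offset 17 -> %s (consumed %d bytes)\n", name, n);
    printf("offset 24 -> %d (self-pointing loop rejected)\n",
           expand_name(sample_msg, sample_msg_len, 24, name, sizeof name));
    printf("offset 28 -> %d (label past end of message rejected)\n",
           expand_name(sample_msg, sample_msg_len, 28, name, sizeof name));
    return 0;
}
```

Returning the bytes consumed at the original offset rather than the bytes followed through pointers matters: a caller that advances by the expanded name's length instead would desynchronise from the message and start reading record fields out of attacker-chosen positions.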
Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2365.html

+---------------------------------+
| Package: nfs                    | ----------------------------//
| Date: 09-05-2002                |
+---------------------------------+

Description:
The Network File System (NFS) allows a host to export some or all of
its filesystems, or parts of them, so that other hosts can access them
over the network and mount them as if they were on local disks. NFS is
built on top of the Sun Remote Procedure Call (RPC) framework. The flaw
itself is described in the NetBSD advisory linked below.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2366.html

+---------------------------------+
| Package: setlocale              | ----------------------------//
| Date: 09-05-2002                |
+---------------------------------+

Description:
There was a missing bounds check on an array subscript in the
setlocale() function in libc. If setlocale() is called with arguments
satisfying a specific condition (see the vendor advisory), this could
be exploitable.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2367.html

+---------------------------------+
| Package: postgresql             | ----------------------------//
| Date: 09-19-2002                |
+---------------------------------+

Description:
In order to exploit any of the vulnerabilities covered by the Conectiva
advisory, the attacker must be able to query the database somehow.
Scenarios where this could happen include: the attacker already has an
account on the database server and can execute queries.
Vendor Alerts:
  Conectiva: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2376.html

+---------------------------------+
| Package: libX11                 | ----------------------------//
| Date: 09-18-2002                |
+---------------------------------+

Description:
The xf86 package contains various libraries and programs which are
fundamental for the X server to function. The libX11.so library from
this package dynamically loads other libraries from a pathname
controlled by the user invoking the program linked against libX11.so.
Unfortunately, libX11.so behaves the same way when linked into setuid
programs. This allows local users to execute arbitrary code under a
different UID, which can be root in the worst case.

Vendor Alerts:
  SuSE:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/xshared-4.2.0-174.i386.rpm
      2a515055a811de5b465d016ffa77a09c
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/x2/xdevel-4.2.0-174.i386.rpm
      67ddeb24b04b8c2badb7a039d9ea270e

  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2374.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------