Linux Advisory Watch - December 24th 2004


 



+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  December 24th, 2004                         Volume 5, Number 51a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

Happy Holidays!  This week, advisories were released for cscope,
htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql,
namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax,
abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi,
aspell, logcheck, the Linux kernel, libxml, gd, XFree86, and nfs-utils.
The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD,
Trustix, Red Hat, and SuSE.

----

Internet Productivity Suite: Open Source Security
Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and
methods into their design.

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

State of Linux Security 2004

In 2004, security continued to be a major concern. The year began with
a run of kernel flaws, and Linux vendor advisories continue to be
released at an ever-increasing rate. This year we have seen reports
touting Windows' security superiority, only to be debunked by other
security experts immediately after release. Also, Guardian Digital
launched the new LinuxSecurity.com, users continue to be targeted by
automated attacks, and the need for security awareness and education
continues to rise.

2004 started off on shaky ground with a flaw found in mremap(), the
kernel system call that resizes and moves virtual memory mappings. It
affected versions 2.2, 2.4, and 2.6, and it came close on the heels of
the do_brk() flaw that had been used to compromise several high-profile
Linux development sites in November 2003. Patches were released in
early January by each of the major distributions, and the flaw was
fixed in subsequent kernel releases. In February, a second mremap
vulnerability was discovered by the Polish security consulting firm
ISec. The second mremap flaw was unrelated to the first but just as
serious: it could result in a denial of service or privilege
escalation to root. Vendors responded much more quickly this time;
fixes for 2.4 and 2.6 were released within hours. In March, Paul
Starzetz of ISec released proof-of-concept exploit code for the
February mremap flaw. Several news sites misread the March report and
announced that a third kernel flaw had been found. This was wrong, but
it sparked a lot of interest in rumors, and many were relieved to learn
that the "third vulnerability" was in fact a misinterpretation. It was
beginning to look like the "year of the kernel flaw," but luckily
things quieted down in the second quarter. The rest of the year was
scattered with other kernel vulnerabilities, but none received as much
press as mremap. Another notable one was discovered in 2.6 last
October. It was claimed that the vulnerability could be used to shut
down 2.6-based systems remotely. It only affected systems using
iptables-based firewalls, because the flaw was in the way 2.6 handled
firewall logging. Patches were released and the problem was resolved.

Read the rest of the article here:
http://www.linuxsecurity.com/content/view/117655/49/

-----

Users Respond with Constructive Feedback

When the new version of LinuxSecurity.com was launched on December 1st,
we also asked our readers to "Tell us what you think." You have spoken,
and we appreciate that! We received hundreds of comments and requests,
and have been addressing the majority of them. We thought it was
important to share some of the comments with you. While some were
purely positive acknowledgements, others were thoughtful criticisms. We
take every critique into account and address each as resources become
available or when the criticism becomes the concern of many.

http://www.linuxsecurity.com/content/view/117614/49/

-----------------------------------------------------------------------

Vincenzo Ciaglia Speaks Security 2004

Vincenzo Ciaglia of Linux Netwosix looks back at this year in Linux
security: a full immersion in the world of Linux security from many
sides and points of view.

http://www.linuxsecurity.com/content/view/117515/49/

------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: cscope insecure temporary file
  17th, December, 2004

A vulnerability has been discovered in cscope, a program to
interactively examine C source code, which may allow local users to
overwrite files via a symlink attack.

http://www.linuxsecurity.com/content/view/117531


* Debian: htget arbitrary code execution fix
  20th, December, 2004

"infamous41md" discovered a buffer overflow in htget, a file grabber
that will get files from HTTP servers. It is possible to overflow a
buffer and execute arbitrary code by accessing a malicious URL.

http://www.linuxsecurity.com/content/view/117568


* Debian: a2ps arbitrary command execution fix
  20th, December, 2004

Rudolf Polzer discovered a vulnerability in a2ps, a converter and
pretty-printer for many formats to PostScript. The program did not
escape shell meta characters properly which could lead to the
execution of arbitrary commands as a privileged user if a2ps is
installed as a printer filter.

http://www.linuxsecurity.com/content/view/117569
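The a2ps bug above is the classic "file name reaches /bin/sh" problem: a
print filter builds a command line from the document name and hands it to
popen() or system(), so a name like `doc.txt; rm -rf ~` runs as two
commands under the printer daemon's uid. The following C program is an
added illustration written for this newsletter, not a2ps code and not the
Debian patch. It uses `echo printing` as a stand-in for the real print
command and a constructed attacker-controlled file name, and contrasts
the popen() path with the two fixes a filter author has: avoid the shell
entirely (fork/execvp with an argv array), or, where a shell is
unavoidable because the delegation command is user-configurable,
single-quote the argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (the bug class fixed in a2ps): a user-controlled file
 * name is spliced into a command string and handed to /bin/sh via popen().
 * Any ';', '`', '$(...)' or '|' in the name becomes shell syntax.
 * "echo printing" stands in for the real print command (demo assumption).
 * Output goes to out; the return value is the shell's exit status. */
int run_via_shell(const char *filename, char *out, size_t n)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "echo printing %s", filename);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t got = fread(out, 1, n - 1, p);
    out[got] = '\0';
    return pclose(p);
}

/* Fixed pattern: no shell at all. fork()+execvp() takes an argv array, so
 * the file name reaches the child as a single argument, byte for byte. */
int run_without_shell(const char *filename, char *out, size_t n)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *argv[] = { "echo", "printing", (char *)filename, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t got = 0;
    ssize_t r;
    while (got < n - 1 && (r = read(fds[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* When a shell is unavoidable (a user-configurable delegation command line,
 * as in a2ps), single-quote the argument and turn each embedded ' into '\''.
 * Returns 0, or -1 if out is too small. */
int shell_quote(const char *in, char *out, size_t n)
{
    size_t j = 0;
    if (n < 3) return -1;
    out[j++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            if (j + 6 > n) return -1;
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            if (j + 3 > n) return -1;
            out[j++] = *p;
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return 0;
}

/* Constructed attacker-controlled file name used by the checks below. */
static const char *EVIL_NAME = "doc.txt; echo INJECTED";

/* 1 if the popen() path executed the injected second command. */
int shell_path_injected(void)
{
    char out[256];
    return run_via_shell(EVIL_NAME, out, sizeof out) == 0 &&
           strcmp(out, "printing doc.txt\nINJECTED\n") == 0;
}

/* 1 if the execvp() path passed the whole name through literally. */
int exec_path_literal(void)
{
    char out[256];
    return run_without_shell(EVIL_NAME, out, sizeof out) == 0 &&
           strcmp(out, "printing doc.txt; echo INJECTED\n") == 0;
}

/* 1 if quoting neutralises the name even when a shell is used. */
int quoted_shell_literal(void)
{
    char q[256], out[256];
    return shell_quote(EVIL_NAME, q, sizeof q) == 0 &&
           run_via_shell(q, out, sizeof out) == 0 &&
           strcmp(out, "printing doc.txt; echo INJECTED\n") == 0;
}

/* 1 if an apostrophe in the name is escaped as '\'' . */
int quote_apostrophe_ok(void)
{
    char q[32];
    return shell_quote("it's", q, sizeof q) == 0 &&
           strcmp(q, "'it'\\''s'") == 0;
}

int main(void)
{
    printf("shell injected=%d exec literal=%d quoted literal=%d\n",
           shell_path_injected(), exec_path_literal(), quoted_shell_literal());
    return 0;
}
```

The execvp() route is the one to prefer: it removes the shell from the
picture, so there is nothing to escape and no quoting rule to get wrong.
Quoting only defends against the shell; a file name starting with `-` can
still be read as an option by the program that receives it, which is a
separate check (`--` or a path prefix) the filter must add.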


* Debian: ethereal denial of service fix
  21st, December, 2004

Brian Caswell discovered that an improperly formatted SMB packet
could make ethereal hang and eat CPU endlessly.

http://www.linuxsecurity.com/content/view/117609


* Debian: xzgv arbitrary code execution fix
  21st, December, 2004

Luke "infamous41md" discovered multiple vulnerabilities in xzgv, a
picture viewer for X11 with a thumbnail-based selector. Remote
exploitation of an integer overflow vulnerability could allow the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117610


* Debian: debmake insecure temporary directories fix
  22nd, December, 2004

Javier Fernández-Sanguino Peña noticed that the debstd script from
debmake, a deprecated helper package for Debian packaging, created
temporary directories in an insecure manner.  This can be exploited
by a malicious user to overwrite arbitrary files owned by the victim.

http://www.linuxsecurity.com/content/view/117630



+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora: selinux-policy-targeted-1.17.30-2.51 update
  16th, December, 2004

Fix problems with winbind, nscd, apache and others.

http://www.linuxsecurity.com/content/view/117525


* Fedora: xcdroast-0.98a15-8 update
  16th, December, 2004

fixed frozen progress bars with patch from Didier Heyden (bug
#134334)

http://www.linuxsecurity.com/content/view/117529


* Fedora: udev-039-10.FC3.6 update
  16th, December, 2004

fixed a case where reading /proc/ide/hd?/media returns EIO (bug
rh#142713) and added simple dvb rules

http://www.linuxsecurity.com/content/view/117530


* Fedora: cups-1.1.20-11.7 update
  17th, December, 2004

Two security problems were found by Bartlomiej Sieka.  They concern
the lppasswd utility, which can be made to cause a denial of service,
and the hpgltops filter, which can be exploited to run code remotely
as the user "lp".  These problems have both been fixed.

http://www.linuxsecurity.com/content/view/117540


* Fedora: cups-1.1.22-0.rc1.8.1 update
  17th, December, 2004

Two security problems were found by Bartlomiej Sieka.  They concern
the lppasswd utility, which can be made to cause a denial of service,
and the hpgltops filter, which can be exploited to run code remotely
as the user "lp".  These problems have both been fixed.

http://www.linuxsecurity.com/content/view/117541


* Fedora: postgresql-7.4.6-1.FC2.2 update
  17th, December, 2004

Update to PyGreSQL 3.6 (to fix bug #142711). Adjust a few file
permissions (bug #142431). Assign %{_libdir}/pgsql to base package
instead of -server (bug #74003)

http://www.linuxsecurity.com/content/view/117542


* Fedora: postgresql-7.4.6-1.FC3.2 update
  17th, December, 2004

Update to PyGreSQL 3.6 (to fix bug #142711). Adjust a few file
permissions (bug #142431). Assign %{_libdir}/pgsql to base package
instead of -server (bug #74003)

http://www.linuxsecurity.com/content/view/117543


* Fedora: namazu-2.0.14-0.FC2.0 update
  20th, December, 2004

Security fix release.

http://www.linuxsecurity.com/content/view/117604


* Fedora: namazu-2.0.14-0.FC3.0 update
  20th, December, 2004

Security fix release.

http://www.linuxsecurity.com/content/view/117605


* Fedora: pam-0.77-66.1 update
  20th, December, 2004

add argument to pam_console_apply to restrict its work to specified
files. #140451 parse passwd entries correctly and test for failure

http://www.linuxsecurity.com/content/view/117606


* Fedora: samba-3.0.10-1.fc2 update
  20th, December, 2004

New upstream release that closes CAN-2004-1154 (bz#142544). Include
the -64bit patch from Nalin.  This closes bz#142873. Update the
-logfiles patch to work with 3.0.10

http://www.linuxsecurity.com/content/view/117623


* Fedora: samba-3.0.10-1.fc3 update
  20th, December, 2004

New upstream release that closes CAN-2004-1154 (bz#142544). Include
the -64bit patch from Nalin.  This closes bz#142873. Update the
-logfiles patch to work with 3.0.10

http://www.linuxsecurity.com/content/view/117624


* Fedora: glibc-2.3.4-2.fc3 update
  21st, December, 2004

work around rpm bug some more, this time by copying iconvconfig to
iconvconfig.%{_target_cpu}.

http://www.linuxsecurity.com/content/view/117625


* Fedora: krb5-1.3.6-1 update
  21st, December, 2004

A heap based buffer overflow bug was found in the administration
library of Kerberos 1.3.5 and earlier. This overflow in the password
history handling code could allow an authenticated remote attacker to
execute commands on a realm's master Kerberos KDC.

http://www.linuxsecurity.com/content/view/117626


* Fedora: krb5-1.3.6-2 update
  21st, December, 2004

A heap based buffer overflow bug was found in the administration
library of Kerberos 1.3.5 and earlier. This overflow in the password
history handling code could allow an authenticated remote attacker to
execute commands on a realm's master Kerberos KDC.

http://www.linuxsecurity.com/content/view/117627


* Fedora: php-4.3.10-3.2 update
  21st, December, 2004

This update includes the latest release of PHP 4.3, including fixes
for security issues in the unserializer (CVE CAN-2004-1019) and exif
image parsing (CVE CAN-2004-1065).

http://www.linuxsecurity.com/content/view/117628


* Fedora: php-4.3.10-2.4 update
  21st, December, 2004

This update includes the latest release of PHP 4.3, including fixes
for security issues in the unserializer (CVE CAN-2004-1019), exif
image parsing (CVE CAN-2004-1065), and form upload parsing (CVE
CAN-2004-0958 and CAN-2004-0959).

http://www.linuxsecurity.com/content/view/117629


* Fedora: gnumeric-1.2.13-10 update
  22nd, December, 2004

#rh133662# printer font fallback

http://www.linuxsecurity.com/content/view/117648


* Fedora: selinux-policy-targeted-1.17.30-2.58 update
  22nd, December, 2004

Several updates to fix problems with Apache, Squid, postgresql

http://www.linuxsecurity.com/content/view/117649


* Fedora: abiword-2.0.12-9 update
  22nd, December, 2004

RH#143180# backport fix for really stupid ownership of string bug

http://www.linuxsecurity.com/content/view/117650


* Fedora: libtiff-3.5.7-21.fc2 update
  22nd, December, 2004

Fix several buffer overflow problems that could be used as an
exploit. Fixes the following security advisory: CAN-2004-1308

http://www.linuxsecurity.com/content/view/117651


* Fedora: libtiff-3.6.1-8.fc3 update
  22nd, December, 2004

Fix several buffer overflow problems that could be used as an
exploit. Fixes the following security advisory: CAN-2004-1308

http://www.linuxsecurity.com/content/view/117652



+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: cscope Insecure creation of temporary files
  16th, December, 2004

Cscope is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/117558


* Gentoo: Adobe Acrobat Reader Buffer overflow vulnerability
  16th, December, 2004

Adobe Acrobat Reader is vulnerable to a buffer overflow that could
lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117559


* Gentoo: samba Integer overflow
  17th, December, 2004

Samba contains a bug that could lead to remote execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/117560


* Gentoo: PHP Multiple vulnerabilities
  19th, December, 2004

Several vulnerabilities were found and fixed in PHP, ranging from an
information leak and a safe_mode restriction bypass to a potential
remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117576


* Gentoo: Ethereal Multiple vulnerabilities
  19th, December, 2004

Multiple vulnerabilities exist in Ethereal, which may allow an
attacker to run arbitrary code, crash the program or perform DoS by
CPU and disk utilization.

http://www.linuxsecurity.com/content/view/117577


* Gentoo: kdelibs, kdebase Multiple vulnerabilities
  19th, December, 2004

kdelibs and kdebase contain a flaw allowing password disclosure when
creating a link to a remote file. Furthermore Konqueror is vulnerable
to window injection.

http://www.linuxsecurity.com/content/view/117578


* Gentoo: kfax Multiple overflows in the included TIFF library
  19th, December, 2004

kfax contains several buffer overflows potentially leading to
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117579


* Gentoo: abcm2ps Buffer overflow vulnerability
  19th, December, 2004

abcm2ps is vulnerable to a buffer overflow that could lead to remote
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117580


* Gentoo: phpMyAdmin Multiple vulnerabilities
  19th, December, 2004

phpMyAdmin contains multiple vulnerabilities which could lead to file
disclosure or command execution.

http://www.linuxsecurity.com/content/view/117581


* Gentoo: WordPress HTTP response splitting and XSS vulnerabilities
  19th, December, 2004

Thomas Waldegger, who discovered these vulnerabilities, reported that
these issues were not fixed in version 1.2.1. After notifying the
developers, they released 1.2.2 to fix these flaws.

http://www.linuxsecurity.com/content/view/117582


* Gentoo: NASM Buffer overflow vulnerability
  20th, December, 2004

NASM is vulnerable to a buffer overflow that allows an attacker to
execute arbitrary code through the use of a malicious object file.

http://www.linuxsecurity.com/content/view/117583


* Gentoo: MPlayer Multiple overflows
  20th, December, 2004

Multiple overflow vulnerabilities have been found in MPlayer,
potentially resulting in remote executing of arbitrary code.

http://www.linuxsecurity.com/content/view/117584


* Gentoo: mpg123 Playlist buffer overflow
  21st, December, 2004

mpg123 is vulnerable to a buffer overflow that allows an attacker to
execute arbitrary code through the use of a malicious playlist.

http://www.linuxsecurity.com/content/view/117611


* Gentoo: Zwiki XSS vulnerability
  21st, December, 2004

Zwiki is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/content/view/117622



+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: wget download bug fix
  17th, December, 2004

A problem in wget prevents it from downloading very large data files.
The updated packages are patched to fix the problem.

http://www.linuxsecurity.com/content/view/117536


* Mandrake: urpmi ssh parallel support fix
  17th, December, 2004

A bug in the parallel ssh extension in urpmi would prevent parallel
installations using ssh; urpmi would crash.  The updated packages fix
the problem.

http://www.linuxsecurity.com/content/view/117537


* Mandrake: urpmi ssh parallel support fix
  18th, December, 2004

A bug in the parallel ssh extension in urpmi would prevent parallel
installations using ssh; urpmi would crash. The updated packages fix
the problem.

http://www.linuxsecurity.com/content/view/117574


* Mandrake: php multiple vulnerabilities fix
  18th, December, 2004

A number of vulnerabilities in PHP versions prior to 4.3.10 were
discovered by Stefan Esser. Some of these vulnerabilities were not
deemed to be severe enough to warrant CVE names, however the packages
provided, with the exception of the Corporate Server 2.1 packages,
include fixes for all of the vulnerabilities, thanks to the efforts
of the OpenPKG team who extracted and backported the fixes.

http://www.linuxsecurity.com/content/view/117575


* Mandrake: aspell vulnerability fix
  20th, December, 2004

A vulnerability was discovered in the aspell word-list-compress
utility that can allow an attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/117607


* Mandrake: ethereal multiple vulnerabilities fix
  20th, December, 2004

A number of vulnerabilities were discovered in Ethereal.

http://www.linuxsecurity.com/content/view/117608


* Mandrake: krb5 buffer overflow vulnerability fix
  22nd, December, 2004

Michael Tautschnig discovered a heap buffer overflow in the history
handling code of libkadm5srv which could be exploited by an
authenticated user to execute arbitrary code on a Key Distribution
Center (KDC) server.

http://www.linuxsecurity.com/content/view/117641


* Mandrake: kdelibs multiple vulnerability fix
  22nd, December, 2004

A vulnerability in the Konqueror webbrowser was discovered where an
untrusted java applet could escalate privileges (through JavaScript
calling into Java code).  This includes the reading and writing of
files with the privileges of the user running the applet.

http://www.linuxsecurity.com/content/view/117642


* Mandrake: logcheck temporary file vulnerability fix
  22nd, December, 2004

A vulnerability was discovered in the logcheck program by Christian
Jaeger.  This could potentially lead to a local attacker overwriting
files with root privileges.

http://www.linuxsecurity.com/content/view/117643


* Mandrake: mplayer multiple vulnerabilities fix
  22nd, December, 2004

A number of vulnerabilities were discovered in the MPlayer program by
iDEFENSE, Ariel Berkman, and the MPlayer development team. These
vulnerabilities include potential heap overflows in Real RTSP and pnm
streaming code, stack overflows in MMST streaming code, and multiple
buffer overflows in the BMP demuxer and mp3lib code.

http://www.linuxsecurity.com/content/view/117645



+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

* NetBSD: Insufficient argument validation in compat code
  17th, December, 2004

Some of the translation functions performed unsafe operations using
the syscall arguments, and were exploitable to cause kernel traps.
Some of the flaws may be exploitable and result in privilege
escalation.

http://www.linuxsecurity.com/content/view/117538


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

* Trustix: samba, php security update
  20th, December, 2004

Remote exploitation of an integer overflow vulnerability in the smbd
daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to
and including 3.0.9 could allow an attacker to cause controllable
heap corruption, leading to execution of arbitrary commands with root
privileges.

http://www.linuxsecurity.com/content/view/117571


* Trustix: kernel Remote hole, local DoS
  20th, December, 2004

Paul Starzetz discovered a bug in the IGMP networking modules of the
Linux kernel.  This allows for a remote DoS and local root exploit.

http://www.linuxsecurity.com/content/view/117572


* Trustix: anaconda, mailcap, mkinitrd, vim, postgresql, ntp,
sqlgrey, db4, rsync, postgresql bugfixes
  20th, December, 2004

The previous attempt to get PXE booting working with more network
cards turned out not to work.  This update fixes that.

http://www.linuxsecurity.com/content/view/117573


* Trustix: kerberos5 execution of arbitrary code by authenticated user
  21st, December, 2004

There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to
execute arbitrary code on a Key Distribution Center (KDC) server.

http://www.linuxsecurity.com/content/view/117612



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* Red Hat: zip security issue fix
  16th, December, 2004

An updated zip package that fixes a buffer overflow vulnerability is
now available.

http://www.linuxsecurity.com/content/view/117532


* Red Hat: libxml security vulnerabilities
  16th, December, 2004

An updated libxml package that fixes multiple buffer overflows is now
available.

http://www.linuxsecurity.com/content/view/117533


* Red Hat: samba security issue fix
  16th, December, 2004

Updated samba packages that fix an integer overflow vulnerability are
now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/117534


* Red Hat: gd security issues fix
  17th, December, 2004

Updated gd packages that fix security issues with overflow in various
memory allocation calls are now available.

http://www.linuxsecurity.com/content/view/117535


* Red Hat: XFree86 security issues fix
  20th, December, 2004

Updated XFree86 packages that fix several security flaws in libXpm
are now available for Red Hat Enterprise Linux 2.1.

http://www.linuxsecurity.com/content/view/117570


* Red Hat: rh-postgresql update
  20th, December, 2004

Trustix has identified improper temporary file usage in the
make_oidjoins_check script. It is possible that an attacker could
overwrite arbitrary file contents as the user running the
make_oidjoins_check script. This script has been removed from the RPM
file since it has no use to ordinary users. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0977 to this issue.

http://www.linuxsecurity.com/content/view/117601
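The make_oidjoins_check issue above, the Debian and Gentoo cscope
advisories, the debmake debstd directory bug, and the Mandrake logcheck
fix are all the same mistake: a program creates a temporary file under a
name a local attacker can guess (a fixed prefix plus the PID in a shared
directory) and opens it in a way that follows a symlink the attacker
planted there first. The C program below is an added example written for
this newsletter, not code from any of those packages or their fixes. It
plays the attack against itself in a private directory (the `cscope.`
prefix and the `/tmp` location are assumptions for the demo) and shows
the two fixes: O_EXCL on the open(), which refuses a pre-existing name,
and mkstemp(), which also makes the name unguessable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The predictable-name pattern behind the cscope, debstd, logcheck and
 * make_oidjoins_check advisories: fixed prefix plus PID in a shared
 * directory. Any local user can guess it and plant a symlink there first.
 * The "cscope." prefix is illustrative, not the real program's behaviour. */
static void predictable_name(char *buf, size_t n, const char *dir, pid_t pid)
{
    snprintf(buf, n, "%s/cscope.%ld", dir, (long)pid);
}

static int write_all(int fd, const char *data)
{
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Vulnerable writer: O_CREAT without O_EXCL. If a symlink already sits at
 * the name, open() follows it and the data lands in the link's target. */
int insecure_tmp_write(const char *dir, const char *data)
{
    char path[512];
    predictable_name(path, sizeof path, dir, getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Minimal fix: with O_EXCL, creation fails with EEXIST when anything,
 * symlink included, already exists at the path, instead of writing through. */
int exclusive_tmp_write(const char *dir, const char *data)
{
    char path[512];
    predictable_name(path, sizeof path, dir, getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Preferred fix: mkstemp() picks an unguessable name and opens it with
 * O_CREAT|O_EXCL atomically. path receives the name that was used. */
int mkstemp_tmp_write(const char *dir, const char *data, char *path, size_t n)
{
    snprintf(path, n, "%s/cscope.XXXXXX", dir);
    int fd = mkstemp(path);
    return fd < 0 ? -1 : write_all(fd, data);
}

static int file_equals(const char *path, const char *expect)
{
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t r = read(fd, buf, sizeof buf - 1);
    close(fd);
    return r >= 0 && strcmp(buf, expect) == 0;
}

/* Plays the attack in a private directory (so fs.protected_symlinks, which
 * only covers sticky world-writable directories, does not interfere).
 * Returns a bitmask; 7 means every step behaved as described:
 *   1: the insecure writer overwrote the victim file through the symlink
 *   2: the O_EXCL writer refused the planted symlink with EEXIST
 *   4: mkstemp created a fresh file and left the victim alone */
int run_demo(void)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[512], planted[512], fresh[512] = "";
    snprintf(victim, sizeof victim, "%s/victim", dir);
    predictable_name(planted, sizeof planted, dir, getpid());

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write_all(fd, "original\n") < 0) return -1;
    if (symlink(victim, planted) < 0) return -1;   /* attacker's step */

    int result = 0;
    if (insecure_tmp_write(dir, "clobbered\n") == 0 &&
        file_equals(victim, "clobbered\n"))
        result |= 1;
    if (exclusive_tmp_write(dir, "x\n") == -1 && errno == EEXIST)
        result |= 2;
    if (mkstemp_tmp_write(dir, "fresh\n", fresh, sizeof fresh) == 0 &&
        file_equals(fresh, "fresh\n") && file_equals(victim, "clobbered\n"))
        result |= 4;

    unlink(fresh);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result: %d (expect 7)\n", run_demo());
    return 0;
}
```

In shell scripts such as debstd or logcheck the equivalent of mkstemp()
is `mktemp` (and `mktemp -d` for a directory), used instead of
`$TMPDIR/name.$$`. Newer kernels add a partial mitigation through the
fs.protected_symlinks sysctl, which refuses to follow a symlink in a
sticky world-writable directory unless the follower owns it or the
directory; it does not help for code running in 2004-era kernels, nor
for private directories, so the O_EXCL/mkstemp fix is still required.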


* Red Hat: nfs-utils security vulnerabilities fix
  20th, December, 2004

SGI reported that the statd daemon did not properly handle the
SIGPIPE signal. A misconfigured or malicious peer could cause statd
to crash, leading to a denial of service. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-1014 to this issue.

http://www.linuxsecurity.com/content/view/117602


* Red Hat: glibc update
  20th, December, 2004

This update fixes several bugs in the GNU C Library.

http://www.linuxsecurity.com/content/view/117603


* Red Hat: php security issues and bugs fix
  21st, December, 2004

Updated php packages that fix various security issues and bugs are
now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/117620


* Red Hat: samba security issue fix
  21st, December, 2004

Updated samba packages that fix an integer overflow vulnerability are
now available for Red Hat Enterprise Linux 2.1

http://www.linuxsecurity.com/content/view/117621


+---------------------------------+
|  Distribution: SUSE             | ----------------------------//
+---------------------------------+

* SuSE: various kernel problems
  21st, December, 2004

Several vulnerabilities have been found and fixed in the Linux
kernel.

http://www.linuxsecurity.com/content/view/117618


* SuSE: samba remote privilege escalation
  22nd, December, 2004

The Samba developers informed us about several potential integer
overflow issues in the Samba 2 and Samba 3 code.

http://www.linuxsecurity.com/content/view/117619

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

