+------------------------------------------------------------------------+
|  LinuxSecurity.com                              Weekly Newsletter       |
|  October 26th, 2007                             Volume 8, Number 43     |
|                                                                        |
|  Editorial Team:  Dave Wreski         <dwreski@xxxxxxxxxxxxxxxxx>      |
|                   Benjamin D. Thomas  <bthomas@xxxxxxxxxxxxxxxxx>      |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for xen-utils, zoph, reprepro,
xfce4-terminal, ktorrent, xulrunner, icedove, t1lib, dhcp, ImageMagick,
HPLIP, MLDonkey, tramp, tikiwiki, PDFKit, The Sleuth Kit, firefox,
nfs-utils, hplip, tk, httpd, php, libpng, flac, openssl, kernel,
seamonkey, thunderbird, gnome-screensaver, ghostscript, util-linux, and
nagios-plugins. The distributors include Debian, Gentoo, Mandriva,
Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database
administrators, system programmers, webmasters and all those who
believe in the power of Open Source software. The majority of our
readers are between 15 and 40 years old. They are interested in
current news from the Linux world, upcoming projects etc. In each
issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: How To Break Web Software

With a tool as widely used, by so many different kinds of people, as
the World Wide Web, everyone needs to understand as much as possible
about how it works. From web designers to web developers to web users,
this is a must read. Security is a job for everyone, and How To Break
Web Software by Mike Andrews and James A. Whittaker is written for
everyone to understand.
http://www.linuxsecurity.com/content/view/122713/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

--------------------------------------------------------------------------

* EnGarde Secure Community v3.0.17 Now Available (Oct 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.17 (Version 3.0, Release 17). This release includes
  many updated packages and bug fixes, some feature enhancements to
  Guardian Digital WebTool and the SELinux policy, and a few new
  features. In distribution since 2001, EnGarde Secure Community was
  one of the very first security platforms developed entirely from
  open source, and has been engineered from the ground-up to provide
  users and organizations with complete, secure Web functionality,
  DNS, database, e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/129961

--------------------------------------------------------------------------

* Debian: New xen-utils packages fix file truncation (Oct 25)
  -----------------------------------------------------------
  Steve Kemp from the Debian Security Audit project discovered that
  xen-utils, a collection of XEN administrative tools, used temporary
  files insecurely within the xenmon tool, allowing local users to
  truncate arbitrary files.

  http://www.linuxsecurity.com/content/view/130295

* Debian: New zoph packages fix SQL injection (Oct 24)
  ----------------------------------------------------
  It was discovered that zoph, a web based photo management system,
  performs insufficient input sanitising, which allows SQL injection.
  This is an updated advisory to make the update for oldstable (sarge)
  available, which had been uploaded to the wrong suite.
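The zoph entry above is a textbook case of insufficient input sanitising leading to SQL injection. The following Python is an added example, not zoph's code or schema: a constructed photo table in an in-memory SQLite database, a search that interpolates the user's string into the query text, and the same search with a bound parameter. Two payloads show how the interpolated version hands back rows the caller never selected, including the private photos.

```python
import sqlite3

# Constructed sample rows; this is not zoph's schema.
PHOTOS = [
    ("sunset.jpg", "Sunset over the bay", 1),
    ("family.jpg", "Family dinner", 0),      # private
    ("passport.jpg", "Passport scan", 0),    # private
]


def make_db():
    """Return an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (name TEXT, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?)", PHOTOS)
    return conn


def search_vulnerable(conn, title):
    """Interpolates the caller's string into the SQL text.  A quote in
    `title` closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT name FROM photos WHERE public = 1 AND title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, title):
    """Binds the string as a parameter: compared as data, never parsed."""
    sql = "SELECT name FROM photos WHERE public = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


# Two classic payloads.  The first turns the WHERE clause into
# (public = 1 AND title = '') OR '1'='1', which is true for every row.
# The second appends a UNION that pulls the rows the caller filtered out.
OR_TRUE = "' OR '1'='1"
UNION_PRIVATE = "x' UNION SELECT name FROM photos WHERE public = 0 AND '1'='1"


def demo():
    """Run both searches against both payloads and an honest title."""
    conn = make_db()
    return {
        "honest_query": search_safe(conn, "Sunset over the bay"),
        "vulnerable_or": sorted(search_vulnerable(conn, OR_TRUE)),
        "safe_or": search_safe(conn, OR_TRUE),
        "vulnerable_union": sorted(search_vulnerable(conn, UNION_PRIVATE)),
        "safe_union": search_safe(conn, UNION_PRIVATE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %s" % (key, value))
```

The fix is not escaping quotes by hand but keeping data out of the SQL grammar altogether: the parameterised query returns nothing for either payload because the whole string is compared as a title.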
  http://www.linuxsecurity.com/content/view/130284

* Debian: New reprepro packages fix authentication bypass (Oct 23)
  ----------------------------------------------------------------
  It was discovered that reprepro, a tool to create a repository of
  Debian packages, when updating from a remote site only checks the
  validity of signatures made by known keys, and thus does not reject
  packages carrying only signatures from unknown keys. This allows an
  attacker to bypass this authentication mechanism.

  http://www.linuxsecurity.com/content/view/130197

* Debian: New xfce4-terminal packages fix arbitrary command execution (Oct 23)
  ----------------------------------------------------------------------------
  It was discovered that xfce4-terminal, a terminal emulator for the
  Xfce environment, did not correctly escape arguments passed to the
  processes spawned by "Open Link". This allowed malicious links to
  execute arbitrary commands on the local system.

  http://www.linuxsecurity.com/content/view/130196

* Debian: New ktorrent packages fix directory traversal (Oct 23)
  --------------------------------------------------------------
  It was discovered that ktorrent, a BitTorrent client for KDE, was
  vulnerable to a directory traversal bug which potentially allowed
  remote users to overwrite arbitrary files.

  http://www.linuxsecurity.com/content/view/130195

* Debian: New xulrunner packages fix several vulnerabilities (Oct 20)
  -------------------------------------------------------------------
  Michal Zalewski discovered that the unload event handler had access
  to the address of the next page to be loaded, which could allow
  information disclosure or spoofing.

  http://www.linuxsecurity.com/content/view/130166

* Debian: New icedove packages fix several vulnerabilities (Oct 19)
  -----------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Icedove
  mail client, an unbranded version of the Thunderbird client.
  The Common Vulnerabilities and Exposures project identifies the
  following problems...

  http://www.linuxsecurity.com/content/view/130161

* Debian: New t1lib packages fix arbitrary code execution (Oct 18)
  ----------------------------------------------------------------
  Hamid Ebadi has discovered a buffer overflow in the
  intT1_Env_GetCompletePath routine in t1lib, a Type 1 font rasterizer
  library. This flaw could allow an attacker to crash an application
  using the t1lib shared libraries, and potentially execute arbitrary
  code within such an application's security context.

  http://www.linuxsecurity.com/content/view/130157

* Debian: New zoph packages fix SQL injection (Oct 18)
  ----------------------------------------------------
  It was discovered that zoph, a web based photo management system,
  performs insufficient input sanitising, which allows SQL injection.

  http://www.linuxsecurity.com/content/view/130153

* Debian: New dhcp packages fix arbitrary code execution (Oct 18)
  ---------------------------------------------------------------
  It was discovered that dhcp, a DHCP server for automatic IP address
  assignment, didn't correctly allocate space for network replies.
  This could potentially allow a malicious DHCP client to execute
  arbitrary code on the DHCP server.

  http://www.linuxsecurity.com/content/view/130151

--------------------------------------------------------------------------

* Gentoo: Sylpheed, Claws Mail User-assisted remote (Oct 25)
  ----------------------------------------------------------
  A format string error has been discovered in Sylpheed and Claws
  Mail, potentially leading to the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/130300

* Gentoo: Qt Buffer overflow (Oct 25)
  -----------------------------------
  An off-by-one vulnerability has been discovered in Qt, possibly
  resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/130299

* Gentoo: ImageMagick Multiple vulnerabilities (Oct 24)
  -----------------------------------------------------
  Multiple vulnerabilities have been discovered in ImageMagick,
  possibly resulting in arbitrary code execution or a Denial of
  Service.

  http://www.linuxsecurity.com/content/view/130283

* Gentoo: HPLIP Privilege escalation (Oct 24)
  -------------------------------------------
  The hpssd daemon might allow local attackers to execute arbitrary
  commands with root privileges.

  http://www.linuxsecurity.com/content/view/130282

* Gentoo: MLDonkey Privilege escalation (Oct 24)
  ----------------------------------------------
  The Gentoo MLDonkey ebuild adds a user to the system with a valid
  login shell and no password. A remote attacker could log into a
  vulnerable system as the p2p user. This would require an installed
  login service that permitted empty passwords, such as SSH configured
  with the "PermitEmptyPasswords yes" option, a local login console, or
  a telnet server.

  http://www.linuxsecurity.com/content/view/130281

* Gentoo: OpenOffice.org Heap-based buffer overflow (Oct 23)
  ----------------------------------------------------------
  A heap-based buffer overflow vulnerability has been discovered in
  OpenOffice.org, allowing for the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/130186

* Gentoo: Star Directory traversal vulnerability (Oct 22)
  -------------------------------------------------------
  A directory traversal vulnerability has been discovered in Star.
  Robert Buchholz of the Gentoo Security team discovered a directory
  traversal vulnerability in the has_dotdot() function, which does not
  identify //.. (slash slash dot dot) sequences in file names inside
  tar files.
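The Star entry above and the Debian ktorrent entry earlier in this issue are the same bug class: a file name chosen by the remote party (a tar member name, a torrent's file list) is joined to a destination directory without making sure the result stays inside it. The Python below is an added example, not code from either project. It shows a component-wise `..` check that also catches the `//..` spelling named in the Star advisory, and a resolver that refuses absolute names and anything whose normalised path escapes the destination. `/srv/extract` and the member names are constructed inputs.

```python
import posixpath


def has_dotdot(member_name):
    """True if any '/'-separated component of an archive member name is '..'.

    Checking components, rather than hunting for the substring '../',
    is what catches the awkward spellings: 'foo//../x', './../x',
    'a/..' and a bare '..'.
    """
    return any(part == ".." for part in member_name.split("/"))


def safe_member_path(dest_dir, member_name):
    """Return the path under dest_dir that member_name may be written to,
    or None if the member must be rejected.

    dest_dir must be absolute.  Rejects absolute member names, any '..'
    component, and (belt and braces) anything whose normalised path does
    not stay below dest_dir.  A real extractor must also refuse to write
    through symlinks it has itself created under dest_dir.
    """
    if not dest_dir.startswith("/"):
        raise ValueError("dest_dir must be absolute")
    if member_name.startswith("/") or has_dotdot(member_name):
        return None
    dest_dir = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest_dir, member_name))
    if posixpath.commonpath([dest_dir, target]) != dest_dir:
        return None
    return target


# Constructed member names of the kind a tar header or a .torrent file
# list might carry.  Only the first two may be written.
SAMPLE_MEMBERS = [
    "photos/2007/img001.jpg",
    "./README",
    "/etc/passwd",                 # absolute name
    "../../.ssh/authorized_keys",  # the classic
    "photos//../../etc/passwd",    # the '//..' spelling from the Star advisory
    "photos/..",                   # trailing '..' component
    "..",
]


def triage(dest_dir, members):
    """Map each member name to its resolved path, or None if rejected."""
    return {m: safe_member_path(dest_dir, m) for m in members}


if __name__ == "__main__":
    for name, target in triage("/srv/extract", SAMPLE_MEMBERS).items():
        print("%-30s -> %s" % (name, target or "REJECTED"))
```

Rejecting rather than silently stripping `..` is deliberate: an archive that needs to escape its extraction directory is hostile, and normalising the name and extracting anyway would hide that from the user.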
  http://www.linuxsecurity.com/content/view/130181

* Gentoo: TRAMP Insecure temporary file creation (Oct 20)
  -------------------------------------------------------
  The TRAMP package for GNU Emacs insecurely creates temporary files.
  Stefan Monnier discovered that the tramp-make-tramp-temp-file()
  function creates temporary files in an insecure manner.

  http://www.linuxsecurity.com/content/view/130168

* Gentoo: TikiWiki Arbitrary command execution (Oct 20)
  -----------------------------------------------------
  TikiWiki contains a command injection vulnerability which may allow
  remote execution of arbitrary code. ShAnKaR reported that input
  passed to the "f" array parameter in tiki-graph_formula.php is not
  properly verified before being used to execute PHP functions.

  http://www.linuxsecurity.com/content/view/130167

* Gentoo: PDFKit, ImageKits Buffer overflow (Oct 18)
  --------------------------------------------------
  PDFKit and ImageKits are vulnerable to an integer overflow and a
  stack overflow allowing for the user-assisted execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/130156

* Gentoo: The Sleuth Kit Integer underflow (Oct 18)
  -------------------------------------------------
  An integer underflow vulnerability has been reported in The Sleuth
  Kit allowing for the user-assisted execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/130155

* Gentoo: util-linux Local privilege escalation (Oct 18)
  ------------------------------------------------------
  The mount and umount programs might allow local attackers to gain
  root privileges.

  http://www.linuxsecurity.com/content/view/130152

--------------------------------------------------------------------------

* Mandriva: Updated shared-mime-info packages fix incorrect (Oct 24)
  ------------------------------------------------------------------
  The freedesktop.org MIME type database contains a wrong MIME type for
  HTML documents.
  This information is used by GNOME and other desktop environments to
  identify files and could cause trouble with the Beagle desktop search
  and other applications. This update corrects this issue.

  http://www.linuxsecurity.com/content/view/130279

* Mandriva: Updated Firefox packages fix multiple (Oct 23)
  --------------------------------------------------------
  A number of security vulnerabilities have been discovered and
  corrected in the latest Mozilla Firefox program, version 2.0.0.8.
  This update provides the latest Firefox to correct these issues. As
  well, it provides Firefox 2.0.0.8 for older products.

  http://www.linuxsecurity.com/content/view/130194

* Mandriva: Updated nfs-utils package fixes bug with (Oct 23)
  -----------------------------------------------------------
  The nfs-utils package had some issues with its provided initscripts,
  including: a lack of dependency on portmap made the various services
  start in an arbitrary order prior to portmap starting, and parallel
  execution of rpcidmapd and rpcgss led to a launch failure due to a
  sunrpc module loading failure. The updated packages correct these
  issues.

  http://www.linuxsecurity.com/content/view/130185

* Mandriva: Updated hplip packages fix vulnerabilities (Oct 22)
  -------------------------------------------------------------
  A vulnerability in the hpssd tool was discovered where it did not
  correctly handle shell meta-characters. A local attacker could use
  this flaw to execute arbitrary commands as the hplip user.

  As well, this update fixes a problem with some HP scanners on
  Mandriva Linux 2007.1, particularly the HP PSC 1315, which wouldn't
  be detected, and also fixes a problem with the HP 1220 and possibly
  other models when scanning via the OpenOffice.org suite.

  Updated packages have been patched to prevent these issues.
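The hpssd entry above, the Gentoo HPLIP entry, and the Debian xfce4-terminal "Open Link" entry all describe one flaw: a value from an untrusted source is spliced into a shell command string, so metacharacters in it are executed by the shell rather than passed to the helper. The Python below is an added example, not HPLIP's or Xfce's code. `echo probing` stands in for the real helper command, and the hostile device name and URL are constructed inputs.

```python
import shlex
import subprocess


def run_vulnerable(device):
    """Splice an untrusted value into a shell command line.  This is the
    pattern the hpssd and xfce-terminal fixes remove: the shell parses
    ';', backticks, '$(...)', '|' and friends inside `device`."""
    cmd = "echo probing %s" % device   # 'echo probing' stands in for the real helper
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe_argv(device):
    """Pass the value as its own argv element.  No shell runs, so there is
    nothing to interpret; the helper sees the bytes exactly as given."""
    return subprocess.run(["echo", "probing", device],
                          capture_output=True, text=True).stdout


def run_safe_quoted(device):
    """If a shell string is unavoidable, quote every untrusted field."""
    cmd = "echo probing %s" % shlex.quote(device)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed hostile inputs: a device name carrying a second command, and
# a link of the kind "Open Link" would hand to a browser, with a backtick
# substitution embedded in the URL.
HOSTILE_DEVICE = "lp0; echo INJECTED"
HOSTILE_URL = "http://example.test/`echo INJECTED`"


def demo():
    """Run each variant against the hostile inputs and collect stdout."""
    return {
        "vulnerable_device": run_vulnerable(HOSTILE_DEVICE),
        "argv_device": run_safe_argv(HOSTILE_DEVICE),
        "quoted_device": run_safe_quoted(HOSTILE_DEVICE),
        "vulnerable_url": run_vulnerable(HOSTILE_URL),
        "argv_url": run_safe_argv(HOSTILE_URL),
    }


if __name__ == "__main__":
    for key, out in demo().items():
        print("%-18s %r" % (key, out))
```

The argv form is preferable to quoting: `shlex.quote` protects against the shell, but the argument list removes the shell from the picture entirely, which also rules out word splitting and glob expansion on the value.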
  http://www.linuxsecurity.com/content/view/130183

* Mandriva: Updated tk packages fix vulnerabilities (Oct 18)
  ----------------------------------------------------------
  A vulnerability in Tk was found that could be used to overrun a
  buffer when loading certain GIF images. If a user were tricked into
  opening a specially crafted GIF file, it could lead to a denial of
  service condition or possibly the execution of arbitrary code with
  the user's privileges.

  Updated packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/130158

--------------------------------------------------------------------------

* RedHat: Moderate: httpd security update (Oct 25)
  ------------------------------------------------
  Updated httpd packages that fix two security issues are now available
  for Red Hat Application Stack.

  http://www.linuxsecurity.com/content/view/130297

* RedHat: Moderate: php security update (Oct 25)
  ----------------------------------------------
  Updated PHP packages that fix several security issues are now
  available for Red Hat Application Stack. Various integer overflow
  flaws were found in the PHP gd extension.

  http://www.linuxsecurity.com/content/view/130296

* RedHat: Moderate: libpng security update (Oct 23)
  -------------------------------------------------
  Updated libpng packages that fix security issues are now available
  for Red Hat Enterprise Linux. Several flaws were discovered in the
  way libpng handled various PNG image chunks. An attacker could create
  a carefully crafted PNG image file in such a way that it could cause
  an application linked with libpng to crash when the file was
  manipulated. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
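The libpng entry above, and the Ubuntu libpng entry later in this issue, concern chunk handling in which a length or comparison was not bounded by the data actually present. The Python below is an added example, not libpng's code: a chunk walker that checks each declared length against the remaining bytes and the spec's 2^31-1 limit before slicing, verifies every CRC, and sanity-checks the IHDR dimensions that downstream allocations are sized from. The sample PNGs are constructed inline with `make_chunk`; this walks chunks and does not decode image data.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_LENGTH = 2**31 - 1   # spec cap on chunk lengths and IHDR dimensions


def make_chunk(ctype, data):
    """Encode one chunk: length, type, data, CRC-32 over type+data.
    Used here only to construct sample input."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def check_ihdr(data):
    """Reject zero or out-of-range dimensions and unknown bit depths, the
    values an allocation of width * height * bytes-per-pixel is sized from."""
    if len(data) != 13:
        raise ValueError("IHDR must be 13 bytes, got %d" % len(data))
    width, height, depth = struct.unpack(">IIB", data[:9])
    if not (0 < width <= MAX_LENGTH and 0 < height <= MAX_LENGTH):
        raise ValueError("illegal image dimensions %dx%d" % (width, height))
    if depth not in (1, 2, 4, 8, 16):
        raise ValueError("illegal bit depth %d" % depth)
    return width, height, depth


def parse_chunks(blob):
    """Walk the chunk list, bounding every declared length by the bytes
    actually present *before* slicing, and verifying each CRC.  Returns the
    chunk types in order; raises ValueError on malformed input."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    pos, types = len(PNG_SIGNATURE), []
    while True:
        remaining = len(blob) - pos
        if remaining < 12:                       # length + type + CRC minimum
            raise ValueError("truncated chunk at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if length > MAX_LENGTH:
            raise ValueError("chunk %r declares illegal length %d" % (ctype, length))
        if length > remaining - 12:
            raise ValueError("chunk %r length %d exceeds %d bytes present"
                             % (ctype, length, remaining - 12))
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        if not types and ctype != b"IHDR":
            raise ValueError("first chunk must be IHDR")
        if ctype == b"IHDR":
            check_ihdr(data)
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            return types


def is_well_formed(blob):
    """True if parse_chunks accepts the stream."""
    try:
        parse_chunks(blob)
        return True
    except ValueError:
        return False


# Constructed samples.  A 1x1 8-bit greyscale header with no IDAT is
# enough to exercise the chunk walker.
IHDR_OK = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_OK) + make_chunk(b"IEND", b"")
# length field far larger than the whole file
OVERSIZED = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_OK)
             + struct.pack(">I", 0xFFFFFFFF) + b"tEXt" + b"\0" * 4)
# plausible length, but only four bytes of payload actually follow
UNDERFILLED = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_OK)
               + struct.pack(">I", 100) + b"tEXt" + b"\0" * 4)
TRUNCATED = GOOD_PNG[:-3]
BAD_CRC = GOOD_PNG[:-1] + bytes([GOOD_PNG[-1] ^ 0xFF])
ZERO_WIDTH = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 0, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    print(parse_chunks(GOOD_PNG))
    for name in ("OVERSIZED", "UNDERFILLED", "TRUNCATED", "BAD_CRC", "ZERO_WIDTH"):
        print(name, "accepted" if is_well_formed(globals()[name]) else "rejected")
```

The ordering matters: the length is compared against `remaining` before any slice or CRC computation uses it, so a hostile length can never drive a read past the end of the buffer, which is exactly the check a C decoder must make before `memcpy`.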
  http://www.linuxsecurity.com/content/view/130193

* RedHat: Moderate: php security update (Oct 23)
  ----------------------------------------------
  Updated PHP packages that fix several security issues are now
  available for Red Hat Application Stack.

  http://www.linuxsecurity.com/content/view/130192

* RedHat: Moderate: php security update (Oct 23)
  ----------------------------------------------
  Updated PHP packages that fix several security issues are now
  available for Red Hat Enterprise Linux 2.1. Various integer overflow
  flaws were found in the PHP gd extension. A script that could be
  forced to resize images from an untrusted source could possibly allow
  a remote attacker to execute arbitrary code as the apache user.

  http://www.linuxsecurity.com/content/view/130191

* RedHat: Important: dhcp security update (Oct 23)
  ------------------------------------------------
  An updated dhcp package that corrects a security flaw is now
  available for Red Hat Enterprise Linux 2.1. The dhcp package provides
  the ISC Dynamic Host Configuration Protocol (DHCP) server and relay
  agent, dhcpd. DHCP is a protocol that allows devices to get their
  own network configuration information from a server. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/130187

* RedHat: Important: flac security update (Oct 22)
  ------------------------------------------------
  An updated flac package to correct a security issue is now available
  for Red Hat Enterprise Linux 4 and 5. FLAC is a Free Lossless Audio
  Codec. The flac package consists of a FLAC encoder and decoder in
  library form, a program to encode and decode FLAC files, a metadata
  editor for FLAC files and input plugins for various music players.
  http://www.linuxsecurity.com/content/view/130174

* RedHat: Moderate: openssl security update (Oct 22)
  --------------------------------------------------
  Updated OpenSSL packages that correct security issues are now
  available for Red Hat Enterprise Linux 2.1 and 3. A flaw was found
  in the SSL_get_shared_ciphers() utility function. An attacker could
  send a list of ciphers to an application that used this function and
  overrun a buffer by a single byte (CVE-2007-5135). This update has
  been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/130170

* RedHat: Important: kernel security update (Oct 22)
  --------------------------------------------------
  Updated kernel packages that fix various security issues in the Red
  Hat Enterprise Linux 5 kernel are now available. A flaw was found in
  the backported stack unwinder fixes in Red Hat Enterprise Linux 5.
  On AMD64 and Intel 64 platforms, a local user could trigger this
  flaw and cause a denial of service. This update has been rated as
  having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/130171

* RedHat: Critical: seamonkey security update (Oct 19)
  ----------------------------------------------------
  Updated seamonkey packages that fix several security bugs are now
  available for Red Hat Enterprise Linux 2.1, 3, and 4. This update
  has been rated as having critical security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/130162

* RedHat: Critical: firefox security update (Oct 19)
  --------------------------------------------------
  Updated firefox packages that fix several security bugs are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having critical security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/130163

* RedHat: Moderate: thunderbird security update (Oct 19)
  ------------------------------------------------------
  Updated thunderbird packages that fix several security bugs are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/130164

--------------------------------------------------------------------------

* Slackware: firefox, seamonkey (Oct 25)
  --------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, and -current to fix security issues. New seamonkey updates are
  available for Slackware 11.0, 12.0, and -current to address similar
  issues.

  http://www.linuxsecurity.com/content/view/130292

--------------------------------------------------------------------------

* Ubuntu: libpng vulnerabilities (Oct 25)
  ---------------------------------------
  It was discovered that libpng did not properly perform bounds
  checking and comparisons in certain operations. An attacker could
  send a specially crafted PNG image and cause a denial of service in
  applications linked against libpng.

  http://www.linuxsecurity.com/content/view/130298

* Ubuntu: gnome-screensaver vulnerability (Oct 23)
  ------------------------------------------------
  Jens Askengren discovered that gnome-screensaver became confused when
  running under Compiz, and could lose keyboard lock focus. A local
  attacker could exploit this to bypass the user's locked screen saver.

  http://www.linuxsecurity.com/content/view/130199

* Ubuntu: Thunderbird vulnerabilities (Oct 23)
  --------------------------------------------
  Various flaws were discovered in the layout and JavaScript engines.
  By tricking a user into opening a malicious web page, an attacker
  could execute arbitrary code with the user's privileges.
  (CVE-2007-5339,

  http://www.linuxsecurity.com/content/view/130200

* Ubuntu: dhcp vulnerability (Oct 23)
  -----------------------------------
  USN-531-1 fixed vulnerabilities in dhcp. The fixes were incomplete,
  and only reduced the scope of the vulnerability without fully solving
  it. This update fixes the problem. Nahuel Riva and Gerardo Richarte
  discovered that the DHCP server did not correctly handle certain
  client options. A remote attacker could send malicious DHCP requests
  to the server and execute arbitrary code.

  http://www.linuxsecurity.com/content/view/130198

* Ubuntu: Firefox vulnerabilities (Oct 23)
  ----------------------------------------
  Various flaws were discovered in the layout and JavaScript engines.
  By tricking a user into opening a malicious web page, an attacker
  could execute arbitrary code with the user's privileges.
  (CVE-2007-5336, CVE-2007-5339, CVE-2007-5340)

  http://www.linuxsecurity.com/content/view/130184

* Ubuntu: Ghostscript vulnerability (Oct 22)
  ------------------------------------------
  USN-501-1 fixed vulnerabilities in Jasper. It was discovered that
  Jasper did not correctly handle corrupted JPEG2000 images. By
  tricking a user into opening a specially crafted JPEG2000 file, a
  remote attacker could cause the application using libjasper to
  crash, resulting in a denial of service.

  http://www.linuxsecurity.com/content/view/130182

* Ubuntu: util-linux vulnerability (Oct 22)
  -----------------------------------------
  Ludwig Nussel discovered that mount and umount did not properly drop
  privileges when using helper programs. Local attackers may be able
  to bypass security restrictions and gain root privileges using
  programs such as mount.nfs or mount.cifs.

  http://www.linuxsecurity.com/content/view/130178

* Ubuntu: OpenSSL vulnerability (Oct 22)
  --------------------------------------
  Andy Polyakov discovered that the DTLS implementation in OpenSSL was
  vulnerable.
  A remote attacker could send a specially crafted connection request
  to services using DTLS and execute arbitrary code with the service's
  privileges. There are no known Ubuntu applications that are currently
  using DTLS.

  http://www.linuxsecurity.com/content/view/130179

* Ubuntu: nagios-plugins vulnerability (Oct 22)
  ---------------------------------------------
  Nobuhiro Ban discovered that check_http in nagios-plugins did not
  properly sanitize its input when following redirection requests. A
  malicious remote web server could cause a denial of service or
  possibly execute arbitrary code as the user.

  http://www.linuxsecurity.com/content/view/130177

* Ubuntu: dhcp vulnerability (Oct 22)
  -----------------------------------
  Nahuel Riva and Gerardo Richarte discovered that the DHCP server did
  not correctly handle certain client options. A remote attacker could
  send malicious DHCP requests to the server and execute arbitrary
  code.

  http://www.linuxsecurity.com/content/view/130176

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------