03-Mar-2003, 06:21 PM
#1
Hiya

A vulnerability has been discovered in NANOG traceroute, an enhanced version of the Van Jacobson/BSD traceroute program. A buffer overflow occurs in the 'get_origin()' function. Due to insufficient bounds checking performed by the whois parser, it may be possible to corrupt memory on the system stack. This vulnerability can be exploited by a remote attacker to gain root privileges on a target host. Though most probably not in Debian.

The Common Vulnerabilities and Exposures (CVE) project additionally identified the following vulnerabilities which were already fixed in the Debian version in stable (woody) and oldstable (potato) and are mentioned here for completeness (and since other distributions had to release a separate advisory for them):
* CAN-2002-1364 (BugTraq ID 6166) talks about a buffer overflow in the get_origin function which allows attackers to execute arbitrary code via long WHOIS responses.
* CAN-2002-1051 (BugTraq ID 4956) talks about a format string vulnerability that allows local users to execute arbitrary code via the -T (terminator) command line argument.
* CAN-2002-1386 talks about a buffer overflow that may allow local users to execute arbitrary code via a long hostname argument.
* CAN-2002-1387 talks about the spray mode that may allow local users to overwrite arbitrary memory locations.
Fortunately, the Debian package drops privileges quite early after startup, so those problems are not likely to result in an exploit on a Debian machine.

For the current stable distribution (woody) the above problem has been fixed in version 6.1.1-1.2.
For the old stable distribution (potato) the above problem has been fixed in version 6.0-2.2.
For the unstable distribution (sid) these problems have been fixed in version 6.3.0-1.
We recommend that you upgrade your traceroute-nanog package.
http://www.linuxsecurity.com/advisor...sory-2906.html

The shadow-utils package contains the tool useradd, which is used to create or update new user information. When useradd creates an account, it would create it with improper permissions; instead of having it owned by the group mail, it would be owned by the user's primary group. If this is a shared group (i.e. "users"), then all members of the shared group would be able to obtain access to the mail spools of other members of the same group. A patch to useradd has been applied to correct this problem.
http://www.linuxsecurity.com/advisor...sory-2907.html

A vulnerability was discovered in webmin by Cintia M. Imanishi, in the miniserv.pl program, which is the core server of webmin. This vulnerability allows an attacker to spoof a session ID by including special metacharacters in the BASE64 encoding string used during the authentication process. This could allow an attacker to gain full administrative access to webmin. MandrakeSoft encourages all users to upgrade immediately.
http://www.linuxsecurity.com/advisor...sory-2908.html

Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted network packet which causes tcpdump to enter an infinite loop. In addition to the above problem the tcpdump developers discovered a potential infinite loop when parsing malformed BGP packets. They also discovered a buffer overflow that can be exploited with certain malformed NFS packets.
For the stable distribution (woody) these problems have been fixed in version 3.6.2-2.3.
The old stable distribution (potato) does not seem to be affected by this problem.
For the unstable distribution (sid) these problems have been fixed in version 3.7.1-1.2.
We recommend that you upgrade your tcpdump packages.
http://www.linuxsecurity.com/advisor...sory-2909.html

It has been discovered that adb2mhc from the mhc-utils package uses a default temporary directory with a predictable name. This adds a vulnerability that allows a local attacker to overwrite arbitrary files the user has write permissions for.
For the stable distribution (woody) this problem has been fixed in version 0.25+20010625-7.1.
The old stable distribution (potato) does not contain mhc packages.
For the unstable distribution (sid) this problem has been fixed in version 0.25+20030224-1.
We recommend that you upgrade your mhc-utils packages.
http://www.linuxsecurity.com/advisor...sory-2910.html

"Many of the features supported by popular terminal emulator software can be abused when un-trusted data is displayed on the screen. The impact of this abuse can range from annoying screen garbage to a complete system compromise. All of the issues below are actually documented features, anyone who takes the time to read over the man pages or source code could use them to carry out an attack."
It is recommended that all Gentoo Linux users who are running x11-terms/eterm upgrade to eterm-0.9.2-r3 as follows:
emerge sync
emerge -u eterm
emerge clean
http://www.linuxsecurity.com/advisor...sory-2911.html

"Many of the features supported by popular terminal emulator software can be abused when un-trusted data is displayed on the screen. The impact of this abuse can range from annoying screen garbage to a complete system compromise. All of the issues below are actually documented features, anyone who takes the time to read over the man pages or source code could use them to carry out an attack."
It is recommended that all Gentoo Linux users who are running x11-libs/vte upgrade to vte-0.10.25 as follows:
emerge sync
emerge -u vte
emerge clean
http://www.linuxsecurity.com/advisor...sory-2912.html

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
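The eterm and vte advisories quoted above come down to one defensive rule: untrusted text (log lines, file names, banners returned by a remote host) must be filtered before it reaches a terminal, because escape sequences are documented features rather than bugs. The following is an added example written for this thread, not code from the post or from the Gentoo advisories; it strips OSC, CSI and other ESC sequences plus stray control bytes, and also reports which sequences were found so they can be logged. All sample inputs are constructed.

```python
"""Strip terminal control sequences from untrusted text before it reaches the screen.

Added example; not code from the post or from the Gentoo eterm/vte advisories.
Removing escape sequences on the way to the terminal is the defensive
counterpart to the advisories' warning. All sample inputs below are constructed.
"""
import re

# ESC ] ... terminated by BEL or ESC \  : OSC strings (window title, hyperlinks, clipboard)
_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# ESC P / ESC X / ESC ^ / ESC _ ... ESC \ : DCS, SOS, PM and APC strings
_STRING = re.compile(r"\x1b[PX^_][^\x1b]*\x1b\\")
# ESC [ params intermediates final : CSI sequences (cursor movement, colours, reports)
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any remaining short ESC sequence (ESC c reset, ESC ( B charset select, ...)
_ESC_SHORT = re.compile(r"\x1b[ -/]*[0-~]")
# Leftover C0 controls except tab and newline, DEL, and 8-bit C1 controls
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

# Order matters: string-type sequences first, since their payload may contain '['.
_SEQUENCES = (_OSC, _STRING, _CSI, _ESC_SHORT)
_ANY_SEQUENCE = re.compile("|".join(p.pattern for p in _SEQUENCES))


def sanitize_for_terminal(text: str) -> str:
    """Return text with escape sequences and stray control bytes removed.

    Tab and newline are kept because ordinary output depends on them; everything
    else that could steer the terminal is dropped rather than escaped.
    """
    for pattern in _SEQUENCES:
        text = pattern.sub("", text)
    return _CTRL.sub("", text)


def find_escape_sequences(text: str) -> list:
    """Return the raw sequences present, in order, for logging or alerting."""
    return [m.group(0) for m in _ANY_SEQUENCE.finditer(text)]


def is_safe_for_terminal(text: str) -> bool:
    """True when sanitizing would change nothing."""
    return sanitize_for_terminal(text) == text


# Constructed samples: a title-setting OSC, colour/clear CSI sequences, a hyperlink OSC.
SAMPLES = {
    "title": "login from host \x1b]0;owned\x07 ok",
    "csi": "\x1b[31mERROR\x1b[0m\x1b[2J disk full",
    "link": "\x1b]8;;http://example.invalid\x1b\\link\x1b]8;;\x1b\\",
    "plain": "plain text\twith tab\nand newline",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, repr(find_escape_sequences(sample)), repr(sanitize_for_terminal(sample)))
```

The sanitizer removes rather than escapes, so a log viewer or `cat`-style wrapper can pipe arbitrary data through it without any sequence surviving; `find_escape_sequences` is the detection side, useful for alerting when a service's output suddenly starts carrying title-setting or cursor-reporting sequences.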
07-Mar-2003, 04:59 PM
#2
Hiya

OpenSSL is a commercial-grade, full-featured, and open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to make it possible to retrieve the plaintext of a common, fixed block. In order for an attack to be successful, an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections, which all involve a common fixed plaintext block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. These erratum packages contain a patch provided by the OpenSSL group that corrects this vulnerability. Because server applications are affected by these vulnerabilities, we advise users to restart all services that use OpenSSL functionality or alternatively reboot their systems after installing these updates.
http://www.linuxsecurity.com/advisor...sory-2939.html

Problem Description
The slocate command suffers from two command line buffer overflows.
2. Vulnerable Supported Versions
System                        Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server        prior to slocate-2.6-3.i386.rpm
OpenLinux 3.1.1 Workstation   prior to slocate-2.6-3.i386.rpm
OpenLinux 3.1 Server          prior to slocate-2.6-3.i386.rpm
OpenLinux 3.1 Workstation     prior to slocate-2.6-3.i386.rpm
http://www.linuxsecurity.com/advisor...sory-2940.html

"Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to a RPC portmapper service to exploit this vulnerability."
http://www.linuxsecurity.com/advisor...sory-2941.html

The file command is used to identify a particular file according to the type of data contained in the file. The file utility before version 3.41 contains a buffer overflow vulnerability in the ELF parsing routines. This vulnerability may allow an attacker to create a carefully crafted binary which can allow arbitrary code to be run if a victim runs the 'file' command on that binary. There are other ways that an attacker may be able to take advantage of this vulnerability in the file command:
-- In Red Hat Linux 6.2 and 7.0, the rhs-printfilter package makes use of the file command. This would allow an attacker who has the ability to print to execute arbitrary commands (as the user 'lp') on the print server by sending a malicious file.
-- On some Red Hat Linux distributions it may also be possible to trigger this exploit by encouraging the victim to use the 'less' command on a malicious file which is named so that it will be processed by the 'lesspipe.sh' script.
All users are advised to update to these erratum packages, which contain a backported patch to correct this vulnerability. Red Hat would like to thank iDefense for disclosing this issue and zen-parse for discussion of some of the implications.
http://www.linuxsecurity.com/advisor...sory-2943.html

Versions prior to 0.8.9 had all configuration and connection files world readable.
SOLUTION
It is recommended that all Gentoo Linux users who are running dev-db/mysqlcc upgrade to mysqlcc-0.8.10-r1 as follows:
emerge sync
emerge -u mysqlcc
emerge clean
http://www.linuxsecurity.com/advisor...sory-2942.html

Recently ISS X-Force discovered a buffer overflow vulnerability in the RPC preprocessor of the snort IDS system. A remote attacker could send fragmented RPC records and cause snort to execute arbitrary code as the snort user. To fix this vulnerability we have upgraded snort to the latest stable version (1.9.1). All users are recommended to upgrade as soon as possible. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0033 to this issue.
http://www.linuxsecurity.com/advisor...sory-2944.html

There is a buffer overflow vulnerability in the 'file' command's ELF parsing routines which can allow an attacker to exploit a victim by tricking them into running 'file' on a specially crafted binary. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0102 to this issue.
http://www.linuxsecurity.com/advisor...sory-2945.html

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
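The OpenSSL item above turns on a receiver that treats "bad padding" and "bad MAC" differently enough to be told apart by timing. The following added example, written for this thread and not taken from the post, the Canvel/Hiltgen/Vaudenay/Vuagnoux paper or OpenSSL, models that difference on an already-decrypted CBC record (data || MAC || padding): the vulnerable checker returns early on a padding failure without ever computing a MAC, the hardened one always computes a MAC and reports a single generic error. The block cipher step is left out, and the MAC key and record contents are constructed.

```python
"""Two receivers for a CBC-mode TLS-style record body (data || MAC || padding).

Added example; not code from the post, the Canvel/Hiltgen/Vaudenay/Vuagnoux
paper or OpenSSL. A receiver that rejects bad padding before computing the MAC
does measurably less work than one that rejects a bad MAC, so an active
attacker can tell the two failures apart by timing. The hardened variant always
computes the MAC and reports one generic error. The MAC key and sample records
are constructed.
"""
import hashlib
import hmac

MAC_KEY = b"constructed-mac-key"            # constructed; a real session key is negotiated
MAC_LEN = hashlib.sha1().digest_size        # 20 bytes for HMAC-SHA1 ciphersuites
BLOCK = 16


class MacCounter:
    """Counts MAC computations so the work done per error type can be compared."""
    calls = 0


def compute_mac(data: bytes) -> bytes:
    MacCounter.calls += 1
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()


def build_record(data: bytes, mac_ok: bool = True, pad_ok: bool = True) -> bytes:
    """Build data || MAC || padding with TLS-style padding (every pad byte == pad_len - 1)."""
    mac = compute_mac(data)
    if not mac_ok:
        mac = bytes(b ^ 0xFF for b in mac)           # corrupt the MAC, keep padding valid
    body = data + mac
    pad_len = BLOCK - len(body) % BLOCK               # 1..BLOCK bytes of padding
    padding = bytes([pad_len - 1]) * pad_len
    if not pad_ok:
        padding = padding[:-1] + b"\xff"              # claims 256 pad bytes: always invalid
    return body + padding


def _padding_valid(record: bytes, pad_len: int) -> bool:
    return pad_len <= len(record) - MAC_LEN and all(b == record[-1] for b in record[-pad_len:])


def check_record_vulnerable(record: bytes) -> str:
    """Early-exit receiver: a padding failure skips the MAC entirely (fast path)."""
    pad_len = record[-1] + 1
    if not _padding_valid(record, pad_len):
        return "bad padding"                          # no MAC computed
    body = record[:len(record) - pad_len]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(compute_mac(data), mac):
        return "bad mac"                              # MAC computed (slow path)
    return "ok"


def check_record_hardened(record: bytes) -> str:
    """Always compute a MAC and collapse both failures into one error."""
    pad_len = record[-1] + 1
    padding_ok = _padding_valid(record, pad_len)
    if not padding_ok:
        pad_len = 0                                   # pretend zero-length padding so a MAC
    body = record[:len(record) - pad_len]             # check still runs over something
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(compute_mac(data), mac)
    return "ok" if (padding_ok and mac_ok) else "bad record"


def mac_calls(check, record: bytes) -> int:
    """Number of MAC computations `check` performs on `record`."""
    MacCounter.calls = 0
    check(record)
    return MacCounter.calls


if __name__ == "__main__":
    for label, rec in (("good", build_record(b"password=hunter2")),
                       ("bad padding", build_record(b"password=hunter2", pad_ok=False)),
                       ("bad mac", build_record(b"password=hunter2", mac_ok=False))):
        print(label, check_record_vulnerable(rec), mac_calls(check_record_vulnerable, rec),
              check_record_hardened(rec), mac_calls(check_record_hardened, rec))
```

The MAC counter is the point: the vulnerable checker does zero MAC computations on a padding failure and one on a MAC failure, while the hardened checker does one in every case and gives the peer a single error to look at. Note that even the hardened version MACs a length that depends on whether the padding was accepted; closing that remaining gap needs a fully constant-time record check, which is beyond this example.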
16-Mar-2003, 06:28 PM
#3
Hiya

The /usr/bin/shutdown command that comes with the usermode package can be executed by local users to shut down all running processes and drop into a root shell. This command is not really needed to shut down a system, so it has been removed and all users are encouraged to upgrade. Please note that the user must have local console access in order to obtain a root shell in this fashion.
http://www.linuxsecurity.com/advisor...sory-2955.html

Florian Heinz <heinz@cronon-ag.de> posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user "mail" group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible. The qpopper package in Debian 2.2 (potato) does not include the vulnerable snprintf implementation. For Debian 3.0 (woody) an updated package is available in version 4.0.4-2.woody.3. Users running an unreleased version of Debian should upgrade to 4.0.4-9 or newer. We recommend you upgrade your qpopper package immediately.
http://www.linuxsecurity.com/advisor...sory-2956.html

iDEFENSE discovered a buffer overflow vulnerability in the ELF format parsing of the "file" command, one which can be used to execute arbitrary code with the privileges of the user running the command. The vulnerability can be exploited by crafting a special ELF binary which is then input to file. This could be accomplished by leaving the binary on the file system and waiting for someone to use file to identify it, or by passing it to a service that uses file to classify input. (For example, some printer filters run file to determine how to process input going to a printer.) Fixed packages are available in version 3.28-1.potato.1 for Debian 2.2 (potato) and version 3.37-3.1.woody.1 for Debian 3.0 (woody). We recommend you upgrade your file package immediately.
http://www.linuxsecurity.com/advisor...sory-2957.html

The lprm command of the printing package lprold shipped till SuSE 7.3 contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. lprold is installed as a default package and has the setuid bit set.
As a temporary workaround you can disable the setuid bit of lprm by executing the following tasks as root:
- add "/usr/bin/lprm root.root 755" to /etc/permissions.local
- run 'chkstat -set /etc/permissions.local'
Another way would be to just allow trusted users to run lprm by executing the following tasks as root:
- add "/usr/bin/lprm root.trusted 4755" to /etc/permissions.local
- run 'chkstat -set /etc/permissions.local'
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-2958.html

The network traffic analyzer tool tcpdump is vulnerable to a denial-of-service condition while parsing ISAKMP or BGP packets. This bug can be exploited remotely by an attacker to stop the use of tcpdump for analyzing network traffic for signs of security breaches or alike. Another bug may lead to system compromise due to the handling of malformed NFS packets sent by an attacker. Please note that tcpdump drops root privileges right after allocating the needed raw sockets. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-2959.html

A problem has been discovered in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted RADIUS network packet which causes tcpdump to enter an infinite loop.
For the stable distribution (woody) this problem has been fixed in version 3.6.2-2.4.
The old stable distribution (potato) does not seem to be affected by this problem.
The unstable distribution (sid) is not affected by this problem anymore.
We recommend that you upgrade your tcpdump package.
http://www.linuxsecurity.com/advisor...sory-2960.html

Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are:
* a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root an attacker can use this to gain root access to a machine running smbd.
* the code to write reg files was vulnerable to a chown race which made it possible for a local user to overwrite system files.
Both problems have been fixed in upstream version 2.2.8, and version 2.2.3a-12.1 of the package for Debian GNU/Linux 3.0/woody.
http://www.linuxsecurity.com/advisor...sory-2961.html

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
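The two lprm workarounds above differ only in what the mode bits let a local user reach: drop the setuid bit altogether, or keep it but restrict who can execute the binary. The following added example, written for this thread and not code from the post or from SuSE's chkstat, parses entries in the form the advisory shows ("/usr/bin/lprm root.trusted 4755": path, owner.group, octal mode), reports who a mode actually lets exercise the setuid bit, and compares an entry with the permission bits on disk. The entries and the on-disk file are constructed; the ownership comparison is left out because chown to root needs root.

```python
"""Classify permissions.local-style entries such as the lprm workaround lines.

Added example; not code from the post or from SuSE's chkstat. It parses
'path owner.group mode' lines, states who the mode lets reach the setuid bit,
and checks an entry against the mode bits on disk. Entries are constructed;
the ownership check is omitted because chown to root needs root.
"""
import os
import stat
import tempfile
from typing import NamedTuple


class PermEntry(NamedTuple):
    path: str
    owner: str
    group: str
    mode: int


def parse_permissions_line(line: str) -> PermEntry:
    """Parse 'path owner.group mode' (mode in octal, as in the advisory)."""
    path, owner_group, mode = line.split()
    owner, group = owner_group.split(".", 1)
    return PermEntry(path, owner, group, int(mode, 8))


def classify(entry: PermEntry) -> str:
    """Say who can exercise the setuid bit, which is what the two workarounds differ in."""
    if not entry.mode & stat.S_ISUID:
        return "no setuid"
    if entry.mode & stat.S_IXOTH:
        return f"setuid {entry.owner}, executable by any local user"
    if entry.mode & stat.S_IXGRP:
        return f"setuid {entry.owner}, executable only by group {entry.group}"
    return f"setuid {entry.owner}, executable only by {entry.owner}"


def file_matches(entry: PermEntry) -> bool:
    """True when the permission bits on disk equal the entry's mode."""
    return (os.stat(entry.path).st_mode & 0o7777) == entry.mode


def audit(lines) -> dict:
    """Map each path to its classification, one entry per line."""
    return {e.path: classify(e) for e in map(parse_permissions_line, lines)}


def demo_on_disk() -> tuple:
    """Create a constructed 0755 file and test it against a 755 and a 4755 entry."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "lprm")
    open(path, "wb").close()
    os.chmod(path, 0o755)
    dropped = parse_permissions_line(f"{path} root.root 755")
    setuid = parse_permissions_line(f"{path} root.trusted 4755")
    return file_matches(dropped), file_matches(setuid)


if __name__ == "__main__":
    for path, verdict in audit(["/usr/bin/lprm root.root 755",
                                "/usr/bin/lprm root.trusted 4750",
                                "/usr/bin/lprm root.trusted 4755"]).items():
        print(path, verdict)
    print(demo_on_disk())
```

Running `classify` on a workaround line before applying it is worth the few seconds: a mode of 4755 keeps the other-execute bit set, so the classifier reports it as reachable by any local user regardless of the group named in the entry; only a mode that clears that bit (4750) actually restricts execution to the trusted group.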
22-Mar-2003, 04:56 PM
#4
The Post Office Protocol (POP) server qpopper (version 4) was vulnerable to a buffer overflow. The buffer overflow occurs after authentication has taken place. Therefore pop-users with a valid account can execute arbitrary code on the system running qpopper. Depending on the setup, the malicious code is run with higher privileges. There is no temporary fix known, please update your system. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-3030.html

Ethereal is a GUI for analyzing and displaying network traffic. Ethereal is vulnerable to a format string bug in its SOCKS code and to a heap buffer overflow in its NTLMSSP code. These bugs can be abused to crash ethereal or maybe to execute arbitrary code on the machine running ethereal. There is no temporary workaround known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-3031.html

The file command can be used to determine the type of files. iDEFENSE published a security report about a buffer overflow in the handling-routines for the ELF file-format. In conjunction with other mechanisms like print-filters, cron-jobs, eMail-scanners (like AMaViS) and alike this vulnerability can be used to gain higher privileges or to compromise the system remotely. There is no temporary fix known other than updating the system. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-3029.html

Linux 2.2.25 fixes the kmod/ptrace race condition vulnerability discovered by Andrzej Szombierski. The vulnerability could result in a local root compromise if the kernel is built with support for auto-loading modules (CONFIG_KMOD) and the path to a module loader program is specified in /proc/sys/kernel/modprobe. It is recommended that you not enable or use kmod, for both security and reliability reasons. The kernels used on Owl CDs have never been built with support for kmod. Owl startup scripts, unlike those used on some other distributions, don't set up a path to modprobe with the kernel. Linux 2.2.24+ also corrects "Etherleak" issues with a number of Ethernet drivers (a common class of vulnerabilities publicized by Ofir Arkin and Josh Anderson of @stake) and a local DoS vulnerability with mmap(2) of /proc//mem files discovered by Michal Zalewski of Bindview. Finally, the Linux 2.2.25-ow1 patch makes the added RLIMIT_NPROC enforcement also work for 32-bit syscalls on sparc64 (thanks to Brad Spengler for noticing that this was missing). For those who are wondering about 2.4.x, I am going to put out a new version of the patch when 2.4.21 comes out. Meanwhile, if you must use 2.4.x for whatever reason, make sure you aren't using kmod.
http://www.linuxsecurity.com/advisor...sory-3032.html

Patches were applied for the following issues.
19-Mar-2003: Security Advisory: Klima-Pokorny-Rosa attack.
17-Mar-2003: Security Advisory: timing attacks, RSA blinding.
Update: http://www.linuxsecurity.com/advisor...sory-3033.html

Stunnel is an SSL wrapper able to act as an SSL client or server, enabling non-SSL aware applications and servers to utilize SSL encryption. Dan Boneh and David Brumley have successfully implemented an RSA timing attack against OpenSSL-enabled SSL software, including Stunnel. Their writeup is available at http://crypto.stanford.edu/~dabo/abs...sl-timing.html
http://www.linuxsecurity.com/advisor...sory-3034.html

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
II. Problem Description
This advisory addresses two separate flaws recently fixed in OpenSSL: (1) an RSA timing attack, and (2) the Klima-Pokorny-Rosa attack.
From the OpenSSL Project advisories (see references):
(1) Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on.
(2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack.
http://www.linuxsecurity.com/advisor...sory-3035.html

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
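Three of the advisories above (the OpenSSL patch list, Stunnel and FreeBSD) come back to RSA blinding as the countermeasure to the Boneh-Brumley timing attack. The following added example, written for this thread and not code from the post, OpenSSL, Stunnel or the paper, shows what blinding changes: the private exponentiation runs on c * r^e mod n for a fresh random r rather than on the attacker-supplied c, and r is divided out afterwards so the result is unchanged. The primes are small constructed values, nowhere near a real key size, so the arithmetic stays readable.

```python
"""RSA private-key operation with and without blinding.

Added example; not code from the post, OpenSSL, Stunnel or the Boneh-Brumley
paper. The timing attack works because the time taken by c^d mod n depends on
the value c the attacker submits. Blinding multiplies the ciphertext by r^e for
a fresh random r before the private operation and removes r afterwards, so the
exponentiation runs on a value the attacker never chose. The primes are small
constructed values, nowhere near a real key size.
"""
import secrets
from math import gcd
from typing import Optional

P, Q = 1000003, 999983      # constructed toy primes; real keys use 1024-bit-plus primes
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)         # private exponent (Python 3.8+ modular inverse)


def rsa_public(m: int) -> int:
    """Encrypt / verify side: m^e mod n."""
    return pow(m, E, N)


def fresh_blinding_factor() -> int:
    """Random r in [2, n-1] that is invertible mod n; a new one per private operation."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blinded_input(c: int, r: int) -> int:
    """The value that actually enters the exponentiation: c * r^e mod n."""
    return (c * pow(r, E, N)) % N


def rsa_private_unblinded(c: int) -> int:
    """Textbook c^d mod n: running time depends on the attacker-chosen c."""
    return pow(c, D, N)


def rsa_private_blinded(c: int, r: Optional[int] = None) -> int:
    """Same result as the unblinded version, computed on a randomised input."""
    if r is None:
        r = fresh_blinding_factor()
    m_blinded = pow(blinded_input(c, r), D, N)     # (c * r^e)^d = m * r  (mod n)
    return (m_blinded * pow(r, -1, N)) % N         # strip r


if __name__ == "__main__":
    message = 123456789                             # constructed, must be < N
    ciphertext = rsa_public(message)
    print("unblinded:", rsa_private_unblinded(ciphertext))
    print("blinded:  ", rsa_private_blinded(ciphertext))
    print("input seen by the exponentiation with r=7:", blinded_input(ciphertext, 7))
```

The `r` parameter exists only so the behaviour can be checked with a fixed factor; in use it must be left to `fresh_blinding_factor`, since a reused r lets the attacker correlate timings again. The Klima-Pokorny-Rosa item in the same advisories is a different issue (the server's reaction to malformed PKCS #1 v1.5 padding) and is not addressed by blinding.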

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.