06-Sep-2002, 05:23 PM (#1)
Hiya

ScrollKeeper is a cataloging system for documentation. All versions of ScrollKeeper between 0.3 and 0.3.11 have a tempfile vulnerability. The scrollkeeper-get-cl command generates temporary files in the /tmp directory. These files are named scrollkeeper-tempfile.[0-4], and while creating these files scrollkeeper-get-cl follows symbolic links. These files are created when a user logs in to a GNOME session and are created as the user who logged in. This means an attacker with local access can easily create and overwrite files as another user. This errata updates ScrollKeeper packages for Red Hat Linux 7.3 with patches that prevent ScrollKeeper from following symlinks when creating temporary files. Previous releases of Red Hat Linux do not contain vulnerable versions of Scrollkeeper. Thanks go to Spybreak for discovering and responsibly disclosing this vulnerability.
http://www.linuxsecurity.com/advisor...sory-2323.html

Spybreak discovered a problem in scrollkeeper, a free electronic cataloging system for documentation. The scrollkeeper-get-cl program creates temporary files in an insecure manner in /tmp using guessable filenames. Since scrollkeeper is called automatically when a user logs into a Gnome session, an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 0.3.6-3.1 for the current stable distribution (woody) and in version 0.3.11-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the scrollkeeper package. We recommend that you upgrade your scrollkeeper packages immediately.
http://www.linuxsecurity.com/advisor...sory-2324.html

Mailman[1] is a mailing list manager. "office" reported[3] several cross site scripting vulnerabilities in Mailman versions 2.0.11 and older. The authors have been notified and released[2] version 2.0.12 shortly thereafter to address these issues. Using these vulnerabilities a remote attacker could obtain sensitive information, such as authentication cookies or even the administrative password of a specific mailing list, by crafting a special URL with javascript in it and somehow having a list administrator click on it. This announcement updates mailman to version 2.0.13.
http://www.linuxsecurity.com/advisor...sory-2325.html

A problem with user privileges has been discovered in the Mantis package, a PHP based bug tracking system. The Mantis system didn't check whether a user is permitted to view a bug, but displays it right away if the user entered a valid bug id. Another bug in Mantis caused the 'View Bugs' page to list bugs from both public and private projects when no projects are accessible to the current user. These problems have been fixed in version 0.17.1-2.5 for the current stable distribution (woody) and in version 0.17.5-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the mantis package. We recommend that you upgrade your mantis packages.
http://www.linuxsecurity.com/advisor...sory-2327.html

The scrollkeeper-get-cl program creates temporary files in an insecure manner in /tmp using guessable filenames. Since scrollkeeper is called automatically when a user logs into a Gnome session, an attacker with local access can easily create and overwrite files as another user.
http://www.linuxsecurity.com/advisor...sory-2326.html

The AMaViS shell script version (AMaViS 0.1.x / 0.2.x) uses securetar. securetar removes the paths of files in a tar archive and makes each file name a unique name. Links, character devices, block devices and named pipes will be removed from the archive. A specially crafted TAR file may hang securetar forever, using up to 100% CPU time.
http://www.linuxsecurity.com/advisor...sory-2328.html

An integer overflow has been discovered in the xdr_array() function, contained in the Sun Microsystems RPC/XDR library, which is part of the glibc library package on all SuSE products. This overflow allows a remote attacker to overflow a buffer, leading to remote execution of arbitrary code supplied by the attacker. There is no temporary workaround for this security problem other than disabling all RPC based server and client programs. The permanent solution is to update the glibc packages with the update packages listed below.
http://www.linuxsecurity.com/advisor...sory-2329.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
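Added example (mine, not code from eddie's post, from ScrollKeeper or from the advisories): the scrollkeeper tempfile bug above comes down to opening a fixed, guessable name in /tmp with flags that follow a pre-planted symlink. The block contrasts that open() with one using O_EXCL|O_NOFOLLOW and with mkstemp(), and builds its own constructed fixture (a private directory with a `target` file and a `link` symlink, names and paths are my own) so it can be run offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a fixed, guessable name opened with
 * O_CREAT but neither O_EXCL nor O_NOFOLLOW. If a symlink was planted at
 * that path beforehand, open() follows it and the caller ends up creating
 * or truncating whatever the link points to. Returns the fd or -1. */
int open_tempfile_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open for a fixed name: O_EXCL makes open() fail if anything
 * (a symlink included) already exists at the path, and O_NOFOLLOW refuses
 * to traverse a symlink as the final component. Returns the fd or -1 with
 * errno set to EEXIST or ELOOP. */
int open_tempfile_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: stop using guessable names altogether. mkstemp() fills the
 * trailing XXXXXX with random characters, opens with O_CREAT|O_EXCL and
 * mode 0600, and retries on collision, so there is no fixed name for an
 * attacker to pre-create. The chosen path is written back into 'template'. */
int create_tempfile_mkstemp(char *template) {
    return mkstemp(template);
}

/* Constructed fixture for the demo (not part of the advisory): a private
 * directory containing a 'target' file and a symlink 'link' -> target,
 * standing in for a link planted at a predictable /tmp name. 'dir' receives
 * the directory path; returns 0 on success, -1 on failure. */
int setup_symlink_dir(char *dir, size_t dirlen) {
    char target[256], link[256];
    snprintf(dir, dirlen, "%s", "/tmp/tmpdemo-XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "victim data\n", 12) != 12) { close(fd); return -1; }
    close(fd);
    return symlink(target, link);
}

/* Size of a file, or -1; used to show whether 'target' was clobbered. */
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void) {
    char dir[64], link[128], target[128], tmpl[128];
    if (setup_symlink_dir(dir, sizeof dir) != 0) return 1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    int fd = open_tempfile_nofollow(link);
    printf("O_EXCL|O_NOFOLLOW open through symlink: fd=%d errno=%s\n",
           fd, fd < 0 ? strerror(errno) : "none");
    printf("target size afterwards: %ld (untouched)\n", file_size(target));

    fd = open_tempfile_insecure(link);
    if (fd >= 0) close(fd);
    printf("plain O_CREAT|O_TRUNC open through symlink: fd=%d\n", fd);
    printf("target size afterwards: %ld (truncated)\n", file_size(target));

    snprintf(tmpl, sizeof tmpl, "%s/safe-XXXXXX", dir);
    fd = create_tempfile_mkstemp(tmpl);
    printf("mkstemp chose %s (fd=%d)\n", tmpl, fd);
    if (fd >= 0) close(fd);
    return 0;
}
```

The interesting line is the second open(): the hardened flags return -1 and `target` keeps its 12 bytes, while the plain O_CREAT|O_TRUNC open succeeds and leaves `target` empty, which is exactly the "create and overwrite files as another user" outcome the advisory warns about when the victim runs with different privileges.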
14-Sep-2002, 05:35 PM (#2)
ssldump is an SSLv3/TLS network protocol analyzer. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. SUMMARY OF BUG: It's possible to send ssldump bogus protocol messages which will cause a buffer under/overflow. Although no exploit is known, it is possible that this buffer overflow can be used to take control of ssldump, which might lead to execution of arbitrary code and compromise of the affected system.
http://www.linuxsecurity.com/advisor...sory-2341.html

Overview: Konqueror fails to detect the "secure" flag in HTTP cookies and as a result may send secure cookies back to the originating site over an unencrypted network connection.
http://www.linuxsecurity.com/advisor...sory-2342.html

Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript can access any foreign subframe which is defined in the HTML source.
http://www.linuxsecurity.com/advisor...sory-2343.html

A fifth parameter was added to PHP's mail() function in 4.0.5 that is not properly sanitized when the server is running in safe mode. This vulnerability would allow local users and, possibly, remote attackers to execute arbitrary commands using shell metacharacters. After upgrading to these packages, execute "service httpd restart" as root in order to close the hole immediately.
http://www.linuxsecurity.com/advisor...sory-2344.html

Mordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr(). Except for the last three, these problems are fixed in the upstream release 7.2.2 of PostgreSQL which is the recommended version to use. Most of these problems do not exist in the version of PostgreSQL that Debian ships in the potato release since the corresponding functionality is not yet implemented. However, PostgreSQL 6.5.3 is quite old and may bear more risks than we are aware of, which may include further buffer overflows, and certainly include bugs that threaten the integrity of your data.
http://www.linuxsecurity.com/advisor...sory-2345.html

The util-linux package contains a large variety of system utilities that are necessary for a Linux system to function. Among many features, it includes the chfn utility, a suid root tool used to change user account information. Michal Zalewski found a race condition vulnerability[1] in the way chfn locks files when changing /etc/passwd. In order to successfully exploit this vulnerability, some administrator interaction is needed and there are some prerequisites to fulfill. Full details can be found in the Bindview advisory[2]. Having what appears to be a stale /etc/ptmptmp file could be a sign that the vulnerability is being exploited. In that case, the administrator should investigate current users and processes before attempting to remove this file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0638 to this issue[3]. Please note that the fixed packages were available in our ftp servers since September 2nd, 2002.
http://www.linuxsecurity.com/advisor...sory-2346.html

Two buffer overflows have been discovered in purity, a game for nerds and hackers, which is installed setgid games on a Debian system. This problem could be exploited to gain unauthorized access to the group games. A malicious user could alter the highscore of several games. This problem has been fixed in version 1-14.2 for the current stable distribution (woody), in version 1-9.1 for the old stable distribution (potato) and in version 1-16 for the unstable distribution (sid). We recommend that you upgrade your purity packages.
http://www.linuxsecurity.com/advisor...sory-2347.html

eddie
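Added example (mine, not code from eddie's post or from KDE/Konqueror): the Konqueror cookie advisory above is about a client that stores a cookie but forgets whether `Secure` was set, so it later replays it over plain HTTP. The block is a minimal Set-Cookie parser plus the send-time check a browser or HTTP library needs; the `struct cookie` layout, the function names and the sample header values are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define COOKIE_MAX 256

struct cookie {
    char name[COOKIE_MAX];
    char value[COOKIE_MAX];
    int secure;   /* 1 if the Set-Cookie header carried the Secure attribute */
};

/* Trim leading and trailing whitespace in place. */
static void trim(char *s) {
    char *p = s;
    while (*p && isspace((unsigned char)*p)) p++;
    memmove(s, p, strlen(p) + 1);
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
}

/* Parse a Set-Cookie header value such as "id=abc; Path=/; Secure" and
 * record whether Secure was present. Attribute names are case-insensitive
 * per RFC 6265. Returns 0 on success, -1 if no name=value pair is found. */
int parse_set_cookie(const char *hdr, struct cookie *c) {
    char buf[1024];
    memset(c, 0, sizeof *c);
    snprintf(buf, sizeof buf, "%s", hdr);

    char *save = NULL;
    char *tok = strtok_r(buf, ";", &save);
    if (tok == NULL) return -1;
    trim(tok);
    char *eq = strchr(tok, '=');
    if (eq == NULL) return -1;
    *eq = '\0';
    snprintf(c->name, sizeof c->name, "%s", tok);
    snprintf(c->value, sizeof c->value, "%s", eq + 1);

    /* Every further ';'-separated token is an attribute. */
    while ((tok = strtok_r(NULL, ";", &save)) != NULL) {
        trim(tok);
        if (strcasecmp(tok, "Secure") == 0) c->secure = 1;
    }
    return 0;
}

/* The check the advisory says Konqueror lacked: a Secure cookie may only
 * travel on a TLS-protected request. Returns 1 if sending is allowed. */
int cookie_may_send(const struct cookie *c, int request_is_https) {
    if (c->secure && !request_is_https) return 0;
    return 1;
}

int main(void) {
    struct cookie c;
    const char *hdr = "session=abc123; Path=/; HttpOnly; Secure";   /* constructed */
    if (parse_set_cookie(hdr, &c) != 0) return 1;
    printf("%s=%s secure=%d send over http? %d  send over https? %d\n",
           c.name, c.value, c.secure, cookie_may_send(&c, 0), cookie_may_send(&c, 1));
    return 0;
}
```

The attribute loop deliberately matches `Secure` case-insensitively; a client that only recognised the exact capitalisation would leak cookies from servers that emit `secure` in lowercase, which is the same class of failure the advisory describes.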
21-Sep-2002, 06:40 PM (#3)
Kf and kfd are used to forward Kerberos credentials in a stand-alone fashion, and come from the Heimdal Kerberos implementation used by NetBSD. In Heimdal releases earlier than 0.5, these programs have multiple security issues, including possible buffer overruns. The kfd daemon has never been enabled by default in NetBSD; enabling it would have required a port name to be added to /etc/services.
http://www.linuxsecurity.com/advisor...sory-2372.html

Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It includes ASN1 updates in the woody packages, plus the potato packages which were not initially available. The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan. CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue. These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.1, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1. These vulnerabilities are also present in Debian 2.2 (potato). Fixed packages are available in openssl094_0.9.4-6.potato.0 and openssl_0.9.6c-0.potato.4. Only i386 packages for openssl094 and openssl095 are available at this time; other architectures will be made available as soon as possible. A worm is actively exploiting this issue on internet-attached hosts; we recommend you upgrade your OpenSSL as soon as possible. Note that you must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.) If you are uncertain which programs are using SSL you may choose to reboot to ensure that all running daemons are using the new libraries.
http://www.linuxsecurity.com/advisor...sory-2373.html

The xf86 package contains various libraries and programs which are fundamental for the X server to function. The libX11.so library from this package dynamically loads other libraries where the pathname is controlled by the user invoking the program linked against libX11.so. Unfortunately, libX11.so also behaves the same way when linked against setuid programs. This behavior allows local users to execute arbitrary code under a different UID which can be the root-UID in the worst case. libX11.so has been fixed to check for calls from setuid programs. It denies loading of user controlled libraries in this case. We recommend an update in any case since there is no easy workaround possible except removing the setuid bit from any program linked against libX11.so.
http://www.linuxsecurity.com/advisor...sory-2374.html

Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though. Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of mail() function. If mail() arguments are taken from user's input it may give the user ability to alter message content including mail headers. Ulf Harnhammar discovered that file() and fopen() are vulnerable to CRLF injection. An attacker could use it to escape certain restrictions and add arbitrary text to alleged HTTP requests that are passed through. However this only happens if something is passed to these functions which is neither a valid file name nor a valid url. Any string that contains control chars cannot be a valid url. Before you pass a string that should be an url to any function you must use urlencode() to encode it.
http://www.linuxsecurity.com/advisor...sory-2375.html

Postgresql[1] is a sophisticated relational database which supports almost all SQL constructs, including subselects, transactions and user-defined types and functions. Mordred Labs <mordred@s-mail.com> announced[3][4][5] several vulnerabilities in the postgresql database:
- buffer overflow in the rpad() and lpad() functions;
- buffer overflow in the repeat() function;
- buffer overflow in the cash_words() function;
Other vulnerabilities were also fixed[2] by the postgresql developers:
- buffer overflow in functions dealing with date/time and timezone;
- more buffer overflows, this time in the circle_poly(), path_encode() and path_addr() functions, reported again by <mordred@s-mail.com>.
Fixes for these overflows are available only in CVS[6] at this time and were not included in the official 7.2.2 release, but are included in this update. Thanks to Martin Schulze <joey@infodrom.org> for alerting us about these last-minute fixes.
http://www.linuxsecurity.com/advisor...sory-2376.html

KDE[1] is a very popular graphical desktop environment available for GNU/Linux and other operating systems. A cross site scripting vulnerability[2] has been found in the Konqueror browser which also affects other programs that use the same rendering engine (KHTML). This vulnerability could allow an attacker to steal cookies and perform other types of cross site scripting attacks on applications which use the KHTML rendering engine, such as Konqueror. The KDE team released an advisory[3] and patches to address this vulnerability.
http://www.linuxsecurity.com/advisor...sory-2377.html

This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm. On July 30, we released a security advisory concerning vulnerabilities in OpenSSL, including a buffer overflow in the SSL code. This vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory http://www.cert.org/advisories/CA-2002-23.html) is currently being exploited by a worm called Slapper, propagating through Apache's mod_ssl module. It is worth noting that even though the worm infects Apache through mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in the OpenSSL library used by mod_ssl. This also means that Apache may not be the only service vulnerable to an attack via the SSL bug. Similar exploits may be possible against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled services.
http://www.linuxsecurity.com/advisor...sory-2378.html

Regards
eddie
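Added example (mine, not code from eddie's post, from PHP or from the advisory): the PHP advisory above makes two separate points, that control characters in mail() arguments let a caller append headers, and that a string containing control characters is never a valid URL and should go through urlencode() first. The block shows both defences in C: a header-value check that rejects CR, LF, NUL, other C0 controls and DEL, a percent-encoder that keeps only RFC 3986 unreserved bytes, and a header builder that refuses tainted input. The function names and the sample values are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reject any byte that could end or split a header line or a command-line
 * argument: CR, LF, NUL, the other C0 controls, and DEL (0x7f).
 * Returns 1 if the string may be placed in a single header, 0 otherwise. */
int header_value_is_safe(const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) return 0;
    }
    return 1;
}

/* Percent-encode everything except the RFC 3986 unreserved set
 * (ALPHA / DIGIT / "-" / "." / "_" / "~"), so the output can never carry a
 * raw control character or separator. Returns the number of bytes written
 * (excluding the NUL), or -1 if 'out' is too small. */
int url_encode(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (isalnum(*p) || *p == '-' || *p == '_' || *p == '.' || *p == '~') {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Emit one "Name: value\r\n" header line only when both parts pass the
 * control-character check. Returns 0 on success, -1 if rejected or if the
 * buffer is too small. */
int build_header(const char *name, const char *value, char *out, size_t outlen) {
    if (!header_value_is_safe(name) || !header_value_is_safe(value)) return -1;
    int n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char buf[256];
    /* constructed inputs: a clean address and one carrying an injected header */
    const char *clean = "alice@example.com";
    const char *tainted = "alice@example.com\r\nBcc: mallory@example.com";
    printf("clean   -> %s\n", build_header("To", clean, buf, sizeof buf) == 0 ? buf : "(rejected)");
    printf("tainted -> %s\n", build_header("To", tainted, buf, sizeof buf) == 0 ? buf : "(rejected)");
    url_encode("a b\r\n", buf, sizeof buf);
    printf("urlencode(\"a b\\r\\n\") = %s\n", buf);
    return 0;
}
```

Rejecting rather than stripping the control characters is the safer choice for headers: silently deleting a CR LF pair would turn the injected `Bcc:` line into part of the previous header's value and still surprise the recipient.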
29-Sep-2002, 02:16 PM (#4)
A heap buffer overflow exists in the XDR decoder in glibc version 2.2.5 and earlier. XDR is a mechanism for encoding data structures for use with RPC, which is derived from Sun's RPC implementation which is likewise vulnerable to a heap overflow. Depending on the application, this vulnerability may be exploitable and could lead to arbitrary code execution. Thanks to Solar Designer for the patches used to correct this vulnerability.
http://www.linuxsecurity.com/advisor...sory-2382.html

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet.
http://www.linuxsecurity.com/advisor...sory-2383.html

Zope is a python-based application server. A number of security hotfixes have been made available for Zope: The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers. (CAN-2002-0687) ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes. (CAN-2002-0688) Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration. (CAN-2002-0170) Users should upgrade to these errata packages that have the Zope Hotfixes 2002-03-01, 2002-04-15, and 2002-06-14 applied, and are therefore not vulnerable to these issues.
http://www.linuxsecurity.com/advisor...sory-2384.html

Wolfram Gloger discovered that the bugfix from DSA 149-1 unintentionally replaced potential integer overflows in connection with malloc() with more likely divisions by zero. This called for an update. For completeness the original security advisory said: An integer overflow bug has been discovered in the RPC library used by GNU libc, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the malloc code. This is fixed in version 2.2.5-11.2 for the current stable distribution (woody) by using a patch from the stable glibc-2_2 branch by Wolfgang and in version 2.1.3-24 for the old stable release (potato).
http://www.linuxsecurity.com/advisor...sory-2385.html

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
http://www.linuxsecurity.com/advisor...sory-2386.html

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.
http://www.linuxsecurity.com/advisor...sory-2387.html

The unzip and tar utilities contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction.
http://www.linuxsecurity.com/advisor...sory-2388.html

Regards
eddie
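Added example (mine, not code from eddie's post, from glibc or from the Sun XDR library): the several xdr_array() advisories above all describe the same defect, an element count from the wire multiplied by an element size in a 32-bit unsigned integer, with the wrapped product used as the allocation size. The block shows that arithmetic next to a checked version that enforces the caller's maximum and tests for wrap-around before multiplying; the function names and the `maxsize` parameter are my own, modelled on the idea of a protocol-level cap rather than copied from any implementation.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The flawed arithmetic: count * elsize in an unsigned int wraps silently
 * for large counts. A decoder that allocates this many bytes and then
 * loops 'count' times writes far past the (tiny) buffer it obtained. */
unsigned int nodesize_unchecked(unsigned int count, unsigned int elsize) {
    return count * elsize;
}

/* Hardened: enforce the caller's maximum element count and prove the
 * product cannot wrap before computing it. Returns 1 and stores the byte
 * count on success, 0 if the request must be rejected. */
int nodesize_checked(unsigned int count, unsigned int elsize,
                     unsigned int maxsize, unsigned int *out) {
    if (count > maxsize) return 0;            /* more elements than the protocol allows */
    if (elsize == 0) return 0;                /* nothing sensible to allocate */
    if (count > UINT_MAX / elsize) return 0;  /* count * elsize would wrap */
    *out = count * elsize;
    return 1;
}

/* What a decoder should call instead of malloc(count * elsize). */
void *alloc_array_checked(unsigned int count, unsigned int elsize, unsigned int maxsize) {
    unsigned int bytes;
    if (!nodesize_checked(count, elsize, maxsize, &bytes)) return NULL;
    return malloc(bytes);
}

int main(void) {
    /* constructed: a count chosen so that count * 4 is 0x100000004 */
    unsigned int count = 0x40000001u, elsize = 4u, bytes;
    printf("unchecked: %u * %u = %u bytes\n", count, elsize, nodesize_unchecked(count, elsize));
    printf("checked:   %s\n", nodesize_checked(count, elsize, UINT_MAX, &bytes) ? "accepted" : "rejected");
    printf("sane:      %s (%u bytes)\n",
           nodesize_checked(100u, elsize, 1000u, &bytes) ? "accepted" : "rejected", bytes);
    return 0;
}
```

The `maxsize` test matters on its own: even when the multiplication does not wrap, an attacker-supplied count that passes the overflow check can still request gigabytes, which is the denial-of-service half of the same bug.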
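Added example (mine, not code from eddie's post, from unzip or from tar): the last advisory in the post says only that crafted archives can overwrite arbitrary files on extraction. The usual mechanism is a member name that is absolute or contains a `..` component, so the block is the check an extractor should apply to every member name before joining it to the destination directory. The function name and the sample names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Decide whether an archive member name may be extracted beneath the
 * destination directory. Rejects empty names, absolute paths, and any
 * path component that is exactly "..", which are the ways a crafted
 * tar or zip entry escapes the extraction root. Returns 1 if safe. */
int member_path_is_safe(const char *name) {
    if (name[0] == '\0' || name[0] == '/') return 0;
    const char *p = name;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (!slash) break;
        p = slash + 1;
    }
    return 1;
}

int main(void) {
    /* constructed member names, the kind a malicious archive would carry */
    const char *names[] = { "docs/readme.txt", "../../etc/passwd",
                            "/etc/passwd", "a/..b/c", "a/../b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i], member_path_is_safe(names[i]) ? "extract" : "REJECT");
    return 0;
}
```

The component-wise test is what keeps `a/..b/c` (harmless) apart from `a/../b` (escapes one level); a substring search for ".." would reject the first and is easy to get wrong for the second. Symlink members need a separate check that this block does not cover.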
05-Oct-2002, 05:29 PM (#5)
The GNU C library package, glibc, contains standard libraries which are used by multiple programs on the system. A read buffer overflow vulnerability exists in the glibc resolver code in versions of glibc up to and including 2.2.5. The vulnerability is triggered by DNS packets larger than 1024 bytes and can cause applications to crash. All Red Hat Linux users are advised to upgrade to these errata packages which contain a patch to correct this vulnerability.
http://www.linuxsecurity.com/advisor...sory-2404.html

A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated. This problem has been fixed in version 4.0.3-3woody1 for the current stable distribution (woody) and in version 4.1.12-1 for the unstable release (sid). The old stable release (potato) does not contain tomcat packages. Also, packages for tomcat3 are not vulnerable to this problem. We recommend that you upgrade your tomcat package immediately.
http://www.linuxsecurity.com/advisor...sory-2405.html

ggv is a user interface for the Ghostscript PostScript(R) interpreter used to display PostScript and PDF documents on an X Window System. Zen Parse found a local buffer overflow in gv version 3.5.8 and earlier. ggv versions 1.0.2 and earlier contain code derived from gv and therefore have the same vulnerability. An attacker can create a carefully crafted malformed PDF or PostScript file in such a way that when that file is viewed arbitrary commands can be executed. All users of ggv are advised to upgrade to the errata packages which contain a patch and are not vulnerable to this issue.
http://www.linuxsecurity.com/advisor...sory-2406.html

According to the Apache HTTP Server Project [1][2], there are several remotely exploitable vulnerabilities which could allow an attacker to enact a denial of service against a server. The Common Vulnerabilities and Exposures (CVE) project identified the following three vulnerabilities:
1. CAN-2002-0839 [3]: A vulnerability exists on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack.
2. CAN-2002-0840 [4]: Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups.
3. CAN-2002-0843 [5]: There were some possible overflows in the utility ApacheBench (ab) which could be exploited by a malicious server.
Please check whether you are affected by running "/bin/rpm -q apache". If you have an affected version of the "apache" package (see above), upgrade it according to the solution below. Remember to also rebuild and reinstall any dependent OpenPKG packages. [6]
http://www.linuxsecurity.com/advisor...sory-2407.html

Zack Weinberg found a vulnerability in the way the execvpe() method from the os.py module uses a temporary file name. A file which supposedly should not exist is created in an unsafe way and the method tries to execute it. The objective of such code is to discover what error the operating system returns in a portable way.
http://www.linuxsecurity.com/advisor...sory-2408.html

Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These updates fix a potential buffer overflow which can occur when nss_ldap is set to configure itself using information stored in DNS, a format string bug in logging functions used in pam_ldap, and to properly handle truncated DNS responses.
http://www.linuxsecurity.com/advisor...sory-2409.html

Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS packets. [Update 3 October 2002] Replacement packages have been added for Red Hat Linux 6.2 as the previous packages could not be installed with the version of RPM that shipped with Red Hat Linux 6.2. Replacement packages have also been added for Red Hat Linux 7.0 as the previous packages were not built correctly.
http://www.linuxsecurity.com/advisor...sory-2410.html

Regards
eddie
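Added example (mine, not code from eddie's post, from glibc or from nss_ldap): two advisories in this post, the glibc resolver read overflow on oversized DNS packets and the nss_ldap fix for truncated DNS responses, are both about a name decoder trusting label lengths and compression pointers more than the packet length. The block is a bounds-checked DNS name reader that treats every length byte and pointer as untrusted and also refuses pointer loops; the constructed message bytes, `SAMPLE_MSG`, and the function name are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255

/* Constructed DNS message fragment (no header, names only):
 *   offset  0: "www.example.com" as labels
 *   offset 17: a compression pointer back to offset 0
 *   offset 19: "mail" followed by a pointer to offset 4 ("example.com") */
const uint8_t SAMPLE_MSG[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xC0, 0x00,
    4,'m','a','i','l', 0xC0, 0x04
};
const size_t SAMPLE_MSG_LEN = sizeof SAMPLE_MSG;

/* Decode a possibly compressed domain name starting at 'off' in a message
 * of 'len' bytes into dotted form. Every read is checked against 'len', so
 * a truncated or oversized packet produces -1 instead of a read past the
 * buffer; compression pointers are followed at most 'len' times so a
 * pointer loop cannot spin forever. Returns the offset just after the
 * name in the uncompressed stream, or -1 on malformed input. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outlen) {
    size_t o = 0, jumps = 0;
    int end = -1;                           /* set at the first pointer */
    if (outlen == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (off >= len) return -1;          /* length byte missing */
        uint8_t l = msg[off];
        if ((l & 0xC0) == 0xC0) {           /* compression pointer */
            if (off + 1 >= len) return -1;  /* second pointer byte missing */
            if (++jumps > len) return -1;   /* pointer loop guard */
            size_t ptr = ((size_t)(l & 0x3F) << 8) | msg[off + 1];
            if (end < 0) end = (int)(off + 2);
            off = ptr;
            continue;
        }
        if (l & 0xC0) return -1;            /* reserved label types */
        off++;
        if (l == 0) break;                  /* root label ends the name */
        if (off + l > len) return -1;       /* label runs past the packet */
        if (o + l + 1 >= outlen || o + l + 1 > DNS_NAME_MAX) return -1;
        if (o > 0) out[o++] = '.';
        memcpy(out + o, msg + off, l);
        o += l;
        out[o] = '\0';
        off += l;
    }
    return end >= 0 ? end : (int)off;
}

int main(void) {
    char name[256];
    size_t offsets[] = { 0, 17, 19 };
    for (size_t i = 0; i < 3; i++) {
        int next = dns_read_name(SAMPLE_MSG, SAMPLE_MSG_LEN, offsets[i], name, sizeof name);
        printf("offset %2zu -> %s (next=%d)\n", offsets[i], next < 0 ? "MALFORMED" : name, next);
    }
    /* same bytes, but pretend the packet was cut off after 10 bytes */
    printf("truncated -> %d\n", dns_read_name(SAMPLE_MSG, 10, 0, name, sizeof name));
    return 0;
}
```

Returning the offset after the name in the uncompressed stream (not after the pointer target) is what lets a caller keep walking the record; getting that wrong is a common source of the off-by-N reads these advisories describe.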

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.