
Linux Vulnerabilities: January

Discussion in 'Linux and Unix' started by eddie5659, Jan 5, 2003.

  1. eddie5659 (Moderator, Malware Specialist, Thread Starter; joined Mar 19, 2001; 37,062 messages)

    Hiya

    CUPS is a well known and widely used printing system for unix-like
    systems. iDEFENSE reported several security issues with CUPS that can
    lead to local and remote root compromise. The following list
    includes all vulnerabilities:
    - integer overflow in HTTP interface to gain remote
    access with CUPS privileges
    - local file race condition to gain root (bug mentioned
    above has to be exploited first)
    - remotely add printers
    - remote denial-of-service attack due to negative length in
    memcpy() call
    - integer overflow in image handling code to gain higher privileges
    - gain local root due to buffer overflow of 'options' buffer
    - design problem to gain local root (needs added printer, see above)
    - wrong handling of zero width images can be abused to gain higher
    privileges
    - file descriptor leak and denial-of-service due to missing checks
    of return values of file/socket operations

    Since SuSE 8.1 CUPS is the default printing system.

    As a temporary workaround CUPS can be disabled and an alternative
    printing system like LPRng can be installed instead.

    New CUPS packages are available on our FTP servers. Please, install
    them to fix your system.


    http://www.linuxsecurity.com/advisories/suse_advisory-2709.html

    "The pdftops filter in the Xpdf and CUPS packages contains an integer
    overflow that can be exploited to gain the privileges of the target user
    or in some cases the increased privileges of the 'lp' user if installed
    setuid. There are multiple ways of exploiting this vulnerability."


    http://www.linuxsecurity.com/advisories/gentoo_advisory-2710.html

    "This vulnerability can make leafnode's nntpd server, named leafnode, go
    into an unterminated loop when a particular article is requested. The
    connection becomes irresponsive, and the server hogs the CPU. The client
    will have to terminate the connection and connect again, and may fall
    prey to the same problem; ultimately, there may be so many leafnode
    processes hogging the CPU that no serious work is possible any more and
    the super user has to kill all running leafnode processes."


    http://www.linuxsecurity.com/advisories/gentoo_advisory-2711.html

    A cross site scripting vulnerability has been discovered in
    squirrelmail, a feature-rich webmail package written in PHP4.
    Squirrelmail doesn't sanitize user provided variables in all places,
    leaving it vulnerable to a cross site scripting attack.

    For the current stable distribution (woody) this problem has been
    fixed in version 1.2.6-1.3. The old stable distribution (potato) is
    not affected since it doesn't contain a squirrelmail package.

    An updated package for the current unstable distribution (sid) is
    expected soon.

    We recommend that you upgrade your squirrelmail package.



    http://www.linuxsecurity.com/advisories/debian_advisory-2712.html

    Stefan Esser from e-matters reported various bugs in MySQL. Within the
    MySQL server the password checking and a signedness issue has been fixed.
    These could lead to a remote compromise of the system running an unpatched
    MySQL server. In order to exploit this bug, the remote attacker needs a
    valid MySQL account.
    Further, a buffer overflow in the mysqlclient library has been reported
    and fixed. Applications using this library (as commonly used from within
    PHP scripts) are vulnerable to this attack and could also be compromised
    by remote attackers.

    Since there is no workaround possible except shutting down the MySQL
    server, we strongly recommend an update.

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

    To be sure the update takes effect you have to restart the MySQL server
    by executing the following command as root:

    /etc/rc.d/mysql restart

    If you run applications which utilize the mysqlclient library (i.e. software
    that accesses a MySQL database server) make sure you restart them again to
    force the use of the patched libraries.

    We thank MySQL Product and Release Engineer Lenz Grimmer as well as
    e-matters Stefan Esser who discovered the bugs for their commitment to
    security matters and the communication of them.

    http://www.linuxsecurity.com/advisories/suse_advisory-2713.html

    Earl Hood, author of mhonarc, a mail to HTML converter, discovered a
    cross site scripting vulnerability in this package. A specially
    crafted HTML mail message can introduce foreign scripting content in
    archives, by-passing MHonArc's HTML script filtering.

    For the current stable distribution (woody) this problem has been
    fixed in version 2.5.2-1.3.

    For the old stable distribution (potato) this problem has been fixed
    in version 2.4.4-1.3.

    For the unstable distribution (sid) this problem has been fixed in
    version 2.5.14-1.

    We recommend that you upgrade your mhonarc package.


    http://www.linuxsecurity.com/advisories/debian_advisory-2714.html

    A vulnerability in Pine version 4.44 and earlier releases can cause
    Pine to crash when sent a carefully crafted email.

    2. Relevant releases/architectures:

    Red Hat Linux 6.2 - i386
    Red Hat Linux 7.0 - i386
    Red Hat Linux 7.1 - i386
    Red Hat Linux 7.2 - i386, ia64
    Red Hat Linux 7.3 - i386
    Red Hat Linux 8.0 - i386

    3. Problem description:

    Pine, developed at the University of Washington, is a tool for reading,
    sending, and managing electronic messages (including mail and news).

    A security problem was found in versions of Pine 4.44 and earlier. In these
    versions, Pine does not allocate enough memory for the parsing and escaping
    of the "From" header, allowing a carefully crafted email to cause a
    buffer overflow on the heap. This will result in Pine crashing.

    All users of Pine on Red Hat Linux are advised to update to these errata
    packages containing a patch to version 4.44 of Pine that fixes this
    vulnerability.


    http://www.linuxsecurity.com/advisories/redhat_advisory-2715.html

    Regards

    eddie
     
  2. eddie5659 (Moderator, Malware Specialist, Thread Starter)

    A security vulnerability has been confirmed to exist in Apache Tomcat
    4.0.x releases, which allows to use a specially crafted URL to return
    the unprocessed source of a JSP page, or, under special circumstances,
    a static resource which would otherwise have been protected by a
    security constraint, without the need for being properly
    authenticated. This is based on a variant of the exploit that was
    identified as CAN-2002-1148.

    For the current stable distribution (woody) this problem has been
    fixed in version 4.0.3-3woody2.

    The old stable distribution (potato) does not contain tomcat packages.

    For the unstable distribution (sid) this problem does not exist in the
    current version 4.1.16-1.

    We recommend that you upgrade your tomcat packages.


    http://www.linuxsecurity.com/advisories/debian_advisory-2740.html

    Ethereal is a package designed for monitoring network traffic on your
    system. Several security issues have been found in the Ethereal packages
    distributed with Red Hat Linux versions 7.2, 7.3, and 8.0.

    Multiple integer signedness errors in the BGP dissector in Ethereal
    0.9.7 and earlier allow remote attackers to cause a denial of service
    (infinite loop) via malformed messages. This problem was discovered by
    Silvio Cesare. CAN-2002-1355

    Ethereal 0.9.7 and earlier allows remote attackers to cause a denial
    of service (crash) and possibly execute arbitrary code via malformed
    packets to the LMP, PPP, or TDS dissectors. CAN-2002-1356

    Users of Ethereal should update to the erratum packages containing Ethereal
    version 0.9.8 which is not vulnerable to these issues.

    http://www.linuxsecurity.com/advisories/redhat_advisory-2741.html

    Heap-based buffer overflow in fetchmail does not account for the
    "@" character when determining buffer lengths for local addresses,
    which allows remote attackers to execute arbitrary code via a
    header with a large number of local addresses.


    http://www.linuxsecurity.com/advisories/caldera_advisory-2742.html

    The pdftops filter found in both the xpdf and CUPS packages
    suffers from an integer overflow that can be exploited to gain
    the privilege of the victim user.


    http://www.linuxsecurity.com/advisories/mandrake_advisory-2743.html

    iDefense reported several security problems in CUPS that can
    lead to local and remote root compromise. An integer overflow
    in the HTTP interface can be used to gain remote access with
    CUPS privilege. A local file race condition can be used to
    gain root privilege, although the previous bug must be exploited
    first. An attacker can remotely add printers to the vulnerable
    system. A remote DoS can be accomplished due to negative length
    in the memcpy() call. An integer overflow in image handling code
    can be used to gain higher privilege. An attacker can gain local
    root privilege due to a buffer overflow of the 'options' buffer.
    A design problem can be exploited to gain local root access,
    however this needs an added printer (which can also be done, as
    per a previously noted bug). Wrong handling of zero-width images
    can be abused to gain higher privilege. Finally, a file descriptor
    leak and DoS due to missing checks of return values of file/socket
    operations.

    MandrakeSoft recommends all users upgrade these CUPS packages
    immediately.


    http://www.linuxsecurity.com/advisories/mandrake_advisory-2744.html

    A vulnerability was discovered by Simon Kelley in the dhcpcd DHCP
    client daemon. dhcpcd has the ability to execute an external script
    named dhcpcd-.exe when an IP address is assigned to that
    network interface. The script sources the file
    /var/lib/dhcpcd/dhcpcd-.info which contains shell variables
    and DHCP assignment information. The way quotes are handled inside
    these assignments is flawed, and a malicious DHCP server can execute
    arbitrary shell commands on the vulnerable DHCP client system. This
    can also be exploited by an attacker able to spoof DHCP responses.

    Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file
    and encourages all users to upgrade immediately. Please note that
    when you do upgrade, you will have to restart the network for the
    changes to take proper effect by issuing "service network restart"
    as root.


    http://www.linuxsecurity.com/advisories/mandrake_advisory-2745.html

    iDEFENSE discovered an integer overflow in the pdftops filter from the
    xpdf and xpdf-i packages that can be exploited to gain the privileges
    of the target user. This can lead to gaining privileged access to the
    'lp' user if the pdftops program is part of the print filter.

    For the current stable distribution (woody) xpdf-i is only a dummy
    package and the problem was fixed in xpdf already.

    For the old stable distribution (potato) this problem has been
    fixed in version 0.90-8.1.

    For the unstable distribution (sid) this problem has been
    fixed in version 2.01-2.

    We recommend that you upgrade your xpdf-i package.


    http://www.linuxsecurity.com/advisories/debian_advisory-2746.html

    Regards

    eddie
     
  3. eddie5659 (Moderator, Malware Specialist, Thread Starter)

    VIM (Vi IMproved) is a version of the vi editor.

    VIM allows a user to set the modeline differently for each edited text
    file by placing special comments in the files. Georgi Guninski found that
    these comments can be carefully crafted in order to call external programs.
    This could allow an attacker to create a text file such that when it is
    opened arbitrary commands are executed.

    Users of VIM are advised to upgrade to these errata packages which have
    been patched to disable the usage of dangerous functions in modelines.


    http://www.linuxsecurity.com/advisories/redhat_advisory-2767.html

    A review was completed by the SuSE Security Team on the OpenLDAP
    server software, and this audit revealed several buffer overflows
    and other bugs that remote attackers could exploit to gain unauthorized
    access to the system running the vulnerable OpenLDAP servers.
    Additionally, various locally exploitable bugs in the OpenLDAP v2
    libraries have been fixed as well.


    http://www.linuxsecurity.com/advisories/mandrake_advisory-2768.html

    Two vulnerabilities have been discovered in Bugzilla, a web-based bug
    tracking system, by its authors. The Common Vulnerabilities and
    Exposures Project identifies the following vulnerabilities:

    * CAN-2003-0012 (BugTraq ID 6502): The provided data collection
    script intended to be run as a nightly cron job changes the
    permissions of the data/mining directory to be world-writable every
    time it runs. This would enable local users to alter or delete the
    collected data.

    * CAN-2003-0013 (BugTraq ID 6501): The default .htaccess scripts
    provided by checksetup.pl do not block access to backups of the
    localconfig file that might be created by editors such as vi or
    emacs (typically these will have a .swp or ~ suffix). This allows
    an end user to download one of the backup copies and potentially
    obtain your database password.

    This does not affect the Debian installation because there is no
    .htaccess as all data files aren't under the CGI path as they are on
    the standard Bugzilla package. Additionally, the configuration is
    in /etc/bugzilla/localconfig and hence outside of the web directory.


    http://www.linuxsecurity.com/advisories/debian_advisory-2769.html

    Stefano Zacchiroli found a buffer overrun in the url_filename
    function, which would make wget segfault on very long urls.

    Steven M. Christey discovered that wget did not verify the FTP
    server response to a NLST command: it must not contain any
    directory information, since that can be used to make a FTP
    client overwrite arbitrary files.


    http://www.linuxsecurity.com/advisories/caldera_advisory-2770.html

    "fnord 1.6 contained a buffer overrun in the CGI code. However, since
    the function does not return, this does not appear to be exploitable."


    http://www.linuxsecurity.com/advisories/gentoo_advisory-2771.html

    "The Internet Software Consortium (ISC) has discovered several buffer
    overflow vulnerabilities in their implementation of DHCP (ISC DHCPD).
    These vulnerabilities may allow remote attackers to execute arbitrary
    code on affected systems. At this time, we are not aware of any
    exploits."

    http://www.linuxsecurity.com/advisories/gentoo_advisory-2772.html

    The Internet Software Consortium discovered several vulnerabilities
    during an audit of the ISC DHCP Daemon. The vulnerabilities exist in
    error handling routines within the minires library and may be
    exploitable as stack overflows. This could allow a remote attacker to
    execute arbitrary code under the user id the dhcpd runs under, usually
    root. DHCP servers other than dhcp3 don't seem to be affected.

    For the stable distribution (woody) this problem has been
    fixed in version 3.0+3.0.1rc9-2.1.

    The old stable distribution (potato) does not contain dhcp3 packages.

    For the unstable distribution (sid) this problem has been fixed in
    version 3.0+3.0.1rc11-1.

    We recommend that you upgrade your dhcp3-server package.


    http://www.linuxsecurity.com/advisories/debian_advisory-2773.html

    Regards

    eddie
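The wget advisory quoted in the post above says the client must reject any NLST entry that carries directory information before it uses the name to create a local file. The following is an added example of that check, written for this thread and not taken from wget or any of the advisories; the function names, the `/srv/mirror` directory and the sample NLST reply are all constructed for illustration.

```python
import posixpath

# Constructed NLST reply, as a server might send it: three plain file
# names mixed with entries that carry directory information.
SAMPLE_NLST = (
    "index.html\r\n"
    "archive.tar.gz\r\n"
    "../.bashrc\r\n"
    "/etc/passwd\r\n"
    "subdir/notes.txt\r\n"
    ".\r\n"
    "report.pdf\r\n"
)


class UnsafeListingEntry(ValueError):
    """Raised for an NLST entry that is not a bare file name."""


def is_bare_filename(name: str) -> bool:
    """True if `name` is a single path component with no directory meaning.

    Rejects empty names, the '.' and '..' entries, anything containing a
    path separator of either flavour, and NUL bytes.
    """
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return posixpath.basename(name) == name


def parse_nlst(response: str, strict: bool = False) -> list[str]:
    """Split an NLST reply into file names, dropping entries with directory info.

    With strict=True the first unsafe entry aborts the transfer (raises);
    with strict=False such entries are skipped, which is what a recursive
    client mirroring an untrusted server would want.
    """
    names = []
    for raw in response.split("\n"):
        name = raw.rstrip("\r")
        if not name:
            continue
        if not is_bare_filename(name):
            if strict:
                raise UnsafeListingEntry(name)
            continue
        names.append(name)
    return names


def local_target(download_dir: str, name: str) -> str:
    """Where a listed file would be written; the check is enforced again here
    so that a caller cannot bypass it by skipping parse_nlst."""
    if not is_bare_filename(name):
        raise UnsafeListingEntry(name)
    return posixpath.join(download_dir, name)


if __name__ == "__main__":
    for entry in parse_nlst(SAMPLE_NLST):
        print(local_target("/srv/mirror", entry))
```

The check is applied twice on purpose: once when the listing is parsed and once when the local path is built, so the local path can never be derived from an unchecked server-supplied name.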
     
  4. eddie5659 (Moderator, Malware Specialist, Thread Starter)

    The package "dhcp" provides a Dynamic Host Configuration Protocol[1]
    server developed by ISC (ISC DHCPD).

    During an internal source code audit, the ISC developers found
    several stack-based buffer overflow vulnerabilities[2,3] in the error
    handling routines of the minires library. This library is used by the
    NSUPDATE feature, which is present in dhcp versions newer than 3.0
    and allows the DHCP server to dynamically update DNS server records.

    A remote attacker which can send messages directly to the DHCP server
    can exploit these vulnerabilities to execute arbitrary code in the
    server context with the privileges of the root user.

    The packages provided with this announcement fix these
    vulnerabilities with a patch from ISC. Please note that Conectiva
    Linux versions prior to 8 do not ship dhcp 3.0 and therefore are not
    vulnerable to this problem.

    http://www.linuxsecurity.com/advisories/connectiva_advisory-2805.html

    libpng is a library used to create and manipulate PNG (Portable
    Network Graphics) image files.

    Glenn Randers-Pehrson discovered a buffer overflow vulnerability in
    unpatched libpng versions prior to 1.0.15 and 1.2.5(*) (inclusive).

    Programs such as web browsers and various others common applications
    make use of libpng. An attacker could exploit this vulnerability to
    remotely run arbitrary code or crash such applications by using a
    specially crafted png image.

    This update provides patched versions of libpng with fixes for this
    vulnerability.

    * The libpng-1.2.X series is available only in Conectiva Linux 8 in
    the libpng3 package.

    http://www.linuxsecurity.com/advisories/connectiva_advisory-2806.html

    The KDE team discovered several vulnerabilities in the K Desktop
    Environment. In some instances KDE fails to properly quote parameters
    of instructions passed to a command shell for execution. These
    parameters may incorporate data such as URLs, filenames and e-mail
    addresses, and this data may be provided remotely to a victim in an
    e-mail, a webpage or files on a network filesystem or other untrusted
    source.

    By carefully crafting such data an attacker might be able to execute
    arbitrary commands on a vulnerable system using the victim's account and
    privileges. The KDE Project is not aware of any existing exploits of
    these vulnerabilities. The patches also provide better safe guards
    and check data from untrusted sources more strictly in multiple
    places.

    For the current stable distribution (woody), these problems have been fixed
    in version 2.2.2-2.2.

    The old stable distribution (potato) does not contain KDE packages.

    For the unstable distribution (sid), these problems will most probably
    not be fixed but new packages for KDE 3.1 for sid are expected for
    this year.

    We recommend that you upgrade your KDE packages.

    http://www.linuxsecurity.com/advisories/debian_advisory-2807.html

    According to research done by Steve Christey [0], directory traversal
    vulnerabilities exist in many FTP clients including wget [1].
    Resolution of this issue was handled primarily through Mark Cox of
    Red Hat whose patches were incorporated into the wget 1.8.2 HEAD
    development branch of the vendor. The Common Vulnerabilities and
    Exposures (CVE) project assigned the id CAN-2002-1344 [2] to the
    problem.

    Please check whether you are affected by running "/bin/rpm -q
    wget". If you have the "wget" package installed and its version is
    affected (see above), we recommend that you immediately upgrade it.

    http://www.linuxsecurity.com/advisories/other_advisory-2808.html

    The KDE team discovered several vulnerabilities in the K Desktop
    Environment. In some instances KDE fails to properly quote parameters
    of instructions passed to a command shell for execution. These
    parameters may incorporate data such as URLs, filenames and e-mail
    addresses, and this data may be provided remotely to a victim in an
    e-mail, a webpage or files on a network filesystem or other untrusted
    source.

    By carefully crafting such data an attacker might be able to execute
    arbitrary commands on a vulnerable system using the victim's account and
    privileges. The KDE Project is not aware of any existing exploits of
    these vulnerabilities. The patches also provide better safe guards
    and check data from untrusted sources more strictly in multiple
    places.

    For the current stable distribution (woody), these problems have been fixed
    in version 2.2.2-9.2.

    The old stable distribution (potato) does not contain KDE packages.

    For the unstable distribution (sid), these problems will most probably
    not be fixed but new packages for KDE 3.1 for sid are expected for
    this year.

    We recommend that you upgrade your KDE packages.


    http://www.linuxsecurity.com/advisories/debian_advisory-2809.html

    The KDE team discovered several vulnerabilities in the K Desktop
    Environment. In some instances KDE fails to properly quote parameters
    of instructions passed to a command shell for execution. These
    parameters may incorporate data such as URLs, filenames and e-mail
    addresses, and this data may be provided remotely to a victim in an
    e-mail, a webpage or files on a network filesystem or other untrusted
    source.

    By carefully crafting such data an attacker might be able to execute
    arbitrary commands on a vulnerable system using the victim's account and
    privileges. The KDE Project is not aware of any existing exploits of
    these vulnerabilities. The patches also provide better safe guards
    and check data from untrusted sources more strictly in multiple
    places.

    For the current stable distribution (woody), these problems have been fixed
    in version 2.2.2-14.2.

    The old stable distribution (potato) does not contain KDE packages.

    For the unstable distribution (sid), these problems will most probably
    not be fixed but new packages for KDE 3.1 for sid are expected for
    this year.

    We recommend that you upgrade your KDE packages.


    http://www.linuxsecurity.com/advisories/debian_advisory-2810.html

    The KDE team discovered several vulnerabilities in the K Desktop
    Environment. In some instances KDE fails to properly quote parameters
    of instructions passed to a command shell for execution. These
    parameters may incorporate data such as URLs, filenames and e-mail
    addresses, and this data may be provided remotely to a victim in an
    e-mail, a webpage or files on a network filesystem or other untrusted
    source.

    By carefully crafting such data an attacker might be able to execute
    arbitrary commands on a vulnerable system using the victim's account and
    privileges. The KDE Project is not aware of any existing exploits of
    these vulnerabilities. The patches also provide better safe guards
    and check data from untrusted sources more strictly in multiple
    places.

    For the current stable distribution (woody), these problems have been
    fixed in version 2.2.2-8.2. Please note that we are unable to provide
    updated packages for both MIPS architectures since the compilation of
    kdemultimedia triggers an internal compiler error on these machines.

    The old stable distribution (potato) does not contain KDE packages.

    For the unstable distribution (sid), these problems will most probably
    not be fixed but new packages for KDE 3.1 for sid are expected for
    this year.

    We recommend that you upgrade your KDE packages.

    http://www.linuxsecurity.com/advisories/debian_advisory-2811.html

    Regards

    eddie
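Two of the advisories in this thread describe the same underlying mistake: the dhcpcd advisory in post 2 (a hook script sources a file of shell assignments whose values come from the DHCP server) and the KDE advisories above (URLs, file names and e-mail addresses are passed to a command shell without proper quoting). The example below is added for this thread and is not code from dhcpcd, KDE or the distributions; it shows the data-handling patterns that close both holes in Python. The `viewer` command, the `.info` sample and the `UNTRUSTED` string are constructed placeholders.

```python
import re
import shlex

# Constructed stand-in for data from an untrusted source (a DHCP reply, an
# address or URL in a message) that ends up on a shell command line.
# To the program it is just a string.
UNTRUSTED = "example.org'; touch /tmp/pwned; echo '"

# Constructed dhcpcd-style .info content: shell-variable assignments that
# the flawed design would execute by sourcing the file.
SAMPLE_INFO = (
    "IPADDR=192.0.2.10\n"
    "NETMASK=255.255.255.0\n"
    "DOMAIN='example.org'; touch /tmp/pwned; echo ''\n"
    "DNS=192.0.2.1\n"
)

_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_info(text: str) -> dict[str, str]:
    """Read KEY=VALUE lines as data instead of sourcing them with a shell.

    A value is stored verbatim; single quotes are stripped only when they
    enclose the whole value, and nothing inside is ever interpreted.
    """
    result = {}
    for line in text.splitlines():
        m = _ASSIGNMENT.match(line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            value = value[1:-1]
        result[key] = value
    return result


# "viewer" is a hypothetical helper program standing in for whatever a
# desktop component or DHCP hook script would launch with the value.
def naive_command(value: str) -> str:
    """Flawed pattern: wrap the value in quotes by string concatenation.
    A quote inside the value terminates the quoting and the rest of the
    string becomes further shell syntax."""
    return "viewer '" + value + "'"


def quoted_command(value: str) -> str:
    """Hardened pattern: shlex.quote turns the value into one shell word."""
    return "viewer " + shlex.quote(value)


def argv_command(value: str) -> list[str]:
    """Preferred pattern: an argv list handed straight to exec, no shell."""
    return ["viewer", value]


def shell_words(command_line: str) -> list[str]:
    """The words a POSIX shell would parse from this command line."""
    return shlex.split(command_line)


if __name__ == "__main__":
    print(parse_info(SAMPLE_INFO))
    print(shell_words(naive_command(UNTRUSTED)))   # several words, not one
    print(shell_words(quoted_command(UNTRUSTED)))  # ['viewer', UNTRUSTED]
```

`shell_words` is the quick way to audit a command line built from external data: if the parsed word list is longer than the number of arguments you meant to pass, the shell would have seen extra commands or arguments. Passing an argv list (`argv_command`) avoids the question entirely, which is why it is the preferred fix.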
     
Short URL to this thread: https://techguy.org/111580